
nagrap2

Members
  • Posts

    15

Posts posted by nagrap2

  1. Hi,

    I tried the suggested rkill files, the one that worked was: WiNlOgOn.exe

    Log:

    --------------------------------------------------

    This log file is located at C:\rkill.log.

    Please post this only if requested to by the person helping you.

    Otherwise you can close this log when you wish.

    Rkill was run on 01/02/2011 at 21:27:00.

    Operating System: Microsoft Windows XP

    Processes terminated by Rkill or while it was running:

    C:\Documents and Settings\All Users\Application Data\eAgKhCf15400\eAgKhCf15400.exe

    Rkill completed on 01/02/2011 at 21:27:09.

    ------------------------------------------------------

    I then ran Malwarebytes as instructed and was able to update to the latest version. Then when the application restarted, I get the following error:

    "An error has occurred. Please report this error code to our support team. MBAM_ERROR_EXPANDING_VARIABLES(0, 453)"

    Please suggest next steps.

  2. Hi,

    I have the System Tool virus.

    I have followed the instructions and downloaded DeFogger, DDS and GMER, but when I try to run them System Tool prevents them from running. I also cannot run Internet Explorer or Malwarebytes. I have tried renaming the exe files to something else, but they still do not execute.

    Please advise....

    Thanks in advance...

  3. Hi,

    I have run ComboFix and have pasted the log below. The trojan doesn't seem to be popping up now; however, are you able to check from the log below to see if it is completely removed?

    ComboFix 10-11-17.04 - Owner 18/11/2010 20:11:29.1.2 - x86

    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

    AV: PCguard Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}

    FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    C:\2E.tmp

    C:\desktop.ini

    c:\documents and settings\Owner\Local Settings\Application Data\147491517.exe

    c:\documents and settings\Owner\Local Settings\Application Data\24443339.exe

    c:\documents and settings\Owner\Local Settings\Application Data\710192911.exe

    c:\documents and settings\Owner\Start Menu\Programs\Security Tool.lnk

    C:\kmd.exe

    c:\program files\Altnet

    c:\program files\Altnet\Download Manager\adm25.dll

    c:\program files\Altnet\Download Manager\adm4.dll

    c:\program files\Altnet\Download Manager\adm4005.exe

    c:\program files\Altnet\Download Manager\admdata.dll

    c:\program files\Altnet\Download Manager\admdloader.dll

    c:\program files\Altnet\Download Manager\admfdi.dll

    c:\program files\Altnet\Download Manager\admprog.dll

    c:\program files\Altnet\Download Manager\asmend.exe

    c:\program files\Altnet\Download Manager\dminfo3.cab

    c:\program files\Altnet\Download Manager\dmsetup.bmp

    c:\program files\Altnet\Download Manager\dmsetupbig.bmp

    c:\program files\Altnet\Download Manager\jsinstall.cab

    c:\program files\Altnet\Download Manager\jslegals.txt

    c:\program files\Altnet\Download Manager\selectdir.txt

    c:\program files\Altnet\Download Manager\selectdir1st.txt

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cab.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.cvd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.ivd.cab (incomplete)

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.ivd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.rvd.cab (incomplete)

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.rvd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.cvd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\dbx.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\dbx.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\docfile.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.cvd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab (incomplete-1)

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab (incomplete-2)

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab (incomplete-3)

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab (incomplete)

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\hqx.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\html.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\html.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\java.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\java.cvd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx.xmd.cab (incomplete)

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab (incomplete-1)

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab (incomplete-2)

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab (incomplete)

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_w95.cvd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_x95.cvd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mime.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mime.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mso.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mso.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\na.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\na.cvd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\na.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\nelf.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\nelf.cvd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\pdf.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\pdf.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.cab (incomplete)

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.cvd.cab (incomplete)

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.cvd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.cvd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.ivd.cab (incomplete)

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.ivd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.xmd.cab (incomplete)

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sfx.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\tar.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\tar.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cvd.cab (incomplete)

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cvd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.ivd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\update.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\update.txt.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\ve.xmd.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\zip.cab

    c:\program files\Altnet\My Altnet Shares\Bullguard Protection\zip.xmd.cab

    c:\program files\Mozilla Firefox\plugins\NPNd2fn.dll

    c:\program files\Need2Find

    c:\program files\Need2Find\bar\1.bin\N2FFXTBR.JAR

    c:\program files\Need2Find\bar\1.bin\N2NTSTBR.JAR

    c:\program files\Need2Find\bar\1.bin\N2PLUGIN.DLL

    c:\program files\Need2Find\bar\1.bin\NPND2FN.DLL

    c:\program files\Need2Find\bar\1.bin\PARTNER.DAT

    c:\program files\Need2Find\bar\Cache\0091FED1

    c:\program files\Need2Find\bar\Cache\files.ini

    c:\program files\Need2Find\bar\History\search

    c:\program files\Need2Find\bar\Settings\prevcfg.htm

    c:\windows\Readme.txt

    c:\windows\system\Color

    c:\windows\system32\hadl.dll

    c:\windows\system32\iexplore.exe

    c:\windows\system32\system

    D:\Autorun.inf

    .

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    -------\Legacy_FCI

    -------\Legacy_SYSLIBRARY

    ((((((((((((((((((((((((( Files Created from 2010-10-18 to 2010-11-18 )))))))))))))))))))))))))))))))

    .

    2010-11-16 22:08 . 2010-11-16 22:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

    2010-11-16 21:09 . 2010-11-16 21:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

    2010-11-16 21:04 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2010-11-16 21:04 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

    2010-11-16 21:04 . 2010-11-16 23:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2010-11-16 20:45 . 2010-11-16 20:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

    2010-11-16 20:45 . 2010-11-16 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

    2010-11-16 20:43 . 2010-11-16 20:43 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

    2010-11-15 17:33 . 2010-11-15 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

    2010-10-31 16:55 . 2010-10-31 16:56 -------- d-----w- c:\documents and settings\Owner\Application Data\vShare

    2010-10-31 16:54 . 2010-10-31 16:55 -------- d-----w- c:\program files\vShare

    2010-10-31 16:48 . 2010-10-31 16:48 -------- d-----w- c:\program files\Veetle

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2010-09-18 12:23 . 2003-01-02 19:10 974848 ----a-w- c:\windows\system32\mfc42u.dll

    2010-09-18 06:53 . 2003-01-02 19:10 974848 ----a-w- c:\windows\system32\mfc42.dll

    2010-09-18 06:53 . 2003-01-02 19:10 954368 ----a-w- c:\windows\system32\mfc40.dll

    2010-09-18 06:53 . 2003-01-02 19:10 953856 ----a-w- c:\windows\system32\mfc40u.dll

    2010-09-10 05:58 . 2004-02-06 17:05 916480 ----a-w- c:\windows\system32\wininet.dll

    2010-09-10 05:58 . 2003-01-02 19:10 43520 ----a-w- c:\windows\system32\licmgr10.dll

    2010-09-10 05:58 . 2003-01-02 19:10 1469440 ------w- c:\windows\system32\inetcpl.cpl

    2010-09-01 11:51 . 2003-01-01 15:37 285824 ----a-w- c:\windows\system32\atmfd.dll

    2010-08-31 13:42 . 2003-01-02 19:11 1852800 ----a-w- c:\windows\system32\win32k.sys

    2010-08-27 08:02 . 2003-01-02 19:11 119808 ----a-w- c:\windows\system32\t2embed.dll

    2010-08-27 05:57 . 2003-01-02 19:10 99840 ----a-w- c:\windows\system32\srvsvc.dll

    2010-08-26 13:39 . 2003-01-01 15:12 357248 ----a-w- c:\windows\system32\drivers\srv.sys

    2010-08-26 12:52 . 2009-04-14 20:22 5120 ----a-w- c:\windows\system32\xpsp4res.dll

    2010-08-23 16:12 . 2003-01-02 19:10 617472 ----a-w- c:\windows\system32\comctl32.dll

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "NVIEW"="nview.dll" [2003-03-04 831557]

    "kdx"="c:\program files\Kontiki\KHost.exe" [2006-11-08 1040832]

    "PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]

    "Podmailing"="c:\program files\Podmailing\Podmailing.exe" [2008-06-06 173056]

    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-02-22 26101032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]

    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

    "AlcxMonitor"="ALCXMNTR.EXE" [2004-02-17 50176]

    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

    "EPSON Stylus Photo RX420 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 98304]

    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-22 180269]

    "EPSON Stylus Photo RX420 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 98304]

    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

    "nwiz"="nwiz.exe" [2003-03-04 323584]

    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-04 4595712]

    "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]

    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-12 114688]

    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-20 278528]

    "Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]

    "4oD"="c:\program files\Kontiki\KHost.exe" [2006-11-08 1040832]

    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-09-26 35328]

    "Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2008-12-03 2372840]

    "EPSON Stylus Photo RX420 Series (Copy 2)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 98304]

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

    "Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]

    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    blueyonder Instant Support Tool.lnk - c:\program files\blueyonder IST\bin\matcli.exe [2003-10-19 204800]

    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

    BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]

    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\Program Files\\Messenger\\msmsgs.exe"=

    "c:\\Program Files\\LimeWire\\LimeWire.exe"=

    "c:\\StubInstaller.exe"=

    "c:\\Program Files\\iTunes\\iTunes.exe"=

    "c:\\Program Files\\NetMeeting\\conf.exe"=

    "c:\\WINDOWS\\system32\\rtcshare.exe"=

    "c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\Kontiki\\KService.exe"=

    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

    R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [22/09/2008 16:58 693512]

    R2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\Virgin Broadband\PCguard\SafeConnect\bin\SanaAgent.exe [14/11/2008 18:28 4937752]

    R2 ScanDrv;ScanDrv;c:\windows\system32\drivers\scandrv.sys [28/02/2004 16:05 195396]

    R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [14/11/2008 18:28 161304]

    R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [14/11/2008 18:28 29720]

    R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [14/11/2008 18:28 27376]

    S2 gupdate1cabfbcb3e7fcc4;Google Update Service (gupdate1cabfbcb3e7fcc4);c:\program files\Google\Update\GoogleUpdate.exe [09/03/2010 19:14 133104]

    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [16/11/2010 21:04 38224]

    S3 Normandy;Normandy SR2; [x]

    S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [22/09/2008 16:58 910600]

    S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe [27/05/2009 13:10 170736]

    .

    Contents of the 'Scheduled Tasks' folder

    2010-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 19:13]

    2010-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 19:13]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://vshare.toolbarhome.com/?hp=df&t=1

    uDefault_Search_URL = hxxp://srch-qgb8.hpwis.com/

    uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

    uInternet Connection Wizard,ShellNext = iexplore

    IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html

    IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html

    IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

    IE: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html

    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\q7l2yjno.default\

    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll

    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

    FF - plugin: c:\program files\Veetle\Player\npvlc.dll

    FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

    FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll

    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----

    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    .

    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{F48BDBDD-846B-456D-A78D-F9F6100C7D57} - (no file)

    HKLM-Run-Msdmxm - c:\windows\system32\msdmxm.exe

    HKLM-Run-EvtHtm - c:\windows\system32\evthtm.exe

    HKLM-Run-PS2 - c:\windows\system32\ps2.exe

    HKLM-Run-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    AddRemove-AltnetDM - c:\program files\Altnet\Download Manager\AltnetUninstall.exe

    AddRemove-EvtHtm - c:\windows\system32\evthtm.exe

    AddRemove-Msdmxm - c:\windows\system32\Msdmxm.exe

    AddRemove-Yazzle1461Oin - c:\program files\Common Files\Yazzle1461OinUninstaller.exe

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2010-11-18 20:29

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(784)

    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(2540)

    c:\windows\system32\WININET.dll

    c:\windows\system32\ieframe.dll

    c:\windows\system32\webcheck.dll

    c:\windows\system32\WPDShServiceObj.dll

    c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll

    c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll

    c:\windows\system32\ConnAPI.DLL

    c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr

    c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr

    c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll

    c:\windows\system32\PortableDeviceTypes.dll

    c:\windows\system32\PortableDeviceApi.dll

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\windows\system32\Ati2evxx.exe

    c:\program files\Virgin Broadband\PCguard\Fws.exe

    c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    c:\program files\Java\jre6\bin\jqs.exe

    c:\program files\Kontiki\KService.exe

    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

    c:\windows\system32\Ati2evxx.exe

    c:\windows\ALCXMNTR.EXE

    c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

    c:\program files\Common Files\Teleca Shared\CapabilityManager.exe

    c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe

    c:\progra~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe

    c:\program files\blueyonder IST\bin\mpbtn.exe

    c:\program files\iPod\bin\iPodService.exe

    c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe

    c:\program files\Common Files\Teleca Shared\Generic.exe

    c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

    c:\windows\system32\wscntfy.exe

    .

    **************************************************************************

    .

    Completion time: 2010-11-18 20:51:28 - machine was rebooted

    ComboFix-quarantined-files.txt 2010-11-18 20:51

    Pre-Run: 61,329,727,488 bytes free

    Post-Run: 66,791,022,592 bytes free

    - - End Of File - - 4FA321475AC89BCCF12AFE1852AE3395
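
Post 3 asks whether the ComboFix report shows the infection is gone. The following is an added example, not from this thread and not code from ComboFix or Malwarebytes: a small Python triage script that parses the "Reg Loading Points" and firewall-policy sections of a ComboFix-style report and pulls out the entries a helper would look at first: autostart values whose target is missing (marked `[X]`), Security Center override flags, a disabled firewall, and firewall exceptions for executables sitting in the drive root. The sample input is constructed here in that layout from lines like those in the report above; the severity labels and the registry-key suffix matching are my own assumptions about how to rank entries, not ComboFix output.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout ComboFix uses for its "Reg Loading Points"
# and firewall-policy sections. The lines are modelled on the report above;
# they are illustrative input for the parser, not a list of indicators.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-04 831557]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-02-22 26101032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\StubInstaller.exe"=
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="command" [yyyy-mm-dd size]   or   "Name"="command" [X]  (file missing)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>.*)$')


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info" (assumed labels, not ComboFix's)
    key: str       # registry key the line was listed under
    detail: str


def parse_sections(text):
    """Group each "Name"=... line under the most recent [registry key] header."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Return the entries a reviewer would look at first, in log order."""
    findings = []
    for key, lines in parse_sections(text).items():
        lkey = key.lower()
        if lkey.endswith(r"\currentversion\run"):
            for line in lines:
                m = RUN_RE.match(line)
                if not m:
                    continue
                name, cmd, stamp = m.group("name", "cmd", "stamp")
                if stamp == "X":
                    # ComboFix prints [X] when the autostart target no longer exists
                    findings.append(Finding("medium", key, f"{name}: target missing on disk ({cmd})"))
                elif "\\" not in cmd:
                    # A bare file name is resolved through the search path at logon
                    findings.append(Finding("info", key, f"{name}: unqualified command {cmd!r}"))
        elif lkey.endswith(r"\security center"):
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group("name").lower().endswith("override") and m.group("val").endswith("1"):
                    findings.append(Finding("high", key, f"{m.group('name')} set: Security Center alert suppressed"))
        elif lkey.endswith(r"firewallpolicy\standardprofile"):
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group("name") == "EnableFirewall" and m.group("val").startswith("0"):
                    findings.append(Finding("high", key, "Windows Firewall disabled for the standard profile"))
        elif lkey.endswith(r"\authorizedapplications\list"):
            for line in lines:
                m = VALUE_RE.match(line)
                # Paths in this section are written with doubled backslashes; exactly one
                # separator means the executable sits directly in the drive root.
                if m and m.group("name").count("\\\\") == 1:
                    findings.append(Finding("medium", key, f"firewall exception for root-level executable {m.group('name')}"))
    return findings


def summary(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 2, 'info': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.key}\n         {f.detail}")
```

To run it over a saved report, read the file into a string and pass it to `triage`; the script only reads the log and never touches the registry, so it is safe to run on a clean machine while reviewing someone else's log. The two "high" results in the sample (an AntiVirusOverride flag and a disabled firewall) are the kind of residue that can remain after the malware itself has been deleted, which is why a helper checks these sections even when the scanner reports nothing.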

  4. Hi,

    I ran ATF Cleaner as requested and it cleared approx 500MB.

    I ran Goored Fix

    I ran TDSSKiller and it said no infections found. When I try to click on the Report button to download the log, Security Tool kicks in and prevents Notepad from starting.

    Basically, whenever I try to run any executable it is prevented by Security Tool. The way I got around running the above was to rename each executable to "iexplore.exe", as explorer seems to start up fine.

    What can we try next?

  5. Hi,

    I have tried to scan using Malwarebytes in safe boot mode and it doesn't detect any trojans. I then start in normal mode and try to scan and Malwarebytes doesn't complete as I get the blue screen of death.

    I then tried to follow the guide given here (http://forums.malwarebytes.org/index.php?showtopic=9573), but the Security Tool blocks me from running the DDS.scr file in normal mode, so I restarted in Safe Boot mode.

    I was unable to run the GMER Rootkit Scanner as I get a Windows error saying the program has encountered a problem and needs to close...

    I then tried to follow the instructions given at the bottom of this (http://forums.malwarebytes.org/index.php?showtopic=67755&hl=Security+Tool) post to run OTL.exe and RootkitUnhooker.

    Unfortunately RootkitUnhooker did not run as I got an error saying "Error loading/opening driver".

    I am running Windows XP.

    Please let me know if you require me to run any other tools.

    DDS.txt:

    DDS (Ver_10-11-10.01) - NTFSx86 NETWORK

    Run by Administrator at 0:18:46.51 on 17/11/2010

    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.368 [GMT 0:00]

    AV: PCguard Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}

    FW: PCguard Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch

    svchost.exe

    C:\WINDOWS\System32\svchost.exe -k netsvcs

    svchost.exe

    svchost.exe

    C:\WINDOWS\Explorer.EXE

    C:\Documents and Settings\Administrator\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    mSearchAssistant =

    BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

    BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll

    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

    BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\virgin broadband\pcguard\pkR.dll

    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll

    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

    BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll

    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

    TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll

    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

    uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

    mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

    mRun: [AlcxMonitor] ALCXMNTR.EXE

    mRun: [Msdmxm] c:\windows\system32\msdmxm.exe /nocomm

    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

    mRun: [EPSON Stylus Photo RX420 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O5 "LPT1:" /M "Stylus Photo RX420"

    mRun: [EvtHtm] c:\windows\system32\evthtm.exe /nocomm

    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

    mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

    mRun: [EPSON Stylus Photo RX420 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P40 "EPSON Stylus Photo RX420 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo RX420"

    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

    mRun: [PS2] c:\windows\system32\ps2.exe

    mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

    mRun: [KBD] c:\hp\kbd\KBD.EXE

    mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

    mRun: [<NO NAME>]

    mRun: [sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions

    mRun: [PCSuiteTrayApplication] c:\progra~1\nokia\nokiap~1\LAUNCH~1.EXE -startup

    mRun: [RecoverFromReboot] c:\windows\temp\RecoverFromReboot.exe

    mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all

    mRun: [WinampAgent] c:\program files\winamp\winampa.exe

    mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles

    mRun: [Nokia FastStart] "c:\program files\nokia\nokia music\NokiaMusic.exe" /command:faststart

    mRun: [EPSON Stylus Photo RX420 Series (Copy 2)] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P40 "EPSON Stylus Photo RX420 Series (Copy 2)" /O5 "LPT1:" /M "Stylus Photo RX420"

    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

    mRun: [broadbandadvisor.exe] "c:\program files\virgin broadband\advisor\Broadbandadvisor.exe" /AUTORUN

    mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueyo~1.lnk - c:\program files\blueyonder ist\bin\matcli.exe

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

    DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB

    DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB

    DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

    DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab

    DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab

    DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

    DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

    DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

    DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

    DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133824864851

    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

    DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37913.5428703704

    DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

    DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - hxxp://messenger.zone.msn.com/binary/Bankshot.cab31267.cab

    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab41227.cab

    DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab

    DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/CheckersZPA.cab40641.cab

    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

    Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll

    Notify: AtiExtEvent - Ati2evxx.dll

    Notify: igfxcui - igfxsrvc.dll

    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath -

    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    ============= SERVICES / DRIVERS ===============

    S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2010-1-11 179984]

    S2 gupdate1cabfbcb3e7fcc4;Google Update Service (gupdate1cabfbcb3e7fcc4);c:\program files\google\update\GoogleUpdate.exe [2010-3-9 133104]

    S2 PD91Agent;PD91Agent;c:\program files\raxco\perfectdisk2008\PD91Agent.exe [2008-9-22 693512]

    S2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\virgin broadband\pcguard\safeconnect\bin\SanaAgent.exe [2008-11-14 4937752]

    S2 ScanDrv;ScanDrv;c:\windows\system32\drivers\scandrv.sys [2004-2-28 195396]

    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-16 38224]

    S3 PD91Engine;PD91Engine;c:\program files\raxco\perfectdisk2008\PD91Engine.exe [2008-9-22 910600]

    S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\virgin broadband\pcguard\RpsSecurityAwareR.exe [2009-5-27 170736]

    S3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectDriver.sys [2008-11-14 161304]

    S3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectFilter.sys [2008-11-14 29720]

    S3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectShim.sys [2008-11-14 27376]

    =============== Created Last 30 ================

    2010-11-16 23:56:58 69120 ----a-w- c:\windows\system32\iexplore.exe

    2010-11-16 21:09:09 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE

    2010-11-16 21:04:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2010-11-16 21:04:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

    2010-11-16 21:04:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2010-11-16 20:45:36 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

    2010-11-16 20:45:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

    2010-11-16 20:43:03 -------- d-sh--w- c:\documents and settings\administrator\IETldCache

    2010-11-15 17:33:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

    2010-10-31 16:54:59 -------- d-----w- c:\program files\vShare

    2010-10-31 16:48:20 -------- d-----w- c:\program files\Veetle

    ==================== Find3M ====================

    2010-09-18 12:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

    2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

    2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

    2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

    2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll

    2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll

    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

    ============= FINISH: 0:20:33.51 ===============

    Attach.zip
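A small triage script for the autostart section of a DDS log like the one above, added here as an example (it is not part of the post, and not DDS's own code): it parses the uRun/mRun/StartupFolder lines and flags the patterns an analyst checks first, such as an entry with no value name, a bare filename resolved through a PATH search, or a program launched from a temp directory. The sample lines are copied from the log above into a constructed inline string; the flag heuristics are the example's own assumptions and are not a verdict on any entry.

```python
import re

# Constructed sample: autostart lines copied from the DDS log above; nothing
# here is asserted to be malicious, the flags only mark entries worth a look.
SAMPLE_LOG = r"""
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Msdmxm] c:\windows\system32\msdmxm.exe /nocomm
mRun: [<NO NAME>]
mRun: [RecoverFromReboot] c:\windows\temp\RecoverFromReboot.exe
mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueyo~1.lnk - c:\program files\blueyonder ist\bin\matcli.exe
"""

RUN_RE = re.compile(r"^(?P<hive>[um]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^StartupFolder:\s*(?P<lnk>.+?)\s+-\s+(?P<cmd>.+)$")
TEMP_DIRS = ("\\temp\\", "\\tmp\\", "\\local settings\\temp\\")  # assumed heuristic list

def executable_of(cmd: str) -> str:
    """Best-effort program path from a Run-key value (quoted or unquoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path: everything up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    if m:  # unquoted paths may contain spaces, so cut at the first ".exe"
        return cmd[: m.end()]
    return re.split(r"\s+[/-]", cmd, maxsplit=1)[0]  # no extension: cut at first switch

def triage_line(line: str):
    """Parse one DDS autostart line into (hive, name, exe, flags); None otherwise."""
    m = RUN_RE.match(line)
    if m:
        hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
    else:
        m = STARTUP_RE.match(line)
        if not m:
            return None
        hive, name, cmd = "StartupFolder", m.group("lnk").rsplit("\\", 1)[-1], m.group("cmd")
    exe = executable_of(cmd)
    flags = []
    if name == "<NO NAME>":
        flags.append("no value name")
    if not exe:
        flags.append("empty command")
    elif "\\" not in exe:
        flags.append("bare filename, resolved via PATH search")
    if any(t in exe.lower() for t in TEMP_DIRS):
        flags.append("runs from a temp directory")
    return hive, name, exe, flags

def triage(text: str):
    """Return only the autostart entries that picked up at least one flag."""
    found = [triage_line(raw.strip()) for raw in text.splitlines()]
    return [f for f in found if f and f[3]]
```

Running `triage(SAMPLE_LOG)` flags four of the seven sample entries; the flagged ones still need a manual check against known software before anything is removed.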

  6. :blink:

    Print out these instructions as we may need to close every window that is open later in the fix.

    It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

    Do not reboot your computer after running rkill as the malware programs will start again.

    Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

    There are 5 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click and choose Run as Admin.

    You only need to get one of them to run, not all of them.

    1. rkill.exe
    2. rkill.com
    3. rkill.scr
    4. WiNlOgOn.exe
    5. uSeRiNiT.exe

    Do not reboot your computer after running rkill as the malware programs will start again.

    Next:

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Then click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

    Also please describe how your computer behaves at the moment.

    Please don't attach the scans / logs, use "copy/paste".

    Hi,

    Since I could start up the Firefox web browser, I tried renaming the Malwarebytes exe to firefox.exe and managed to get it to start up.

    I ran a scan and cleared the 5 items that were flagged as being trojans.

    So now the PC seems to be clean of the trojan; however, I am now facing the following issue:

    When I open up either Internet Explorer or Firefox I am unable to load any HTTP web pages; however, I am able to view HTTPS web pages. This issue seems to have come about after removing the files Malwarebytes flagged as being trojan files.

    Please advise.

  7. Hi,

    Looks like I have a trojan which is preventing me from starting up Malwarebytes. I get a fake warning popping up saying Threat: Win32/Nuqel.E

    I have tried the following so far but no luck:

    1) Tried renaming the exe to have an extension of .com but it still didn't start up

    2) Tried running in Safeboot mode and Malwarebytes started and ran a scan, also removed all infections, but then when running in non-Safeboot mode the infections re-appeared.

    What should I try next?

    Thanks in advance,

    Nagra

  9. Hi,

    I have the XP Antispyware 2010 trojan on my other laptop. I have tried to install Anti-Malware but it does not start up when I click the setup file. I have tried following various guides on the web that recommend renaming the exe to something else and then trying to run it, but it does not work.

    I have tried following the removing manually instructions but find I have different files to what the guides tell me.

    I noticed there is a av.exe running.

    Please can someone help!!!

    Much appreciated.
