Everything posted by Jarv

  1. Hi, I seem to have a couple of machines infected with "Antivirus soft" and in the past have got rid of these using safe mode and Malwarebytes. However, this one seems a bit more serious in that it is stopping most processes running in normal mode in XP (doesn't this make it a virus and not spyware??). As well as saying you have a "virus", one of the users has reported porn displaying, which I have not seen before with these fake AV vendors. I have booted into safe mode and run Malwarebytes but it doesn't find anything. I have tried a couple of the methods listed on here, including renaming the file to firefox.exe, but without any luck. As well as popping up with the various messages saying I am infected and need to buy the software, I can also see files associated with this "virus": under the user's \Local Settings\Application Data directory is a random(?) directory called "qnpele" and a file within it called "vnofsftav.exe". I have enclosed the requested files and wonder if anyone could help with this further?
DDS.TXT

DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL
Run by Super at 13:45:25.96 on 18/02/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.837 [GMT 0:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Super.D620-XPIMAGE\Desktop\Defogger.exe
C:\Documents and Settings\Super.D620-XPIMAGE\Desktop\dds.com

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [sigmatelSysTrayApp] stsystra.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"
mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN
mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"
mRun: [storageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\facsys~1.lnk - c:\program files\facsys\facsys desktop client\facsys.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - file://C:/Program Files/F5 VPN/F5_TMP/cachecleaner.cab
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - c:\windows\temp\f5tmp\urxvpn.cab
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - c:\windows\temp\f5tmp\f5tunsrv.cab
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - c:\windows\temp\f5tmp\InstallerControl.cab
DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - file://C:/Program Files/F5 VPN/F5_TMP/f5InspectionHost.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153831188840
DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - c:\windows\temp\f5tmp\urTermProxy.cab
DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} - file://C:/Program Files/F5 VPN/F5_TMP/msrdp.cab
DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} - file://C:/Program Files/F5 VPN/F5_TMP/vdeskctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {B8693DEF-98AC-43FC-AA00-E7D728334C80} - file://C:/Program Files/F5 VPN/F5_TMP/ur5250x.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - c:\windows\temp\f5tmp\urxshost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - c:\windows\temp\f5tmp\urxhost.cab
DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} - file://C:/Program Files/F5 VPN/F5_TMP/f5syschk.cab
Notify: igfxcui - igfxdev.dll
Hosts: 172.17.189.44 mcf-portal2 [sonoma DNS Change for HP Shared Services]
Hosts: 172.16.227.44 content.foodservice.mcain.ca
Hosts: 172.16.227.124 staging.retail.mcain.ca
Hosts: 172.16.227.44 staging.content.foodservice.mcain.ca
Hosts: 172.16.227.124 staging.foodservice.mcain.ca

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

S1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-10-6 31816]
S2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2005-10-18 61440]
S2 F5 Networks Component Installer;F5 Networks Component Installer;c:\windows\system32\F5InstallerService.exe [2006-10-12 242296]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-22 103744]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-10-6 144704]
S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-10-6 54608]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2006-11-22 10752]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-1-21 72904]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-1-21 34344]
S3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-1-21 177672]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [2009-3-27 33920]

=============== Created Last 30 ================

2010-02-18 12:28:29 0 ----a-w- c:\documents and settings\super.d620-xpimage\defogger_reenable
2010-02-18 10:10:13 0 d-----w- c:\docume~1\super~1.d62\applic~1\Malwarebytes
2010-02-18 10:10:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-18 10:10:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 10:10:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-18 10:10:02 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-16 18:00:01 621 ----a-w- c:\windows\system32\CcmFramework.h
2010-02-16 18:00:01 4764 ----a-w- c:\windows\system32\CcmFramework.ini
2010-02-16 17:58:24 0 d-----w- c:\windows\ms
2010-02-11 14:04:38 0 d-----w- c:\program files\Self Serve
2010-01-19 16:01:54 0 d--h--w- c:\windows\system32\GroupPolicy

==================== Find3M ====================

2010-02-18 11:40:04 119171 ----a-w- c:\windows\system32\nvModes.dat
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll

============= FINISH: 13:46:11.68 ===============

attach.zip