
Hello,

My XP SP3 machine started acting strangely after a reboot. The start bar had changed color (dull grey/yellow) and the fonts on the start bar have also changed. The machine will not acquire an IP from the DHCP server on my router. I was able to manually give it an IP and get internet connectivity. Windows Update will not run ("can't display page" error). Also, I witnessed random web redirects. IE 8 would launch a new instance and shut down rapidly.

I updated MalwareBytes and did a scan. It found a few items and deleted them (see first scan log attached). However, the machine still acted the same. I then attempted to follow the instructions outlined in the "I'm infected - What do I do now". I get as far as executing GMER. GMER runs for a while and then I get a blue screen (quick flash) and the system reboots itself.

I have attached the Malware logs and the DSS logs for your review. I appreciate any assistance that you can offer.

DSS.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Administrator at 9:04:46.43 on Fri 06/04/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.427 [GMT -7:00]

AV: ZoneAlarm Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe

C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe

C:\Program Files\BUFFALO\NASNAVI\nassvc.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Microsoft SQL Server\MSSQL.4\Reporting Services\ReportServer\bin\ReportingServicesService.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

C:\Program Files\Logitech\Z-5 Speakers\Z-5 Speakers.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\DNA\btdna.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Simplify Media\SimplifyMedia.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

C:\Program Files\PIXELA\ImageMixer 3 SE Ver.5\Transfer Utility\CameraMonitor.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe

C:\Program Files\BUFFALO\NASNAVI\nassche.exe

C:\Documents and Settings\Administrator.KELLER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com

uSearch Page = hxxp://www.google.com

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uRun: [<NO NAME>]

uRun: [ATI Launchpad]

uRun: [ATI Remote Control] c:\program files\ati multimedia\remctrl\ATIRW.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Yahoo! Pager] c:\program files\yahoo!\messenger\ypager.exe -quiet

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [bitTorrent DNA] "c:\program files\dna\btdna.exe"

uRun: [simplify Media] "c:\program files\simplify media\SimplifyMedia.exe" -splash

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [<NO NAME>]

mRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE

mRun: [WINCINEMAMGR] "c:\program files\intervideo\common\bin\WinCinemaMgr.exe"

mRun: [NWEReboot]

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [Z-5 Speakers] c:\program files\logitech\z-5 speakers\Z-5 Speakers.exe

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\admini~1.kel\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\admini~1.kel\startm~1\programs\startup\buffal~1.lnk - c:\program files\buffalo\nasnavi\NasNavi.exe

StartupFolder: c:\docume~1\admini~1.kel\startm~1\programs\startup\nassch~1.lnk - c:\program files\buffalo\nasnavi\nassche.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\colorv~1.lnk - c:\program files\colorvision\utility\ColorVisionStartup.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se ver.5\transfer utility\CameraMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll

IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL

LSP: c:\windows\system32\zonelabs\vetredir.dll

Trusted Zone: intuit.com\ttlc

Trusted Zone: turbotax.com

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122708817890

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250115269546

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [2005-7-20 38784]

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-30 214664]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-7-20 271344]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-30 206096]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-12-30 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-12-30 144704]

R2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2005-10-14 199384]

R2 NasPmService;NAS PM Service;c:\program files\buffalo\nasnavi\nassvc.exe -service_execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 --> c:\program files\buffalo\nasnavi\nassvc.exe -Service_Execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 [?]

R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\mssql.4\reporting services\reportserver\bin\ReportingServicesService.exe [2005-10-14 14552]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-30 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-30 35272]

R3 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2005-7-20 114856]

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-2-19 2944]

S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2007-2-19 60416]

S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2007-2-19 11008]

S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2007-2-19 10368]

S3 CAISafe;CA ISafe;c:\windows\system32\zonelabs\isafe.exe [2005-7-20 184320]

S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [2005-7-20 116224]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-30 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-30 40552]

S3 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2005-7-20 21605]

S3 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2005-7-20 15668]

S3 VETMONNT;VET File and Macro Monitor;c:\windows\system32\drivers\vetmonnt.sys [2005-7-20 896472]

S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-12-30 606736]

=============== Created Last 30 ================

2010-06-04 03:08:09 0 ----a-w- c:\documents and settings\administrator.keller\defogger_reenable

2010-06-04 02:30:07 54156 ---ha-w- c:\windows\QTFont.qfn

2010-06-04 02:30:07 1409 ----a-w- c:\windows\QTFont.for

2010-06-04 02:28:48 130208 ------r- c:\windows\bwUnin-8.1.1.87-8876480SL.exe

==================== Find3M ====================

2010-05-12 16:19:34 28728 ----a-w- c:\docume~1\admini~1.kel\applic~1\GDIPFONTCACHEV1.DAT

2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-13 00:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2005-07-20 22:46:18 65 ----a-w- c:\program files\common files\appop.log

2008-12-10 22:46:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121020081211\index.dat

2010-01-20 02:07:28 16384 --sha-w- c:\windows\temp\cookies\index.dat

2010-01-20 02:07:28 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat

2010-01-20 02:07:28 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 9:06:24.67 ===============

Initial Malware log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/3/2010 2:38:43 PM

mbam-log-2010-06-03 (14-38-43).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 346912

Time elapsed: 1 hour(s), 42 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 7

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 2

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TDSSserv.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Documents and Settings\LocalService\Application Data\twain_32 (Trojan.Zbot) -> Quarantined and deleted successfully.

C:\Documents and Settings\NetworkService\Application Data\twain_32 (Trojan.Zbot) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds (Trojan.Zbot) -> Quarantined and deleted successfully.

C:\Documents and Settings\NetworkService\Application Data\twain_32\user.ds (Trojan.Zbot) -> Quarantined and deleted successfully.

Most Recent Malware Log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4168

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/4/2010 1:57:36 AM

mbam-log-2010-06-04 (01-57-36).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 351102

Time elapsed: 1 hour(s), 37 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Attach.zip


Hello MtBikeAz

Welcome to Malwarebytes.

=====================

Looking at your system now, one or more of the identified infections is a backdoor Trojan\Rootkit.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

===============

Download TDSSKiller and save it to your Desktop.

  • Right click on the file and choose Extract All, extract the file to your desktop, then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Or if you are prompted with a hidden service warning do go ahead and delete it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log

===============

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

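The advice above follows from the threat classes in the first MBAM log (Backdoor.Bot, Rootkit.TDSS, Trojan.Zbot). As an added example that is not part of this thread, the parser below reads an MBAM 1.x log in the layout posted here, cross-checks the declared per-section counts against the detection lines actually present (a truncated paste shows up as a mismatch), and lists the detections that justify changing passwords from a clean machine; which families count as high risk is this example's own assumption.

```python
import re
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "section item threat action")

# Constructed excerpt in the layout of the Malwarebytes' Anti-Malware 1.46 log
# posted in this thread (a subset of its detection lines, not the full log).
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Database version: 4052
Memory Processes Infected: 0
Registry Keys Infected: 3
Folders Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TDSSserv.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\twain_32 (Trojan.Zbot) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 7" style summary lines near the top of the log.
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Registry Keys Infected:" section headers that precede the detail lines.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<Threat.Name>) -> <action taken>." detail lines; the greedy item
# group means the threat name is the last parenthesised token before "->".
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (declared_counts, detections) from an MBAM 1.x log."""
    declared = {}
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            declared[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            detections.append(Detection(section, m.group("item"),
                                        m.group("threat"), m.group("action")))
    return declared, detections


def count_mismatches(declared, detections):
    """Sections whose declared count differs from the detail lines found.

    Returns {section: (declared, found)}; a non-empty result usually means the
    log was pasted incompletely or edited by hand.
    """
    found = Counter(d.section for d in detections)
    return {s: (n, found.get(s, 0)) for s, n in declared.items()
            if n != found.get(s, 0)}


# Assumption of this example: families that give an attacker remote control
# (backdoor, rootkit) or that steal credentials (Zbot/Zeus banking trojan)
# are the ones that warrant the "change passwords from a clean machine" step.
HIGH_RISK_FAMILIES = {"Backdoor", "Rootkit"}
HIGH_RISK_THREATS = {"Trojan.Zbot"}


def credential_exposure(detections):
    """Sorted threat names whose presence implies credentials may be exposed."""
    hits = set()
    for d in detections:
        family = d.threat.split(".", 1)[0]
        if family in HIGH_RISK_FAMILIES or d.threat in HIGH_RISK_THREATS:
            hits.add(d.threat)
    return sorted(hits)


def families(detections):
    """Count detections by the family prefix of the threat name."""
    return Counter(d.threat.split(".", 1)[0] for d in detections)


if __name__ == "__main__":
    declared, found = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("families:", dict(families(found)))
    print("count mismatches:", count_mismatches(declared, found))
    print("credential exposure:", credential_exposure(found))
```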

I was able to execute tdsskiller and have attached the log file.

I executed ComboFix. It went through its process and rebooted. Upon reboot it stated that it was about to export the log file. Immediately, the system produced a blue screen. mbr.sys was listed as the culprit. The system rebooted again. I checked for the C:\ComboFix.txt file but it was not there.

Noticeable differences: The Start menu is now back to normal. The machine can now obtain an IP from the DHCP server. Internet connectivity restored. Windows update is now available.

I think we are much better, but I still have concerns over the blue screen at the end of the ComboFix process.

Please advise. I really appreciate all your assistance with this, it

TDSSKiller.2.3.2.0_04.06.2010_10.34.34_log.txt


Kahdah,

New Information: last night I attempted to go to a web site and within a few minutes the browser IE 8 size was reduced to a 1"X 1" in the center of the screen, while another page popped up stating a list of viruses with flashing text. Additionally, a dialog box popped up stating similar and wanting me to take action. I Alt-F4'd out and immediately unplugged the network cable from my router and shut down the machine.

This morning I was able to get GMER to finish only after deselecting the C:\ drive. If I had any drive selected the application would cause a blue screen or reboot. I've attached the ark.txt file in hopes it may be useful.

I proceeded to remove McAfee completely, as disabling real time scanning continued to show active via ComboFix.

I then plugged back into the router and downloaded and executed ComboFix again. This time it was successful (no blue screen) and generated a log file. I've attached the results.

I appreciate your continued efforts in this.

ark.zip

ComboFix.txt


No problem you are welcome. :)

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

=====

Please click here to download Kaspersky Virus Removal Tool.

  1. Double click on the file you just downloaded and let it install.
  2. It will install to your desktop.
  3. After that leave what is selected and put a check next to My Computer.
  4. Click on the option that says Threat Detection and change it to Disinfect, delete if disinfection fails.
  5. Then click on Start Scan.
  6. Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  7. When the scan is done no log will be produced.
  8. Click on the bottom where it says Report to open the report.
  9. Then highlight all of the items found by using ctrl + a on your keyboard to select all, or use your mouse to select all, then right click and choose copy.
  10. This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  11. You can save this on the desktop.
  12. Post the contents of the document in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.


Both executed and completed. Logs below. Continued Thanks!

MBAM:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4175

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/7/2010 8:51:28 AM

mbam-log-2010-06-07 (08-51-28).txt

Scan type: Quick scan

Objects scanned: 145293

Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Kaspersky:

Autoscan: completed 4 minutes ago (events: 27, objects: 321991, time: 01:01:30)

6/7/2010 9:12:25 AM Task started

6/7/2010 9:57:17 AM Detected: not-a-virus:AdWare.Win32.BargainBuddy.v D:\Old win2K drive (SC400)\MP3 To WAV Ripper\setupmp3towav.exe/WISE0017.BIN/data0002

6/7/2010 9:59:15 AM Detected: not-a-virus:AdWare.Win32.BargainBuddy.a D:\Old win2K drive (SC400)\MP3 To WAV Ripper\setupmp3towav.exe/WISE0017.BIN/data0003

6/7/2010 9:59:19 AM Detected: not-a-virus:AdWare.Win32.Ucmore.a D:\Old win2K drive (SC400)\MP3 To WAV Ripper\setupmp3towav.exe/WISE0024.BIN/UCMIE.DLL

6/7/2010 9:59:19 AM Detected: not-a-virus:AdWare.Win32.SaveNow.e D:\Old win2K drive (SC400)\MP3 To WAV Ripper\setupmp3towav.exe/WISE0026.BIN/data0001.cab/Save.exe

6/7/2010 9:59:19 AM Detected: not-a-virus:AdWare.Win32.SaveNow.bl D:\Old win2K drive (SC400)\MP3 To WAV Ripper\setupmp3towav.exe/WISE0026.BIN/data0001.cab/SaveUninst.exe

6/7/2010 9:59:20 AM Detected: not-a-virus:AdWare.Win32.SaveNow D:\Old win2K drive (SC400)\MP3 To WAV Ripper\setupmp3towav.exe/WISE0026.BIN/data0001.cab/Weather/Weather.exe

6/7/2010 9:59:20 AM Detected: not-a-virus:AdWare.Win32.SaveNow.bl D:\Old win2K drive (SC400)\MP3 To WAV Ripper\setupmp3towav.exe/WISE0026.BIN/data0001.cab/Weather/Uninst.exe

6/7/2010 9:59:21 AM Deleted: not-a-virus:AdWare.Win32.SaveNow.bl D:\Old win2K drive (SC400)\MP3 To WAV Ripper\setupmp3towav.exe

6/7/2010 10:08:13 AM Detected: not-a-virus:AdWare.Win32.BargainBuddy.v D:\System Volume Information\_restore{FB61A0E8-61C9-4D4E-9074-1B62731A324F}\RP1746\A0126454.exe/WISE0017.BIN/data0002

6/7/2010 10:09:17 AM Detected: not-a-virus:AdWare.Win32.BargainBuddy.a D:\System Volume Information\_restore{FB61A0E8-61C9-4D4E-9074-1B62731A324F}\RP1746\A0126454.exe/WISE0017.BIN/data0003

6/7/2010 10:09:17 AM Detected: not-a-virus:AdWare.Win32.Ucmore.a D:\System Volume Information\_restore{FB61A0E8-61C9-4D4E-9074-1B62731A324F}\RP1746\A0126454.exe/WISE0024.BIN/UCMIE.DLL

6/7/2010 10:09:18 AM Detected: not-a-virus:AdWare.Win32.SaveNow.e D:\System Volume Information\_restore{FB61A0E8-61C9-4D4E-9074-1B62731A324F}\RP1746\A0126454.exe/WISE0026.BIN/data0001.cab/Save.exe

6/7/2010 10:09:18 AM Detected: not-a-virus:AdWare.Win32.SaveNow.bl D:\System Volume Information\_restore{FB61A0E8-61C9-4D4E-9074-1B62731A324F}\RP1746\A0126454.exe/WISE0026.BIN/data0001.cab/SaveUninst.exe

6/7/2010 10:09:18 AM Detected: not-a-virus:AdWare.Win32.SaveNow D:\System Volume Information\_restore{FB61A0E8-61C9-4D4E-9074-1B62731A324F}\RP1746\A0126454.exe/WISE0026.BIN/data0001.cab/Weather/Weather.exe

6/7/2010 10:09:19 AM Detected: not-a-virus:AdWare.Win32.SaveNow.bl D:\System Volume Information\_restore{FB61A0E8-61C9-4D4E-9074-1B62731A324F}\RP1746\A0126454.exe/WISE0026.BIN/data0001.cab/Weather/Uninst.exe

6/7/2010 10:09:19 AM Deleted: not-a-virus:AdWare.Win32.SaveNow.bl D:\System Volume Information\_restore{FB61A0E8-61C9-4D4E-9074-1B62731A324F}\RP1746\A0126454.exe

6/7/2010 10:10:28 AM Detected: HEUR:Trojan-Downloader.Win32.Generic D:\VSBOOKD1\program files\microsoft visual studio .net\common7\tools\deployment\msiredist\1031\webloadr.bin

6/7/2010 10:10:28 AM Detected: HEUR:Trojan-Downloader.Win32.Generic D:\VSBOOKD1\program files\microsoft visual studio .net\common7\tools\deployment\msiredist\1028\webloadr.bin

6/7/2010 10:10:28 AM Detected: HEUR:Trojan-Downloader.Win32.Generic D:\VSBOOKD1\program files\microsoft visual studio .net\common7\tools\deployment\msiredist\1033\webloadr.bin

6/7/2010 10:10:40 AM Detected: HEUR:Trojan-Downloader.Win32.Generic D:\VSBOOKD1\program files\microsoft visual studio .net\common7\tools\deployment\msiredist\1036\webloadr.bin

6/7/2010 10:10:40 AM Detected: HEUR:Trojan-Downloader.Win32.Generic D:\VSBOOKD1\program files\microsoft visual studio .net\common7\tools\deployment\msiredist\1040\webloadr.bin

6/7/2010 10:10:40 AM Detected: HEUR:Trojan-Downloader.Win32.Generic D:\VSBOOKD1\program files\microsoft visual studio .net\common7\tools\deployment\msiredist\1041\webloadr.bin

6/7/2010 10:10:41 AM Detected: HEUR:Trojan-Downloader.Win32.Generic D:\VSBOOKD1\program files\microsoft visual studio .net\common7\tools\deployment\msiredist\1042\webloadr.bin

6/7/2010 10:10:41 AM Detected: HEUR:Trojan-Downloader.Win32.Generic D:\VSBOOKD1\program files\microsoft visual studio .net\common7\tools\deployment\msiredist\3082\webloadr.bin

6/7/2010 10:10:41 AM Detected: HEUR:Trojan-Downloader.Win32.Generic D:\VSBOOKD1\program files\microsoft visual studio .net\common7\tools\deployment\msiredist\2052\webloadr.bin

6/7/2010 10:13:55 AM Task completed


Your log is clean.

If you did not uninstall the Kaspersky removal tool then you can go into this folder:

C:\Documents and Settings\Administrator.KELLER\Desktop\Virus Removal Tool\setup_9.0.0.722_07.06.2010_19-36\ then use the uninst file there to remove it.

Reboot once that is complete.

Uninstall this version of Adobe Reader, version 7.0, and download and install the newest version from here > http://get.adobe.com/reader/

===============

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the Run box and click OK. Note the space between the X and the Uninstall; it needs to be there.

Delete\uninstall anything else that we have used that is leftover.

=====================================

After that you're all set.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.


Kahdah,

I want to thank you for your time and efforts with this. Your assistance with this has been exceptional. My machine appears to be functioning normally again. I will read the articles you provided to see what else I need to do in an attempt to prevent this in the future. Currently, I have Windows Update set to Automatic (with confirmation), McAfee Security Suite and Malwarebytes.


You are welcome.

Currently, unfortunately, there is nothing that is 100% effective at blocking malware, so staying up to date with all updates and patches and staying away from dubious sites should be plenty to keep you clean.

Safe surfing.
