jgary1 Posted August 17, 2010 ID:301475

Help. I read the pinned instructions and followed them without complete success. Each time I start my computer, three files show up on my desktop that I didn't consciously put there. They are: Spam001.exe, spam003.exe and troj000.exe. My McAfee anti-virus and firewall protection goes ape with repeated notices of a trojan that has been blocked. When I ran a full scan, it indicated that 11 bad actors were quarantined. When I ran Malwarebytes, it indicated that 211 bad actors were found. The infected computer has been removed from the internet. Both McAfee and Malwarebytes indicate that the offending files have been quarantined, but the problem is still there when I reboot the computer - even in safe mode!

My clumsy efforts to identify the source of this trouble led me to 2 suspected files: nxfsss.bak and ntload.exe. I found the registry entry for the ntload.exe, associated with rundll32 under HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\rundll32 C:\Windows\system32\ntload.exe. Knowing the grief that can come from monkeying around in the registry when you don't know what you are doing, I left this alone.

So, I followed the instructions in this forum and am providing the following: the text copied from the Malwarebytes log, and the DDS.txt file. I've also attached a zipped file that includes the "attach.txt" file from running DDS and the "ark.txt" file from GMER. I also have the log file from HijackThis if that would be helpful.
Where do I go from here?

MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

8/16/2010 4:08:19 PM
mbam-log-2010-08-16 (16-08-19).txt

Scan type: Quick scan
Objects scanned: 193055
Time elapsed: 18 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Gary.YOUR-4DACD0EA75\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gary.YOUR-4DACD0EA75\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
Run by Gary at 20:12:50.42 on Mon 08/16/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.693 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
F:\virus-prot\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://www.comcast.net/
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - 
mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - No File
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - 
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [Nwaqiwesif] rundll32.exe "c:\windows\FWMSPI.dll",Startup
uRun: [wmsdk64_32.exe] c:\docume~1\gary~1.you\locals~1\temp\wmsdk64_32.exe
mRun: [EPSON Stylus Photo R1800] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9LA.EXE /P24 "EPSON Stylus Photo R1800" /O6 "USB001" /M "Stylus Photo R1800"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [iS CfgWiz] c:\program files\norton internet security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [rundll32] c:\windows\system32\ntload.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\gary~1.you\startm~1\programs\startup\pinmclnk.lnk - c:\hp\bin\cloaker.exe
IE: &AOL Toolbar Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: FarLsp.dll
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174152991953
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - 
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5583/mcfscan.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: c:\progra~1\citrix\system32\mfaphook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gary~1.you\applic~1\mozilla\firefox\profiles\832y76st.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\gary.your-4dacd0ea75\application data\mozilla\firefox\profiles\832y76st.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPCltInstall.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprade.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-14 214664]
S1 cdfdrv;cdfdrv;c:\windows\system32\drivers\cdfdrv.sys [2008-7-27 27672]
S2 ctxpidmn;ctxpidmn;c:\windows\system32\drivers\ctxpidmn.sys [2008-8-16 22808]
S2 CtxSbx;CtxSbx;c:\windows\system32\drivers\CtxSbx.sys [2008-8-16 185880]
S2 gupdate1c9b070524e740e;Google Update Service (gupdate1c9b070524e740e);c:\program files\google\update\GoogleUpdate.exe [2009-3-29 133104]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-6-14 203280]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-6-14 359952]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-6-14 144704]
S2 RadeSvc;Citrix Streaming Service;c:\program files\citrix\streaming client\RadeSvc.exe [2008-8-16 398656]
S2 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\FarDrive.sys [2004-5-20 142169]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-6-14 606736]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-14 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-14 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-14 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-14 40552]

=============== Created Last 30 ================

2010-08-17 00:00:40 0 ----a-w- c:\documents and settings\gary.your-4dacd0ea75\defogger_reenable
2010-08-16 19:44:45 8212 ----a-w- c:\windows\mfebcdata
2010-08-16 13:32:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-15 21:40:53 0 d-----w- c:\program files\Trend Micro
2010-08-15 00:38:15 664 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2010-08-15 18:00:57 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-15 19:18:22 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 21:51:58 11077120 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ----a-w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 12:21:55 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:08:09 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\drivers\srv.sys
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ------w- c:\windows\system32\iccvid.dll
2010-06-14 23:50:58 103784 ----a-w- c:\documents and settings\gary.your-4dacd0ea75\GoToAssistDownloadHelper.exe
2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2009-10-16 02:44:21 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-08-30 11:23:26 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 20:13:27.31 ===============

Attachment: Attach_results.zip
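The uRun/mRun lines of the DDS "Pseudo HJT Report" above are where a helper would look first: they list the HKCU and HKLM Run values, and the entries that turned out to matter here (a rundll32 call on a DLL sitting in c:\windows, an .exe launched from the Temp folder, and a value named "rundll32" that actually starts c:\windows\system32\ntload.exe) all share a few recognisable traits. The script below is an added example, not part of the original thread and not code from DDS or Malwarebytes; it applies those checks to a handful of sample lines copied in shape from the log above. The uRun [rundll32] line in the sample is constructed to stand in for the HKCU Run\rundll32 value MBAM removed (the log never shows that value's data), and the scoring thresholds are my own choice.

```python
"""Triage the uRun/mRun lines of a DDS log for the traits seen in this thread.

Added example; not part of the original post or of DDS/MBAM.  Sample lines
follow the format of the posted log; the uRun [rundll32] line is a constructed
assumption standing in for the HKCU Run value MBAM removed.
"""
import re
from dataclasses import dataclass, field

SAMPLE_DDS = r"""
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Nwaqiwesif] rundll32.exe "c:\windows\FWMSPI.dll",Startup
uRun: [wmsdk64_32.exe] c:\docume~1\gary~1.you\locals~1\temp\wmsdk64_32.exe
uRun: [rundll32] c:\documents and settings\gary.your-4dacd0ea75\rundll32.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [rundll32] c:\windows\system32\ntload.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
"""

# A Run value named like a core Windows binary that launches something else,
# or launches that binary from outside c:\windows, is a classic disguise.
SYSTEM_BINARY_NAMES = {"rundll32", "svchost", "explorer", "lsass", "csrss",
                       "winlogon", "services", "smss", "spoolsv", "msconfig"}
# Directories a DLL handed to rundll32 is normally loaded from.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\progra~1\\")

RUN_LINE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
TEMP_DIR = re.compile(r"\\temp\\|\\locals~1\\temp|\\local settings\\temp")
PROFILE_ROOT = re.compile(r"^c:\\(docume~1|documents and settings)\\[^\\]+\\[^\\]+\.(exe|dll)$")


@dataclass
class Finding:
    hive: str          # "u" = HKCU, "m" = HKLM (DDS notation)
    name: str
    cmd: str
    reasons: list = field(default_factory=list)
    score: int = 0

    @property
    def verdict(self) -> str:
        return "suspicious" if self.score >= 3 else ("review" if self.score else "ok")


def split_cmd(cmd):
    """Split a Run value into tokens, honouring double quotes.  DDS prints
    unquoted paths verbatim, so re-join an executable path that was split on
    its own spaces until the first token ends in .exe/.com/.scr."""
    toks = [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', cmd)]
    while len(toks) > 1 and not toks[0].lower().endswith((".exe", ".com", ".scr")):
        toks[0:2] = [toks[0] + " " + toks[1]]
    return toks


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def name_related_to_cmd(name, cmd):
    """Legitimate entries usually share a name fragment with what they launch
    (NvCplDaemon -> NvCpl.dll); a random value name like Nwaqiwesif does not."""
    n = re.sub(r"[^a-z0-9]", "", name.lower())
    c = re.sub(r"[^a-z0-9]", "", cmd.lower())
    return len(n) < 5 or any(n[i:i + 5] in c for i in range(len(n) - 4))


def assess(hive, name, cmd):
    f = Finding(hive, name, cmd)
    toks = split_cmd(cmd)
    exe = toks[0].lower() if toks else ""

    def hit(points, why):
        f.score += points
        f.reasons.append(why)

    if TEMP_DIR.search(cmd.lower()):
        hit(3, "launches from a Temp directory")
    if PROFILE_ROOT.match(exe):
        hit(3, "binary sits directly in a user profile root")
    stem = name.lower()[:-4] if name.lower().endswith(".exe") else name.lower()
    if stem in SYSTEM_BINARY_NAMES:
        if basename(exe) != stem + ".exe":
            hit(3, f"value named like {stem}.exe but runs {basename(exe) or '(nothing)'}")
        elif "\\" in exe and not exe.startswith("c:\\windows\\"):
            hit(3, f"{stem}.exe launched from outside c:\\windows")
    if basename(exe) == "rundll32.exe" and len(toks) > 1:
        dll = toks[1].split(",")[0].lower()     # "path\x.dll,EntryPoint"
        if "\\" not in dll:
            hit(1, f"rundll32 loads unqualified DLL {dll} via the search path")
        elif not dll.startswith(TRUSTED_DLL_DIRS):
            hit(2, f"rundll32 loads DLL from unusual location {dll}")
    if not name_related_to_cmd(name, cmd):
        hit(1, "value name bears no relation to the command")
    return f


def triage(dds_text):
    """Return a Finding for every uRun/mRun line in a DDS log."""
    return [assess(m["hive"], m["name"], m["cmd"])
            for m in map(RUN_LINE.match, (l.strip() for l in dds_text.splitlines())) if m]


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.verdict:10} {f.hive}Run [{f.name}] {f.cmd}")
        for r in f.reasons:
            print(f"           - {r}")
```

Run against the sample, the script marks the Temp-folder .exe, the random-named rundll32 entry and both "rundll32" values as suspicious, flags the path-less ftutil2.dll for review, and leaves the vendor entries (NVIDIA, QuickTime, Messenger, MSConfig) alone. The heuristics are deliberately cheap; a verdict of "suspicious" is a reason to look up the file, not proof of infection.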
jgary1 Posted August 17, 2010 Author ID:301487

With my main computer disconnected from the Internet, I am working on a subcompact netbook and the cramped keyboard results in many typos. I hope my problem description was decipherable.
jgary1 Posted August 18, 2010 Author ID:301720

Buggers! My last scan with Malwarebytes suggested I only had 2 infected files. A subsequent scan tonight says 5 are infected. Here is the updated MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/17/2010 8:20:58 PM
mbam-log-2010-08-17 (20-20-58).txt

Scan type: Quick scan
Objects scanned: 195679
Time elapsed: 22 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Gary.YOUR-4DACD0EA75\ntload.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Gary.YOUR-4DACD0EA75\Desktop\nudetube.com.lnk (Rogue.Link) -> No action taken.
C:\Documents and Settings\Gary.YOUR-4DACD0EA75\Desktop\pornotube.com.lnk (Rogue.Link) -> No action taken.
C:\Documents and Settings\Gary.YOUR-4DACD0EA75\Desktop\youporn.com.lnk (Rogue.Link) -> No action taken.
C:\Documents and Settings\Gary.YOUR-4DACD0EA75\ntload.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Gary.YOUR-4DACD0EA75\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
jgary1 Posted August 19, 2010 Author ID:302173

I'm dying here - I see 67 folks have viewed my problem, don't any of you have some advice or guidance? I would go ahead and pay McAfee $90 for virus removal help except for 2 problems:

1. I bought McAfee Security Center to help prevent these problems and help correct them when they occur. After that, I have a hard time paying them more when a problem arises.
2. They won't walk me through the solution, they want me to reconnect the infected computer to the net, wait for them to respond and then watch while they fix the trouble remotely.

Since the one description of nxfsss.bak I found online suggests it hacks control of my computer and allows remote access and control by a malicious person(s), I am reluctant to connect until the problem is fixed. The one mention of this problem was from Kaspersky, so I downloaded their software and am running it in parallel with looking for some targeted advice. I seem to remember that there is a setting that causes an automatic backup to be created that nullifies the changes made by the virus/trojan removal software. If I have remembered correctly, guidance on how to switch the backups off so the virus/trojan removal can proceed would be appreciated.
Gammo Posted August 21, 2010 ID:303376

Hi,

Please reconnect your infected computer to the internet again. Run all steps in normal mode (NOT safe mode), unless I specifically tell you to.

Download ComboFix from one of these locations: Link 1 / Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them: Click me
If you can't disable them then just continue on.

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
jgary1 Posted August 21, 2010 Author ID:303472

Gammo: Thanks for the reply. In my frustration, I did more on my own and the indications of the problem went away. Here is what I did:

I downloaded Kaspersky's Virus Removal Tool and ran it in normal (not safe) mode, but with the machine still disconnected from the internet. It indicated that the registry entry ending in ntload.exe and another one ending in ntload.dll were launching the trojan HUER.Win32.generic. The trojan Win32.FraudPack.bfhk was also embedded in the registry. Other problems were reported connected to the registry entry for rundll32.exe. Several other problems were found and either deleted, or quarantined by the software. McAfee was able to identify a problem (it said the Trojan Generic.dx!tje was identified and blocked) but it wasn't able to remove the malicious software. I uninstalled McAfee and installed the Kaspersky 2011 Internet Security Suite and did another full scan of the system. Some adware was found and deleted, but no more evidence of either of the Trojans was found. I also ran Malwarebytes again and it did not report any remaining infections in the registry keys, values or data items. Similarly, Malwarebytes indicated no remaining infections in the files, folders or memory modules.

Based on that background, I'm hoping my problem is behind me now. There is a learning curve with Kaspersky as it asks for my assessment of actions trying to gain access to other programs or my internal passwords. I've blocked everything I wasn't sure of, but let some things (like Microsoft Outlook) continue to operate normally with unrestricted internal access. If my actions have not been sufficient to deal with the trojans listed, or if I am likely to have a remaining problem that requires continuing with the course of action you outlined so effectively, let me know with another posting.

I did run across the advice to run ComboFix on www.bleeping computer.com, but felt the actions taken by the Kaspersky software had adequately addressed my problems. If I'm wrong - please let me know and I'll keep swinging the protection axe.

Gary
Gammo Posted August 21, 2010 ID:303477

Hi,

Can you please run DDS again and post the log it produces (DDS.txt)? That way I can verify if your PC is clean.
Maurice Naggar Posted August 28, 2010 ID:305869

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!