Windows XP Recovery icon appeared and Google keeps redirecting me

[barbara07]

Hi there.

Here's a brief overview of what's happened.

I started getting problems last night after clicking on a Green tick Google search item while in a Mozilla window. The computer froze and on restarting, a whole bunch of icons had disappeared from my desktop and from the Start / All Programs menu, my desktop background picture was replaced by a plain purple and I was unable to open up a Mozilla FireFox or Opera window. I restarted the computer in Safe Mode and re-downloaded MalwareBytes' Anti-Malware and performed a quick scan which found and quarantined a few items. When I restarted the computer (in Normal? mode) everything seemed fine, icons were back, background back but Mozilla was redirecting all my searches. Bring on the blue screen of death and the earlier problems of missing icons and changed background are back along with the Windows XP Recovery icon. For a while I wasn't able to get back to Safe Mode, I could chose the Safe Mode with Networking and then the screen would freeze. It wasn't until I let it carry it to 'Normal mode' where I saw an NTFS error: Checking file system on C:

The type of file system is NTFS

One of your disks needs to be checked for constistency.

Windows will not check the drive.

Since then, I've gone back to Safe Mode and run full scans using Malwarebytes' Anti-Malware and Spybot - Search and Destroy. I've tried to run the Windows XP Recovery self-help guide but I was unable to get the TDSS Rootkit Removing Tool to run.

So, now I given up on that approach and am following the 'I'm infected - What do I do now?' tutorial. I'm attaching the logs that I got through following those steps.

Malwarebytes' Anti-Malware quick scan log

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6732

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

31/05/2011 16:27:42

mbam-log-2011-05-31 (16-27-42).txt

Scan type: Quick scan

Objects scanned: 160468

Time elapsed: 5 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Copy/pasted DDS log file

.

DDS (Ver_11-05-19.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Run by Administrator at 18:53:29 on 2011-05-31

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1391 [GMT 1:00]

.

AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Opera\Opera.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRunOnce: [scan_after_setup] "c:\program files\avira\antivir desktop\avcenter.exe" /SCANAFTERSETUP="scan wait newprocess"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247239793109

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\trbj5jkg.default\

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\opera\program\plugins\NPSibelius.dll

FF - plugin: c:\program files\opera\program\plugins\NPSibelius.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

============= SERVICES / DRIVERS ===============

.

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-7-31 20744]

R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-5-17 27632]

S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-5-31 11608]

S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214024]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-5-31 136360]

S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-5-31 269480]

S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-5-31 61960]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-10 88176]

S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-7-10 359952]

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-7-10 144704]

S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2010-5-17 90112]

S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2008-12-7 29192]

S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-7-2 25480]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-7-10 606736]

S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-10 79816]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-10 35272]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-10 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-10 40552]

S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-7-17 89256]

S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-7-17 15016]

S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-7-17 120744]

S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-7-17 114216]

S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-7-17 25512]

S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-7-17 110632]

S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-7-17 115752]

.

=============== Created Last 30 ================

.

2011-05-31 16:10:48 -------- d-----w- c:\documents and settings\administrator\application data\Avira

2011-05-31 16:09:48 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-05-31 16:09:46 -------- d-----w- c:\program files\Avira

2011-05-31 16:09:46 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-05-31 03:04:03 -------- d-sh--w- C:\found.000

2011-05-30 23:52:57 -------- d-----w- c:\program files\omvhsnel

2011-05-30 23:10:03 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE

2011-05-22 01:03:40 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-01 19:08:06 -------- d--h--w- c:\documents and settings\all users\application data\cA06511PhCpK06511

.

==================== Find3M ====================

.

2011-05-31 04:27:03 90112 ----a-w- c:\windows\DUMP446b.tmp

2011-04-05 20:48:26 639995 ----a-w- c:\windows\unins000.exe

2011-03-29 08:08:46 80896 ----a-w- c:\windows\system32\ff_vfw.dll

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2009-07-28 03:34:11 58652 ----a-w- c:\program files\AMVapp-uninst.exe

.

============= FINISH: 18:54:56.03 ===============

Please find attached ark.txt and attach.txt in the file Attach.zip (if I've attached it properly).

Attach.zip

I ran into a few issues while following the tutorial as follows:

- DeFogger didn't prompt me to restart.

- I checked that the right boxes were unchecked - the first time, GMER Scanner stopped after 15 minutes but hadn't finished and the second time, I left the GMER Scanner to run for over two hours before I cut it off - I wasn't sure how long it was supposed to run for.

Please excuse my waffling; I'm not so hot on computers and I have no idea what's going on with my computer.

Any advice is appreciated,

kind regards

Babs

[Kenny94]

Hi barbara07 and Welcome to Malwarebytes!

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

• Please download and run UnHide.exe by Grinler.
  
• Double-click unhide.exe to run the program.
  
• After running it, your files should reappear. Please let us know the result.
  

Next

Please download aswMBR from here

• Save aswMBR.exe to your Desktop
  
• Double click aswMBR.exe to run it
  
• Click the Scan button to start the scan as illustrated below
  

Note: Do not take action against any **Rootkit** entries until I have reviewed the log.

• Once the scan finishes click Save log to save the log to your Desktop
  
  
• Copy and paste the contents of aswMBR.txt back here for review
  

[barbara07]

Hi Kenny94, thanks for the welcome!

I've noted the words in red and I will follow only the advice here.

Here's a blow by blow account of what I've done

In Safe mode with Networking

Administrator Profile

23:37 Downloaded and run unhide.exe

23:42 A yellow triangle with an exclamation mark in the bottom right of my screen appeared with the following -> attrib.exe - Corrupt File

\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb is corrupt and unreadable. Please run the Chkdsk utility.

23:42 unhide.exe finished

In Start/All Programs, there are some of my programs.

Most don't lead anywhere e.g. Start/All Programs/CCleaner/(empty),

the only ones that do are the ones downloaded to my desktop such as Malwarebytes', Spybot Search and Destroy and (weirdly I think) some of the items on Start/All Programs/Accessories.

A lot of my files, not including photos are in My Computer/Babs' Documents.

I restarted the computer to see what it was like in normal mode, this is what happened:

23:46 Restart computer in normal mode

Checking file system on C:

The type of the file system is NTFS

One of your disks needs to be checked for consistancy.

You may cancel the disk check, but it is strongly recommended that you continue.

I pressed space bar to skip this but the screen froze

23:49 Restart computer in normal mode

Same message as before.

Pressed space bar to skip - Desk checking has been cancelled.

Purple background (not of my choosing), Opera icon missing.

Same as in Safe mode: many programs returned to in Start/All Programs but don't lead anywhere. The folder is there but the program isn't e.g. Sibelius Software, Mathtype 6, Interproset Wireless, CCleaner.

Avira started up so I stopped the scan it wanted to do.

23:55 Restarted in Safe Mode with Networking

Administrator Profile

23:59 Downloaded aswMBR.exe

00:00 Scan

00:01 Scan finished successfully

Copy and pasted aswMBR log

aswMBR version 0.9.5.317 Copyright© 2011 AVAST Software

Run date: 2011-06-01 00:00:18

-----------------------------

00:00:18.562 OS Version: Windows 5.1.2600 Service Pack 3

00:00:18.562 Number of processors: 2 586 0xE08

00:00:18.562 ComputerName: DBHC7H2J UserName:

00:00:19.203 Initialize success

00:00:24.859 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

00:00:24.875 Disk 0 Vendor: SAMSUNG_HM060HI YD100-15 Size: 55796MB BusType: 3

00:00:26.921 Disk 0 MBR read successfully

00:00:26.937 Disk 0 MBR scan

00:00:26.953 Disk 0 Windows XP default MBR code

00:00:28.968 Disk 0 scanning sectors +114254280

00:00:29.015 Disk 0 scanning C:\WINDOWS\system32\drivers

00:00:36.921 File C:\WINDOWS\system32\drivers\volsnap.sys **SUSPICIOUS**

00:00:36.937 Service scanning

00:00:40.640 Disk 0 trace - called modules:

00:00:40.687 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a5001ed]<<

00:00:40.703 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a542ab8]

00:00:40.718 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a588d98]

00:00:40.750 \Driver\atapi[0x8a5816b8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a5001ed

00:00:48.578 Unsigned kernel modules:

00:00:48.671 0xf7717000 C:\WINDOWS\system32\drivers\cercsr6.sys

00:01:01.734 Scan finished successfully

00:01:40.546 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"

00:01:40.578 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR0001.txt"

One question, should I stay in Safe Mode with Networking or back to normal mode?

Regards

Babs

[Kenny94]

You need to be in normal mode with the fixes. Unless otherwise instructed....

1. Download ComboFix from below:
   Combofix download
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   You can get help on disabling your protection programs here
   
3. Double click on combofix.exe & follow the prompts.
   
4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
   Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
   
   The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
   With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
   Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
   ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
   Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
   The Recovery Console was successfully installed.
   
   Click on Yes, to continue scanning for malware.
   
5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
6. When finished, it shall produce a log for you. Post that log (C:\ComboFix.txt) in your next reply.
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   ---------------------------------------------------------------------------------------------
   
7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
   ---------------------------------------------------------------------------------------------
   

[barbara07]

Thanks for that, Normal mode from now on

00:53 Restart to Normal mode

Skipped the disk checking by pressing space bar.

00:58 Downloaded ComboFix.exe

01:00 Avira window popped up saying the following: Guard Malware found

AntVirGuard Detected 2 Viruses or unwanted programs.

Access was denied.

Please select a further action.

I checked the x close button top right of the box.

Disabled antivirus and antispyware

01:20 Double clicked ComboFix.exe

01:31 Scanning for infected files...

01:51 Preparing log report

01:58 Log report ready and saved

Re-enabled antivirus and antispyware.

Please find the ComboFix report attached combolog.txt .

Thank you for all your help.

Regards

Babs

[Kenny94]

Nice Job!

There are some older versions of Java and Adobe Acrobat Reader on your computer. These can be a source of the infection/infections.

Go to Start > Control Panel > Add/Remove Programs.

Please remove these entries from Add/Remove Programs in the Control Panel

Adobe Reader 9.1

Java

[barbara07]

Thank you for your quick replys!

I've fallen at the first hurdle of your instructions.

03:06 Via Control/Add Remove Programs, clicked Remove for Adobe Reader 9.1, no problem.

Clicked option to restart later.

03:09 When I clicked Remove for Java 6 Update 17, I got the following box:

The applications listed are currently running and must be closed to allow the install to proceed.

iexplore.exe

There is a check box which said 'Quit the applications listed (save your work before clicking Retry).

I thought 'install' sounded weird. So I clicked the Cancel option.

Should I check the box and hit Retry?

Regards

Babs

[Kenny94]

Go ahead and click retry next time Babs.....

[barbara07]

Cool, so I'd gotten through the first two steps without a hitch; I'd followed the instructions to remove Adobe Reader 9.1 and Java Update 17 and install Adobe Reader 10.0.1 and the latest version of JRE 6. When I clicked on the test for my Java Run-time, I got the following with a white tick inside a yellow circle: Vendor: Sun MicroSystems Inc.

Version: Java SE 6 Update 25

Operating System: Windows XP 5.1

Architecture: x86.

Now, when I got the next step regarding the ESET Online Scanner, I disabled Mcafee and Avira AntiVir and got up to Step 1 Downloading Virus Signature database. After a minute or two, I got the following Initialisation... (and in red writing) Can not get update. Is proxy configured? and the scan came to a halt.

The step by step baby instructions are a real help, what shall I do now?

Regards

Babs

[Kenny94]

Please download MiniToolBox to Desktop and run it.

Checkmark the following boxes:

• 
  
• Flush DNS
  
• Report IE Proxy Settings
  
• Reset IE Proxy Settings
  
• List content of Hosts
  
• List IP Configuration
  
• Lst Last 10 Event Viewer Errors
  
• List Users, Partitions and Memory Size
  

Click Go and copy/paste the log (Result.txt) into your next post.

Next, try to run ESET Online Scanner Babs. Post this log as well...

[barbara07]

Thanks for that

I was able to run both the MiniToolBox and ESET Scanner.

Here are those copy/pasted logs;

Result.txt

MiniToolBox by Farbar

Ran by Babs (administrator) on 01-06-2011 at 18:53:40

Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

================= Flush DNS: ==============================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

================= End of Flush DNS ========================================

========================= IE Proxy Settings: ==============================

Proxy is not enabled.

No Proxy Server is set.

========================= End of IE Proxy Settings ========================

"Reset IE Proxy Settings": Proxy Settings were reset.

=============== Hosts content: ============================================

127.0.0.1 localhost

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------

# Interface IP Configuration

# ----------------------------------

pushd interface ip

# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp

set dns name="Local Area Connection" source=dhcp register=PRIMARY

set wins name="Local Area Connection" source=dhcp

# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp

set dns name="Wireless Network Connection" source=dhcp register=PRIMARY

set wins name="Wireless Network Connection" source=dhcp

popd

# End of interface IP configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : dbhc7h2j

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller

Physical Address. . . . . . . . . : 00-15-C5-AD-E1-5C

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel® PRO/Wireless 3945ABG Network Connection

Physical Address. . . . . . . . . : 00-18-DE-22-59-85

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.0.6

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.0.1

DHCP Server . . . . . . . . . . . : 192.168.0.1

DNS Servers . . . . . . . . . . . : 194.168.4.100

194.168.8.100

Lease Obtained. . . . . . . . . . : 01 June 2011 18:44:41

Lease Expires . . . . . . . . . . : 01 June 2011 19:44:41

Server: cache1.service.virginmedia.net

Address: 194.168.4.100

Name: google.com

Addresses: 209.85.229.104, 209.85.229.147, 209.85.229.99

Pinging google.com [209.85.229.104] with 32 bytes of data:

Reply from 209.85.229.104: bytes=32 time=35ms TTL=53

Reply from 209.85.229.104: bytes=32 time=24ms TTL=53

Ping statistics for 209.85.229.104:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 24ms, Maximum = 35ms, Average = 29ms

Server: cache1.service.virginmedia.net

Address: 194.168.4.100

Name: yahoo.com

Addresses: 69.147.125.65, 72.30.2.43, 98.137.149.56, 209.191.122.70

67.195.160.76

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

Reply from 98.137.149.56: bytes=32 time=277ms TTL=53

Reply from 98.137.149.56: bytes=32 time=193ms TTL=53

Ping statistics for 98.137.149.56:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 193ms, Maximum = 277ms, Average = 235ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================

Interface List

0x1 ........................... MS TCP Loopback interface

0x2 ...00 15 c5 ad e1 5c ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport

0x3 ...00 18 de 22 59 85 ...... Intel® PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport

===========================================================================

===========================================================================

Active Routes:

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.6 25

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

192.168.0.0 255.255.255.0 192.168.0.6 192.168.0.6 25

192.168.0.6 255.255.255.255 127.0.0.1 127.0.0.1 25

192.168.0.255 255.255.255.255 192.168.0.6 192.168.0.6 25

224.0.0.0 240.0.0.0 192.168.0.6 192.168.0.6 25

255.255.255.255 255.255.255.255 192.168.0.6 2 1

255.255.255.255 255.255.255.255 192.168.0.6 192.168.0.6 1

Default Gateway: 192.168.0.1

===========================================================================

Persistent Routes:

None

================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:

==================

Error: (06/01/2011 06:47:27 PM) (Source: ESENT) (User: )

Description: wuauclt (4104) Unable to write a shadowed header for file C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb. Error -1022.

Error: (06/01/2011 06:47:27 PM) (Source: ESENT) (User: )

Description: wuauclt (4104) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" for read / write access failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The open file operation will fail with error -1022 (0xfffffc02).

Error: (06/01/2011 06:47:27 PM) (Source: ESENT) (User: )

Description: wuauclt (4104) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The delete file operation will fail with error -1022 (0xfffffc02).

Error: (06/01/2011 06:47:26 PM) (Source: ESENT) (User: )

Description: wuauclt (4036) Unable to write a shadowed header for file C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb. Error -1022.

Error: (06/01/2011 06:47:26 PM) (Source: ESENT) (User: )

Description: wuauclt (4036) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" for read / write access failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The open file operation will fail with error -1022 (0xfffffc02).

Error: (06/01/2011 06:47:26 PM) (Source: ESENT) (User: )

Description: wuauclt (4036) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The delete file operation will fail with error -1022 (0xfffffc02).

Error: (06/01/2011 06:47:26 PM) (Source: ESENT) (User: )

Description: wuauclt (4408) Unable to write a shadowed header for file C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb. Error -1022.

Error: (06/01/2011 06:47:26 PM) (Source: ESENT) (User: )

Description: wuauclt (4408) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" for read / write access failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The open file operation will fail with error -1022 (0xfffffc02).

Error: (06/01/2011 06:47:26 PM) (Source: ESENT) (User: )

Description: wuauclt (4408) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The delete file operation will fail with error -1022 (0xfffffc02).

Error: (06/01/2011 06:47:25 PM) (Source: ESENT) (User: )

Description: wuauclt (5404) Unable to write a shadowed header for file C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb. Error -1022.

System errors:

=============

Error: (06/01/2011 03:16:33 PM) (Source: DCOM) (User: Babs)

Description: The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Error: (06/01/2011 04:33:52 AM) (Source: DCOM) (User: SYSTEM)

Description: The server {9B1F122C-2982-4E91-AA8B-E071D54F2A4D} did not register with DCOM within the required timeout.

Error: (06/01/2011 04:31:36 AM) (Source: DCOM) (User: Babs)

Description: The server {9B1F122C-2982-4E91-AA8B-E071D54F2A4D} did not register with DCOM within the required timeout.

Error: (06/01/2011 01:31:29 AM) (Source: Service Control Manager) (User: )

Description: The Sony Ericsson OMSI download service service terminated unexpectedly. It has done this 1 time(s).

Error: (06/01/2011 01:23:01 AM) (Source: Service Control Manager) (User: )

Description: The McAfee SystemGuards service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (06/01/2011 01:23:01 AM) (Source: Service Control Manager) (User: )

Description: The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (06/01/2011 01:19:41 AM) (Source: DCOM) (User: Babs)

Description: The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Error: (06/01/2011 00:56:44 AM) (Source: DCOM) (User: Babs)

Description: The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Error: (06/01/2011 00:54:23 AM) (Source: DCOM) (User: SYSTEM)

Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""

in order to run the server:

{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (06/01/2011 00:20:54 AM) (Source: DCOM) (User: Administrator)

Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""

in order to run the server:

{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Microsoft Office Sessions:

=========================

Error: (06/01/2011 06:47:27 PM) (Source: ESENT)(User: )

Description: wuauclt4104C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb-1022

Error: (06/01/2011 06:47:27 PM) (Source: ESENT)(User: )

Description: wuauclt4104C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb-1022 (0xfffffc02)1392 (0x00000570)The file or directory is corrupted and unreadable.

Error: (06/01/2011 06:47:27 PM) (Source: ESENT)(User: )

Description: wuauclt4104C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb-1022 (0xfffffc02)1392 (0x00000570)The file or directory is corrupted and unreadable.

Error: (06/01/2011 06:47:26 PM) (Source: ESENT)(User: )

Description: wuauclt4036C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb-1022

Error: (06/01/2011 06:47:26 PM) (Source: ESENT)(User: )

Description: wuauclt4036C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb-1022 (0xfffffc02)1392 (0x00000570)The file or directory is corrupted and unreadable.

Error: (06/01/2011 06:47:26 PM) (Source: ESENT)(User: )

Description: wuauclt4036C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb-1022 (0xfffffc02)1392 (0x00000570)The file or directory is corrupted and unreadable.

Error: (06/01/2011 06:47:26 PM) (Source: ESENT)(User: )

Description: wuauclt4408C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb-1022

Error: (06/01/2011 06:47:26 PM) (Source: ESENT)(User: )

Description: wuauclt4408C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb-1022 (0xfffffc02)1392 (0x00000570)The file or directory is corrupted and unreadable.

Error: (06/01/2011 06:47:26 PM) (Source: ESENT)(User: )

Description: wuauclt4408C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb-1022 (0xfffffc02)1392 (0x00000570)The file or directory is corrupted and unreadable.

Error: (06/01/2011 06:47:25 PM) (Source: ESENT)(User: )

Description: wuauclt5404C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb-1022

========================= End of Event log errors =========================

========================= Memory info: ====================================

Percentage of memory in use: 50%

Total physical RAM: 2038.37 MB

Available physical RAM: 1013.23 MB

Total Pagefile: 2641.15 MB

Available Pagefile: 1668.69 MB

Total Virtual: 2047.88 MB

Available Virtual: 1998.81 MB

======================= Partitions: =======================================

1 Drive c: () (Fixed) (Total:37.21 GB) (Free:9.87 GB) NTFS

2 Drive d: (Backup) (Fixed) (Total:12.55 GB) (Free:2.85 GB) NTFS

================= Users: ==================================================

User accounts for \\DBHC7H2J

-------------------------------------------------------------------------------

Administrator ASPNET Babs

Guest HelpAssistant SUPPORT_388945a0

The command completed successfully.

================= End of Users ============================================

ESET Scanner Results

C:\DELL\ATAPI.EXE a variant of Win32/Ramnit.H virus

C:\DELL\drivers\R105921\MS\snymsico.dll a variant of Win32/Ramnit.H virus

C:\DELL\drivers\R114075\HDAQFE\win2k_xp\us\kb835221.exe a variant of Win32/Ramnit.H virus

C:\DELL\drivers\R114075\WDM\stacapi.dll a variant of Win32/Ramnit.H virus

C:\DELL\drivers\R114075\WDM\staco.dll a variant of Win32/Ramnit.H virus

C:\DELL\drivers\R114075\WDM\stacsv.exe a variant of Win32/Ramnit.H virus

C:\DELL\drivers\R114075\WDM\stlang.dll a variant of Win32/Ramnit.H virus

C:\DELL\drivers\R114075\WDM\stsystra.exe a variant of Win32/Ramnit.H virus

C:\DELL\drivers\R114075\WDM\suhlp.exe a variant of Win32/Ramnit.H virus

C:\DELL\drivers\R114079\CSVer.dll a variant of Win32/Ramnit.H virus

C:\DELL\drivers\R114079\Instngin.dll a variant of Win32/Ramnit.H virus

C:\Documents and Settings\Babs\My Documents\My Videos\Veoh\VeohWebPlayerSetup_eng.exe Win32/OpenCandy application

C:\System Volume Information\_restore{3B80D175-1B01-4903-83B2-4761282C32E3}\RP309\A0357991.exe a variant of Win32/Kryptik.OKF trojan

Kind regards

Babs

[Kenny94]

Those entries are false positives by ESET. How is your computer doing?

[barbara07]

My computer is still pretty poorly to be honest

• Whether I'm using Mozilla FireFox, Opera or Internet Explorer, unless I'm clicking a direct link like your download links, I'm redirected somewhere else.
  
• Internet browsing is pretty slow.
  
• Startup and Shutdown is longer than it was a couple days ago.
  
• A lot of programs are still hidden if that's the right terminology in that I keep getting empty. e.g. Start/All Programs/Skype/(empty). Some are just plain missing such as VLC Player.
  
• In My Computer there are some saved files for some of the missing programs but I'm unable to open them. e.g. Start/All Programs/Sony/Vegas Pro 8.0/(empty), when I tried to open one of my .veg files, the program starts but then I get an error message saying that I have missing media.
  
• The background is still purple (it's becoming too familiar!).
  
• Opera is missing here in Normal mode even though I've assigned it as my default browser.
  

This is rather a long list of problems but there have been some improvements since following the steps on here.

Is there anything else I can do?

Regards

Babs

[Kenny94]

DragTDSSKiller.exe icon into the recycle bin. Download a updated copy.

• Download TDSSKiller and save it to your Desktop.
  
• Extract its contents to your desktop.
  
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
• Vista/Windows 7 users right-click and select Run As Administrator.
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
• Click the Report button and copy/paste the contents of it into your next reply

Note:It will also create a log in the C:\ directory.

[Kenny94]

Now looking at your logs and ComboFix had deleted odd looking files. We might have Ramnit virus on board. Let's hope not.

Post the TDSSKiller log for now.

[barbara07]

I've downloaded TDSSKiller and extracting TDSSKiller.exe but I've been unable to run it.

I've double-clicked it and left it but nothing's happened and right-clicked it and selected 'Run as Administrator' as per instructions but it's not happening

[Kenny94]

Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (Example: puppy.com). If you do not see the file extension, please refer to: How to change the file extension.

Also, Run Malwarebytes to Babs.

Update Run Malwarebytes

• Launch Malwarebytes' Anti-Malware
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

[barbara07]

What I've done;

Changed RDSSKiller.exe to theatre.com

Updated Malwarebytes

[Kenny94]

Drag combofix icon into the recycle bin. Download a updated copy.

Please rerun Combofix and tell me if it still detects rootkit activity? Also, post that log in your next reply:

1. Download ComboFix from below:
   Combofix download
   

[barbara07]

Hi there,

I dragged away the old ComboFix icon and downloaded ComboFix.exe from the link provided.

I double-clicked it and got the window asking if I accepted the terms and conditions and clicked yes. I got the blue window for a few seconds then a loud beep, another window appeared and saying that it had found something. A few seconds later, another window appeared which said that it 'has detected rootkit activity and needs to reboot'. The computer restarted, no noticable differences apart from a new file on the desktop catchme.log . I wasn't able to find ComboFix.txt .

The content of catchme.log is

File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully

File list cleared

I hope you can make sense of this :s

Regards

Babs

[Kenny94]

Combofix log resides in your C: Drive. C:\ look for ComboFix.txt. There should be two ComboFix.txt files. Post the one with todays date on the top of the report.

[barbara07]

Found it!

It was in something called C:\Qoobox .

There were two combofix files with the date 01/06/11.

The first copy/paste is of ComboFix2.txt

ComboFix 11-05-31.01 - Babs 01/06/2011 1:31.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1244 [GMT 1:00]

Running from: c:\documents and settings\Babs\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\hpe2B1.dll

c:\documents and settings\Babs\Application Data\.#

c:\documents and settings\Babs\Application Data\.#\MBX@950@3837C8.###

c:\documents and settings\Babs\Application Data\.#\MBX@950@3837D8.###

c:\documents and settings\Babs\Application Data\.#\MBX@950@3837E8.###

c:\documents and settings\Babs\Application Data\Adobe\plugs

c:\documents and settings\Babs\Application Data\Adobe\shed

c:\documents and settings\Babs\WINDOWS

D:\install.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-05-01 to 2011-06-01 )))))))))))))))))))))))))))))))

.

.

2011-05-31 16:10 . 2011-05-31 16:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira

2011-05-31 16:09 . 2011-04-01 16:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-05-31 16:09 . 2011-04-01 16:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-05-31 16:09 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-05-31 16:09 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-05-31 16:09 . 2011-05-31 16:09 -------- d-----w- c:\program files\Avira

2011-05-31 16:09 . 2011-05-31 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-05-30 23:52 . 2011-05-30 23:52 -------- d-----w- c:\program files\omvhsnel

2011-05-30 23:10 . 2011-05-30 23:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2011-05-22 01:03 . 2011-05-22 01:03 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-31 04:27 . 2009-07-10 13:12 90112 ----a-w- c:\windows\DUMP446b.tmp

2011-04-05 20:48 . 2011-04-05 20:48 639995 ----a-w- c:\windows\unins000.exe

2011-03-29 08:08 . 2011-04-10 02:22 80896 ----a-w- c:\windows\system32\ff_vfw.dll

2011-03-07 05:33 . 2009-07-10 12:42 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2004-08-10 11:00 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2004-08-10 11:00 1857920 ----a-w- c:\windows\system32\win32k.sys

2009-07-28 03:34 . 2009-07-28 03:34 58652 ----a-w- c:\program files\AMVapp-uninst.exe

2010-03-31 09:09 . 2010-03-31 09:09 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll

2010-04-08 11:36 . 2010-04-08 11:36 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

2010-03-31 09:09 . 2010-03-31 09:09 10437264 ----a-w- c:\program files\opera\program\plugins\PDFNetC.dll

2010-04-08 11:36 . 2010-04-08 11:36 107760 ----a-w- c:\program files\opera\program\plugins\ScorchPDFWrapper.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-09 645328]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2009-07-10 14:09 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AVerQuick.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AVerQuick.lnk

backup=c:\windows\pss\AVerQuick.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Babs^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk]

path=c:\documents and settings\Babs\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk

backup=c:\windows\pss\BBC iPlayer Desktop.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

2004-08-10 11:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

2004-08-10 11:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-26 17:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]

2005-11-16 14:35 397312 ----a-w- c:\windows\stsystra.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

2009-09-24 13:41 434176 ----a-w- c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-12-09 12:33 149280 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]

2009-07-15 19:42 288048 ----a-w- c:\program files\uTorrent\uTorrent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]

2010-02-22 22:52 2633976 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

.

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [31/07/2008 20:45 20744]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [31/05/2011 17:09 136360]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/07/2009 15:38 88176]

R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [17/05/2010 22:27 27632]

S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [17/05/2010 22:27 90112]

S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [07/12/2008 12:44 29192]

S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [02/07/2008 14:58 25480]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]

S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [17/07/2009 01:00 89256]

S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [17/07/2009 01:00 15016]

S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [17/07/2009 01:00 120744]

S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [17/07/2009 01:00 114216]

S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [17/07/2009 01:00 25512]

S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [17/07/2009 01:00 110632]

S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [17/07/2009 01:00 115752]

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-10 20:26]

.

2011-06-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-10 20:26]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s

IE: Free YouTube to MP3 Converter - c:\documents and settings\Babs\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm

TCP: DhcpNameServer = 194.168.4.100 194.168.8.100

FF - ProfilePath - c:\documents and settings\Babs\Application Data\Mozilla\Firefox\Profiles\mrt3l3bt.default\

FF - prefs.js: network.proxy.type - 4

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: AutoPager: autopager@mozilla.org - %profile%\extensions\autopager@mozilla.org

FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}

FF - Ext: OldFactory Black: {69D30031-F4A8-452a-A5B3-5D6787C3C5CF} - %profile%\extensions\{69D30031-F4A8-452a-A5B3-5D6787C3C5CF}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-ggePSKfpxtP - c:\documents and settings\All Users\Application Data\ggePSKfpxtP.exe

HKCU-Run-cdMfaqMjcME - c:\documents and settings\All Users\Application Data\cdMfaqMjcME.exe

AddRemove-FolderLock6 - c:\program files\Folder Lock\Uninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-01 01:51

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(920)

c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

.

Completion time: 2011-06-01 01:58:56

ComboFix-quarantined-files.txt 2011-06-01 00:58

.

Pre-Run: 10,988,879,872 bytes free

Post-Run: 11,212,197,888 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 557029CFBCAACA6638E72B04BB82AB7C

The second copy/paste is of ComboFix-quarantined-files.txt

2011-06-01 00:58:06 . 2011-06-01 00:58:06 610 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-FolderLock6.reg.dat

2011-06-01 00:56:34 . 2011-06-01 00:56:34 79 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-cdMfaqMjcME.reg.dat

2011-06-01 00:56:34 . 2011-06-01 00:56:34 79 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-ggePSKfpxtP.reg.dat

2011-06-01 00:51:28 . 2007-11-07 07:03:18 562,688 ----a-w- C:\Qoobox\Quarantine\D\install.exe.vir

2011-06-01 00:45:27 . 2011-06-01 00:45:27 9,897 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2011-06-01 00:25:18 . 2011-06-01 00:25:18 51 ----a-w- C:\Qoobox\Quarantine\catchme.log

2010-05-17 21:27:31 . 2010-05-17 21:27:31 148,736 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\hpe2B1.dll.vir

2009-07-15 19:02:11 . 2009-07-15 19:02:11 2,048 -c--atw- C:\Qoobox\Quarantine\C\Documents and Settings\Babs\Application Data\.#\MBX@950@3837C8.###.vir

2009-07-15 19:02:08 . 2009-07-15 19:02:08 2,048 -c--atw- C:\Qoobox\Quarantine\C\Documents and Settings\Babs\Application Data\.#\MBX@950@3837E8.###.vir

2009-07-15 19:02:07 . 2009-07-15 19:02:07 2,048 -c--atw- C:\Qoobox\Quarantine\C\Documents and Settings\Babs\Application Data\.#\MBX@950@3837D8.###.vir

Regards

Babs

[Kenny94]

Attention: Your computer is severely infected with Win32\Ramnit what is now called, a cocktail infection. This is an infection that is comprised of many different types of viruses and other malware, to damage your computer, and use it as a zombie for its backdoor network. In other words, your computer is under control of a hacker, and regaining control is now next to impossible.

The first component is a backdoor trojan, which is a type of trojan that communicates with a hacker: to transfer personal information about you, use your computer to help perform a denial-of-service attack, redirect your internet searches in order to make money off of your browsing habits, and can be a keylogger to steal personal identifiable information to help rob your identity.

The second component is a rootkit, which is a type of malware to take control over your computer at administrator access, having full permission to modify all of your device drivers, and allowing itself to hide all the malware on the system. In other words, it is a hackers way of taking control of your computer, and hiding in the dark at the same time. This is a prime initiative of hackers to help keep access to your computer, robbing all of your personal information, and using your computer to send spam across the internet.

The third component is a file infector, which is a type of virus to purposely damage as many files as possible, in order to keep control of your system, so you have as little access as possible.

Not only has your system been compromised severely, it is also highly damaged, and if you do not commit to my suggested removal method below, then your computer may not function anymore.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

• How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
  
• What Should I Do If I've Become A Victim Of Identity Theft?
  
• Identity Theft Victims Guide - What to do

Removal method:

It is recommended to do a reformat and reinstall of your operating system. the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety.

I recommend the following articles to read:

• When should I re-format? How should I reinstall?
  
• Help: I Got Hacked. Now What Do I Do?
  
• Help: I Got Hacked. Now What Do I Do? Part II
  
• Where to draw the line? When to recommend a format and reinstall?
  

Guides for format and reinstall:

http://forums.whatthetech.com/index.php?showtopic=91962

Should you have any questions, please feel free to ask.

[barbara07]

*Sigh* that's news I didn't want to hear.

Unfortunately, this isn't the first time I've had to reformat my computer

I will be taking your advice of wiping it and use this experience as the final kick I needed to make to switch from Windows to Linux.

I've got a lot of reading to do and backing up to do but in the meantime, I will disable internet access from my laptop and change my passwords on a clean computer.

Kenny94, thank you for all your time and guidance in trying to heal my computer.

Kindest regards

Babs

[LDTate]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!