
Windows XP recovery malware



Hi,

We had the Windows XP Recovery Malware (or virus) hijack our computer today. I successfully downloaded your program from a clean computer to a USB stick and installed it from there. We ran the program, it found a few things, and we allowed Malwarebytes to restart the computer.

The restart was successful but we still have no programs listed or accessible. I access the internet by typing a webpage into the RUN box. When on the internet I noticed that all the saved favorites are missing too. I don't know if that is related but thought I'd let you know.

I tried looking for the notes file after it ran but I can't find it in the logs or I would have posted it. We are using the free version and it is the most updated version at this writing. We have the most updated free version of Avira AntiVirus too, which the malware kept interrupting before it was removed.

I hope you can further help us.

Thank you.



Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Download unhide.exe & save it to your Windows folder:

Right click on unhide.exe and select Run as administrator (In case you have Vista or Win7)

Reboot

This will unhide folders/files that were set to be hidden by the infection you had.

Let me know if that solved your problem.


Hi,

I was unable to find this (my original post) after searching, as well as searching under my screen name, so I reposted prior to your reply with the logs yesterday. Here is a link to that post: My link

As you will see in that post, I tried to follow the directions in this board's pinned post. I am not at that computer now but will be later today and will try and copy/paste those logs here if you like, but what to do about the GMER, as I had trouble with that log?

I hope you can delete one of these posts to consolidate your board...

Waiting to run unhide.exe until you see the other post.


This was the log generated at the start of the problem.

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6905

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

6/21/2011 12:30:36 PM

mbam-log-2011-06-21 (12-30-36).txt

Scan type: Quick scan

Objects scanned: 159205

Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Log post unhide.exe:

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6928

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

6/23/2011 1:12:22 PM

mbam-log-2011-06-23 (13-12-22).txt

Scan type: Quick scan

Objects scanned: 159925

Time elapsed: 3 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS report prior to running unhide.exe

.

DDS (Ver_2011-06-12.02) - NTFSx86 NETWORK

Internet Explorer: 7.0.5730.13

Run by Owner at 13:05:31 on 2011-06-21

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1639 [GMT -4:00]

.

AV: Verizon Internet Security Suite Anti-Virus *Disabled/Outdated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Verizon Internet Security Suite Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Owner\Application Data\U3\0000188C3671D2D1\LaunchPad.exe

.

============== Pseudo HJT Report ===============

.

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=DTP&M=DX110S

uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home

mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=DTP&M=DX110S

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\verizon\verizon internet security suite\pkR.dll

BHO: PBlockHelper Class: {4115122b-85ff-4dd3-9515-f075bede5eb5} - c:\progra~1\netsca~1\netsca~1\pbhelper.dll

BHO: ZKBho Class: {56071e0d-c61b-11d3-b41c-00e02927a304} - c:\program files\verizon\verizon internet security suite\FBHR.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll

BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File

TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [AbacastDistributedOnDemand:11] c:\documents and settings\owner\local settings\application data\abacastdistributedondemand\node\11\AbacastDistributedOnDemand.exe -r:11 -x:1

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1

uRun: [dDvfxSVnTfHs] c:\documents and settings\all users\application data\dDvfxSVnTfHs.exe

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [<NO NAME>]

mRun: [Gateway Extended Warranty] "c:\program files\gateway\gwcares\GWCares.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN

mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"

mRun: [lxecmon.exe] "c:\program files\lexmark pro800-pro900 series\lxecmon.exe"

mRun: [EzPrint] "c:\program files\lexmark pro800-pro900 series\ezprint.exe"

mRun: [Lexmark Pro800-Pro900 Series Fax Server] "c:\program files\lexmark pro800-pro900 series\fm3032.exe" /s

dRun: [Power2GoExpress] NA

IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML

IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

LSP: c:\program files\netscape internet service\netscape web accelerator\sliplsp.dll

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285267317328

DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{2C6A64E4-1CC7-4A77-AEAF-23DEA62485B8} : DhcpNameServer = 192.168.1.1

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

============= SERVICES / DRIVERS ===============

.

S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-16 11608]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-16 108289]

S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-16 185089]

S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-16 56816]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]

S2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]

S2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [2010-9-8 193192]

S2 ServicepointService;ServicepointService;c:\program files\verizon\vsp\ServicepointService.exe [2010-5-10 668912]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]

.

=============== Created Last 30 ================

.

2011-06-20 20:39:13 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes

2011-06-20 20:15:53 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-20 20:15:52 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-06-20 20:15:49 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-20 20:15:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-15 07:16:20 105472 -c-h--w- c:\windows\system32\dllcache\mup.sys

.

==================== Find3M ====================

.

2011-05-02 15:31:52 692736 ---ha-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19:43 456320 ---ha-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 15:51:58 832512 ---ha-w- c:\windows\system32\wininet.dll

2011-04-25 15:51:57 78336 ---ha-w- c:\windows\system32\ieencode.dll

2011-04-25 15:51:57 1830912 ---h--w- c:\windows\system32\inetcpl.cpl

2011-04-25 15:51:57 17408 ---h--w- c:\windows\system32\corpol.dll

2011-04-25 12:01:21 389120 ---ha-w- c:\windows\system32\html.iec

2011-04-21 13:37:43 105472 ---ha-w- c:\windows\system32\drivers\mup.sys

.

============= FINISH: 13:06:19.54 ===============

Attach report from DDS prior to running unhide.exe

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-06-12.02)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 7/9/2006 11:58:06 AM

System Uptime: 6/21/2011 1:04:24 PM (0 hours ago)

.

Motherboard: MicroStar International | | MS-7248

Processor: Intel® Celeron® CPU 2.80GHz | Socket 775 | 2799/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 148 GiB total, 131.403 GiB free.

D: is FIXED (FAT32) - 5 GiB total, 2.703 GiB free.

E: is CDROM ()

F: is CDROM (CDFS)

G: is Removable

H: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP780: 3/23/2011 12:32:54 PM - System Checkpoint

RP781: 3/24/2011 2:00:04 PM - Software Distribution Service 3.0

RP782: 3/24/2011 2:15:16 PM - Installed Compatibility Pack for the 2007 Office system

RP783: 3/24/2011 5:42:11 PM - Software Distribution Service 3.0

RP784: 3/25/2011 4:56:43 PM - Software Distribution Service 3.0

RP785: 3/26/2011 5:23:13 PM - System Checkpoint

RP786: 3/28/2011 9:19:21 AM - System Checkpoint

RP787: 3/29/2011 9:29:49 AM - System Checkpoint

RP788: 3/30/2011 10:27:14 AM - System Checkpoint

RP789: 3/31/2011 11:27:09 AM - System Checkpoint

RP790: 4/1/2011 12:01:31 PM - System Checkpoint

RP791: 4/2/2011 12:19:23 PM - System Checkpoint

RP792: 4/3/2011 12:27:08 PM - System Checkpoint

RP793: 4/4/2011 1:44:59 PM - System Checkpoint

RP794: 4/5/2011 3:29:23 PM - System Checkpoint

RP795: 4/6/2011 3:59:01 PM - System Checkpoint

RP796: 4/7/2011 4:49:40 PM - System Checkpoint

RP797: 4/8/2011 4:55:15 PM - System Checkpoint

RP798: 4/10/2011 11:13:59 AM - System Checkpoint

RP799: 4/11/2011 1:21:21 PM - System Checkpoint

RP800: 4/12/2011 3:56:46 PM - System Checkpoint

RP801: 4/13/2011 4:15:18 PM - System Checkpoint

RP802: 4/13/2011 6:23:40 PM - Software Distribution Service 3.0

RP803: 4/14/2011 8:49:22 AM - Software Distribution Service 3.0

RP804: 4/15/2011 8:55:04 AM - System Checkpoint

RP805: 4/16/2011 9:31:30 AM - System Checkpoint

RP806: 4/17/2011 10:30:09 AM - System Checkpoint

RP807: 4/18/2011 10:47:06 AM - System Checkpoint

RP808: 4/19/2011 12:15:32 PM - System Checkpoint

RP809: 4/20/2011 12:18:36 PM - System Checkpoint

RP810: 4/21/2011 1:54:03 PM - System Checkpoint

RP811: 4/22/2011 2:38:59 PM - System Checkpoint

RP812: 4/23/2011 3:14:44 PM - System Checkpoint

RP813: 4/24/2011 4:14:43 PM - System Checkpoint

RP814: 4/25/2011 4:30:24 PM - System Checkpoint

RP815: 4/26/2011 5:14:37 PM - System Checkpoint

RP816: 4/26/2011 6:03:18 PM - Software Distribution Service 3.0

RP817: 4/28/2011 8:50:53 AM - System Checkpoint

RP818: 4/29/2011 9:21:53 AM - System Checkpoint

RP819: 4/30/2011 9:53:14 AM - System Checkpoint

RP820: 5/1/2011 11:03:49 AM - System Checkpoint

RP821: 5/2/2011 11:11:32 AM - System Checkpoint

RP822: 5/3/2011 12:00:17 PM - System Checkpoint

RP823: 5/4/2011 12:58:13 PM - System Checkpoint

RP824: 5/8/2011 9:22:13 AM - System Checkpoint

RP825: 5/9/2011 3:49:42 PM - System Checkpoint

RP826: 5/10/2011 4:05:45 PM - System Checkpoint

RP827: 5/11/2011 4:44:13 PM - System Checkpoint

RP828: 5/12/2011 3:00:16 AM - Software Distribution Service 3.0

RP829: 5/13/2011 3:34:38 AM - System Checkpoint

RP830: 5/13/2011 2:22:30 PM - Software Distribution Service 3.0

RP831: 5/14/2011 2:34:39 PM - System Checkpoint

RP832: 5/15/2011 3:34:39 PM - System Checkpoint

RP833: 5/16/2011 4:34:34 PM - System Checkpoint

RP834: 5/17/2011 2:34:23 PM - Software Distribution Service 3.0

RP835: 5/18/2011 3:23:23 PM - System Checkpoint

RP836: 5/19/2011 4:10:10 PM - System Checkpoint

RP837: 5/20/2011 4:45:46 PM - System Checkpoint

RP838: 5/21/2011 5:20:58 PM - System Checkpoint

RP839: 5/22/2011 6:29:37 PM - System Checkpoint

RP840: 5/24/2011 9:38:47 AM - System Checkpoint

RP841: 5/25/2011 10:37:19 AM - System Checkpoint

RP842: 5/26/2011 12:39:50 PM - System Checkpoint

RP843: 5/27/2011 12:51:26 PM - System Checkpoint

RP844: 5/27/2011 2:25:48 PM - Removed Napster Burn Engine

RP845: 5/27/2011 2:26:01 PM - Removed Napster

RP846: 5/28/2011 2:37:19 PM - System Checkpoint

RP847: 5/29/2011 3:37:20 PM - System Checkpoint

RP848: 5/30/2011 4:35:44 PM - System Checkpoint

RP849: 5/31/2011 5:03:07 PM - System Checkpoint

RP850: 6/1/2011 5:37:13 PM - System Checkpoint

RP851: 6/2/2011 6:37:13 PM - System Checkpoint

RP852: 6/3/2011 7:37:15 PM - System Checkpoint

RP853: 6/4/2011 8:37:14 PM - System Checkpoint

RP854: 6/5/2011 9:37:14 PM - System Checkpoint

RP855: 6/6/2011 10:37:13 PM - System Checkpoint

RP856: 6/7/2011 11:07:57 PM - System Checkpoint

RP857: 6/8/2011 11:37:10 PM - System Checkpoint

RP858: 6/10/2011 9:15:23 AM - System Checkpoint

RP859: 6/11/2011 10:27:18 AM - System Checkpoint

RP860: 6/12/2011 10:46:45 AM - System Checkpoint

RP861: 6/13/2011 3:24:11 PM - System Checkpoint

RP862: 6/14/2011 3:53:26 PM - System Checkpoint

RP863: 6/15/2011 3:57:43 PM - System Checkpoint

RP864: 6/15/2011 8:00:19 PM - Software Distribution Service 3.0

RP865: 6/16/2011 8:34:39 PM - System Checkpoint

RP866: 6/17/2011 9:11:02 PM - System Checkpoint

RP867: 6/18/2011 10:11:00 PM - System Checkpoint

RP868: 6/19/2011 11:11:02 PM - System Checkpoint

RP869: 6/20/2011 1:13:06 PM - Removed Java 2 Runtime Environment, SE v1.4.2

RP870: 6/21/2011 9:13:36 AM - Software Distribution Service 3.0

.

==== Installed Programs ======================

.

Abacast Distributed Live

Abacast Distributed On-Demand

ABBYY FineReader 6.0 Sprint

Adobe Flash Player 10 ActiveX

Adobe Flash Player 9 ActiveX

Adobe Reader 7.1.0

Anti-Spyware

ATI - Software Uninstall Utility

ATI Display Driver

ATI Parental Control & Encoder

AudibleManager

Authentium

Avira AntiVir Personal - Free Antivirus

Browser Address Error Redirector

CADKIT Pricing Kit

Canon iP1600

Canon Utilities Easy-PhotoPrint

Compatibility Pack for the 2007 Office system

Coupon Printer for Windows

Critical Update for Windows Media Player 11 (KB959772)

DVD Solution

Easy-WebPrint

Fundamentals of Pricing Kit

Google Toolbar for Internet Explorer

Google Update Helper

gtw_logo

GWCares

High Definition Audio Driver Package - KB888111

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

Learn2 Player (Uninstall Only)

Lexmark Printable Web

Lexmark Pro800-Pro900 Series

Lexmark Toolbar

Malwarebytes' Anti-Malware version 1.51.0.1200

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Digital Image Library 9 - Blocker

Microsoft Encarta Encyclopedia Standard 2005

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Money 2005

Microsoft National Language Support Downlevel APIs

Microsoft Picture It! Library 10

Microsoft Picture It! Premium 10

Microsoft Streets and Trips 2005

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Word 2002

Microsoft Works

Microsoft Works 2005 Setup Launcher

Microsoft Works Suite Add-in for Microsoft Word

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Netscape Internet Service

Netscape Web Accelerator

Power2Go 4.0

PowerDVD

Product Information Manuals

QuickTime

RealPlayer Basic

Realtek High Definition Audio Driver

Recovery Software Suite Gateway

Safety Training Toolkit

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Windows Internet Explorer 7 (KB2183461)

Security Update for Windows Internet Explorer 7 (KB2360131)

Security Update for Windows Internet Explorer 7 (KB2416400)

Security Update for Windows Internet Explorer 7 (KB2482017)

Security Update for Windows Internet Explorer 7 (KB2497640)

Security Update for Windows Internet Explorer 7 (KB2530548)

Security Update for Windows Internet Explorer 7 (KB2544521)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 7 (KB974455)

Security Update for Windows Internet Explorer 7 (KB976325)

Security Update for Windows Internet Explorer 7 (KB978207)

Security Update for Windows Internet Explorer 7 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Search 4 - KB963093

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2510581)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Shockwave

SmartFTP Client

Soft Data Fax Modem with SmartCP

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 7 (KB976749)

Update for Windows Internet Explorer 7 (KB980182)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Verizon Help and Support Tool

Verizon Internet Security Suite

Verizon Servicepoint 3.5.10

Viewpoint Media Player

Vz In Home Agent

WebFldrs XP

Windows Backup Utility

Windows Genuine Advantage Validation Tool (KB892130)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Media Format 11 runtime

Windows Media Player 11

Windows Search 4.0

Windows XP Service Pack 3

Works Upgrade

.

==== Event Viewer Messages From Past Week ========

.

6/21/2011 9:16:52 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.

6/21/2011 9:15:55 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8024002d: Office XP Service Pack 3.

6/21/2011 12:53:28 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

6/20/2011 4:39:44 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde

6/20/2011 4:15:43 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm ssmdrv

6/20/2011 4:14:52 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

6/20/2011 4:14:31 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

6/20/2011 1:13:38 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.

6/20/2011 1:07:27 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxecCATSCustConnectService service to connect.

6/20/2011 1:07:27 PM, error: Service Control Manager [7000] - The lxecCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

.

==== End Of File ===========================

GMER log: we did not have the option of saving this as anything other than a .log file, so I had to copy and paste it into Notepad, i.e. after naming the file, the window below the name would not list anything other than .log and would not permit me to type .txt into it. It looked even worse in Word. If you can tell me what I did wrong, that would be most appreciated!

GMER 1.0.15.15640 - http://www.gmer.net

Rootkit scan 2011-06-22 15:05:22

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-16 HDT722516DLAT80 rev.V43OA96A

Running: 3jmsixl7.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwtyafob.sys

---- System - GMER 1.0.15 ----

SSDT BA70841E ZwCreateKey

SSDT BA708414 ZwCreateThread

SSDT BA708423 ZwDeleteKey

SSDT BA70842D ZwDeleteValueKey

SSDT BA708432 ZwLoadKey

SSDT BA708400 ZwOpenProcess

SSDT BA708405 ZwOpenThread

SSDT BA70843C ZwReplaceKey

SSDT BA708437 ZwRestoreKey

SSDT BA708428 ZwSetValueKey

SSDT BA70840F ZwTerminateProcess

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) ADFF216D

INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) ADFF1FC2

Code 8A2D0018 ZwCreateSection

Code 8A2809D8 ZwSetInformationFile

Code 8A2FB630 ZwSetSystemInformation

Code 8A452018 ZwWriteFile

Code 8A2D0017 NtCreateSection

Code 8A2809D7 NtSetInformationFile

Code 8A452017 NtWriteFile

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!IoGetBootDiskInformation + 66F 8056BC17 7 Bytes JMP 8A35BC5C

PAGE ntkrnlpa.exe!NtSetInformationFile 80570394 5 Bytes JMP 8A2809DC

PAGE ntkrnlpa.exe!NtWriteFile 80572358 7 Bytes JMP 8A45201C

PAGE ntkrnlpa.exe!NtCreateSection 805A0816 7 Bytes JMP 8A2D001C

PAGE ntkrnlpa.exe!ObCloseHandle + 17 805B1D89 7 Bytes JMP 8A3DCD04

PAGE ntkrnlpa.exe!ZwSetSystemInformation 806068D6 5 Bytes JMP 8A2FB634

PAGE Fastfat.SYS B062B9C8 7 Bytes JMP 8A4C529C

.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xADBC9400, 0x7960C, 0xE8000020]

.protectÿÿÿÿhardlock C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlock" section [0xADC6B420]

.protectÿÿÿÿhardlock C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xADC6B200, 0x5049, 0xE0000020]

? C:\DOCUME~1\Owner\LOCALS~1\Temp\kwtyafog.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1416] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom Code 8A4C5298

AttachedDevice \Driver\Tcpip \Device\Ip FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)

Device \Driver\aksusb \Device\00000091 AKSCLASS.SYS (Aladdin Class Driver/Aladdin Knowledge Systems Ltd.)

AttachedDevice \Driver\Tcpip \Device\Udp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)

Device \FileSystem\Fastfat \Fat Code 8A4C5298

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

I'm guessing it is ok to re-enable DeFogger or delete/uninstall now?


Did you run unhide?

Are your programs / shortcuts back?

You're running 2 anti-virus programs

AV: Verizon Internet Security Suite Anti-Virus *Disabled/Outdated*

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

Uninstall one of them

Did you run unhide?

Are your programs / shortcuts back?

Yes, I ran unhide. The programs and shortcuts are back, but so is a shortcut named "Windows XP Repair" which we never had. It is also in the Programs list, where there never was a listing for this before.

The "properties" describe:

Creation date of June 20, 2011 at 12:53:59 pm, which is when the malware came up and took hold of this computer.

Size: 1.68 Kb

Size on disk: 8.00 KB

Contains: 2 Files, 0 folders

So I'm guessing we're not completely rid of it yet? Also, was it normal for the Defogger and GMER to take 2 hours EACH to run?

You're running 2 anti-virus programs

Uninstall one of them

The Verizon one (our internet provider) is disabled.


I forgot to mention that the Windows XP Repair now listed in our Programs list on the Start menu also has an Uninstall, but as its creation date was the same time as the same-named malware took hold of the computer, I don't want to click on it and possibly restart the bugger.


Next:

Note: Close all browsers before running ATF Cleaner: IE, Firefox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

  • If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

  • If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Thank you for your continued help!

I followed your instructions and was able to run ATF Cleaner and ComboFix without any problems. The machine seems to be running normally, even prior to running these two, but with the Windows malware still present (?)

Here is the ComboFix log as requested. Everything was run in "regular" mode, not safe mode. Also, the Windows XP Repair icon is no longer present on the desktop screen or listed under Programs at the Start Menu after running these applications.

ComboFix 11-06-24.02 - Owner 06/24/2011 13:33:11.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1349 [GMT -4:00]

Running from: c:\program files\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator.YOUR-5E03CF73DE\WINDOWS

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\Owner\Desktop\Search.lnk

c:\documents and settings\Owner\Desktop\Windows XP Repair.lnk

c:\documents and settings\Owner\Start Menu\Programs\Windows XP Repair

c:\documents and settings\Owner\Start Menu\Programs\Windows XP Repair\Uninstall Windows XP Repair.lnk

c:\documents and settings\Owner\Start Menu\Programs\Windows XP Repair\Windows XP Repair.lnk

c:\documents and settings\Owner\WINDOWS

c:\windows\system32\BSTIEPrintCtl1.dll

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\TEMP\__3ESolutions_temp\simple_screensaver_gtw_slow.exe

D:\Autorun.inf

.

.

((((((((((((((((((((((((( Files Created from 2011-05-24 to 2011-06-24 )))))))))))))))))))))))))))))))

.

.

2011-06-24 17:24 . 2011-06-24 17:24 4137378 ------r- c:\program files\ComboFix.exe

2011-06-24 17:19 . 2011-06-24 17:19 50688 ----a-w- c:\program files\ATF_Cleaner.exe

2011-06-23 17:19 . 2011-06-23 17:19 684297 ----a-w- c:\program files\unhide.exe

2011-06-22 17:17 . 2011-06-22 17:17 302592 ----a-w- c:\program files\3jmsixl7.exe

2011-06-20 20:39 . 2011-06-20 20:39 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2011-06-20 20:15 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-20 20:15 . 2011-06-20 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-06-20 20:15 . 2011-06-21 16:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-20 20:15 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-20 20:14 . 2011-06-24 17:37 -------- d-----w- c:\documents and settings\Administrator.YOUR-5E03CF73DE

2011-06-15 07:16 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-02 15:31 . 2004-08-26 18:01 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19 . 2004-08-26 16:12 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 15:51 . 2004-08-26 16:12 832512 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 15:51 . 2004-08-26 16:11 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 15:51 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-04-25 15:51 . 2004-08-26 16:11 17408 ------w- c:\windows\system32\corpol.dll

2011-04-25 12:01 . 2004-08-26 16:11 389120 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2004-08-26 16:12 105472 ----a-w- c:\windows\system32\drivers\mup.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-10 39408]

"AbacastDistributedOnDemand:11"="c:\documents and settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" [2008-09-30 54776]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]

"Gateway Extended Warranty"="c:\program files\Gateway\GWCares\GWCares.exe" [2004-02-08 73728]

"RTHDCPL"="RTHDCPL.EXE" [2006-01-12 15961088]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-28 98304]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-11-18 4269296]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]

"lxecmon.exe"="c:\program files\Lexmark Pro800-Pro900 Series\lxecmon.exe" [2011-01-23 770728]

"EzPrint"="c:\program files\Lexmark Pro800-Pro900 Series\ezprint.exe" [2010-01-18 139944]

"Lexmark Pro800-Pro900 Series Fax Server"="c:\program files\Lexmark Pro800-Pro900 Series\fm3032.exe" [2011-01-23 316072]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon Internet Security Suite]

2006-10-20 21:47 237568 ----a-w- c:\program files\Verizon\Verizon Internet Security Suite\Rps.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\AbacastDistributedOnDemand\\Node\\11\\AbacastDistributedOnDemand.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Abacast\\Abaclient2.exe"=

"c:\\Program Files\\Verizon\\VSP\\ServicepointService.exe"=

"c:\\WINDOWS\\system32\\lxeccoms.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\scan\\scanman6.exe"=

.

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/16/2009 3:09 PM 108289]

R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]

R2 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [5/10/2010 1:44 PM 668912]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 5:12 PM 135664]

S2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [9/8/2010 2:47 PM 193192]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 5:12 PM 135664]

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 21:12]

.

2011-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 21:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

LSP: c:\program files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll

TCP: DhcpNameServer = 192.168.1.1

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-dDvfxSVnTfHs - c:\documents and settings\All Users\Application Data\dDvfxSVnTfHs.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-24 13:38

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(764)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'lsass.exe'(820)

c:\program files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll

.

Completion time: 2011-06-24 13:40:26

ComboFix-quarantined-files.txt 2011-06-24 17:40

.

Pre-Run: 139,996,622,848 bytes free

Post-Run: 140,050,587,648 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 7667AAA87226F026EECC61A96F0C880F

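The "Reg Loading Points" and "ORPHANS REMOVED" sections of the ComboFix log above are where the rogue's persistence shows up: an autorun value with a machine-generated name (dDvfxSVnTfHs) whose executable sits in All Users\Application Data, a location any user can write to. The script below is an added example (not part of this thread and not ComboFix's own logic) that parses those sections and applies that triage as a pair of heuristics. The sample input is copied from the log posted above; the reason codes, the consonant-run threshold, the list of user-writable directory fragments, and the reading of ComboFix's "[X]" marker as "target file not found" are assumptions made for this example.

```python
"""Triage autorun entries from the 'Reg Loading Points' and 'ORPHANS REMOVED'
sections of a ComboFix log.

Heuristics (assumptions for this example, not ComboFix's own logic):
  * user-writable  : the target lives under a profile/data directory
  * random-name    : the value name contains a long run of consonants
  * missing-target : ComboFix appended "[X]" to the entry
  * bare-name      : the target is a bare file name with no directory
'suspicious' needs both user-writable and random-name; any single hit is
'review'; no hit is 'ok'.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Sample input: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-10 39408]
"AbacastDistributedOnDemand:11"="c:\documents and settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" [2008-09-30 54776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-12 15961088]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
- - - - ORPHANS REMOVED - - - -
HKCU-Run-dDvfxSVnTfHs - c:\documents and settings\All Users\Application Data\dDvfxSVnTfHs.exe
"""

HIVE_LINE = re.compile(r'^\[(?P<hive>[^\]]+)\]$')
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[(?P<stamp>[^\]]*)\])?$')
ORPHAN_LINE = re.compile(r'^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+)\s+-\s+(?P<path>.+)$')

# Directory fragments an unprivileged XP user can write to (assumption, lower-case).
USER_WRITABLE = ('\\application data\\', '\\local settings\\', '\\temp\\')


@dataclass
class Entry:
    hive: str
    name: str
    path: str
    stamp: str = ''
    reasons: List[str] = field(default_factory=list)


def looks_random(name: str) -> bool:
    """True when the letters of `name` contain a consonant run of 5 or more.
    Product names keep their vowels; generated names like dDvfxSVnTfHs do not."""
    letters = re.sub(r'[^A-Za-z]', '', name)
    runs = re.findall(r'[^aeiouAEIOU]+', letters)
    return max((len(r) for r in runs), default=0) >= 5


def parse_loading_points(text: str) -> List[Entry]:
    """Pull Run-key values and removed orphans out of the log text."""
    entries: List[Entry] = []
    hive = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HIVE_LINE.match(line)
        if m:                      # "[HKEY_...\Run]" header: remember the hive
            hive = m.group('hive')
            continue
        m = ORPHAN_LINE.match(line)
        if m:                      # "HKCU-Run-<name> - <path>" from ORPHANS REMOVED
            entries.append(Entry(m.group('hive') + ' Run (orphan)', m.group('name'), m.group('path')))
            continue
        m = RUN_LINE.match(line)
        if m:                      # '"<name>"="<path>" [<date size>]' or '[X]'
            entries.append(Entry(hive, m.group('name'), m.group('path'), m.group('stamp') or ''))
    return entries


def score(entry: Entry) -> str:
    """Attach reason codes to `entry` and return its verdict."""
    low = entry.path.lower()
    if any(frag in low for frag in USER_WRITABLE):
        entry.reasons.append('user-writable')
    if looks_random(entry.name):
        entry.reasons.append('random-name')
    if entry.stamp == 'X':
        entry.reasons.append('missing-target')
    elif '\\' not in entry.path:
        entry.reasons.append('bare-name')
    if 'user-writable' in entry.reasons and 'random-name' in entry.reasons:
        return 'suspicious'
    return 'review' if entry.reasons else 'ok'


def triage(text: str) -> Dict[str, str]:
    """Map each autorun value name in the log text to its verdict."""
    return {e.name: score(e) for e in parse_loading_points(text)}


if __name__ == '__main__':
    for e in parse_loading_points(SAMPLE_LOG):
        print(f"{score(e):10} {e.name:32} {', '.join(e.reasons) or '-':28} {e.path}")
```

Run against the sample, only the orphaned dDvfxSVnTfHs entry comes out as suspicious; Abacast (user profile path), RTHDCPL (bare name and no vowels) and Power2GoExpress ([X]) each trip one rule and are listed for review, which is the intended behaviour: a single heuristic produces candidates for a human to look at, not a verdict.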

Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

c:\program files\3jmsixl7.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If virustotal is too busy, you can try these.

http://virusscan.jotti.org

http://www.kaspersky.com/scanforvirus.html


When I clicked send to virustotal the page went blank and froze. Then the internet crashed/closed out.

Here are the results from virusscan. I did not submit this file for scanning before; maybe another user has???

Jotti's malware scan

This file has been scanned before. The results for this previous scan are listed below.

--------------------------------------------------------------------------------

Filename: GMER.exe

Status: Scan finished. 0 out of 20 scanners reported malware.

Scan taken on: Tue 21 Jun 2011 18:14:45 (CET) Permalink

--------------------------------------------------------------------------------

Additional info

File size: 302592 bytes

Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5: b83cd19b824c5112fdccf35ba590af32

SHA1: e3e6c868b5f905de92a957a5d74e82edff219740

Packer (Drweb): UPX

Packer (Kaspersky): UPX

Scanners

2011-06-21 Found nothing 2011-06-21 Found nothing

2011-06-21 Found nothing 2011-06-21 Found nothing

2011-06-21 Found nothing 2011-06-21 Found nothing

2011-06-21 Found nothing 2011-06-21 Found nothing

2011-06-21 Found nothing 2011-06-21 Found nothing

2011-06-21 Found nothing 2011-06-21 Found nothing

2011-06-21 Found nothing 2011-06-21 Found nothing

2011-06-18 Found nothing 2011-06-21 Found nothing

2011-06-21 Found nothing 2011-06-21 Found nothing

2011-06-21 Found nothing 2011-06-21 Found nothing

--------------------------------------------------------------------------------

I had the Kaspersky site scan it too.

Kaspersky File Scanner

Scanned file: 3jmsixl7.exe

You're clean!

Kaspersky File Scanner has not detected any viruses at this time in the file you submitted.

However, only a fully-functional antivirus solution with regularly updated virus definitions can ensure comprehensive protection against malware. If you do not have an antivirus solution installed, you may wish to consider purchasing one today.

Download a trial version of Kaspersky Internet Security

Purchase Kaspersky Internet Security in our E-Store

Purchase Kaspersky Internet Security from a certified partner

Statistics:

The scanner will display the following results: the number of antivirus programs in Kaspersky Lab’s antivirus databases, the date of the latest database update and the number of scanned files and detected threats.

Known viruses: 5647185 Updated: 25-06-2011

File size (Kb): 296 Virus bodies: 0

Files: 1 Warnings: 0

Archives: 0 Suspicious: 0

I may not be able to get back to this computer until this evening. Thank you for your continued assistance!


We need to get a copy of that file.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

http://forums.malwarebytes.org/index.php?showtopic=87781

Collect::
c:\program files\3jmsixl7.exe

Folder::
c:\documents and settings\Administrator.YOUR-5E03CF73DE

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...

CFScriptB-4.gif

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


Here is the report. We had to reset the screen saver as it never came back, and when I tried to run ComboFix I got the notice that the Microsoft Windows Recovery Console was not installed, asking whether I would like to install it. I clicked Yes and followed the instructions as before. I am a bit confused as to why this came up again, as the same thing came up when we were asked to run it earlier and we installed it then as per the instructions. So it should not have come up again??? The computer is only used for DSL internet, including e-mail, and is connected to a copy/scan/fax machine as well. Other than those two issues it seems to be running normally.

I don't know if I will be able to get back to this computer again until Monday but I will check this forum board from home. Thanks again.

ComboFix 11-06-25.05 - Owner 06/25/2011 20:22:37.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1192 [GMT -4:00]

Running from: c:\program files\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Recent\CFScript.lnk

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\TEMP\__3ESolutions_temp\simple_screensaver_gtw_slow.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-05-26 to 2011-06-26 )))))))))))))))))))))))))))))))

.

.

2011-06-24 17:24 . 2011-06-26 00:11 4137147 ------r- c:\program files\ComboFix.exe

2011-06-24 17:19 . 2011-06-24 17:19 50688 ----a-w- c:\program files\ATF_Cleaner.exe

2011-06-23 17:19 . 2011-06-23 17:19 684297 ----a-w- c:\program files\unhide.exe

2011-06-22 17:17 . 2011-06-22 17:17 302592 ----a-w- c:\program files\3jmsixl7.exe

2011-06-20 20:39 . 2011-06-20 20:39 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2011-06-20 20:15 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-20 20:15 . 2011-06-20 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-06-20 20:15 . 2011-06-21 16:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-20 20:15 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-20 20:14 . 2011-06-24 17:37 -------- d-----w- c:\documents and settings\Administrator.YOUR-5E03CF73DE

2011-06-15 07:16 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-02 15:31 . 2004-08-26 18:01 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19 . 2004-08-26 16:12 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 15:51 . 2004-08-26 16:12 832512 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 15:51 . 2004-08-26 16:11 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 15:51 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-04-25 15:51 . 2004-08-26 16:11 17408 ------w- c:\windows\system32\corpol.dll

2011-04-25 12:01 . 2004-08-26 16:11 389120 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2004-08-26 16:12 105472 ----a-w- c:\windows\system32\drivers\mup.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-10 39408]

"AbacastDistributedOnDemand:11"="c:\documents and settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" [2008-09-30 54776]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]

"Gateway Extended Warranty"="c:\program files\Gateway\GWCares\GWCares.exe" [2004-02-08 73728]

"RTHDCPL"="RTHDCPL.EXE" [2006-01-12 15961088]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-28 98304]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-11-18 4269296]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]

"lxecmon.exe"="c:\program files\Lexmark Pro800-Pro900 Series\lxecmon.exe" [2011-01-23 770728]

"EzPrint"="c:\program files\Lexmark Pro800-Pro900 Series\ezprint.exe" [2010-01-18 139944]

"Lexmark Pro800-Pro900 Series Fax Server"="c:\program files\Lexmark Pro800-Pro900 Series\fm3032.exe" [2011-01-23 316072]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon Internet Security Suite]

2006-10-20 21:47 237568 ----a-w- c:\program files\Verizon\Verizon Internet Security Suite\Rps.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\AbacastDistributedOnDemand\\Node\\11\\AbacastDistributedOnDemand.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Abacast\\Abaclient2.exe"=

"c:\\Program Files\\Verizon\\VSP\\ServicepointService.exe"=

"c:\\WINDOWS\\system32\\lxeccoms.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\scan\\scanman6.exe"=

.

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/16/2009 3:09 PM 108289]

R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]

R2 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [5/10/2010 1:44 PM 668912]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 5:12 PM 135664]

S2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [9/8/2010 2:47 PM 193192]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 5:12 PM 135664]

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 21:12]

.

2011-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 21:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

LSP: c:\program files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll

TCP: DhcpNameServer = 192.168.1.1

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-25 20:28

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(764)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'lsass.exe'(820)

c:\program files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll

.

Completion time: 2011-06-25 20:30:27

ComboFix-quarantined-files.txt 2011-06-26 00:30

ComboFix2.txt 2011-06-24 17:40

.

Pre-Run: 139,978,600,448 bytes free

Post-Run: 139,978,604,544 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - C31FA4D113EED31C0D788D0BFB5DE3B5

Link to post
Share on other sites

Please try this again as it didn't work last time

We need to get a copy of that file

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

http://forums.malwarebytes.org/index.php?showtopic=87781

Collect::
c:\program files\3jmsixl7.exe

Folder::
c:\documents and settings\Administrator.YOUR-5E03CF73DE

Save this file to your desktop as "CFScript"

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

I will not be able to do this until probably Monday evening as I will not be able to get to that computer 'til then.

I had trouble accessing the file to copy it into ComboFix. I had to go to My Computer>programs>Notepad then minimize that window, do the same for ComboFix then resize the windows and drag the file into ComboFix that way.

I was also on as owner, not Administrator. Is that a problem? Are these the reason the report did not generate what you needed?

Also, the file 3jmsixl7.exe that you had me scan is the randomly named file created when I downloaded GMER. Was the program/link bad?

As far as to how the computer is running: We had to reset the screen saver as it never came back and when I tried to run ComboFix I got the notice about the Microsoft Windows Recovery Console not being installed, would you like to install it. I clicked yes and followed the instructions as before. I am a bit confused as to why this came up again as the same thing came up when we were instructed to install and run it earlier and we were prompted to install the Windows Recovery Console then, which we did. So it should not have come up again???

Should I uninstall ComboFix and reinstall it if I get the Microsoft Windows Recovery Console download message again?

The computer is only used for DSL internet including e-mail, and connected to a copy/scan/fax machine as well. Other than those two issues it seems to be running normally which I also confirmed with my friend the owner of the computer.

Thanks again.

Link to post
Share on other sites

Also, the file 3jmsixl7.exe that you had me scan is the randomly named file created when I downloaded GMER.
Thank you for that info.

No need to run combofix again.

Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

  • Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn

  • JAVA Click this link and click on the Free JAVA Download

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

Link to post
Share on other sites
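The Internet Explorer hardening steps in the clean-up post above can be verified from the registry instead of clicking through the Custom Level dialog. The following PowerShell script is an added example, not code from the forum post or from Malwarebytes: it reads the current user's Internet zone (zone 3) settings and reports which of the six settings named in the post still differ from the recommended Prompt/Disable values. The numeric action identifiers (1001, 1004, 1201, 1800, 1804, 1607) and the value meanings (0 = Enable, 1 = Prompt, 3 = Disable) are Microsoft's documented Internet Explorer zone registry entries, not something the post states; the script assumes PowerShell is installed on the machine and only reads the registry, it changes nothing.

```powershell
# Added example: audit the IE Internet zone (zone 3) settings that the clean-up
# post asks the user to change. Read-only; it prints a report and modifies nothing.
# Assumes PowerShell 2.0 or later is available and checks the current user's hive.

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Microsoft's documented zone action IDs, mapped to the setting name used in the
# post and the value the post recommends (1 = Prompt, 3 = Disable).
$recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}

# Human-readable labels for the stored DWORD values.
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSettingReport {
    param([string]$Path = $zonePath)

    # Fails loudly if the zone key is missing rather than silently reporting "compliant".
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    foreach ($id in ($recommended.Keys | Sort-Object)) {
        $entry = $recommended[$id]
        $prop  = $props.PSObject.Properties[$id]

        # A value that is not present under HKCU means the zone template default
        # applies, which this script cannot see; it is reported as "(not set)".
        $current = if ($null -ne $prop) { [int]$prop.Value } else { $null }

        $currentLabel = if ($null -eq $current) { '(not set)' }
                        elseif ($labels.ContainsKey($current)) { $labels[$current] }
                        else { "$current" }

        New-Object PSObject -Property @{
            ActionId    = $id
            Setting     = $entry.Name
            Current     = $currentLabel
            Recommended = $labels[$entry.Want]
            Compliant   = ($current -eq $entry.Want)
        }
    }
}

# Print the report; any row with Compliant = False still needs the change from the post.
Get-ZoneSettingReport | Format-Table ActionId, Setting, Current, Recommended, Compliant -AutoSize
```

Run it after applying the steps from the post; every row should show Compliant = True. A row reporting "(not set)" means the user has never overridden that setting and the zone's default template value is in effect, so it should be confirmed in the Custom Level dialog rather than assumed safe.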

Thanks very much for all of your help in this matter. I double checked the IE settings and they're good to go with your other advice. I use Malwarebytes on my laptop as do my family members and we are very happy with your product. Especially the low system usage and lack of bloatware!

Thanks again. Hope you don't hear from us anytime soon! ;)

Link to post
Share on other sites

Guest
This topic is now closed to further replies.