
I've been having trouble getting malwarebytes to install and can't seem to resolve it. I tried dr. cureit (or something like that) and it said I had some tdss rootkit. I downloaded and ran tdsskiller.exe and that seemed to have worked for that. However, I still can't install malwarebytes to resolve any other issues I'm having (my desktop items are gone, etc.). I've run the requested logs and attached them here.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_18

Run by Jason at 9:49:28 on 2011-10-15

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3573.1956 [GMT -4:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\Dell\DellDock\DockLogin.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\WLTRYSVC.EXE

C:\Windows\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Windows\system32\WLANExt.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\aestsrv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Windows\system32\rundll32.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Microsoft\BingBar\SeaPort.EXE

C:\Program Files\VERIZONDM\bin\sprtsvc.exe

C:\Windows\system32\STacSV.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\VERIZONDM\bin\tgsrvc.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\DellTPad\Apoint.exe

C:\Windows\OEM02Mon.exe

C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe

C:\Windows\System32\WLTRAY.EXE

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Dell\MediaDirect\PCMService.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\VERIZONDM\bin\sprtcmd.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Dell\DellDock\DellDock.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.google.com/

uSearch Bar = hxxp://www.google.com/ie

uWindow Title = Internet Explorer provided by Dell

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

BHO: {05df32f3-8b0e-4099-8929-27966e877692} - c:\users\jason\appdata\local\SystemWin32.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111011015044.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [JavaServiceTray] rundll32.exe "c:\programdata\JavaServiceTray.dll",DllRegisterServer

uRun: [Flip Update] rundll32 "c:\users\jason\appdata\local\stardock_corporation\stardock_corporationupdate\Stardock_Corporationupdt32.dll",DllRegisterServer

uRun: [674270020] c:\users\jason\appdata\local\temp\\jucheck.exe

uRun: [Apple Update] rundll32 "c:\users\jason\appdata\local\apple computer\appleupdate\Appleupdt32.dll",DllRegisterServer

uRun: [Creative Update] rundll32 "c:\users\jason\appdata\local\temp\update\Updateupdt32.dll",DllRegisterServer

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [ECenter] c:\dell\e-center\EULALauncher.exe

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [VERIZONDM] "c:\program files\verizondm\bin\sprtcmd.exe" /P VERIZONDM

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\users\jason\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe

StartupFolder: c:\users\jason\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: DisableTaskMgr = 1 (0x1)

dPolicies-system: DisableTaskMgr = 1 (0x1)

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} - hxxps://fixit.support.microsoft.com/ActiveX/FixItClient.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{0053643F-7104-4063-8E06-5784C672896A} : DhcpNameServer = 163.244.112.71 10.101.101.100 163.244.101.69 163.244.100.254

TCP: Interfaces\{3FB7919C-5547-4B99-8566-5D387D1A4EED} : DhcpNameServer = 192.168.1.1

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\jason\appdata\roaming\mozilla\firefox\profiles\xo8agqu6.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=SOLTDF&PC=SUN1&q=

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NpIpx32.dll

FF - plugin: c:\users\jason\appdata\roaming\move networks\plugins\npqmp071705000014.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\jason\appdata\roaming\Move Networks

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-9-4 64512]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-11 461864]

R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-8-11 64712]

R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-8-11 164776]

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-7-16 73728]

R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-4-28 161048]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2151640]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-3 94880]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-11 214904]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-11 214904]

R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-11 214904]

R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-11 166024]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-11 160344]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-11 148520]

R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\verizondm\bin\sprtsvc.exe [2010-9-29 206120]

R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\verizondm\bin\tgsrvc.exe [2010-9-29 185640]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-11 57432]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-11 180072]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-11 59288]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-11 338040]

S2 0263831318312349mcinstcleanup;McAfee Application Installer Cleanup (0263831318312349);c:\windows\temp\026383~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\026383~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-7-16 30192]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-11 87808]

S3 mr7911;Photo Viewer ;c:\windows\system32\drivers\mr7911.sys [2008-5-23 39552]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-10-15 01:05:52 -------- d-----w- c:\users\jason\DoctorWeb

2011-10-15 00:14:24 349696 ----a-w- c:\programdata\1kAlMiG2Kb7FzP.exe

2011-10-15 00:13:51 -------- d-----w- c:\users\jason\appdata\roaming\XH57dEK8gZhXjVl

2011-10-15 00:13:28 -------- d-----w- c:\users\jason\appdata\roaming\yycS1ivD3n4HW7E

2011-10-14 23:50:33 -------- d-----w- c:\users\jason\appdata\roaming\W0ucS2ibDpGaHsK

2011-10-14 23:50:33 -------- d-----w- c:\users\jason\appdata\roaming\EEL9gTjwkVlNx0c

2011-10-14 08:29:16 -------- d--h--w- c:\users\jason\appdata\roaming\V0ycA1ivDoFpHsJ

2011-10-14 08:29:16 -------- d--h--w- c:\users\jason\appdata\roaming\QEL8gRZqhXkVlBz

2011-10-14 08:29:10 -------- d--h--w- c:\users\jason\appdata\roaming\gRZqhYXwkVl

2011-10-14 08:29:09 -------- d--h--w- c:\users\jason\appdata\roaming\p0ucS1ibDoGaHsJ

2011-10-14 00:55:10 307200 ---ha-w- c:\users\jason\appdata\local\SystemWin32.dll

2011-10-14 00:54:27 140288 ---ha-w- c:\programdata\JavaServiceTray.dll

.

==================== Find3M ====================

.

2011-10-15 04:51:23 184320 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-09-05 00:29:56 101720 ---ha-w- c:\windows\system32\drivers\SBREDrv.sys

2011-09-05 00:29:55 16432 ---ha-w- c:\windows\system32\lsdelete.exe

2011-08-18 19:25:12 64512 ---ha-w- c:\windows\system32\drivers\Lbd.sys

2011-08-15 14:00:06 9344 ---ha-w- c:\windows\system32\drivers\mfeclnk.sys

2011-08-15 14:00:06 87808 ---ha-w- c:\windows\system32\drivers\mferkdet.sys

2011-08-15 14:00:06 64712 ---ha-w- c:\windows\system32\drivers\mfenlfk.sys

2011-08-15 14:00:06 59288 ---ha-w- c:\windows\system32\drivers\mfebopk.sys

2011-08-15 14:00:06 57432 ---ha-w- c:\windows\system32\drivers\cfwids.sys

2011-08-15 14:00:06 461864 ---ha-w- c:\windows\system32\drivers\mfehidk.sys

2011-08-15 14:00:06 338040 ---ha-w- c:\windows\system32\drivers\mfefirek.sys

2011-08-15 14:00:06 180072 ---ha-w- c:\windows\system32\drivers\mfeavfk.sys

2011-08-15 14:00:06 164776 ---ha-w- c:\windows\system32\drivers\mfewfpk.sys

2011-08-15 14:00:06 119808 ---ha-w- c:\windows\system32\drivers\mfeapfk.sys

2011-08-01 16:50:17 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 9:50:48.81 ===============

Attach.txt

DDS.txt

Link to post
Share on other sites
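The Pseudo HJT Report in the log above already shows the pattern the later Malwarebytes scan confirms: an unnamed BHO loaded from AppData, several Run entries that use rundll32 to call DllRegisterServer on DLLs under user-writable folders, a numeric-only Run name pointing into Temp, and DisableTaskMgr set by policy. The script below is an added example, not part of this thread or of the DDS or Malwarebytes tools: it triages DDS-style lines (a constructed sample copied from the report above) with exactly those heuristics. The line formats are inferred from the log, not taken from any DDS specification, and the heuristic wording is my own.

```python
import re

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" in this
# thread, plus benign entries (ctfmon, Adobe BHO, McAfee agent) for contrast.
SAMPLE_DDS = r"""
BHO: {05df32f3-8b0e-4099-8929-27966e877692} - c:\users\jason\appdata\local\SystemWin32.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [JavaServiceTray] rundll32.exe "c:\programdata\JavaServiceTray.dll",DllRegisterServer
uRun: [Flip Update] rundll32 "c:\users\jason\appdata\local\stardock_corporation\stardock_corporationupdate\Stardock_Corporationupdt32.dll",DllRegisterServer
uRun: [674270020] c:\users\jason\appdata\local\temp\\jucheck.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
"""

# Line shapes as DDS prints them (assumed from the log above, not from a spec):
#   uRun/mRun/dRun: [name] command          (HKCU / HKLM / default-user Run keys)
#   BHO: [Display Name: ]{CLSID} - path      (Browser Helper Object)
#   uPolicies/mPolicies/dPolicies-system: Key = value (hex)
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(
    r"^BHO: (?:(?P<name>[^{]*?): )?\{(?P<clsid>[0-9a-fA-F-]{36})\} - (?P<path>.*)$"
)
POLICY_RE = re.compile(r"^[umd]Policies-system: (?P<key>\w+) = (?P<val>\d+)")

# Directories a standard user can write to. Legitimate autoruns from here are
# rare; the droppers in this thread live here almost exclusively.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\")


def in_user_writable(path: str) -> bool:
    """True if any user-writable directory marker appears in the path."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage(dds_text: str) -> list[tuple[str, list[str]]]:
    """Return (line, reasons) for every autorun/BHO/policy line worth a look."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        reasons: list[str] = []

        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd").lower()
            # rundll32 + DllRegisterServer at logon is how the droppers above
            # re-register their DLLs on every boot.
            if "rundll32" in cmd and "dllregisterserver" in cmd:
                reasons.append("rundll32 re-registers a DLL at every logon")
            if in_user_writable(cmd):
                reasons.append("autorun target lives in a user-writable location")
            if name.isdigit():
                reasons.append("numeric-only autorun name")

        m = BHO_RE.match(line)
        if m:
            # Commercial BHOs carry a display name; the dropper's did not.
            if not m.group("name"):
                reasons.append("BHO registered without a display name")
            if in_user_writable(m.group("path")):
                reasons.append("BHO DLL lives in a user-writable location")

        m = POLICY_RE.match(line)
        if m and m.group("key") == "DisableTaskMgr" and m.group("val") == "1":
            reasons.append("Task Manager disabled by policy")

        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_DDS):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Every flagged line in the sample corresponds to an item the Malwarebytes log later in this thread quarantined, while the benign ctfmon, Adobe and McAfee entries pass untouched.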


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Download unhide.exe & save it to your windows folder:

Right click on unhide.exe and select Run as administrator (In case you have Vista or Win7)

Reboot

This will unhide folders/files that were set to be hidden by the infection you had.

Let me know if that solved your problem.

Link to post
Share on other sites

I'll try that when I have a chance in a couple of hours. However, even if that unhides what I can't find, I'm guessing I still won't be able to actually install the malwarebytes program. I've downloaded the installation executable and tried to install, but when it gets to the very end there's a popup that says access denied and it then rolls back changes. I've read that renaming the file to something like iexplore.exe and then trying to install will sometimes work, but that doesn't work in my case either.

Assuming after running the unhide.exe (if I'm even able to run it) I still can't install the malwarebytes program, what would the next step be?

Link to post
Share on other sites

Let's do one thing at a time when you're at the desktop.

You also have 2 anti-virus programs running.

One of them needs to be uninstalled.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

Link to post
Share on other sites

Ok, here's what I've done so far:

1) I've uninstalled the Lavasoft Ad-Aware anti virus program.

2) I downloaded and ran unhide.exe. After running, one icon appeared and there was a message asking to disable anti-virus to allow it to run completely (or something to that effect). When I rebooted to do this, most if not all the icons were there on the desktop. To make sure the unhide ran completely, I temporarily disabled McAfee and re-ran the unhide.exe. I re-booted again and made sure McAfee was back to being enabled. I think all the icons are back - the only thing was that the desktop background wasn't restored (I don't care about that, but not sure if it signifies some unresolved problem).

3) One of the icons which was back was something called Cloud Protection, which seems to be a fake anti-spyware program that caused me to try to install malwarebytes to begin with. After running the unhide.exe, I was able to successfully install the malwarebytes program. I ran it in quick scan mode and it identified something like 37 problems which were removed. Running malwarebytes seems to have gotten rid of the Cloud Protection program. I can paste the log from running malwarebytes here if you'd like.

Please advise as to next steps to try to ensure the machine is clean. The main issues which caused me to post (missing icons, unable to install and run malwarebytes) seem to have been resolved, but I'm sure there's plenty of stuff behind the scenes unknown to me which could be a problem.

Thank you very much for all your assistance.

Link to post
Share on other sites

There were three logs. I've included the contents of each below.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6401

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.19048

4/19/2011 11:09:59 PM

mbam-log-2011-04-19 (23-09-59).txt

Scan type: Quick scan

Objects scanned: 159668

Time elapsed: 11 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7967

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.19088

10/17/2011 3:29:45 PM

mbam-log-2011-10-17 (15-29-45).txt

Scan type: Quick scan

Objects scanned: 196793

Time elapsed: 21 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 5

Registry Keys Infected: 5

Registry Values Infected: 5

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 18

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\Users\Jason\AppData\Local\systemwin32.dll (Trojan.Dropper) -> Delete on reboot.

c:\programdata\javaservicetray.dll (Trojan.Dropper) -> Delete on reboot.

c:\Users\Jason\AppData\Local\stardock_corporation\stardock_corporationupdate\stardock_corporationupdt32.dll (Trojan.Dropper) -> Delete on reboot.

c:\Users\Jason\AppData\Local\apple computer\appleupdate\appleupdt32.dll (Trojan.Dropper) -> Delete on reboot.

c:\Users\Jason\AppData\Local\Temp\Update\updateupdt32.dll (Trojan.Dropper) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{05DF32F3-8B0E-4099-8929-27966E877692} (Trojan.Dropper) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{05DF32F3-8B0E-4099-8929-27966E877692} (Trojan.Dropper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{05DF32F3-8B0E-4099-8929-27966E877692} (Trojan.Dropper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{05DF32F3-8B0E-4099-8929-27966E877692} (Trojan.Dropper) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaServiceTray (Trojan.Dropper) -> Value: JavaServiceTray -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Flip Update (Trojan.Dropper) -> Value: Flip Update -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Apple Update (Trojan.Dropper) -> Value: Apple Update -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Creative Update (Trojan.Dropper) -> Value: Creative Update -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\674270020 (Trojan.Dropper) -> Value: 674270020 -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

c:\Users\Jason\AppData\Roaming\microsoft\Windows\start menu\Programs\cloud protection (Rogue.CloudProtection) -> Quarantined and deleted successfully.

Files Infected:

c:\Users\Jason\AppData\Local\systemwin32.dll (Trojan.Dropper) -> Delete on reboot.

c:\programdata\javaservicetray.dll (Trojan.Dropper) -> Delete on reboot.

c:\Users\Jason\AppData\Local\stardock_corporation\stardock_corporationupdate\stardock_corporationupdt32.dll (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\Users\Jason\AppData\Local\apple computer\appleupdate\appleupdt32.dll (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\Users\Jason\AppData\Local\Temp\Update\updateupdt32.dll (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\users\jason\appdata\local\temp\jucheck.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\Users\Jason\AppData\Local\Temp\5816.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\Users\Jason\AppData\Local\Temp\FF5C.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\Users\Jason\AppData\Local\Temp\45B4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\Users\Jason\AppData\Local\Temp\9b88.exe (Trojan.Exploit.Drop) -> Quarantined and deleted successfully.

c:\Users\Jason\AppData\Local\Temp\thpm2718852917757579898.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\Users\Jason\AppData\Local\Temp\thpm9068982701343070535.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\Users\Jason\local settings\application data\systemwin32.dll (Trojan.Dropper) -> Delete on reboot.

c:\Users\Jason\AppData\Roaming\microsoft\Windows\start menu\Programs\cloud protection\cloud protection.lnk (Rogue.CloudProtection) -> Quarantined and deleted successfully.

c:\Users\Jason\Desktop\cloud protection.lnk (Rogue.CloudProtection) -> Quarantined and deleted successfully.

c:\Users\Jason\local settings\application data\apple computer\appleupdate\appleupdt32.dll (Trojan.SHarpro) -> Quarantined and deleted successfully.

c:\Users\Jason\AppData\Roaming\ldr.ini (Malware.Trace) -> Quarantined and deleted successfully.

c:\Users\Jason\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

15:06:49 Jason MESSAGE Protection started successfully

15:06:54 Jason MESSAGE IP Protection started successfully

15:28:44 Jason DETECTION C:\USERS\JASON\APPDATA\LOCAL\APPLE COMPUTER\APPLEUPDATE\APPLEUPDT32.DLL Trojan.Dropper QUARANTINE

15:29:06 Jason DETECTION C:\USERS\JASON\APPDATA\LOCAL\STARDOCK_CORPORATION\STARDOCK_CORPORATIONUPDATE\STARDOCK_CORPORATIONUPDT32.DLL Trojan.Dropper QUARANTINE

15:29:08 Jason DETECTION C:\USERS\JASON\APPDATA\LOCAL\TEMP\UPDATE\UPDATEUPDT32.DLL Trojan.Dropper QUARANTINE

15:29:08 Jason DETECTION C:\Users\Jason\AppData\Local\Stardock_Corporation\Stardock_CorporationUpdate\Stardock_Corporationupdt32.dll Trojan.Dropper DENY

15:29:08 Jason DETECTION C:\Users\Jason\AppData\Local\Temp\Update\Updateupdt32.dll Trojan.Dropper DENY

15:31:41 Jason MESSAGE Protection started successfully

15:31:46 Jason MESSAGE IP Protection started successfully

18:10:38 Jason MESSAGE Protection started successfully

18:10:42 Jason MESSAGE IP Protection started successfully

Link to post
Share on other sites

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen, and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


I'd like to try to proceed with cleaning without reformatting the system.

I also mentioned earlier that prior to my original post I had run the TDSSKiller program and it had removed something. I just remembered there was a log for that. Is that a log that you'd need to see as well?


Let's just go for a ComboFix scan now.

Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


I'm responding from my phone as to not interrupt anything. I've been running the scan for around 1 to 1.5 hrs but I'm not sure if it's doing anything. There's a window that says the following and has since it started:

Scanning for infected files.....

This typically doesn't take more than 10 minutes.

However scan times for infected machines may easily double.

I didn't click in the box so it shouldn't be stalled.

Please advise, I'm not sure if it's frozen or always takes this long.

Thanks again for the help!!!!


One more update. I stopped the initial scan as after a couple of hours nothing was happening. I've restarted the computer and am having an issue disabling my antivirus (McAfee). When attempting to disable the real-time scan nothing really happens; sometimes a message pops up saying the McAfee service host stopped working, and I can't get the settings to change. Since I can't disable McAfee, I haven't tried to rerun ComboFix yet.


I've tried in both normal and safe mode but it's getting stuck on the same screen (where it says the scan should take 10 minutes but could be double that). Each time I've let it run at least 1.5 hrs before stopping.

My McAfee also seems to be acting up - not really letting me change settings. The computer is also very sluggish on startup.


To your second question, I'm typing the results of the scan in from my phone as when connected to the Internet in normal mode the computer is extremely sluggish and can't really finish any process. I was able to run a quick scan in safe mode without networking and the log is below. There's also a log earlier in this thread from an earlier run if that would be of use.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7976

Windows 6.0.6001 Service Pack 1 (Safe Mode)

Internet Explorer 8.0.6001.19088

10/18/2011 7:00:33 PM

mbam-log-2011-10-18 (19-00-33).txt

Scan type: Quick scan

Objects scanned: 192006

Time elapsed: 7 minute(s), 17 second(s)

Memory processes infected: 0

Memory modules infected: 0

Registry keys infected: 0

Registry values infected: 1

Registry data items infected: 0

Folders infected: 0

Files infected: 0

Memory processes infected:

(No malicious items detected)

Memory modules infected:

(No malicious items detected)

Registry keys infected:

(No malicious items detected)

Registry values infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaServiceTray (Trojan.SHarpro.PGen) -> Value: JavaServiceTray -> Quarantined and deleted successfully.

Registry data items infected:

(No malicious items detected)

Folders infected:

(No malicious items detected)

Files infected:

(No malicious items detected)


Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


When I went to restart the computer to get into normal mode some startup repair process began. It now says "Startup repair cannot repair this computer automatically. Sending more information can help microsoft create solutions."

Not sure what the next step should be but I didn't want to do anything without checking.
