Infected - can't restore/update/hibernate

Post by Mzuka » July 22nd, 2010, 4:46 am

Hi,

Last month I noted my wife's computer would no longer hibernate.... upon closer investigation I found I couldn't use Microsoft Update or use the System Restore functions. I had Malwarebytes already installed, so ran it, and found a file called netuser_mssec.exe has installed itself in the Start Menu/Programs/Startup. I deleted the four files found (I have a log if you want it), and also ran CCleaner (I backed up the registry files removed). However, I'm not really confident this removed it, and I still can't use MS Update/System Restore or Hibernate or Stand By. Can you help at all? Here are the logs requested (Note we haven't installed anything or run further scans since this problem arose, except for the AV automatic updates)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:28 PM, on 7/22/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mail.com.auckland.ac.nz/owa/aut ... z%2fowa%2f
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 6267618879
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6267614676
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Fac ... der4_5.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9259 bytes

And the Uninstall List

Ad-Aware
Adobe Acrobat 8.1.2 Professional
Adobe Flash Player 10 ActiveX
Adobe Photoshop Album 2.0
Adobe Photoshop Elements 2.0
AOLIcon
Audacity 1.2.4
CCleaner
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Media Experience
Dell Wireless WLAN Card
DellSupport
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
ELIcon
Generic Spectra
Google Talk Plugin
GPL Ghostscript 8.56
GPL Ghostscript Fonts
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
hp deskjet 5100 series
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 15
Lame ACM MP3 Codec
LiveUpdate 2.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
MiKTeX 2.7
Modem Helper
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
NetLogin
NetWaiting
PowerDVD 5.7
Qualxserve Service Agreement
QuickSet
QuickTime
R for Windows 2.4.0
Real-Time Windows Target
Recuva (remove only)
Samsung Media Studio
SAS Private JRE (J2SE(tm) Java Runtime Environment 1.4.1)
SAS Private JRE (J2SE(tm) Java Runtime Environment 1.4.2_09)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Skype Toolbars
Skype™ 4.2
Sonic Audio module
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Stata 10
Symantec AntiVirus
Synaptics Pointing Device Driver
TeXnicCenter Version 1 Beta 7.01 (Greengrass)
TreeAge Pro
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB957241)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 Help (KB957243)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Script Editor Help (KB957253)
Update for Microsoft Windows (KB971513)
Update for Outlook 2007 Junk Email Filter (kb983486)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
URL Assistant
VC 9.0 Runtime
VC 9.0 Runtime
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Windows Defender
Windows Defender Signatures
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Wolfram Notebook Indexer 1.1
XviD MPEG-4 Video Codec
ZoneAlarm

Thank you in advance for any advice!
Mzuka
Active Member
 
Posts: 8
Joined: July 22nd, 2010, 4:29 am
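
The reply that follows works from the HijackThis log posted above, so here is an added example of a small triage helper for that log format. It is not code from the thread, from MalwareRemoval.com or from HijackThis itself. It parses the `O2`/`O4`/`O9`/`O23` style entries and flags the things a reviewer checks first: entries whose referenced file is reported missing, services with no vendor string, `Run` autostarts that name a bare file name instead of a full path, and startup shortcuts whose target could not be resolved. The sample lines are constructed from entries in the log above; the flag rules are my own heuristics, and a flag means "review this by hand", not "malicious": legitimate OEM and vendor entries trip these rules too.

```python
import re

# Constructed sample in HijackThis log format. The lines are modelled on the
# log posted in the thread (same paths and CLSIDs); this is not a new scan.
SAMPLE_LOG = r"""
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 Run-key entries carry the value name in brackets, then the command line.
O4_RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<command>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into {'section', 'body'} entries, skipping header lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return entries


def flag_entry(entry):
    """Return review reasons for one entry; an empty list means nothing stood out."""
    reasons = []
    section, body = entry["section"], entry["body"]
    if body.endswith("(file missing)"):
        reasons.append("referenced file is missing (stale or removed entry)")
    if section == "O23" and " - Unknown owner - " in body:
        reasons.append("service has no vendor string")
    if section == "O4":
        m = O4_RUN_RE.search(body)
        if m:
            command = m.group("command").strip().strip('"')
            # A bare file name is resolved through the search path at logon,
            # so the reviewer must confirm which file actually gets loaded.
            if "\\" not in command:
                reasons.append("autostart uses an unqualified file name")
        elif body.endswith("= ?"):
            reasons.append("startup shortcut target could not be resolved")
    return reasons


def triage(text):
    """Parse a log and return only the entries that deserve a closer look."""
    findings = []
    for entry in parse_hjt(text):
        reasons = flag_entry(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["section"], "|", finding["body"])
        for reason in finding["reasons"]:
            print("    ->", reason)
```

Run it on a saved hijackthis.log by reading the file into `triage()`; the output is a short list to check by hand against the vendor names and paths, which is what the helpers in this thread do line by line.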

Re: Infected - can't restore/update/hibernate

Post by Dakeyras » July 26th, 2010, 11:07 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.
Hi Mzuka and welcome to Malware Removal. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Next:

I had Malwarebytes already installed, so ran it, and found a file called netuser_mssec.exe has installed itself in the Start Menu/Programs/Startup. I deleted the four files found (I have a log if you want it)
Please do post this log, thank you.

Security Application Check:

Please download and save SecurityCheck.exe to your Desktop from one of the links below.

Link 1
Link 2

  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt
  • Please post the contents of that document in your next reply.

Scan with Rooter:

Please download Rooter <-- Right click on the link, select Save Target As... and save it to your desktop.

  • Double click on Rooter.exe to start the application.
  • Now click on the Scan button.
  • When the scan is completed a text file called Rooter.txt will appear on your desktop, post the contents in your next reply.
  • Rooter will close automatically.

Note: The logfile can also be located within the folder Rooter$ at the root of your installed hard drive, e.g. C:\Rooter$

When completed the above, please post back the following in the order asked for:

  • How is your wife's computer performing now? Any further symptoms and/or problems encountered?
  • Malwarebytes' Anti-Malware Log.
  • SecurityCheck Log.
  • Rooter Log.
Dakeyras
MRU Honors Graduate
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Infected - can't restore/update/hibernate

Post by Mzuka » July 27th, 2010, 4:17 am

Hi Dakeyras,

Thanks very much for taking the time to look at this. In the order requested:

My wife's computer still can't hibernate, or use Windows Update - I didn't retest System Restore (because it will actually restore if it happens to work). When I try and access Windows Update I get error code 0x80072EFF. If I try and update Windows Defender, I get error code 0x80072efe. Otherwise the computer behaves more or less OK. It's not unusually slow or anything like that.

Here are the scans. Note that I wasn't connected to the Internet when running the two additional scans you requested.

Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Database version: 4203

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/17/2010 1:33:07 AM
mbam-log-2010-06-17 (01-33-07).txt

Scan type: Full scan (C:\|)
Objects scanned: 240093
Time elapsed: 1 hour(s), 21 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1263\A0292764.exe (Trojan.Dropper) -> No action taken.
C:\WINDOWS\pss\ntuser_mssec.exeStartup (Trojan.Dropper) -> No action taken.
C:\WINDOWS\Internet Logs\LAURA.ldb (Trojan.Dropper) -> No action taken.

NOTE: The program couldn't delete these files - I restarted in safe mode and deleted them.

Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Symantec AntiVirus
ZoneAlarm
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner
SAS Private JRE (J2SE(tm) Java Runtime Environment 1.4.2_09)
SAS Private JRE (J2SE(tm) Java Runtime Environment 1.4.1)
Java(TM) 6 Update 15
Out of date Java installed!
Adobe Flash Player
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Windows Defender MSASCui.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Symantec AntiVirus DefWatch.exe
Symantec AntiVirus Rtvscan.exe
Windows Defender MsMpEng.exe
Windows Defender MSASCui.exe
Zone Labs ZoneAlarm zlclient.exe
````````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

``````````End of Log````````````


Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 14 Stepping 8, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Disabled !
.
Internet Explorer 8.0.6001.18702
.
C:\ [Fixed-NTFS] .. ( Total:66 Go - Free:11 Go )
D:\ [Fixed-NTFS] .. ( Total:21 Go - Free:9 Go )
E:\ [CD_Rom]
.
Scan : 19:59.24
Path : C:\Documents and Settings\Laura Panattoni\Desktop\Rooter.exe
User : Laura Panattoni ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (788)
______ \??\C:\WINDOWS\system32\csrss.exe (856)
______ \??\C:\WINDOWS\system32\winlogon.exe (880)
______ C:\WINDOWS\system32\services.exe (928)
______ C:\WINDOWS\system32\lsass.exe (940)
______ C:\WINDOWS\system32\svchost.exe (1108)
______ C:\WINDOWS\system32\svchost.exe (1184)
______ C:\Program Files\Windows Defender\MsMpEng.exe (1240)
______ C:\WINDOWS\System32\svchost.exe (1300)
______ C:\WINDOWS\system32\svchost.exe (1368)
______ C:\WINDOWS\system32\svchost.exe (1484)
______ C:\WINDOWS\system32\svchost.exe (1520)
Locked vsmon.exe (1552)
______ C:\WINDOWS\System32\WLTRYSVC.EXE (1696)
______ C:\WINDOWS\System32\bcmwltry.exe (1712)
______ C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (1720)
______ C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (1772)
______ C:\WINDOWS\system32\spoolsv.exe (1912)
______ C:\WINDOWS\system32\svchost.exe (1996)
______ C:\Program Files\Symantec AntiVirus\DefWatch.exe (2032)
______ C:\Program Files\Java\jre6\bin\jqs.exe (156)
______ C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe (192)
______ C:\WINDOWS\system32\svchost.exe (232)
______ C:\Program Files\Symantec AntiVirus\Rtvscan.exe (312)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (2056)
______ C:\WINDOWS\System32\alg.exe (2148)
______ C:\WINDOWS\Explorer.EXE (3212)
______ C:\WINDOWS\system32\hkcmd.exe (3564)
______ C:\WINDOWS\system32\igfxpers.exe (3576)
______ C:\WINDOWS\stsystra.exe (3588)
______ C:\WINDOWS\system32\igfxsrvc.exe (3624)
______ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (3656)
______ C:\Program Files\Common Files\Symantec Shared\ccApp.exe (3664)
______ C:\PROGRA~1\SYMANT~1\VPTray.exe (3680)
______ C:\Program Files\Windows Defender\MSASCui.exe (3772)
______ C:\WINDOWS\system32\WLTRAY.exe (3796)
Locked zlclient.exe (3812)
______ C:\Documents and Settings\Laura Panattoni\Desktop\Rooter.exe (3544)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:49319424)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:49351680 | Length:71601062400)
\Device\Harddisk0\Partition3 (Start_Offset:71658639360 | Length:23359795200)
\Device\Harddisk0\Partition4 (Start_Offset:95018434560 | Length:3495744000)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1996858125-3853305589-2774126147-1006Core.job
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1996858125-3853305589-2774126147-1006UA.job
C:\WINDOWS\Tasks\MP Scheduled Scan.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 20:00.04
.
C:\Rooter$\Rooter_1.txt - (27/07/2010 | 20:00.04)

Thanks again.
Mzuka
Active Member
Posts: 8
Joined: July 22nd, 2010, 4:29 am

Re: Infected - can't restore/update/hibernate

Unread postby Dakeyras » July 27th, 2010, 7:26 am

Hi. :)

Thanks very much for taking the time to look at this.
You're most welcome and thanks for the update also!

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe.

FixPolicies:

Please download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here.

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box should briefly appear and then close.
  • Leave FixPolicies on your desktop please until I otherwise advise, thank you.

Next:

Now I will be asking you to uninstall some software; they are either ineffective and/or display dubious characteristics/have privacy-related issues. Out of date versions of Java can be used as a means to either infect a machine and/or re-infect. We will update that in due course.

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

AOLIcon
Ad-Aware
Java(TM) 6 Update 15
URL Assistant
Viewpoint Media Player
Windows Defender


To do so, click once on each of the above in turn to highlight and then click on the Remove button.

Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

If you encounter any problems uninstalling anything merely move on to the next in the above list and inform myself in your next reply.


Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Please include the C:\ComboFix.txt in your next reply for further review.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.


When you have completed the above, please post back the following in the order asked for:

  • How is your wife's computer performing now, any other symptoms and/or problems encountered?
  • ComboFix Log.
Dakeyras
MRU Honors Graduate
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Infected - can't restore/update/hibernate

Unread postby Mzuka » July 28th, 2010, 12:14 am

Hi Dakeyras,

Wow! That is very impressive. Thank you very much. My wife's computer can standby and hibernate again. I can also access the Microsoft Update website - I did not update per this forum's strict instructions, but automatic updates will probably catch it shortly if I leave it connected to the Internet. Should I go ahead? As before, I cannot test system restore without actually restoring. I guess I could create a restore point as of today and restore to it as a test if necessary.

Here is the ComboFix log requested. Note that the program stopped halfway through to say it had detected rootkit activity and asked to restart. There was no specific guidance on this point at your link, so I allowed it.

Also note that of the programs you asked me to delete, all succumbed gracefully, except AOLIcon, which did not show up on the list of installed programs.

ComboFix 10-07-27.01 - Laura Panattoni 07/28/2010 15:43:39.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.608 [GMT 12:00]
Running from: c:\documents and settings\Laura Panattoni\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\muzapp.exe

Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
.

2010-07-28 03:11 . 2010-07-28 03:11 -------- d-----w- c:\program files\ERUNT
2010-07-27 08:02 . 2010-07-27 08:02 -------- d-----w- c:\documents and settings\Laura Panattoni\Local Settings\Application Data\PCHealth
2010-07-27 08:00 . 2010-07-27 08:00 -------- d-----w- C:\Rooter$
2010-07-04 06:36 . 2010-07-04 06:36 -------- d-----w- c:\program files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-28 03:43 . 2006-08-22 17:59 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-28 03:19 . 2009-01-21 07:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-28 03:19 . 2008-01-20 23:40 -------- d-----w- c:\program files\Lavasoft
2010-07-27 06:23 . 2008-05-13 16:26 -------- d-----w- c:\documents and settings\Laura Panattoni\Application Data\Skype
2010-07-27 04:36 . 2008-05-13 16:29 -------- d-----w- c:\documents and settings\Laura Panattoni\Application Data\skypePM
2010-07-11 21:22 . 2010-07-11 21:22 21503754 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2010_07_12_09_15_58_full.dmp.zip
2010-06-24 00:16 . 2010-06-24 00:18 1457664 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2010-06-24 00:16 . 2010-06-24 00:18 867328 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-06-19 15:00 . 2010-06-19 15:01 39936 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-06-18 20:59 . 2008-11-01 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-16 13:03 . 2010-05-13 10:09 -------- d-----w- c:\program files\Trend Micro
2010-06-16 12:41 . 2007-04-09 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-06-16 12:00 . 2010-05-17 09:46 1596748 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-06-08 11:22 . 2009-03-26 09:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-31 03:32 . 2010-05-31 03:36 1401856 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-05-31 00:00 . 2010-05-31 00:05 1401856 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-05-30 23:07 . 2010-05-30 23:10 1401856 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-05-30 22:32 . 2010-05-30 22:34 1401856 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-05-21 04:27 . 2010-05-21 10:39 150016 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2010-05-21 04:27 . 2010-05-21 10:39 1382400 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-05-18 06:13 . 2010-05-18 09:07 1376768 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-05-17 04:57 . 2010-05-17 09:46 1373184 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-05-14 22:15 . 2006-08-22 17:52 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-11 23:21 . 2009-10-03 10:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2006-08-22 18:44 . 2006-08-22 18:44 88 --sh--r- c:\windows\system32\C19613D3BA.sys
2006-08-22 18:44 . 2006-08-22 18:44 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-1-12 113664]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Laura Panattoni^Start Menu^Programs^Startup^ntuser_mssec.exe]
path=c:\documents and settings\Laura Panattoni\Start Menu\Programs\Startup\ntuser_mssec.exe
backup=c:\windows\pss\ntuser_mssec.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-01-12 03:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-04-06 19:58 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-14 22:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2005-05-31 12:33 122941 ----a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2006-07-26 15:05 28672 ----a-w- c:\dell\E-Center\EULAl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-07-09 20:12 133104 ----atw- c:\documents and settings\Laura Panattoni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 01:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-02-04 16:44 385024 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 04:12 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
2007-02-24 00:32 126976 ----a-w- c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
2009-02-15 12:10 981384 ----a-w- c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FLEXnet Licensing Service"=3 (0x3)
"aawservice"=3 (0x3)
"WZCSVC"=2 (0x2)
"NetLogin Helper"=2 (0x2)
"DSBrokerService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Laura Panattoni\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Laura Panattoni\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\RTWTKRNL.sys [8/23/2006 10:58 AM 27200]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/2/2010 10:50 AM 102448]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/14/2010 7:43 PM 38224]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/16/2005 8:27 AM 169200]
S4 NetLogin Helper;NetLogin Helper;c:\program files\NetLogin\NetLoginService.exe [2/18/2008 10:38 PM 69632]
.
Contents of the 'Scheduled Tasks' folder

2010-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1996858125-3853305589-2774126147-1006Core.job
- c:\documents and settings\Laura Panattoni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-09 20:12]

2010-07-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1996858125-3853305589-2774126147-1006UA.job
- c:\documents and settings\Laura Panattoni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-09 20:12]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mail.com.auckland.ac.nz/owa/aut ... z%2fowa%2f
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&cli ... channel=us
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{88485281-8b4b-4f8d-9ede-82e29a064277} - (no file)
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-RealTimeWindowsTarget - c:\windows\rtwintgt -uninstall
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-28 15:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-07-28 15:54:08
ComboFix-quarantined-files.txt 2010-07-28 03:54

Pre-Run: 12,815,138,816 bytes free
Post-Run: 13,217,681,408 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 7C48F6B045C90F6C68EAC1DDD0B79C7B
Mzuka
Active Member
Posts: 8
Joined: July 22nd, 2010, 4:29 am

Re: Infected - can't restore/update/hibernate

Unread postby Dakeyras » July 28th, 2010, 4:40 am

Hi. :)

Wow! That is very impressive. Thank you very much. My wife's computer can standby and hibernate again. I can also access the Microsoft Update website - I did not update per this forum's strict instructions,
Good and you're welcome!

but automatic updates will probably catch it shortly if I leave it connected to the Internet. Should I go ahead? As before,
No do not allow this just yet.

I cannot test system restore without actually restoring. I guess I could create a restore point as of today and restore to it as a test if necessary.
I appreciate your enthusiasm but please do not do so as this will probably complicate matters/the malware removal process, thank you.

Also note that of the programs you asked me to delete, all succumbed gracefully, except AOLIcon, which did not show up on the list of installed programs.
Not a problem and we can address this in due course.

Here is the ComboFix log requested. Note that the program stopped halfway through to say it had detected rootkit activity and asked to restart. There was no specific guidance on this point at your link, so I allowed it.
I highly suggest if your wife has carried out any banking or other financial transactions on this machine or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Do not be overly alarmed by this but merely view it as myself ensuring your online safety.

Reset SP3 Firewall:

Click on Start >> Run... and cut/paste in the following and click on OK
Code:
firewall.cpl
Click on the Advanced tab >> Restore Defaults >> At the prompt click on Yes >> OK

Now click on the General tab >> select Off (not recommended) >> OK.

Note: No need for it to be active after the reset because you have the ZoneAlarm Firewall active.

Custom ComboFix-Script:

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    Code:
    File::
    c:\windows\Internet Logs\xDBB.tmp
    c:\windows\Internet Logs\xDBA.tmp
    c:\windows\Internet Logs\xDB9.tmp
    c:\windows\Internet Logs\xDB8.tmp
    c:\windows\Internet Logs\xDB7.tmp
    c:\windows\Internet Logs\xDB6.tmp
    c:\windows\Internet Logs\xDB5.tmp
    c:\windows\Internet Logs\xDB3.tmp
    c:\windows\Internet Logs\xDB4.tmp
    c:\windows\Internet Logs\xDB2.tmp
    c:\windows\Internet Logs\xDB1.tmp
    c:\windows\system32\C19613D3BA.sys
    c:\windows\system32\KGyGaAvL.sys
    
    Driver::
    C19613D3BA.sys
    KGyGaAvL.sys
    
    Folder::
    c:\program files\Lavasoft
    c:\documents and settings\All Users\Application Data\FLEXnet
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AOLIcon]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "FLEXnet Licensing Service"=-
    "aawservice"=-
    "WZCSVC"=-
    "NetLogin Helper"=-
    "DSBrokerService"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
    
    Reboot::
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue. If that happened we want to know, and also what process you had to end.

F-Secure Blacklight:

Please download Blacklight from here to your desktop.

or

Link to it from the ftp site: ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
and save it to your desktop from there.

Go to Start-->Run, copy in the following text, and press Enter:
"%userprofile%\desktop\fsbl.exe" /expert
Accept the license agreement.
Click > scan, wait for it to finish, then click Close

There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste the contents of this log into your next reply.

Malwarebytes Anti-Malware:

  • Launch the application, Check for Updates >> Perform a Quick Scan
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

When you have completed the above, please post back the following:

  • How is your wife's computer performing now? Any problems encountered and/or any further symptoms?
  • ComboFix Log.
  • Blacklight Log.
  • Malwarebytes Anti-Malware Log.
Dakeyras
MRU Honors Graduate
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
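As an added example (not code from the thread or from ComboFix itself), the following Python reads a CFScript written in the directive syntax used above (File::, Driver::, Folder::, Registry:: in regedit .reg syntax, Reboot::) and then compares its File::/Folder:: requests with the "Other Deletions" section of the ComboFix log the run produces, so that requests the tool did not honour, and collateral removals such as the contents of a requested folder, stand out before the machine is declared clean. The sample script is an excerpt of the one posted above with the Lavasoft folder left out on purpose; the sample log section is constructed in the shape of the follow-up log later in the thread, and the directive semantics are inferred from those two posts.

```python
"""Parse a ComboFix CFScript and check its File::/Folder:: requests against
the "Other Deletions" section of the resulting ComboFix log.
Added example for this thread, not ComboFix's own code; the directive
semantics are inferred from the script and follow-up log posted here."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    kind: str        # "file", "driver", "folder", "regkey", "regvalue", "reboot"
    target: str      # path, driver/service name, or registry key
    value: str = ""  # value name, only for kind == "regvalue"


def parse_cfscript(text: str) -> list[Action]:
    """Turn CFScript text into one Action per requested change."""
    actions: list[Action] = []
    section = current_key = None  # active directive and the [KEY] in force
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section = line[:-2].lower()
            current_key = None
            if section == "reboot":
                actions.append(Action("reboot", ""))
            continue
        if section in ("file", "driver", "folder"):
            actions.append(Action(section, line))
        elif section == "registry":
            # Registry:: uses regedit .reg syntax: [-KEY] deletes the whole
            # key; [KEY] followed by "name"=- deletes single values under it.
            if line.startswith("[") and line.endswith("]"):
                body = line[1:-1]
                if body.startswith("-"):
                    actions.append(Action("regkey", body[1:]))
                    current_key = None
                else:
                    current_key = body
                continue
            m = re.fullmatch(r'"([^"]+)"=-', line)
            if not (m and current_key):
                raise ValueError(f"unrecognised Registry:: line: {line!r}")
            actions.append(Action("regvalue", current_key, m.group(1)))
        else:
            raise ValueError(f"line outside any section: {line!r}")
    return actions


def deleted_paths(log_text: str) -> list[str]:
    """Paths listed under the 'Other Deletions' banner of a ComboFix log."""
    paths: list[str] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("((((") and line.endswith("))))"):
            in_section = "Other Deletions" in line  # banners delimit sections
        elif in_section and re.match(r"[A-Za-z]:\\", line):
            paths.append(line)
    return paths


def check_deletions(actions: list[Action], log_text: str) -> dict[str, list[str]]:
    """'missing': requested paths the log never reports as removed.
    'extra': removed paths neither requested nor inside a requested Folder::,
    i.e. collateral to review before declaring the machine clean."""
    files = {a.target.lower() for a in actions if a.kind == "file"}
    dirs = {a.target.lower().rstrip("\\") for a in actions if a.kind == "folder"}
    deleted = {p.lower() for p in deleted_paths(log_text)}

    def covered(path: str) -> bool:
        return path in files or path in dirs or any(
            path.startswith(d + "\\") for d in dirs)

    return {"missing": sorted(p for p in files | dirs if p not in deleted),
            "extra": sorted(p for p in deleted if not covered(p))}


# Excerpt of the CFScript posted above (deliberately leaves Lavasoft out).
SAMPLE_SCRIPT = r"""
File::
c:\windows\Internet Logs\xDB1.tmp
c:\windows\system32\KGyGaAvL.sys
Driver::
KGyGaAvL.sys
Folder::
c:\documents and settings\All Users\Application Data\FLEXnet
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AOLIcon]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FLEXnet Licensing Service"=-
Reboot::
"""

# Constructed log fragment in the shape of the follow-up ComboFix log.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\FLEXnet
c:\documents and settings\All Users\Application Data\FLEXnet\adobe_00080000_tsf.data
c:\program files\Lavasoft
c:\windows\Internet Logs\xDB1.tmp
c:\windows\system32\KGyGaAvL.sys
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
"""
```

Running `check_deletions(parse_cfscript(SAMPLE_SCRIPT), SAMPLE_LOG)` reports no missing paths and flags `c:\program files\lavasoft` as extra, while the adobe file under FLEXnet is accepted as part of the requested folder removal.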

Re: Infected - can't restore/update/hibernate

Unread postby Mzuka » July 29th, 2010, 4:17 am

Hi Dakeyras,

Thanks for your warning, but this computer hasn't been used for financial matters for several years and I change banking passwords pretty regularly. I'll change them again to be sure.

I turned off automatic updates via the Security Centre.

The script you had me run using ComboFix deleted a registry key associated with FlexNet (Adobe Licensing). As a result, we can no longer create pdf documents using Adobe on her computer. I should take some blame there - back when I set up that computer, I used msconfig to stop the flexNet service from loading on startup (instead of using services.msc). So when you cleaned up those dead keys, you caught that one. I can reinstall Adobe once you've finished.

Otherwise everything else is behaving normally (Windows update and hibernation), but I'll hold off the celebrations :)

Here are the logs you requested. There were no unusual warnings for any of them, and no requests to restart.



ComboFix 10-07-27.01 - Laura Panattoni 07/29/2010 19:16:07.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.502 [GMT 12:00]
Running from: c:\documents and settings\Laura Panattoni\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Laura Panattoni\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\Internet Logs\xDB1.tmp"
"c:\windows\Internet Logs\xDB2.tmp"
"c:\windows\Internet Logs\xDB3.tmp"
"c:\windows\Internet Logs\xDB4.tmp"
"c:\windows\Internet Logs\xDB5.tmp"
"c:\windows\Internet Logs\xDB6.tmp"
"c:\windows\Internet Logs\xDB7.tmp"
"c:\windows\Internet Logs\xDB8.tmp"
"c:\windows\Internet Logs\xDB9.tmp"
"c:\windows\Internet Logs\xDBA.tmp"
"c:\windows\Internet Logs\xDBB.tmp"
"c:\windows\system32\C19613D3BA.sys"
"c:\windows\system32\KGyGaAvL.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\FLEXnet
c:\documents and settings\All Users\Application Data\FLEXnet\adobe_00080000_event.log
c:\documents and settings\All Users\Application Data\FLEXnet\adobe_00080000_event.log.bak
c:\documents and settings\All Users\Application Data\FLEXnet\adobe_00080000_tsf.data
c:\program files\Lavasoft
c:\windows\Internet Logs\xDB1.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\Internet Logs\xDB3.tmp
c:\windows\Internet Logs\xDB4.tmp
c:\windows\Internet Logs\xDB5.tmp
c:\windows\Internet Logs\xDB6.tmp
c:\windows\Internet Logs\xDB7.tmp
c:\windows\Internet Logs\xDB8.tmp
c:\windows\Internet Logs\xDB9.tmp
c:\windows\Internet Logs\xDBA.tmp
c:\windows\Internet Logs\xDBB.tmp
c:\windows\system32\C19613D3BA.sys
c:\windows\system32\KGyGaAvL.sys

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
.

2010-07-28 03:11 . 2010-07-28 03:11 -------- d-----w- c:\program files\ERUNT
2010-07-27 08:02 . 2010-07-27 08:02 -------- d-----w- c:\documents and settings\Laura Panattoni\Local Settings\Application Data\PCHealth
2010-07-27 08:00 . 2010-07-27 08:00 -------- d-----w- C:\Rooter$
2010-07-04 06:36 . 2010-07-04 06:36 -------- d-----w- c:\program files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-29 07:24 . 2006-08-22 17:59 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-28 03:19 . 2009-01-21 07:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-27 06:23 . 2008-05-13 16:26 -------- d-----w- c:\documents and settings\Laura Panattoni\Application Data\Skype
2010-07-27 04:36 . 2008-05-13 16:29 -------- d-----w- c:\documents and settings\Laura Panattoni\Application Data\skypePM
2010-07-11 21:22 . 2010-07-11 21:22 21503754 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2010_07_12_09_15_58_full.dmp.zip
2010-06-18 20:59 . 2008-11-01 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-16 13:03 . 2010-05-13 10:09 -------- d-----w- c:\program files\Trend Micro
2010-06-16 12:00 . 2010-05-17 09:46 1596748 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-06-08 11:22 . 2009-03-26 09:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-14 22:15 . 2006-08-22 17:52 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-11 23:21 . 2009-10-03 10:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-1-12 113664]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Laura Panattoni^Start Menu^Programs^Startup^ntuser_mssec.exe]
path=c:\documents and settings\Laura Panattoni\Start Menu\Programs\Startup\ntuser_mssec.exe
backup=c:\windows\pss\ntuser_mssec.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-02-04 16:44 385024 ----a-w- c:\program files\QuickTime\qttask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\RTWTKRNL.sys [8/23/2006 10:58 AM 27200]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/2/2010 10:50 AM 102448]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/14/2010 7:43 PM 38224]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/16/2005 8:27 AM 169200]
S4 NetLogin Helper;NetLogin Helper;c:\program files\NetLogin\NetLoginService.exe [2/18/2008 10:38 PM 69632]
.
Contents of the 'Scheduled Tasks' folder

2010-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1996858125-3853305589-2774126147-1006Core.job
- c:\documents and settings\Laura Panattoni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-09 20:12]

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1996858125-3853305589-2774126147-1006UA.job
- c:\documents and settings\Laura Panattoni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-09 20:12]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mail.com.auckland.ac.nz/owa/aut ... z%2fowa%2f
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&cli ... channel=us
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-29 19:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3704)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2010-07-29 19:29:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-29 07:29

Pre-Run: 13,327,237,120 bytes free
Post-Run: 13,313,138,688 bytes free

- - End Of File - - 69AA65E2C08335B2629A90FA1706E27F

BLACKLIGHT

07/29/10 19:33:46 [Info]: BlackLight Engine 2.2.1092 initialized
07/29/10 19:33:46 [Info]: OS: 5.1 build 2600 (Service Pack 3)
07/29/10 19:33:46 [Note]: 7019 4
07/29/10 19:33:46 [Note]: 7005 0
07/29/10 19:33:52 [Note]: 7006 0
07/29/10 19:33:52 [Note]: 7022 0
07/29/10 19:33:52 [Note]: 7011 3704
07/29/10 19:33:52 [Note]: 7035 0
07/29/10 19:33:52 [Note]: 7026 0
07/29/10 19:33:53 [Note]: 7026 0
07/29/10 19:33:53 [Note]: FSRAW library version 1.7.1024
07/29/10 19:40:12 [Note]: 7007 0

Note: This is all it produced. It didn't find anything according to the GUI.

Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Database version: 4365

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/29/2010 7:48:27 PM
mbam-log-2010-07-29 (19-48-27).txt

Scan type: Quick scan
Objects scanned: 140345
Time elapsed: 6 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Mzuka
Active Member
 
Posts: 8
Joined: July 22nd, 2010, 4:29 am

Re: Infected - can't restore/update/hibernate

Unread postby Dakeyras » July 29th, 2010, 5:50 am

Hi. :)

Thanks for your warning, but this computer hasn't been used for financial matters for several years and I change banking passwords pretty regularly. I'll change them again to be sure.
OK and you're welcome!

I turned off automatic updates via the Security Centre
Merely re-enable it again once I give the all clear, as otherwise, as I mentioned prior, any updates installed now during the ongoing malware removal process may actually cause a problem if malware is still present on the system but as yet undetected by myself.

The script you had me run using ComboFix deleted a registry key associated with FlexNet (Adobe Licensing). As a result, we can no longer create pdf documents using Adobe on her computer. I should take some blame there - back when I set up that computer, I used msconfig to stop the flexNet service from loading on startup (instead of using services.msc). So when you cleaned up those dead keys, you caught that one. I can reinstall Adobe once you've finished.
My sincere apologies about that; I honestly had no idea the software was associated with Adobe and thought it was a leftover from an uninstalled application called FlexNet Publisher :oops:. I concur it would probably be best if the actual application was reinstalled once I give the all clear.

BLACKLIGHT

Note: This is all it produced. It didn't find anything according to the GUI.
Absolutely fine, I receive a similar output from my XP SP3 machine when the scan is run. This merely denotes nothing malicious was detected, which is a positive sign I will further add.

New Java Installation:

  • Click here to visit Java's website.
  • Scroll down to JDK 6 Update 21 (JDK or JRE). Click on Download JRE.
  • Select Windows from the drop-down list for Platform.
  • Check (tick) Java SE Runtime Environment 6u21 with JavaFX 1 License Agreement box and click on Continue.
  • Click on jre-6u21-windows-i586.exe link to download it and save this to a convenient location.
  • Double click on jre-6u21-windows-i586.exe to install Java. Uncheck Carbonite online backup trial if it's offered there.

Launch your installed CCLeaner application:

  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced."
    deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • After CCleaner has completed its process, click Exit.

Note: I do not recommend ever using the Issues (registry cleaning component) feature as it has a penchant for removing legitimate items. Plus the backups it does create are very rarely successfully merged back with the registry.

Run Kaspersky Online AV Scanner:

Go to this Kaspersky website and perform an online antivirus scan.

Note: Use Internet Explorer for this scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

This online tutorial will help explain how to use the aforementioned online scan.

Update HijackThis:

The current version in use has now been superseded by an updated version.

Please download and install the new version, Trend Micro HijackThis v2.0.4 from here.

Note: Do not uninstall the prior version until I give the all clear.

When completed the above, please post back the following:

  • How is your wife's computer performing now? Any problems encountered and/or any further symptoms?
  • Kaspersky report.
  • A new HijackThis Log.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Infected - can't restore/update/hibernate

Unread postby Mzuka » July 30th, 2010, 12:09 pm

Hi Dakeyras,

Apologies for the delay. Kaspersky took forever to download and run. No problems with Adobe, it won't be the first time I've had to reinstall it - not only is it pushy about asserting its place on the computer, some of the updates have caused clashes. I'd get rid of it except my wife finds it very useful.

I asked my wife for her opinion of how it's running now. She said the big difference that concerned her was that when she uses her statistical programs (she's doing a course at uni) the program used to be able to clear 900Mb of RAM for use with her large datasets before you started work (and after the infection) and now it can only clear 600Mb RAM. That is the main thing.

When using Kaspersky, I turned off Symantec's autoprotect as it advised, and went to bed. When I woke up, I found Symantec had turned itself back on while Kaspersky was running and reported two auto-protect results. One was c:\Qoobox\quarantine\C\WindowSystem32\Drivers\pciide.sys.vir, the other was c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP1286\A0307418.sys, neither of which it deleted, although in both cases it claimed successful 'browser cache remediation'. There is probably a log somewhere if you want it.

Here are the two logs you requested.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, July 31, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, July 30, 2010 06:26:20
Records in database: 4199621
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 117685
Threats found: 5
Infected objects found: 18
Suspicious objects found: 0
Scan duration: 04:12:36


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03040000.VBN Infected: Exploit.Java.Agent.f 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03040000.VBN Infected: Trojan-Downloader.Java.Agent.cd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03040000.VBN Infected: Trojan-Downloader.Java.OpenStream.al 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03040001.VBN Infected: Exploit.Java.Agent.f 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03040001.VBN Infected: Trojan-Downloader.Java.Agent.cd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03040001.VBN Infected: Trojan-Downloader.Java.OpenStream.al 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05FC0000.VBN Infected: Exploit.Java.Agent.f 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05FC0000.VBN Infected: Trojan-Downloader.Java.Agent.cd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05FC0000.VBN Infected: Trojan-Downloader.Java.OpenStream.al 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05FC0001.VBN Infected: Exploit.Java.Agent.f 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05FC0001.VBN Infected: Trojan-Downloader.Java.Agent.cd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05FC0001.VBN Infected: Trojan-Downloader.Java.OpenStream.al 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A1C0000\4ADE1886.VBN Infected: Virus.VBS.AutoRun.ah 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ACC0000\4ACDAFC2.VBN Infected: Virus.VBS.AutoRun.ah 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ACC0001\4ACDBA61.VBN Infected: Virus.VBS.AutoRun.ah 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ACC0002\4ADCDA5E.VBN Infected: Virus.VBS.AutoRun.ah 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ACC0003\4ADF173C.VBN Infected: Virus.VBS.AutoRun.ah 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F840001\4F9CCBC7.VBN Infected: Packed.Win32.Krap.ao 1

Selected area has been scanned.

And the HijackThis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:54:30 AM, on 7/31/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Laura Panattoni\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mail.com.auckland.ac.nz/owa/aut ... z%2fowa%2f
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... channel=us
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 6267618879
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6267614676
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Fac ... der4_5.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9405 bytes
Mzuka
Active Member
 
Posts: 8
Joined: July 22nd, 2010, 4:29 am

Re: Infected - can't restore/update/hibernate

Unread postby Dakeyras » July 30th, 2010, 2:32 pm

Hi. :)

Apologies for the delay. Kaspersky took forever to download and run. No problems with Adobe, it won't be the first time I've had to reinstall it - not only is it pushy about asserting its place on the computer, some of the updates have caused clashes. I'd get rid of it except my wife finds it very useful.
Not a problem, sometimes this particular online scan can be quirky but it is very reliable nonetheless.

I asked my wife for her opinion of how it's running now. She said the big difference that concerned her was that when she uses her statistical programs (she's doing a course at uni) the program used to be able to clear 900Mb of RAM for use with her large datasets before you started work (and after the infection) and now it can only clear 600Mb RAM. That is the main thing.
Very probably the machine will be in need of some serious system maintenance as a result of the effects of malware. I will provide specific advice about this in due course.

When using Kaspersky, I turned off Symantec's autoprotect as it advised, and went to bed. When I woke up, I found Symantec had turned itself back on while Kaspersky was running and reported two auto-protect results. One was c:\Qoobox\quarantine\C\WindowSystem32\Drivers\pciide.sys.vir, the other was c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP1286\A0307418.sys, neither of which it deleted, although in both cases it claimed successful 'browser cache remediation'. There is probably a log somewhere if you want it.
That's OK, part of the ComboFix uninstall procedure when I advise it will take care of that.

Next:

It would be prudent to empty the Quarantine folder of Symantec AntiVirus. I would prefer not to target the actual folder myself just in case I damage the installation, as anything Symantec can be problematic at the best of times.

This is the location of the Quarantine folder if not easily accessed via the actual AV's GUI:-

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine

Also I advise you either move the executable for HijackThis into its own folder, at say the root of the system drive, and/or merely uninstall the new version along with the older one when I give the all clear if you do not intend to keep it installed.

This is the current location of the updated executable:-

C:\Documents and Settings\Laura Panattoni\Desktop\HijackThis.exe

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

Please navigate to Start >> All Programs >> ERUNT >> ERUNT.

  • Click on OK within the pop-up menu.
  • In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
  • System registry
  • Current user registry
  • Next click on OK
  • When the Question pop-up appears click on Yes
  • After a short duration the Registry backup is complete! popup will appear
  • Now click on OK. A backup has been created.

Note: If you have uninstalled ERUNT since we last used it, please inform myself before proceeding any further.

Next:

Please download OTM to your Desktop.

  • Double-click OTM to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
:Processes

:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

:Commands
[Purity]
[EmptyTemp]
[Start Explorer]
[Reboot]
  • Return to OTM, right-click in the "Paste instructions for items to be moved" window (under the yellow bar) and choose Paste
  • Then click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next response.
  • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
  • Close OTM.

When completed the above, please post back the following in the order asked for:

  • How is your wife's computer performing now, any further symptoms and or problems encountered?
  • OTM Log.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
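As an added example (not code from the thread, from HijackThis or from OTM): a small Python triage pass over lines in the HijackThis log format. It flags the dangling BHO registration in the posted log (the O2 entry ending in "(no file)") together with the other entries worth a second look, and then builds the ":Reg" lines of the OTM script used in this post from the dangling CLSIDs. The log lines inside it are constructed samples modelled on the posted log, and the review rules are this example's own assumptions, not HijackThis's logic.

```python
"""Triage a HijackThis v2.0.x log: flag registrations that point at nothing
and entries that deserve review, then emit the OTM ':Reg' lines that delete
the orphaned BHO keys. Added example; not part of the thread, HijackThis or OTM."""
import re

# Constructed sample lines in the HijackThis log format, modelled on the
# entries posted in the thread (values as posted, list shortened).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# "O23 - Service: ..." style entry lines; anything else in the log is skipped.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 Run entries: "[name] target". A target with no drive letter or backslash
# is resolved through the search path, so the log alone cannot verify it.
O4_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<target>.+)$")
# O23 entries: "Service: name - publisher - path"
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<publisher>.+?) - (?P<path>.+)$")

# Registry locations an OTM ':Reg' block targets for an orphaned BHO.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"


def parse_log(text):
    """Return (section, body) pairs for every entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Return findings as (level, section, reason, detail) tuples.

    level is 'dangling' (registration points at a file that is gone) or
    'review' (not verifiable from the log; check it on the machine)."""
    findings = []
    for section, body in parse_log(text):
        clsid = CLSID_RE.search(body)
        detail = clsid.group(0) if clsid else body
        if section == "O2" and body.endswith("(no file)"):
            findings.append(("dangling", section, "BHO registered but DLL missing", detail))
        elif body.endswith("(file missing)"):
            findings.append(("dangling", section, "extension points at a missing file", detail))
        elif section == "O4":
            m = O4_RE.match(body)
            if m:
                target = m.group("target").strip('"')
                if "\\" not in target and ":" not in target:
                    findings.append(("review", section, "Run entry without a full path", target))
            elif body.endswith("= ?"):
                findings.append(("review", section, "startup shortcut target not resolved", body))
        elif section == "O23":
            m = O23_RE.match(body)
            if m and m.group("publisher") == "Unknown owner":
                findings.append(("review", section, "service with no known publisher", m.group("path")))
    return findings


def otm_reg_script(findings):
    """Build the ':Reg' section of an OTM script that removes the registration
    keys of every dangling BHO, in the form the helper used in this thread."""
    lines = [":Reg"]
    for level, section, _reason, detail in findings:
        if level == "dangling" and section == "O2" and CLSID_RE.fullmatch(detail):
            lines.append("[-%s\\%s]" % (BHO_KEY, detail))
            lines.append("[-%s\\%s]" % (CLSID_KEY, detail))
    return "\n".join(lines)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for finding in results:
        print("%-9s %-4s %-40s %s" % finding)
    print(otm_reg_script(results))
```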

Re: Infected - can't restore/update/hibernate

Unread postby Mzuka » July 30th, 2010, 5:15 pm

Hi Again,

This is certainly an extensive process :) I appreciate the time you're putting into it.

In terms of performance, my wife's computer is more or less unchanged. I initially had some trouble accessing Microsoft Update (Error 0x80072F78) but eventually got into it after restarting. There appears to be a bit more memory available. I haven't noticed any new symptoms.

It would be prudent to empty the Quarantine folder of Symantec AntiVirus. I would prefer not to target the actual folder myself just in-case I damage the installation as anything Symantec can be problematic at the best of times.

Done, using the GUI. Double checked the folder and it is empty (including hidden files).

Also I advise you either move the executable for HijackThis into its own folder, at say the root of the system drive, and/or merely uninstall the new version along with the older one when I give the all clear if you do not intend to keep it installed.

Done, moved for now into C:\HijackThis. Note that the link you sent me for download had two versions; an installable version and an executable. I used the latter.

I still had ERUNT installed and made the requested backup.

And here is the OTC log requested (note: IE reported OTC.exe as an 'unsafe download' and made me jump through hoops to get it).

All processes killed
========== PROCESSES ==========
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 38632 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Laura Panattoni
->Temp folder emptied: 107149056 bytes
->Temporary Internet Files folder emptied: 1087148 bytes
->Java cache emptied: 13766855 bytes
->Flash cache emptied: 1963187 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 111826 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 14711 bytes

User: Owner

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 5552657 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 511 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 3466508 bytes

Total Files Cleaned = 127.00 mb


OTM by OldTimer - Version 3.1.15.0 log created on 07312010_083354

Files moved on Reboot...
C:\Documents and Settings\Laura Panattoni\Local Settings\Temp\~DFA97A.tmp moved successfully.
File C:\WINDOWS\temp\ZLT03c5f.TMP not found!

Registry entries deleted on Reboot...

Re: Infected - can't restore/update/hibernate

Unread postby Dakeyras » July 31st, 2010, 3:07 am

Hi. :)

Thanks for the updates etc and you're most welcome!

Next:

Congratulations your wife's computer now appears to be malware free!

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

Importance of Regular System Maintenance:

I advise you read both of the below listed topics, as this will go a long way to keeping your computer performing well.

Help! My computer is slow!

Also, so is this:

What to do if your Computer is running slowly

Uninstall ComboFix:

  • Click on Start >> Run...
  • Now type ComboFix /Uninstall into the box and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.

Clean up with OTM:

  • Double-click OTM to start the program.
  • Close all other programs apart from OTM, as this step will require a reboot.
  • On the OTM main screen, press the CleanUp! button.
  • Say Yes to the prompt and then allow the program to reboot your computer.

The above process should clean up and remove the vast majority of scanners used and logs created etc.

Any left over, merely delete yourself and empty the Recycle Bin.

Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is an excellent application and I advise you keep this installed. Check for updates and run a scan once a week.

Other installed security software:

The presently installed security application, Symantec AntiVirus, automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running, providing an internet connection is active.

I advise you also run a complete scan with this also once per week.

Erunt:

Emergency Recovery Utility NT. I advise you keep this installed as a means to keep a complete backup of your registry and restore it when needed.

Myself, I would actually create a new backup once per week, as this along with System Restore may prove to be invaluable if something unforeseen occurs!

Keep your system updated:

Microsoft releases patches for Windows and other products regularly:


Hosts File:

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:


Only use one of the above.

Install WinPatrol:

  • Download it from here
  • You can find information about how WinPatrol works here

Next:

Any questions? If so, feel free to ask. If not, stay safe!

Re: Infected - can't restore/update/hibernate

Unread postby Mzuka » July 31st, 2010, 3:40 am

Hi Dakeyras,

A big thank you to you from me and my wife. I will implement your suggestions on the rest of our computers too. It's been a few years since I last did some serious research on protecting our computers (at the time your website was recommending Ad-Aware and ZoneAlarm, hence those installations) and obviously it's past time to update. Thanks again,

Cheers, Mzuka

Re: Infected - can't restore/update/hibernate

Unread postby Dakeyras » July 31st, 2010, 4:04 am

You're most welcome! :)

Re: Infected - can't restore/update/hibernate

Unread postby Dakeyras » August 1st, 2010, 4:58 am

As it appears this issue has been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.