Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Caught the 'My Security Shield' malware today


Re: Caught the 'My Security Shield' malware today

Post by Mantis » September 14th, 2010, 5:14 am

Hi Cypher,

No ESET file there, even after a search. I'll try the scan again. After the scan, before clicking "Finish", I'll check for the file.

System running OK except for small nuisances. At start-up a timed question is asked about which of 3 systems I want, so I always select "Windows XP Home Edition". Also, the latest boot showed the Hotmail sign-in cookie had been deleted; petty problems, but I thought you should know.

Mantis
Mantis
Regular Member
 
Posts: 19
Joined: September 10th, 2010, 12:03 pm

Re: Caught the 'My Security Shield' malware today

Post by Cypher » September 14th, 2010, 5:39 am

Hi Mantis.
Yes, run the scan again please and post the log.
Be sure to run ATF Cleaner and disable your AV again before doing so.
If you still have problems locating the log we can try another scanner.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Caught the 'My Security Shield' malware today

Post by Mantis » September 14th, 2010, 7:16 pm

Cypher,

This time's the charm, although I had to perform a search of "C:" to find the log. PC's still OK except for the timed (25 sec) prompt when booting up: "Which of 3 versions of Windows XP do you want?", to which I always choose "Windows XP Home Edition".

Mantis



ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=20c62176b940274da9a358cf65d19b9e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-09-14 10:41:56
# local_time=2010-09-14 06:41:56 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=32034
# found=15
# cleaned=0
# scan_time=3019
C:\WINDOWS\sp.dll REG/StartPage trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\BDERastDx6_30002.dll probably a variant of Win32/Agent.CXRWOYQ trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\BDESac10.dll probably a variant of Win32/Agent.DGBYRQC trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\bdeload.dll probably a variant of Win32/Agent.HLJCGSJ trojan 00000000000000000000000000000000 I
C:\Program Files\Morpheus\msc.exe multiple threats 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\871fae5\65.mof.vir Win32/RogueAV.A trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\871fae5\MS871f_2129.exe.vir a variant of Win32/Injector.CXN trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\MSVIEW.DLL.vir Win32/Adware.BiSpy application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\load.exe.vir Win32/Nimda.A worm 00000000000000000000000000000000 I
C:\BDE\bdeviewer.exe Win32/Krepper.Y trojan 00000000000000000000000000000000 I
C:\BDE\cache\bdedetect1.dll Win32/Adware.BrilliantDigital application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A24DE065-A38C-42CD-8D36-77164549C9D2}\RP186\A0034639.mof Win32/RogueAV.A trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A24DE065-A38C-42CD-8D36-77164549C9D2}\RP186\A0034640.exe a variant of Win32/Injector.CXN trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A24DE065-A38C-42CD-8D36-77164549C9D2}\RP186\A0034701.DLL Win32/Adware.BiSpy application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A24DE065-A38C-42CD-8D36-77164549C9D2}\RP186\A0034703.exe Win32/Nimda.A worm 00000000000000000000000000000000 I
Mantis
Regular Member
 
Posts: 19
Joined: September 10th, 2010, 12:03 pm

Re: Caught the 'My Security Shield' malware today

Post by Cypher » September 15th, 2010, 6:19 am

Hi Mantis.
I would like you to test a couple of files for me.

Upload File/Files for testing

Please go to jotti.org or Virustotal

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\sp.dll

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Repeat the process for the following.
C:\WINDOWS\SYSTEM32\BDESac10.dll
C:\WINDOWS\SYSTEM32\bdeload.dll
C:\Program Files\Morpheus\msc.exe

Post the results in your next reply.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns
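Before anything gets uploaded or deleted, the helper has to sort the fifteen ESET hits above by where the file actually sits: four are copies ComboFix already moved into C:\Qoobox\Quarantine (the .vir suffix), four are System Restore snapshots under System Volume Information, and the remaining seven are files still in place. The Python script below, added here as an example and not code from the thread, from ESET or from MalwareRemoval.com, does that split over the log as posted. The rule it uses to separate the path from the detection name (the first token containing a "/" starts the name) is an assumption of the example, not a documented ESET log format. Note also that the hash column in this log is all zeros, so there is nothing to look up by hash; the files themselves have to be submitted, which is what the request above asks for.

```python
r"""Triage the detection list of an ESET Online Scanner log.

Added example for this thread, not ESET's or MalwareRemoval.com's code. It
splits the hits into files still in place ("live"), copies ComboFix already
moved to C:\Qoobox\Quarantine, and copies inside System Restore points.
"""
import re
from collections import defaultdict

# Sample input: header and detection lines copied from the ESET log posted in
# this thread. The hash column is all zeros, so nothing can be looked up by
# hash; the files themselves have to be submitted.
ESET_LOG = r"""
# osver=5.1.2600 NT Service Pack 3
# scanned=32034
# found=15
# cleaned=0
C:\WINDOWS\sp.dll REG/StartPage trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\BDERastDx6_30002.dll probably a variant of Win32/Agent.CXRWOYQ trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\BDESac10.dll probably a variant of Win32/Agent.DGBYRQC trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\bdeload.dll probably a variant of Win32/Agent.HLJCGSJ trojan 00000000000000000000000000000000 I
C:\Program Files\Morpheus\msc.exe multiple threats 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\871fae5\65.mof.vir Win32/RogueAV.A trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\871fae5\MS871f_2129.exe.vir a variant of Win32/Injector.CXN trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\MSVIEW.DLL.vir Win32/Adware.BiSpy application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\load.exe.vir Win32/Nimda.A worm 00000000000000000000000000000000 I
C:\BDE\bdeviewer.exe Win32/Krepper.Y trojan 00000000000000000000000000000000 I
C:\BDE\cache\bdedetect1.dll Win32/Adware.BrilliantDigital application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A24DE065-A38C-42CD-8D36-77164549C9D2}\RP186\A0034639.mof Win32/RogueAV.A trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A24DE065-A38C-42CD-8D36-77164549C9D2}\RP186\A0034640.exe a variant of Win32/Injector.CXN trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A24DE065-A38C-42CD-8D36-77164549C9D2}\RP186\A0034701.DLL Win32/Adware.BiSpy application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A24DE065-A38C-42CD-8D36-77164549C9D2}\RP186\A0034703.exe Win32/Nimda.A worm 00000000000000000000000000000000 I
"""

# A detection line is: path, threat name, 32-hex hash, flag column.
DETECTION_RE = re.compile(r"^(?P<body>.+?)\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flags>\S+)$")
NAME_LEADS = (["probably", "a", "variant", "of"], ["a", "variant", "of"])


def split_body(body):
    """Split 'path threat-name' at the threat name.

    Assumption of this example, not a documented ESET format: names read
    Platform/Family.Variant and '/' never occurs in a Windows path, so the
    first token containing '/' starts the name; 'a variant of' and
    'probably a variant of' are pulled back into it. 'multiple threats'
    has no family token and is matched by its first word.
    """
    tokens = body.split(" ")
    start = next((i for i, t in enumerate(tokens) if "/" in t), None)
    if start is None:
        start = tokens.index("multiple")
    for lead in NAME_LEADS:
        if start >= len(lead) and tokens[start - len(lead):start] == lead:
            start -= len(lead)
            break
    return " ".join(tokens[:start]), " ".join(tokens[start:])


def classify(path):
    """Bucket a detection by where the file sits."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "quarantined"      # inert unless restored from ComboFix's quarantine
    if "\\system volume information\\_restore" in p:
        return "restore_point"    # cleared by purging System Restore, not by deleting
    return "live"


def parse_eset_log(text):
    """Return one dict per detection line; cross-check against '# found='."""
    found, detections = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            m = re.match(r"#\s*found=(\d+)", line)
            if m:
                found = int(m.group(1))
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        path, name = split_body(m.group("body"))
        detections.append({"path": path, "name": name,
                           "hash": m.group("hash"), "flags": m.group("flags")})
    if found is not None and found != len(detections):
        raise ValueError(f"header says found={found}, parsed {len(detections)}")
    return detections


def triage(text):
    """Group parsed detections into live / quarantined / restore_point."""
    buckets = defaultdict(list)
    for det in parse_eset_log(text):
        buckets[classify(det["path"])].append(det)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in triage(ESET_LOG).items():
        print(f"{bucket}: {len(items)}")
        for det in items:
            print(f"  {det['path']}  <-  {det['name']}")
```

Run as-is it prints seven live hits, four quarantined and four restore-point copies. The "# found=" cross-check catches a log that was truncated when pasted, which is worth having given how much trouble locating the log caused earlier in the thread.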

Re: Caught the 'My Security Shield' malware today

Post by Mantis » September 15th, 2010, 6:56 am

Sorry but jotti.org would not accept my entry, not by pasting or by manually trying to type it into the box. I tried other languages, still nothing. The cursor does blink though! Virustotal 'no longer exists'. Just to be sure that I still had typing abilities I returned to Hotmail and it's OK.
Mantis
Regular Member
 
Posts: 19
Joined: September 10th, 2010, 12:03 pm

Re: Caught the 'My Security Shield' malware today

Post by Cypher » September 15th, 2010, 7:26 am

Hi Mantis.
Let's remove those files; then, if you have no other problems, I can give you final instructions.

Re-run OTM
  • Double-click OTM.exe to run it.
  • Right-click then copy the following code, Do not include the word Code.
    Code:
    :Files
    C:\WINDOWS\sp.dll
    C:\WINDOWS\SYSTEM32\BDESac10.dll
    C:\WINDOWS\SYSTEM32\bdeload.dll
    C:\Program Files\Morpheus\msc.exe
    
    :Commands
    [emptytemp]
    [start explorer]
    [Reboot]
    

    • Return to OTM, right-click then paste the code into the blank box.
    • Next click on the large Move It button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Logs/Information to Post in your Next Reply

  • OTM log.
  • Please give me one more update on your computer's performance.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Caught the 'My Security Shield' malware today

Post by Mantis » September 15th, 2010, 7:47 am

Cypher,

Before I proceed, let me tell you what just happened. I was again attacked by My Security Shield. It completely took over the entire operation and looked exactly like Windows. I tried to shut everything down and it even prevented me from clicking Start. I finally had to unplug the PC and reboot. So far no sign of MSS, but some part of it has to be still there.

Mantis
Mantis
Regular Member
 
Posts: 19
Joined: September 10th, 2010, 12:03 pm

Re: Caught the 'My Security Shield' malware today

Post by Mantis » September 15th, 2010, 8:16 am

Cypher,

I went ahead and performed the OTM.exe process as asked and the results are below. When I tried to click "Move It" there was a 'Windows Warning' that C:\WINDOWS\sp.dll was "not a valid Windows image" and I was told to check my disk/diskette. I clicked "OK" and it went ahead with the process. No more MSS attacks since the last episode, but I'm afraid I may have been reinfected when I was trying to shut down. Any way to be sure, short of going through the whole process again? Don't get me wrong, I'll do it if that's what it takes!

(Praying) Mantis.


All processes killed
========== FILES ==========
LoadLibrary failed for C:\WINDOWS\sp.dll
C:\WINDOWS\sp.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\BDESac10.dll
C:\WINDOWS\SYSTEM32\BDESac10.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\bdeload.dll
C:\WINDOWS\SYSTEM32\bdeload.dll moved successfully.
C:\Program Files\Morpheus\msc.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 79135 bytes
->Temporary Internet Files folder emptied: 20240051 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1167 bytes

User: NetworkService
->Temp folder emptied: 896 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 17192 bytes
Session Manager Temp folder emptied: 0 bytes
Session Manager Tmp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 19.00 mb


OTM by OldTimer - Version 3.1.16.0 log created on 09152010_075803

Files moved on Reboot...
C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\YVMHVEAE\xmlProxy[1].htm moved successfully.
C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\YVMHVEAE\xmlProxy[2].htm moved successfully.
C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\B87RNWV5\Messenger[1].htm moved successfully.
C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\J2RIENRC\default[1].htm moved successfully.
C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\J2RIENRC\InboxLight[1].htm moved successfully.
C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\J2RIENRC\viewtopic[1].htm moved successfully.
C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\GBORBEI4\LocalStorage[1].htm moved successfully.

Registry entries deleted on Reboot...
Mantis
Regular Member
 
Posts: 19
Joined: September 10th, 2010, 12:03 pm

Re: Caught the 'My Security Shield' malware today

Post by Mantis » September 15th, 2010, 9:50 am

Cypher,

Just thought I'd give you an update. This latest MSS attack occurred at the exact same time that my auto-run gate opened for (allegedly) Windows(?) to issue updates; coincidence? Right now there are 7 updates awaiting download when I shut down, and I've been avoiding allowing them to download by clicking the option below "Off" in the final phase of shutdown. On that final panel is an icon of a 'shield' that looks suspiciously like the MSS logo. I've never seen a shield on that panel before and I believe it represents MSS ready to reinfect my system. I had just gone to Windows Updates and brought all my updates up to date just 4 days ago, so that's another reason I'm VERY LEERY about this! I'll await further instructions.

Mantis

PS
I realize now that the timed question on booting up is because the Windows Recovery Console was installed.
Mantis
Regular Member
 
Posts: 19
Joined: September 10th, 2010, 12:03 pm

Re: Caught the 'My Security Shield' malware today

Post by Mantis » September 15th, 2010, 10:29 am

Cypher,

Just to be clear on what happened during the last MSS attack: while it was happening (WARNINGs that my "computer was now infected!", flashing listings of all the trojans involved, flashing numbers, etc.), I could see "My Security Shield" written on the prompt buttons. At the same time there was Windows(?) just starting to download 7 "critical updates". I tried to click "Start" so I could immediately shut down and discovered I was blocked from doing so. That's when I hit the switch on my power strip, cutting off all power to the PC. When I rebooted I had no trouble, but when I went to shut down I noticed the 7 Windows(?) updates sitting in limbo waiting to download. My very uneducated opinion is either the whole 'update thing' was a total ruse or that MSS snuck in when the gate opened. Either way I can't trust those awaiting programs. I have since closed the Auto Update gate.

Maybe this wouldn't have happened if I had installed an antivirus program as you instructed? I apologize, but I was still under the assumption that Windows Defender was such a program. Should I install one now or should I wait?

Mantis
Mantis
Regular Member
 
Posts: 19
Joined: September 10th, 2010, 12:03 pm

Re: Caught the 'My Security Shield' malware today

Post by Mantis » September 15th, 2010, 10:50 am

Cypher,

Sorry to keep posting, but I thought this was important. As I was shutting down just now I noticed those 7 Windows(?) Updates were no longer waiting at the last panel. I checked my Install/Uninstall list and they weren't downloaded, and they weren't in the Recycle Bin. Maybe I averted a disaster, maybe not. I'll check with the Microsoft Update page later to see if 7 critical updates are waiting for me. Either way I'm leaving the Auto Update gate CLOSED from now on. Funny thing is, that was the very first time I ever left it on Auto. After updating on 9/12 I thought I'd trust it, but up until then I had always kept it closed. Never again.

Mantis
Mantis
Regular Member
 
Posts: 19
Joined: September 10th, 2010, 12:03 pm

Re: Caught the 'My Security Shield' malware today

Post by Cypher » September 15th, 2010, 11:16 am

Hi.
OK, you need to install one of the antivirus applications I suggested earlier NOW.
There were Windows updates released this morning, but don't install them yet.

Next.

Malwarebytes Anti-Malware:

  • Launch the application, Check for Updates >> Perform Quick Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Next.

Re-run - RSIT (Random's System Information Tool)

You should still have this program on your desktop.
  • Right-click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
  • Please read the disclaimer... click on Continue.
  • RSIT will start running. When done... ONLY the "C:\RSIT\log.txt"...will be reproduced. ( it will be maximized )
  • Please post ONLY the "log.txt", file contents in your next reply.
    (This log can be lengthy, so a separate post may be needed.)


Logs/Information to Post in your Next Reply

  • Malwarebytes log.
  • RSIT log.txt.
  • Please give me an update on your computer's performance.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Caught the 'My Security Shield' malware today

Post by Mantis » September 15th, 2010, 3:42 pm

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4599

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

09/15/2010 3:22:55 PM
mbam-log-2010-09-15 (15-22-55).txt

Scan type: Quick scan
Objects scanned: 127673
Time elapsed: 22 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Cypher,

Here's the Malwarebytes log, but Windows won't let me open the RSIT as administrator; I've tried everything.

Another thing: while Malwarebytes was scanning, my new Avira Personal antivirus program detected 2 malware files:

BDERastDx6_30002.dll Detected As: ADSPY/DropBrilli.6
BDERastMMX_30001.dll Detected As: ADSPY/DropBrilli.7

It's prompting me to quarantine these, should I?

Mantis
Mantis
Regular Member
 
Posts: 19
Joined: September 10th, 2010, 12:03 pm

Re: Caught the 'My Security Shield' malware today

Post by Cypher » September 15th, 2010, 3:50 pm

Hi Mantis.
Mantis wrote: It's prompting me to quarantine these, should I?

Yes, let Avira quarantine them.
Sorry, my mistake. Run RSIT by double-clicking on it and post the log.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Caught the 'My Security Shield' malware today

Post by Mantis » September 15th, 2010, 4:08 pm

Logfile of random's system information tool 1.08 (written by random/random)
Run by Default at 2010-09-15 15:59:25
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 2 GB (25%) free of 10 GB
Total RAM: 384 MB (50% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:59:43 PM, on 09/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Default\Desktop\RSIT.exe
C:\Program Files\trend micro\Default.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.topsearcher.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /A "C:\WINDOWS\system32\E_S6.tmp"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/dsl_settin ... Config.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCo ... taller.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/prof ... itStop.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6770.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 5768717723
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8471713695
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\BrowseUI.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\BrowseUI.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate1c987a23a3ebcd0) (gupdate1c987a23a3ebcd0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6460 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-8398-26FADCF27386}]
Verizon Broadband Toolbar - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL [2008-05-30 1991680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-07-17 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-07-17 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A057A204-BACC-4D26-8398-26FADCF27386} - Verizon Broadband Toolbar - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL [2008-05-30 1991680]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]
"EPSON Stylus C62 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE [2002-04-10 74240]
"VerizonServicepoint.exe"=C:\Program Files\Verizon\VSP\VerizonServicepoint.exe [2009-03-12 2303216]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-05-14 248552]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2010-03-02 282792]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C62 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE [2002-04-10 74240]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"EditLevel"=0
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\MSMSGS.EXE"="C:\Program Files\Messenger\MSMSGS.EXE:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-09-15 14:37:02 ----A---- C:\WINDOWS\system32\drivers\ssmdrv.sys
2010-09-15 14:36:59 ----A---- C:\WINDOWS\system32\drivers\avipbb.sys
2010-09-15 14:36:59 ----A---- C:\WINDOWS\system32\drivers\avgntmgr.sys
2010-09-15 14:36:59 ----A---- C:\WINDOWS\system32\drivers\avgntflt.sys
2010-09-15 14:36:59 ----A---- C:\WINDOWS\system32\drivers\avgntdd.sys
2010-09-15 14:36:53 ----D---- C:\Program Files\Avira
2010-09-15 14:36:53 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2010-09-15 07:40:26 ----SHD---- C:\FOUND.001
2010-09-12 15:06:24 ----SHD---- C:\Recycled
2010-09-12 15:05:19 ----D---- C:\_OTM
2010-09-12 12:26:33 ----D---- C:\rsit
2010-09-12 09:43:48 ----HD---- C:\WINDOWS\$NtUninstallKB980436$
2010-09-12 09:43:03 ----HD---- C:\WINDOWS\$NtUninstallKB981852$
2010-09-12 09:42:02 ----HD---- C:\WINDOWS\$NtUninstallKB2079403$
2010-09-12 09:41:45 ----HD---- C:\WINDOWS\$NtUninstallKB981997$
2010-09-12 09:41:12 ----HD---- C:\WINDOWS\$NtUninstallKB2160329$
2010-09-12 09:40:57 ----HD---- C:\WINDOWS\$NtUninstallKB982214$
2010-09-12 09:36:45 ----HD---- C:\WINDOWS\$NtUninstallKB982665$
2010-09-12 09:36:35 ----HD---- C:\WINDOWS\$NtUninstallKB2115168$
2010-09-12 09:36:14 ----HD---- C:\WINDOWS\$NtUninstallKB2286198$
2010-09-12 09:36:02 ----HD---- C:\WINDOWS\$NtUninstallKB2229593$
2010-09-12 09:35:50 ----HD---- C:\WINDOWS\$NtUninstallKB975562$
2010-09-12 09:35:39 ----HD---- C:\WINDOWS\$NtUninstallKB979482$
2010-09-12 09:35:30 ----HD---- C:\WINDOWS\$NtUninstallKB980195$
2010-09-12 09:35:19 ----HD---- C:\WINDOWS\$NtUninstallKB978695_WM9$
2010-09-12 09:35:13 ----HD---- C:\WINDOWS\$NtUninstallKB980218$
2010-09-12 09:35:02 ----HD---- C:\WINDOWS\$NtUninstallKB981793$
2010-09-12 09:34:55 ----HD---- C:\WINDOWS\$NtUninstallKB978542$
2010-09-12 09:34:42 ----HD---- C:\WINDOWS\$NtUninstallKB978601$
2010-09-12 09:34:31 ----HD---- C:\WINDOWS\$NtUninstallKB978338$
2010-09-12 09:34:09 ----HD---- C:\WINDOWS\$NtUninstallKB979309$
2010-09-12 09:33:35 ----HD---- C:\WINDOWS\$NtUninstallKB977816$
2010-09-12 09:33:08 ----HD---- C:\WINDOWS\$NtUninstallKB980232$
2010-09-12 07:13:50 ----D---- C:\Documents and Settings\Default\Application Data\Malwarebytes
2010-09-12 07:12:49 ----A---- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-09-12 07:12:46 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-09-12 07:12:43 ----A---- C:\WINDOWS\system32\drivers\mbam.sys
2010-09-12 07:12:42 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-09-12 06:53:44 ----A---- C:\ComboFix.txt
2010-09-12 06:39:02 ----A---- C:\Boot.bak
2010-09-12 06:38:55 ----RASHD---- C:\cmdcons
2010-09-12 06:36:00 ----A---- C:\WINDOWS\zip.exe
2010-09-12 06:36:00 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-09-12 06:36:00 ----A---- C:\WINDOWS\SWSC.exe
2010-09-12 06:36:00 ----A---- C:\WINDOWS\SWREG.exe
2010-09-12 06:36:00 ----A---- C:\WINDOWS\sed.exe
2010-09-12 06:36:00 ----A---- C:\WINDOWS\PEV.exe
2010-09-12 06:36:00 ----A---- C:\WINDOWS\NIRCMD.exe
2010-09-12 06:36:00 ----A---- C:\WINDOWS\MBR.exe
2010-09-12 06:36:00 ----A---- C:\WINDOWS\grep.exe
2010-09-12 06:35:19 ----D---- C:\Qoobox
2010-09-12 06:10:38 ----D---- C:\WINDOWS\ERDNT
2010-09-12 06:09:25 ----D---- C:\Program Files\ERUNT
2010-09-10 11:29:28 ----D---- C:\Program Files\Trend Micro

======List of files/folders modified in the last 1 months======

2010-09-15 10:55:28 ----A---- C:\WINDOWS\SCHEDLOG.TXT
2010-09-12 09:43:40 ----A---- C:\WINDOWS\imsins.BAK
2010-09-12 06:50:02 ----A---- C:\WINDOWS\system.ini
2010-09-12 06:39:04 ----RASH---- C:\boot.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 agp440;Intel AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agp440.sys [2008-04-13 42368]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2010-03-01 124784]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2010-02-16 60936]
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
R3 es1371;Creative AudioPCI (ES1371,ES1373) (WDM); C:\WINDOWS\system32\drivers\es1371mp.sys [2001-08-17 40704]
R3 HCF_MSFT;HCF_MSFT; C:\WINDOWS\System32\DRIVERS\HCF_MSFT.sys [2001-08-17 907456]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
S3 catchme;catchme; \??\C:\DOCUME~1\Default\LOCALS~1\Temp\catchme.sys []
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-23 12160]
S3 nv4;nv4; C:\WINDOWS\System32\DRIVERS\nv4.sys [2001-08-17 731648]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2010-04-01 267432]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-07-17 153376]
R2 McciCMService;McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe [2009-01-30 303104]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 159810]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 gupdate1c987a23a3ebcd0;Google Update Service (gupdate1c987a23a3ebcd0); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-05 133104]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------


Cypher,

After prompting Avira to quarantine those 2, it said after scanning that 6 were actually found (all malware) and that they would have to be deleted, so I allowed that to happen.

PC seems to be running fine. So far Avira doesn't seem to be the 'resource hog' that I've experienced with other antivirus progs.

Mantis
Mantis
Regular Member
 
Posts: 19
Joined: September 10th, 2010, 12:03 pm