Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

XP Security 2011 Infestation

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

XP Security 2011 Infestation

Unread postby Denske » March 20th, 2011, 9:48 pm

I first visited this site for help last fall, with great success. I would greatly appreciate additional help now.

This first attacked last night with warnings and apparent scans, which I tried to stop. It interfered with access and gave multiple warnings, ending up plastering my desktop generic alarms. I shut off computer and selected safe mode but then chose to go to restore point earlier in the week. Computer seemed ok. I updated Avira, scanned and it reported and quarantined Java/Agent.2212. After coming to site and learning about recommended DDS, I downloaded and ran and saved the logs just before the malware struck again. I again booted up in safe mode and transferred files to thumbdrive. The files follow. I will be working from this clean (I hope) computer and leave the other one off until I get directions.

denske

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by user at 21:00:35.89 on Sun 03/20/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1580 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain ... &bmod=SMSN
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain ... &bmod=SMSN
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\usr~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\usr~1\applic~1\mozilla\firefox\profiles\dcw93xdo.default\
FF - prefs.js: browser.startup.homepage - hxxp://firedoglake.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=green ... =827316&p=
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-9-11 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-11 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-11 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-11 61960]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-4-1 4300]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-14 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-4-1 238464]
S1 a6ab7e4f;a6ab7e4f;c:\windows\system32\drivers\a6ab7e4f.sys --> c:\windows\system32\drivers\a6ab7e4f.sys [?]
S2 gupdate1caff48ebb85f9c;Google Update Service (gupdate1caff48ebb85f9c);c:\program files\google\update\GoogleUpdate.exe [2010-5-29 133104]
.
=============== Created Last 30 ================
.
2011-03-20 02:17:55 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-20 02:17:55 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-20 01:32:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\lFkFjMd05200
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
.
============= FINISH: 21:01:03.93 ===============





.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/28/2009 1:05:18 PM
System Uptime: 3/20/2011 12:52:51 PM (9 hours ago)
.
Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | NC10
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | U2E1 | 1596/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 71 GiB total, 59.956 GiB free.
D: is FIXED (NTFS) - 72 GiB total, 71.913 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP50: 12/25/2010 5:30:42 PM - System Checkpoint
RP51: 12/26/2010 5:55:15 PM - System Checkpoint
RP52: 12/27/2010 6:55:14 PM - System Checkpoint
RP53: 12/30/2010 10:40:14 PM - System Checkpoint
RP54: 12/30/2010 11:19:53 PM - Printer Driver PDFCreator Installed
RP55: 1/1/2011 12:10:25 PM - System Checkpoint
RP56: 1/2/2011 1:23:13 PM - System Checkpoint
RP57: 1/5/2011 2:45:48 PM - System Checkpoint
RP58: 1/9/2011 10:37:45 AM - System Checkpoint
RP59: 1/13/2011 10:50:55 AM - System Checkpoint
RP60: 1/14/2011 4:25:21 PM - Software Distribution Service 3.0
RP61: 1/15/2011 6:01:36 PM - System Checkpoint
RP62: 1/16/2011 7:04:38 PM - System Checkpoint
RP63: 1/21/2011 7:38:47 AM - System Checkpoint
RP64: 1/28/2011 8:29:59 PM - System Checkpoint
RP65: 1/29/2011 10:04:42 PM - System Checkpoint
RP66: 1/30/2011 8:18:42 PM - Removed pdfforge Toolbar v4.1.
RP67: 1/31/2011 9:08:09 PM - Installed Image Resizer Powertoy for Windows XP
RP68: 2/5/2011 3:15:58 PM - System Checkpoint
RP69: 2/11/2011 10:06:22 AM - Software Distribution Service 3.0
RP70: 2/12/2011 12:01:23 PM - System Checkpoint
RP71: 2/13/2011 1:06:33 PM - System Checkpoint
RP72: 2/17/2011 9:22:23 PM - System Checkpoint
RP73: 2/18/2011 9:53:55 PM - System Checkpoint
RP74: 2/20/2011 10:05:00 AM - System Checkpoint
RP75: 2/21/2011 10:26:42 PM - System Checkpoint
RP76: 2/23/2011 8:39:19 PM - System Checkpoint
RP77: 2/24/2011 11:16:30 PM - System Checkpoint
RP78: 2/26/2011 9:12:44 AM - Software Distribution Service 3.0
RP79: 2/27/2011 7:20:24 PM - System Checkpoint
RP80: 3/1/2011 10:04:34 PM - System Checkpoint
RP81: 3/3/2011 8:13:16 PM - System Checkpoint
RP82: 3/5/2011 11:42:11 AM - System Checkpoint
RP83: 3/8/2011 7:40:24 PM - System Checkpoint
RP84: 3/8/2011 11:12:40 PM - Software Distribution Service 3.0
RP85: 3/13/2011 8:12:19 PM - System Checkpoint
RP86: 3/14/2011 9:37:41 PM - System Checkpoint
RP87: 3/16/2011 8:07:39 PM - System Checkpoint
RP88: 3/17/2011 9:03:17 PM - System Checkpoint
RP89: 3/19/2011 10:15:02 PM - Restore Operation
.
==== Installed Programs ======================
.
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.4.1
Atheros WLAN Client
Avira AntiVir Personal - Free Antivirus
Easy Display Manager
Easy Network Manager
Google Chrome
Google Update Helper
HiJackThis
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952117-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB981793)
Image Resizer Powertoy for Windows XP
imagine digital freedom - Samsung
Intel(R) Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0
Java Auto Updater
Java(TM) 6 Update 21
Magic Keyboard
Malwarebytes' Anti-Malware
Marvell Miniport Driver
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.15)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Namuga 1.3M Webcam
OpenOffice.org 3.1
PDFCreator
Play Camera
Realtek High Definition Audio Driver
Samsung Battery Manager
Samsung EDS
Samsung Magic Doctor
Samsung Recovery Solution III
Samsung Update Plus
Samsung Wallpaper
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skype Toolbars
Skype™ 4.2
Synaptics Pointing Device Driver
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982664)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
User Guide
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Internet Explorer 8
.
==== Event Viewer Messages From Past Week ========
.
3/19/2011 9:50:29 PM, error: Service Control Manager [7034] - The Samsung Update Plus service terminated unexpectedly. It has done this 1 time(s).
3/19/2011 9:50:28 PM, error: Service Control Manager [7034] - The Google Update Service (gupdate1caff48ebb85f9c) service terminated unexpectedly. It has done this 1 time(s).
3/19/2011 9:50:28 PM, error: Service Control Manager [7031] - The Avira AntiVir Guard service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
3/19/2011 9:50:28 PM, error: Service Control Manager [7022] - The Avira AntiVir Guard service hung on starting.
3/19/2011 9:43:30 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
3/19/2011 9:43:30 PM, error: Service Control Manager [7031] - The Bluetooth Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/19/2011 10:12:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
3/19/2011 10:12:38 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip
3/19/2011 10:12:38 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/19/2011 10:12:38 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/19/2011 10:12:38 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/19/2011 10:12:38 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
3/19/2011 10:12:31 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/16/2011 9:52:08 PM, error: NetBT [4321] - The name "MSHOME :1d" could not be registered on the Interface with IP address 192.168.254.108. The machine with the IP address 192.168.254.106 did not allow the name to be claimed by this machine.
3/16/2011 9:31:28 PM, error: BROWSER [8019] - The browser was unable to promote itself to master browser. The browser will continue to attempt to promote itself to the master browser, but will no longer log any events in the event log in Event Viewer.
3/16/2011 7:48:07 PM, error: BROWSER [8009] - The browser was unable to promote itself to master browser. The computer that currently believes it is the master browser is ENTROPY.
3/16/2011 7:26:37 PM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
.
==== End Of File ===========================
Denske
Regular Member
 
Posts: 30
Joined: September 10th, 2010, 10:42 am
Advertisement
Register to Remove

Re: XP Security 2011 Infestation

Unread postby Cypher » March 21st, 2011, 1:08 pm

Hi.
Checking your logs now be right back.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: XP Security 2011 Infestation

Unread postby Cypher » March 21st, 2011, 1:17 pm

Hi and welcome to Malware Removal Forum.
My name is Cypher, and I will be helping you with your malware problems.
This may or may not, solve other issues you have with your machine.
If you no longer require help i would be grateful if you would let me know.

Before we start please note the following important guidelines.
  • The instructions being given are for YOUR computer and system only!.
    Using these instructions on a different computer, can damage that computer and possibly make it inoperable!
  • If you don't know or understand something, please don't hesitate to ask.
  • Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
  • Only reply to this thread do not start another, Please continue responding until I give you the "All Clean"
    Absence of symptoms does not mean that everything is clear.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • Please DO NOT install any other software (or hardware) during the cleaning process.
  • Print each set of instructions... if possible...your Internet connection will not be available during some fix processes.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
Backup your data - XP
Backup your data - Vista
Backup your data - windows 7


Upload File/Files for testing

Please go to jotti.org or Virustotal

Copy/paste this file and path into the white box at the top:
c:\windows\system32\MEMIO.SYS

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.
Example of web address :
Image

Repeat the process for the following.
c:\windows\system32\drivers\a6ab7e4f.sys

Next.

Add/Remove programs
  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl Then click enter.
  • Press the "Remove" or "Change/Remove"...button to uninstall the following.
J2SE Runtime Environment 5.0

Next.

I see you already have Malwarebytes Anti-Malware installed:

  • Launch the application, Check for Updates >> Perform Quick Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Next.

RSIT (Random's System Information Tool)

Please download RSIT by random/random... and save it to your desktop.
  • Right click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
  • Please read the disclaimer... click on Continue.
  • RSIT will start running. When done... 2 logs files...will be produced.
  • The first one, "log.txt", << will be maximized
  • The second one, "info.txt", << will be minimized.
Please post both... "log.txt" and "info.txt", file contents in your next reply.
(These logs can be lengthy, so post 1 log per reply please.)


Logs/Information to Post in your Next Reply

  • Vitustotal or jotti results
  • Malwarebytes log.
  • RSIT log.txt and info.txt contents.
  • Please give me an update on how your computer is performing.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: XP Security 2011 Infestation

Unread postby Denske » March 21st, 2011, 10:37 pm

Hi, Cypher,

Having a little trouble following your instructions.

Upon turning on computer, the malware was active again. It doesn't allow reaching a requested web site using any of IE, Firefox or Chrome browsers. It give all kinds of bogus warnings and solicitation for activating a service. When I put an address into a url window, I can get just a glimpse of the desired web site before the "warning" comes back. I tried going back to another restore point but it didn't give any relief this time. You had directed me to send two path/file combinations to www.virustotal.com, but I was not able to. As a test I did check to see if I could do the third step to remove J2SE Runtime Environment 5.0. I didn't actually remove it because I didn't know if doing it out of order would matter.

Is there something I can do to get around the action of the malware? Should I try yet another restore point?

Denske
Denske
Regular Member
 
Posts: 30
Joined: September 10th, 2010, 10:42 am

Re: XP Security 2011 Infestation

Unread postby Cypher » March 22nd, 2011, 7:13 am

Hi Denske.
Please do not use system restore again unless i instruct you to do so. this could complicate things.
See if you can complete the following, if you have trouble running ComboFix in normal mode, try running it in safe mode.

Download and Run ComboFix

  • Please download ComboFix from one of the following links.

    Link 1.

    Link 2.
  • Note: You must rename it before saving it... Rename it: Cypher.com. See images below.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**

    Image

    Image
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper



Logs/Information to Post in your Next Reply

  • ComboFix.txt.
  • Please give me an update on how your computer is performing.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: XP Security 2011 Infestation

Unread postby Cypher » March 22nd, 2011, 7:13 am

Hi Denske.
Please do not use system restore again unless i instruct you to do so. this could complicate things.
See if you can complete the following, if you have trouble running ComboFix in normal mode, try running it in safe mode.

Download and Run ComboFix

  • Please download ComboFix from one of the following links.

    Link 1.

    Link 2.
  • Note: You must rename it before saving it... Rename it: Cypher.com. See images below.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**

    Image

    Image
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper



Logs/Information to Post in your Next Reply

  • ComboFix.txt.
  • Please give me an update on how your computer is performing.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: XP Security 2011 Infestation

Unread postby Denske » March 22nd, 2011, 9:25 pm

Hi, Cypher,

I downloaded ComboFix using a separate computer and transferred with thumb drive. I had to kill the popups a couple of times, but it ran fine. Resulting file is reproduced below. Btw, it is called "log.txt," not "ComboFix.txt." I think it is what you want anyway, and I didn't think you meant I should rename it.

Have only tried a few things with the computer after running ComboFix. Everything seems ok so far. I was able to get to every web site I tried without pop-up interference, and the shield icon from XP Security 2011 that was in the application tray in the lower right of the screen is no longer there.

Denske


File output from running Cypher.com.exe (ComboFix.exe)

ComboFix 11-03-22.04 - user 03/22/2011 20:48:53.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1592 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\Cypher.com.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\user\Local Settings\Application Data\nsi.exe
c:\documents and settings\user\Local Settings\Application Data\psu.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
.
.
2011-03-22 02:08 . 2011-03-22 02:08 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-20 02:11 . 2011-03-22 02:06 -------- d-s---w- c:\documents and settings\Administrator
2011-03-20 01:32 . 2011-03-22 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\lFkFjMd05200
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-22 02:13 . 2010-09-12 00:56 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-09 13:53 . 2009-04-02 00:34 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2009-04-02 00:34 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2009-04-02 01:51 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-04-02 01:51 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2009-04-02 00:34 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2009-04-02 00:34 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2009-04-02 00:34 1854976 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-17 580200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/11/2010 8:56 PM 135336]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [4/1/2009 9:59 PM 4300]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [1/14/2008 11:01 PM 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [4/1/2009 10:03 PM 238464]
S1 a6ab7e4f;a6ab7e4f;c:\windows\system32\drivers\a6ab7e4f.sys --> c:\windows\system32\drivers\a6ab7e4f.sys [?]
S2 gupdate1caff48ebb85f9c;Google Update Service (gupdate1caff48ebb85f9c);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2010 12:06 PM 133104]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-29 16:06]
.
2011-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-29 16:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain ... &bmod=SMSN
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain ... &bmod=SMSN
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\dcw93xdo.default\
FF - prefs.js: browser.startup.homepage - hxxp://firedoglake.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=green ... =827316&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 20:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-03-22 20:54:56
ComboFix-quarantined-files.txt 2011-03-23 00:54
ComboFix2.txt 2010-09-17 22:22
.
Pre-Run: 64,223,043,584 bytes free
Post-Run: 64,423,546,880 bytes free
.
- - End Of File - - F6C59414D6BD97379476F5B33E4EB2F2
Denske
Regular Member
 
Posts: 30
Joined: September 10th, 2010, 10:42 am

Re: XP Security 2011 Infestation

Unread postby Cypher » March 23rd, 2011, 6:53 am

Hi Denske.
Good work so far, if possible boot your computer in normal mode from now on.

Disable Avira anti-virus
  • Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on red background (looks to this: Image )
  • right click it-> untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background (looks to this: Image )
  • Note: Don't forget to re-enable it after the fix.

Next.

ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
  1. Please open Notepad and copy/paste all the text below... into the window:
    Code: Select all
    Driver::
    a6ab7e4f
    
    File::
    c:\windows\system32\drivers\a6ab7e4f.sys
    
    Folder::
    c:\documents and settings\All Users\Application Data\lFkFjMd05200
    
    DDS:: 
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
    DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
    
    Firefox::
    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\dcw93xdo.default\
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - 
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - 
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - 
  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    *Only* when the 2 items above (Step 3) have been taken care of...
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    Image
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
  5. When finished ComboFix will create a log file... you can save this file to a convenient place.
Please copy/paste the ComboFix log file in your next reply.

Next.

Malwarebytes Anti-Malware
  • Launch the application, Check for Updates >> Perform Quick Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Logs/Information to Post in your Next Reply

  • ComboFix log.
  • Malwarebytes log.
  • Please give me an update on how your computer is performing.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: XP Security 2011 Infestation

Unread postby Denske » March 23rd, 2011, 10:30 pm

Cypher,

No progress yet. Since running ComboFix the first time I had been able to boot successfully into normal mode. Tonight I copied the indicated text into notepad, dragged it into the Cypher.com.exe (ComboFix.exe) file. It seemed to run successfully and I saved it on my desktop (or so I thought). When I tried to run Malwarebytes, the rogue program took over and prevented it from running. When I went looking for the log file produced by ComboFix, I couldn't find it. I also cannot find CFScript.txt, although perhaps it was supposed to disappear after dragging it into the ComboFix icon. It is too late this evening to try to make another CFScript file and try again. Doesn't seem that it will be successful anyway, since the XP Security 2011 program seems to prevent it.

Denske
Denske
Regular Member
 
Posts: 30
Joined: September 10th, 2010, 10:42 am

Re: XP Security 2011 Infestation

Unread postby Cypher » March 24th, 2011, 6:04 am

Hi Denske.
Lets try renaming Malwarebytes to see if that will allow it to run.

Rename MBAM and Run Scan

  • Go to Start, Computer.
  • Double-click Local Disk C:.
  • Double-click Program Files.
  • Double-click Malwarebytes' Anti-Malware.
  • In the top menu, click Views, choose Detail.
  • Right-click the "application" named mbam, and choose Rename.
  • Type in the new name as winlogon.exe and hit <Enter>
  • At the "Access Denied" notice, click Continue.
  • Wait until the screen indicates completion. (grayed out area disappears)
  • Double-Right click on the new winlogon.exe.
  • Select Check for Updates >> Perform Quick Scan.
  • If any malware items are found, Check all items and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2009-mm-dd(hour-min-sec).txt
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: XP Security 2011 Infestation

Unread postby Denske » March 24th, 2011, 2:27 pm

Cypher,

The step I couldn't complete was to use the CFScript in a run with ComboFix and to follow that with a Malwarebytes quick scan. I hope this doesn't constitute a serious violation of your rule not to do anything you don't instruct, but after reporting to you last night I reran ComboFix (without script). As it had the first time, it deleted two files and the computer seemed to work. I'm sorry for not waiting for your new instruction; I won't do it again.

Anyway, after doing it, I was able to complete both the ComboFix rerun with the script and the Malwarebytes quick scan. I am sending results of all three.

Right now the computer is working fine. I am able to use it for this and other web sites. I do notice that the XP Security 2011 icon is still in the program tray, but it is marked with an "X" and is presently disabled.

Log File, ComboFix (Cypher.com) run without script:

ComboFix 11-03-23.04 - User 03/23/2011 22:22:16.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1592 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\Cypher.com.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\User\Local Settings\Application Data\gxx.exe
c:\documents and settings\User\Local Settings\Application Data\krj.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-24 to 2011-03-24 )))))))))))))))))))))))))))))))
.
.
2011-03-22 02:08 . 2011-03-22 02:08 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-20 02:11 . 2011-03-22 02:06 -------- d-s---w- c:\documents and settings\Administrator
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-22 02:13 . 2010-09-12 00:56 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-09 13:53 . 2009-04-02 00:34 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2009-04-02 00:34 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2009-04-02 01:51 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-04-02 01:51 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2009-04-02 00:34 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2009-04-02 00:34 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2009-04-02 00:34 1854976 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-23_00.53.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-24 02:16 . 2011-03-24 02:16 16384 c:\windows\Temp\Perflib_Perfdata_b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-17 580200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/11/2010 8:56 PM 135336]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [4/1/2009 9:59 PM 4300]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [1/14/2008 11:01 PM 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [4/1/2009 10:03 PM 238464]
S2 gupdate1caff48ebb85f9c;Google Update Service (gupdate1caff48ebb85f9c);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2010 12:06 PM 133104]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-29 16:06]
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-29 16:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain ... &bmod=SMSN
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain ... &bmod=SMSN
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\dcw93xdo.default\
FF - prefs.js: browser.startup.homepage - hxxp://firedoglake.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=green ... =827316&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-23 22:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-03-23 22:28:18
ComboFix-quarantined-files.txt 2011-03-24 02:28
ComboFix2.txt 2011-03-24 01:39
ComboFix3.txt 2011-03-23 00:54
ComboFix4.txt 2010-09-17 22:22
.
Pre-Run: 64,188,981,248 bytes free
Post-Run: 64,182,091,776 bytes free
.
- - End Of File - - E62E98B963FCA3FC233285F917A86FAB


Log of ComboFix run with CFScript (dragging script file onto ComboFix icon)

ComboFix 11-03-23.04 - User 03/24/2011 13:16:43.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1644 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\Cypher.com.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
FILE ::
"c:\windows\system32\drivers\a6ab7e4f.sys"
.
.
((((((((((((((((((((((((( Files Created from 2011-02-24 to 2011-03-24 )))))))))))))))))))))))))))))))
.
.
2011-03-22 02:08 . 2011-03-22 02:08 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-20 02:11 . 2011-03-22 02:06 -------- d-s---w- c:\documents and settings\Administrator
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-22 02:13 . 2010-09-12 00:56 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-09 13:53 . 2009-04-02 00:34 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2009-04-02 00:34 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2009-04-02 01:51 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-04-02 01:51 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2009-04-02 00:34 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2009-04-02 00:34 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2009-04-02 00:34 1854976 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-23_00.53.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-24 16:44 . 2011-03-24 16:44 16384 c:\windows\Temp\Perflib_Perfdata_ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-17 580200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/11/2010 8:56 PM 135336]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [4/1/2009 9:59 PM 4300]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [1/14/2008 11:01 PM 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [4/1/2009 10:03 PM 238464]
S2 gupdate1caff48ebb85f9c;Google Update Service (gupdate1caff48ebb85f9c);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2010 12:06 PM 133104]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-29 16:06]
.
2011-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-29 16:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain ... &bmod=SMSN
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain ... &bmod=SMSN
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\dcw93xdo.default\
FF - prefs.js: browser.startup.homepage - hxxp://firedoglake.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=green ... =827316&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-24 13:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3480)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-03-24 13:22:10
ComboFix-quarantined-files.txt 2011-03-24 17:22
ComboFix2.txt 2011-03-24 02:28
ComboFix3.txt 2011-03-24 01:39
ComboFix4.txt 2011-03-23 00:54
ComboFix5.txt 2011-03-24 17:15
.
Pre-Run: 64,172,363,776 bytes free
Post-Run: 64,159,973,376 bytes free
.
- - End Of File - - 7D337301A90CC161F9AB8DEBEA7ED877


Log of Malwarebytes Run

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

3/24/2011 1:57:55 PM
mbam-log-2011-03-24 (13-57-55).txt

Scan type: Quick Scan
Objects scanned: 88475
Time elapsed: 2 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Denske
Regular Member
 
Posts: 30
Joined: September 10th, 2010, 10:42 am

Re: XP Security 2011 Infestation

Unread postby Cypher » March 24th, 2011, 2:39 pm

Hi Denske.
It seems you didn't update Malwarebytes before running it.
Malwarebytes' Anti-Malware 1.41
Database version: 2775

The latest Database version is 6458, please update Malwarebytes and run another quick scan.
Post the resulting log in your next reply.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: XP Security 2011 Infestation

Unread postby Denske » March 24th, 2011, 3:28 pm

Hi, Cypher,

Sorry about that update oversight. I did try the update step previously, but forgot it this time. Simply updating from program didn't work, however. I had to go to their web site. And I see that among the most recent changes was a fix to the update routine.

Computer still working ok, with rogue program apparently still disabled in tray. Haven't turned computer off.

Denske

Here is the log (note that it refers to database ver 6158, rather than 6458 referenced above):

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6158

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/24/2011 3:11:53 PM
mbam-log-2011-03-24 (15-11-53).txt

Scan type: Quick scan
Objects scanned: 143419
Time elapsed: 1 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Denske
Regular Member
 
Posts: 30
Joined: September 10th, 2010, 10:42 am

Re: XP Security 2011 Infestation

Unread postby Cypher » March 24th, 2011, 3:37 pm

Hi Denske.
Sorry about that update oversight. I did try the update step previously, but forgot it this time.

No need to apologise at all these things happen :)
Try deleting the icon in your system tray, let me know if you were able to do so.
I would like you to do a couple of updates for me then run another scan.


Java SE Runtime Environment (JRE).

Please download from HERE
  • Find Java SE Runtime Environment (JRE) 6 Update 24.
  • Click the Download JRE button to the right.
  • Choose the correct Platform and Multi-language. Next, check the box that says I agree to the Java SE Runtime Environment 6 License Agreement.
  • Click the Continue button.
  • Click on the filename under Windows Offline Installation and save it to your desktop.
  • Close all active windows.
  • Install the program.
  • Note: remember to Uncheck Free McAfee® Security Scan Plus (optional)

Next.

Update Adobe Reader

  • You should Download and Install the newest version of Adobe Reader for reading pdf files.
  • Older versions may have vulnerabilities that malware can use to infect your system.
  • Go Here to download and install Adobe Reader X (10.0.1).
  • Note: remember to Uncheck Free McAfee® Security Scan Plus (optional)

Next.

Please download ATF Cleaner to your desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Next.

Disable Avira anti-virus

  • Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on red background (looks to this: Image )
  • right click it-> untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background (looks to this: Image )
  • Note: Don't forget to re-enable it after the below scan.

Next.

ESET online scannner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Hold down Control then click on the following link to open a new window to ESET online scannner
  • Then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Logs/Information to Post in your Next Reply

  • ESET log.
  • Please give me an update on how your computer is performing.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: XP Security 2011 Infestation

Unread postby Denske » March 24th, 2011, 3:55 pm

Cypher,

Just to be clear, you instructed as follows:

Try deleting the icon in your system tray, let me know if you were able to do so.
I would like you to do a couple of updates for me then run another scan.

This was followed by the detailed instructions for Java Runtime Environment, Acrobat Reader, ESET, etc. Did you mean that I should try to delete the icon before all of the updating, and report back before separately, or do all steps in the post and then report?
Denske
Regular Member
 
Posts: 30
Joined: September 10th, 2010, 10:42 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 73 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware