Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Malware problem

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Malware problem

Unread postby IwaYama » December 21st, 2009, 11:20 am

i tried following instructions but i get a
"Program too big to fit in memory" message

Do i need to clear some memory on the C drive?
IwaYama
Regular Member
 
Posts: 24
Joined: December 15th, 2009, 1:46 am
Advertisement
Register to Remove

Re: Malware problem

Unread postby peku006 » December 21st, 2009, 12:23 pm

Hi IwaYama

Have you ran a defrag or chkdsk lately?
Have you tried to add more to your page file?
What does your memory look like in Task Manager when trying to run it?

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Malware problem

Unread postby IwaYama » December 21st, 2009, 2:08 pm

Hi Peku006

1)no, not really
2)don't know what page file means, so maybe but if so not knowingly.
3)err.. memory seems fine in task manager, CPU usage ~50% when running and commitment charge 1017M/3940M (this is with the chrome browser window open) and if running the 'cmd' command the CPU usages jumps to ~78% for a moment.

hope that helps a bit
IwaYama
Regular Member
 
Posts: 24
Joined: December 15th, 2009, 1:46 am

Re: Malware problem

Unread postby peku006 » December 21st, 2009, 3:38 pm

Hi IwaYama

"Windows Installer problem not due to malware. I think the best and fastest solution for you is to post on a PC troubleshooting forum

Tech support guy
or
what the tech

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
Code: Select all
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> 
YN -> HKEY_USERS\.DEFAULT\: Main\\"Start Page" -> http://scanyourpc-onlinex.com/pr.cgi?id=2847
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
YN -> HKEY_USERS\S-1-5-18\: Main\\"Start Page" -> http://scanyourpc-onlinex.com/pr.cgi?id=2847
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-854245398-1770027372-839522115-1004\] > -> 
YY -> HKEY_USERS\S-1-5-21-854245398-1770027372-839522115-1004\: URLSearchHooks\\"{E312764E-7706-43F1-8DAB-FCDD2B1E416D}" [HKLM] -> C:\Program Files\Search Settings\kb128\SearchSettings.dll [SearchSettings Class]
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\David Craggs\Application Data\Mozilla\FireFox\Profiles\19pq91zp.default\prefs.js
YN -> extensions.enabledItems -> search@searchsettings.com:1.2.2
< FireFox Extensions [Program Folders] > -> 
YY -> ~EmptyValue -> C:\Program Files\Mozilla Firefox\extensions\search@searchsettings.com
< Run [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "uecwekbk32" -> C:\WINDOWS\System32\uecwekbk32.DLL [rundll32 "C:\WINDOWS\system32\uecwekbk32.dll" uecwekbk]
< Run [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "uecwekbk32" -> C:\WINDOWS\System32\uecwekbk32.DLL [rundll32 "C:\WINDOWS\system32\uecwekbk32.dll" uecwekbk]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Documents and Settings\David Craggs\Local Settings\Temp\VRT1134.tmp" -> C:\Documents and Settings\David Craggs\Local Settings\Temp\VRT1134.tmp [C:\Documents and Settings\David Craggs\Local Settings\Temp\VRT1134.tmp:*:Enabled:installer]
< AppCertDlls [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls
YN -> \\"AppSecDll" -> C:\WINDOWS\System32\wincert.dll [C:\WINDOWS\system32\wincert.dll]
[Files/Folders - Created Within 30 Days]
NY -> {32EA29D8-4205-4797-8953-A028149A1D70} -> C:\Documents and Settings\David Craggs\Local Settings\Application Data\{32EA29D8-4205-4797-8953-A028149A1D70}
NY -> WSOXKDKGD_APDM -> C:\Documents and Settings\All Users\Application Data\WSOXKDKGD_APDM
NY -> 82c78be -> C:\Documents and Settings\All Users\Application Data\82c78be
[Files - No Company Name]
NY -> CddbCdda.dll -> C:\WINDOWS\System32\CddbCdda.dll


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Malware problem

Unread postby IwaYama » December 21st, 2009, 4:38 pm

done, here is the log

[Registry - Safe List]
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page not found.
Registry value HKEY_USERS\S-1-5-21-854245398-1770027372-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{E312764E-7706-43F1-8DAB-FCDD2B1E416D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\ deleted successfully.
C:\Program Files\Search Settings\kb128\SearchSettings.dll moved successfully.
Prefs.js: search@searchsettings.com:1.2.2 removed from extensions.enabledItems
C:\Program Files\Mozilla Firefox\extensions\search@searchsettings.com\COMPONENTS folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\search@searchsettings.com\CHROME\SKIN folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\search@searchsettings.com\CHROME\LOCALE\EN-US folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\search@searchsettings.com\CHROME\LOCALE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\search@searchsettings.com\CHROME\CONTENT folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\search@searchsettings.com\CHROME folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\search@searchsettings.com folder moved successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\uecwekbk32 deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\uecwekbk32 not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\David Craggs\Local Settings\Temp\VRT1134.tmp deleted successfully.
Registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\\AppSecDll deleted successfully.
[Files/Folders - Created Within 30 Days]
C:\Documents and Settings\David Craggs\Local Settings\Application Data\{32EA29D8-4205-4797-8953-A028149A1D70}\chrome\content folder moved successfully.
C:\Documents and Settings\David Craggs\Local Settings\Application Data\{32EA29D8-4205-4797-8953-A028149A1D70}\chrome folder moved successfully.
C:\Documents and Settings\David Craggs\Local Settings\Application Data\{32EA29D8-4205-4797-8953-A028149A1D70} folder moved successfully.
C:\Documents and Settings\All Users\Application Data\WSOXKDKGD_APDM folder moved successfully.
C:\Documents and Settings\All Users\Application Data\82c78be\WSDDSys folder moved successfully.
C:\Documents and Settings\All Users\Application Data\82c78be\Quarantine Items folder moved successfully.
C:\Documents and Settings\All Users\Application Data\82c78be folder moved successfully.
[Files - No Company Name]
C:\WINDOWS\System32\CddbCdda.dll moved successfully.
< End of fix log >
OTS by OldTimer - Version 3.1.12.0 fix logfile created on 12212009_203645
IwaYama
Regular Member
 
Posts: 24
Joined: December 15th, 2009, 1:46 am

Re: Malware problem

Unread postby peku006 » December 21st, 2009, 4:56 pm

Hi IwaYama

looks better :)
Let's make sure we got everything

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 17.
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 17
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u17-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

Kaspersky Online Scan

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.

How's the computer running now? Any problems?

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Malware problem

Unread postby IwaYama » December 21st, 2009, 5:10 pm

Hi,
Im unable to uninstall old java programs getting the same windows uninstaller problem message as before, should i still install the new java version?
I am also getting a "trojan quarantined" message from mcafee constantly(ive had about 10 in the last hour or so) saying its quarrented a file from my temp folder with names along line of '*random letters*.tmp\svchost.exe'
and google links on browser still redirecting.
IwaYama
Regular Member
 
Posts: 24
Joined: December 15th, 2009, 1:46 am

Re: Malware problem

Unread postby peku006 » December 22nd, 2009, 3:23 am

Hi IwaYama

Of course you can not uninstall or install programs......I'm sorry :oops:

1 - Download and Run ComboFix
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you
Please include the C:\ComboFix.txt in your next reply for further review.

2 - Status Check
Please reply with

1. the ComboFix log(C:\ComboFix.txt)

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Malware problem

Unread postby IwaYama » December 22nd, 2009, 6:15 am

Here is combo fix log:

ComboFix 09-12-21.04 - David Craggs 22/12/2009 9:47.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1579 [GMT 0:00]
Running from: c:\documents and settings\David Craggs\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\David Craggs\Favorites\games.url
c:\program files\Search Settings
c:\program files\Search Settings\kb128\SearchSettingsRes409.dll
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\Alcmtr.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SIntf16.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

Infected copy of c:\windows\system32\sessmgr.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sessmgr.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_UNPR
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-11-22 to 2009-12-22 )))))))))))))))))))))))))))))))
.

2009-12-22 00:53 . 2009-12-22 00:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-12-21 22:40 . 2009-12-21 22:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-21 22:39 . 2009-12-21 22:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-12-21 22:35 . 2009-12-21 22:35 -------- d-sh--w- c:\documents and settings\David Craggs\IETldCache
2009-12-21 21:50 . 2009-10-29 07:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-21 21:50 . 2009-10-29 07:45 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-21 21:50 . 2009-12-21 21:50 -------- d-----w- c:\windows\ie8updates
2009-12-21 21:49 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-21 21:47 . 2009-12-21 21:49 -------- dc-h--w- c:\windows\ie8
2009-12-21 21:42 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-21 20:36 . 2009-12-21 20:36 -------- d-----w- C:\_OTS
2009-12-20 18:47 . 2009-12-20 18:47 -------- d-----w- c:\program files\MSECACHE
2009-12-20 14:02 . 2009-12-20 14:02 -------- d-----w- c:\program files\ESET
2009-12-20 13:34 . 2009-12-20 13:34 -------- d-----w- C:\_OTM
2009-12-20 13:32 . 2009-12-20 13:32 -------- d-----w- c:\program files\ERUNT
2009-12-20 12:21 . 2009-12-20 12:21 -------- d-----w- C:\rsit
2009-12-20 11:15 . 2009-12-20 11:15 -------- d-----w- c:\documents and settings\David Craggs\Application Data\Malwarebytes
2009-12-20 11:15 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-20 11:15 . 2009-12-20 11:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-20 11:15 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-20 11:15 . 2009-12-20 11:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 13:43 . 2009-12-19 14:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-19 13:43 . 2009-12-19 13:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-15 06:03 . 2009-12-15 06:03 -------- d-----w- c:\program files\Trend Micro
2009-12-15 05:29 . 2009-12-15 05:29 0 ----a-w- c:\windows\Vzevineputehob.bin
2009-12-15 05:29 . 2009-12-15 14:46 120 ----a-w- c:\windows\Adobaf.dat
2009-12-15 03:16 . 2009-12-15 03:16 104 ----a-w- c:\documents and settings\David Craggs\409993625.BAT
2009-11-22 16:39 . 2009-11-22 16:39 -------- d-----w- c:\documents and settings\David Craggs\Application Data\Nvu
2009-11-22 16:39 . 2009-11-22 16:39 -------- d-----w- c:\program files\Nvu
2009-11-22 16:38 . 2009-11-22 16:38 -------- d-----w- c:\documents and settings\David Craggs\Local Settings\Application Data\WMTools Downloaded Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-18 15:02 . 2009-12-18 15:02 1 ----a-w- c:\documents and settings\David Craggs\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-17 09:47 . 2008-02-21 22:42 -------- d-----w- c:\program files\McAfee
2009-12-15 17:47 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-15 03:15 . 2009-12-15 03:15 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-12-12 18:59 . 2009-06-15 14:35 -------- d-----w- c:\documents and settings\David Craggs\Application Data\Spotify
2009-12-06 06:08 . 2008-02-21 22:18 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin
2009-12-01 20:31 . 2008-02-21 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-25 00:01 . 2009-09-16 00:08 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-16 10:32 . 2009-11-16 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\CCP
2009-11-16 07:22 . 2008-02-21 23:20 34640 ----a-w- c:\documents and settings\David Craggs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-15 19:25 . 2009-11-15 19:25 -------- d-----w- c:\documents and settings\David Craggs\Application Data\OpenOffice.org
2009-11-15 19:14 . 2009-11-15 19:14 -------- d-----w- c:\program files\JRE
2009-11-15 19:14 . 2009-11-15 19:14 -------- d-----w- c:\program files\OpenOffice.org 3
2009-11-15 19:14 . 2008-12-01 20:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-15 19:14 . 2008-05-08 10:18 -------- d-----w- c:\program files\Java
2009-10-29 07:45 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-14 20:23 . 2009-10-14 20:23 135 ----a-w- c:\documents and settings\David Craggs\Local Settings\Application Data\fusioncache.dat
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-05 10:32 . 2009-10-05 10:32 30464 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-04 08:10 . 2009-10-04 08:10 152576 ----a-w- c:\documents and settings\David Craggs\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\David Craggs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"Steam"="d:\steam\steam.exe" [2009-11-12 1217808]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2007-07-18 1114112]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\David Craggs\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2007-04-06 17:22 1843200 ------r- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WUSB54GSv2SVC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"d:\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=
"d:\\Microsoft Games\\Age of Empires III\\age3.exe"=
"d:\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"d:\\EA Games\\Red Alert 3\\Data\\ra3_1.6.game"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert(tm) II\\RA2\\gamemd.exe"=
"d:\\EA Games\\Red Alert 3\\Data\\ra3_1.10.game"=
"c:\\Documents and Settings\\David Craggs\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"d:\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Renegade(tm)\\Renegade\\Game.exe"=
"d:\\Spotify\\spotify.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"d:\\Steam\\SteamApps\\common\\eve online\\eve.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [15/09/2009 17:41 93320]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [04/03/2009 14:52 202016]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [19/12/2007 17:53 37376]
S3 mfefeatk01;McAfee Inc.;\Device\mfefeatk01.sys --> \Device\mfefeatk01.sys [?]
S3 mfefeatk02;McAfee Inc.;\Device\mfefeatk02.sys --> \Device\mfefeatk02.sys [?]
S4 WUSB54GSv2SVC;WUSB54GSv2SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [01/07/2008 15:48 41025]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\David Craggs\Application Data\Mozilla\Firefox\Profiles\19pq91zp.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\David Craggs\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-{7585478E9D9B42108671C12F8714CEFE} - e:\divx\DivXConverterUninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - e:\divx\DivXCodecUninstall.exe
AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - e:\divx\DivXPlayerUninstall.exe
AddRemove-{B13A7C41581B411290FBC0395694E2A9} - e:\divx\DivXConverterUninstall.exe
AddRemove-{B7050CBDB2504B34BC2A9CA0A692CC29} - e:\divx\DivXWebPlayerUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-22 09:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xBAC12662]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8fcf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba737852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-1770027372-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:6e,21,f5,3e,13,2c,cc,2b,05,90,04,c8,a5,73,c5,55,7b,a9,55,12,44,
de,41,61,57,8b,74,4b,82,f8,51,a0,4b,89,83,51,1b,9c,e0,0b,80,aa,e3,86,a9,ca,\
"rkeysecu"=hex:6c,40,94,d9,3b,b6,cf,97,f7,e2,6e,8c,dd,1a,45,d1
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(596)
c:\windows\system32\WININET.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\mmfinfo.dll
c:\windows\system32\mkunicode.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
c:\progra~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
.
**************************************************************************
.
Completion time: 2009-12-22 09:58:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-22 09:58

Pre-Run: 15,846,215,680 bytes free
Post-Run: 15,796,834,304 bytes free

- - End Of File - - 2E77EFCCCEEC1C221F77553DFD0380A3

============================================================================================
P.S. the McAfee warnings about trojan's being saved in temp file being blocked every 5 mins have stopped, (just for a bit of extra information).
IwaYama
Regular Member
 
Posts: 24
Joined: December 15th, 2009, 1:46 am

Re: Malware problem

Unread postby peku006 » December 22nd, 2009, 6:42 am

Hi IwaYama

TFC (Temp File Cleaner)

  • Please download TFC to your desktop
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click Yes to reboot.

NOTE: Save your work.TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.


  • Please download TDSSKiller.rar and save it to your desktop.
  • Extract the rar file to your desktop.
  • Double click on TDSSKiller.exe to run it.
  • When it finished press any key to continue.
  • If needed reboot the computer.

Go to Start => Run and copy/paste the following line and click OK.

cmd /c mbr.exe -t >log.txt&start log.txt

A log file opens. Please post the content to your reply.

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Malware problem

Unread postby IwaYama » December 22nd, 2009, 7:14 am

for some reason i am unable to open .rar file. it asks to select program from list and am unable to find winzip (or install a new version)
IwaYama
Regular Member
 
Posts: 24
Joined: December 15th, 2009, 1:46 am

Re: Malware problem

Unread postby peku006 » December 22nd, 2009, 8:05 am

Hi IwaYama

a little difficult because you can not install any programs... :lol:

let´s try "fix" the Windows Installer problem first

Open Notepad and copy the contents of the following box to a new file.

Code: Select all
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"DisableMSI"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer]
"ImagePath"=-
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,\
  00,73,00,69,00,65,00,78,00,65,00,63,00,2e,00,65,00,78,00,65,00,20,00,2f,00,\
  56,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi]
"Description"="Provides systems management information to and from drivers."
"DisplayName"="Windows Management Instrumentation Driver Extensions"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000003
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,\
  00
"ServiceMain"="WdmWmiServiceMain"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer]
"Type"=dword:00000020
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,73,00,\
  79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,73,00,69,00,65,00,78,\
  00,65,00,63,00,2e,00,65,00,78,00,65,00,20,00,2f,00,56,00,00,00
"DisplayName"="Windows Installer"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"ObjectName"="LocalSystem"
"Description"="Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Enum]
"0"="Root\\LEGACY_MSISERVER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


Save it as fix.reg (save type: "All files" (*.*)) to your desktop.

It should look like this -> Image

Go to Desktop, double-click fix.reg and merge the infomation with the registry.

After that, Reboot.

Now try installing winzip again and run TDSSKiller

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Malware problem

Unread postby IwaYama » December 22nd, 2009, 10:48 am

ok ran the tdsskiller and here is the log from command promt

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xBAC12662]<<
kernel: MBR read successfully
user & kernel MBR OK
IwaYama
Regular Member
 
Posts: 24
Joined: December 15th, 2009, 1:46 am

Re: Malware problem

Unread postby peku006 » December 22nd, 2009, 11:20 am

Hi IwaYama

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 17.
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 17
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u17-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

Kaspersky Online Scan

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.

How's the computer running now? Any problems?

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Malware problem

Unread postby IwaYama » December 22nd, 2009, 3:02 pm

Ok, i have fixed windows installer. removed the old versions of java and installed latest version, i have also uninstalled search settings program mentioned earlier from the add/remove panel.

I am running kaspersky online scan now and will post report when done, it will take a couple of hours to complete.
IwaYama
Regular Member
 
Posts: 24
Joined: December 15th, 2009, 1:46 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 289 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware