Trojan.Win32.Patched.hg Infection

Post by bhaenke » April 7th, 2010, 11:09 pm

Description of Problem:
My PC has been infected with Trojan.Win32.Patched.hg. The security software provided by my (old) ISP detects it upon startup: "Malicious code found in file C:\WINDOWS\syst...\ws2_32.dll Infection: Trojan.Win32.Patched.hg". Once booted I can use local applications, but network access is blocked. When I try to open Firefox I get "firefox.exe Application Error: The application failed to initialize properly (0xc0000022) Click on OK to terminate the application." I get the same message when I try to ping from the command prompt (ping.exe Application Error....). I can launch IE, but I just get the generic "The page cannot be displayed" response. Finally, I tried to install another malware tool suggested by one of your counterparts (I think the tool was MGTools?), but found that Patched.hg detected this and would consistently change the file extension from .exe to .ex0 (or similar), preventing installation. I know I'm out of date on my MS updates; I'll get to that as soon as I'm clean. Here's the HJT output as instructed:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:34 PM, on 4/7/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
c:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\WINDOWS\system32\ahfp.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsus.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\bcranky\Desktop\HijackThis.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [CirqueGesture] C:\Program Files\Touchpad\Gesture.exe
O4 - HKLM\..\Run: [Glide] glidew32.exe
O4 - HKLM\..\Run: [Matrox PowerDesk SE] "c:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ahfP Service (ahfprog) - Unknown owner - C:\WINDOWS\system32\ahfp.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\ORSP Client\fsorsp.exe
O23 - Service: Matrox Centering Service - Matrox Graphics Inc. - c:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe

--
End of file - 4951 bytes

HijackThis Uninstall List
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
CCleaner
Charter Security Suite
GlidePoint Touchpad
HiJackThis
HijackThis 2.0.2
Matrox Graphics Software (remove only)
Matrox PowerDesk-SE
Microsoft Office Professional Edition 2003
Mozilla Firefox (3.0.17)
SnagIt 8
Spybot - Search & Destroy
Update for Windows XP (KB898461)
Windows Installer 3.1 (KB893803)
WinRAR archiver


Thanks for your help!
bhaenke
Active Member
Posts: 6
Joined: February 11th, 2010, 11:18 pm

Re: Trojan.Win32.Patched.hg Infection

Post by MWR 3 day Mod » April 11th, 2010, 2:19 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Trojan.Win32.Patched.hg Infection

Post by askey127 » April 12th, 2010, 8:40 pm

Hi bhaenke,
I am not terribly optimistic about the chances to fix this without a reformat and re-install.
The unpatched Windows XP and the hidden folders make this nearly impossible to troubleshoot.
The resident infections may have corrupted your system files beyond repair.
If the procedures outlined below are unacceptable or unmanageable to you, I understand, but in that case cannot help further.

If you want to try, I would suggest the following:
You have a program called "Advanced Hide Folders" installed on the machine. You need to first use it to unhide all the affected folders.
Then you need to uninstall "Advanced Hide Folders" and "Spybot - Search and Destroy".
Use Control Panel, Add/Remove Programs to do so.
If Spybot asks whether you want to remove all settings, answer YES.
------------------------------------------------
REBOOT(RESTART) Your Machine
------------------------------------------------
You may need to download some of the following from a clean machine to a flash drive, and copy them to your machine.
First delete any file on the flash named autorun.inf, and create a FOLDER by that name on the flash. This just minimizes the prospect of a file by that name being copied to the flash as a cross-infection vector.
------------------------------------------------
Download and Run Rkill
Please download Rkill from one of the following links and save to your Desktop (you may want to download several and use whichever one works. They have different extensions):
One, Two, Three or Four
  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: If your security software warns about Rkill, please ignore and allow the download to continue.
If you cannot get Rkill to run without being stopped, tell me about it in your reply.
-----------------------------------------------
Run the RSIT Scanner
Please download the scanner from here and save it to your desktop. The icon will be named RSIT.exe
Doubleclick the RSIT icon.
When the scan is complete, two text files will open
log.txt <- this one will be maximized
info.txt <- this one will be minimized
( Both files will be saved here -> C:\rsit\ )
Copy/Paste the contents of both log.txt and info.txt into your next post please. Use two posts if you prefer.
Communicate with the forum here from another machine if necessary.

Let me know how it goes
askey127
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Trojan.Win32.Patched.hg Infection

Post by bhaenke » April 12th, 2010, 10:36 pm

Hi askey127,

First, thanks for your response. I followed your instructions and captured the tool output on the afflicted machine. I also removed some other non-essential applications.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as bcranky on 04/12/2010 at 21:39:36.
Processes terminated by Rkill or while it was running:

C:\Documents and Settings\bcranky\Desktop\rkill.exe

Rkill completed on 04/12/2010 at 21:39:42.

*****

info.txt logfile of random's system information tool 1.06 2010-04-12 21:33:48

======Uninstall list======

-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Spyware Scanner"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Spyware"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Virus Client Security Installer"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Virus"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Automatic Update Agent"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure DAAS"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure DAAS2"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Diagnostics"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure E-mail Scanning"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure FWES"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure GateKeeper Interface"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Gemini"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure GUI"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Help"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure HIPS"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Internet Shield"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure ISP News"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Localization API"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Management Agent"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure ORSP Client"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Pegasus Engine"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Protocol Scanner"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Spam Control"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Spam Scanner"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure TNB"
-->"C:\Program Files\Charter High-Speed Security Suite\Uninstall\fsuninst.exe" /UninstRegKey:"F-Secure Uninstall"
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Charter Security Suite-->"C:\Program Files\Charter High-Speed Security Suite\FSGUI\PostInstall.exe" /tUnInstall
GlidePoint Touchpad-->MsiExec.exe /I{1380CA9A-C3EC-4387-9E28-9A5AD4C48E4C}
HijackThis 2.0.2-->"C:\Documents and Settings\bcranky\Desktop\HijackThis.exe" /uninstall
HiJackThis-->MsiExec.exe /X{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}
Matrox Graphics Software (remove only)-->C:\WINDOWS\system32\PDesk\PDUninst.exe
Matrox PowerDesk-SE-->MsiExec.exe /X{769ADBAC-47FC-482A-8D93-98D19838EE85}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (3.0.17)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
SnagIt 8-->MsiExec.exe /I{DA0BF7AB-88EB-4675-8FA1-531EAD938821}
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Hosts File======


======Security center information======

AV: Charter Security Suite 8.02
FW: Charter Security Suite 8.02

======System event log======

Computer Name: BCRANKY-1087B57
Event Code: 3019
Message: The redirector failed to determine the connection type.

Record Number: 1857
Source Name: MRxSmb
Time Written: 20080824211207.000000-240
Event Type: warning
User:

Computer Name: BCRANKY-1087B57
Event Code: 3019
Message: The redirector failed to determine the connection type.

Record Number: 1856
Source Name: MRxSmb
Time Written: 20080824211203.000000-240
Event Type: warning
User:

Computer Name: BCRANKY-1087B57
Event Code: 3019
Message: The redirector failed to determine the connection type.

Record Number: 1855
Source Name: MRxSmb
Time Written: 20080824211154.000000-240
Event Type: warning
User:

Computer Name: BCRANKY-1087B57
Event Code: 3019
Message: The redirector failed to determine the connection type.

Record Number: 1854
Source Name: MRxSmb
Time Written: 20080824211150.000000-240
Event Type: warning
User:

Computer Name: BCRANKY-1087B57
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 1707
Source Name: W32Time
Time Written: 20080803141211.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: BCRANKY-1087B57
Event Code: 103
Message: 1 2008-04-02 22:26:16-04:00 bcranky-1087b57 BCRANKY-1087B57\bcranky F-Secure Anti-Virus
Scanning of \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\CHARTER HIGH-SPEED SECURITY SUITE\COMMON\FSPMAPI.DLL was aborted due to exceeded scanning time limit. The file may be in use or reading it was too slow (e.g. network connection was under stress).


Record Number: 173
Source Name: F-Secure Anti-Virus
Time Written: 20080402222619.000000-300
Event Type: error
User:

Computer Name: BCRANKY-1087B57
Event Code: 103
Message: 1 2008-04-01 23:53:22-04:00 bcranky-1087b57 BCRANKY-1087B57\bcranky F-Secure Anti-Virus
An error occurred while scanning \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\COMMON FILES\SYSTEM\MSADC\MSADCO.DLL.



Record Number: 170
Source Name: F-Secure Anti-Virus
Time Written: 20080401235323.000000-300
Event Type: error
User:

Computer Name: BCRANKY-1087B57
Event Code: 103
Message: 1 2008-04-01 23:28:54-04:00 bcranky-1087b57 BCRANKY-1087B57\bcranky F-Secure Anti-Virus
Scanning of \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\CHARTER HIGH-SPEED SECURITY SUITE\FSAUA\SUBSCRIPTIONS\AVH_AVPE was aborted due to exceeded scanning time limit. The file may be in use or reading it was too slow (e.g. network connection was under stress).


Record Number: 167
Source Name: F-Secure Anti-Virus
Time Written: 20080401232856.000000-300
Event Type: error
User:

Computer Name: BCRANKY-1087B57
Event Code: 103
Message: 1 2008-03-30 02:54:51-04:00 bcranky-1087b57 BCRANKY-1087B57\bcranky F-Secure Anti-Virus
Scanning of \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\CHARTER HIGH-SPEED SECURITY SUITE\COMMON\FSPMAPI.DLL was aborted due to exceeded scanning time limit. The file may be in use or reading it was too slow (e.g. network connection was under stress).


Record Number: 143
Source Name: F-Secure Anti-Virus
Time Written: 20080330025453.000000-300
Event Type: error
User:

Computer Name: BCRANKY-1087B57
Event Code: 103
Message: 1 2008-03-23 01:53:16-04:00 bcranky-1087b57 BCRANKY-1087B57\bcranky F-Secure Anti-Virus
Scanning of \DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\BCRANKY\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\8X536SLD.DEFAULT\PREFS-1.JS was aborted due to exceeded scanning time limit. The file may be in use or reading it was too slow (e.g. network connection was under stress).


Record Number: 126
Source Name: F-Secure Anti-Virus
Time Written: 20080323015318.000000-300
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 0 Stepping 10, GenuineIntel
"PROCESSOR_REVISION"=000a
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------


Logfile of random's system information tool 1.06 (written by random/random)
Run by bcranky at 2010-04-12 21:50:21
Microsoft Windows XP Professional Service Pack 2
System drive C: has 5 GB (18%) free of 29 GB
Total RAM: 512 MB (62% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:29 PM, on 4/12/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
c:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsus.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\bcranky\Desktop\RSIT.exe
C:\Documents and Settings\bcranky\Desktop\bcranky.exe

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [CirqueGesture] C:\Program Files\Touchpad\Gesture.exe
O4 - HKLM\..\Run: [Glide] glidew32.exe
O4 - HKLM\..\Run: [Matrox PowerDesk SE] "c:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\ORSP Client\fsorsp.exe
O23 - Service: Matrox Centering Service - Matrox Graphics Inc. - c:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe

--
End of file - 4243 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}]
SnagIt Toolbar Loader - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll [2007-05-01 63048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - SnagIt - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll [2007-05-01 161352]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"F-Secure Manager"=C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE [2009-02-19 182936]
"F-Secure TNB"=C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe [2009-02-19 957024]
"CirqueGesture"=C:\Program Files\Touchpad\Gesture.exe [2005-10-03 123904]
"Glide"=C:\WINDOWS\system32\glidew32.exe [2005-10-03 81920]
"Matrox PowerDesk SE"=c:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe [2007-04-04 1771016]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispScrSavPage"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2010-04-12 21:33:30 ----D---- C:\rsit
2010-04-07 22:46:20 ----A---- C:\WINDOWS\system32\ws2_32.dll
2010-03-28 21:23:00 ----D---- C:\WINDOWS\pss
2010-03-28 20:53:23 ----D---- C:\Program Files\CCleaner
2010-03-13 18:59:54 ----D---- C:\HijackThis

======List of files/folders modified in the last 1 months======

2010-04-12 21:39:05 ----RD---- C:\Program Files
2010-04-12 21:36:38 ----D---- C:\Program Files\Mozilla Firefox
2010-04-12 21:33:33 ----D---- C:\WINDOWS\Temp
2010-04-12 21:28:25 ----D---- C:\WINDOWS\system32\CatRoot2
2010-04-12 21:26:24 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-04-12 21:26:07 ----D---- C:\WINDOWS\system32
2010-04-12 21:21:46 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-04-12 21:20:07 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-12 21:15:04 ----D---- C:\WINDOWS
2010-04-12 20:14:08 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-04-10 01:23:37 ----D---- C:\Program Files\Charter High-Speed Security Suite
2010-03-28 20:53:47 ----D---- C:\WINDOWS\Debug
2010-03-13 18:59:58 ----SHD---- C:\WINDOWS\Installer
2010-03-13 18:56:16 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-13 18:56:11 ----D---- C:\WINDOWS\system32\drivers

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 F-Secure HIPS;F-Secure HIPS; \??\C:\Program Files\Charter High-Speed Security Suite\HIPS\drivers\fshs.sys []
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
R3 admjoy;Aureal Game Port Enumerator; C:\WINDOWS\system32\DRIVERS\admjoy.sys [2004-08-03 10880]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter; C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 36224]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper; \??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\minifilter\fsgk.sys []
R3 G400DH;G400DH; C:\WINDOWS\system32\DRIVERS\g400dhm.sys [2007-04-13 350464]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mf;mf; C:\WINDOWS\system32\DRIVERS\mf.sys [2004-08-04 63744]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM); C:\WINDOWS\system32\drivers\adm8830.sys [2001-08-17 747392]
S3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2004-08-03 207360]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 G400;G400; C:\WINDOWS\system32\DRIVERS\G400m.sys [2001-08-17 322432]
S3 glidesvc;GlidePoint Mouseclass Service; C:\WINDOWS\system32\DRIVERS\glidesvc.sys [2005-10-03 38183]
S3 gpmouser;GlidePoint Serial Touchpad Service; C:\WINDOWS\system32\DRIVERS\gpmouser.sys [2005-10-03 27519]
S3 sermouse;Serial Mouse Driver; C:\WINDOWS\system32\DRIVERS\sermouse.sys [2001-08-17 17664]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 UtilNT;UtilNT; \??\C:\WINDOWS\system32\drivers\UtilNT.sys []
S4 F-Secure Filter;F-Secure File System Filter; \??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSfilter.sys []
S4 F-Secure Recognizer;F-Secure File System Recognizer; \??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSrec.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 F-Secure Gatekeeper Handler Starter;FSGKHS; C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe [2010-02-11 215648]
R2 FSMA;FSMA; C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE [2009-02-19 117400]
R2 Matrox Centering Service;Matrox Centering Service; c:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe [2007-04-04 480776]
R2 MGABGEXE;MGABGEXE; C:\WINDOWS\system32\mgabg.exe [2007-04-04 87560]
R3 FSAUA;F-Secure Automatic Update Agent; C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe [2009-02-19 490080]
R3 FSDFWD;F-Secure Anti-Virus Firewall Daemon; C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe [2009-02-19 510560]
R3 FSORSPClient;F-Secure ORSP Client; C:\Program Files\Charter High-Speed Security Suite\ORSP Client\fsorsp.exe [2009-02-19 55904]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------

A couple of new developments: After booting up the machine today and clearing out some initial warning messages about the Patched, they didn't reappear. Typically my AV warns me as soon as I boot up, and several times during the session, but this time the message didn't appear, even after rebooting several times. I didn't try, but I assume that Patched would reappear if I tried to access the network.
However, in the AV log I noticed a single appearance of two new (or old) offenders on 4/7/10: Trojan-Dropper.Win32.Agent and Packed:W32/Tibs.gen!A.

If after your analysis you strongly recommend that I re-image, I will. Thank you.
bhaenke
Active Member
Posts: 6
Joined: February 11th, 2010, 11:18 pm
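
The driver and service list in the log above follows a fixed line shape: run state and start type (R3, S4, ...), service name, display name, image path, then the file's date and size in square brackets, or an empty "[]" when the logger could not stat the file on disk (see the UtilNT and F-Secure entries above). The following parser is an added example written for this page; it is not part of the thread, of the logging tool, or of any product mentioned here. The three review flags it raises are the editor's own triage heuristics, not rules from the thread, and the last sample line (ExampleSvc) is constructed to show an entry installed outside the usual directories.

```python
"""Parse a driver/service listing of the shape seen in the thread and flag
entries worth a manual look.  Added example; heuristics are the editor's own."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One entry per line: "<R|S><0-4> <name>;<display name>; <image path> [<date> <size>]"
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"        # R3 / S4 ...
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"      # service name;display name;
    r"(?P<path>.*?)\s*"                            # image path (may contain spaces)
    r"\[(?P<meta>[^\]]*)\]\s*$"                    # "[YYYY-MM-DD size]" or "[]"
)

START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}

# Directories where drivers and vendor services normally live on the XP-era
# system in the thread (editor's assumption); anything elsewhere gets a closer look.
EXPECTED_DIRS = ("\\windows\\", "\\program files\\")

# Sample input: four lines copied from the log above plus one CONSTRUCTED line
# (ExampleSvc) that shows an entry outside the expected directories.
SAMPLE_LOG = r"""
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM); C:\WINDOWS\system32\drivers\adm8830.sys [2001-08-17 747392]
S3 UtilNT;UtilNT; \??\C:\WINDOWS\system32\drivers\UtilNT.sys []
S4 F-Secure Filter;F-Secure File System Filter; \??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSfilter.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 ExampleSvc;Example Service (constructed); C:\Documents and Settings\All Users\Application Data\examplesvc.exe []
"""


@dataclass
class ServiceEntry:
    running: bool
    start_type: str
    name: str
    display: str
    path: str
    file_date: Optional[str]   # None when the logger printed "[]"
    file_size: Optional[int]

    def flags(self) -> List[str]:
        """Heuristic reasons this entry deserves manual review (editor's own rules)."""
        out = []
        if self.file_date is None:
            # "[]" means the logger could not stat the image file on disk
            out.append("missing-file-info")
        if self.path.startswith("\\??\\"):
            # NT object-manager prefix instead of a plain Win32 path
            out.append("nt-object-path")
        low = self.path.lower()
        if not any(d in low for d in EXPECTED_DIRS):
            out.append("unusual-location")
        return out


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for one log line, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    meta = m.group("meta").split()
    return ServiceEntry(
        running=m.group("state") == "R",
        start_type=START_TYPES[m.group("start")],
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        path=m.group("path"),
        file_date=meta[0] if meta else None,
        file_size=int(meta[1]) if len(meta) > 1 else None,
    )


def parse_service_list(text: str) -> List[ServiceEntry]:
    """Every line that parses as a service/driver entry, in log order."""
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(e)
    return entries


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """(service name, flags) for each entry that raised at least one flag."""
    return [(e.name, e.flags()) for e in parse_service_list(text) if e.flags()]


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG):
        print(f"{name:20s} {', '.join(why)}")
```

Run on the sample, the two entries flagged from the real log are exactly the ones a helper would ask about first: UtilNT.sys, a demand-start driver with no on-disk metadata, and the F-Secure filter driver, which is expected to be there but is registered through an NT object path and likewise has no file info. A flag is a prompt for a look, not a verdict; the F-Secure entry shows why.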

Re: Trojan.Win32.Patched.hg Infection

Unread postby askey127 » April 13th, 2010, 6:49 am

bhaenke,
In general, the Charter Anti-virus is excellent, but F-Secure is a very heavy load for an older, slower machine.
If we can get this cleaned up, when we are done I would suggest you Uninstall all the Charter(F-Secure) antivirus applications and install either Avira Antivir or Microsoft Security Essentials.
They are both light on resources. The Microsoft AV requires your Windows to pass validation first.
----------------------------------------------
Run Temp File Cleaner
Download Temp File Cleaner and save it to your desktop.
Double click to run it. (Right click and Run as Administrator in Vista)
If it asks to Reboot, choose to do so. This will remove files that could not be removed while Windows was running.
After Restart, log back in to your usual account.
----------------------------------------------------------------------------------
Download and Run MalwareBytes' Anti-Malware
Please go here to the Download Location, click on Download.
  • After clicking on the download and choosing Save, the "Save to location" dialog will come up.
  • Choose Desktop as the location to save the installer and click Save again.
  • You should now have a desktop icon named mbam-setup.exe. Double-click it.
  • Let it install the program where it wants to, with the default settings, and click Finish.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format: mbam-log-2010-mm-dd(hour-min-sec).txt
  • You can now delete the installer icon, named mbam-setup.exe from your desktop.
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Trojan.Win32.Patched.hg Infection

Unread postby bhaenke » April 15th, 2010, 8:50 am

I will run the tests as instructed. BTW, I ran the Charter (F-secure) AV scan and another anomaly showed up: Server-FTP.Win32.SFH.cu.
bhaenke
Active Member
Posts: 6
Joined: February 11th, 2010, 11:18 pm

Re: Trojan.Win32.Patched.hg Infection

Unread postby bhaenke » April 16th, 2010, 2:22 am

Hi askey127. Here is the mbam log:

Malwarebytes' Anti-Malware 1.45
http://www.malwarebytes.org

Database version: 3994

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/16/2010 2:03:22 AM
mbam-log-2010-04-16 (02-03-22).txt

Scan type: Quick scan
Objects scanned: 114992
Time elapsed: 28 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blphc932j0en95.scr (Pup.FakeBlueScreen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phc932j0en95.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

****
I was surprised to see yet more (different) items.

I'll check out the other AV software you mentioned.

Please let me know next steps and thanks again for your expert assistance. -b
bhaenke
Active Member
Posts: 6
Joined: February 11th, 2010, 11:18 pm

Re: Trojan.Win32.Patched.hg Infection

Unread postby askey127 » April 16th, 2010, 7:06 am

bhaenke,
Spybot's Teatimer attempts to prevent changes to your system. In doing so, it can prevent proper removal of spyware.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove:

Spybot Search & Destroy

Take extra care in answering questions posed by any Uninstaller.
You can re-install it after we are done, if you wish.
If the Uninstaller asks whether you want to remove all the settings, answer YES.
-----------------------------------------------------------
IMPORTANT - REBOOT(RESTART) Your Machine
----------------------------------------------------------------------------------
We need to do this again in case Spybot prevented removals the first time. It should be a bit quicker.
Run MalwareBytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware.
  • Click on The Update tab. Choose Check for Updates.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, check all items except items in the C:\System Volume Information folder... and click Remove Selected.

Let me know when you are done, and tell me if you have a broadband internet connection, like Cable.
askey
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Trojan.Win32.Patched.hg Infection

Unread postby bhaenke » April 18th, 2010, 1:39 am

askey,

I followed your instructions and it appears that I'm clean. F-Secure did find one virus in a data backup file and I deleted that folder. I have a cable modem and I'm downloading and installing SP3 right now. I'm not too concerned about performance and F-secure seems to be working for me, but I'll consider switching to one of the other AV programs you suggested.

It doesn't do justice, but... thank you again for your expert assistance!!

-b
bhaenke
Active Member
Posts: 6
Joined: February 11th, 2010, 11:18 pm

Re: Trojan.Win32.Patched.hg Infection

Unread postby askey127 » April 18th, 2010, 6:38 am

This topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA