Google Redirect, XP freeze, AntiVirus hijack

Dell / DIMENSION E520
April 27, 2009 at 16:45:27
Specs: Windows XP, SP3
Hi!
I installed a codec pack a couple of days ago and now I have some frustrating problems. The symptoms include normal booting of Windows XP freezes at splash screen, McAfee update/virus scan "memory issues" that prevent operation, failing McAfee update, Google redirects, Malwarebytes and Spybot fail to open fully, etc.
I've booted in safe mode, renamed Malwarebytes and managed to get it to run. It finds a Trojan.DNSchanger in a file C:/Windows/System32/qxvxccounter, but I can't find the file myself. The file returns after Malwarebytes' "fix checked items," and a reboot. Also, the McAfee icon in the corner becomes distorted.
I have done a lot of reading across the forums, and I found that someone seems to have a similar problem, but they decided to go with complete system wipe before an alternative was found.
=O
http://www.computing.net/answers/se...
Haha! I hope it doesn't come to that.

I have a hijackthis log ready to go, but I'm not seeing anything that really sticks out. I'll post on request.

Thanks a lot!!




#1
April 27, 2009 at 18:36:21
Please post your Hijack This log.


#2
April 28, 2009 at 14:56:47
Jabuck, here is the HJT log (thanks in advance for looking it over!).

Logfile of HijackThis v1.99.1
Scan saved at 5:47:03 PM, on 4/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4061107
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4061107
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\tool.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe


Hertinas, thanks for your reply as well! The material that you have linked to suggests a step that wipes all record of system restore points. Can you confirm that you wish that I take that step at this point? I appreciate your expertise!



#3
April 28, 2009 at 15:42:55
Please do not run system restore at this point in the clean up.

It appears that two antivirus programs may be running at the same time, AVG and McAfee, uninstall one of them as they will conflict. If AVG has been removed run Hijack This to clean the remnants of AVG antivirus, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe


O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\tool.exe" /runcleanupscript

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

Exit Hijack This.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your McAfee antivirus (you may have to go online to find out how to turn off your version of McAfee), and any other antispyware that you may have.
2. Run Combofix by double clicking the combofix.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.
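The remnant list above is built by hand from the HijackThis log. As an added example (not code from the original thread or from HijackThis), the following parses HJT-style O2/O4/O9/O18/O20/O23 lines, pulls out the file path each entry points at, selects the entries belonging to a given product (here AVG, as in the reply above) and flags the items a reviewer looks at first: "(file missing)" entries and services with "Unknown owner". The sample log is a constructed excerpt of the lines posted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few HijackThis v1.99.1 lines in the format posted above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


@dataclass
class HjtEntry:
    section: str        # e.g. "O4", "O23"
    detail: str         # everything after "Oxx - "
    path: str           # file path the entry points at ("" if none)
    file_missing: bool  # HijackThis appended "(file missing)"
    owner: str          # O23 only: the vendor column, "" otherwise


_ENTRY_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")
_FILE_MISSING = "(file missing)"


def _extract_path(section: str, detail: str) -> str:
    """Return the file path an entry references, without quotes, arguments or markers."""
    if section.startswith("R"):
        return ""  # R0/R1 lines carry URLs, not files
    if section == "O4":
        # O4 - HKLM\..\Run: [name] "C:\path\prog.exe" /args   or   [name] C:\path\prog.exe
        m = re.search(r"\]\s+(.*)$", detail)
        rest = m.group(1).strip() if m else ""
        if rest.startswith('"'):
            return rest[1:].split('"', 1)[0]
        return rest.split(" /", 1)[0]
    # Other sections put the path in the last " - " separated column.
    if " - " in detail:
        return detail.rsplit(" - ", 1)[1].replace(_FILE_MISSING, "").strip()
    return ""


def parse_hjt(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if not m:
            continue  # headers, "Running processes" lines, blanks
        section, detail = m.groups()
        parts = detail.split(" - ")
        # O23 - Service: <name> - <owner> - <path>
        owner = parts[-2].strip() if section == "O23" and len(parts) >= 3 else ""
        entries.append(HjtEntry(section, detail, _extract_path(section, detail),
                                _FILE_MISSING in detail, owner))
    return entries


def product_remnants(entries: list, keyword: str) -> list:
    """Entries whose path has a directory or file name starting with `keyword` (case-insensitive),
    e.g. "avg" matches \AVG\, \AVG8\ and system32\avgrsstx.dll."""
    kw = keyword.lower()
    hits = []
    for e in entries:
        components = [c for c in re.split(r"[\\/]", e.path.lower()) if c]
        if any(c.startswith(kw) for c in components):
            hits.append(e)
    return hits


def review_flags(entries: list) -> list:
    """Items a log reviewer checks first: dangling entries and services with no known vendor."""
    flags = []
    for e in entries:
        if e.file_missing:
            flags.append(("file missing", e))
        if e.section == "O23" and e.owner.lower() == "unknown owner":
            flags.append(("unknown owner", e))
    return flags


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT_LOG)
    for e in product_remnants(parsed, "avg"):
        print("AVG remnant:", e.section, "-", e.detail)
    for reason, e in review_flags(parsed):
        print(f"check ({reason}):", e.section, "-", e.detail)
```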




#4
April 28, 2009 at 17:51:20
jabuck,
Your directions have resolved the symptoms I had mentioned. The program suggested ran and restarted my computer for me twice, and deleted some malicious files.
Because the symptoms are gone, I would say that the problem is gone, but I'm not really the expert here.
Below is the log from the Combofix program. Would you recommend any further steps?

Thanks again!!!

Also, I am in possession of the file that I believe is the origin of the problems. Would you suggest that I submit it to a site?


ComboFix 09-04-28.02 - fname lname 04/28/2009 19:43.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.807 [GMT -4:00]
Running from: c:\documents and settings\fname lname\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\log.udt
c:\windows\mainms.vpi
c:\windows\megavid.cdt
c:\windows\muotr.so
c:\windows\system32\drivers\gxvxcyresbaducdlmlrspvvntjpcdeyiutmcp.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcjxtvormoebfdktkkeaukxbidyrlympxn.dll
c:\windows\system32\hljwugsf.bin
c:\windows\system32\x64

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS
-------\Legacy_MSSECURITY1.209.4


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-25 17:11 . 2009-04-25 17:11 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-22 03:44 . 2003-03-25 09:49 152064 ----a-w c:\windows\system32\unrar.dll
2009-04-22 03:44 . 2004-10-30 19:39 761856 ----a-w c:\windows\system32\xvidcore.dll
2009-04-22 03:26 . 2009-04-22 03:26 -------- d-----w c:\documents and settings\fname lname\Application Data\dvdcss
2009-04-15 13:04 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 13:04 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 13:04 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 13:04 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 13:04 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 13:04 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 13:04 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 13:04 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 13:04 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 13:04 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 13:04 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 13:04 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-10 23:39 . 2009-04-10 23:39 -------- d-----w c:\documents and settings\All Users\Application Data\GARMIN
2009-04-10 23:39 . 2009-04-11 02:31 -------- d-----w C:\Garmin
2009-04-10 20:34 . 2009-04-11 01:33 -------- d-----w c:\documents and settings\fname lname\Application Data\Download Manager
2009-04-10 20:30 . 2009-04-11 04:10 -------- d-----w c:\documents and settings\fname lname\Application Data\GARMIN
2009-04-10 20:30 . 2009-04-10 20:30 -------- d-----w c:\program files\Garmin GPS Plugin
2009-04-10 20:30 . 2009-04-10 20:30 -------- d-----w c:\program files\DIFX
2009-04-10 20:30 . 2009-04-10 23:39 -------- d-----w c:\program files\Garmin
2009-04-07 05:57 . 2009-04-07 05:57 -------- d-----w c:\windows\system32\Adobe
2009-04-03 13:55 . 2009-04-03 13:55 -------- d-----w c:\program files\Common Files\Crystal Decisions
2009-04-03 13:40 . 2009-04-03 13:55 -------- d-----w c:\program files\Danfoss Turbocor Compressor Inc
2009-04-03 02:01 . 2006-10-09 05:36 8032 ----a-w c:\windows\system32\drivers\generout.sys
2009-04-03 02:01 . 2006-10-09 05:36 11328 ----a-w c:\windows\system32\drivers\genelan.sys
2009-04-03 02:01 . 2006-10-09 05:36 1589 ----a-w c:\windows\system32\drivers\glexport.sys
2009-04-03 02:01 . 2006-10-09 05:36 10464 ----a-w c:\windows\system32\drivers\glkusb.sys
2009-04-03 02:01 . 2000-11-02 14:38 32768 ----a-w c:\windows\system\setupres.dll
2009-04-03 02:01 . 2009-04-03 02:01 -------- d-----w c:\program files\Genesys Logic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 23:01 . 2006-11-07 06:48 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-27 16:06 . 2008-06-23 00:56 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-27 15:06 . 2008-10-23 23:38 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-26 16:53 . 2008-03-13 15:38 -------- d-----w c:\program files\DNA
2009-04-21 21:59 . 2007-04-02 22:13 137992 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-21 21:58 . 2007-04-02 20:28 201816 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-19 12:56 . 2006-11-07 06:55 -------- d-----w c:\program files\McAfee
2009-04-06 19:32 . 2008-10-23 23:38 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-10-23 23:38 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 13:41 . 2006-11-12 04:11 79808 ----a-w c:\documents and settings\fname lname\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-25 15:06 . 2007-03-06 15:35 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 15:06 . 2007-03-06 15:35 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 15:06 . 2007-03-06 15:35 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 15:06 . 2007-03-06 15:35 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 15:05 . 2007-03-06 15:35 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-21 16:05 . 2008-01-08 23:35 -------- d-----w c:\program files\AZPR
2009-03-21 16:05 . 2009-03-21 16:05 2560 ----a-w c:\windows\_MSRSTRT.EXE
2009-03-12 17:42 . 2005-08-17 01:54 -------- d-----w c:\program files\GemMaster
2009-03-06 14:22 . 2005-08-16 09:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-08-16 09:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 09:18 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2005-08-16 09:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 09:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 09:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 09:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-08-16 09:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 01:32 . 2009-02-09 01:32 2678 ----a-w c:\windows\java\Packages\Data\V93VJV37.DAT
2009-02-09 01:32 . 2009-02-09 01:32 2678 ----a-w c:\windows\java\Packages\Data\YTFZXZTB.DAT
2009-02-09 01:32 . 2009-02-09 01:32 2678 ----a-w c:\windows\java\Packages\Data\O0ME7DBT.DAT
2009-02-09 01:32 . 2009-02-09 01:32 2678 ----a-w c:\windows\java\Packages\Data\CMPF9ZPF.DAT
2009-02-09 01:32 . 2009-02-09 01:32 2678 ----a-w c:\windows\java\Packages\Data\0KVLBFB9.DAT
2009-02-06 11:11 . 2005-08-16 09:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-08-16 09:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 09:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-08-16 09:18 56832 ----a-w c:\windows\system32\secur32.dll
2004-03-15 22:51 . 2004-03-15 22:51 114688 ----a-w c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
2006-01-23 15:32 . 2006-01-23 15:32 131072 ----a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 15:48 . 2007-02-08 15:48 133920 ----a-w c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
2007-07-25 00:03 . 2007-07-25 00:03 118784 ----a-w c:\program files\internet explorer\plugins\LV85ActiveXControl.dll
2007-11-24 03:57 . 2007-11-24 03:57 88 --sh--r c:\windows\system32\F8C98E3994.sys
2007-11-24 03:57 . 2007-11-24 03:57 2516 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-08-09 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 20:28 352256 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LkCitadelServer"=2 (0x2)
"nipxirmu"=2 (0x2)
"nidevldu"=2 (0x2)
"ni488enumsvc"=2 (0x2)
"lkTimeSync"=2 (0x2)
"lkClassAds"=2 (0x2)
"WZCSVC"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"WebClient"=2 (0x2)
"Venturi2"=3 (0x3)
"UPS"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SwPrv"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"ose"=3 (0x3)
"NITaggerService"=2 (0x2)
"niSvcLoc"=2 (0x2)
"NILM License Manager"=3 (0x3)
"NIDomainService"=2 (0x2)
"mxssvr"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MHN"=3 (0x3)
"MDM"=2 (0x2)
"McrdSvc"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"aawservice"=3 (0x3)
"Schedule"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"HidServ"=2 (0x2)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"OpcEnum"=3 (0x3)
"MSK80Service"=2 (0x2)
"MpfService"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"McAfee SiteAdvisor Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\dabnoot\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 ba8564decd0e01232df8c976aad12b13;ba8564decd0e01232df8c976aad12b13; [x]
R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\System32\drivers\nipbcfk.sys [2007-07-11 15448]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-09-03 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-09-03 55024]
R2 ATIXBAR;ATI TV Wonder WDM Audio Crossbar;c:\windows\system32\drivers\ativxstw.sys [2001-04-24 33712]
R2 BT848;ATI TV Wonder BtCap, WDM Video Capture;c:\windows\system32\drivers\BT848.sys [2001-04-24 208720]
R2 BTTUNER;ATI TV Wonder TVTuner, WDM TvTuner;c:\windows\system32\drivers\ativtutw.sys [2001-04-24 28624]
R2 BTXBAR;ATI TV Wonder WDM Video Crossbar;c:\windows\system32\drivers\BTXBAR.sys [2001-04-24 10512]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [2007-02-22 11552]
R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2007-07-19 11360]
R3 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.sys [2007-01-11 20256]
R3 Ndisusb;GeneLink Network Driver;c:\windows\system32\DRIVERS\genelan.sys [2006-10-09 11328]
R3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [2007-02-22 25888]
R3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [2007-02-22 11552]
R3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [2007-05-25 22360]
R3 ni488lock;NI-488.2 Locking Service;c:\windows\system32\drivers\ni488lock.sys [2007-02-26 16672]
R3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrkl.sys [2007-07-15 11352]
R3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [2007-07-12 11360]
R3 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfkl.sys [2007-07-14 11336]
R3 nidsark;nidsark;c:\windows\system32\drivers\nidsarkl.sys [2007-07-19 11344]
R3 niemrk;niemrk;c:\windows\system32\drivers\niemrkl.sys [2007-07-25 11336]
R3 niesrk;niesrk;c:\windows\system32\drivers\niesrkl.sys [2007-07-25 11336]
R3 nifslk;nifslk;c:\windows\system32\drivers\nifslkl.sys [2007-07-15 11352]
R3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2kl.sys [2007-07-24 11360]
R3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrkl.sys [2007-07-18 11392]
R3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [2007-06-21 14464]
R3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [2007-06-21 151683]
R3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstskl.sys [2007-07-14 11360]
R3 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpkl.sys [2007-07-14 11368]
R3 ninshsdk;ninshsdk;c:\windows\system32\drivers\ninshsdkl.sys [2007-07-19 11360]
R3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2007-07-19 11904]
R3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2007-07-19 11896]
R3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [2007-02-22 20768]
R3 niscdk;niscdk;c:\windows\system32\drivers\niscdkl.sys [2007-07-19 11376]
R3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigkl.sys [2007-07-17 11352]
R3 nisftk;nisftk;c:\windows\system32\drivers\nisftkl.sys [2007-07-16 11344]
R3 nispdk;nispdk;c:\windows\system32\drivers\nispdkl.sys [2007-07-19 11376]
R3 nissrk;nissrk;c:\windows\system32\drivers\nissrkl.sys [2007-07-25 11336]
R3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2kl.sys [2007-07-15 11312]
R3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrkl.sys [2007-07-15 11360]
R3 niswdk;niswdk;c:\windows\system32\drivers\niswdkl.sys [2007-07-17 11336]
R3 nitiork;nitiork;c:\windows\system32\drivers\nitiorkl.sys [2007-07-19 11360]
R3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [2007-07-19 11384]
R3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2007-07-19 11360]
R3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [2007-07-25 11336]
R3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrkl.sys [2007-07-25 11336]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
R3 usb6xxxk;usb6xxxk; [x]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
R4 ni488enumsvc;NI-488.2 Enumeration Service;c:\windows\system32\nipalsm.exe [2007-02-16 12696]
R4 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [2007-02-16 12696]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2008-09-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-06 15:53]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-06 15:53]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4061107
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\fname lname\Application Data\Mozilla\Firefox\Profiles\aerbidvo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.pandora.com/
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV80Win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nplv85win32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 19:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(288)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-28 19:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 23:52

Pre-Run: 20,888,133,632 bytes free
Post-Run: 20,837,621,760 bytes free

317 --- E O F --- 2009-04-15 14:05



#5
April 28, 2009 at 18:35:24

If you still have that folder:

C:/Windows/System32/qxvxccounter

Delete it and empty the recycle bin.

Your java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 13 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

The following Kaspersky scan may take 4hrs.+ to complete but it is worth the time.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


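The reply above asks for three things that are easy to get wrong by hand: confirming the flagged folder is really gone, finding every old JRE in Add/Remove Programs, and (given the Trojan.DNSchanger detection) checking what the machine is actually using as DNS servers. The following Windows PowerShell script is an added example for readers of this thread, not code from the original poster, jabuck, or any tool named here. It only reports; it deletes nothing. The Java version parsing from display names and the `$trusted` resolver list are assumptions, marked in the comments.

```powershell
# Added example, not part of the original thread or of any tool named in it.
# Windows PowerShell checks for the three items the reply above asks the poster to handle:
# the flagged folder, leftover Java versions, and (since Malwarebytes reported a DNSChanger)
# the resolvers each adapter is actually using. Assumptions are noted inline.

# 1. The folder Malwarebytes flagged. Path as given in the thread; this only reports, it does not delete.
$suspect = Join-Path $env:SystemRoot 'System32\qxvxccounter'
if (Test-Path $suspect) {
    Write-Warning "Still present: $suspect"
    Get-Item -Force $suspect | Select-Object FullName, Attributes, CreationTime, LastWriteTime
} else {
    Write-Host "Not found: $suspect"
}

# 2. Installed Java runtimes, read from the Add/Remove Programs registry keys.
#    Anything older than JRE 6 Update 13 (the version the reply says to install) is flagged.
#    Version numbers are parsed from the display name ("Java(TM) 6 Update 13",
#    "J2SE Runtime Environment 5.0 Update 6"); this parsing is a heuristic, not a documented format.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$javaEntries = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key |
            ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName -match '^(Java|J2SE)' -and $_.DisplayName -notmatch 'Development Kit' }
    }
}
foreach ($entry in $javaEntries) {
    $name  = $entry.DisplayName
    $isOld = $true          # unparseable name: treat as suspect and let the user decide
    if ($name -match '\b([1-9])(?:\.0)?\b(?:\s+Update\s+(\d+))?') {
        $major  = [int]$Matches[1]
        $update = if ($Matches[2]) { [int]$Matches[2] } else { 0 }
        $isOld  = ($major -lt 6) -or ($major -eq 6 -and $update -lt 13)
    }
    "{0,-50} {1}" -f $name, $(if ($isOld) { 'OLD - remove via Add/Remove Programs' } else { 'ok' })
}

# 3. DNS servers on every IP-enabled adapter. A DNSChanger trojan redirects searches by pointing
#    these at resolvers the attacker controls, so anything not in $trusted deserves a look.
#    $trusted is an assumption: fill in your router's or ISP's resolvers.
$trusted = @('192.168.1.1')
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $adapter = $_
    $servers = @($adapter.DNSServerSearchOrder | Where-Object { $_ })
    $unknown = @($servers | Where-Object { $trusted -notcontains $_ })
    $flag    = if ($unknown.Count -gt 0) { 'CHECK' } else { 'ok' }
    "{0,-6} {1,-40} {2}" -f $flag, $adapter.Description, ($servers -join ', ')
}
```

Run it from an elevated PowerShell prompt after the Java and restore-point steps. A JRE line marked OLD means the uninstall step was missed for that version; a CHECK on the DNS line means the adapter still points at a resolver you did not configure, which is exactly the condition a DNS changer leaves behind and the reason the Google redirects appear even after the dropped file is removed.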

#6
April 29, 2009 at 15:56:00
jabuck,
I updated the JRE, and ran the ATF cleaner successfully. I also ran the online scan: the scan found no problems (so there's no log to post).
You're terrific!


#7
April 29, 2009 at 19:07:07
Your computer appears to be clean.


Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Go to start> control panel> add/remove programs and uninstall these programs:

Hijack This

Malwarebytes

Kaspersky

You should keep ATF Cleaner and run it weekly.


You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly, as there is no auto-update on the free version.

How is the computer operating?



#8
May 1, 2009 at 21:33:11
I uninstalled Combofix, but it was kind of funny because I had re-enabled McAfee through msconfig, and McAfee thought the program was trouble (kind of like having a friend come over and the dog won't stop barking). Combofix told me that the uninstall was successful.
I got rid of the other stuff, too.
How's the computer running? Of course, all of the malicious behavior has halted. Thank you soooo much!!! I hope you feel good about the help you give people.

What about you?
Do you have a preferred net of software protection?
McAfee is almost a thorn in my side. I had previously disabled some of the McAfee programs from starting with the computer to try and speed things up, and I have re-enabled those applications. The computer is a Dual-Core Pentium D 2.66GHz, 1GB Ram, Front-Side Bus speed unknown, but it is slow now with all the McAfee stuff running. Kind of disappointing, Haha! I'm thinking about options for upgrading the processor, but I'll have to investigate if it's REALLY worth it.
It's my college computer, a gift from dad. I'm graduating but I still do some engineering work on it, and the programs can be very demanding.



#9
May 2, 2009 at 13:13:27
I would dump McAfee and install a free antivirus such as AVG, Avast, or Avira, as McAfee uses so many resources. Install Spywareblaster and keep it updated. Install a free firewall; I think Comodo and ZoneAlarm both have free versions.

As for the PC itself, to increase its potential, install as much memory as possible for your model, and also defrag it.

