Need Help with virus

Dell / DIMENSION 3000
January 24, 2009 at 09:46:19
Specs: Microsoft Windows XP Home Edition, 2.394 GHz / 509 MB
I am unable to do a system restore in regular mode and safe mode. I also am unable to run any type of virus scan. I am also unable to go to any site that has virus information, such as AVG, McAfee, or anything pertaining to virus help. Please help me if you have any ideas.



#1
January 24, 2009 at 16:56:53
Click on Start, click Run, then type devmgmt.msc and click OK.
On the View menu click on Show hidden devices.
Browse to Non-Plug and Play Drivers and click the + sign to the left; you should see something like TDSSserv.sys in that list.
Highlight that driver, right-click on it and select DISABLE, NOT uninstall.
Now RESTART your computer.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.


If Malwarebytes installed but will not run navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
January 27, 2009 at 04:33:07
Thanks very much for your help. As soon as I disabled TDSSserv.sys and restarted my computer, McAfee found a trojan virus and removed it. It is now letting me update my definitions. Only question is, do I enable what I just disabled?

Thanks again



#3
January 27, 2009 at 16:59:29
No, that is a temporary fix.

You need to run the suggested scans and post their logs. They will remove some of the bad files; we will need to see these logs to determine the path forward.



#4
February 3, 2009 at 17:07:38
Malwarebytes' Anti-Malware 1.28
Database version: 1200
Windows 5.1.2600 Service Pack 3

2/3/2009 8:06:08 PM
mbam-log-2009-02-03 (20-06-08).txt

Scan type: Quick Scan
Objects scanned: 57248
Time elapsed: 16 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Jessica Baker.D9HFHW71\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:13 PM, on 2/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\1147388256\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Upromise\Upromise.exe
C:\Program Files\Upromise\UpromiseUa.exe
C:\Program Files\Upromise\UpromiseTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Documents and Settings\Jessica Baker.D9HFHW71\Desktop\tools.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FOR...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goodsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FOR...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ToolHelper - {EDC0F17F-F4B7-47e4-B73E-887FAEB376FA} - C:\Program Files\Upromise\upromisetoolbar.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147388256\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Upromise] C:\Program Files\Upromise\Upromise.exe
O4 - HKCU\..\Run: [Upromise Update] C:\Program Files\Upromise\UpromiseUa.exe
O4 - HKCU\..\Run: [Upromise Tray] C:\Program Files\Upromise\UpromiseTray.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll
O9 - Extra 'Tools' menuitem: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls...
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo1.walgreens.com/Walgree...
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySp...
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/sh...
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v5...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10603 bytes
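As an added illustration (not code from this thread, from HijackThis or from Malwarebytes), a small Python triage helper for the HijackThis O4 Run lines shown in the log above: it flags an autostart command that is given as a bare filename rather than a full path, which is exactly the shape of the `[Framework Windows] frmwrk32.exe` entry, the file ComboFix later deleted from system32. The sample lines are constructed from the posted log; the `O4_RUN` pattern and the bare-filename rule are this example's own assumptions.

```python
import re

# Constructed sample in the HijackThis 2.0.2 O4 format, copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
"""

# Assumed shape of an O4 Run entry: hive, bracketed value name, then the command line.
O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# Unquoted commands may contain spaces in the path, so take everything up to the
# first executable-looking extension instead of the first whitespace token.
_EXE_TOKEN = re.compile(r'^(?P<exe>.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)', re.IGNORECASE)


def parse_o4_run(line):
    """Return {'hive', 'name', 'cmd'} for an O4 Run line, or None for any other line."""
    m = O4_RUN.match(line.strip())
    return m.groupdict() if m else None


def executable_of(cmd):
    """Extract the program path from a Run command line (quoted or unquoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXE_TOKEN.match(cmd)
    if m:
        return m.group('exe')
    return cmd.split()[0] if cmd else ''


def is_bare_filename(exe):
    """True when the command names a file with no directory or drive component."""
    return exe != '' and '\\' not in exe and '/' not in exe and ':' not in exe


def triage(log_text):
    """Walk the log and report O4 Run entries whose program is a bare filename.

    Such entries are resolved through the search path at logon (normally from
    system32), so a generic name there deserves a look before anything is fixed.
    """
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4_run(line)
        if entry is None:
            continue
        exe = executable_of(entry['cmd'])
        if is_bare_filename(exe):
            findings.append({
                'hive': entry['hive'],
                'name': entry['name'],
                'exe': exe,
                'reason': 'bare filename in Run key; resolved via search path, not an explicit location',
            })
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print('{hive} Run [{name}] -> {exe}: {reason}'.format(**f))
```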



#5
February 3, 2009 at 17:36:19
Did you run Malwarebytes, if so please post its log.


#6
February 3, 2009 at 18:28:01
Yes, I did run Malware; it's at the top of the last post.


#7
February 3, 2009 at 19:03:50
Sorry, I overlooked it.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to toolb.exe in the filename box, then click Save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your McAfee antivirus and any antispyware that you may have.
2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.



#8
February 4, 2009 at 07:17:34
ComboFix 09-02-03.01 - Jessica Baker 2009-02-04 9:56:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.224 [GMT -5:00]
Running from: c:\documents and settings\Jessica Baker.D9HFHW71\Desktop\toolb.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090202231108156.log
c:\documents and settings\Jessica Baker.D9HFHW71\Application Data\FunWebProducts
c:\documents and settings\Jessica Baker.D9HFHW71\Application Data\FunWebProducts\Data\Jessica Baker\avatar.dat
c:\program files\SAV
c:\windows\system\oeminfo.ini
c:\windows\system32\ahtn.htm
c:\windows\system32\bszip.dll
c:\windows\system32\frmwrk32.exe
c:\windows\system32\TDSSkyai.log
c:\windows\system32\TDSSmtvd.dat
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-04 09:54 . 2009-02-04 10:06 <DIR> d-------- C:\32788R22FWJFW
2009-02-04 09:33 . 2004-08-04 05:00 96,256 --a------ c:\windows\SYSTEM32\CDMODE.dll
2009-02-03 17:13 . 2009-02-03 17:13 444 --a------ c:\windows\SYSTEM32\d3d8caps.dat
2009-02-03 10:19 . 2009-02-03 10:19 142,848 --a--c--- c:\windows\SYSTEM32\DLLCACHE\userinit.exe
2009-02-02 23:24 . 2009-02-02 23:24 138,016 --a------ c:\windows\SYSTEM32\DRIVERS\ethiygcq.sys
2009-02-02 23:20 . 2009-02-02 23:20 <DIR> d-------- c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\Yahoo!
2009-02-02 23:20 . 2009-02-02 23:25 <DIR> d-------- c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\HPAppData
2009-02-02 23:20 . 2009-02-02 23:20 0 --a------ c:\windows\SYSTEM32\ŸcŸc
2009-02-02 23:19 . 2009-02-02 23:24 164,388 --a------ c:\windows\SYSTEM32\1E.tmp
2009-02-02 23:19 . 2009-02-02 23:19 61,440 --a------ c:\windows\SYSTEM32\16.tmp
2009-02-02 23:19 . 2009-02-02 23:19 15,000 --------- c:\windows\SYSTEM32\hnsf983ind.dll
2009-02-02 23:14 . 2009-02-03 07:22 124 --a------ c:\windows\adobe.bat
2009-02-02 23:14 . 2009-02-03 08:13 5 --a------ c:\windows\_id.dat
2009-02-02 23:13 . 2009-02-02 23:13 104,870 --a------ c:\windows\SYSTEM32\81.tmp
2009-02-02 23:12 . 2009-02-02 23:12 61,440 --a------ c:\windows\SYSTEM32\77.tmp
2009-01-13 14:58 . 2009-01-16 16:49 <DIR> d-------- c:\documents and settings\Jessica Baker.D9HFHW71\Application Data\Move Networks
2009-01-12 22:58 . 2009-01-18 00:34 <DIR> d-------- c:\documents and settings\Jessica Baker.D9HFHW71\Application Data\HPAppData
2009-01-09 09:34 . 2008-12-06 05:05 1,203,770 -----c--- c:\windows\SYSTEM32\DLLCACHE\sysmain.sdb
2009-01-08 13:21 . 2009-01-08 13:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\WEBREG
2009-01-08 13:20 . 2009-01-08 13:20 <DIR> d-------- c:\documents and settings\Jessica Baker.D9HFHW71\Application Data\HP
2009-01-08 13:19 . 2008-01-24 16:22 49,920 -ra------ c:\windows\SYSTEM32\DRIVERS\HPZid412.sys
2009-01-08 13:19 . 2008-01-24 16:22 16,496 -ra------ c:\windows\SYSTEM32\DRIVERS\HPZipr12.sys
2009-01-08 13:18 . 2009-01-08 13:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-01-08 13:18 . 2008-01-24 16:23 271,704 -ra------ c:\windows\SYSTEM32\hpzids01.dll
2009-01-08 13:18 . 2007-10-20 18:25 118,272 --a------ c:\windows\SYSTEM32\hpz3l5mu.dll
2009-01-08 13:18 . 2008-01-24 16:22 21,568 -ra------ c:\windows\SYSTEM32\DRIVERS\HPZius12.sys
2009-01-08 13:17 . 2008-01-24 16:22 729,088 -ra------ c:\windows\SYSTEM32\hpowiax7.dll
2009-01-08 13:17 . 2008-01-24 16:22 581,632 -ra------ c:\windows\SYSTEM32\hpotscl6.dll
2009-01-08 13:17 . 2008-01-24 16:22 372,736 -ra------ c:\windows\SYSTEM32\hppldcoi.dll
2009-01-08 13:17 . 2008-01-24 16:22 309,760 -ra------ c:\windows\SYSTEM32\difxapi.dll
2009-01-08 13:17 . 2008-01-24 16:22 303,104 -ra------ c:\windows\SYSTEM32\hpovst15.dll
2009-01-08 13:16 . 2008-04-13 13:45 15,104 --a------ c:\windows\SYSTEM32\DRIVERS\usbscan.sys
2009-01-08 13:16 . 2008-04-13 13:45 15,104 --a--c--- c:\windows\SYSTEM32\DLLCACHE\usbscan.sys
2009-01-08 13:11 . 2009-01-08 13:11 <DIR> d-------- c:\program files\Hewlett-Packard
2009-01-08 13:11 . 2009-01-08 13:11 <DIR> d-------- c:\program files\Common Files\HP
2009-01-08 13:11 . 2009-01-08 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-01-08 13:11 . 2009-01-08 13:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2009-01-08 13:10 . 2009-01-08 13:10 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2009-01-08 13:08 . 2008-04-13 13:45 32,128 --a------ c:\windows\SYSTEM32\DRIVERS\usbccgp.sys
2009-01-08 13:08 . 2008-04-13 13:45 32,128 --a--c--- c:\windows\SYSTEM32\DLLCACHE\usbccgp.sys
2009-01-08 13:05 . 2009-01-08 13:20 <DIR> d-------- c:\program files\HP
2009-01-08 13:04 . 2009-01-08 13:21 166,217 --a------ c:\windows\hpoins28.dat
2009-01-08 13:04 . 2008-05-11 22:49 796 --------- c:\windows\hpomdl28.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 14:54 --------- d-----w c:\documents and settings\Jessica Baker.D9HFHW71\Application Data\SlimBrowser
2009-02-03 04:20 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-01-31 18:41 --------- d-----w c:\documents and settings\Jessica Baker.D9HFHW71\Application Data\LimeWire
2009-01-23 15:30 --------- d-----w c:\program files\SlimBrowser
2009-01-06 23:17 --------- d-----w c:\program files\Java
2008-12-18 15:25 --------- d-----w c:\program files\Common Files\Adobe
2008-12-17 12:31 --------- d-----w c:\documents and settings\Jessica Baker.D9HFHW71\Application Data\Apple Computer
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2005-11-01 18:07 310 -c--a-w c:\program files\Warez P2P ClientIPGUARD.LOG
2008-09-24 04:02 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008092320080924\index.dat
.

------- Sigcheck -------

2008-04-13 19:12 1051136 b656dad82fdaf553f607bb3f195af9d8 c:\windows\explorer.exe
2004-08-12 08:57 1049600 f6ac1b1516001236bc0301ce094bd66f c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-13 19:12 1051136 3134226847962c8147c8083239fd960b c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-12 08:56 32768 f787290435aa9836022e2b93da275521 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 19:12 32768 78be751862115707ee7003c6941a522b c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 19:12 32768 b48c462b29773d94677e6508c28e1e0b c:\windows\SYSTEM32\ctfmon.exe

2005-06-10 19:17 75264 3b60061218898bff679c381e0a06e0a1 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 18:53 75264 44cccae1e7224076ccbf4b3fdfe386ec c:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-12 09:06 75264 0b649259f80bbd23fb4da5a985133047 c:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 19:12 75264 20e358d9f265a31684732d2350ea5865 c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 19:12 75264 350ee3c52964b5fdf9cc080afd27cf0a c:\windows\SYSTEM32\spoolsv.exe

2004-08-12 09:08 41984 bb44478fa090c8a2fef19a153ba11564 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 43520 046da73287405808541caed7379bcd51 c:\windows\ServicePackFiles\i386\userinit.exe
2009-02-03 10:19 142848 69951eed29feb5b4d5cde8cb65a1a38f c:\windows\SYSTEM32\userinit.exe
2009-02-03 10:19 142848 69951eed29feb5b4d5cde8cb65a1a38f c:\windows\SYSTEM32\DLLCACHE\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinCinema Manager.lnk - c:\program files\Sandisk\Common\Bin\WinCinemaMgr.exe [2006-12-26 303104]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-03-25 214360]

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

NETSVCS REQUIRES REPAIRS - current entries shown

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
Contents of the 'Scheduled Tasks' folder

2009-01-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-23 c:\windows\Tasks\McAfee SecurityCenter.job
- c:\progra~1\McAfee\MSC\mcshell.exe [2008-06-21 12:38]

2008-09-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2008-04-13 19:12]

2009-02-03 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(476)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(972)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\SiteAdvisor\McSACore.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\McAfee.com\Agent\mcagent.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Common Files\AOL\1147388256\ee\aolsoftware.exe
c:\program files\iTunes\iTunesHelper.exe
c:\program files\Java\jre6\bin\jusched.exe
c:\program files\HP\HP Software Update\hpwuSchd2.exe
c:\program files\Upromise\Upromise.exe
c:\program files\Upromise\UpromiseUa.exe
c:\program files\Upromise\UpromiseTray.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\McAfee\VIRUSS~1\mcvsshld.exe
c:\progra~1\McAfee\VIRUSS~1\mcvsmap.exe
c:\windows\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-02-04 10:15:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-04 15:14:38

Pre-Run: 57,162,186,752 bytes free
Post-Run: 57,233,551,360 bytes free

Sets=
199



#9
February 5, 2009 at 20:04:15
Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here:

FixPolicies

Double-click FixPolicies.exe.


Click the "Install" button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
A black box will briefly appear and then close. This will enable your Control Panel and stop the Administrative warnings, at least until the malware infection resets the registry policy keys again. You can run this as many times as you like.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\SYSTEM32\1E.tmp
c:\windows\SYSTEM32\16.tmp
c:\windows\SYSTEM32\hnsf983ind.dll
c:\windows\_id.dat
c:\windows\SYSTEM32\81.tmp
c:\windows\SYSTEM32\77.tmp

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".

Please post the log that is produced.

