Security Tool & Antivirus Pro 2009 infections [Solved]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic of your own. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

5 Pages

1 2 3 > »

Security Tool & Antivirus Pro 2009 infections [Solved]

Options

dhlavinka View Member Profile	Oct 21 2009, 09:11 PM Post #1
Member Posts: 39 From: Houston, Texas OS: Windows XP	I have a full blown McAfee security set up on my home computer. This is available thru my company so I have always used it. No problems with the computer until yesterday. Severe infections and disabled so much functionality. Determined that Security Tool and Antivirus Pro 2009 had been installed on my hard drive. Could not activate the Task Manager to stop processes. Could not access Registry Editor either. Eventually used a program called Exploere from Sysinternals Process Explorer to allow me to see my processes. Disabled the Security Tool program and then was able to delete it. While looking at other programs via the Add/Delete Programs tool noticed that Antivirus Pro 2009 had been installed as well. Deleted that as well. Tried downloading a copy of MBAM and install it. Because my home computer is so messed up - can not access Internet Explorer because it always shuts down the program immediately thereafter. So I downloaded MBAM using my work laptop. Transferred the mbam-setup file to my home workstation using a memory stick. It sets up properly but when it tries to launch it always gives an error of Unable to execute file C:\ProgramFiles......mbam.exe Create process failed; code 2 The system file cannot find the specified file. Also kept getting error that Administrator would not allow me to access Task Manager and Registry Editor when trying to launch them via the Run command. Was able to get that corrected by using the Group Policy tool. Eventually found your site and began with your standard prep work. Successfully ran TFC, SystemRestorePoint & ERUNT. When installing MBAM got to the same point as before and got the same failure message. I am at a complete loss as to where to go from here. Please advise.

chamber View Member Profile	Oct 22 2009, 02:19 AM Post #2
Trusted Helper Posts: 1,817 From: ~/ OS: Linux all the way!	Hi, Please download exeHelper to your desktop. Double-click on exeHelper.com to run the fix. A black window should pop up, press any key to close once the fix is completed. Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan) Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file). Please download ComboFix from Here or Here to your Desktop. Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop If you are using Firefox, make sure that your download settings are as follows: Tools->Options->Main tab Set to "Always ask me where to Save the files". During the download, rename Combofix to Combo-Fix as follows: It is important you rename Combofix during the download, but not after. Please do not rename Combofix to other names, but only to the one indicated. Close any open browsers. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click on this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.* ----------------------------------------------------------- Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- Double click on combo-Fix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\Combo-Fix.txt" for further review. Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall

dhlavinka View Member Profile	Oct 22 2009, 07:18 PM Post #3
Member Posts: 39 From: Houston, Texas OS: Windows XP	Thanks for your help. Downloaded exeHelper to memory stick. Copied it to desktop on my workstation. Ran once and it ran to completion. But there was an "Error deleting" one of the .dll files. I assumed that was what you indicated might happen. So I ran exeHelper one more time. The resulting .txt file from that second run is pasted below. exeHelper by Raktor Build 20091021 Run at 20:06:36 on 10/22/09 Now searching... Checking for numerical processes... Checking for bad processes... Killed process winupdate.exe Checking for bad files... Deleting file C:\WINDOWS\system32\AVR09.exe Deleting file C:\WINDOWS\system32\~.exe Deleting file C:\WINDOWS\system32\winupdate.exe Deleting file C:\WINDOWS\system32\41.exe Deleting file C:\WINDOWS\system32\winhelper.dll Deleting file C:\WINDOWS\system32\calc.dll Error deleting C:\WINDOWS\system32\calc.dll Deleting file C:\Documents and Settings\Danny\ntuser.dll Deleting file C:\Documents and Settings\Danny\Start Menu\Programs\Startup\scandisk.dll Deleting file C:\Documents and Settings\Danny\Start Menu\Programs\Startup\scandisk.lnk Checking for bad registry entries... Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc Resetting filetype association for .exe Resetting filetype association for .com Resetting userinit and shell values... Resetting policies... --Finished-- exeHelper by Raktor Build 20091021 Run at 20:08:51 on 10/22/09 Now searching... Checking for numerical processes... Checking for bad processes... Checking for bad files... Deleting file C:\WINDOWS\system32\calc.dll Error deleting C:\WINDOWS\system32\calc.dll Deleting file C:\Documents and Settings\Danny\ntuser.dll Deleting file C:\Documents and Settings\Danny\Start Menu\Programs\Startup\scandisk.dll Deleting file C:\Documents and Settings\Danny\Start Menu\Programs\Startup\scandisk.lnk Checking for bad registry entries... Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc Resetting filetype association for .exe Resetting filetype association for .com Resetting userinit and shell values... Resetting policies... --Finished-- Not sure if I should proceed with the Combofix immediately anyway....or wait for you to review this and then proceed. To avoid messing something up, I will wait for you to respond. Thanks.

chamber View Member Profile	Oct 23 2009, 12:54 AM Post #4
Trusted Helper Posts: 1,817 From: ~/ OS: Linux all the way!	Fire away with ComboFix now.

dhlavinka View Member Profile	Oct 25 2009, 12:24 PM Post #5
Member Posts: 39 From: Houston, Texas OS: Windows XP	Apologies for the delay in responding. Finally got a chance to follow up with the ComboFix. It eventually ran fully and generated the .txt file below. Will wait for your next instructions. Many thanks. ComboFix 09-10-24.06 - Danny 10/25/2009 12:57.1.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.551 [GMT -5:00] Running from: c:\documents and settings\Danny\Desktop\Combo-Fix.exe AV: McAfee VirusScan On-access scanning disabled (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Personal Firewall disabled {94894B63-8C7F-4050-BDA4-813CA00DA3E8} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Brian\ntuser.dll c:\documents and settings\Brian\Start Menu\Programs\Startup\scandisk.dll c:\documents and settings\Brian\Start Menu\Programs\Startup\scandisk.lnk c:\documents and settings\Danny\ntuser.dll c:\documents and settings\Danny\Start Menu\Programs\Startup\scandisk.dll c:\documents and settings\Danny\Start Menu\Programs\Startup\scandisk.lnk c:\documents and settings\Jill\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk c:\documents and settings\Jill\Application Data\seres.exe c:\documents and settings\Jill\Application Data\svcst.exe c:\documents and settings\Jill\ntuser.dll c:\documents and settings\Jill\Start Menu\Programs\AntivirusPro_2010 c:\documents and settings\Jill\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk c:\documents and settings\Jill\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk c:\documents and settings\Jill\Start Menu\Programs\Startup\scandisk.dll c:\documents and settings\Jill\Start Menu\Programs\Startup\scandisk.lnk c:\documents and settings\LocalService\ntuser.dll c:\documents and settings\NetworkService\ntuser.dll C:\explorer.exe c:\program files\downloadmanager\mptray.exe c:\program files\mediapipe c:\program files\mediapipe\ItBill_terms.txt c:\program files\Shared\lib.dll c:\program files\Shared\lib.sig c:\windows\kb913800.exe c:\windows\system32\_scui.cpl c:\windows\system32\berikeda.dll c:\windows\system32\bszip.dll c:\windows\system32\calc.dll c:\windows\system32\diwikewo.exe c:\windows\system32\fotuliza.dll c:\windows\system32\hujinuya.dll c:\windows\system32\mscert.dll c:\windows\system32\nemapehe.exe c:\windows\system32\ruyoneta.exe c:\windows\system32\uninstall.exe c:\windows\system32\wbem\proquota.exe c:\windows\system32\zahuzewi.dll c:\windows\system32\proquota.exe was missing Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe . ((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 ))))))))))))))))))))))))))))))) . 2009-12-26 04:06 . 2009-06-19 05:51 345384 ----a-w- c:\windows\system32\dsNcCredProv.dll 2009-12-26 04:06 . 2009-12-26 04:06 -------- d-----w- c:\program files\Juniper Networks 2009-12-26 04:06 . 2009-12-26 04:06 -------- d-----w- c:\documents and settings\Danny\Application Data\Juniper Networks 2009-12-26 04:05 . 2009-12-26 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Juniper Networks 2009-12-25 03:26 . 2009-04-09 20:23 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys 2009-12-25 03:26 . 2009-12-25 03:26 -------- d-----w- c:\program files\Common Files\McAfee 2009-12-25 03:26 . 2009-12-25 03:26 -------- d-----w- c:\program files\McAfee.com 2009-12-25 03:25 . 2009-10-22 01:41 -------- d-----w- c:\program files\McAfee 2009-10-25 18:04 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe 2009-10-25 18:04 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe 2009-10-22 02:53 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-10-22 02:53 . 2009-10-22 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-10-22 02:53 . 2009-10-22 02:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-10-22 02:53 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-10-22 02:38 . 2009-10-22 02:38 -------- d-----w- c:\program files\ERUNT 2009-10-22 00:22 . 2009-10-22 00:22 -------- d-----w- c:\documents and settings\Danny\Application Data\Malwarebytes 2009-10-20 23:09 . 2009-10-20 23:09 7680 ----a-w- C:\jyacth.exe 2009-10-20 23:09 . 2009-10-20 23:09 27136 ----a-w- C:\vyiy.exe 2009-10-20 23:09 . 2009-10-20 23:09 53248 ----a-w- C:\ldvx.exe 2009-10-17 02:58 . 2009-10-25 18:03 -------- d-----w- c:\program files\Shared . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-12-26 04:05 . 2009-12-26 04:05 45132 ------w- c:\documents and settings\Danny\Application Data\JuniperExtXP.exe 2009-12-26 02:58 . 2009-03-16 05:38 -------- d-----w- c:\program files\Steam 2009-12-25 03:29 . 2007-07-13 06:47 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee 2009-10-25 18:05 . 2005-11-22 17:32 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000003-00000000-00000003-00001102-00000004-20061102}.dat 2009-10-25 18:05 . 2005-11-22 17:32 384 ----a-w- c:\windows\system32\DVCState-{00000003-00000000-00000003-00001102-00000004-20061102}.dat 2009-10-25 18:03 . 2006-02-24 01:30 -------- d-----w- c:\program files\DownloadManager 2009-10-22 03:21 . 2007-09-08 17:52 -------- d-----w- c:\program files\Quicken Rental Property Manager 2009-10-22 03:21 . 2005-11-22 17:22 -------- d-----w- c:\program files\Modem On Hold 2009-10-22 03:21 . 2005-08-17 02:54 -------- d-----w- c:\program files\ESPNMotion 2009-10-22 03:21 . 2005-08-17 02:54 -------- d-----w- c:\program files\GemMaster 2009-10-22 03:21 . 2005-08-17 02:51 -------- d-----w- c:\program files\EnglishOtto 2009-10-22 03:21 . 2005-11-24 07:06 -------- d-----w- c:\program files\Call of Duty 2009-10-22 03:21 . 2005-12-23 05:27 -------- d-----w- c:\program files\AIM 2009-10-22 03:21 . 2005-11-22 17:22 -------- d-----w- c:\program files\Modem Helper 2009-10-22 02:32 . 2005-11-30 03:56 39864 ----a-w- c:\documents and settings\Danny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-09-16 15:22 . 2009-05-14 05:25 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2009-09-16 15:22 . 2007-07-15 00:17 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys 2009-09-16 15:22 . 2007-07-15 00:17 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys 2009-09-16 15:22 . 2007-07-15 00:17 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2009-09-16 15:22 . 2007-07-15 00:17 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys 2009-09-13 22:14 . 2006-04-02 00:50 39864 ----a-w- c:\documents and settings\Bradley\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-09-11 14:18 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-04 21:03 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-08-29 07:36 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll 2009-08-29 07:36 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll 2009-08-29 07:36 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll 2009-08-28 23:11 . 2008-09-28 00:18 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore 2009-08-28 13:52 . 2005-11-22 17:21 -------- d-----w- c:\program files\Java 2009-08-26 08:00 . 2005-08-16 10:19 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-15 04:30 . 2009-01-27 22:55 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-08-05 00:52 . 2009-08-05 00:52 1193832 ----a-w- c:\windows\system32\FM20.DLL 2009-08-04 15:13 . 2005-08-16 10:18 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe 2009-08-04 14:20 . 2004-08-04 04:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe 2009-06-15 05:02 . 2009-06-15 05:02 1374132 ----a-w- c:\program files\wrar39b3.exe 2007-11-14 23:47 . 2007-11-14 23:47 251 ----a-w- c:\program files\wt3d.ini 2006-02-24 01:30 . 2006-02-24 01:30 26922 ----a-w- c:\program files\MoviePass Terms.html 2005-12-01 06:29 . 2005-12-01 06:29 774144 ----a-w- c:\program files\RngInterstitial.dll 2009-03-22 16:48 . 2007-08-28 02:18 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll 2009-03-22 16:48 . 2007-08-28 02:18 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll 2009-03-22 16:48 . 2007-08-28 02:18 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll 2009-03-22 16:48 . 2007-08-28 02:18 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll 2009-03-22 16:48 . 2007-08-28 02:18 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll 2006-07-30 03:15 . 2005-11-24 06:24 56 --sh--r- c:\windows\system32\85728D2DE4.sys 2009-07-21 11:15 . 2009-07-21 11:15 53248 --sha-w- c:\windows\system32\bimeyonu.dll 2009-07-21 23:15 . 2009-07-21 23:15 39424 --sha-w- c:\windows\system32\gawafuda.dll 2009-07-21 11:15 . 2009-07-21 11:15 53248 --sha-w- c:\windows\system32\gitabiga.dll 2009-07-21 11:15 . 2009-07-21 11:15 39424 --sha-w- c:\windows\system32\gizapune.dll 2006-07-30 03:15 . 2005-11-24 06:24 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys 2009-07-20 23:15 . 2009-07-20 23:15 39424 --sha-w- c:\windows\system32\petiyate.dll 2009-07-20 23:15 . 2009-07-20 23:15 27136 --sha-w- c:\windows\system32\sidawafa.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39b49dbd-1e6d-4dd9-b820-87e2d628ef9c}] 2009-07-21 11:15 53248 --sha-w- c:\windows\system32\bimeyonu.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "EPSON Stylus CX5800F Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE" [2005-05-10 98304] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640] "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184] "CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344] "CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056] "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-17 180269] "EPSON Stylus CX5800F Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE" [2005-05-10 98304] "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-02-21 366400] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280] "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328] "CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2004-03-11 28672] "WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2007-11-27 364544] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2005-11-29 49254] Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-4-26 1528880] Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588] QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912] WD Backup Monitor.lnk - c:\program files\My Book\WD Backup\uBBMonitor.exe [2007-11-26 98304] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\kbdnet.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls] appsecdll REG_SZ c:\windows\system32\mscert.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\Call of Duty\\CoDMP.exe"= "c:\\WINDOWS\\system32"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\drivers\\svchost.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"= R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/24/2009 10:27 PM 210216] R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [12/4/2005 5:12 PM 2368] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 11:00 PM 24652] S2 NUZPHVWV;NUZPHVWV;\??\c:\windows\system32\nuzphvwv.job --> c:\windows\system32\nuzphvwv.job [?] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] QWAVE REG_MULTI_SZ QWAVE . Contents of the 'Scheduled Tasks' folder 2009-10-20 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34] 2009-12-25 c:\windows\Tasks\McDefragTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-25 17:22] 2009-12-25 c:\windows\Tasks\McQcTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-25 17:22] . . ------- Supplementary Scan ------- . uStart Page = hxxp://cm.my.yahoo.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = iexplore uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: {{FA4904B4-1FAF-4afd-886C-C19D2297BA62} - c:\program files\royalvegasMPP\MPPoker.exe Trusted Zone: microsoft.com\.update Trusted Zone: slb.com\gateway Trusted Zone: turbotax.com FF - ProfilePath - c:\documents and settings\Danny\Application Data\Mozilla\Firefox\Profiles\mshvsmvn.default\ FF - prefs.js: browser.startup.homepage - hxxp://musicgalore.net/ajax/ FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . - - - - ORPHANS REMOVED - - - - HKLM-Run-hijukejab - c:\windows\system32\berikeda.dll HKLM-Run-pametogude - fotuliza.dll SharedTaskScheduler-{A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file) SharedTaskScheduler-{9c1c5b35-8e47-49bb-8092-8acdf8c6757f} - c:\windows\system32\berikeda.dll SSODL-rojaludiv-{9c1c5b35-8e47-49bb-8092-8acdf8c6757f} - c:\windows\system32\berikeda.dll AddRemove-26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3 - c:\program files\WildTangent\Apps\GameChannel\Games\26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3\Uninstall.exe AddRemove-D1A6F3FD-7B40-443F-8767-BADB25A0D222 - c:\program files\WildTangent\Apps\GameChannel\Games\D1A6F3FD-7B40-443F-8767-BADB25A0D222\Uninstall.exe AddRemove-Dell Game Console - c:\program files\WildTangent\Apps\Dell Game Console\Uninstall.exe AddRemove-Pyramid Song Screen Saver - c:\windows\system32\uninstall.exe *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-10-25 13:07 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NUZPHVWV] "ImagePath"="\??\c:\windows\system32\nuzphvwv.job" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3984) c:\windows\system32\WININET.dll c:\program files\McAfee\SiteAdvisor\saHook.dll c:\windows\system32\ieframe.dll c:\windows\system32\mshtml.dll c:\windows\IME\SPGRMR.DLL c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL c:\windows\system32\WPDShServiceObj.dll c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\CTsvcCDA.EXE c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\program files\Juniper Networks\Common Files\dsNcService.exe c:\windows\eHome\ehRecvr.exe c:\windows\eHome\ehSched.exe c:\program files\Java\jre6\bin\jqs.exe c:\progra~1\McAfee\MSC\mcmscsvc.exe c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe c:\progra~1\McAfee\VIRUSS~1\mcshield.exe c:\program files\McAfee\MPF\MPFSrv.exe c:\windows\system32\nvsvc32.exe c:\windows\ehome\RMSvc.exe c:\program files\Dell Support Center\bin\sprtsvc.exe c:\program files\Windows Media Player\wmpnetwk.exe c:\windows\ehome\McrdSvc.exe c:\windows\system32\dllhost.exe c:\progra~1\mcafee.com\agent\mcagent.exe c:\windows\system32\wscntfy.exe c:\combo-fix\CF3748.exe c:\windows\eHome\ehmsas.exe c:\windows\system32\RUNDLL32.EXE c:\program files\iPod\bin\iPodService.exe c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe c:\combo-fix\PEV.cfxxe . ************************************************************************ . Completion time: 2009-10-25 13:16 - machine was rebooted ComboFix-quarantined-files.txt 2009-10-25 18:16 Pre-Run: 72,215,584,768 bytes free Post-Run: 72,407,621,632 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect - - End Of File - - 6B61FA6CF204FCE0232EACD4099A97C6

chamber View Member Profile	Oct 25 2009, 04:43 PM Post #6
Trusted Helper Posts: 1,817 From: ~/ OS: Linux all the way!	Hi, Lets carry on then. 1) CFScript 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 3. Open notepad and copy/paste the text in the quotebox below into it: QUOTE File:: C:\jyacth.exe C:\vyiy.exe C:\ldvx.exe c:\windows\system32\sidawafa.exe c:\windows\system32\petiyate.dll c:\windows\system32\gizapune.dll c:\windows\system32\gitabiga.dll c:\windows\system32\gawafuda.dll c:\windows\system32\bimeyonu.dll c:\windows\system32\nuzphvwv.job Folder:: Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39b49dbd-1e6d-4dd9-b820-87e2d628ef9c}] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"="" Driver:: NUZPHVWV KillAll:: Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. 2) Malwarebytes Please download Malwarebytes' Anti-Malware from Here. Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly. 3) OTL Download OTL to your desktop. Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted. When the window appears, underneath Output at the top change it to Minimal Output. Check the boxes beside LOP Check and Purity Check. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long. When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL. Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in. In your reply I would like to see copied and pasted, 1) ComboFix logs 2) Malwarebytes log 3) OTL logs

dhlavinka View Member Profile	Oct 25 2009, 09:27 PM Post #7
Member Posts: 39 From: Houston, Texas OS: Windows XP	Appreciate the quick response. I appear to have a problem though. I downloaded the CFScript file. Disabled my McAfee fully. Dragged the script .txt file to Combo-Fix as you said and it opened the window indicating the "ComboFix is preparint to run". Then realized that I had disconnected my ethernet cord from my router. Wasn't sure if it needed to be connected for this procedure or not....so I connected it. After that my McAfee began downloading updates automatically. Then it completed that process. Then I remembered that when the ComboFix runs you said it disconnects internet sessions first. Perhaps I messed things up by connecting the ethernet cord AFTER ComboFix had begun. Now, even though I did not clidk on the ComboFix window...it appears to have stalled. Recommendations?

chamber View Member Profile	Oct 26 2009, 01:37 AM Post #8
Trusted Helper Posts: 1,817 From: ~/ OS: Linux all the way!	Is it still stalled. Try restarting your computer and then running the CFScript again.

chamber View Member Profile	Oct 26 2009, 08:05 AM Post #10
Trusted Helper Posts: 1,817 From: ~/ OS: Linux all the way!	Hi, 1) OTL Run OTL Under the Custom Scans/Fixes box at the bottom, paste in the following CODE :OTL :Services :Reg [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\system32\drivers\svchost.exe" =- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%windir%\system32\drivers\svchost.exe" =- :Files :Commands [purity] [emptytemp] [Reboot] Then click the Run Fix button at the top Let the program run unhindered, reboot the PC when it is done 2) JavaRa Please download JavaRa to your desktop and unzip it to its own folder Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions. Accept any prompts. Open JavaRa.exe again and select Search For Updates. Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer. 3) Kaspersky Using Internet Explorer or Firefox, visit Kaspersky Online Scanner 1. Click Accept, when prompted to download and install the program files and database of malware definitions. 2. To optimize scanning time and produce a more sensible report for review: Close any open programs Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs. 3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take quite a long time to download. Once the update is complete, click on Settings. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, adware, dialers, and other riskware Archives E-mail databases Click on My Computer under the green Scan bar to the left to start the scan. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined. Click View report... at the bottom. Click the Save report... button. Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply In your reply I would like to see copied and pasted, 1) OTL log 2) Kaspersky scan

dhlavinka View Member Profile	Oct 26 2009, 06:34 PM Post #11
Member Posts: 39 From: Houston, Texas OS: Windows XP	To be clear....do I need to disable my McAfee items again before conducting any of your latest requests?

chamber View Member Profile	Oct 27 2009, 01:39 AM Post #12
Trusted Helper Posts: 1,817 From: ~/ OS: Linux all the way!	No, You can just go ahead.

dhlavinka View Member Profile	Oct 27 2009, 05:24 AM Post #13
Member Posts: 39 From: Houston, Texas OS: Windows XP	Good morning. Hope all is well on your end of the world. Finally got to read thru some other parts of the website and I see you are from Ireland. Appreciate yoru time. After signing on I gave my McAfee a few minutes to search for updates. It updated and I rebooted. I signed in again and tried to proceed without disabling my McAfee. As I am looking at my my Windows Explorer window suddenly my OTL icon on my desktop and the appllication on my memory stick disappear. McAfee notifies me that it has removed a Trojan from my computer called Artemis.....something. I downloaded another copy of OTL from my laptop to my memory stick (from the same link you advised earlier), moved the memory stick to my workstation and McAfee deleted it again citing the same Trojan file Artemis had been removed. Tried this all one time again with the same results. I know I had my McAfee enabled at some point previously and it did not delete the OTL application. I am confused.

chamber View Member Profile	Oct 27 2009, 05:25 AM Post #14
Trusted Helper Posts: 1,817 From: ~/ OS: Linux all the way!	Ok, Go ahead and disable McAfee and then run through the steps.

dhlavinka View Member Profile	Oct 27 2009, 07:28 AM Post #15
Member Posts: 39 From: Houston, Texas OS: Windows XP	OTL scan log attached below. Kaspersky scan currently running. Only 3% completed after 12 minutes. I need to head to the office. Will attach the Kaspersky report later today after the scan completes. Thanks All processes killed ========== OTL ========== ========== SERVICES/DRIVERS ========== ========== REGISTRY ========== Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\drivers\svchost.exe deleted successfully. Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\drivers\svchost.exe deleted successfully. ========== FILES ========== ========== COMMANDS ========== [EMPTYTEMP] User: Administrator ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: All Users User: Bradley ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes ->Java cache emptied: 0 bytes ->FireFox cache emptied: 0 bytes User: Brett ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes ->Java cache emptied: 0 bytes ->FireFox cache emptied: 0 bytes User: Brian ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 67 bytes ->Java cache emptied: 0 bytes User: Danny ->Temp folder emptied: 1789 bytes File delete failed. C:\Documents and Settings\Danny\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot. ->Temporary Internet Files folder emptied: 3353053 bytes ->Java cache emptied: 0 bytes ->FireFox cache emptied: 0 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Jill ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 67 bytes ->Java cache emptied: 0 bytes User: LocalService ->Temp folder emptied: 0 bytes File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot. ->Temporary Internet Files folder emptied: 557300 bytes User: NetworkService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes File delete failed. C:\WINDOWS\temp\mcmsc_8XyAdlcWUpCeujJ scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\mcmsc_fuZqPt6mBiq3Rff scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\mcmsc_vOTGyhe4p8mdGbO scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_734.dat scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_b04.dat scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\sqlite_PJSTQxTuz30hTl7 scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\sqlite_VuGGMUdfH5yFMBD scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\sqlite_wWNMgniZyu3POAE scheduled to be deleted on reboot. Windows Temp folder emptied: 35480 bytes RecycleBin emptied: 175006 bytes Total Files Cleaned = 3.93 mb OTL by OldTimer - Version 3.0.22.1 log created on 10272009_071902 Files\Folders moved on Reboot... File\Folder C:\WINDOWS\temp\mcmsc_8XyAdlcWUpCeujJ not found! File\Folder C:\WINDOWS\temp\mcmsc_fuZqPt6mBiq3Rff not found! File\Folder C:\WINDOWS\temp\mcmsc_vOTGyhe4p8mdGbO not found! File\Folder C:\WINDOWS\temp\Perflib_Perfdata_734.dat not found! File\Folder C:\WINDOWS\temp\Perflib_Perfdata_b04.dat not found! C:\WINDOWS\temp\sqlite_PJSTQxTuz30hTl7 moved successfully. C:\WINDOWS\temp\sqlite_VuGGMUdfH5yFMBD moved successfully. C:\WINDOWS\temp\sqlite_wWNMgniZyu3POAE moved successfully. Registry entries deleted on Reboot...

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

5 Pages

1 2 3 > »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal Help - Fake Windows Security Center & Spyware Guard 2009 [Solved] 123	30 / 1,081	11th February 2009 - 06:36 PM dpanone started - last by SpySentinel
Virus, Spyware and Trojan Removal Google Redirect / AntiVirus Pro 2009 [Solved]	13 / 216	15th August 2009 - 05:55 AM Mr. Doo started - last by kahdah
Virus, Spyware and Trojan Removal stubborn antivirus pro 2009 [Solved]	12 / 215	21st October 2009 - 04:38 AM RoBSTaR started - last by Rorschach112
Hardware, Components and Peripherals No sound after Security Tool & Antivirus Pro 2010 infection	13 / 194	10th November 2009 - 07:46 AM dhlavinka started - last by happyrock