Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

But I can't run HijackThis!?! [RESOLVED]


  • This topic is locked This topic is locked

#31
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
David,

I hate to give up on anything but as a "quick fix" that may be the best option for the work computer.

But hold off for a little while, and see if you can delete those same files and folders on your Original Computer.

Let me know how it goes.
  • 0

Advertisements


#32
d_Oregon

d_Oregon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Okay, I did as you suggested on the laptop. After booting into Safe Mode,

I ran: sc delete srosa

I found and deleted
C:\WINDOWS\system32\drivers\downld

I did not find:

C:\autorun.inf
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe

I did find and delete:

C:\WINDOWS\system32\drivers\mdelk.exe

Then I ran DSS (first pointing it to HiJackThis.exe, which I could now install). Here is the log:

Deckard's System Scanner v20071014.68
Run by Mr. Admin on 2008-04-11 19:51:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 6.11 GiB (less than 15%) free.


-- HijackThis (run as Mr. Admin.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:08 PM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system\wcdvtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Documents and Settings\Mr. Admin\Desktop\dss.exe
C:\DOCUME~1\MR8AF5~1.ADM\Desktop\Mr. Admin.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = htp://www.law.uoregon.edu/students/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - C:\Program Files\Power Translator 11\Applications\LEC IE Translation Extension.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [OWCWebCamDV] C:\WINDOWS\system\wcdvtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Qwest QuickNetworking.lnk = C:\Program Files\QwestQuickNetworking\WebWorks.exe
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SysTray.lnk = ?
O8 - Extra context menu item: Add to &Teleport - C:\Program Files\Teleport Pro\teleport.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Program Files\Power Translator 11\LogoMedia TranslateDotNet Server.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 8063 bytes

-- Files created between 2008-03-11 and 2008-04-11 -----------------------------

2008-04-11 19:49:32 0 d-------- C:\WINDOWS\system32\drivers\downld
2008-04-11 17:25:10 0 d-------- C:\Program Files\2Wire Wireless
2008-04-11 16:41:04 0 d-------- C:\Program Files\QwestQuickNetworking
2008-04-11 16:09:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Support.com
2008-04-10 20:45:10 11254 --a------ C:\WINDOWS\system32\locate.com
2008-04-10 20:43:35 0 d-------- C:\ISeeYouXP
2008-04-10 16:35:29 0 drahs---- C:\autorun.inf
2008-04-10 14:14:33 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-04-10 10:55:25 0 d-------- C:\New Folder
2008-04-10 10:06:32 68096 --a------ C:\WINDOWS\zip.exe
2008-04-10 10:06:32 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-10 10:06:32 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-10 10:06:32 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-10 10:06:32 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-10 10:06:32 98816 --a------ C:\WINDOWS\sed.exe
2008-04-10 10:06:32 80412 --a------ C:\WINDOWS\grep.exe
2008-04-10 10:06:32 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-10 09:16:47 0 dr-hs---- C:\cmdcons
2008-04-10 09:01:08 0 d-------- C:\WINDOWS\setup.pss
2008-04-09 09:19:01 0 d-------- C:\Program Files\Trend Micro
2008-04-08 16:34:09 0 d-------- C:\Documents and Settings\Mr. Admin\.housecall6.6
2008-04-08 13:57:54 0 d-------- C:\Program Files\TimeLine Maker
2008-04-08 11:34:48 0 d-------- C:\Documents and Settings\Mr. Admin\System
2008-04-08 11:34:48 0 d-------- C:\Documents and Settings\Mr. Admin\Application Data\SmartDraw
2008-04-08 11:25:30 0 d-------- C:\Program Files\SmartDraw 2008
2008-04-08 11:17:56 0 d-------- C:\Documents and Settings\Mr. Admin\Application Data\Progeny
2008-04-08 11:00:26 20569 --a------ C:\WINDOWS\system32\pxc25pm.dll <Not Verified; Tracker Software; PDF-XChange Port Monitor>
2008-04-08 11:00:17 0 d-------- C:\Program Files\Common Files\Progeny
2008-04-08 10:58:23 952 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-04-08 10:58:23 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\16D83DFFEA.sys
2008-04-05 16:03:31 0 d-------- C:\Program Files\iPod
2008-04-05 16:02:51 0 d-------- C:\Program Files\iTunes
2008-03-30 14:13:57 0 d-------- C:\Program Files\Smead Viewables
2008-03-29 07:57:33 0 d-------- C:\Documents and Settings\Mr. Admin\Application Data\HP
2008-03-29 07:24:38 117655 --a------ C:\WINDOWS\hpoins11.dat
2008-03-29 06:38:51 0 d-------- C:\Documents and Settings\LocalService\Application Data\Kinko's
2008-03-22 11:57:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-22 08:38:01 6144 --a------ C:\WINDOWS\system32\DVKSPA01.dll <Not Verified; David C. Olsson; Created by MSKLC 1.4>
2008-03-22 08:14:51 6144 --a------ C:\WINDOWS\system32\DVKSWE01.dll <Not Verified; David C. Olsson; Created by MSKLC 1.4>
2008-03-22 07:54:48 0 d-------- C:\Program Files\Microsoft Keyboard Layout Creator 1.4
2008-03-20 15:23:39 0 d-------- C:\Program Files\CandleWorks
2008-03-20 13:37:17 0 d-------- C:\Program Files\Gecko Software
2008-03-20 13:37:17 0 d-------- C:\Documents and Settings\All Users\Application Data\TNT-HF
2008-03-18 08:15:34 38160 --a------ C:\WINDOWS\system32\LMRTREND.dll <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-03-18 08:15:26 182032 --a------ C:\WINDOWS\system32\dxtmsft3.dll <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-03-18 08:15:16 63488 --a------ C:\WINDOWS\system32\unam4ie.exe <Not Verified; Microsoft Corporation; DirectShow>
2008-03-18 08:15:08 10240 --a------ C:\WINDOWS\system32\vidx16.dll
2008-03-18 08:15:07 194320 --a------ C:\WINDOWS\system32\qcut.dll <Not Verified; Microsoft Corporation; DirectShow>
2008-03-18 08:15:02 4608 --a------ C:\WINDOWS\system32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-03-18 08:15:02 2272 --a------ C:\WINDOWS\system32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-03-18 07:34:27 0 d-------- C:\Program Files\Auralog
2008-03-15 13:44:36 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-15 08:08:25 0 d-------- C:\Program Files\Power Translator 11
2008-03-14 21:18:45 0 d-------- C:\Program Files\Power Translator 11 Professional Multilanguage
2008-03-14 13:18:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Transparent


-- Find3M Report ---------------------------------------------------------------

2008-04-11 17:25:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-11 15:29:57 0 d-------- C:\Program Files\Systran
2008-04-10 17:20:00 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-10 17:19:54 0 d-------- C:\Program Files\Lavasoft
2008-04-10 14:01:59 0 d-------- C:\Documents and Settings\Mr. Admin\Application Data\SUPERAntiSpyware.com
2008-04-10 14:01:12 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-08 13:57:43 0 d-------- C:\Program Files\TLKGAMES
2008-04-08 11:00:17 0 d-------- C:\Program Files\Common Files
2008-04-06 12:26:22 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-05 15:59:30 0 d-------- C:\Program Files\QuickTime
2008-03-29 07:45:52 0 d-------- C:\Program Files\HP
2008-03-22 11:53:57 0 d-------- C:\Documents and Settings\Mr. Admin\Application Data\Lavasoft
2008-03-16 09:18:59 1 --a------ C:\Documents and Settings\Mr. Admin\Application Data\FrontEndCD.ini
2008-03-15 13:44:24 0 d-------- C:\Program Files\Common Files\Real
2008-03-15 13:26:55 0 d-------- C:\Program Files\TeLLmeMore
2008-03-14 13:18:24 0 d-------- C:\Program Files\Transparent
2008-03-02 10:54:17 0 d-------- C:\Program Files\thriXXX
2008-02-22 16:54:42 0 d-------- C:\Documents and Settings\Mr. Admin\Application Data\Adobe
2008-02-21 16:25:16 0 d-------- C:\Program Files\Bonjour
2008-02-21 16:20:10 0 d-------- C:\Program Files\Common Files\Apple
2008-01-20 20:57:26 50 --a------ C:\WINDOWS\mscpt.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [02/02/2004 01:32 PM]
"Logitech Utility"="Logi_MwX.Exe" [06/30/2003 02:50 AM C:\WINDOWS\LOGI_MWX.EXE]
"AtiPTA"="atiptaxx.exe" [11/30/2004 06:10 PM C:\WINDOWS\SYSTEM32\atiptaxx.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [06/25/2004 05:32 PM]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [08/27/2003 02:20 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/19/2006 02:41 AM]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [11/28/2005 02:02 PM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [11/28/2005 02:02 PM]
"OWCWebCamDV"="C:\WINDOWS\system\wcdvtray.exe" [05/20/2004 09:59 AM]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 01:50 PM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [04/10/2008 04:48 PM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [04/10/2008 04:48 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"PRISMSVR.EXE"="C:\WINDOWS\system32\PRISMSVR.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [05/26/2006 02:01 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]

C:\Documents and Settings\Mr. Admin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [10/4/2004 1:12:18 AM]
DESKTOP.INI [3/20/2004 10:58:38 AM]
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 1:04:08 PM]
Qwest QuickNetworking.lnk - C:\Program Files\QwestQuickNetworking\WebWorks.exe [4/11/2008 4:41:16 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
2Wire Wireless Client Manager.lnk - C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE [4/11/2008 5:25:12 PM]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [10/4/2004 1:12:18 AM]
DESKTOP.INI [3/20/2004 10:58:38 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2/19/2006 4:21:22 AM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [12/17/2002 5:23:32 PM]
SysTray.lnk - C:\WINDOWS\Installer\{8F156C85-23F2-4F13-89A6-B0B286D1B4CD}\NewShortcut1_5221CCAB553E4E63B6FD56674A376D04_1.exe [10/13/2005 11:51:23 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{35B2861B-2B26-4691-9FF0-09083722C736}"= C:\WINDOWS\system32\RadExe.dll [02/02/2005 05:58 AM 212992]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-04-11 19:52:35 ------------



I think that mdelk may have been something bad--it had an icon of evil-looking crossed swords.

I am going to post this, then give you the results of a an online scan I ran on the workPC, in a separate post.

Thanks,
D
  • 0

#33
d_Oregon

d_Oregon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
I ran an online scan on the work computer, available at www.eset.eu. I found that recommended in another thread working with bagle-f. I can't cut and paste or otherwise copy the result, but in a nutshell, it says:

Win32/Bagle.OF worm (error while cleaning ...)
C:\QooBox\Quarantine\catchme2008-04-10_192126.40.zip ... srosa.sys

Then a coupe other references to same file, one indicating that it WAS deleted

Finally, Eicar test file (unable to clean - deleted)
C:\Documents and Settings\David Olsson\Local Settings\Temp\Av-test.txt

I don't know if this summary of the scan will help. I still have the results on my monitor, if you need more info, though I tried to include everything that seemed relevant.

D

PS: I now have internet on both machines, though the laptops wireless card appears dead; both are on ethernet at present. The work PC lags a LONG time before finally loading each page. But the online scan ran at a fast pace.

PPS: Now the online scan log has reset itself, so I cannot report further results. But the good news is that now I have the option to view system folders, so I'll try the file deletions you suggested earlier. Again, that's on the workPC; I've already done them on the laptop.

Edited by d_Oregon, 11 April 2008 - 09:15 PM.

  • 0

#34
d_Oregon

d_Oregon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Sheesh, I don't get it. I still don't have a WINDOWS\system32\drivers folder on the Work PC. I also did a search for mdelk and found it only in C:\QooBox\Quarantine\C\WINDOWS\system\drivers.

HHEEEYYY...Wait a second. That path looks a little suspicious to me, given that I can't find C:\WINDOWS\system\drivers. If I look in that folder, it contains hldrr.exe.vir, mdelk.exe.vir and srosa.sys.vir. What do you know. But it doesn't help solve the mystery of the missing drivers folder.

Okay, that's where my blundering around comes to an end. I'll be waiting for further instructions.

D

Edited by d_Oregon, 11 April 2008 - 09:27 PM.

  • 0

#35
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Could you run Combo-Fix again on the Work Computer with the missing drivers folder.
  • 0

#36
d_Oregon

d_Oregon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Okay. This has happened repeatedly: When ComboFix reboots the machine, the Windows Installer runs and I get prompted to put the Dell Resource CD in the drive. Fortunately, I have one, because the process won't continue untill I do. When I do, I get several warnings from Comodo that its processes are off. Then, after PC looks at the resource CD, it reports: "Warning 1909. Could not create shortcut Dell Resource CD.lnk. Verify that the destination folder exists and that you can access it." I click OK and, after machine says its "configuring Dell Resource CD," it passes control back to ComboFix which prepares the Log Report.

Here it is:

ComboFix 08-04-10.7 - David Olsson 2008-04-11 21:18:39.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.588 [GMT -7:00]
Running from: C:\Documents and Settings\David Olsson\Desktop\Combo-Fix.exe
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\drivers\mdelk.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CATCHME
-------\Legacy_DARKSPY
-------\Legacy_F6CB5
-------\Legacy_SROSA
-------\Service_catchme
-------\Service_DarkSpy
-------\Service_f6cB5
-------\Service_srosa
-------\Legacy_CATCHME
-------\Service_catchme


((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.

2008-04-11 18:48 . 2008-04-11 18:50 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-04-11 15:34 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-11 15:33 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-11 15:33 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-11 15:33 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-11 15:33 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-11 13:02 . 2008-04-11 13:02 <DIR> d-------- C:\WINDOWS\system32\vmm32
2008-04-10 19:33 . 2008-04-10 19:33 <DIR> d-------- C:\Deckard
2008-04-10 17:44 . 2008-04-10 17:44 <DIR> d-------- C:\WINDOWS\system32\drivers\downld
2008-04-08 08:25 . 2008-04-08 08:25 <DIR> d-------- C:\Documents and Settings\David Olsson\Application Data\Runaware
2008-04-08 08:25 . 2008-04-08 08:25 <DIR> d-------- C:\Documents and Settings\David Olsson\Application Data\ICAClient
2008-03-27 14:07 . 2008-03-27 14:08 96,577 --a------ C:\WINDOWS\hpqins16.dat
2008-03-27 10:15 . 2008-03-27 11:49 <DIR> d-------- C:\Documents and Settings\David Olsson\Application Data\Download Manager
2008-03-26 15:04 . 2008-03-26 15:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-26 15:04 . 2008-03-26 15:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-26 11:29 . 2008-03-26 11:29 <DIR> d-------- C:\Program Files\Common Files\Vbox
2008-03-26 11:28 . 2003-11-11 19:55 9,856 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-03-26 11:15 . 2008-03-26 11:16 <DIR> d-------- C:\Program Files\Astonsoft
2008-03-26 11:15 . 2008-03-26 11:16 <DIR> d-------- C:\Documents and Settings\David Olsson\Application Data\DeepBurner
2008-03-24 16:06 . 2008-03-24 16:07 <DIR> d-------- C:\Program Files\Common Files\HP
2008-03-24 16:04 . 2008-03-24 16:05 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-03-24 16:03 . 2004-10-01 08:01 139,345 --a------ C:\WINDOWS\system32\hpzlnt12.dll
2008-03-24 16:02 . 2008-03-24 16:02 687 --a------ C:\WINDOWS\hpntwksetup.ini
2008-03-24 15:53 . 2008-03-24 16:09 68,937 --a------ C:\WINDOWS\hpoins05.dat
2008-03-24 15:53 . 2004-12-15 00:39 19,696 --------- C:\WINDOWS\hpomdl05.dat
2008-03-24 14:17 . 2007-03-10 10:11 2,680,320 --a------ C:\WINDOWS\system32\ImageEnXlibrary.ocx
2008-03-24 13:41 . 2008-03-24 15:52 <DIR> d-------- C:\TEMP\HP_WebRelease

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 04:25 --------- d-----w C:\Program Files\Password Safe
2008-04-12 04:25 --------- d-----w C:\Program Files\IDrive
2008-04-11 16:33 --------- d-----w C:\Program Files\Dell
2008-04-11 01:15 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-09 16:56 --------- d-----w C:\Program Files\Hijack This
2008-03-27 22:30 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-27 21:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-24 23:05 --------- d-----w C:\Program Files\HP
2008-03-17 20:00 --------- d-----w C:\Program Files\pdf995
2008-03-17 19:42 --------- d-----w C:\Program Files\Timeslips by Sage 2007 Trial Version
2008-03-09 19:02 --------- d-----w C:\Program Files\Java
2008-03-04 19:47 --------- d-----w C:\Program Files\Intuit
2008-01-17 20:09 1,788 ----a-w C:\WINDOWS\Fonts\HVCDO___.PFM
2008-01-17 20:09 1,780 ----a-w C:\WINDOWS\Fonts\HVC_____.PFM
2007-10-07 20:19 34,368 ----a-w C:\Program Files\MCj04244600000[1].wmf
2006-10-07 01:27 8 --sha-r C:\WINDOWS\system32\D2178F15B2.sys
2006-10-21 03:08 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_19.26.11.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 20:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-04-10\ERDNT.EXE
+ 2008-04-11 02:22:37 5,025,792 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-04-10\Users\00000001\NTUSER.DAT
+ 2008-04-11 02:22:38 188,416 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-04-10\Users\00000002\UsrClass.dat
+ 2005-10-20 20:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-04-11\ERDNT.EXE
+ 2008-04-11 20:00:10 5,058,560 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-04-11\Users\00000001\NTUSER.DAT
+ 2008-04-11 20:00:11 188,416 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-04-11\Users\00000002\UsrClass.dat
+ 2005-10-20 20:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\4-11-2008\ERDNT.EXE
+ 2008-04-11 16:10:50 5,058,560 ----a-w C:\WINDOWS\ERDNT\AutoBackup\4-11-2008\Users\00000001\NTUSER.DAT
+ 2008-04-11 16:10:51 188,416 ----a-w C:\WINDOWS\ERDNT\AutoBackup\4-11-2008\Users\00000002\UsrClass.dat
- 2007-05-18 20:04:11 45,056 ----a-r C:\WINDOWS\Installer\{FCD9CD52-7222-4672-94A0-A722BA702FD0}\NewShortcut1.EXE
+ 2008-04-11 20:02:05 45,056 ----a-r C:\WINDOWS\Installer\{FCD9CD52-7222-4672-94A0-A722BA702FD0}\NewShortcut1.EXE
- 2005-05-26 12:16:24 75,544 ----a-w C:\WINDOWS\system32\cdm.dll
+ 2007-07-31 02:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
- 2005-05-26 12:16:24 75,544 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2007-07-31 02:19:20 92,504 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
- 2005-05-26 12:16:30 465,176 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
+ 2007-07-31 02:19:36 549,720 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
- 2005-05-26 12:16:30 124,184 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
+ 2007-07-31 02:19:16 53,080 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
- 2005-05-26 12:16:30 1,343,768 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2007-07-31 02:19:42 1,712,984 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
- 2005-05-26 12:16:30 127,256 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
+ 2007-07-31 02:19:32 325,976 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
- 2005-05-26 09:16:30 41,240 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2007-07-31 02:18:40 33,624 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
- 2005-05-26 12:19:32 173,536 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2007-07-31 02:19:28 203,096 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2007-07-27 21:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 21:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 02:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 19:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
- 2005-05-26 12:16:24 127,208 ----a-w C:\WINDOWS\system32\mucltui.dll
+ 2007-07-31 02:19:10 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
- 2005-05-26 12:19:32 178,408 ----a-w C:\WINDOWS\system32\muweb.dll
+ 2007-07-31 02:19:04 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
+ 2008-02-11 16:39:26 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2008-02-11 16:39:18 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2008-02-08 20:53:46 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2008-02-05 15:48:04 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
+ 2007-07-31 02:18:40 33,624 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll
+ 2007-07-31 02:19:12 43,352 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.381\wups2.dll
+ 2004-12-07 17:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
- 2005-05-26 12:16:30 465,176 ----a-w C:\WINDOWS\system32\wuapi.dll
+ 2007-07-31 02:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
- 2005-05-26 12:16:30 124,184 ----a-w C:\WINDOWS\system32\wuauclt.exe
+ 2007-07-31 02:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
- 2005-05-26 12:16:30 1,343,768 ----a-w C:\WINDOWS\system32\wuaueng.dll
+ 2007-07-31 02:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
- 2005-05-26 12:16:30 127,256 ----a-w C:\WINDOWS\system32\wucltui.dll
+ 2007-07-31 02:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
- 2005-05-26 09:16:30 41,240 ----a-w C:\WINDOWS\system32\wups.dll
+ 2007-07-31 02:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
- 2005-05-26 09:16:30 18,200 ----a-w C:\WINDOWS\system32\wups2.dll
+ 2007-07-31 02:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
- 2005-05-26 12:19:32 173,536 ----a-w C:\WINDOWS\system32\wuweb.dll
+ 2007-07-31 02:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 19:29 389120]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2006-05-26 02:01 688128]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"IDriveE Startup"="C:\Program Files\IDrive\IDrvieEStartup.exe" [2007-11-29 18:02 194000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 03:12 98304]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20 122940]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2008-04-10 19:08 81990]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2008-04-10 19:08 135224]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-07 06:53 185784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 07:38 282624 C:\WINDOWS\stsystra.exe]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 10:19 15872]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 15:02 988701]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 15:02 118784]
"Comodo Firewall"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-02-07 10:24 1115728]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-14 15:03 155648]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 01:12:18 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-09-28 12:22 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2006-10-19 10:12 258048 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
R2 IDriveE Service;IDriveE Service;"C:\Program Files\IDrive\IDriveE Service.exe" [2007-12-19 15:41]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]
R2 TSScheduleBackup;TimeslipsBackup;C:\WINDOWS\system32\TSSchBkpService.exe [2006-02-02 16:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08cde423-53d9-11db-8655-806d6172696f}]
\Shell\AutoRun\command - D:\autoRcd.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 17:00:00 C:\WINDOWS\Tasks\ABF OB backup.job"
- C:\Program Files\ABF Outlook Backup\abfOutlookBackup.exe|b
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 21:25:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
C:\Program Files\Password Safe\pwsafe.exe
C:\Program Files\IDrive\IDriveETray.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\IDrive\IDriveEBackground.exe
C:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\update\update.exe
.
**************************************************************************
.
Completion time: 2008-04-11 21:32:20 - machine was rebooted [David Olsson]
ComboFix-quarantined-files.txt 2008-04-12 04:32:13
ComboFix2.txt 2008-04-11 02:32:18
Pre-Run: 44,533,465,088 bytes free
Post-Run: 44,354,404,352 bytes free


So, I don't know whether the drivers folder is really gone or just can't be found. One thought I had is that I could restore it from a backup. I have one from March 28 and I did very little on the computer after that time, as I was working out of town most of the time.

Anyway, tell me what you think I should do next.

D

Edited by d_Oregon, 11 April 2008 - 10:40 PM.

  • 0

#37
d_Oregon

d_Oregon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Okay, I'm going to bed. My machines are both bogged down with Windows Updates. The workPC is installing 37 updates!

BTW, my Acronis TrueImage backup does not find any hard drives when I try to restore from a boot disk. I've found nothing useful on the Internet. So it looks like I will not be restoring from a backup. I always wondered how it would go if I ever had to do one. Now I know: It goes badly.
  • 0

#38
d_Oregon

d_Oregon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Okay, I'm up again. And I see that RatHat is online, too. I hope we're making some progress...

One thought: I have ERUNT on both machines, so we could restore the registry from an earlier date. It seems like the hidden system folders relates to a registry entry, so we could maybe get to them again. But, because we can already do that on the laptop, I don't know how helpful that would be. I just want to give you as much useful info as possible.

BTW, the ethernet on the laptop is down again. It seems okay on the workPC, though there is something wrong with IE. My home page opens VERY slowly.

Edited by d_Oregon, 12 April 2008 - 06:48 AM.

  • 0

#39
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Good morning David, had some things to take care of here, but now have time to get back with you.

Now on the machine that has an internet connection, lets download and run DrWebCureIt.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.

Regards,
RatHat
  • 0

#40
d_Oregon

d_Oregon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
RatHat,
I have to suspend work on the workPC for now. I am trying again to do a restore of the disk image. I'll let you know whether or not I succeed.

I also have to leave for a couple of hours. Will check this thread when I return.

D
  • 0

Advertisements


#41
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
OK David, I will be around for most of the weekend, so will be able to check in often
  • 0

#42
d_Oregon

d_Oregon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
RatHat,
By updating my version of Acronis True Image, I was able to get the machine to recognize the external drive with my archive on it. I have now done a restore of my C drive on the work PC. Then I restored data files from a daily backup.

I think I am going to do the same thing with my laptop, although my last full backup is from January. But it's a quick, easy and thorough means of cleaning up the system.

Thank you for all you efforts. I am sorry we could not get this cleaned up quicker and easier, but it was not for a lack of effort on your part. I really appreciate your help.

One last question. What apps would you recommend for future protection. I have McAfee Virus Scan Enterprise 7.1.0, free versions of AVG Anti-Spyware and SuperAntiSpyware. I just purchased and installed Webroot SpySweeper, which gets very favorable reviews. And I am running Comodo Firewall Pro. I have done updates to all of them and am currently running full scans on the work PC.

Does that collection sound about right?

Thanks again for your help and please don't close this thread yet. I'll post again when I have successfully completed the restore of the laptop.

D

PS: What's the best way to identify those files on the laptop that have been created in the last 90 days? I know one of these scans does that. Then I can see what files will not be in my backup archive.

Edited by d_Oregon, 12 April 2008 - 05:10 PM.

  • 0

#43
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
David,

I really hope that by restoring your computers to a previous state that you get past this bagle worm's effects. It is one of the nastiest pieces of malware around at the moment, and has a tendancy to create "zombie" computers if not cleaned quickly.

This version of bagle has a hidden "dropper" that re-spawns the main bagle files and drivers, even after they have been deleted, which is why it is so hard to remove.

I would advise running DrWebCureIt on both computers as soon as you have restored them, also running DSS, and posting me the logs so I can check that you do not have any remnants.

OK, with the programs you have, you should be well protected. Ensure you only ever have one AntiVirus, and one Firewall running. If you have more, you will have conflicts and a slowed system due to the amount of resources required.

With AntiSpyware program, you can have several, but should only allow one to give you real time protection. SuperAntiSpyware, or SpySweeper will do this. Some other good AntiSpyware / Adware programs, and a few other good programs, are as follows:

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. A tutorial can be found here.
  • Spybot Search & Destroy a powerful tool which can "search and destroy" nasties that make it onto your system. Now with an Immunize section that will help prevent future infections. A tutorial can be found here.
  • AdAware another very powerful tool which searches and kills nasties that infect your system. A tutorial can be found here. AdAware and Spybot Search & Destroy compliment each other very well.
Instant MessengersTemp File Cleaners
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Note: Do NOT run this program if you have XP Professional 64 bit edition.
  • ATF Cleaner A very powerful cleaning program for XP and Windows 2000 only. Note: You may have this already as part of the fixes you have run.
Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, Microsoft releases security updates that help your computer from becoming vunerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.
In addition to Windows updates, you also need to ensure that your version of Java is the latest.Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 5). Once downloaded, install it and then Reboot your computer.

It is most important that you also uninstall older versions of Java.
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except Java ™ 6 Update 5
I will leave this log open until you tell me that you are satisfied with the way things are going with both computers, and can only feel regret that we could not get this fixed by conventional means. However, I have to respect your decision to choose the restore method as long as you feel that is your best option.

Regards,
RatHat
  • 0

#44
d_Oregon

d_Oregon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
I will runs the scans you suggest. Can you tell me how to scan to identify files created in the last 90 days? (see PS to my last post.)
  • 0

#45
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
DSS will identify system files created within the last 90 days, but if you are looking for files that you have created you will need to open each folder, then go to View, and choose Sort by Date.

There may be other ways to do this, but I am not sure on how.

Regards,
RatHat
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP