# Access Denied Malware



## rdizy (Sep 4, 2010)

I could really use some help diagnosing some Malware.
I'm getting Access Denied when I try to run HijackThis and GMER is freezing on me.
I was able to run DDS in SafeMode. Results are attached.

DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL 
Run by Michelle at 20:11:04.40 on Mon 11/01/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1271 [GMT -6:00]
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Michelle\Desktop\dds.scr
============== Pseudo HJT Report ===============
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Settings,ProxyOverride = localhost
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ShutterflyStudio] c:\documents and settings\michelle\desktop\studio\bin\SFlyStudio.exe /trayonly
uRun: [SmileboxTray] "c:\documents and settings\michelle\application data\smilebox\SmileboxTray.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxps://securedoc.saskpower.com/qp2.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179431535093
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180668558656
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://www.walmartphotocentre.ca/upload/activex/v2_0_0_12/PCAXSetupv2.0.0.12.cab?
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - 
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - c:\program files\quicktax 2009\ic2009pp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
S2 gupdate1c95c931cacec94;Google Update Service (gupdate1c95c931cacec94);c:\program files\google\update\GoogleUpdate.exe [2008-12-12 133104]
S2 Halt;Halt;c:\program files\soccerwinners\halt\Halt.exe [2007-10-1 45056]
S2 HaltMonitor;HaltMonitor;c:\program files\soccerwinners\halt\HaltMonitor.exe [2007-10-1 20480]
S2 RGFILERW;RGFILERW;\??\c:\windows\system32\drivers\rgfilerw.sys --> c:\windows\system32\drivers\RGFILERW.SYS [?]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\rick\my documents\inter-tel\collaboration client 2.0\lkWebLink.exe [2007-9-20 32768]
=============== Created Last 30 ================
2010-10-13 12:57:12 3247 ----a-w- c:\windows\system32\wbem\Outlook_01cb6ad627230746.mof
2010-10-12 21:18:37 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-12 21:18:34 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-12 21:11:30 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
==================== Find3M ====================
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-18 18:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 18:23:26 974848 ------w- c:\windows\system32\dllcache\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\dllcache\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-08 15:57:10 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-09-08 15:57:10 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-09-04 20:17:41 42112 ----a-w- c:\windows\system32\drivers\IMAPI.SYS
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-09-01 11:51:14 285824 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 13:42:52 1852800 ------w- c:\windows\system32\dllcache\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 08:02:29 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-27 05:57:43 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
2010-08-26 13:39:50 357248 ------w- c:\windows\system32\dllcache\srv.sys
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-26 05:36:02 10841088 ------w- c:\windows\system32\dllcache\wmp.dll
2010-08-25 11:30:33 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-08-25 11:29:05 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2010-08-23 16:12:04 617472 ------w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 13:17:06 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-16 08:45:00 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2008-08-24 04:44:58 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat
============= FINISH: 20:11:52.31 ===============


----------



## rdizy (Sep 4, 2010)

To start, I think I need a way to remove AntiVirus 2010. It appears to be bogus.


----------



## oldman960 (Apr 8, 2010)

Hi rdizy, welcome to the forum.

To make cleaning this machine easier

Please *do not* uninstall/install any programs unless asked to.
It is more difficult when files/programs are appearing in/disappearing from the logs.
Please *do not* run any scans other than those requested.
Please follow all instructions in the order posted.
All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word Wrap if it is checked.
Do not attach any logs/reports, etc. unless specifically requested to do so.
If you have problems with or do not understand the instructions, please ask *before* continuing.
Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

Click your *start* button, right click on *My Computer*

Click *properties*
click the *Hardware* tab
click *Device manager* button
click the + sign beside *System Devices*
look for something with *cmz vmkd* or *vbma* in the name; it should say virtual bus
right click the entry & select uninstall

*Please read through the instructions to familiarize yourself with what to expect when the tool runs.*

*It is vitally important that ComboFix is renamed before it is even started to download.*

Please download ComboFix from *Link 1* or *Link 2* to your Desktop.
***Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.***


If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to "Always ask me where to Save the files".
During the download, before you save it to your desktop, rename Combofix to *jgh.exe*

It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix

*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.

_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._

Double click on *ComboFix.exe (jgh.exe in your case)* & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on *Yes*, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the *C:\ComboFix.txt* in your next reply.

*Notes:*
1. *Do not mouse-click ComboFix's window while it is running. That may cause it to stall.*
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, *the connection can be manually restored by restarting your machine.*

Please post back with

combofix log
How is the computer?
Thanks


----------



## rdizy (Sep 4, 2010)

Thanks for helping. I appreciate it.
I can't get an internet connection on the infected computer (I tried regular and safe mode with networking). Can I download Combofix to another machine and transfer it to the infected machine's desktop via USB memory stick?


----------



## oldman960 (Apr 8, 2010)

Hi rdizy,



> Can I download Combofix to another machine and transfer it to the infected machine's desktop via USB memory stick?


Yes, you can. Be sure it is renamed as per the previous instructions and transferred directly to the infected computer's desktop.

First we'll protect your usb device and clean computer the best we can.

Run this on the clean computer with the usb device attached.

Download *Flash_Disinfector.exe* by sUBs and save it to your desktop.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Since you do not have an internet connection we will also manually install the Recovery Console. Once the Recovery Console is installed you should be given the option to continue scanning for malware.
Make sure you have done any other instructions as requested in the previous post before running combofix.

Download this file *Pro* and transfer it directly to your infected computer's *desktop*.

Make sure the copy of combofix (renamed) you have is also located on the desktop.

With your left mouse button, drag the file onto the ComboFix icon as shown below. This will start ComboFix, so don't do anything else. Also make sure your security programs have been disabled per the previous instructions.


Follow the prompts from there.

Thanks


----------



## rdizy (Sep 4, 2010)

Not sure if Flash Disinfector worked; I downloaded and ran it but it didn't seem to do anything?

I ran ComboFix like you specified. There are still issues with the computer... I still can't connect to the internet and I don't have access to start MSE.

Attached is the ComboFix log...
ComboFix 10-11-03.04 - Rick 11/04/2010 19:25:22.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1172 [GMT -6:00]
Running from: c:\documents and settings\Rick\Desktop\jgh.exe
Command switches used :: G:\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\.wtav
c:\documents and settings\Rick\Application Data\PriceGong
c:\documents and settings\Rick\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Rick\Application Data\PriceGong\Data\z.xml
c:\windows\system32\drivers\bcm4sbxp.sys
c:\windows\system32\Drivers\vbmac8a7.sys
c:\windows\system32\spool\prtprocs\w32x86\IQ31c9s.dll
c:\windows\system32\spool\prtprocs\w32x86\QG55a.dll
c:\windows\system32\USRINI~1.EXE
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_USERINIT
-------\Service_userinit

((((((((((((((((((((((((( Files Created from 2010-10-05 to 2010-11-05 )))))))))))))))))))))))))))))))
.
2010-11-05 01:18 . 2010-11-05 01:18 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\PCHealth
2010-11-01 14:19 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F5BC9D3B-368A-47F9-AE98-16B9C377E81E}\mpengine.dll
2010-10-12 21:18 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-12 21:18 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-12 21:11 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 20:51 . 2009-10-02 20:25 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 23:21 . 2009-11-12 23:16 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-09-18 18:23 . 2001-08-18 05:36 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-18 05:36 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-18 05:36 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-18 05:36 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2006-06-23 17:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2002-08-29 10:41 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2001-08-18 05:36 17408 ------w- c:\windows\system32\corpol.dll
2010-09-08 15:57 . 2004-08-04 05:59 389120 ----a-w- c:\windows\system32\html.iec
2010-09-04 20:17 . 2010-09-04 20:17 42112 ----a-w- c:\windows\system32\drivers\IMAPI.SYS
2010-09-01 11:51 . 2001-08-17 21:55 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2002-08-29 09:14 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2001-08-18 05:36 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2001-08-18 05:36 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2001-08-18 05:24 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-16 02:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2002-08-29 10:40 617472 ------w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-03-06 02:16 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-12 155648]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 23:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
2008-08-13 20:34 1891416 ----a-w- c:\garmin\gStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 17:58 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2005-06-08 20:44 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2005-06-08 21:24 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2005-06-08 21:14 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2005-07-19 23:32 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2009-11-10 16:14 443728 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2007-10-18 17:34 5724184 ----a-w- c:\progra~1\WI1F86~1\MESSEN~1\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
2010-09-15 10:34 1094224 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpenDNS Updater]
2009-11-16 19:58 839168 ----a-w- c:\program files\OpenDNS Updater\OpenDNSUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-07-12 04:46 155648 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
2010-10-05 06:52 304448 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
2001-07-24 21:34 36864 ----a-w- c:\cpqs\scom\srmclean.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-11-19 01:59 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gupdate1c95c931cacec94"=2 (0x2)
"MsMpSvc"=2 (0x2)
"MDM"=2 (0x2)
"LeapFrog Connect Device Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
R2 Halt;Halt;c:\program files\Soccerwinners\Halt\Halt.exe [10/1/2007 3:39 PM 45056]
R2 HaltMonitor;HaltMonitor;c:\program files\Soccerwinners\Halt\HaltMonitor.exe [10/1/2007 3:39 PM 20480]
S2 gupdate1c95c931cacec94;Google Update Service (gupdate1c95c931cacec94);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 1:52 PM 133104]
S2 RGFILERW;RGFILERW;\??\c:\windows\system32\Drivers\RGFILERW.SYS --> c:\windows\system32\Drivers\RGFILERW.SYS [?]
S3 vbmac8a7;Virtual Bus for Microsoft ACPI-Compliant System; [x]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\Rick\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [9/20/2007 5:10 PM 32768]
.
Contents of the 'Scheduled Tasks' folder
2010-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 08:22]
2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 08:22]
2010-10-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 03:40]
2010-11-05 c:\windows\Tasks\User_Feed_Synchronization-{8194FAB8-47E9-45C7-824B-B5F660D581C0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theglobeandmail.com/
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - 
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-04 19:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2768)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2010-11-04 19:42:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-05 01:42
Pre-Run: 5,804,474,368 bytes free
Post-Run: 6,879,375,360 bytes free
- - End Of File - - 7707E7BE2A02538E7F37C7FAA66124A1

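As an added example (an editor's addition, not code from either poster and not part of DDS or ComboFix), the script below reads a pasted DDS or ComboFix log and flags the indicators that mattered in the two logs in this thread: the svchost.exe running from a `\\.\globalroot\Device\...` path in the DDS "Running Processes" list, the RGFILERW and vbmac8a7 driver entries whose image file is missing (`[?]` in DDS, `[x]` in ComboFix) or that register as a "virtual bus", the `AntiVirusOverride` value set under the Security Center key, and the MSE service (MsMpSvc) listed as disabled under the msconfig `services` key. The sample log is constructed from lines modelled on those posts; the script generalizes slightly beyond the thread in that any `*Override` value under the Security Center key is reported, not only `AntiVirusOverride`.

```python
"""Triage a pasted DDS / ComboFix log for the indicators seen in this thread.

Added example: not a forum tool and not code from either poster. It only
reads text, so it can be run against any saved log on a clean machine.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity indicator line")

# A process image under \\.\globalroot\Device\... is a path no normal program
# uses; in the posted DDS log it is the first "svchost.exe" entry.
GLOBALROOT_RE = re.compile(r'^"?\\\\\.\\globalroot\\', re.IGNORECASE)

# DDS/ComboFix service lines: "<start> <name>;<display name>;<image> [stamp]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")

# ComboFix "Reg Loading Points" values of the form "Name"=dword:00000001
REG_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# msconfig-disabled services: "Name"=<saved start type> (0xN)
MSCONFIG_RE = re.compile(r'^"([^"]+)"=(\d+) \(0x[0-9a-fA-F]+\)$')

# Security services that should not normally be disabled (MsMpSvc = MSE).
SECURITY_SERVICES = {"msmpsvc"}


def triage(log_text):
    """Return a list of Finding tuples for the indicators present in log_text."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # Registry key headers ("[HKEY_...]") give context to the value lines below.
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue

        if GLOBALROOT_RE.match(line):
            findings.append(Finding("high", "process image under \\\\.\\globalroot device path", line))
            continue

        m = SERVICE_RE.match(line)
        if m:
            _start, name, display, image = m.groups()
            reasons = []
            # "[?]" (DDS) and "[x]" (ComboFix) both mean the image file was not found.
            if image.strip().endswith(("[?]", "[x]")):
                reasons.append("image file missing on disk")
            # The helper in this thread identified the rogue driver by this display name.
            if "virtual bus" in display.lower():
                reasons.append('registers as a "virtual bus" device')
            if reasons:
                findings.append(Finding("medium", f"driver/service {name}: " + "; ".join(reasons), line))
            continue

        m = REG_DWORD_RE.match(line)
        if m and current_key.endswith("security center"):
            value_name, hexval = m.groups()
            # AntiVirusOverride / FirewallOverride = 1 silence Security Center alerts.
            if value_name.lower().endswith("override") and int(hexval, 16) != 0:
                findings.append(Finding("high", f"Security Center {value_name} is set", line))
            continue

        m = MSCONFIG_RE.match(line)
        if m and current_key.endswith(r"msconfig\services"):
            name = m.group(1)
            # A service listed under this key was disabled via msconfig; the stored
            # number is its saved original start type, not its current one.
            if name.lower() in SECURITY_SERVICES:
                findings.append(Finding("medium", f"security service {name} disabled via msconfig", line))
    return findings


# Constructed sample, modelled on the DDS and ComboFix lines posted in this thread.
SAMPLE_LOG = r'''
============== Running Processes ===============
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
============= SERVICES / DRIVERS ===============
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
S2 RGFILERW;RGFILERW;\??\c:\windows\system32\drivers\rgfilerw.sys --> c:\windows\system32\drivers\RGFILERW.SYS [?]
S3 vbmac8a7;Virtual Bus for Microsoft ACPI-Compliant System; [x]
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MsMpSvc"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.indicator}\n         {f.line}")
```

Run it against a saved log with `python triage.py` after replacing `SAMPLE_LOG` with the file contents; it reports nothing for the legitimate MpFilter, svchost and Explorer lines and one finding for each of the five indicators above.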

----------



## oldman960 (Apr 8, 2010)

Hi rdizy.

Sorry, I should have mentioned that there isn't any display when FDD is run.

You have several items disabled in msconfig. Were these your doing? There is one related to MSE:

*MSSE c:\program files\Microsoft Security Essentials\msseces.exe*

We'll work on getting the permissions sorted out and your connection.

On the *clean* computer

Open a new Notepad session 

Click the *Start* button, click *run*
in the run box type *notepad*
click *ok*
In Notepad, click "Format" and be certain that Word Wrap is *not checked*.
Copy and paste *all* the text in the code box below into Notepad. *Do Not* copy the word *CODE*


```
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
Driver::
vbmac8a7
RGFILERW
```
In the notepad 

Click *File*, *Save as*..., and set the *Save in* to your *Desktop*
In the *filename* box, type (including quotation marks) as the filename: *"CFScript.txt"*
Click *save*

Transfer CFScript.txt to the desktop of the *infected* computer.

*Please follow all previous instructions regarding security programs.*

Using your mouse left button, drag the file CFScript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browsers/windows first.

***Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.***


Please post the log.

When trying to connect do you receive an error message? If so, what is the message?

Click your *start* button, right click on *My Computer*
Click *properties*
click the *Hardware* tab
click *Device manager* button
Anything in the list with a yellow ! mark?

Still in device manager click the + sign beside *Network adapters*. What is listed there?

Back on the clean computer

Right click the attached file *user.zip*
Select *Save target as*
Set the *Save in* box to *Desktop* or the USB device which you are using for transferring files.

Transfer the files to the infected computer's desktop.

Extract the files to your desktop
Locate *run.bat* and double click it to run it
Please be patient and let it run
When it's finished, a log will be saved at *C:\junction.txt*
Please post its contents in your next reply

Please post back with

combofix log
junction.txt
please answer any questions asked
Besides MSE and the connection are you experiencing any other problems?

Thanks


----------



## rdizy (Sep 4, 2010)

Hi,
I may have had some items disabled in msconfig but MSE was not one of them.
Prior to the infection, MSE was running normally.
Internet Connection error message is the standard:
Internet Explorer cannot display the webpage (similar to when you unplug your modem)
Device Manager, Network Adaptors shows Broadcom 440x 10/100 Integrated Controller as yellow !
Device Status: Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)
Should I try to Rollback Driver?
As far as other problems, I do not have permission to access HijackThis, MalwareBytes, can't start the MSE service, etc.

Here are the logs...
ComboFix 10-11-03.04 - Rick 11/04/2010 21:49:51.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1145 [GMT -6:00]
Running from: c:\documents and settings\Rick\Desktop\jgh.exe
Command switches used :: G:\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_RGFILERW
-------\Service_RGFILERW
-------\Service_vbmac8a7

((((((((((((((((((((((((( Files Created from 2010-10-05 to 2010-11-05 )))))))))))))))))))))))))))))))
.
2010-11-05 01:18 . 2010-11-05 01:18 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\PCHealth
2010-11-01 14:19 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F5BC9D3B-368A-47F9-AE98-16B9C377E81E}\mpengine.dll
2010-10-12 21:18 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-12 21:18 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-12 21:11 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 20:51 . 2009-10-02 20:25 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 23:21 . 2009-11-12 23:16 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-09-18 18:23 . 2001-08-18 05:36 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-18 05:36 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-18 05:36 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-18 05:36 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2006-06-23 17:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2002-08-29 10:41 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2001-08-18 05:36 17408 ------w- c:\windows\system32\corpol.dll
2010-09-08 15:57 . 2004-08-04 05:59 389120 ----a-w- c:\windows\system32\html.iec
2010-09-04 20:17 . 2010-09-04 20:17 42112 ----a-w- c:\windows\system32\drivers\IMAPI.SYS
2010-09-01 11:51 . 2001-08-17 21:55 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2002-08-29 09:14 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2001-08-18 05:36 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2001-08-18 05:36 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2001-08-18 05:24 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-16 02:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2002-08-29 10:40 617472 ------w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-03-06 02:16 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-12 155648]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 23:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
2008-08-13 20:34 1891416 ----a-w- c:\garmin\gStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 17:58 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2005-06-08 20:44 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2005-06-08 21:24 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2005-06-08 21:14 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2005-07-19 23:32 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2009-11-10 16:14 443728 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2007-10-18 17:34 5724184 ----a-w- c:\progra~1\WI1F86~1\MESSEN~1\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
2010-09-15 10:34 1094224 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpenDNS Updater]
2009-11-16 19:58 839168 ----a-w- c:\program files\OpenDNS Updater\OpenDNSUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-07-12 04:46 155648 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
2010-10-05 06:52 304448 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
2001-07-24 21:34 36864 ----a-w- c:\cpqs\scom\srmclean.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-11-19 01:59 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gupdate1c95c931cacec94"=2 (0x2)
"MsMpSvc"=2 (0x2)
"MDM"=2 (0x2)
"LeapFrog Connect Device Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
R2 Halt;Halt;c:\program files\Soccerwinners\Halt\Halt.exe [10/1/2007 3:39 PM 45056]
R2 HaltMonitor;HaltMonitor;c:\program files\Soccerwinners\Halt\HaltMonitor.exe [10/1/2007 3:39 PM 20480]
S2 gupdate1c95c931cacec94;Google Update Service (gupdate1c95c931cacec94);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 1:52 PM 133104]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\Rick\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [9/20/2007 5:10 PM 32768]
.
Contents of the 'Scheduled Tasks' folder
2010-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 08:22]
2010-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 08:22]
2010-10-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 03:40]
2010-11-05 c:\windows\Tasks\User_Feed_Synchronization-{8194FAB8-47E9-45C7-824B-B5F660D581C0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theglobeandmail.com/
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - 
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-04 21:59
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2028)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2010-11-04 22:03:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-05 04:03
ComboFix2.txt 2010-11-05 01:42
Pre-Run: 6,908,182,528 bytes free
Post-Run: 6,900,883,456 bytes free
- - End Of File - - ED82497536ED5DE89F7E3BF3A90A34EA

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
...

.\\?\c:\\Documents and Settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Mnt\000100130017F614\0: MOUNT POINT
Substitute Name: Volume{073e84df-3de3-11df-8e85-0002e33dcb0d}\
\\?\c:\\Documents and Settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Mnt\000100130017F614\1: MOUNT POINT
Substitute Name: Volume{073e84e0-3de3-11df-8e85-0002e33dcb0d}\

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp: Access is denied.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\MpScanCache-1.bin: Access is denied.
..

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

.
Failed to open \\?\c:\\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE: Access is denied.
..

...

...

...

...

...

...

..
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.
.

...

...
Failed to open \\?\c:\\Program Files\Microsoft Security Essentials\MsMpEng.exe: Access is denied.

...

...
Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.

.
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.
..

...

...

...

...

...

...

..
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\callcont.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\gdi32.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\h323.tsp: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\h323msp.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\helpctr.exe: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\lsasrv.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\mf3216.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\msasn1.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\msgina.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\mst120.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\netapi32.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\nmcom.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\rtcdll.dll: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\schannel.dll: Access is denied.
.

...\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

...

...

...

...

...

...

...

...

...


----------



## oldman960 (Apr 8, 2010)

Hi rdizy,

Let's see if we can get this batch file to restore the permissions. We will also need a tool.

Please download *Inherit* by sUBs and save it to your Desktop or the usb device.

*Next*, create this batch file on the clean computer.

Open a new Notepad session 

Click the *Start *button, click *run*
in the run box type *notepad*
click* ok*
In the notepad, Click "Format" and be certain that Word Wrap is *not checked*.
Copy and paste *all* the text in the code box below into the Notepad.
*Do Not* copy the word *CODE*


```
"%userprofile%\desktop\Inherit.exe" "c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"%userprofile%\desktop\Inherit.exe" "c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
"%userprofile%\desktop\Inherit.exe" "c:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp"
"%userprofile%\desktop\Inherit.exe" "Program Files\Microsoft Security Essentials\MsMpEng.exe"
"%userprofile%\desktop\Inherit.exe" "c:\Program Files\Trend Micro\HijackThis\HijackThis.exe"
```
In the notepad 

Click *File*, *Save as*..., and set the *Save in* to your *Desktop* or the usb device.
In the *filename* box, type (including quotation marks) as the filename: *"myfix.bat"*
Click *save*
The file will be called myfix.bat with an icon that looks like a gear.

Transfer the file, along with the program *Inherit.exe*, to the infected computer's desktop.

Double-click *myfix.bat* to run it.

*Next*

Click your *start* button, click *run*

in the run box type *msconfig* and click *ok*
click the *startup* tab
place a checkmark next to *MSSE c:\program files\Microsoft Security Essentials\msseces.exe*
click *apply*, click *ok*
reboot your computer
Can you access the programs now?

We'll look at your network adapter after you post back.

Thanks


----------
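The batch file above was typed by hand from the paths in junction.txt. As an added example (not part of the original thread, of sUBs' Inherit tool, or of Sysinternals Junction), the following Python script derives those lines from the junction log itself: it keeps only the `Access is denied` entries (the hiberfil.sys and pagefile.sys lines are sharing violations, not ACL problems), collapses the `\\?\c:\\` prefix that junction prints into a plain `c:\` path, de-duplicates, and emits one Inherit.exe invocation per path using the `%userprofile%\desktop\Inherit.exe` location the batch file above uses. The sample log lines are copied from the junction.txt posted in this thread; the decision to skip `$NtUninstallKB...$` hotfix backups and ComboFix's Qoobox quarantine is my own filter, matching what the helper's batch file left out.

```python
"""Turn junction.txt "Access is denied" lines into Inherit.exe batch lines.
Added example for this thread; not part of sUBs' Inherit or Sysinternals Junction."""
import re

# junction prints paths with the \\?\ prefix and a doubled backslash after the drive letter.
DENIED_RE = re.compile(r"^Failed to open \\\\\?\\(?P<path>.+?): Access is denied\.\s*$")
# Noise filter (my choice, matching what the helper's batch file left out): hotfix
# uninstall backups and ComboFix's Qoobox quarantine are expected to be locked down.
NOISE_RE = re.compile(r"\\(\$NtUninstall[^\\]*\$|Qoobox)(\\|$)", re.IGNORECASE)
INHERIT = r"%userprofile%\desktop\Inherit.exe"   # location used in the thread's batch file


def normalize(path):
    # Collapse the doubled backslash junction prints after the drive letter.
    return re.sub(r"^([A-Za-z]:)\\+", r"\1\\", path)


def denied_paths(lines, skip_noise=True):
    """Return de-duplicated, normalized paths that junction could not open for ACL reasons.
    Sharing violations (hiberfil.sys, pagefile.sys) do not match and are ignored."""
    seen, out = set(), []
    for line in lines:
        m = DENIED_RE.match(line.rstrip("\r\n"))
        if not m:
            continue
        path = normalize(m.group("path"))
        if skip_noise and NOISE_RE.search(path):
            continue
        if path.lower() not in seen:
            seen.add(path.lower())
            out.append(path)
    return out


def inherit_batch(paths, inherit=INHERIT):
    """One quoted Inherit.exe invocation per path, ready to save as myfix.bat."""
    return ['"%s" "%s"' % (inherit, p) for p in paths]


# Sample lines copied from the junction.txt posted in this thread (constructed test input).
SAMPLE_LOG = r"""Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
.\\?\c:\\Documents and Settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Mnt\000100130017F614\0: MOUNT POINT
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp: Access is denied.
Failed to open \\?\c:\\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE: Access is denied.
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Microsoft Security Essentials\MsMpEng.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\lsasrv.dll: Access is denied.
..."""

if __name__ == "__main__":
    # Paste the output into Notepad and save it as myfix.bat on the clean computer.
    print("\n".join(inherit_batch(denied_paths(SAMPLE_LOG.splitlines()))))
```

Generating the batch from the log rather than retyping paths avoids exactly the kind of slip that is easy to make by hand, such as a dropped drive letter; pass `skip_noise=False` if the quarantine and hotfix-backup paths are wanted as well.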



## rdizy (Sep 4, 2010)

Hi,
Still can't "Start Now" Microsoft Security Essentials.

Malware Bytes and HijackThis now open. I did not try to run a scan.

I noticed in msconfig, that mssecs was in there twice, one was checked as a startup item and the other was not. I checked the one that was not and restarted. 

MSE does start, but the service is stopped... I'm not sure I made that clear on previous posts.
The message is "Microsoft Security Essentials isn't monitoring your computer because the program's service stopped. You should restart it now."

When I click "Start Now" I get "Couldn't start Microsoft Security Essentials service. Access Denied."


----------



## oldman960 (Apr 8, 2010)

Hi rdizy,

I replied last night but I don't see the post. 

Please download *SystemLook* from one of the links below and save it to your usb and transfer it to your infected computer's desktop.

*Download Mirror #1*
*Download Mirror #2*


Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield
*Do not* copy the word *CODE*; please note the script starts with the *:*.


```
:filefind
ndis.*
 
:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndis] /s
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc\security]
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*

*Next*

Click your *start* button, click *run*
type *rsop.msc* and click *ok*
click the + signs beside *Computer Configuration* - *Windows Settings* - *Security Settings*
click on *System Services*
Look for *Microsoft Antimalware Service*
Any restrictions listed there?

Thanks


----------



## rdizy (Sep 4, 2010)

Hi again,

SystemLook.txt output is below.

I didn't see any restrictions in Resultant Set of Policy.
All System Services are startup = undefined and permission = undefined
If I double click Microsoft Antimalware Service the startup mode options are greyed out (i.e. I can't change them) but I can see that the default startup mode = disabled.

SystemLook 04.09.10 by jpshortstuff
Log created at 21:15 on 06/11/2010 by Rick
Administrator - Elevation successful
========== filefind ==========
Searching for "ndis.*"
C:\i386\NDIS.SY_ --a---- 87077 bytes [18:38 17/05/2007] [14:00 31/03/2003] D032D6F2D040400F7CEDDAF57701176A
C:\WINDOWS\$NtServicePackUninstall$\ndis.sys -----c- 182912 bytes [03:29 24/08/2008] [06:14 04/08/2004] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\ERDNT\cache\ndis.sys --a---- 182656 bytes [03:34 20/11/2009] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\ServicePackFiles\i386\ndis.sys ------- 182656 bytes [06:14 04/08/2004] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\system32\drivers\ndis.sys --a---- 182656 bytes [09:09 29/08/2002] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
Searching for " "
No files found.
========== reg ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndis]
"DisplayName"="NDIS System Driver"
"ErrorControl"= 0x0000000001 (1)
"Group"="NDIS Wrapper"
"Start"= 0x0000000000 (0)
"Type"= 0x0000000001 (1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndis\MediaTypes]
(No values found)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndis\Parameters]
"ProcessorAffinityMask"= 0x00ffffffff (-1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndis\Enum]
"0"="Root\LEGACY_NDIS\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc]
"ServiceSidType"= 0x0000000001 (1)
"RequiredPrivileges"="SeLoadDriverPrivilege SeImpersonatePrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege SeSecurityPrivilege SeShutdownPrivilege SeIncreaseQuotaPrivilege SeAssignPrimaryTokenPrivilege"
"Type"= 0x0000000010 (16)
"Start"= 0x0000000002 (2)
"ErrorControl"= 0x0000000001 (1)
"ImagePath"=""c:\Program Files\Microsoft Security Essentials\MsMpEng.exe""
"DisplayName"="Microsoft Antimalware Service"
"Group"="COM Infrastructure"
"DependOnService"="RpcSs"
"DependOnGroup"=" "
"ObjectName"="LocalSystem"
"Description"="Helps protect users from malware and other potentially unwanted software"
"FailureActions"=80 51 01 00 01 00 00 00 01 00 00 00 03 00 00 00 48 00 4f 00 01 00 00 00 98 3a 00 00 01 00 00 00 98 3a 00 00 00 00 00 00 00 00 00 00 (REG_BINARY)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc\security]
"Security"=01 00 14 80 a8 00 00 00 b4 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 78 00 05 00 00 00 00 00 18 00 9d 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 21 02 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 (REG_BINARY)

-= EOF =-


----------
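The `Security` value posted above is a self-relative SECURITY_DESCRIPTOR, the object the Service Control Manager checks when someone clicks Start. Decoding it answers the question this thread is circling: does the service's own DACL still allow the service to be started? The following Python decoder is an added example, not from the original thread or from SystemLook; it parses the header, SACL, DACL and owner/group SIDs with `struct`, names the well-known SIDs and service rights, and reports who holds SERVICE_START (group membership is not expanded, so each SID from the caller's token must be checked separately). The blob is copied byte for byte from the posted log. Decoded, the DACL is the stock one: Administrators full control, SYSTEM and Power Users start/stop, Users start, and no Deny ACEs, which is consistent with the later finding that the block was on the MsMpEng.exe file ACL rather than on the service object.

```python
"""Decode the REG_BINARY "Security" value of a Windows service
(HKLM\\SYSTEM\\CurrentControlSet\\Services\\<svc>\\Security).
Added example for this thread; pure Python, runs on any OS."""
import struct

SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACE_TYPES = {0: "ALLOW", 1: "DENY", 2: "AUDIT"}
SERVICE_START = 0x0010

# Service-specific rights (winsvc.h) and the standard rights that appear in service DACLs.
RIGHTS = {
    0x00001: "QUERY_CONFIG", 0x00002: "CHANGE_CONFIG", 0x00004: "QUERY_STATUS",
    0x00008: "ENUMERATE_DEPENDENTS", 0x00010: "START", 0x00020: "STOP",
    0x00040: "PAUSE_CONTINUE", 0x00080: "INTERROGATE", 0x00100: "USER_DEFINED_CONTROL",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
WELL_KNOWN = {
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-18": "SYSTEM",
    "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users", "S-1-5-32-547": "Power Users",
}

# The MsMpSvc\security value exactly as SystemLook printed it in the post above.
MSMPSVC_SECURITY = bytes.fromhex(
    "01 00 14 80 a8 00 00 00 b4 00 00 00 14 00 00 00 30 00 00 00 "   # SD header
    "02 00 1c 00 01 00 00 00 "                                       # SACL header
    "02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 "   # audit ACE
    "02 00 78 00 05 00 00 00 "                                       # DACL header
    "00 00 18 00 9d 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 21 02 00 00 "
    "00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 "
    "00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 "
    "00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 "
    "00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 "
    "01 01 00 00 00 00 00 05 12 00 00 00 "                           # owner SID
    "01 01 00 00 00 00 00 05 12 00 00 00 "                           # group SID
)


def parse_sid(buf, off):
    # SID: revision, sub-authority count, 48-bit big-endian authority, little-endian subs.
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs))


def parse_acl(buf, off):
    # ACL header: revision, sbz1, size, ACE count, sbz2; then ACEs of header+mask+SID.
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        aces.append({"type": ACE_TYPES.get(ace_type, "TYPE_%d" % ace_type),
                     "flags": flags, "mask": mask, "sid": parse_sid(buf, pos + 8)})
        pos += ace_size
    return aces


def parse_security_descriptor(buf):
    rev, _sbz, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    sd = {"control": control, "owner": None, "group": None, "sacl": [], "dacl": [],
          # SE_DACL_PRESENT with a zero offset is a NULL DACL: everyone gets full access.
          "null_dacl": bool(control & SE_DACL_PRESENT) and o_dacl == 0}
    if o_owner:
        sd["owner"] = parse_sid(buf, o_owner)
    if o_group:
        sd["group"] = parse_sid(buf, o_group)
    if control & SE_SACL_PRESENT and o_sacl:
        sd["sacl"] = parse_acl(buf, o_sacl)
    if control & SE_DACL_PRESENT and o_dacl:
        sd["dacl"] = parse_acl(buf, o_dacl)
    return sd


def rights_names(mask):
    return "|".join(name for bit, name in sorted(RIGHTS.items()) if mask & bit) or "NONE"


def can_start(sd, sid):
    """True if the DACL grants SERVICE_START to `sid` with no matching Deny ACE."""
    if sd["null_dacl"]:
        return True
    hits = [a for a in sd["dacl"] if a["sid"] == sid and a["mask"] & SERVICE_START]
    if any(a["type"] == "DENY" for a in hits):
        return False
    return any(a["type"] == "ALLOW" for a in hits)


def summarize(sd):
    name = lambda s: WELL_KNOWN.get(s, s)
    lines = ["owner=%s group=%s" % (name(sd["owner"]), name(sd["group"]))]
    for ace in sd["dacl"]:
        lines.append("%-5s %-20s %s" % (ace["type"], name(ace["sid"]), rights_names(ace["mask"])))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_security_descriptor(MSMPSVC_SECURITY))))
```

A tampered service would typically show a Deny ACE for the user's groups, a stripped Administrators entry, or a NULL DACL; the decoder flags the NULL-DACL case explicitly because treating it as "no ACEs" would invert its meaning.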



## oldman960 (Apr 8, 2010)

Hi rdizy,

We may need to download a driver for your Network Adapter. What brand of computer do you have?

Still looking into the MSE problem.

Try this. Copy and paste the following into a notepad, name it something you will remember and transfer it to the infected computer.


```
"%userprofile%\desktop\Inherit.exe" "c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\MpScanCache-1.bin"
```
On the infected computer

open the notepad you just made
right click in the notepad and click *select all*
right click in the notepad again and select *copy*
Click your *start* button, click *run*. In the small white field in the run box, right-click and select *paste*. Click *ok*.

Let's try to start MSE from a different location

Click your start button click run.

In the run box type *services.msc*
hit* enter*
In the list locate *Microsoft Antimalware Service*

right click on it and select *properties*
In the service status section click *Start*
Did it start or did you receive an error message?

While you are in there please check the status of *Windows Management Instrumentation*

Thanks


----------



## rdizy (Sep 4, 2010)

Hi,
I have an older machine. Its an HP D220.

I ran the script and it said OK.

I tried starting the service the way you suggested but again get Access Denied.

The Windows Management Instrumentation is Started.


I'm wondering if the MSE service cannot start because AntiVirus 2010 is still on my PC (at least in some shape or form). In Add/Remove Programs I see Antivirus 2010. That is bogus software. I wonder if I should try to remove it?


----------



## rdizy (Sep 4, 2010)

I just downloaded the Broadcom network driver from HP. (sp25326.exe)
http://h20000.www2.hp.com/bizsuppor...wEnvOID=181&swLang=13&taskId=135&mode=4&idx=1

At least, I'm pretty sure this is what I would need?
Let me know if/when you think I should try installing it.


----------



## oldman960 (Apr 8, 2010)

Hi rdizy,

Antivirus 2010,

It's actually an orphaned entry in Add/Remove Programs. When you uninstall it you will most likely be given an error message. Just click ok and Windows should offer to remove it for you.

Let me check that driver.


----------



## rdizy (Sep 4, 2010)

Thanks!
Tried removing Antivirus 2010 using Add/Remove Programs and get:
"An error occurred while trying to remove AntiVirus 2010. You do not have access to \\.\globalroot\systemroot\system32\userinit.exe, You can specify the new uninstall program below."


----------



## oldman960 (Apr 8, 2010)

Hi rdizy,

Yes, that's the error message you should get. Click ok and Windows should offer to remove it.

Looks like the right driver. Let's try just installing the driver first.

From HP
Download the SoftPaq to a directory on your hard drive. The file downloaded is a self-extracting executable with a filename based on the SoftPaq Number above.
Execute the downloaded file and follow the on-screen instructions.
You already have the file; just place it in its own folder and double-click it to run it.


----------



## rdizy (Sep 4, 2010)

I'm going to try installing the driver when I get home from work. 

Re: MSE and the denied access to start the service... I wonder if it would be worthwhile trying to Uninstall/Install MSE? I read somewhere that this is a possible solution to this problem (assuming you have first removed any contentious antivirus software). Thoughts?


----------



## rdizy (Sep 4, 2010)

Network driver installed successfully... internet connection now working as expected! 
Thanks for your help. It will make things a bit easier now... no more transferring files via USB.


----------



## oldman960 (Apr 8, 2010)

Hi rdizy,

Good job!

Let's leave MSE for the moment and make sure you are malware free, we'll come back to it. Please limit your internet activity to this thread and downloading tools until we resolve the MSE issue.

What did you use for an antivirus prior to MSE?

You have this program installed, *Malwarebytes' Anti-Malware* (MBAM). Please update it and run a scan.

Open* MBAM*

Click the *Update* tab
Click *Check for Updates*
If an update is found, it will download and install the latest version.
The program will close to update and reopen.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.*

*Next*

Download *OTL* to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Click on *Minimal Output* at the top
Download the following file *scan.txt* to your *Desktop*. *Click here to download it*. You may need to right click on it and select *"Save"*
Double click inside the Custom Scan box at the bottom
A window will appear saying *"Click OK to load a custom scan from a file or Cancel to cancel"*
Click the OK button and navigate to the file *scan.txt* which we just saved to your desktop
Select *scan.txt* and click Open. Writing will now appear under the Custom Scan box
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL.
Please copy *(Edit->Select All, Edit->Copy)* the contents of these files, one at a time and post them in your topic. They may be long so you might want to attach them


Please post back with

MBAM log
Both OTL logs
Thanks


----------



## rdizy (Sep 4, 2010)

Here's the output...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5086
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11
11/9/2010 7:59:01 PM
mbam-log-2010-11-09 (19-59-01).txt
Scan type: Quick scan
Objects scanned: 174976
Time elapsed: 8 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

OTL and Results txt files attached.


----------



## oldman960 (Apr 8, 2010)

Hi rdizy,

Did you use Norton (Symantec) prior to using MSE?

I see a little glitch in a previous fix 

Click your *start* button click *run*. Copy and paste the following line into the runbox and click *ok*.


```
"%userprofile%\desktop\Inherit.exe" "C:\Program Files\Microsoft Security Essentials\MsMpEng.exe"
```
MSE working now?

Thanks


----------



## rdizy (Sep 4, 2010)

Yes! That worked. I got the MSE service started and it did an update of virus and spyware definitions!
Thanks!!!


----------



## oldman960 (Apr 8, 2010)

Hi rdizy,

Good.

*uTorrent*
You have uTorrent, a P2P/file sharing program installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it. It's not the program itself that's the problem but what can be downloaded with it usually from an unknown source.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx

http://www.internetworldstats.com/articles...cles/art053.htm

I would recommend that you uninstall *uTorrent*, however that choice is up to you. If you choose to remove this program, you can do so via *Control Panel >> Add or Remove Programs.*

*If you wish to keep it, please do not use it until your computer is cleaned.*


I see a bit of *Norton* in the logs. Something you no longer use?

You have some very old, vulnerable Java installed. Go to Add/Remove Programs and uninstall

*Java 2 Runtime Environment, SE v1.4.1_02*

*Do not* uninstall *Java 6 Update 17*

*Next*

Click your start button, open Control panel.

Locate the *Java* icon (it looks like a coffee cup)
double click it to open it
click the *Update* tab
Click *update now*

*Next*, Double click on *OTL.exe* to run it

Under the *Custom Scans/Fixes* box at the bottom, paste in the following
*Do Not *copy the word* CODE*
please note the fix starts with the *:*


```
:services
 
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{12CFADC5-C2B3-B677-AD0C-2205AEAFE494}"=-
 
:Commands
[emptytemp]
[createrestorepoint]
```
Then click the* Run Fix* button at the top

Let the program run unhindered
Please save the resulting log to be posted in your next reply.
Please post the *OTL fix*

One more scan to do just to check our handiwork.

*Note*
*It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.*
*Please don't go surfing while your resident protection is disabled!*
*Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.*

Please go to *Kaspersky* website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions.
You will be prompted to install an application from Kaspersky. Click* Run.*
When the downloads have finished, click on *Settings*.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the *Save* button
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
- Mail databases

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*
Change the *Files of type* to *Text file (.txt)*
Set the Save In to *Desktop*
click the Save button.
Please post this log in your next reply.

Please post back with

OTL fix log
Kaspersky log
Any problems?

Thanks


----------



## rdizy (Sep 4, 2010)

re: uTorrent, I'll consider your suggestion. I only use it to download TV shows but I'm sure there's a possible threat even with .avi files nowadays.

I removed the old java and ran the OTL fix. (output is below)

You are correct, I was previously running Norton (a year ago?).

I'm having issues with Kaspersky. The link you provided gives me a 404 Not found.
I played around with the URL (i.e. used http://www.kaspersky.com/kos/eng/partner/default/) and thought I got the scan to work but it is failing after the updates are downloaded.
Error Message is attached gif.

All processes killed
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\{12CFADC5-C2B3-B677-AD0C-2205AEAFE494} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12CFADC5-C2B3-B677-AD0C-2205AEAFE494}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Matthew and Caleb
->Temp folder emptied: 348725 bytes
->Temporary Internet Files folder emptied: 226682979 bytes
->Flash cache emptied: 5259 bytes

User: Michelle
->Temp folder emptied: 957129 bytes
->Temporary Internet Files folder emptied: 193899881 bytes
->Java cache emptied: 338325 bytes
->Flash cache emptied: 47807 bytes

User: NetworkService
->Temp folder emptied: 3428 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Rick
->Temp folder emptied: 10303084 bytes
->Temporary Internet Files folder emptied: 18540966 bytes
->Java cache emptied: 59271 bytes
->Google Chrome cache emptied: 594288 bytes
->Flash cache emptied: 22833 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 17090 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes
RecycleBin emptied: 587264 bytes

Total Files Cleaned = 432.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.17.3 log created on 11112010_110556
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...


----------



## oldman960 (Apr 8, 2010)

Hi rdizy,

I tried a couple of times, including removing it completely, and get the same error as you.

Use this one instead.

*Note*
*It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.*

*Please don't go surfing while your resident protection is disabled!*
*Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.*


Go here to run an online scanner from *ESET*

(*Note*: You must use *Internet Explorer* for this scan.)

Tick the box next to *YES, I accept the Terms of Use.*
Click *Start*
When asked, *allow* the activex control to install
*Disable* your Antivirus software. You can usually do this with its *Notification Tray icon* near the clock
Click *Start*
Make sure that the option *"Remove found threats"* is *Unchecked*, and the option *"Scan unwanted applications"* is *Checked*.
Click *Scan*.
Wait for the scan to finish.
*Re-enable* your Antivirus software.
A logfile is created and located at *C:\Program Files\EsetOnlineScanner\log.txt* or *C:\Program Files\ESET\log.txt*. We will need this later.
Please post back with the *ESET* log.


----------



## rdizy (Sep 4, 2010)

Hi,
Here is the result of the Eset Online Scan:

[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=7fbd37a924e0c141a1e97b8f6a9dc59f
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-12 11:16:44
# local_time=2010-11-12 05:16:44 (-0600, Canada Central Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 30465115 30465115 0 0
# compatibility_mode=5891 16776869 100 100 0 19104330 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=129444
# found=11
# cleaned=0
# scan_time=3657
C:\Qoobox\Quarantine\C\WINDOWS\system32\USRINI~1.EXE.vir Win32/Sirefef.BI trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\bcm4sbxp.sys.vir Win32/Rootkit.Agent.NSF trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\vbmac8a7.sys.vir a variant of Win32/Olmarik.AGN trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\IQ31c9s.dll.vir a variant of Win32/Olmarik.ADM trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\QG55a.dll.vir a variant of Win32/Olmarik.ADM trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP81\A0004985.sys Win32/Rootkit.Agent.NSF trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP81\A0004986.sys a variant of Win32/Olmarik.AGN trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP81\A0004987.dll a variant of Win32/Olmarik.ADM trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP81\A0004988.dll a variant of Win32/Olmarik.ADM trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP81\A0004989.exe Win32/Sirefef.BI trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\hlp.dat Win32/Bamital.DZ trojan 00000000000000000000000000000000 I


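The ESET log above has a regular shape: `# key=value` header lines followed by one detection per line (path, detection name, a 32-character field, and a flag), with paths that may contain spaces. As an added example that is not part of this thread and not ESET's own tooling, here is a small Python parser that reads that shape and sorts every hit by where it lives: ComboFix's quarantine folder (`C:\Qoobox`), a System Restore snapshot, or a live path that still needs attention. The sample log is a constructed excerpt modelled on the one posted; the regular expression and the path rules are my assumptions about the format, not an official specification.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample modelled on the ESET Online Scanner log posted in the thread
# (not a real scan result). Header lines are "# key=value"; each detection line is
# "<path> <detection name> <32-hex field> <flag>", and the path may contain spaces.
SAMPLE_LOG = r"""
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=false
# scanned=129444
# found=4
# cleaned=0
C:\Qoobox\Quarantine\C\WINDOWS\system32\USRINI~1.EXE.vir Win32/Sirefef.BI trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\vbmac8a7.sys.vir a variant of Win32/Olmarik.AGN trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP81\A0004985.sys Win32/Rootkit.Agent.NSF trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\hlp.dat Win32/Bamital.DZ trojan 00000000000000000000000000000000 I
"""

# Assumed line layout: anchoring on the trailing 32-hex field and flag lets the
# non-greedy path group absorb embedded spaces ("System Volume Information").
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<name>(?:a variant of )?\S+ \S+) "
    r"(?P<hash>[0-9A-Fa-f]{32}) "
    r"(?P<flag>\S+)$"
)


@dataclass
class Detection:
    path: str
    name: str
    flag: str
    category: str  # "quarantine", "restore_point" or "live"


def classify_path(path: str) -> str:
    """Assumed rules: C:\\Qoobox\\Quarantine is ComboFix's quarantine, and
    \\System Volume Information\\_restore holds System Restore snapshots.
    Both are inert copies; anything else is a live location."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "live"


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    """Return (header key/values, parsed detection lines); other lines are ignored."""
    header: Dict[str, str] = {}
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(
                Detection(m["path"], m["name"], m["flag"], classify_path(m["path"]))
            )
    return header, detections


def triage(detections: List[Detection]) -> Dict[str, List[str]]:
    """Group detection paths by category so inert leftovers are easy to set aside."""
    buckets: Dict[str, List[str]] = {"quarantine": [], "restore_point": [], "live": []}
    for d in detections:
        buckets[d.category].append(d.path)
    return buckets


def outstanding(header: Dict[str, str], detections: List[Detection]) -> List[str]:
    """Live-location hits the scan did not clean (found > cleaned). With
    remove_checked=false, as asked for above, nothing is cleaned by the scanner."""
    found = int(header.get("found", "0"))
    cleaned = int(header.get("cleaned", "0"))
    if cleaned >= found:
        return []
    return [d.path for d in detections if d.category == "live"]


if __name__ == "__main__":
    hdr, dets = parse_eset_log(SAMPLE_LOG)
    for cat, paths in triage(dets).items():
        print(f"{cat}: {len(paths)}")
    for p in outstanding(hdr, dets):
        print("needs attention:", p)
```

Run over the constructed sample, the two Qoobox entries and the restore-point entry land in the inert buckets, and only the `C:\WINDOWS\system32\hlp.dat` hit is reported as outstanding, which is the same distinction the helper draws in the next reply.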
----------



## oldman960 (Apr 8, 2010)

Hi rdizy,

Nothing to worry about with the latest detections. They are either files we have quarantined or old System Restore Points. All of these will be removed when we remove the tools.

This should get rid of that entry from Add/Remove programs.

*Next*, Double click on *OTL.exe* 

Under the *Custom Scans/Fixes* box at the bottom, paste in the following
*Do Not* copy the word *CODE*
please note the fix starts with the *:*


```
:services
 
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12CFADC5-C2B3-B677-AD0C-2205AEAFE494}]
```
Then click the *Run Fix* button at the top

Let the program run unhindered
No need to post the log.

We'll clean up the tools and send you on your way.

From your desktop, please delete, if present

any notepads/logs that we created
dds.scr
user.zip
run.bat
junction.exe
Inherit.exe
myfix.bat
SystemLook.exe
SystemLook.txt
You can also delete *C:\junction.txt*

Most of these tools were transferred via USB; you can delete them from that device along with any logs or notepads you saved to it.

*Next*
Click the *Start* button, click *Run*. Copy and paste the following line into the run box and click *OK*

*Combofix /uninstall*

Open *OTL* then click the *Clean Up* button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click *Yes*. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

I suggest you keep *MBAM*. Keep MBAM updated and use it regularly.

If you want to remove any leftover Norton you can use the removal tool. 
Download the *Norton Removal Tool* from *HERE* and save it to your desktop.

*Next* Double click on *Norton_Removal_Tool.exe* to run the tool.
Follow the on-screen instructions.

Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.

*Some Recommendations and prevention tips*
Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall.

* If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.
Click *FIREWALL* for tips, reviews and links to good, free and paid for firewalls. (*Note*: Zone Alarm is becoming bloatware, IMO)

You should also use *Spyware Blaster* to help immunize your computer.
- SpywareBlaster will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs.

*OR*
A guide to understanding and using the hosts file.
Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
*HOSTS*
*Please read the info on disabling the DNS Client before* installing a custom hosts file.

-Secure your *Internet Explorer*

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to *Prompt*
Change the Download unsigned ActiveX controls to *Disable*
Change the Initialize and script ActiveX controls not marked as safe to *Disable*
Change the Installation of desktop items to *Prompt*
Change the Launching programs and files in an IFRAME to *Prompt*
Change the Navigate sub-frames across different domains to *Prompt*
When all these settings have been made, click on the *OK* button.
If it prompts you as to whether or not you want to save the settings, press the *Yes* button.
Next press the *Apply* button and then the *OK* to exit the Internet Properties page.

- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the *Windows Update Site* (using Internet Explorer) and download and install all critical updates on a regular basis

- Ensure that Automatic Update is turned on so you get all the latest patches. 
Click start, control panel, click Security Center.

- Keep your antivirus program *updated*, as well as any other security programs you have.

-More tips and programs can be found *HERE*

- You may also want to read this article By Tony Klein
http://www.freedomlist.com/forum/viewtopic.php?t=22879

Post back when you are done. If you are satisfied please click the *Mark Solved* button at the top.

Take care


----------



## rdizy (Sep 4, 2010)

I cleaned everything up as per your instructions. Everything is now running as expected. Thanks so much for all your help. I really appreciate the time/effort.
Rick


----------



## oldman960 (Apr 8, 2010)

Hi rdizy,

Glad to hear it and you are more than welcome. 

Take care.


----------

