Infected with brastk.exe, karna.dat, antivirus2009...


ncs22
9 Nov 2008, 11:43pm
Hello. I'll start with posting some system info: I have Windows XP Home
(SP2), and I use an HP Pavilion dv4000 series laptop. I'll provide any more
relevant specs as required. Towards the end of this message I will supply
the HJT logfile.

My computer got infected recently, and here's how I started noticing the
problem...I was just browsing the web normally, when all of a sudden my
computer restarted by itself. When it did restart, I noticed several
peculiarities:

1. First of all, there was a little white "X" on a circular red background
in my system tray in the lower right of my screen, and this launched a
little bubble saying "Your computer is infected! Windows has detected a
spyware infection! It's recommended to use special antispyware tools to
pervent (sic) data loss. Windows will now download and install the most up-
to-date antispyware for you. Click here to protect your computer from
spyware!"

2. Also, I have McAfee VirusScan Plus (a free-edition suite from
AOL/McAfee). McAfee's shields seemed to have been shut down. All of the
real-time protections (av, as, scripts, etc..) were disabled, and I was not
able to re-activate them by clicking "Fix Now" in the McAfee main panel.

3. When I opened up Internet Explorer, my home page was no longer Yahoo!,
but Google. So, I went to Internet options to change this back to "Yahoo",
but, even after doing this, my home page continued to revert to Google upon
subsequent restarts of my system.

4. I tried opening up "fsbl.exe" from my desktop (the F-Secure Blacklight
anti-rootkit scanner), but it would not open.

5. I also was not able to access the online scanners NOD32 and TM Housecall.
These are in my "favorites" in IE, but, when I clicked on them, I would get
a message from Google saying "Oops! This link appears to be broken. Page not
found--connection failure."

6. Out of curiosity, I tried searching for random things on Yahoo and
Google. And I noticed that several (if not all) of the links either took me
to the wrong page or back to that Google message I mentioned in the previous
point.

7. I also have McAfee SiteAdvisor, but its ratings were no longer present
for Google or Yahoo search results (but the SA bar was still present at the
top of the screen). Also, the search results from these sites looked
weird...the font-size was larger than it used to be, and I could not return
it to the normal size.

8. I tried opening up HiJackThis from my desktop, but it would not open.

9. I tried restarting my computer several times, but, each time, a few
seconds after it restarted, I kept getting a Blue Screen. All Blue Screens
were followed by an immediate automatic restart.

Now, let me describe for you what I did...

I restarted my computer again..then, I ran a full McAfee scan. McAfee's
real-time protections were still disabled, but I was able to run a full on-
demand scan. It turned up 3 infections, all of which I removed from my
system (I cannot recall what or where these 3 infections were). Then, I ran
Windows Live OneCare online scanner (the only online scanner I was able to
access in my "favorites"). This found 2 different infections: I don't
remember one of them but the other was called
"TrojanDownloader:Win32/Renos". OneCare said that this infection was
comprised of 12 "items" on my system (I can supply these 12 items if
desired). It was able to delete all of them (as well as the 2nd general
infection that I couldn't recall). However, one of the deletions required me
to restart my system (the file in question was C:\Windows\system32\brastk.exe).
Anyway, I proceeded to do as WLOC suggested, and I restarted
my system. Now, there were a few positive changes I noticed after the
restart. First of all, my home page was back to normal (Yahoo). Secondly,
the McAfee shields were up and functioning again. Also, the little white "X"
symbol in my system tray was no longer there. So, now I proceeded to try
some more disinfection steps...here's what I did:

1. I tried opening NOD32 online scanner again, but it wouldn't work. I
couldn't access the web page where the scanner was to be found.

2. I tried opening the TM Housecall online scanner, but, again, I could not
access the web page.

3. I tried navigating to the web page where I can download IceSword (a
powerful anti-rootkit app) from, but I was not able to access the page.

4. I tried opening fsbl.exe (F-Secure Blacklight anti-rootkit) again from my
desktop. This time it opened up, and I was able to run a scan. But, the scan
finished VERY, VERY quickly..like in less than 1 minute. Usually it takes
more like 4 or 5 minutes to complete. Anyway, nothing suspicious was found.

5. Finally, I was able to open and run HiJackThis.

Another abnormal event I should note that occurred AFTER I ran the McAfee
and WLOC scans and restarted my computer (as per WLOC's suggestion): I got a
pop-up message while on the internet saying "Attention! Do you want to
install AntiVirus 2009 to scan your computer now?" Then, below, there were 2
options "OK" and "Cancel". Obviously, I chose the latter.

Next, I sent the log of HJT to a knowledgeable person, and he told me to
delete 2 entries: one pertaining to a Yahoo! toolbar (which I do not have in
either of my 2 browsers: IE7 and Firefox 3) and the other was called
"AppInit_DLLs: karna.dat". This latter item was entry O20 in the log. I went
ahead and deleted both. Then, this person to whom I sent the log told me to
reboot my machine (I did), make sure that these 2 HJT entries were still
absent (they were), check to see if I could now open the other online
scanners (I could not), reboot into Safe Mode w/ Networking if I could not
open those scanners (I did), and try opening the scanners from there (they
still did not open). When I tried opening them from Safe Mode w/ Networking,
I got sent to a page saying "IE could not open the page" or something like
that.

So, the next thing I did was reboot back into Normal mode. When I did this,
I discovered that several of the initial problems I reported above were
back: that little white "X" was back in my system tray, McAfee's real-time
protections were disabled again, my home page had been converted from Yahoo!
to Google again, I still got sent to that "Google Oops" screen when trying
to open NOD32 and TM Housecall online scanners, Yahoo! and Google search
result links were still taking me to wrong pages, SiteAdvisor ratings were
still absent from Yahoo! and Google search results (and the search results
still looked odd as described above), and HJT would not open again from my
desktop (HJT failed to open in Safe Mode, as well).

I proceeded to try other online scanners (Norton, Panda, and Ewido), but
they all failed in normal mode (I didn't try these 3 in safe mode, since I
assumed they would fail just as NOD32 and TM Housecall had). I then tried
installing the Scan-Only (free) version of Webroot Antivirus with
Antispyware. This resulted in a Blue Screen (the contents of which I can
supply, if needed) towards the very end of the installation process. So, I
went ahead and tried installing it in safe mode with networking. To do this,
I first downloaded the Webroot Safe Mode Installer to my desktop (since the
Windows Installer doesn't work in safe mode). Then, I opened up the Webroot
Antivirus with Antispyware installation file from my desktop and tried to
install it once again (in safe mode this time). But once again, I got the
same Blue Screen message towards the very end of the installation process.
So, currently, this particular software cannot be installed on my machine in
EITHER normal or safe mode.

Now, there are a few more observations I would like to mention:

1. From safe mode (with networking), I opened up msconfig, and I found an
entry with the startup name "brastk", the command "brastk.exe", and the
location "HKLM\SOFTWARE\Microsoft\Windows\CurrentVer." I disabled this
entry. But, upon a reboot into normal mode, this seems to have made no
difference: brastk started up again.

2. I found "brastk.exe" running in my Task Manager (in normal mode). I
clicked "end process" for it. But, on subsequent restarts of my system, it
always comes back.

3. In safe mode with networking, I did a computer search for "brastk.exe"
and "karna.dat". Each of these were found in C:\WINDOWS and
C:\WINDOWS\System32. This discovery was made subsequent to the scans by
McAfee, WLOC (which apparently was supposed to have deleted brastk.exe from
these 2 locations), and HJT (which apparently was supposed to have deleted
karna.dat). I did not try to delete them, though, because I highly doubted
it would have made any difference. I also found entries in my registry with
the data names "brastk" and "karna."

4. McAfee has quarantined a trojan called "NTRootkit-AC" located in
C:\WINDOWS\system32\drivers\beep.sys. I also saw an entry called "beep" in
my registry (this was the "data" name).

5. I found a malicious file called "delself.bat" in c:\WINDOWS\system32. I
also saw a data name in my registry called "delself". This is apparently
associated with infections by brastk.exe and karna.dat.

6. I found the following data names in my registry (which are apparently
associated with infections by brastk.exe and karna.dat): braviax, figaro,
scvhost (NOT svchost), 2009, antivirus2009, wini10581.exe, univrs32, and
internet. I'm not sure if "internet" is malicious or not, but it was located
along with these other entries. These are just some possible malicious
entries that I found....there may be more.

7. I did some research, and someone said that this malware I seem to have
can corrupt/infect csrss.exe (in C:\WINDOWS\system32) and also winlogon.exe
(same location). I am not sure if mine are infected, though. I also found an
entry with the data name "csrss" in my registry...this was located along
with the malicious entries noted in the previous point.

8. I have tried creating a manual restore point on my machine, but it does
not work. The virus seems to have shut down my ability to do this.

9. While surfing the internet, I got a Blue Screen with the following
message: "Page_fault_in_nonpaged_area."

10. I continue to be unable to reactivate McAfee's real-time shields in Safe
Mode w/ Networking.

11. I have Webroot Window Washer on my system. This has an option to wipe
the entire Free Space on my hard drive. Out of curiosity, I tried performing
this task from both normal and safe modes, but it would not start
(wwDisp.exe was having trouble launching).

12. I tried defragmenting my hard drive using Windows' own built-in
defragmenter, but it would not start from either mode.

13. From normal mode, in Internet Explorer 7, I went to "Tools" and then
"Manage Add-Ons" to see if there was anything odd there. I didn't see any
malicious entries, but, under "Add-Ons currently loaded", there were only 3
entries there: one for the Google Toolbar (which I have), one for the
SiteAdvisor toolbar (which I also have), and one which just said "research".
Usually, there are SEVERAL entries listed here...not just 3.

14. The Google "PageRank" meter doesn't work any more (this is a small bar
that informs you about the "importance" of a page).

And here is my HJT logfile (note: the Google Toolbar listing is OK, since I
normally have that installed on my system):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:21:12 PM, on 11/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169784257281
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: karna.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. (www.webroot.com (http://www.webroot.com)) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 6505 bytes

Thanks very much...I appreciate anyone's help.

Veka
10 Nov 2008, 2:14am
Hi and welcome to the forums. :)

Please read the instructions before doing anything else. That will make things easier for you.


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See HERE (http://www.bleepingcomputer.com/forums/topic114351.html) for help.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

For more information, please read A guide and tutorial on using ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

ncs22
10 Nov 2008, 7:23am
Hi Verkappe. Thank you so much for your prompt response. I am, however, having a couple of problems with your last post:

1. None of the 3 links you provided to obtain combofix.exe works. Whenever I click any of the links, I get taken to a Google page saying "Oops! This link appears broken. Page not found--connection failure." Do you know of any other place from which I can download combofix?

2. I'm a little worried that combofix will not be able to automatically download the Windows Recovery Console. This is because when I tried visiting the Microsoft support site from which one can download the Console directly to the desktop (the link to this Microsoft site was in the ComboFix info page from bleepingcomputer.com), I was taken to the "Google Oops" screen. If the virus is preventing me from accessing that page, maybe it will prevent ComboFix from automatically finding and downloading it, as well?

Thanks so much...I appreciate your assistance.

Veka
10 Nov 2008, 10:50am
Those download links work well here, so there is something in your computer that prevents you. It might also be that you're not able to download any other tools either. In that case, you will need to use another computer to transfer the tools to the infected machine.


Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) to your desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following:

Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
Press any key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

ncs22
10 Nov 2008, 6:29pm
Hi Vekarppe. I tried clicking the link for SDFix, but I got sent to a page saying "Internet Explorer cannot display the webpage." However, I did find another link from which I can download combofix.exe. It is this:

www.plunder.com/ComboFix-exe-download-156163.htm (http://www.plunder.com/ComboFix-exe-download-156163.htm)

Is this a safe site from which to download this file?

Also, I just searched and I found another site from which I can download SDFix.exe...it is this:

http://files.aoaforums.com/I3709-SDFix.exe.html
Is this a safe site from which to download SDFix?

Which one of these would you prefer that I download at this time?


Thanks again

Veka
10 Nov 2008, 8:05pm
I don't know about those sites, but I uploaded the file to MediaFire.

http://www.mediafire.com/download.php?hryninowzyn

ncs22
10 Nov 2008, 11:31pm
Hi Vekarppe. Thanks so much for SDFix...it seems to have removed at least some infections and solved some of my "symptoms". The internet is now faster, the Google links work again, and McAfee's shields are active again, also. Here is my SDFix log, followed by my HJT log:


SDFix: Version 1.240
Run by xp on Mon 11/10/2008 at 05:57 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :

Restoring Default Security Values
Restoring Default Hosts File
Resetting AppInit_DLLs value

Rebooting

Checking Files :
Trojan Files Found:
C:\WINDOWS\brastk.exe - Deleted
C:\WINDOWS\karna.dat - Deleted
C:\WINDOWS\system32\av.dat - Deleted
C:\WINDOWS\system32\brastk.exe - Deleted
C:\WINDOWS\system32\delself.bat - Deleted
C:\WINDOWS\system32\karna.dat - Deleted
C:\WINDOWS\system32\TDSSdxcp.dll - Deleted
C:\WINDOWS\system32\TDSSshyf.dll - Deleted
C:\WINDOWS\system32\TDSSwppe.dat - Deleted
C:\WINDOWS\system32\TDSSnmxh.log - Deleted
C:\WINDOWS\system32\TDSSkkao.log - Deleted
C:\WINDOWS\system32\TDSSwubs.log - Deleted

Could Not Remove C:\WINDOWS\system32\TDSSottu.dll
Could Not Remove C:\WINDOWS\system32\TDSScrrn.dll
Could Not Remove C:\WINDOWS\system32\TDSSbvqh.dll
Could Not Remove C:\WINDOWS\system32\TDSSjpmr.dll
Folder C:\Program Files\Microsoft Security Adviser - Removed

Removing Temp Files
ADS Check :


Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 18:14:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...
disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\xp\ntuser.dat, 0
scanning hidden files ...
disk error: C:\WINDOWS\
please note that you need administrator rights to perform deep scan
Remaining Services :


Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
C:\WINDOWS\system32\TDSSottu.dll Found
C:\WINDOWS\system32\TDSScrrn.dll Found
C:\WINDOWS\system32\TDSSbvqh.dll Found
C:\WINDOWS\system32\TDSSjpmr.dll Found
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 7 Jul 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 12 Sep 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Fri 12 Sep 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Mon 7 Jul 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 2 Oct 2006 50,280 A..H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Finished!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:25:16 PM, on 11/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169784257281
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. (www.webroot.com (http://www.webroot.com)) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 6522 bytes

Thank you so much..

Veka
11 Nov 2008, 5:51am
You're welcome. It seems, however, that SDFix failed to remove some of the viruses. Please try to run ComboFix now as instructed above. Let me know if you still can't do that.

ncs22
11 Nov 2008, 6:21am
Hi Vekarppe...I was thankfully able to run ComboFix, and I have provided its log below. Also, I had one question about the SDFix: while using it, it said "protective host files such as MVPS/HP hosts or Spybots Immunizer feature should be reapplied after using SDFix." Do I need to do anything in this regard?

And here is the ComboFix report....thanks once again:

ComboFix 08-11-10.01 - xp 2008-11-11 1:07:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.243 [GMT -5:00]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\drivers\TDSSmxwe.sys
c:\windows\system32\TDSSbvqh.dll
c:\windows\system32\TDSScrrn.dll
c:\windows\system32\TDSSdxcp.dll
c:\windows\system32\TDSSjpmr.dll
c:\windows\system32\TDSSkkao.log
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSottu.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSshyf.dll
c:\windows\system32\TDSSwppe.dat
c:\windows\system32\TDSSwubs.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.
2008-11-10 17:49 . 2008-11-10 17:49 <DIR> d-------- c:\windows\ERUNT
2008-11-10 17:35 . 2008-11-10 18:14 <DIR> d-------- C:\SDFix
2008-10-29 12:23 . 2008-10-29 12:23 <DIR> d-------- C:\Binaries
2008-10-29 12:22 . 2008-10-12 12:18 1,553,272 --a------ c:\windows\WRSetup.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 16:17 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-01 17:37 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-01 17:37 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2008-11-01 17:37 170,608 ----a-w c:\windows\system32\drivers\ssidrv.sys
2008-11-01 17:33 164 ----a-w C:\install.dat
2008-10-31 03:10 --------- d-----w c:\program files\Windows Live Safety Center
2008-10-29 17:24 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2008-10-29 17:22 --------- d-----w c:\program files\Webroot
2008-10-29 17:22 --------- d-----w c:\documents and settings\xp\Application Data\Webroot
2008-10-18 21:59 --------- d-----w c:\program files\EsetOnlineScanner
2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-09 21:43 --------- d-----w c:\program files\Google
2008-10-07 17:59 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-07 17:59 --------- d-----w c:\program files\Trend Micro
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 07:57 --------- d-----w c:\program files\McAfee
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\dllcache\win32k.sys
2008-09-05 21:47 140 ----a-w c:\documents and settings\xp\Application Data\wklnhst.dat
2008-08-28 10:04 333,056 ----a-w c:\windows\system32\dllcache\srv.sys
2008-08-27 08:24 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 10:00 2,180,352 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 10:00 2,180,352 ----a-w c:\windows\system32\dllcache\ntoskrnl.exe
2008-08-14 09:58 2,136,064 ----a-w c:\windows\system32\dllcache\ntkrnlmp.exe
2008-08-14 09:51 138,368 ----a-w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:22 2,057,728 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-08-14 09:22 2,057,728 ----a-w c:\windows\system32\dllcache\ntkrnlpa.exe
2008-08-14 09:22 2,015,744 ----a-w c:\windows\system32\dllcache\ntkrpamp.exe
2007-02-10 18:55 108,330 -c--a-w c:\documents and settings\All Users\Application Data\firstlsp.reg.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-03-29 233534]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySecurer.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SECUREMAKER.lnk]
backup=c:\windows\pss\SECUREMAKER.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-10 08:47 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2004-12-03 15:24 290816 c:\program files\HPQ\Quick Launch Buttons\eabservr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2005-05-04 12:59 794624 c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-10 09:51 289064 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a--c--- 2004-10-14 15:54 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a--c--- 2004-08-06 10:27 860160 c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a--c--- 2004-10-14 11:11 1388544 c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-06-03 05:52 36975 c:\program files\Java\jre1.5.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra--c--- 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
--a------ 2007-11-26 13:47 1206600 c:\program files\Webroot\Washer\wwDisp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a--c--- 2005-04-13 05:12 88209 c:\windows\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-11-01 29808]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-09-08 198944]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2008-10-12 1066360]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [2007-11-26 598856]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys [ ]
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-11-07 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe []
2008-07-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
2008-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
2008-06-24 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -
HKU-Default-Run-brastk - c:\windows\system32\brastk.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\xp\Application Data\Mozilla\Firefox\Profiles\a2qcmsr0.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF -: plugin - c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 01:10:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????5?1?5?0??????? ???B?????????????hLC? ??????
scanning hidden files ...

c:\docume~1\xp\LOCALS~1\Temp\RGI6.tmp
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmxwe.sys"
.
Completion time: 2008-11-11 1:11:54
ComboFix-quarantined-files.txt 2008-11-11 06:11:51
Pre-Run: 84,460,855,296 bytes free
Post-Run: 84,458,733,568 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
197 --- E O F --- 2008-10-24 18:01:25

Veka
11 Nov 2008, 10:04pm
Looks good now.

How is your computer running?


Let's update your old Java:

Please download JavaRa (http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn) and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***


Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.

Then download and install Java SE Runtime Environment (JRE) 6 Update 10 (http://java.sun.com/javase/downloads/index.jsp).

ncs22
13 Nov 2008, 4:44am
Hi Vekarppe. Thanks so much for your assistance. I downloaded and installed the latest Java Update that you provided. My system seems much better at the moment, and almost all of the problems that I mentioned in my initial post are no longer present...however, I had a few questions on which I would appreciate your input:

1. While using SDFix, I got a message from it saying "Protective Host files such as MVPS/HP hosts or Spybots Immunizer feature should be reapplied after using SDFix." I don't have Spybot, but do I need to do anything regarding MVPS/HP hosts (or any other "protective host files")?

2. Do you recommend that I reset System Restore?

3. Do you recommend that I keep SDFix, Combofix, and the Microsoft Windows Recovery Console (including any items placed into quarantine by SDFix/Combofix)?

4. Are there any other scanners you recommend that I should use to be CERTAIN that ALL infections are gone from my machine?

Also, I am currently searching my computer for malicious files or registry entries...I will of course inform you about anything that I find.

Thanks again

Veka
13 Nov 2008, 9:02am
Hey. Regarding your first question, if you don't know what a custom HOSTS file is or whether you're using such a thing, there is nothing to worry about. However, if you are interested in the issue, you can check this site > http://www.mvps.org/winhelp2002/hosts.htm

We will clean System Restore and remove all used tools later.


Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to:

Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware


Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

ncs22
13 Nov 2008, 10:27pm
Hi Vekarppe. Thanks so much for providing me with MBAM...it found 38 infections!! I was utterly surprised by this, since most of the "symptoms" on my machine had vanished after running SDFix and ComboFix. Are there any other scanners I should use? Who knows if MBAM caught everything? Anyways, here's the logfile of MBAM...and thanks again:

Malwarebytes' Anti-Malware 1.30
Database version: 1395
Windows 5.1.2600 Service Pack 2
11/13/2008 5:08:08 PM
mbam-log-2008-11-13 (17-08-08).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 103915
Time elapsed: 32 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 37
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSbvqh.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScrrn.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSjpmr.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSottu.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSmxwe.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0132775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0133775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0138775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0138776.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0139775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0142775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0142776.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0143775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0144775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0144776.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0147775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0147776.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0148775.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0148776.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0148777.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0148778.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0149777.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0151779.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0151780.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0152781.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0152782.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0152783.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0152784.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0153783.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0153784.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0154783.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0155783.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0155784.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0155785.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0155786.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0155787.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP590\A0149778.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Veka
14 Nov 2008, 12:19am
Actually MBAM just removed infected files from System Restore and ComboFix's quarantine.

Congrats! Your computer is clean! :clap:

Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.


Click Start then Run
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"

Note: Do not use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended to be used under the guidance and supervision of an expert, not for private use.


Please download OTMoveIt3 (http://oldtimer.geekstogo.com/OTMoveIt3.exe) by OldTimer and save it to your desktop.


Double-click OTMoveIt3.exe to run it.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


===========================================

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Clean up System Restore

You can find instructions on how to disable and enable System Restore from these guides:

Disable And Enable System Restore (http://forums.majorgeeks.com/showthread.php?t=31668)
Windows XP System Restore Guide (http://www.bleepingcomputer.com/tutorials/tutorial56.html)

Make Your Internet Explorer More Secure

This can be done by following these simple instructions:


From within Internet Explorer click on the tools menu and then click on Options
Click once on the "Security" tab
Click once on the "Internet" icon so it becomes highlighted
Click once on the Custom Level button.

Change the "Download signed ActiveX" controls to Prompt
Change the "Download unsigned ActiveX" controls to Disable
Change the "Initialize and script ActiveX controls" not marked as safe to Disable
Change the "Launching programs and files in an IFRAME" to Prompt
Change the "Navigate sub-frames across different domains" to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.


Next press the Apply button and then the OK to exit the Internet Properties page.

Note that Internet Explorer is not the most secure browser. There are safer alternatives available like Opera (http://www.opera.com/) and Firefox (http://www.mozilla.org/products/firefox/).

Keep Your System Up to date

It is imperative that you keep your Windows, Antivirus, and other software up to date. Otherwise you are not protected against new threats and your system is vulnerable and unsafe. Update your Antivirus software at least once a week, and visit the Microsoft Windows Update (http://www.windowsupdate.com) site regularly.

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Additional Utilities and Tips to Enhance Your Safety


MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) --- The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) --- Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) --- Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Get more knowledge about how to protect your computer and prevent malware issues by reading these short articles:


12 Ways to get Infected (http://forums.subratam.org/index.php?showtopic=10086) by tashi
How to prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) by miekiemoes
So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html) by Tony Klein
Ten Commandments for Your Computer Sanity (http://icrontic.com/forum/showthread.php?t=39435) by BitDefender


Have a nice computing day and stay clean. :)

ncs22
14 Nov 2008, 6:31am
Hi Vekarppe...thanks so much for your assistance and for making the disinfection of my computer so easily accomplished...rarely have I received such efficient help online. There were just a few other things I was curious about before I follow the steps in your last post:

1. I searched for and found the files "brastk.exe", "karna.dat", and "delself.bat" in the "backups" folder. Are these problematic or indicative of more infections on my system? Can I safely delete these?

2. I found some registry entries pertaining to brastk.exe in my registry (using RegEdit). For example, I found the following:

My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
C:\Windows\system32\brastk.exe REG_SZ brastk

I also found a couple of entries pertaining to delself.bat. Should I delete these manually, or are they basically harmless (since the scanners didn't catch them)? If they are harmful, should I go ahead and search for/delete any other particular "keywords" in RegEdit that may point to an infection?

3. Somebody sent me the following information regarding registry changes which occur with the brastk.exe virus:


"Information
A malicious backdoor trojan that runs in the background and allows remote access to the compromised system.

File
<System>\brastk.exe
<System>\delself.bat
<System>\dllcache\beep.sys
<System>\dllcache\figaro.sys


Registry
Created Registry Values: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
1208 = 0x00000000
2500 = 0x00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
1208 = 0x00000000
2500 = 0x00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
1208 = 0x00000000
2500 = 0x00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
1208 = 0x00000000
2500 = 0x00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
1208 = 0x00000000
2500 = 0x00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
brastk = "%System%\brastk.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Enable Browser Extensions = "yes"
Search Bar = "http://www.google.com/ie"
[HKEY_CURRENT_USER\Software\Microsoft\Security Center]
AntiVirusDisableNotify = 0x00000001
FirewallDisableNotify = 0x00000001
UpdatesDisableNotify = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
brastk = "%System%\brastk.exe"

Registry Values were modified:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Search_URL = "http://www.google.com/ie"
Search Page = "http://www.google.com"
Start Page = "http://www.google.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
SearchAssistant = "http://www.google.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
1201 = 0x00000000
1804 = 0x00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
1201 = 0x00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
1201 = 0x00000000
1804 = 0x00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
1201 = 0x00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
1200 = 0x00000000
1201 = 0x00000000
1608 = 0x00000000
1804 = 0x00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Start Page = "http://www.google.com"
Search Page = "http://www.google.com"


ATTENTION
Once the virus is installed on your computer, it will connect to http://do-scan-progress.com/?wmid=1058&l=33&it=2&s=1 and try to download a file named wini10581.exe, put it in the Windows directory and install an application called XP AntiSpyware 2008 (or 2009) or XP AntiVirus 2008 or 2009."


I noticed that at least some of the registry entries under "created registry values" and "registry values were modified" were present in my registry. Should I delete them, or leave them alone? And what if there are any other "created" or "modified" values in my registry (maybe as a result of viruses OTHER than brastk.exe)? Is there any other action I should take based on all of this information?

Thanks again

Veka
15 Nov 2008, 10:08am
Please download RegSearch (http://download.bleepingcomputer.com/steelwerx/regsearch.zip) by Bobbi Flekman.


Download and extract the contents of the zip file.
Double-click the icon for RegSearch.exe to launch the program.
Enter a string "brastk.exe" to search for and click OK.
After completion Notepad will be opened with all the found instances of the string.
The resulting file is saved in the same location as RegSearch.exe.
Post the search results.

ncs22
16 Nov 2008, 6:19am
Hi Vekarppe...I had a few issues to discuss here, so I'll divide this post into 3 parts:

A. I have run the RegSearch and provided the logfile below. Out of curiosity, I searched my registry for ALL malicious items from the logfiles of SDFix, ComboFix, and MBAM. I found only one other item in my registry that perhaps matches something that ComboFix found during its scan (setup.inf)...here is the logfile:

Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0
; Results at 11/15/2008 11:14:05 PM for strings:
; 'brastk.exe'
; 'setup.inf'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{166B1BCA-3F9C-11CF-8075-444553540000}\DownloadInformation]
"INF"="C:\\WINDOWS\\Downloaded Program Files\\setup.inf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{233C1507-6A77-46A4-9443-F871F945D258}\DownloadInformation]
"INF"="C:\\WINDOWS\\Downloaded Program Files\\setup.inf"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\brastk.exe"="brastk"
; End Of The Log...

B. Also, I searched my registry with Regedit and found 2 entries relating to "delself.bat" (a malicious file which has been deleted from my system already).....can I safely delete these?:

1. My Computer\HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache
name: C:\Windows\system32\delself.bat
type: REG_SZ
data: delself

2. My Computer\HKEY_USERS\s-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache
name: C:\Windows\system32\delself.bat
type: REG_SZ
data: delself


C. And lastly, should I delete/modify any of the registry entries from the list that I provided in my previous post? For example, according to that list, 2 registry entries that are "created" by the brastk.exe virus are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
1208 = 0x00000000
2500 = 0x00000003

I found both of these on my system...should I delete them?

I also found some of the entries that are apparently "modified" by the brastk.exe virus...do I need to "re-modify" them back to their normal forms?

Thanks once again very much...
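As an added example (not code from the thread or from any tool mentioned in it), here is a Python script that parses a RegSearch/regedit .reg export like the log above and flags entries matching the indicators quoted in the brastk writeup in the previous post. The sample export and the matching rules are constructed from the values quoted in the thread; a hit on an IE zone or start-page value only means it equals what the writeup lists, not that malware necessarily set it.

```python
"""Flag registry entries matching the brastk.exe indicators in a .reg export.

Constructed example: the parser handles the text format RegSearch and regedit
produce ([key] headers, "name"="string" and "name"=dword:xxxxxxxx lines).
Multi-line hex values and other types are skipped, not decoded.
"""
import re

# Indicators taken from the writeup quoted in the thread.
SUSPICIOUS_FILENAMES = ("brastk.exe", "delself.bat", "karna.dat", "wini10581.exe")
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
SECURITY_CENTER_KEY = r"hkey_current_user\software\microsoft\security center"
DISABLE_NOTIFY_VALUES = ("antivirusdisablenotify", "firewalldisablenotify",
                         "updatesdisablenotify")
IE_MAIN_SUFFIX = r"\software\microsoft\internet explorer\main"
IE_MAIN_VALUES = ("start page", "search page", "default_search_url", "search bar")
HIJACK_URLS = ("http://www.google.com", "http://www.google.com/ie")
ZONE_KEY_RE = re.compile(r"\\internet settings\\zones\\[0-4]$")
# (value name, dword data) pairs listed as created/modified in the writeup.
ZONE_SETTINGS = {("1208", 0), ("2500", 3), ("1201", 0), ("1804", 1),
                 ("1200", 0), ("1608", 0)}

VALUE_LINE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def decode_data(data):
    """Turn a .reg data literal into a Python value: str for quoted strings,
    int for dword:, otherwise the raw literal."""
    if data.startswith('"') and data.endswith('"'):
        return unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data


def parse_reg(text):
    """Yield (key, value_name, data) triples; default values get name '@'."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or \
                line.lower().startswith("windows registry editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE_RE.match(line)
        if m and key is not None:
            name = "@" if m.group(1) is None else unescape(m.group(1))
            yield key, name, decode_data(m.group(3))


def find_indicators(reg_text):
    """Return [(reason, key, name, data)] for entries matching the indicators."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        k, n = key.lower(), name.lower()
        text_data = data.lower() if isinstance(data, str) else ""
        haystack = "%s %s %s" % (k, n, text_data)
        fname = next((f for f in SUSPICIOUS_FILENAMES if f in haystack), None)
        if fname:
            where = "autostart (Run) entry" if k.endswith(RUN_KEY_SUFFIX) else "entry"
            findings.append(("%s references %s" % (where, fname), key, name, data))
        elif k == SECURITY_CENTER_KEY and n in DISABLE_NOTIFY_VALUES and data == 1:
            findings.append(("Security Center notification suppressed", key, name, data))
        elif k.endswith(IE_MAIN_SUFFIX) and n in IE_MAIN_VALUES and \
                isinstance(data, str) and data.lower() in HIJACK_URLS:
            findings.append(("IE start/search page matches writeup", key, name, data))
        elif ZONE_KEY_RE.search(k) and (name, data) in ZONE_SETTINGS:
            findings.append(("IE zone setting listed in writeup", key, name, data))
    return findings


# Constructed sample in the format RegSearch / regedit exports use.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
; Registry Search (constructed sample, not a real export)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\brastk.exe"="brastk"
"C:\\WINDOWS\\system32\\notepad.exe"="Notepad"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"brastk"="%System%\\brastk.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1208"=dword:00000000
"1A00"=dword:00020000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"
'''

if __name__ == "__main__":
    for reason, key, name, data in find_indicators(SAMPLE_REG):
        print("%-45s [%s] %s = %r" % (reason, key, name, data))
```

Run it against the RegSearch output (the .reg file saved next to RegSearch.exe) by reading that file into find_indicators instead of SAMPLE_REG.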

Veka
16 Nov 2008, 11:49am
You can use a registry cleaner (such as CCleaner) to remove invalid and orphaned entries. CCleaner (http://www.ccleaner.com/) is a free system optimization, privacy and cleaning tool. If you wanna clear out your registry manually, you can remove at least all MUICache items you listed. I strongly suggest that you do a backup of your registry before making any changes.

To reset Internet Explorer 7 security settings, please follow the instructions here

http://pcsupport.about.com/od/fixtheproblem/ht/ie7securitydef.htm

ncs22
16 Nov 2008, 7:02pm
Hi Vekarppe...thanks again for your help and recommendations. I just had 2 final questions for now:

1. Are you quite sure my computer is completely disinfected now? (so it would be safe to enter personal info/credit card info online?)

2. My free McAfee/AOL suite clearly failed me badly this time. Can you recommend a good FREE antivirus/antispyware/firewall (whether it be a suite or separate apps)?

Thanks again

Veka
16 Nov 2008, 8:08pm
I just had 2 final questions for now

Go ahead! :)

1. Are you quite sure my computer is completely disinfected now? (so it would be safe to enter personal info/credit card info online?)

Yes, your computer seems to be clean. No malware lurking there anymore.

2. My free McAfee/AOL suite clearly failed me badly this time. Can you recommend a good FREE antivirus/antispyware/firewall (whether it be a suite or separate apps)?

With pleasure.

There are two AntiVirus (free, of course) I'd recommend: avast! Home Edition (http://www.avast.com/eng/download-avast-home.html) and Avira AntiVir Personal (http://www.free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html).

Both of these do an excellent job. Note: use only one AntiVirus at a time!

As a FireWall, I recommend Comodo Firewall Pro (http://www.filehippo.com/download_comodo/). Can't find better.

Comodo also has a free Security Suite that consists of AntiVirus and FireWall; more information here (http://www.personalfirewall.comodo.com/index.html).

I'm using Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and a-squared Free (http://www.emsisoft.com/en/software/download/) as my AntiSpyware tools.


There are also other ways to protect the computer.

For example, I'm not using any AntiVirus program at the moment; instead I have DriveSentry (http://www.drivesentry.com/) proactive defence. Comodo Firewall includes similar protection (Defense+).

Other interesting tools are Sandboxie (http://www.sandboxie.com/) and Returnil Virtual System (http://www.returnilvirtualsystem.com/).

Last, don't forget backups!

Have a good night. :)

ncs22
17 Nov 2008, 6:24pm
Thanks Vekarppe for your security software recommendations...I was in particular wondering if the DEFAULT settings would be okay for the following?:

avast! home ed.
avira antivir personal
comodo firewall pro
comodo free suite

Also, for the comodo free suite, does that actively guard against spyware, too?

Thanks so much...

Veka
17 Nov 2008, 6:49pm
Hi. You should use only one AntiVirus program for doing real-time scanning and mail. Having two running in the memory may interfere with each other creating serious problems regarding security vulnerability as well as system stability. Same thing applies with Firewalls also - use only one at a time.

In this case, choose either avast or AntiVir and one Firewall (Comodo).
Or you can use Comodo Suite that consists of both (AntiVirus and Firewall).

If you're asking my recommendation, I would choose Comodo and Avast/AntiVir.

ncs22
17 Nov 2008, 11:09pm
Hi Vekarppe...thank you for all of your security recommendations. Just one final thing: you provided me instructions for deleting ComboFix..but is there any special procedure for deleting SDFix or RegSearch?

Thanks again

Veka
18 Nov 2008, 6:33am
Have you tried this:

Please download OTMoveIt3 (http://oldtimer.geekstogo.com/OTMoveIt3.exe) by OldTimer and save it to your desktop.


Double-click OTMoveIt3.exe to run it.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not, delete it by yourself.

You can remove RegSearch manually. Just delete files.

ncs22
20 Nov 2008, 6:09am
Hi Veka. Today I ran MalwareBytes again, just to be sure everything was OK...but it actually found 3 more infections (all of which I deleted). I also ran the free (scan-only) version of Webroot Spy Sweeper, and it found 1 piece of adware. Since my system still does not seem to be 100% free of infections, do you think it's a good idea to run a LOT of different scanners, just to be sure? Maybe I can use some online (browser-based) ones, so I don't have to necessarily INSTALL a lot of new software to do this...

Thanks again

Veka
20 Nov 2008, 10:12am
Hello. Of course the computer isn't clean, if it's infected again. What did MBAM find, exactly?

ncs22
20 Nov 2008, 6:33pm
Hi Veka...here is what MBAM found:

A. Files Infected:
1. C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP593\A0156133.sys (Trojan.Downloader) -> Quarantined and deleted successfully.

2. C:\WINDOWS\system32\drivers\ttul.sys (Trojan.Downloader) -> Quarantined and deleted successfully.

B. Registry Keys Infected:
1. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mukyojz (Trojan.Downloader) -> Quarantined and deleted successfully.

2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mukyojz (Trojan.Downloader) -> Quarantined and deleted successfully.

Veka
20 Nov 2008, 9:05pm
Interesting. It seems that MBAM failed to recognize these last time. Did you update MBAM before the scan?

Please do a final scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)

Note: Internet Explorer should be used


Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

Spyware, Adware, Dialers, and other potentially dangerous programs
Archives


Click on My Computer under Scan and then put the kettle on!
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste the report into your next reply.

ncs22
21 Nov 2008, 4:20am
Hi Veka...I did do a manual update of MBAM prior to running it. Perhaps that is how it was able to detect these 4 infections this time, while missing it the last time. Here is my Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, November 20, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, November 20, 2008 20:06:26
Records in database: 1397677
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Files scanned: 50596
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:37:45

File name / Threat name / Threats count
C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
The selected area was scanned.

I have not deleted anything yet..

Veka
21 Nov 2008, 6:48am
That is related to AOL. Do you use any AOL products?

ncs22
21 Nov 2008, 6:59pm
Hi Veka...actually, I never use any AOL products at all. I do have AOL on my system (when I go to START>ALL PROGRAMS>ONLINE SERVICES>AOL). But when I click on AOL, a box comes saying "Launch AOL installer: choose country". Then there is a list of countries. I of course just clicked "cancel". How do I get rid of this particular malware?

Thanks

Veka
21 Nov 2008, 7:48pm
Actually, this isn't malware; it's a legit AOL file. It just happens to have embedded adware, like many applications these days.

ncs22
21 Nov 2008, 10:11pm
Hi Veka..thanks for the clarification about this AOL adware...I will just leave it alone. I am planning on running several additional standard antivirus scanners, just to be absolutely sure everything is OK (since I know each scanner uses a different signature database)...I will of course promptly let you know if I find anything malicious..

One other important note: sometimes (especially during antivirus scans of my machine) my McAfee firewall throws up an alert of the following type:

McAfee has blocked a potentially unwanted program (PUP) on your computer. If you do not recognize it, we recommend that you remove the program.
About this Potentially Unwanted Program
Name: Tool-NirCmd
Location: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP599\A0156375.com
Spyware, adware, and other potentially unwanted programs can harm your computer, compromise its security, and damage valuable files.

Then it gives 3 options:
1. Remove this program
2. Trust this program
3. Close this alert

I normally choose option 1, but I keep getting alerts for this "Tool-NirCmd" anyway. After I click "remove this program", a message comes asking if I want to use McAfee's uninstaller to remove the program or if I want to manually remove it using the vendor's own uninstaller. I always choose the former. It is possible that, for each alert, the exact LOCATION of Tool-NirCmd is different. Do you have any advice on all of this?



Thanks so much once again

Veka
22 Nov 2008, 6:50am
Just Clean up System Restore.

You can find instructions on how to disable and enable System Restore from these guides:

Disable And Enable System Restore (http://forums.majorgeeks.com/showthread.php?t=31668)
Windows XP System Restore Guide (http://www.bleepingcomputer.com/tutorials/tutorial56.html)

ncs22
22 Nov 2008, 9:48pm
Hi Veka...thanks for reminding me about cleaning up System Restore..that's one step I forgot to do. I also wanted to mention that there seems to be something wrong with my Java. I installed the latest version that you provided, but I have since received 2 messages pointing to a potential problem with Java:

1. When I ran the Kaspersky online scanner, I initially received a warning box saying "Starting Java Applet has failed...please go online to use program." Then I clicked "OK" and the scanner started working normally.

2. I tried using the Trend Micro Online scanner, and usually I am able to do so using the "Java-based kernel", but this time there was a warning next to this option saying "Java support is disabled on your system or no Java runtime environment is installed. If you want to use the Java-based Housecall kernel, please enable or install a Java runtime environment version 1.4 or higher. If your runtime environment is up-to-date but you are still receiving this message, please close your browser window and reopen Trend Micro Housecall in a new window." I tried this latter piece of advice, to no avail. Do you know what's wrong or how I can fix this problem?

Thanks

Veka
24 Nov 2008, 8:49am
Let me have a look at your HijackThis log.

ncs22
24 Nov 2008, 6:55pm
Hi Veka..here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:24 PM, on 11/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] "C:\Program Files\Registry Mechanic\RegMech.exe" /H
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169784257281
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u10-b92-b/jinstall-6u10-windows-i586-jc.cab?AuthParam=1226469509_1dc8e8ed10a1c83d7a326b29d5e90deb&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD5/JSCDL/jre/6u10-b92-b/jinstall-6u10-windows-i586-jc.cab&File=jinstall-6u10-windows-i586-jc.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com (http://www.webroot.com)) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 8228 bytes

Veka
24 Nov 2008, 7:14pm
You do have the latest Java installed, so no problem there. I can't say what is causing your problem.

ncs22
25 Nov 2008, 5:14am
Hi Veka...just to make sure that the occurrences with Kaspersky and Trend Micro Housecall were not just "flukes", do you know of a good direct method I can use to test the condition of my Java?

Thanks

Veka
25 Nov 2008, 8:57am
Try this

http://www.java.com/en/download/help/testvm.xml?ff3

ncs22
25 Nov 2008, 6:24pm
Hi Veka, thanks so much for that link. It turns out that my Java is functioning properly. I am now running some additional scanners, and I will promptly let you know if they find anything malicious on my system..

Thanks again

ncs22
27 Nov 2008, 10:45pm
Hi Veka...I ran several more scanners, and I ended up with just 3 questionable items:

1. The Panda Online Scanner found the following:

name: Trj/Banker.JER
location: C:\Program Files\InstallShield Installation Information\{76542EE3-5849-11D2-9C18-00609707C0FF}\data1.cab[wget.exe]

According to the Panda scanner, this infection is "Latent" and "non-disinfectable." What should I do about this, if anything?

2. The Avira AntiVir Personal scan flagged a couple of "warnings" (in each case, the "file could not be opened" during the scan):

a. C:\WINDOWS\system32\SsiEfr.exe
b. C:\WINDOWS\system32\wrLZMA.dll

I was curious if these 2 files are malicious or not..I did a little research, and apparently "wrLZMA.dll" should be in the Webroot directory, NOT the WINDOWS directory. Also, if "wrLZMA.dll" is a legit Webroot file, it should be 17 kb..but this one is about 30kb. As a further piece of information, the SsiEfr.exe on my system is about 16 kb. What should I do about these? Both were "created" on a day in which I did NOT have any Webroot software on my system...therefore, I'm a little suspect about these 2 files...

Thanks again so much

Veka
28 Nov 2008, 7:02am
1. The Panda Online Scanner found the following:

name: Trj/Banker.JER
location: C:\Program Files\InstallShield Installation Information\{76542EE3-5849-11D2-9C18-00609707C0FF}\data1.cab[wget.exe]

It seems this is related to a program you have installed. Also the file wget.exe might be malware. Unfortunately, I can't say more than that.

Post an uninstall list:


Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

2. The Avira AntiVir Personal scan flagged a couple of "warnings" (in each case, the "file could not be opened" during the scan):

a. C:\WINDOWS\system32\SsiEfr.exe
b. C:\WINDOWS\system32\wrLZMA.dll

I was curious if these 2 files are malicious or not..I did a little research, and apparently "wrLZMA.dll" should be in the Webroot directory, NOT the WINDOWS directory. Also, if "wrLZMA.dll" is a legit Webroot file, it should be 17 kb..but this one is about 30kb. As a further piece of information, the SsiEfr.exe on my system is about 16 kb. What should I do about these? Both were "created" on a day in which I did NOT have any Webroot software on my system...therefore, I'm a little suspect about these 2 files...

Thanks again so much

There is a simple test. Just rename these files:

SsiEfr.exe to SsiEfr.0xe
wrLZMA.dll to wrLZMA.0ll

Does this cause problems for your Webroot software?

Do you notice any other symptoms?

ncs22
28 Nov 2008, 6:53pm
Hi Veka...I uninstalled the Webroot Antivirus scanner, and when I did so the Ssiefr.exe and wrLZMA.dll were deleted automatically. So it appears those files were harmless, and everything is OK there. Also, my computer does not appear to be displaying any obvious symptoms at the moment.

As far as the other potential infection found by the PANDA scanner, here is my HJT file that you requested:

Adobe Download Manager 2.2 (Remove Only)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.8
Adobe Shockwave Player
Agere Systems AC'97 Modem
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
Bonjour
CCleaner (remove only)
EasyCleaner
ESET Online Scanner
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Deskjet 3840
HP Help and Support
HP Update
HP Wireless Assistant 1.01 B2
HP_User_Guides_0005
Intel(R) Graphics Media Accelerator Driver for Mobile
InterVideo WinDVD
iTunes
Java(TM) 6 Update 10
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.3)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 4.0 - SE
Panda ActiveScan 2.0
Quick Launch Buttons 5.10 B5
QuickTime
RealPlayer
Registry Mechanic 8.0
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SoundMAX
Texas Instruments PCIxx21/x515 drivers.
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Window Washer
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Zone Deluxe Games

Veka
28 Nov 2008, 8:38pm
Nothing suspicious there.

The "data1.cab[wget.exe]" file isn't a security risk as it's an archive. You can, however, extract the archive and scan wget.exe by uploading it to VirusTotal (http://www.virustotal.com/) if you want to make sure.

ncs22
28 Nov 2008, 11:01pm
Hi Veka...I was just wondering how exactly do I extract this particular archive and upload it to VirusTotal (I'm not too experienced with computers)? If you could, I'd really be grateful for some kind of step-by-step approach..

Thanks very much

Veka
29 Nov 2008, 5:16am
Sorry about the lack of instructions. :(

First you need software that unpacks CAB files, like IZArc (http://www.izarc.org/) or 7-Zip (http://www.7-zip.org/). Both are free.

Open the archive file and search for wget.exe (there can be loads of files). When you manage to find it, just drag and drop the file to your desktop.

Go to VirusTotal (http://www.virustotal.com/).
Select the file using the Browse button and then click on the Send File button.
Save a copy of the Anti-Virus results only. Post the results in your next reply.

Note: If you come to the "File has already been analysed:" page, select "Reanalyse file now" to get a fresh scan.
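Added example, not code posted in this thread: a small Python script that checks a file's signature before treating it as a cabinet, lists the entries of a Microsoft (MSCF) cabinet, and computes the SHA-256 of each stored member so the hash can be looked up on VirusTotal without uploading anything. The ISc( check is an assumption about what a file named data1.cab may be: InstallShield installers ship files with that name in their own format, which general archivers do not read as a Microsoft CAB; the thread does not establish that this is what happened to ncs22's file. The sample cabinet is constructed inline.

```python
import hashlib
import struct

MSCF = b"MSCF"   # Microsoft cabinet signature
ISC = b"ISc("    # InstallShield cabinet signature (assumption: explains "cannot open as archive")


def sha256_hex(data):
    """Hex SHA-256, the hash form VirusTotal accepts for a lookup."""
    return hashlib.sha256(data).hexdigest()


def identify_container(blob):
    """Classify a file by its leading bytes before trying any extractor on it."""
    head = blob[:4]
    if head == MSCF:
        return "microsoft-cab"
    if head == ISC:
        return "installshield-cab"
    if head[:2] == b"MZ":
        return "pe-executable"
    return "unknown"


def _cstr(blob, off):
    """Read a NUL-terminated string at off; return (text, offset after the NUL)."""
    end = blob.index(b"\x00", off)
    return blob[off:end].decode("latin-1"), end + 1


def parse_cab(blob):
    """List CFFILE entries of an MSCF cabinet; hash members of uncompressed (stored) folders."""
    if blob[:4] != MSCF:
        raise ValueError("not a Microsoft cabinet (MSCF signature missing)")
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, _minor, _major,
     c_folders, c_files, flags, _set_id, _icab) = struct.unpack_from("<4sIIIIIBBHHHHH", blob, 0)
    if cb_cabinet > len(blob):
        raise ValueError("truncated cabinet: header claims %d bytes, got %d" % (cb_cabinet, len(blob)))
    off = 36
    folder_reserve = data_reserve = 0
    if flags & 0x0004:                      # cfhdrRESERVE_PRESENT: optional per-structure reserve sizes
        header_reserve, folder_reserve, data_reserve = struct.unpack_from("<HBB", blob, off)
        off += 4 + header_reserve
    if flags & 0x0001:                      # cfhdrPREV_CABINET: skip szCabinetPrev / szDiskPrev
        _, off = _cstr(blob, off)
        _, off = _cstr(blob, off)
    if flags & 0x0002:                      # cfhdrNEXT_CABINET: skip szCabinetNext / szDiskNext
        _, off = _cstr(blob, off)
        _, off = _cstr(blob, off)
    folders = []
    for _ in range(c_folders):
        coff_start, c_cfdata, type_compress = struct.unpack_from("<IHH", blob, off)
        folders.append((coff_start, c_cfdata, type_compress & 0x000F))
        off += 8 + folder_reserve
    # Only stored (compression type 0) folders are unpacked here; MSZIP/LZX members are listed, not hashed.
    folder_bytes = {}
    for idx, (coff_start, c_cfdata, ctype) in enumerate(folders):
        if ctype != 0:
            continue
        pos, out = coff_start, b""
        for _ in range(c_cfdata):           # walk the CFDATA blocks of this folder
            _csum, cb_data, _cb_uncomp = struct.unpack_from("<IHH", blob, pos)
            pos += 8 + data_reserve
            out += blob[pos:pos + cb_data]
            pos += cb_data
        folder_bytes[idx] = out
    entries = []
    off = coff_files
    for _ in range(c_files):
        cb_file, uoff, i_folder, _date, _time, _attr = struct.unpack_from("<IIHHHH", blob, off)
        name, off = _cstr(blob, off + 16)
        data = folder_bytes.get(i_folder)   # None for compressed folders or spanning members (0xFFFD..0xFFFF)
        entries.append({
            "name": name,
            "size": cb_file,
            "compression": folders[i_folder][2] if i_folder < len(folders) else None,
            "sha256": sha256_hex(data[uoff:uoff + cb_file]) if data is not None else None,
        })
    return entries


def build_sample_cab(files):
    """Constructed test data: a single-folder, uncompressed cabinet holding the given name->bytes map."""
    file_entries, payload = b"", b""
    for name, data in files.items():
        file_entries += struct.pack("<IIHHHH", len(data), len(payload), 0, 0, 0, 0x20) + name.encode() + b"\x00"
        payload += data
    coff_files = 36 + 8                     # CFHEADER (36 bytes) + one CFFOLDER (8 bytes)
    coff_data = coff_files + len(file_entries)
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload
    header = struct.pack("<4sIIIIIBBHHHHH", MSCF, 0, coff_data + len(cfdata), 0, coff_files, 0,
                         3, 1, 1, len(files), 0, 0x1234, 0)
    folder = struct.pack("<IHH", coff_data, 1, 0)
    return header + folder + file_entries + cfdata


if __name__ == "__main__":
    sample = build_sample_cab({"wget.exe": b"MZ" + b"\x90" * 40, "readme.txt": b"constructed sample text\n"})
    print("container:", identify_container(sample))
    for entry in parse_cab(sample):
        print(entry)
    print("installshield sample:", identify_container(b"ISc(" + b"\x00" * 12))
```

Pointing `identify_container` and `parse_cab` at a real file (read it in binary mode first) tells you whether an "empty" or "cannot open" result comes from the archiver or from the file not being an MSCF cabinet at all, and the per-member hash lets you check VirusTotal's existing reports before deciding to upload anything.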

ncs22
30 Nov 2008, 4:25am
Hi Veka...I tried using 7-zip to open the data1.cab file, but it did not work. Here's what happened and what I did: I navigated to the appropriate data1.cab file, then I right-clicked it. Then in the context menu I clicked "7-zip". Then I clicked "open archive." When I did this, I got a message from 7-zip saying "Cannot open [filename] as archive." Did I do something wrong?

Thanks

Veka
30 Nov 2008, 6:11am
You did it right. I'm using IZArc and am able to open CAB files just by double-clicking them.

ncs22
30 Nov 2008, 6:37pm
Hi Veka...I also downloaded IZArc and tried opening the CAB file using it (by double-clicking the CAB file), but when the IZArc window opened, it was empty. It appears as if this file is totally empty (or somehow I did not use IZArc correctly). But the size of the file is listed as above 2000 kb, so I assumed something would be contained within it. Do you know of what I can do to see the contents of this file? Or would you say that it is okay to maybe just ignore this particular CAB file for now?

Thanks

Veka
30 Nov 2008, 11:11pm
Yeah. I found these CAB files empty also. Anyway, you can ignore this because it should not be a problem. It's just an archived file. :)

ncs22
1 Dec 2008, 6:59pm
Hi Veka...thanks for looking into the situation with the CAB file. I will just leave it alone. Also, I am soon going to be installing some new security software, and I just had a few questions about this:

1. For the antivirus, you recommended Avast or Avira...in your opinion, is one better than the other?

2. If I choose either of the above options, do I need to change any of the default settings once the program is installed?

3. If I pick one of these antivirus programs, will I need a separate antispyware program to go along with it (one that actively protects against spyware infections)? If so, which do you recommend?

4. You also recommended the Comodo Firewall...once I install this, will I need to change any of its default settings?

5. Lastly, another alternative that you mentioned was the Comodo Suite...will this be adequate protection by itself, and will I need to alter any of its default settings after I install it?

Thanks so much

Veka
1 Dec 2008, 8:00pm
Hi ncs.

1. Not really. It's a matter of taste, and I just like AntiVir; despite that nag screen. Choose the one that pleases you most.

2. This is a matter of taste (and needs), again.

I have made an installation guide for AntiVir, but it's in Finnish. Maybe it will help you, however.

http://sites.google.com/site/vekansivu/Home/avira-antivir-personal

3. I can't answer that; it depends on you. I'm myself using MBAM and a-squared, but without real-time protection.

4. No. I recommend installing Comodo with "Optimum Proactive Defense".

5. Comodo's AntiVirus isn't very effective yet. That's why I recommend something else instead.

Hope these help you. :)

ncs22
3 Dec 2008, 7:07pm
Hi Veka..thanks so much for answering those questions. Also thanks for providing the instruction link for AntiVir. Even though I don't understand it, the snapshots of the programme make it easy to follow. I think I will install AntiVir and Comodo..and perhaps some free antispyware programme as well.

I just had a few final questions about certain items:

1. In the SDFix log entry that I posted previously, there are a couple of references to Yahoo Messenger (under the "Remaining Services" section). I used to have this programme, but I uninstalled it a long time ago (even before I ran SDFix). How do I delete these traces of YM that SDFix found?

2. In the log for Combofix that I posted previously, under the "Registry loading points" section, there are the following items listed:

My Securer
Google Web Accelerator
SecureMaker
Symantec Core LC
Symantec AV
Symantec FW

I used to have these on my system also, but I uninstalled them a long time ago. How do I get rid of these traces?

Veka
8 Dec 2008, 6:31am
Those are registry entries. There is no need to delete anything. If you have run a registry cleaner, it is possible that they have been removed already.

ncs22
11 Dec 2008, 10:15pm
Hi Veka...thanks so much for your assistance in curing my computer..everything seems to be okay at the moment (minus a major problem I'm having uninstalling Adobe Reader, but I'm getting help with that from another forum)...

Also, I just had one last question regarding the new security software I'm going to install. I like to keep the number of programs to a minimum, so I'm going to just install the free Comodo firewall and also the free Avast! (or possibly free AVG) antivirus..would this be adequate protection for me? I decided against AntiVir because it does not include anti-spyware protection and would thus mean I would need to install a separate program for that. I also kept MBAM on my system...

Thanks...

Veka
12 Dec 2008, 2:24am
That should be enough. However, I'd install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) and maybe the free version of WinPatrol (http://www.winpatrol.com/) also, to give some extra protection.

Veka
19 Dec 2008, 9:04pm
Glad we could be of assistance! The help you received here was free.

This topic is now closed. If you wish it reopened, please send a Private Message to Trogan (http://icrontic.com/forum/private.php?do=newpm&u=2703) with a link to your thread.

If you are not the user who started this thread, you must start your own Thread (http://icrontic.com/forum/newthread.php?do=newthread&f=57) instead :)