
Author Topic: Malware attack of the 'System Tools'  (Read 15981 times)


Gray Badger

    Topic Starter


    Rookie

    Malware attack of the 'System Tools'
    « on: March 31, 2011, 07:37:15 PM »
    I've been working intermittently over a month trying to eliminate/document a virus/malware attack on home PC running Windows Vista Home Premium SP2.  I mistakenly clicked what I thought were McAfee popups, but weren't McAfee.  The PC now functions in Safe Mode, but locks up early in about any direction I want to go after typical boot & usual desktop display- if I get that far:  no printer access in safe mode, no internet, etc.  Trying to do anything outside of Safe Mode is nearly impossible.  All inserted logs were typed on second computer as can't print or email them and am concerned re putting them on disc or flashdrive & possibly infecting next computer.

    There is a possible Recovery(ies) save on disc(s), but would like to attempt that as last resort as subsequent stuff would be lost.  Before reading evilfantasy's post of 11/9/07 'Computer Hope Virus and Spyware section Guidelines', I read another post on the same topic in Computer Hope and mistakenly followed it, believing it would fix my PC.  I installed/ran ARO 2011 up to the point that they wanted to get paid for more sw/services.  That enabled functionality for approx 2 wks, but eventually a couple of "blue screens of death" & errant lock-ups led to consistent problems getting past the start-up mode in a typical reboot.  ARO prompts to "Keep these errors", "Fix Them Free", or "Buy Now".  "Fix Them Free" entails buying something else from a selection of other vendors and goods.    Following is an attempt to provide you the information you request in sequence evilfantasy delineated:

    I have anti-virus/security suite installed that comes with 'AT&T Internet Security Suite Powered by McAfee'.  At the beginning of this it showed "Real Time Scanning: On", "Updates: Current", "Firewall: On", and "Subscription: Active".  I can reach nothing that tells me version or further details.  Now there's an omnipresent display of AT&T/McAfee pop-up of "Your computer is at risk" and "Real Time Scanning is Off".  But, in attempting to engage Real-Time Scanning, it momentarily flashes on (green indications), then back off (red indications).

    There was nothing noteworthy I recall or have in notes regarding Add or Remove Programs.  I know I sifted thru the listings per the sequence request.

    3/8- CCleanerSlim installed and ran.  No cookies deleted- none I wanted to delete.


    3/8- SUPERAntiSpyware installed and ran.  Log copied & pasted:

    SUPER Antispyware Scan Log
    http://www.superantispyware.com

    Generated 03/08/2011 at 11:40 PM

    Application version:  4.49.1000

    Core Rules Database Version:  6553
    Trace Rules Database Version:  4365

    Scan Type:  Complete Scan
    Total Scan Time:  01:35:40

    Memory Items Scanned:  347
    Memory Threats Detected:  0
    Registry Items Scanned:  13502
    Registry Threats Detected:  0
    File Items Scanned:  183893
    File Threats Detected:  48

    Adware.Tracking Cookie
        a.ads2.msads.net [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        acvs.mediaonenetwork.net [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        b.ads2.msads.net [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        banners.securedataimages.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        broadcast.pixmedia.fr [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        cdn2.invitemedia.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        cdn4.invitemedia.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        cdn5.invitemedia.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        cloudfront.mediamatters.org [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        content.yieldmanager.edgesuite.net [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        core.insightexpressai.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        ia.media-imdb.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        interclick.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        m1.2mdn.net [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        m2.media-yoomee.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        macromedia.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        media-ut.pictela.net [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        media.entertonement.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        media.ign.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        media.kyte.tv [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        media.lintvnews.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        media.mtvnservices.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        media.scanscout.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        media.vmixcore.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        media1.break.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        media10.washingtonpost.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        mediaforgews.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        msnbcmedia.msn.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        objects.tremormedia.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        s0.2mdn.net [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        secure-us.imrworldwide.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        spe.atdmt.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        static.2mdn.net [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        static.xxxmatch.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        udn.specificclick.net [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        www.naiadsystems.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        www.nudebeachteens.net [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        www.porntube.com [ C:\Users\DRC\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\GSBL3PGD ]
        C:\Users\DRC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
        C:\Users\DRC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
        C:\Users\DRC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
        C:\Users\DRC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
        C:\Users\DRC\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected]er[2].txt
        C:\Users\DRC\AppData\Roaming\Microsoft\Windows\Cookies\Low\drc@doubleclick[1].txt
        C:\Users\DRC\AppData\Roaming\Microsoft\Windows\Cookies\Low\drc@invitemedia[2].txt
        C:\Users\DRC\AppData\Roaming\Microsoft\Windows\Cookies\Low\drc@legolas-media[1].txt
        C:\Users\DRC\AppData\Roaming\Microsoft\Windows\Cookies\Low\drc@pointroll[1].txt
        C:\Users\DRC\AppData\Roaming\Microsoft\Windows\Cookies\Low\drc@serving-sys[1].txt


    3/13- Loaded & ran Malwarebytes AntiMalware.  Log copied & pasted:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version:  5363

    Windows 6.0.6002 Service Pack 2 (Safe Mode)
    Internet Explorer 7.0.6002.18005

    3/13/2011 9:37:44 PM
    mbam-log-2011-03-13 (21-37-44).txt

    Scan type: Quick Scan
    Objects scanned: 156587
    Time elapsed: 2 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version:  5363

    Windows 6.0.6002 Service Pack 2 (Safe Mode)
    Internet Explorer 7.0.6002.18005

    3/13/2011 10:22:54 PM
    mbam-log-2011-03-13 (22-22-54).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 319800
    Time elapsed: 39 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Java 6 Update 24 is loaded on the problem PC.  Windows Installer Service could not be accessed to unload Java 6 Update 5 (in Safe Mode).


    3/15- HiJack This installed and run.  Log copied & pasted:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:57:02 AM, on 3/15/2011
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v7.00 (7.00.6002.18005)
    Boot mode: Safe mode

    Running processes:
    C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20110222190658.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [LchDrvKey] LchDrvKey.exe
    O4 - HKLM\..\Run: [LedKey] CNYHKey.exe
    O4 - HKLM\..\Run: [Smart Copy] "C:\Program Files (x86)\IOI\Smart Copy\ButtonMonitor.exe" -A
    O4 - HKLM\..\Run: [P2Go_Menu] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
    Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~2\RETROS~1\RETROS~1.0\RetroExpress.exe /h
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Check Point Endpoint Security] "C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [AROReminder] C:\Program Files (x86)\ARO 2011\ARO.exe -rem
    /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - https://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TruInstall.exe
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\system32\alg.exe (file missing)
    O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
    O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
    O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\GATEWAY\Gateway Recovery Management\Services\ETService.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvcHost.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvcHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvcHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvcHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvcHost.exe
    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - Unknown owner - C:\Windows\system32\mfevtps.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\system32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: MaxSyncService (NTService1A) -  - C:\Program Files (x86)\Maxtor\Utils\SyncServices.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\Program Files (x86)\Retrospect\Retrospect Express HD 2.0\retrorun.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\system32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\system32\spoolsv.exe (file missing)
    O23 - Service: Check Point Endpoint Security (TracSrvWrapper) - Check Point Software Technologies - C:\Program Files (x86)\CheckPoint\Endpoint Connect\TracSrvWrapper.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\system32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\WmiApSrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
    O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

    --
    End of file - 11186 bytes

    I tried running the 'Self-Help: Using the Computer Hope HiJack This process Tool'.  I have a couple of problems:
    1) Some Processes are not "recognized"(?), because I may have "word-wrap" on?  Again, I'm concerned about infecting a 2nd computer by copying the logs (IF I could), and therefore have tried to retype what I see including the spacing (apparently somewhat unsuccessfully).
    2) Because my Vista is a 64bit OS, I shouldn't trust the Tool anyway?
    3) Given both these factors, I should trust the 'Getting your system clean' sequence?

    Thanks for any advice you can offer.  I've read a success story or two or three regarding malware on this section of Computer Hope.  But, it would be fair to say I'm not brimming with confidence re my personal judgement and experience on this topic.  Thank you.
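The HijackThis log in the post above was retyped by hand and wrapped across lines, which is exactly what trips up an automated log checker. The script below is an added example for this thread (it is not part of the post and not part of HijackThis): it rejoins wrapped entries and then applies three review rules to entries taken from the posted log. The rules, and the caveat that a 32-bit HijackThis on 64-bit Windows reports "(file missing)" for system32 binaries because of WOW64 file-system redirection, are assumptions of the example, not findings stated in the thread.

```python
"""Triage a hand-retyped HijackThis 2.0.x log.

Added example for this thread; not part of the Computer Hope post or of
HijackThis. It rejoins entries that were wrapped across lines when the log
was retyped, then applies three review rules. Assumptions (not from the
thread): HJT entry prefixes are R0-R3, F0-F3 and O1-O24, and the log came
from the 32-bit HijackThis on 64-bit Windows, where "(file missing)" for a
binary under \Windows\system32 is usually WOW64 file-system redirection
(the 32-bit process is shown SysWOW64) rather than a missing file.
SAMPLE_LOG is constructed from entries that appear in the posted log.
"""
import re

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI
Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [LchDrvKey] LchDrvKey.exe
O4 - HKLM\..\Run: [LedKey] CNYHKey.exe
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} -
http://www.trueswitch.com/TruInstall.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner -
C:\Windows\system32\alg.exe (file missing)
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common
Files\McAfee\SystemCore\mcshield.exe
"""

# A line that starts a new HJT entry; anything else is a wrapped continuation.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - ")
# O4 Run entries look like: O4 - <hive>\..\Run: [<name>] <command>
RUN_RE = re.compile(r"^O4 - [^:]*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def unwrap(log):
    """Rejoin entries that were split across lines when the log was retyped."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_RE.match(line) or not entries:
            entries.append(line)
        else:
            # Continuation: restore the space lost at the wrap, unless the
            # break fell on a path separator.
            sep = "" if entries[-1].endswith("\\") or line.startswith("\\") else " "
            entries[-1] = entries[-1] + sep + line
    return entries


def _executable(cmd):
    """First token of a Run command, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def review(entries, tool_is_32bit_on_x64=True):
    """Return (level, entry, reason) tuples for entries worth a second look."""
    findings = []
    for entry in entries:
        if entry.startswith("O4 "):
            m = RUN_RE.match(entry)
            if m and "\\" not in _executable(m.group("cmd")):
                findings.append(("check", entry,
                                 "Run target has no path; Windows resolves it by "
                                 "search order, so confirm which file actually loads"))
        elif entry.startswith("O16 "):
            target = entry.rsplit(" - ", 1)[-1].lower()
            if target.startswith("http") and target.endswith(".exe"):
                findings.append(("check", entry,
                                 "DPF (ActiveX download) entry points at a bare "
                                 ".exe rather than a signed .cab"))
        elif entry.startswith("O23 ") and "(file missing)" in entry:
            path = entry.rsplit(" - ", 1)[-1].lower()
            if (tool_is_32bit_on_x64 and "\\system32\\" in path
                    and "unknown owner" in entry.lower()):
                findings.append(("info", entry,
                                 "probably WOW64 redirection, not a missing file; "
                                 "confirm with a 64-bit listing before acting"))
            else:
                findings.append(("check", entry, "service binary not found"))
    return findings


if __name__ == "__main__":
    for level, entry, reason in review(unwrap(SAMPLE_LOG)):
        print(f"[{level}] {entry}\n        {reason}")
```

Run it as-is to see the sample output, or pass a saved log through unwrap() and then review(). The "info" level exists so that the long run of "(file missing)" services in the posted log is not mistaken for damage: under a 32-bit tool on a 64-bit Windows those entries are unconfirmed until a 64-bit tool lists the same services.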


    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Malware attack of the 'System Tools'
    « Reply #1 on: April 01, 2011, 11:50:55 AM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *************************************************************
    Registry cleaners are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.
    ARO 2011
    There are a number of them available and some are more safe than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.

    For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

    Further reading: XP Fixes Myth #1: Registry Cleaners
    *********************************************************
    Download Security Check by screen317 from one of the following links and save it to your desktop.

    Link 1
    Link 2

    * Unzip SecurityCheck.zip and a folder named Security Check should appear.
    * Open the Security Check folder and double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
    ********************************************************
    Download DDS from HERE or HERE and save it to your desktop.

    Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

    * XP users Double click on dds to run it.
    * If your antivirus or firewall try to block DDS then please allow it to run.
    * When finished DDS will open two (2) logs.

    1) DDS.txt
    2) Attach.txt

    * Save both logs to your desktop.
    * Please copy and paste the entire contents of both logs in your next reply.

    Note: DDS will instruct you to post the Attach.txt log as an attachment.
    Please just post it as you would any other log by copy and pasting it into the reply.
    Windows 8 and Windows 10 dual boot with two SSD's
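Reply #1 moves tools and logs between the two machines on a CD or a USB stick, with Shift held during insertion to keep AutoPlay from firing. The script below is an added example for this thread (not code from the post): run from the clean machine, it reads a stick's root and lists every autorun.inf directive that would launch a program, which is the thing the Shift-key precaution guards against. The INI layout and the key names it checks are assumptions of the example; the sample volume is constructed in a temporary directory with an empty placeholder in place of a real executable.

```python
"""Check a removable volume for autorun.inf launch directives.

Added example for this thread, not code from the Computer Hope post.
Holding Shift while inserting a USB stick only suppresses AutoPlay for that
one insertion; this script instead reads the volume root and reports any
autorun.inf directive that would run a program, so the stick can be
inspected from a clean machine before anything on it is opened.
Assumptions (not from the thread): autorun.inf is an INI file with an
[autorun] section whose launch-capable keys are open, shellexecute and
shell\<verb>\command (icon, label and action are cosmetic).
build_sample_volume() constructs a throwaway volume in a temporary
directory with an empty setup.exe placeholder.
"""
import configparser
import os
import tempfile

LAUNCH_KEYS = {"open", "shellexecute"}


def launch_directives(root):
    """Return (key, value) pairs from <root>\\autorun.inf that would execute something."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=(";", "#"))
    with open(inf, encoding="latin-1", errors="replace") as fh:
        cp.read_file(fh)
    # Section names are case-sensitive in configparser; autorun.inf is not.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    hits = []
    for key, value in cp.items(section):
        k = key.lower()
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
            hits.append((k, value.strip()))
    return hits


def build_sample_volume(with_autorun=True):
    """Constructed sample: a temp directory standing in for a USB stick's root."""
    root = tempfile.mkdtemp(prefix="usb_root_")
    if with_autorun:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[AutoRun]\n"
                     "icon=setup.exe,0\n"
                     "label=Photos\n"
                     "open=setup.exe\n"
                     "shell\\open\\command=setup.exe\n")
        open(os.path.join(root, "setup.exe"), "wb").close()  # empty placeholder
    return root


if __name__ == "__main__":
    root = build_sample_volume()
    for key, value in launch_directives(root):
        target = os.path.join(root, value.split()[0])
        print(f"{key} = {value}  (target present: {os.path.isfile(target)})")
```

Shift suppresses AutoPlay for one insertion only. The durable equivalent on the clean machine is to disable AutoRun for every drive type by setting the NoDriveTypeAutoRun policy value to 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, and even then a stick that has been in the infected PC is worth a look with a check like this before any file on it is opened.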

    Gray Badger


      Re: Malware attack of the 'System Tools'
      « Reply #2 on: April 03, 2011, 07:30:51 PM »
      Thank you very much for your assistance.  I have a question:

      "If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line."

      Do I understand that given the lack of internet access on the infected computer, by using CD-RW as the preferred method of log transfer (versus USB drive) to my uninfected second computer, I should not infect the second computer in transferring the logs?  If the log transfer has to take place by USB storage device, that's theoretically safe if the described down-shift-key is followed?  Just confirming I'm risking a second PC or not.

      For instance, the 'Security Check by screen 317' log display is not lengthy to type-out, if that's acceptable.   Please.  Thanks.       

      SuperDave

      Re: Malware attack of the 'System Tools'
      « Reply #3 on: April 04, 2011, 01:21:21 PM »
      Quote
      Do I understand that given the lack of internet access on the infected computer, by using CD-RW as the preferred method of log transfer (versus USB drive) to my uninfected second computer, I should not infect the second computer in transferring the logs?  If the log transfer has to take place by USB storage device, that's theoretically safe if the described down-shift-key is followed?  Just confirming I'm risking a second PC or not.
      Just follow this advice and you should be safe.

      Quote
      For instance, the 'Security Check by screen 317' log display is not lengthy to type-out, if that's acceptable. 
      I would prefer the actual log.

      Gray Badger


        Re: Malware attack of the 'System Tools'
        « Reply #4 on: April 04, 2011, 10:03:47 PM »
         Results of screen317's Security Check version 0.99.10 
         Windows Vista  (UAC is enabled)
         Out of date service pack!!
         Internet Explorer 7 Out of date!
        ``````````````````````````````
        Antivirus/Firewall Check:

         Windows Security Center service is not running! This report may not be accurate!
         McAfee SecurityCenter     
         WMI entry may not exist for antivirus; attempting automatic update.
        ```````````````````````````````
        Anti-malware/Other Utilities Check:

         Malwarebytes' Anti-Malware   
         Java(TM) 6 Update 24 
         Java(TM) 6 Update 5 
         Out of date Java installed!
         Adobe Flash Player   
        Adobe Reader 8.2.0
        Out of date Adobe Reader installed!
        ````````````````````````````````
        Process Check: 
        objlist.exe by Laurent

        ``````````End of Log````````````


        .
        DDS (Ver_11-03-05.01) - NTFS_AMD64 MINIMAL
        Run by DRC at 23:54:36.95 on Mon 04/04/2011
        Internet Explorer: 7.0.6002.18005
        Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3838.3259 [GMT -4:00]
        .
        AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
        SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
        SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
        FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
        .
        ============== Running Processes ===============
        .
        C:\Windows\system32\wininit.exe
        C:\Windows\system32\lsm.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        C:\Windows\system32\svchost.exe -k rpcss
        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
        C:\Windows\system32\svchost.exe -k netsvcs
        C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
        C:\Windows\system32\svchost.exe -k NetworkService
        C:\Windows\Explorer.EXE
        C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
        c:\PROGRA~1\mcafee.com\agent\mcagent.exe
        D:\dds.pif
        C:\Windows\system32\wbem\wmiprvse.exe
        .
        ============== Pseudo HJT Report ===============
        .
        uStart Page = hxxp://att.my.yahoo.com/
        mStart Page = hxxp://www.att.net
        mDefault_Page_URL = hxxp://www.yahoo.com
        uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
        mWinlogon: Userinit=userinit.exe
        BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
        BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
        BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
        BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20110222190658.dll
        BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
        BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
        BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
        TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
        TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
        uRun: [ISUSPM] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
        uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
        uRun: [AROReminder] C:\Program Files (x86)\ARO 2011\ARO.exe -rem
        mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
        mRun: [LchDrvKey] LchDrvKey.exe
        mRun: [LedKey] CNYHKey.exe
        mRun: [Smart Copy] "C:\Program Files (x86)\IOI\Smart Copy\ButtonMonitor.exe" -A
        mRun: [eRecoveryService]
        mRun: [P2Go_Menu] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
        mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
        mRun: [hpqSRMon]
        mRun: [RetroExpress] C:\PROGRA~2\RETROS~1\RETROS~1.0\RetroExpress.exe /h
        mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
        mRun: [Check Point Endpoint Security] "C:\Program Files (x86)\CheckPoint\Endpoint Connect\TrGUI.exe"
        mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
        mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
        mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
        mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
        StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BigFix.lnk - C:\Program Files\BigFix\bigfix.exe
        StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
        mPolicies-explorer: NoActiveDesktop = 1 (0x1)
        mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
        mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
        mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
        IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
        IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
        IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
        IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
        Trusted Zone: intuit.com\ttlc
        DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
        DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
        DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
        DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
        DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
        DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
        DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/TrueInstall.exe
        Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
        Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
        Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
        SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
        BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110222190658.dll
        BHO-X64:     scriptproxy - No File
        BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll
        TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll
        mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
        mRun-x64: [RtHDVCpl] RAVCpl64.exe
        mRun-x64: [Skytel] Skytel.exe
        .
        ============= SERVICES / DRIVERS ===============
        .
        R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]
        S0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2011-2-22 529128]
        S1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\System32\drivers\mfenlfk.sys [2011-2-22 75032]
        S1 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2011-2-22 283360]
        S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
        S1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
        S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
        S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
        S2 ETService;Empowering Technology Service;C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2009-7-3 24576]
        S2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
        S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe [2010-12-5 110312]
        S2 McMPFSvc;McAfee Personal Firewall Service;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2011-2-22 355440]
        S2 McNaiAnn;McAfee VirusScan Announcer;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2011-2-22 355440]
        S2 McProxy;McAfee Proxy Service;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2011-2-22 355440]
        S2 McShield;McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2011-2-22 200056]
        S2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2011-2-22 245352]
        S2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2011-2-22 149032]
        S2 TracSrvWrapper;Check Point Endpoint Security;C:\Program Files (x86)\CheckPoint\Endpoint Connect\TracSrvWrapper.exe [2010-9-26 4142608]
        S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx64coinst,serviceStartProc --> RUNDLL32.EXE ykx64coinst,serviceStartProc [?]
        S3 cfwids;McAfee Inc. cfwids;C:\Windows\System32\drivers\cfwids.sys [2011-2-22 62800]
        S3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2009-7-25 190136]
        S3 mfefirek;McAfee Inc. mfefirek;C:\Windows\System32\drivers\mfefirek.sys [2011-2-22 441328]
        S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2011-2-22 94864]
        S3 mferkdk;McAfee Inc. mferkdk;C:\Windows\System32\drivers\mferkdk.sys [2009-7-25 40904]
        S3 mfesmfk;McAfee Inc. mfesmfk;C:\Windows\System32\drivers\mfesmfk.sys [2009-7-25 49480]
        S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
        S3 vna_ap;Check Point Virtual Network Adapter - Apollo;C:\Windows\System32\drivers\vnaap.sys [2010-9-26 161256]
        S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
        S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk60x64.sys [2008-8-5 392192]
        S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-8-24 89920]
        .
        =============== Created Last 30 ================
        .
        2011-03-15 06:46:33   388096   ----a-r-   C:\Users\DRC\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
        2011-03-15 06:46:27   --------   d-----w-   C:\Program Files (x86)\Trend Micro
        2011-03-15 06:24:04   --------   d-----w-   C:\JavaRa
        2011-03-14 01:27:58   --------   d-----w-   C:\Users\DRC\AppData\Roaming\Malwarebytes
        2011-03-14 01:27:53   38224   ----a-w-   C:\Windows\SysWow64\drivers\mbamswissarmy.sys
        2011-03-14 01:27:45   --------   d-----w-   C:\PROGRA~3\Malwarebytes
        2011-03-14 01:27:42   24152   ----a-w-   C:\Windows\System32\drivers\mbam.sys
        2011-03-14 01:27:42   --------   d-----w-   C:\Program Files (x86)\Malwarebytes' Anti-Malware
        2011-03-09 03:00:14   --------   d-----w-   C:\Users\DRC\AppData\Roaming\SUPERAntiSpyware.com
        2011-03-09 03:00:14   --------   d-----w-   C:\PROGRA~3\SUPERAntiSpyware.com
        2011-03-09 03:00:10   --------   d-----w-   C:\PROGRA~3\!SASCORE
        2011-03-09 03:00:08   --------   d-----w-   C:\Program Files\SUPERAntiSpyware
        2011-03-09 02:19:57   --------   d-----w-   C:\Program Files\CCleaner
        .
        ==================== Find3M  ====================
        .
        2011-02-03 02:40:23   472808   ----a-w-   C:\Windows\SysWow64\deployJava1.dll
        2011-01-20 16:46:10   900480   ----a-w-   C:\Windows\System32\drivers\dxgkrnl.sys
        2011-01-20 16:17:15   366592   ----a-w-   C:\Windows\System32\winspool.drv
        2011-01-20 16:17:03   625152   ----a-w-   C:\Windows\System32\dxgi.dll
        2011-01-20 16:16:53   287232   ----a-w-   C:\Windows\System32\d3d10core.dll
        2011-01-20 16:16:52   327680   ----a-w-   C:\Windows\System32\d3d10_1core.dll
        2011-01-20 16:16:52   196096   ----a-w-   C:\Windows\System32\d3d10_1.dll
        2011-01-20 16:16:52   1268224   ----a-w-   C:\Windows\System32\d3d10.dll
        2011-01-20 16:16:47   748544   ----a-w-   C:\Windows\System32\stobject.dll
        2011-01-20 16:16:40   47104   ----a-w-   C:\Windows\System32\cdd.dll
        2011-01-20 16:16:10   3548672   ----a-w-   C:\Windows\System32\mf.dll
        2011-01-20 16:16:08   35840   ----a-w-   C:\Windows\System32\printfilterpipelineprxy.dll
        2011-01-20 16:14:49   278528   ----a-w-   C:\Windows\System32\mfplat.dll
        2011-01-20 16:14:49   195072   ----a-w-   C:\Windows\System32\mfps.dll
        2011-01-20 16:08:16   478720   ----a-w-   C:\Windows\SysWow64\dxgi.dll
        2011-01-20 16:08:06   219648   ----a-w-   C:\Windows\SysWow64\d3d10_1core.dll
        2011-01-20 16:08:06   189952   ----a-w-   C:\Windows\SysWow64\d3d10core.dll
        2011-01-20 16:08:06   160768   ----a-w-   C:\Windows\SysWow64\d3d10_1.dll
        2011-01-20 16:08:06   1029120   ----a-w-   C:\Windows\SysWow64\d3d10.dll
        2011-01-20 16:07:42   258048   ----a-w-   C:\Windows\SysWow64\winspool.drv
        2011-01-20 16:07:16   586240   ----a-w-   C:\Windows\SysWow64\stobject.dll
        2011-01-20 16:06:38   2873344   ----a-w-   C:\Windows\SysWow64\mf.dll
        2011-01-20 16:04:54   98816   ----a-w-   C:\Windows\SysWow64\mfps.dll
        2011-01-20 16:04:54   209920   ----a-w-   C:\Windows\SysWow64\mfplat.dll
        2011-01-20 15:01:50   3068416   ----a-w-   C:\Windows\System32\xpsservices.dll
        2011-01-20 15:01:09   1653760   ----a-w-   C:\Windows\System32\XpsPrint.dll
        2011-01-20 14:59:59   1032192   ----a-w-   C:\Windows\System32\printfilterpipelinesvc.exe
        2011-01-20 14:58:38   1461760   ----a-w-   C:\Windows\System32\OpcServices.dll
        2011-01-20 14:57:44   479744   ----a-w-   C:\Windows\System32\XpsGdiConverter.dll
        2011-01-20 14:57:28   231936   ----a-w-   C:\Windows\System32\XpsRasterService.dll
        2011-01-20 14:42:00   1257984   ----a-w-   C:\Windows\System32\MFH264Dec.dll
        2011-01-20 14:41:29   428544   ----a-w-   C:\Windows\System32\MFHEAACdec.dll
        2011-01-20 14:40:17   345088   ----a-w-   C:\Windows\System32\mfreadwrite.dll
        2011-01-20 14:40:14   34304   ----a-w-   C:\Windows\System32\mfpmp.exe
        2011-01-20 14:40:11   377344   ----a-w-   C:\Windows\System32\mfmp4src.dll
        2011-01-20 14:37:06   2002944   ----a-w-   C:\Windows\System32\d3d10warp.dll
        2011-01-20 14:35:30   566272   ----a-w-   C:\Windows\System32\d3d10level9.dll
        2011-01-20 14:28:38   1554432   ----a-w-   C:\Windows\SysWow64\xpsservices.dll
        2011-01-20 14:27:50   876032   ----a-w-   C:\Windows\SysWow64\XpsPrint.dll
        2011-01-20 14:25:25   847360   ----a-w-   C:\Windows\SysWow64\OpcServices.dll
        2011-01-20 14:24:32   288768   ----a-w-   C:\Windows\SysWow64\XpsGdiConverter.dll
        2011-01-20 14:24:26   135680   ----a-w-   C:\Windows\SysWow64\XpsRasterService.dll
        2011-01-20 14:15:10   979456   ----a-w-   C:\Windows\SysWow64\MFH264Dec.dll
        2011-01-20 14:14:39   357376   ----a-w-   C:\Windows\SysWow64\MFHEAACdec.dll
        2011-01-20 14:14:03   302592   ----a-w-   C:\Windows\SysWow64\mfmp4src.dll
        2011-01-20 14:14:03   261632   ----a-w-   C:\Windows\SysWow64\mfreadwrite.dll
        2011-01-20 14:12:46   1172480   ----a-w-   C:\Windows\SysWow64\d3d10warp.dll
        2011-01-20 14:11:34   486400   ----a-w-   C:\Windows\SysWow64\d3d10level9.dll
        2011-01-20 14:06:15   834048   ----a-w-   C:\Windows\System32\d2d1.dll
        2011-01-20 14:02:46   1555968   ----a-w-   C:\Windows\System32\DWrite.dll
        2011-01-20 14:02:44   1147904   ----a-w-   C:\Windows\System32\FntCache.dll
        2011-01-20 13:47:51   683008   ----a-w-   C:\Windows\SysWow64\d2d1.dll
        2011-01-20 13:44:05   1068544   ----a-w-   C:\Windows\SysWow64\DWrite.dll
        2011-01-08 09:03:01   48128   ----a-w-   C:\Windows\System32\atmlib.dll
        2011-01-08 08:47:50   34304   ----a-w-   C:\Windows\SysWow64\atmlib.dll
        2011-01-08 06:45:51   367104   ----a-w-   C:\Windows\System32\atmfd.dll
        2011-01-08 06:28:49   292352   ----a-w-   C:\Windows\SysWow64\atmfd.dll
        .
        ============= FINISH: 23:55:29.58 ===============



        .
        UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
        IF REQUESTED, ZIP IT UP & ATTACH IT
        .
        DDS (Ver_11-03-05.01)
        .
        Microsoft® Windows Vista™ Home Premium
        Boot Device: \Device\HarddiskVolume2
        Install Date: 6/27/2009 3:21:35 PM
        System Uptime: 4/4/2011 10:45:47 PM (1 hours ago)
        .
        Motherboard: Gateway |  | RS780
        Processor: AMD Phenom(tm) 9150e Quad-Core Processor | AM2 | 1800/200mhz
        .
        ==== Disk Partitions =========================
        .
        C: is FIXED (NTFS) - 586 GiB total, 451.907 GiB free.
        D: is CDROM (CDFS)
        E: is Removable
        F: is Removable
        G: is Removable
        H: is Removable
        I: is Removable
        .
        ==== Disabled Device Manager Items =============
        .
        ==== System Restore Points ===================
        .
        .
        ==== Installed Programs ======================
        .
        .
        6400_Help
        Adobe Flash Player 10 ActiveX
        Adobe Reader 8.2.0
        ARO 2011
        AT&T Yahoo! Browser Configuration
        BigFix
        Bookworm Adventures - Fractured Fairytales
        bpd_scan
        BPDSoftware
        BPDSoftware_Ini
        BufferChm
        Catalyst Control Center - Branding
        Catalyst Control Center Core Implementation
        Catalyst Control Center Graphics Full Existing
        Catalyst Control Center Graphics Full New
        Catalyst Control Center Graphics Light
        Catalyst Control Center Graphics Previews Vista
        Catalyst Control Center Localization Danish
        Catalyst Control Center Localization Dutch
        Catalyst Control Center Localization Finnish
        Catalyst Control Center Localization French
        Catalyst Control Center Localization German
        Catalyst Control Center Localization Italian
        Catalyst Control Center Localization Japanese
        Catalyst Control Center Localization Norwegian
        Catalyst Control Center Localization Spanish
        Catalyst Control Center Localization Swedish
        ccc-core-static
        CCC Help Danish
        CCC Help Dutch
        CCC Help English
        CCC Help Finnish
        CCC Help French
        CCC Help German
        CCC Help Italian
        CCC Help Japanese
        CCC Help Norwegian
        CCC Help Spanish
        CCC Help Swedish
        Check Point Endpoint Security
        Compatibility Pack for the 2007 Office system
        CustomerResearchQFolder
        CyberLink LabelPrint
        CyberLink MediaShow
        CyberLink Power2Go
        Destination Component
        DeviceDiscovery
        DeviceManagementQFolder
        DocMgr
        DocProc
        DocProcQFolder
        eSupportQFolder
        Fax
        Gateway Games
        Gateway Recovery Management
        Google Toolbar for Internet Explorer
        GPBaseService
        GPBaseService2
        HiJackThis
        Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
        Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
        HP Photosmart Essential 2.5
        HP Product Detection
        HP Update
        HPDiagnosticAlert
        HPProductAssistant
        HPSSupply
        iSEEK AnswerWorks English Runtime
        J6400
        Java Auto Updater
        Java(TM) 6 Update 24
        Java(TM) 6 Update 5
        KB0817 Keyboard Driver
        Malwarebytes' Anti-Malware
        MarketResearch
        Marvell Miniport Driver
        Maxtor OneTouch III
        McAfee SecurityCenter
        Microsoft Money Essentials
        Microsoft Money Shared Libraries
        Microsoft Office 2007 Service Pack 2 (SP2)
        Microsoft Office Access MUI (English) 2007
        Microsoft Office Access Setup Metadata MUI (English) 2007
        Microsoft Office Communicator 2007
        Microsoft Office Enterprise 2007
        Microsoft Office Excel MUI (English) 2007
        Microsoft Office Groove MUI (English) 2007
        Microsoft Office Groove Setup Metadata MUI (English) 2007
        Microsoft Office Home and Student 2007
        Microsoft Office InfoPath MUI (English) 2007
        Microsoft Office OneNote MUI (English) 2007
        Microsoft Office Outlook MUI (English) 2007
        Microsoft Office PowerPoint MUI (English) 2007
        Microsoft Office PowerPoint Viewer 2007 (English)
        Microsoft Office Proof (English) 2007
        Microsoft Office Proof (French) 2007
        Microsoft Office Proof (Spanish) 2007
        Microsoft Office Proofing (English) 2007
        Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
        Microsoft Office Publisher MUI (English) 2007
        Microsoft Office Shared MUI (English) 2007
        Microsoft Office Shared Setup Metadata MUI (English) 2007
        Microsoft Office Suite Activation Assistant
        Microsoft Office Word MUI (English) 2007
        Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
        Microsoft Visual C++ 2005 Redistributable
        Microsoft Works
        MSVCSetup
        MSXML 4.0 SP2 (KB954430)
        MSXML 4.0 SP2 (KB973688)
        ProductContext
        PSSWCORE
        Realtek High Definition Audio Driver
        Realtek USB 2.0 Card Reader
        Retrospect Express HD 2.0
        Scan
        Security Update for 2007 Microsoft Office System (KB2288621)
        Security Update for 2007 Microsoft Office System (KB2288931)
        Security Update for 2007 Microsoft Office System (KB2289158)
        Security Update for 2007 Microsoft Office System (KB2344875)
        Security Update for 2007 Microsoft Office System (KB2345043)
        Security Update for 2007 Microsoft Office System (KB969559)
        Security Update for 2007 Microsoft Office System (KB976321)
        Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
        Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
        Security Update for Microsoft Office Access 2007 (KB979440)
        Security Update for Microsoft Office Excel 2007 (KB2345035)
        Security Update for Microsoft Office InfoPath 2007 (KB979441)
        Security Update for Microsoft Office PowerPoint 2007 (KB982158)
        Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
        Security Update for Microsoft Office Publisher 2007 (KB2284697)
        Security Update for Microsoft Office system 2007 (972581)
        Security Update for Microsoft Office system 2007 (KB974234)
        Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
        Security Update for Microsoft Office Word 2007 (KB2344993)
        Skins
        Smart Copy 3.1.1.1
        SmartWebPrintingOC
        Solar Fire Gold v7.3
        SolutionCenter
        Status
        Toolbox
        TrayApp
        TurboTax 2009
        TurboTax 2009 winiper
        TurboTax 2009 WinPerFedFormset
        TurboTax 2009 WinPerReleaseEngine
        TurboTax 2009 WinPerTaxSupport
        TurboTax 2009 wrapper
        UnloadSupport
        Update for 2007 Microsoft Office System (KB2284654)
        Update for 2007 Microsoft Office System (KB967642)
        Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
        Update for Microsoft Office 2007 Help for Common Features (KB963673)
        Update for Microsoft Office Access 2007 Help (KB963663)
        Update for Microsoft Office Excel 2007 Help (KB963678)
        Update for Microsoft Office Infopath 2007 Help (KB963662)
        Update for Microsoft Office OneNote 2007 (KB980729)
        Update for Microsoft Office OneNote 2007 Help (KB963670)
        Update for Microsoft Office Outlook 2007 (KB2412171)
        Update for Microsoft Office Outlook 2007 Help (KB963677)
        Update for Microsoft Office Powerpoint 2007 Help (KB963669)
        Update for Microsoft Office Publisher 2007 Help (KB963667)
        Update for Microsoft Office Script Editor Help (KB963671)
        Update for Microsoft Office Word 2007 Help (KB963665)
        Update for Outlook 2007 Junk Email Filter (KB2492475)
        VideoToolkit01
        WebReg
        Yahoo! Install Manager
        Yahoo! Toolbar
        .
        ==== End Of File ===========================

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Malware attack of the 'System Tools'
        « Reply #5 on: April 05, 2011, 01:16:13 PM »
        Please download the newest version of Adobe Acrobat Reader from Adobe.com

        Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
        Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
        Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

        Once old versions are gone, please install the newest version.
        ******************************************************
        C:\Program Files\BigFix should not be in your startup because it's a resource hog.

        You can uninstall Java(TM) 6 Update 5

        Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

        link # 1
        Link # 2
        If you are using Firefox, make sure that your download settings are as follows:

        * Tools->Options->Main tab
        * Set to "Always ask me where to Save the files".

        Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

        Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

        Right-click combofix.exe and select Run as Administrator and follow the prompts.
        When finished, ComboFix will produce a log for you.
        Post the ComboFix log and a new HijackThis log in your next reply.

        NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

        Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
        Windows 8 and Windows 10 dual boot with two SSD's
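A small Python triage script, written here as an added example (it is not a tool from this thread, from DDS or from the helper), that parses the autostart lines and the Installed Programs list of a DDS log laid out like the one in Reply #4 and flags what Reply #5 calls out by hand: a stale Java release left beside the newest one, and startup entries whose command is empty or only a bare file name. The embedded log excerpt is constructed from that layout, and the section banners and line patterns are assumptions about the DDS format.

```python
"""Triage helper for DDS-style logs (added example, not from this thread)."""
import re
from collections import defaultdict

# Constructed excerpt in the layout of the DDS log posted above; not a real capture.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
.
uRun: [AROReminder] C:\Program Files (x86)\ARO 2011\ARO.exe -rem
mRun: [eRecoveryService]
mRun: [LedKey] CNYHKey.exe
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BigFix.lnk - C:\Program Files\BigFix\bigfix.exe
mRun-x64: [Skytel] Skytel.exe
.
==== Installed Programs ======================
.
Adobe Reader 8.2.0
Java(TM) 6 Update 24
Java(TM) 6 Update 5
McAfee SecurityCenter
.
==== End Of File ===========================
"""

# Assumed DDS conventions: '==== Name ====' banners, '[name] command' run keys.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^(uRun|mRun|uRunOnce|mRunOnce|mRun-x64): \[([^\]]*)\]\s*(.*)$")
STARTUP_RE = re.compile(r"^StartupFolder: (.+?) - (.+)$")
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|pif|scr|cmd|bat))\b', re.IGNORECASE)
QUALIFIED_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%)")   # drive, UNC or %VAR% prefix
JAVA_RE = re.compile(r"^Java\(TM\) (\d+) Update (\d+)$")


def split_sections(text):
    """Group the log's lines under the banner they follow."""
    sections = defaultdict(list)
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
        elif line and line != ".":          # DDS uses a lone '.' as a spacer
            sections[current].append(line)
    return sections


def autostart_entries(sections):
    """Run-key values and Startup-folder shortcuts, in log order."""
    entries = []
    for line in sections.get("Pseudo HJT Report", []):
        run = RUN_RE.match(line)
        if run:
            entries.append({"source": run.group(1), "name": run.group(2),
                            "command": run.group(3)})
            continue
        shortcut = STARTUP_RE.match(line)
        if shortcut:
            entries.append({"source": "StartupFolder",
                            "name": shortcut.group(1).rsplit("\\", 1)[-1],
                            "command": shortcut.group(2)})
    return entries


def executable_of(command):
    """Path of the program a command line launches, or None if there is none."""
    match = EXE_RE.match(command.strip())
    return match.group(1) if match else None


def triage(text):
    """Return (autostart entries, list of human-readable findings)."""
    sections = split_sections(text)
    entries = autostart_entries(sections)
    findings = []
    for entry in entries:
        exe = executable_of(entry["command"])
        label = f"{entry['source']} [{entry['name']}]"
        if exe is None:
            findings.append(f"{label}: value has no command, confirm it is a leftover")
        elif not QUALIFIED_RE.match(exe):
            # A bare file name is located through the search path at logon,
            # so the analyst has to find which copy on disk actually runs.
            findings.append(f"{label}: bare file name {exe!r}, resolve it on disk")
    # Every Java release but the newest is a stale copy still exposing its bugs.
    java = sorted((int(m.group(1)), int(m.group(2)))
                  for m in map(JAVA_RE.match, sections.get("Installed Programs", [])) if m)
    for major, update in java[:-1]:
        findings.append(f"stale Java(TM) {major} Update {update} alongside Update {java[-1][1]}")
    return entries, findings


if __name__ == "__main__":
    found, notes = triage(SAMPLE_DDS)
    print(f"{len(found)} autostart entries")
    for note in notes:
        print(" -", note)
```

Run against the full DDS log from Reply #4 it would list the same kind of findings for every uRun/mRun line, including the BigFix shortcut that Reply #5 asks to remove from startup.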

        Gray Badger

          Topic Starter


          Rookie

          Re: Malware attack of the 'System Tools'
          « Reply #6 on: April 05, 2011, 03:30:38 PM »
          Dave:

          Thanks for your efforts.  I lost second PC last night to what visually was a quick bombardment of unwanted "virus files" before I turned it off.  There were approximately four listed in red and I recall one being labeled a Trojan before I turned the PC off.  I had used it earlier to receive log files from infected PC, following instructions of, " If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line."

          While naturally concerned, I can imagine the unwanted attack could be attributable to being on internet, with less quality virus protection than I believe recommended (Microsoft Defense, or something like that, versus McAfee or Symantec).  Given the testimonials I read of your prowess, I'd like to believe bad coincidence.  Again, no vast experience with these problems until about a month ago & now acquiring all I could want.       

          Bottom line is I can burn CDs at work for your latest recommendations (Acrobat Reader & ComboFix), but I'm going to have to type logs or we'll be doing without them until 2nd PC is back (can't risk/juggle only other choice of job PC).  I interpret "prefer the actual log" to be reluctantly receptive of my typing unless I hear correction.   

          SuperDave

          • Malware Removal Specialist


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: Malware attack of the 'System Tools'
          « Reply #7 on: April 06, 2011, 04:15:17 PM »
          Please try this. Re-boot in Safe Mode and run a full scan with MBAM. Then, re-boot in Normal mode and again, run a full scan with MBAM. Just let me know if there's any change in your computer.
          Windows 8 and Windows 10 dual boot with two SSD's