Jump to content

nickyr

Members
  • Posts

    8
  • Joined

  • Last visited

Reputation

0 Neutral
  1. @LiquidTension Rebooting initially did not help. However, Quick Repair followed by full reboots did restore Excel, but disconnected Excel from .xlsx files (now repaired). So at least we are functioning again. Observations: - Version of Excel seems relatively immaterial (happened on Excel 2013 and Office 365 on the same day) - Happened while Excel was saving both times - The excel file itself has straightforward data - no formulas or pulling down outside data as another user reported
  2. Attempting to fix Excel using the Settings>Apps & Features - Doing a Modify and Quick Repair appears to complete, but does not fix the issue - Doing an Online Repair gives the error 30088-4 Note that I am running all this as a secondary user on this computer, with a different Microsoft account. Switching to the other user does not help (Excel is still broken.)
  3. More info: Office 365 ProPlus 16.0.11929.20838 Excel.exe is not 0k. When I try to run it, i get this error message: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."
  4. Same issue, happened more than once today on different versions of Excel (2013 and a completely current Office365). Occurred in the midst of saving a file that was a data export from our UPC provider (that is to say, nothing special). Following the instructions from above: Download and run the Malwarebytes Support Tool Accept the EULA and click Advanced tab on the left (not Start Repair) Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to this reply In addition, can you please copy, zip and attach the following folder? C:\ProgramData\Malwarebytes\MBAMService\ARW mbst-grab-results.zip ARW.zip
  5. MBAM cleaned up some issues when I ran it post-ComboFix, log data below. DDS, F-Secure and Security Check log data below. Hijacking of google results is repaired for the moment. I also haven't seen the atapi.sys infection lately. Since both of these keep coming back, I am not 100% certain I am clean, but I am hopeful. Oh, and THANK YOU!!! == Nicky ---------------- Results: MBAM: Files Infected: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP644\A0101861.sys (Malware.Trace) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP644\A0102658.sys (Malware.Trace) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP644\A0102802.sys (Malware.Trace) -> Quarantined and deleted successfully. DDS log: DDS (Ver_09-12-01.01) - NTFSx86 Run by Nicky at 3:32:24.25 on Tue 01/26/2010 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2303 [GMT -8:00] AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\TortoiseSVN\bin\TSVNCache.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\WINDOWS\System32\ezSP_Px.exe C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\QuickTime\QTTask.exe D:\Program Files\iTunes\iTunesHelper.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe C:\Program Files\Juniper Networks\Common Files\dsNcService.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe C:\WINDOWS\system32\ctfmon.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\adobe\acrobat 5.0\Distillr\AcroTray.exe C:\Documents and Settings\Nicky\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe C:\Program Files\Dell Support Center\bin\sprtsvc.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Trusteer\Rapport\bin\RapportService.exe C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\system32\HPZinw12.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Nicky\Desktop\Malware\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://sports.yahoo.com/nhl/scoreboard uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized uRun: [Google Update] "c:\documents and settings\nicky\local settings\application data\google\update\GoogleUpdate.exe" /c uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [RTHDCPL] RTHDCPL.EXE mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe" mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe" mRun: [ECenter] c:\dell\e-center\EULALauncher.exe mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe" mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe mRun: [TkBellExe] c:\program files\common files\real\update_ob\evntsvc.exe -osboot mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter mRun: [nwiz] nwiz.exe /install mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - d:\program files\aim95\aim.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB DPF: Microsoft XML Parser for Java DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - hxxp://cs5b.instantservice.com/jars/customerxsigned33.cab DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://zone.msn.com/binGame/ZAxRcMgr.cab DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://portal.limelife.com/dana-cached/setup/JuniperSetupSP1.cab Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\nicky\applic~1\mozilla\firefox\profiles\1jog43ts.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.new.facebook.com/home.php FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll FF - component: c:\program files\mozilla firefox\components\FFHook.dll FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll FF - plugin: c:\documents and settings\nicky\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll FF - plugin: c:\program files\opera\program\plugins\nppdf32.dll FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); ============= SERVICES / DRIVERS =============== R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 214664] R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-11-19 58984] R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-11-19 334568] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-24 93320] R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-9-24 359952] R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-9-24 144704] R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-11-19 967912] R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-9-24 606736] R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-9-24 79816] R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-9-24 35272] R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-9-24 40552] S3 CpPwdSvc;CopyPwd Service;c:\program files\laplink\pcmover\cppwdsvc.exe --> c:\program files\laplink\pcmover\cppwdsvc.exe [?] S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2005-8-3 4736] S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-9-24 34248] S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2005-8-3 8960] =============== Created Last 30 ================ 2010-01-26 06:28:10 0 d-sha-r- C:\cmdcons 2010-01-26 06:26:20 98816 ----a-w- c:\windows\sed.exe 2010-01-26 06:26:20 77312 ----a-w- c:\windows\MBR.exe 2010-01-26 06:26:20 261632 ----a-w- c:\windows\PEV.exe 2010-01-26 06:26:20 161792 ----a-w- c:\windows\SWREG.exe 2010-01-21 10:53:11 0 d-----w- c:\program files\Uniblue 2010-01-21 08:38:29 0 ----a-w- c:\documents and settings\nicky\defogger_reenable 2010-01-18 22:38:53 0 d-----w- c:\docume~1\nicky\applic~1\Malwarebytes 2010-01-18 22:38:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-01-18 22:38:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-01-18 22:38:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-01-18 22:38:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2010-01-17 08:56:16 0 d-----w- c:\program files\Wizards of the Coast 2010-01-12 23:59:56 471552 ------w- c:\windows\system32\dllcache\aclayers.dll 2010-01-04 00:39:26 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-12-29 08:05:21 0 d-----w- c:\docume~1\nicky\applic~1\Virtual Prophecy 2009-12-29 08:04:38 0 d-----w- c:\docume~1\nicky\applic~1\Namco 2009-12-29 08:04:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Namco 2009-12-29 07:32:58 0 d-----w- c:\program files\Namco ==================== Find3M ==================== 2010-01-25 19:17:04 96512 ----a-w- c:\windows\system32\drivers\atapi.svs 2010-01-25 19:17:04 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys 2010-01-25 19:17:04 96512 ------w- c:\windows\system32\drivers\atapi.sys 2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe 2008-06-19 07:17:05 0 ----a-w- c:\program files\temp01 ============= FINISH: 3:33:02.87 =============== F-Secure: Scanning Report Tuesday, January 26, 2010 13:43:36 - 15:41:53 Computer name: NICKY2 Scanning type: Scan system for malware, spyware and rootkits Target: C:\ D:\ 1 malware found DeepScan:Generic.Zlob.5C2B25B7 (virus) * C:\MY DOWNLOAD FILES\INSTALLTRADEWINDS.EXE (Renamed & Submitted) Statistics Scanned: * Files: 100259 * System: 5266 * Not scanned: 8 Actions: * Disinfected: 0 * Renamed: 1 * Deleted: 0 * Not cleaned: 0 * Submitted: 1 Files not scanned: * C:\HIBERFIL.SYS * C:\PAGEFILE.SYS * C:\WINDOWS\TEMP\MCMSC_QXXFOHTWKRTQ7Y4 * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT * C:\WINDOWS\SYSTEM32\CONFIG\SAM * C:\WINDOWS\SYSTEM32\CONFIG\SECURITY * C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE * C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Options Scanning engines: Scanning options: * Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR * Use advanced heuristics Copyright
  6. Figured out that this was a false positive and have done a ComboFix scan. You asked for a new HijackThis scan... I didn't run HijackThis or provide logs from it before, since that wasn't int he instructions, although I do have it and certainly can. Do you want logs from HijackThis, MBAM, DDS or GMER? == Nicky ComboFix.txt
  7. When I try to download ComboFix, McAfee blocks a Trojan (or so it says): Detected: Artemis!3609DB2735BD (Trojan), Artemis!3609DB2735BD (Trojan) Location: C:\Documents and Settings\Nicky\Local Settings\Temporary Internet Files\Content.IE5\UQRXQMZS\ComboFix[1].exe == Nicky
  8. My IE has been hijacked, as search links go off to various places. Also, McAfee keeps cleaning up a "PatchedSYSFile.a" trojan in atapi.sys. I've followed the directions in other topics, results below and attached. Please note that GMER crashes eventually while scanning files. It's crashed twice, both of the horrible "blue screen of death" variety. One was: STOP: d0000144 Unknown Hard Error The other, I did not fully write down, but was of the windows is shutting down to protect the hardware, and had a Driver_irql_not_less_or_equal error. I obtained the attached ark.txt file by stopping GMER part way through the scan of Program Files. Thanks, Nicky Robinson ----------------- DDS (Ver_09-12-01.01) - NTFSx86 Run by Nicky at 0:59:30.17 on Thu 01/21/2010 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2142 [GMT -8:00] AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe C:\Program Files\Juniper Networks\Common Files\dsNcService.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe C:\Program Files\Dell Support Center\bin\sprtsvc.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Trusteer\Rapport\bin\RapportService.exe C:\Program Files\TortoiseSVN\bin\TSVNCache.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe C:\WINDOWS\System32\ezSP_Px.exe C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\QuickTime\QTTask.exe D:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe C:\WINDOWS\system32\ctfmon.exe D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe C:\Program Files\adobe\acrobat 5.0\Distillr\AcroTray.exe C:\Documents and Settings\Nicky\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\HPZinw12.exe C:\Documents and Settings\Nicky\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://sports.yahoo.com/nhl/scoreboard uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080414 uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll mWinlogon: Shell=Explorer.exe BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [uniblue RegistryBooster 2] d:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized uRun: [Google Update] "c:\documents and settings\nicky\local settings\application data\google\update\GoogleUpdate.exe" /c mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [RTHDCPL] RTHDCPL.EXE mRun: [Alcmtr] ALCMTR.EXE mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe" mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe" mRun: [ECenter] c:\dell\e-center\EULALauncher.exe mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe" mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe mRun: [TkBellExe] c:\program files\common files\real\update_ob\evntsvc.exe -osboot mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter mRun: [nwiz] nwiz.exe /install mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - d:\program files\aim95\aim.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB DPF: Microsoft XML Parser for Java DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab DPF: {4C226336-4032-489F-9674-67E74225979B} - hxxp://otx.ifilm.com/OTXMedia/OTXMedia.dll DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - hxxp://cs5b.instantservice.com/jars/customerxsigned33.cab DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://zone.msn.com/binGame/ZAxRcMgr.cab DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://portal.limelife.com/dana-cached/setup/JuniperSetupSP1.cab Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll LSA: Notification Packages = scecli scecli Hosts: 192.168.1.101 HP00163552F5FE Hosts: 66.121.140.76 stage.sanovaden.com ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\nicky\applic~1\mozilla\firefox\profiles\1jog43ts.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.new.facebook.com/home.php FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll FF - component: c:\program files\mozilla firefox\components\FFHook.dll FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll FF - plugin: c:\documents and settings\nicky\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll FF - plugin: c:\program files\opera\program\plugins\np_gp.dll FF - plugin: c:\program files\opera\program\plugins\nppdf32.dll FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); ============= SERVICES / DRIVERS =============== R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 214664] R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-11-19 58984] R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-11-19 334568] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-24 93320] R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-9-24 359952] R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-9-24 144704] R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-11-19 967912] R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-9-24 606736] R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-9-24 79816] R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-9-24 35272] R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-9-24 40552] S3 CpPwdSvc;CopyPwd Service;c:\program files\laplink\pcmover\cppwdsvc.exe --> c:\program files\laplink\pcmover\cppwdsvc.exe [?] S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2005-8-3 4736] S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-9-24 34248] S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2005-8-3 8960] =============== Created Last 30 ================ 2010-01-21 08:38:29 0 ----a-w- c:\documents and settings\nicky\defogger_reenable 2010-01-18 22:38:53 0 d-----w- c:\docume~1\nicky\applic~1\Malwarebytes 2010-01-18 22:38:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-01-18 22:38:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-01-18 22:38:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-01-18 22:38:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2010-01-17 08:56:16 0 d-----w- c:\program files\Wizards of the Coast 2010-01-12 23:59:56 471552 ------w- c:\windows\system32\dllcache\aclayers.dll 2010-01-04 00:39:26 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-12-29 08:05:21 0 d-----w- c:\docume~1\nicky\applic~1\Virtual Prophecy 2009-12-29 08:04:38 0 d-----w- c:\docume~1\nicky\applic~1\Namco 2009-12-29 08:04:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Namco 2009-12-29 07:32:58 0 d-----w- c:\program files\Namco ==================== Find3M ==================== 2010-01-20 18:42:49 96512 ----a-w- c:\windows\system32\drivers\atapi.sys 2010-01-20 18:42:49 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys 2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe 2008-06-19 07:17:05 0 ----a-w- c:\program files\temp01 ============= FINISH: 1:01:25.78 =============== Attach.zip
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.