GRIVEN

SCANS for Mr.Charlie

157 posts in this topic

None of the antimalware I've tried has been permitted to work on (my mate's) computer (which she needs for work).

What started out as a S.M.A.R.T. Repair HDD infection (as I came to learn) has progressed into a continuing horror show. The attached files are from the infected computer, which I have volunteered my help with despite the fact I'm only a bit more knowledgeable about cyberstuff than she is.

Since then, I found a brazen "Smart HDD" folder in the programs list & deleted it but things only got worse with the Smart bug gone. I've gone back and forth on attempted solutions so much, I'm at BOTH ends of my rope.

Her computer is too difficult to work with, so I'm sending this from my own with the hope that the cyberangels mentioned on the "I'm Infected, Now What" page have some basis in reality and that the attached "dds.txt" & "attach.txt" files I'm sending hold a clue to the way out of this swamp.

Bottomless Thanks for any help with this nightmare.

(I don't see any "Track this topic" or "Immediate email" options to check on this page.)

Help

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.2180

Run by donna at 23:14:50 on 2012-05-01

.

============== Running Processes ===============

.

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Citrix\ICA Client\ssonsvr.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Registry Mechanic\RegMech.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Spyware Doctor\Update.exe

C:\Program Files\Spyware Doctor\upgrade.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\donna\Desktop\dds.scr

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\WINDOWS\System32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://duckduckgo.com/

uDefault_Page_URL = hxxp://www.hvaccess.com/members

uDefault_Search_URL = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mStart Page = hxxp://www.hvaccess.com/members

mWindow Title = HVAccess Internet Services

mSearch Bar = hxxp://www.google.com

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

BHO: IeCatch5 Class: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\progra~1\flashget\jccatch.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll

BHO: gFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\progra~1\flashget\getflash.dll

BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll

TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

EB: MoneySide: {9404901d-06da-4b23-a0ee-3ea4f64ec9b3} - c:\program files\microsoft money\system\mnyviewer.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H

uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe

mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

mRun: [Dell|Alert] c:\program files\dell\support\alert\bin\DAMon.exe

mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Lexmark X73 Button Monitor] c:\progra~1\lexmar~1\ACMonitor_X73.exe

mRun: [Lexmark X73 Button Manager] c:\progra~1\lexmar~1\AcBtnMgr_X73.exe

mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"

IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm

IE: Download using FlashGet - c:\program files\flashget\jc_link.htm

IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll

LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {205FF73B-CA67-11D5-99DD-444553540000} - hxxp://www.spywarestormer.com/files2/Install.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{A50CC01F-446C-42DF-AB69-34577E224D65} : DhcpNameServer = 209.18.47.61 209.18.47.62

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R? MBAMSwissArmy;MBAMSwissArmy

R? PCTSDInjDriver32;PCTSDInjDriver32

R? rootrepeal;rootrepeal

S? !SASCORE;SAS Core Service

S? Browser Defender Update Service;Browser Defender Update Service

S? FixTDSS;TDSS Fixtool driver

S? MBAMProtector;MBAMProtector

S? MBAMService;MBAMService

S? PCTCore;PCTools KDS

S? SASDIFSV;SASDIFSV

S? SASKUTIL;SASKUTIL

S? SBRE;SBRE

S? sdAuxService;PC Tools Auxiliary Service

S? sdCoreService;PC Tools Security Service

.

=============== Created Last 30 ================

.

2100-02-08 20:03:54 53248 -c--a-w- c:\program files\ACMonitor_X73.exe

2012-04-30 22:37:27 -------- d-----w- c:\documents and settings\donna\DoctorWeb

2012-04-30 17:26:52 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-04-30 17:10:51 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-30 17:10:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-04-30 16:24:28 -------- d-----w- c:\documents and settings\donna\application data\SUPERAntiSpyware.com

2012-04-30 16:20:04 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-04-30 16:20:04 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2012-04-30 16:11:20 1666978 ----a-w- c:\program files\MGtools.exe

2012-04-30 16:03:56 1973368 ----a-w- C:\avg_remover_stf_x86_2012_2125.exe

2012-04-29 18:04:16 -------- d-----w- c:\documents and settings\donna\local settings\application data\Threat Expert

2012-04-29 17:37:03 -------- d-----w- C:\TDSSKiller_Quarantine

2012-04-29 17:31:43 -------- d-----w- c:\documents and settings\donna\application data\FixTDSS

2012-04-29 17:31:36 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys

2012-04-27 21:12:43 767952 ----a-w- c:\windows\BDTSupport.dll

2012-04-27 21:12:42 149456 ----a-w- c:\windows\SGDetectionTool.dll

2012-04-27 21:12:41 165840 ----a-w- c:\windows\PCTBDRes.dll

2012-04-27 21:12:41 1652688 ----a-w- c:\windows\PCTBDCore.dll

2012-04-27 21:02:58 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2012-04-27 21:01:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2012-04-27 21:01:54 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2012-04-27 21:00:41 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2012-04-27 20:59:43 -------- d-----w- c:\program files\Spyware Doctor

2012-04-27 20:59:43 -------- d-----w- c:\documents and settings\donna\application data\PC Tools

2012-04-27 16:59:50 -------- d-----w- c:\program files\GridinSoft Trojan Killer

2012-04-26 22:38:41 134984 ----a-w- c:\windows\system32\LnkProtect.dll

2012-04-26 22:09:08 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro

2012-04-23 00:07:08 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2012-04-23 00:07:08 27984 ----a-w- c:\windows\system32\sbbd.exe

2012-04-23 00:04:13 -------- d-----w- C:\VIPRERESCUE

2012-04-22 23:29:22 -------- d-----w- c:\program files\ware2

2012-04-21 22:41:41 1409 ----a-w- c:\windows\QTFont.for

2012-04-21 00:29:50 54016 ----a-w- c:\windows\system32\drivers\qpykhd.sys

2012-04-20 01:52:56 -------- d-----w- c:\program files\common files\PC Tools

2012-04-20 01:52:44 -------- d-----w- c:\program files\PC Tools

2012-04-20 01:49:30 -------- d-----w- c:\documents and settings\all users\application data\PC Tools

2012-04-20 01:49:26 -------- d-----w- c:\documents and settings\donna\application data\TestApp

2012-04-16 17:46:28 -------- d-----w- c:\documents and settings\donna\application data\AVG

2012-04-16 04:30:02 -------- d-----w- c:\documents and settings\donna\application data\AVG2012

2012-04-16 04:06:34 -------- d-----w- c:\documents and settings\all users\application data\Common Files

2012-04-16 04:01:57 -------- d-----w- c:\documents and settings\all users\application data\AVG2012

2012-04-15 20:55:29 -------- d-----w- c:\documents and settings\donna\application data\Malwarebytes

2012-04-15 20:53:57 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-04-14 20:30:12 168 ----a-w- c:\documents and settings\all users\application data\rpm.exe

2012-04-14 20:30:12 0 ----a-w- c:\documents and settings\all users\application data\321.exe

2012-04-14 20:29:48 256 ----a-w- c:\documents and settings\all users\application data\abc.exe

.

==================== Find3M ====================

.

2007-03-11 22:39:41 3224463 -c--a-w- c:\program files\fgf173.exe

2001-05-08 20:36:42 114688 -c--a-w- c:\program files\lxarscan.dll

.

============= FINISH: 23:16:23.67 ===============

dds.txt

attach.txt

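A first-pass triage of the "Created Last 30" section in the DDS log above, as an added example and not a tool anyone in this thread used: the script parses DDS-style listing lines and applies three cheap heuristics a responder would otherwise apply by eye (executables under 1 KB in user-writable locations such as Application Data or the drive root, newly created kernel drivers, and timestamps later than the scan date). The sample lines are copied from the log above; the size threshold and the no-vowels test are my own rules of thumb, not anything DDS reports, and every hit is a prompt to inspect the file, not a verdict.

```python
import re
from datetime import date

# A subset of the "Created Last 30" lines from the DDS log above (copied, not
# constructed); the scan date comes from the DDS header ("2012-05-01").
DDS_CREATED = r"""
2100-02-08 20:03:54 53248 -c--a-w- c:\program files\ACMonitor_X73.exe
2012-04-30 17:26:52 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-04-30 17:10:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-30 16:11:20 1666978 ----a-w- c:\program files\MGtools.exe
2012-04-30 16:03:56 1973368 ----a-w- C:\avg_remover_stf_x86_2012_2125.exe
2012-04-29 17:31:36 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2012-04-21 00:29:50 54016 ----a-w- c:\windows\system32\drivers\qpykhd.sys
2012-04-15 20:53:57 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-04-14 20:30:12 168 ----a-w- c:\documents and settings\all users\application data\rpm.exe
2012-04-14 20:30:12 0 ----a-w- c:\documents and settings\all users\application data\321.exe
2012-04-14 20:29:48 256 ----a-w- c:\documents and settings\all users\application data\abc.exe
"""
SCAN_DATE = date(2012, 5, 1)

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")
# Locations any user (and therefore any rogue running as that user) can write to.
DATA_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\windows\\temp\\")
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$")


def parse_created(text):
    """Yield (date, size_or_None, attrs, path) for each DDS file/directory line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d, _t, size, attrs, path = m.groups()
        yield date.fromisoformat(d), (None if size.startswith("-") else int(size)), attrs, path


def triage(text, scan_date):
    """Return (severity, path, reason) tuples. Heuristics only: every hit needs a human look."""
    findings = []
    for when, size, attrs, path in parse_created(text):
        if size is None or attrs.startswith("d"):
            continue  # directories carry no size and are skipped
        p = path.lower()
        name = p.rsplit("\\", 1)[-1]
        if when > scan_date:
            findings.append(("review", p, "timestamp later than the scan date (bad clock or timestomping)"))
        if not name.endswith(EXEC_EXT):
            continue
        in_data = any(d in p for d in DATA_DIRS) or DRIVE_ROOT.match(p) is not None
        if in_data:
            if size < 1024:  # my threshold: far too small for a normal PE image
                findings.append(("high", p, f"{size}-byte executable in a user-writable location"))
            else:
                findings.append(("review", p, "executable in a user-writable location"))
        elif "\\drivers\\" in p and name.endswith(".sys"):
            vowels = sum(c in "aeiou" for c in name[:-4])
            why = "new kernel driver with no vowels in its name" if vowels == 0 else "new kernel driver"
            findings.append(("review", p, why))
    return findings


if __name__ == "__main__":
    for sev, p, why in sorted(triage(DDS_CREATED, SCAN_DATE)):
        print(f"{sev:6} {p}  <- {why}")
```

Run against the full "Created Last 30" block the same way; the vendor drivers (MBAM, FixTDSS, PC Tools) land in the "review" bucket alongside qpykhd.sys, which is why the reason string matters more than the bucket.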

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!)

Post back the report.

-----------------------------------

Next.......

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC

------->Logs will be closed if you haven't replied within 3 days!<--------


Loaded Rogue Killer and OTL

Computer moving like a raft in a lagoon on a windless night.

Gathered these scans....

RogueKiller V7.4.3 [05/04/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version

Started in : Normal mode

User: donna [Admin rights]

Mode: Scan -- Date: 05/04/2012 23:14:10

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

[FAKED] ati1rvxx.sys : c:\windows\system32\drivers\ati1rvxx.sys --> CANNOT FIX

[FAKED] ati2mtaa.sys : c:\windows\system32\drivers\ati2mtaa.sys --> CANNOT FIX

[FAKED] atinxsxx.sys : c:\windows\system32\drivers\atinxsxx.sys --> CANNOT FIX

[FAKED] HSF_K56K.sys : c:\windows\system32\drivers\HSF_K56K.sys --> CANNOT FIX

[FAKED] mf.sys : c:\windows\system32\drivers\mf.sys --> CANNOT FIX

[FAKED] mtlstrm.sys : c:\windows\system32\drivers\mtlstrm.sys --> CANNOT FIX

[FAKED] nic1394.sys : c:\windows\system32\drivers\nic1394.sys --> CANNOT FIX

[FAKED] NWLNKNB.SYS : c:\windows\system32\drivers\NWLNKNB.SYS --> CANNOT FIX

[FAKED] slnt7554.sys : c:\windows\system32\drivers\slnt7554.sys --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: MAXTOR 6L020J1 +++++

--- User ---

[MBR] 141d32b8dc6b23f80683d8f16cfcba7f

[BSP] f49cae14d8b91b005dff84b1f6d8852f : Windows XP MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 31 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 64260 | Size: 19563 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2].txt >>

RKreport[1].txt ; RKreport[2].txt

////////////////////////////////////////////////////////////////////////////////////

Anxiously awaiting further instructions...

Grivin

OTL.Txt

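The MBR check RogueKiller prints above (hashes, partition table, active flag) is a standard part of bootkit triage, because a bootkit has to change either the boot code or the partition table to get control before Windows does. Here is an added example, not RogueKiller's code, that parses a raw 512-byte MBR and runs the structural checks behind such a report. The sector is constructed inside the script to match the table in the report (type 0xDE Dell utility partition at LBA 63, active NTFS at LBA 64260, 19563 MB); its boot code, disk signature and the disk size are filler. Which byte range a given tool hashes is tool-specific, so the MD5 computed here is only comparable against a known-good table you build yourself.

```python
import hashlib
import struct

# Partition types one meets on XP-era disks (subset).
PART_TYPES = {0x07: "NTFS", 0x0b: "FAT32", 0x0c: "FAT32 (LBA)", 0x05: "Extended",
              0x0f: "Extended (LBA)", 0xde: "Dell utility", 0x83: "Linux"}
SECTOR = 512
DISK_SECTORS = 40_132_503  # constructed: slightly larger than the two partitions


def build_sample_mbr():
    """Constructed 512-byte MBR mirroring the partition table in the RogueKiller
    report above. Boot code and disk signature are filler, not that machine's sectors."""
    code = b"\xfa\x33\xc0" + b"\x90" * 437        # cli; xor ax,ax; NOP padding (440 bytes)
    disk_sig = struct.pack("<I", 0x1234ABCD)      # constructed NT disk signature
    reserved = b"\x00\x00"
    # status, CHS start (3 bytes, unused here), type, CHS end, LBA start, sector count
    entries = struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0xDE, b"\0\0\0", 63, 64260 - 63)
    entries += struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 64260, 19563 * 2048)
    entries += b"\x00" * 32                       # two empty slots
    mbr = code + disk_sig + reserved + entries + b"\x55\xaa"
    assert len(mbr) == SECTOR
    return mbr


def parse_mbr(buf):
    """Decode boot-code hash, disk signature and the four partition slots."""
    if len(buf) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if buf[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from("<B3sB3sII", buf, 446 + 16 * i)
        if ptype == 0:
            continue
        parts.append({"slot": i, "active": status == 0x80, "type": ptype,
                      "name": PART_TYPES.get(ptype, "unknown"), "lba": lba,
                      "sectors": count, "size_mb": count * SECTOR // (1024 * 1024)})
    return {"code_md5": hashlib.md5(buf[:440]).hexdigest(),  # compare with your own baseline
            "disk_sig": struct.unpack_from("<I", buf, 440)[0],
            "partitions": parts}


def sanity_checks(mbr, disk_sectors):
    """Structural checks that a tampered or damaged table would trip."""
    issues = []
    active = [p for p in mbr["partitions"] if p["active"]]
    if len(active) != 1:
        issues.append(f"{len(active)} active partitions, expected exactly 1")
    spans = sorted((p["lba"], p["lba"] + p["sectors"]) for p in mbr["partitions"])
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            issues.append(f"partition overlap at LBA {s2}")
    for p in mbr["partitions"]:
        if p["lba"] == 0 or p["sectors"] == 0:
            issues.append(f"slot {p['slot']}: zero start or length")
        if p["lba"] + p["sectors"] > disk_sectors:
            issues.append(f"slot {p['slot']}: extends past end of disk")
    return issues


def unallocated_tail(mbr, disk_sectors):
    """Sectors after the last partition: unpartitioned space worth imaging, since
    nothing in the file system accounts for it."""
    end = max((p["lba"] + p["sectors"] for p in mbr["partitions"]), default=0)
    return disk_sectors - end


if __name__ == "__main__":
    m = parse_mbr(build_sample_mbr())
    for p in m["partitions"]:
        print(p)
    print("boot code md5:", m["code_md5"])
    print("issues:", sanity_checks(m, DISK_SECTORS), "| tail sectors:", unallocated_tail(m, DISK_SECTORS))
```

On a live system the 512 bytes come from reading `\\.\PhysicalDrive0` (administrator rights required, which is also why RogueKiller asks to be run as administrator); the "Mo" in the report is the French abbreviation for MB, and the 31 MB / 19563 MB sizes fall straight out of the sector counts.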

First...Please don't start any new post...just stay in this one and use the "Post" or "More Reply Options" button.

I'll have your 2 threads merged.

Have you been helped some where else or just ran all these programs on your own??

MrC


Oops... I didn't see how to add to the original thread at first. Sorry.

I was just trying to follow the clues at various malware help sites & trying "cures" I thought might be appropriate. A large percentage of them wouldn't run properly or returned results I couldn't make sense of.

Mr.C's advice is the first direct help I've had.

I hope my random (and frantic) attempts to find a helpful tool didn't dig any ruts I can't fill in...

-GRIVEN


Please make sure system restore is running and create a new restore point before continuing.

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Delete.

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


Stymied on the first step. I couldn't find Restore XP at the site you cited, but others I looked at pretty much said the same thing.

I followed those guidelines, but the "System Tools" box said "empty." Running back & forth between her computer and mine (to search for alternatives), one site suggested running an "msconfig" command, but that refused to run. Then things froze up & Task Master (which is opening in multiple boxes now) helped me reboot & start again. Looking further, I found another suggestion to run %SystemRoot%\System32\restore\rstrui.exe as a command.

Still awaiting results from that, I came back to this computer, which, unlike the infected system, doesn't take a half hour to respond to a click, to report in. If the last-mentioned method doesn't work, are there any other tricks to set a restore point?

Thanks,

Grivin


Breakthrough. While waiting for something to happen, it froze again & Task Mgr. wouldn't come up, so I decided to try rebooting in Safe Mode. This bug is anything but consistent. Sometimes, trying to run an executable, it will deny it by saying there's not enough virtual memory; sometimes it'll claim an entirely different problem, "file is corrupted" or something else. Sometimes it blocks Safe Mode with a "Keyboard Failure" notice and right below that, just for laughs, it'll say "Strike F1 to Continue."

Anyhow, I did get the keyboard on and ran the %SystemRoot% command and this time it worked. Or at least looks like it did. Bingo. I'm going back now to flashstick ERUNT & Kaspersky onto the desktop.

I do remember using TDSSKILLER before & getting blocked, renaming it. After that I don't recall the results.

I must have been near delirious by then & stopped taking my handwritten notes.

If I have any luck with TDSS, I'll post the .txt file.

Thanks again...

Grivin


The nightmare continues. I'm rolling back my premature optimism.

The restore function ended with a notice that Windows could not restore to the selected date (April 4, a day before the virus showed up). It suggested selecting another date. It seems there are BOLD listed dates in the calendar to choose from. I rolled back to March 27, the only bold date left, & tried again. Same result.

What now?

The computer is still in the restore program but there are no more bold dates left before the bug's arrival.

It won't go to Feb. & 27 was the only featured date in March.

As it switched off to, supposedly Restore, I noticed a box which said "WKUFind.exe failed to initialize because Windows is shutting down." If that means anything.

Still clinging to the last strands of my rope. Can you give me a hand up here? I'm hesitant of exiting the Restore program for fear of getting locked out again.

What do you think?

Grivin


It sounds like the system is badly corrupted, and possibly there is an overheating or hardware problem.

How about backing everything up and doing a repair install or a complete format and install.

Do you have any disks for this computer??

MrC


I believe my mate bought this beast over the internet with the program already installed, but I'll have to check on that.

It's hard to see how there could be a hardware problem. She uses it only when she has to for work, mostly, and it's never on for extended periods. She has taken meticulous care of it. There are no fan revs or anything like that.

I can't quite picture the processes you mention. Sounds daunting.

Isn't there any way to get around the restore point issue? She mentioned, last night, having restore points in the past but not for a "long time." It wouldn't make sense to try to use a restore point after the infection showed up and then try to cure it from there, would it?

-Grivin


Let's see if we can see what's wrong with System Restore.

Please remove any USB or external drives from the computer before you run this scan!

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.

MrC


Confirmed-Windows was installed on purchase. But, because of a grad school requirement, the current version was legally installed through some sort of institutional arrangement or exemption.

I strongly feel this problem is not hardware-related.

Whatever is at root seems to sense when a remedial program is about to run and halts the process with some excuse about inadequate resources or some other such bull.. From my brief acquaintance with this spooky realm, I'm guessing that some sort of "root-kit" is involved but I don't know enough about them to really be certain of anything.

A large question looms here. Since this seemed to begin with a SMART HDD Repair invasion (an outfit with an apparent address to receive payment), & everyone in the cyber community seems fairly convinced that they are delivering this rogue horror, why can't they be stopped? There's so much concern, right now, about cyber security; what's protecting the known malware distributors from prosecution?

Thanks in advance for your views...

-Grivin


Were you able to run FSS?

See if you can do this.....

Please download Listparts

Run the tool, click Scan and post the log (Result.txt) it makes

MrC


Okay. Got your FSS advice.

Will do.


DETAILS- I transferred FSS.exe to Desktop.

When I inserted the flashstick (just in case there's some kind of clue in this) I got a message saying "This USB device can perform faster if you connect it to a Hi-Speed USB 2.0 port. For a list of available ports, click here." (I did not click.)

When I tried running FSS, I got that familiar hourglass image for about ten minutes & tried Task Master to see what was going on.

TaskMaster flunked: "...application failed to initialize properly (0xc00012d) Click on OK to terminate..."

As I leaned back, pondering that, the FSS box opened. I clicked all but the "Windows Defender" box (which wasn't indicated in your directions), removed the flashstick, closed the TaskMaster notice and ran FSS successfully. There were no problems running the "List Parts" scan. Both are pasted below.

/////////////////////////////

Farbar Service Scanner Version: 30-04-2012 01

Ran by donna (administrator) on 06-05-2012 at 10:52:31

Running from "C:\Documents and Settings\donna\Desktop"

Microsoft Windows XP Home Edition Service Pack 2 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

Windows Autoupdate Disabled Policy:

============================

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll

[2001-08-18 07:00] - [2006-05-19 08:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\system32\Drivers\afd.sys

[2001-08-18 07:00] - [2008-08-14 05:51] - 0138368 ____A (Microsoft Corporation) 55E6E1C51B6D30E54335750955453702

C:\WINDOWS\system32\Drivers\netbt.sys

[2001-08-18 07:00] - [2004-08-04 02:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys

[2001-08-18 07:00] - [2008-06-20 06:45] - 0360320 ____A (Microsoft Corporation) 2A5554FC5B1E04E131230E3CE035C3F9

C:\WINDOWS\system32\Drivers\ipsec.sys

[2001-08-18 07:00] - [2004-08-04 02:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll

[2001-08-18 07:00] - [2008-02-20 01:32] - 0045568 ____A (Microsoft Corporation) AAC8FFBFD61E784FA3BAC851D4A0BD5F

C:\WINDOWS\system32\ipnathlp.dll

[2004-11-10 19:29] - [2004-08-04 03:56] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

C:\WINDOWS\system32\netman.dll

[2001-08-18 07:00] - [2005-08-22 14:29] - 0197632 ____A (Microsoft Corporation) 36739B39267914BA69AD0610A0299732

C:\WINDOWS\system32\wbem\WMIsvc.dll

[2001-08-18 07:00] - [2004-08-04 03:56] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\srsvc.dll

[2001-11-26 14:50] - [2004-08-04 03:56] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\system32\Drivers\sr.sys

[2001-08-18 07:00] - [2004-08-04 02:06] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

C:\WINDOWS\system32\wscsvc.dll

[2004-08-04 03:56] - [2004-08-04 03:56] - 0081408 ____N (Microsoft Corporation) 4D59DAA66C60858CDF4F67A900F42D4A

C:\WINDOWS\system32\wbem\WMIsvc.dll

[2001-08-18 07:00] - [2004-08-04 03:56] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\wuauserv.dll

[2001-08-18 07:00] - [2004-08-04 03:56] - 0006656 ____A (Microsoft Corporation) 13D72740963CBA12D9FF76A7F218BCD8

C:\WINDOWS\system32\qmgr.dll

[2002-01-22 15:51] - [2004-08-04 03:56] - 0382464 ____A (Microsoft Corporation) 2C69EC7E5A311334D10DD95F338FCCEA

C:\WINDOWS\system32\es.dll

[2004-11-10 19:31] - [2008-07-07 16:32] - 0253952 ____A (Microsoft Corporation) 60D1A6342238378BFB7545C81EE3606C

C:\WINDOWS\system32\cryptsvc.dll

[2001-08-18 07:00] - [2004-08-04 03:56] - 0060416 ____A (Microsoft Corporation) 10654F9DDCEA9C46CFB77554231BE73B

C:\WINDOWS\system32\svchost.exe

[2001-08-18 07:00] - [2004-08-04 03:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll

[2004-11-10 19:31] - [2009-02-09 06:20] - 0399360 ____A (Microsoft Corporation) 01095FEBF33BEEA00C2A0730B9B3EC28

C:\WINDOWS\system32\services.exe

[2001-08-18 07:00] - [2009-02-06 13:14] - 0110592 ____A (Microsoft Corporation) 37561F8D4160D62DA86D24AE41FAE8DE

Extra List:

=======

Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)

0x0B0000000400000001000000020000000300000009000000080000005A0000000A000000050000000600000007000000

IpSec Tag value is correct.

**** End of log ****

////////////////////////////////////////

ListParts by Farbar Version: 12-03-2012 03

Ran by donna (administrator) on 06-05-2012 at 10:53:39

Windows XP (X86)

Running From: C:\Documents and Settings\donna\Desktop

Language: 0409

************************************************************

========================= Memory info ======================

Percentage of memory in use: 79%

Total physical RAM: 126.01 MB

Available physical RAM: 25.94 MB

Total Pagefile: 498.59 MB

Available Pagefile: 189.72 MB

Total Virtual: 2047.88 MB

Available Virtual: 2009.84 MB

======================= Partitions =========================

2 Drive c: () (Fixed) (Total:19.11 GB) (Free:3.59 GB) NTFS ==>[Drive with boot components (Windows XP)]

Disk ###  Status  Size   Free  Dyn  Gpt
--------  ------  -----  ----  ---  ---
Disk 0    Online  19 GB  0 B

Partitions of Disk 0:

===============

Partition ###  Type     Size   Offset
-------------  -------  -----  ------
Partition 1    OEM      31 MB  32 KB
Partition 2    Primary  19 GB  31 MB

======================================================================================================

Disk: 0

Partition 1

Type : DE

Hidden: Yes

Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ###  Ltr  Label  Fs    Type       Size   Status   Info
----------  ---  -----  ----  ---------  -----  -------  --------
* Volume 1  C           NTFS  Partition  19 GB  Healthy  System (partition with boot components)

======================================================================================================

****** End Of Log ******

//////////////////////////////////////

-GRIVEN

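What the "IpSec Tag value is correct" line in the FSS log above is checking, as an added example (not FSS's own code): the hex blob printed under "Extra List" has the layout of a REG_BINARY value under HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList, a DWORD count followed by one DWORD per service Tag in load order. That this particular value is the PNP_TDI group is my assumption, since the log does not name the key; the service-to-tag line and the blob are copied from the log. The script decodes the blob, confirms every listed service's Tag is present in the group order, reports the resulting load order, and rebuilds a constructed blob with the IPSec tag removed to show what a tampered value looks like.

```python
import re
import struct

# Copied from the "Extra List" section of the FSS log above.
FSS_TAG_LINE = "Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)"
FSS_BLOB = "0x0B0000000400000001000000020000000300000009000000080000005A0000000A000000050000000600000007000000"


def parse_group_order(blob_hex):
    """Decode a GroupOrderList value: little-endian DWORD count, then that many
    DWORD tags. Returns the tags in load order."""
    raw = bytes.fromhex(blob_hex[2:] if blob_hex[:2].lower() == "0x" else blob_hex)
    if len(raw) < 4 or len(raw) % 4:
        raise ValueError("blob is not a whole number of DWORDs")
    words = struct.unpack("<%dI" % (len(raw) // 4), raw)
    count, tags = words[0], list(words[1:])
    if count != len(tags):
        raise ValueError(f"count field says {count} tags but {len(tags)} follow")
    return tags


def parse_service_tags(line):
    """'Gpc(6) IPSec(4) ...' -> {'Gpc': 6, 'IPSec': 4, ...}"""
    return {m.group(1): int(m.group(2)) for m in re.finditer(r"(\w+)\((\d+)\)", line)}


def check_tdi_group(tag_line, blob_hex):
    """Cross-check each service's Tag against the group order; a service whose Tag
    is missing from the list does not get its place in the boot-time load order."""
    order = parse_group_order(blob_hex)
    expected = parse_service_tags(tag_line)
    missing = {svc: tag for svc, tag in expected.items() if tag not in order}
    duplicates = sorted({t for t in order if order.count(t) > 1})
    present = [svc for svc in expected if svc not in missing]
    load_order = sorted(present, key=lambda svc: order.index(expected[svc]))
    return {"ok": not missing and not duplicates, "missing": missing,
            "duplicates": duplicates, "load_order": load_order}


def without_tag(blob_hex, tag):
    """Constructed negative case: rebuild the blob with one tag dropped, count fixed up."""
    tags = [t for t in parse_group_order(blob_hex) if t != tag]
    return "0x" + struct.pack("<%dI" % (len(tags) + 1), len(tags), *tags).hex().upper()


if __name__ == "__main__":
    print(check_tdi_group(FSS_TAG_LINE, FSS_BLOB))
    print(check_tdi_group(FSS_TAG_LINE, without_tag(FSS_BLOB, 4)))
```

On this log the blob decodes to eleven tags with IPSec (4) first and Tcpip (3) fourth, which is why FSS reports the value as correct; the only other thing worth comparing is the count field, which must equal the number of tags that follow.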

The logs look OK.

I notice you have very little Total physical RAM:

Percentage of memory in use: 79%

Total physical RAM: 126.01 MB<----------------

Available physical RAM: 25.94 MB<---------------

Total Pagefile: 498.59 MB<----------------

Available Pagefile: 189.72 MB<-------------

Total Virtual: 2047.88 MB

This is my XP machine:

Percentage of memory in use: 49%

Total physical RAM: 1023.23 MB

Available physical RAM: 517.73 MB

Total Pagefile: 2459.09 MB

Available Pagefile: 2027.31 MB

Total Virtual: 2047.88 MB

Available Virtual: 2009.09 MB

Any thoughts?? MrC


I see.

I doubt that's a causative factor but could it contribute to the inability of anti-malware programs to initialize?


If the logs look okay, does that mean I should retry System Restore Point? My head is spinning a little here.

-Grivin


NO, system restore seems to be corrupt.

You need more RAM installed on the system for it to function properly.

Please do this: Download and run HiJackThis:

http://www.trendmicr.../HijackThis.exe

Run HJT.exe

Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad. Save the log to a convenient location.

Copy and paste it into your post.

MrC


I used a "HijackThis" which I had put on a week or so back but never got around to using for some reason or another.

I hope there's no update problem since then. If so, please let me know.

Here it is-

//////////////////////////////////////////////////////////////////////////////

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:08:11 PM, on 5/6/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\Update.exe
C:\Program Files\Spyware Doctor\upgrade.exe
C:\Documents and Settings\donna\Desktop\ListParts.exe
C:\Documents and Settings\donna\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hvaccess.com/members
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://duckduckgo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hvaccess.com/members
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-3646499915-954458941-3890034720-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3646499915-954458941-3890034720-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - HKUS\S-1-5-21-3646499915-954458941-3890034720-500\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe -update activex (User 'Administrator')
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6947 bytes


Please create a folder and place HJT in there so back ups can be made and found.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

Click on Fix Checked when finished and exit HijackThis.

------------------------------------------------------------------

Reboot and see if you can run ComboFix:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:

If you get the message "Illegal operation attempted on registry key that has been marked for deletion." after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC

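Added example (mine, not from this thread, from HijackThis or from its authors): a small parser for the HijackThis log format quoted above, which groups findings by entry type, pulls out the O4 autostart values and O16 remote downloads a helper reviews first, and checks that the lines a helper asks you to "Fix checked" really appear verbatim in the log, as in the instructions above. The sample lines are a constructed subset of the log posted earlier.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis log lines quoted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://duckduckgo.com/
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-3646499915-954458941-3890034720-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
--
End of file - 6947 bytes
"""

# Every HJT finding starts with a type code (R0, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
# O4 body: <hive>\..\<Run key>: [<value name>] <command line>
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 body: DPF: {CLSID} - <download URL>
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) - (?P<url>\S+)$")


def parse_hjt(text):
    """Group the findings of a HijackThis log by entry type; header and footer lines are skipped."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("kind")].append(m.group("body"))
    return dict(entries)


def run_values(entries):
    """O4 autostarts as (hive, key, value name, command) tuples, the entries a helper reviews first."""
    out = []
    for body in entries.get("O4", []):
        m = RUN_RE.match(body)
        if m:
            out.append((m.group("hive"), m.group("key"), m.group("name"), m.group("cmd")))
    return out


def remote_dpf(entries):
    """O16 Download Program Files entries pointing at a URL: ActiveX components installed from the web."""
    return [(m.group("clsid"), m.group("url")) for m in map(DPF_RE.match, entries.get("O16", [])) if m]


def present_lines(text, wanted):
    """Which of the lines a helper asked to 'Fix checked' actually appear verbatim in this log."""
    have = {line.strip() for line in text.splitlines()}
    return [w for w in wanted if w.strip() in have]
```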

Sorry for the delay, but does HijackThis signal any indication of when it is finished?

I've checked the 3 boxes as ordered & clicked Fix. Everything disappeared from the HJT list screen and I have been waiting for a notice that it is finished before proceeding to the next step. In view of the precautions & the slowness of the computer's current operations, I don't want to jump the gun before closing it.


Just run another HJT scan and we'll see......MrC
