Solved: Please Review MY HJT Log

NeonFx
01-Nov-2009, 02:02 PM #16
Much better. Let's run a general purpose scan to look for leftovers.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Scan all of your hard drives.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
If I have not responded in three days, please feel free to PM me with a friendly reminder.
Please don't send me requests for help. Use the forums instead.
altogaflash
01-Nov-2009, 11:41 PM #17
Malwarebytes Anti-Malware Scan Results Log
Good evening Neonfx,
I still get the BSOD when I try to boot up in safe mode (see post #1 from this thread).
Another strangeness. I noticed a few days ago that my start menu has the Microsoft Outlook Email icon there. I've never used this program and haven't planned to. I don't remember registering for it when I first got the computer, so I should not have an email account. I opened the icon and it wants me to start registering for it, which I didn't do..... Another strange connection here. When I've run my McAfee Security Center Quick Clean process the last 3-5 days, during the 'Analyzing Your Computer' step, it always stops at Outlook Express Email Cleaner (deleted items) and a Windows pop-up displays the message: "To free up disk space, Outlook Express can compact messages. This may take a few minutes". I always closed the pop-up and the 'Quick Clean' completes as normal.

Malwarebytes' Anti-Malware 1.41
Database version: 3081
Windows 5.1.2600 Service Pack 3
11/1/2009 9:20:01 PM
mbam-log-2009-11-01 (21-20-01).txt
Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 178504
Time elapsed: 49 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Personal Guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
NeonFx
02-Nov-2009, 12:03 AM #18
Please download and run the following tool to try to fix the Safe Mode problems: http://download.bleepingcomputer.com...tKeyRepair.exe

Also, have you tried uninstalling Outlook by going to Start > Control Panel > Add/Remove Programs?
NeonFx
02-Nov-2009, 12:04 AM #19
Never mind, I thought you meant the full version of Outlook, not Outlook Express, which comes installed by default in every version of Windows.
altogaflash
02-Nov-2009, 12:55 AM #20
Thanks!!!!
The tKey Repair for safe mode worked. I'm able to boot up in safe mode now!
Yea, I'm sorry. The Outlook Express icon showed up on my start menu at the same time (last 3-5 days). Both it, the Microsoft Outlook-Email icon and the McAfee Security Center Quick Clean issue occurred at the same time. Figured these abnormal circumstances were related with trojan issue in some way.
Did you see the Malwarebytes Anti-Malware Scan Results Log in my previous post? What ya think?....My computer's running so much betterrr, but I must admit I'm a little gun shy on online bank/bill paying sites, web searches, web site visits, etc. until I get a full bill of health.
NeonFx
02-Nov-2009, 01:18 AM #21
The results are just what I expected. It took care of leftovers that the tools I used could not see.

Have you contacted your banks and/or changed all your online passwords? If you are worried that your information was stolen (and with good reason!), this would be the best thing you can do now that your system is clean.

Let's run an online scan of your system to be absolutely sure you're clean. This will take a while but it's well worth it as it can find things most other scanners will miss.

STEP 1

The online scanner uses Java, so I will need you to download and install the latest version for that.

Please go here to download the installer:

http://java.com/en/download/index.jsp


STEP 2

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.



2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.


The program will then begin downloading and installing and will also update the database.


Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply
altogaflash
02-Nov-2009, 06:54 AM #22
KASPERSKY Scan Report
Hi Neonfx,

Just an FYI,

After the Kaspersky scan, I re-enabled McAfee and Windows Defender. Windows Defender did an auto quick scan (which found no issues). Got a window 'Virtual Memory Minimum too low' alert on my desktop that went away about 5 minutes later.
Computer is sluggish, maybe just a little wore out after that scan.

Anyway, here's the log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, November 2, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, November 02, 2009 07:42:05
Records in database: 3114191
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
Scan statistics:
Objects scanned: 77754
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 02:19:38

File name / Threat / Threats count
C:\_OTS\MovedFiles\10312009_170533\C_WINDOWS\system32\kuwibipa.dll Infected: Packed.Win32.Katusha.g 1
C:\_OTS\MovedFiles\10312009_170533\C_WINDOWS\system32\mirajehi.dll Infected: Packed.Win32.Katusha.g 1
Selected area has been scanned.

Last edited by altogaflash : 02-Nov-2009 07:00 AM. Reason: Edit non-scan log comments
NeonFx
02-Nov-2009, 01:01 PM #23
You're clean now. For things you can try in an attempt to speed your computer up, see HERE. Let's clean up.


STEP 1

To clean up OldTimer's tools, along with a few others, do the following:



  • Run OTS.exe by double clicking on it
  • Click on the "CleanUp" button on the top.
  • You will be asked if you wish to reboot your system, select "Yes"





STEP 2

Remove any other tools or files we used by right-clicking on them or any folders they created, hold down the Shift key, and select "Delete" by clicking on it. This will delete the files without sending them to the RecycleBin.

You can also uninstall the other programs (HijackThis or MalwareBytes if we used them) by going to Start > Control Panel > Add/Remove programs (Programs and Features in Vista/7)

All Clean

Congratulations, your system is now clean. Now that your system is safe we would like you to keep it that way. Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Install WinPatrol
Download it HERE
You can find information about how WinPatrol works HERE

Other Software Updates
It is very important to update the other software on your computer to patch up any security issues you may have. Go HERE to scan your computer for any out of date software. In particular make sure you download the updates for Java and Adobe as these are subject to many security vulnerabilities.

Setting up Automatic Updates
So that it is not necessary to have to remember to update your computer regularly (something very important to securing your system), automatic updates should be configured on your computer. Microsoft has guides for XP and Vista on how to do this.

Read further information HERE on how to prevent Malware infections and keep yourself clean.
altogaflash
03-Nov-2009, 06:34 PM #24
Hi neonfx,
Ohh how I want this to be over.

So my computer's clean even though my 11/2 Kaspersky scan showed the 1 'threat' and 2 infected 'objects'?:

Scan statistics:
Objects scanned: 77754
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 02:19:38

File name / Threat / Threats count
C:\_OTS\MovedFiles\10312009_170533\C_WINDOWS\system32\kuwibipa.dll Infected: Packed.Win32.Katusha.g 1
C:\_OTS\MovedFiles\10312009_170533\C_WINDOWS\system32\mirajehi.dll Infected: Packed.Win32.Katusha.g 1
Selected area has been scanned.


(My lack of computer knowledge to fully interpret the above, I'm sure, will show my ignorance here. But I just want to make sure I should be clean.)

I've had a lot of problems after logging back into my computer to check your response to the Kaspersky scan log (McAfee telling me I'm not protected via icon and pop up message<-this happened yesterday. Excessive hard drive activity, error messages, and all computer processes very slow).
I was about to get my bottle of Jack Daniels, my baseball bat, and commence to putting this thing out of service (not really).
Buttt decided to give it one more try today. Computer booted up fine, McAfee seems OK, was able to login here, saw your reply to the Kaspersky Scan.
I completed your steps 1 & 2 and the MS Windows update check. Per the Secunia check for other program updates, I have some to complete, but will do those after 1AM when my Hughes Net download threshold will not count against me.
I've tried to reply back to you 4 times today, but each time during my reply attempt, computer slows, won't complete a 'copy and paste', basically freezes up. Lets see if this attempt goes through.
I have Hughes Net satellite internet service and think maybe it's a connectivity problem. I've received a few alerts from them today and yesterday too. So maybe that's the problem.
NeonFx
03-Nov-2009, 06:56 PM #25
I'm sorry to hear that. I thought you said your computer was pretty much ok.

The Kaspersky results say the items are in this folder: C:\_OTS\MovedFiles

That is where all the files went that we took care of using OTS, which means we had already taken care of those items and they were removed using the "Cleanup" button in step 1 of my cleanup post.


Let's do the following as you're probably still infected with something because of the symptoms you are describing.

Note: Disabling any security programs you have running will significantly increase the chances of the following working as it should. Please disable AntiViruses, AntiSpywares and Firewalls before continuing on with my instructions. For instructions, if needed, see HERE or HERE

Download Combofix from any of the links below but rename the file to altogaflash before saving it to your desktop.

To do so in Internet Explorer right click one of the links and select "Save Target As.." from the options. This will open a Save box where you should navigate to your Desktop and change the name in the textbox on the bottom.
To get the same box in Firefox right click one of these links and select "Save Link As.." from the menu.

Link 1
Link 2


==================================


Double click on the altogaflash.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • If you are asked to allow ComboFix to download and install the Recovery Console or have it update, let it do so.
  • Please post the results that are saved at C:\ComboFix.txt in your next reply



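The point made in post #25 above, that detections under C:\_OTS\MovedFiles are copies OTS had already moved aside, as an added example that is not part of the original thread: a triage script that splits a Kaspersky Online Scanner report into hits inside a tool's quarantine folder and hits still in a live location. The function names, the third sample row and the check that the number of detection rows equals the infected plus suspicious totals (which holds for the report posted here) are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Folder OTS moved files into, as named in the thread. Other tools'
# quarantine folders can be added to this tuple.
QUARANTINE_ROOTS = (r"C:\_OTS\MovedFiles",)

# Constructed sample in the layout of the report posted in this thread.
# The third detection row is made up to show a live hit, and the
# "Infected objects found" figure is adjusted to match it.
SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 77754
Threats found: 1
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:19:38

File name / Threat / Threats count
C:\_OTS\MovedFiles\10312009_170533\C_WINDOWS\system32\kuwibipa.dll Infected: Packed.Win32.Katusha.g 1
C:\_OTS\MovedFiles\10312009_170533\C_WINDOWS\system32\mirajehi.dll Infected: Packed.Win32.Katusha.g 1
C:\WINDOWS\system32\example-constructed.dll Infected: Packed.Win32.Katusha.g 1
Selected area has been scanned.
"""

# One detection row: path (may contain spaces), status, threat name, count.
ROW = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<status>Infected|Suspicious):\s+"
    r"(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)
# The two summary counters used for the completeness check.
STAT = re.compile(r"^(?P<key>Infected|Suspicious) objects found:\s*(?P<n>\d+)\s*$")


def _parts(path):
    """Split a Windows path into lower-cased components for comparison."""
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def in_quarantine(path, roots=QUARANTINE_ROOTS):
    """True if path lies strictly below one of the quarantine roots.

    Comparison is per component and case-insensitive, so a sibling folder
    such as MovedFilesOld does not match. Paths containing '..' are never
    treated as quarantined, because they may resolve outside the root.
    """
    parts = _parts(path)
    if ".." in parts:
        return False
    for root in roots:
        r = _parts(root)
        if len(parts) > len(r) and parts[:len(r)] == r:
            return True
    return False


def parse_report(text):
    """Return (summary counters, detection rows) from a pasted report."""
    stats, rows = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = STAT.match(line)
        if m:
            stats[m["key"].lower()] = int(m["n"])
            continue
        m = ROW.match(line)
        if m:
            rows.append({
                "path": m["path"],
                "status": m["status"],
                "threat": m["threat"],
                "count": int(m["count"]),
            })
    return stats, rows


def triage(text, roots=QUARANTINE_ROOTS):
    """Split detections into quarantined copies and live files.

    'complete' is False when the counters are missing or disagree with the
    number of rows found, which usually means the paste was cut short.
    """
    stats, rows = parse_report(text)
    quarantined = [r for r in rows if in_quarantine(r["path"], roots)]
    live = [r for r in rows if not in_quarantine(r["path"], roots)]
    complete = len(stats) == 2 and sum(stats.values()) == len(rows)
    return {"quarantined": quarantined, "live": live, "complete": complete}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for row in result["quarantined"]:
        print("already moved aside:", row["path"])
    for row in result["live"]:
        print("NEEDS ATTENTION:   ", row["path"], row["threat"])
    if not result["complete"]:
        print("warning: row count does not match the report's totals")
```

A report whose only hits fall in the first group, like the one posted in this thread, shows files a removal tool has already relocated, and they disappear once the tool's cleanup step deletes its folder.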
altogaflash
03-Nov-2009, 09:02 PM #26
Combo Fix Results 1
Neonfx,
Here's 1 of 2 Combo fix logs. This one was done with McAfee virus protection off, but my McAfee firewall and spyware protection on. (I ran the previous Kaspersky scan like this too, what a dummy) I thought I had them turned off. In my next post will be the Combo fix with all protection off.

ComboFix 09-11-03.01 - Jack Oliver 11/03/2009 18:40.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.252 [GMT -6:00]
Running from: c:\documents and settings\Jack Oliver\Desktop\Malware Folder\altogaflash.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.
2009-11-02 06:30 . 2009-11-02 06:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-02 02:23 . 2009-11-02 02:23 -------- d-----w- c:\documents and settings\Jack Oliver\Application Data\Malwarebytes
2009-11-02 02:23 . 2009-11-02 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-28 04:26 . 2009-10-28 04:26 -------- d-----w- c:\program files\Trend Micro
2009-10-25 10:20 . 2009-10-31 00:33 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-25 09:30 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-10-24 01:22 . 2009-10-24 01:22 -------- d-----w- c:\program files\Citrix
2009-10-24 01:22 . 2009-10-24 01:22 -------- d-----w- c:\documents and settings\Jack Oliver\Local Settings\Application Data\Citrix
2009-10-24 01:22 . 2009-10-24 01:22 61224 ----a-w- c:\documents and settings\Jack Oliver\GoToAssistDownloadHelper.exe
2009-10-20 22:40 . 2009-10-24 03:07 -------- d-----w- c:\documents and settings\Jack Oliver\Application Data\McAfee
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 00:50 . 2006-07-11 22:47 -------- d-----w- c:\program files\Dl_cats
2009-11-03 20:12 . 2007-02-13 05:35 -------- d-----w- c:\documents and settings\Jack Oliver\Application Data\SiteAdvisor
2009-11-03 19:23 . 2006-07-11 06:51 27536 ----a-w- c:\documents and settings\Jack Oliver\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-26 20:41 . 2009-01-12 09:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-23 22:33 . 2006-07-05 12:27 -------- d-----w- c:\program files\McAfee
2009-10-20 22:39 . 2006-07-05 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-05 22:51 . 2006-07-05 12:20 -------- d-----w- c:\program files\America Online 9.0
2009-10-01 15:29 . 2009-10-02 19:06 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-16 15:22 . 2007-02-13 05:33 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22 . 2007-02-13 05:33 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22 . 2007-02-13 05:33 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22 . 2007-02-13 05:33 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22 . 2007-02-13 05:33 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 00:24 . 2004-08-11 22:12 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-11 22:12 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-11 22:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-08-11 22:12 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-11 22:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-11 22:12 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-10-16 19:07 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2004-08-11 22:12 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-01-04 10:55 . 2006-09-03 07:17 88 --sh--r- c:\windows\system32\2565AE0E4E.sys
2009-01-04 10:55 . 2006-09-03 07:17 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-05 169984]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-09-13 73728]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-02-09 36904]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-02 149280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-01 185872]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 496752]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-24 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-5 24576]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Defender\\MsMpEng.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\Program Files\\DellSupport\\DSAgnt.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=
"c:\\WINDOWS\\system32\\dumprep.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcshell.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Windows Live Safety Center\\wlscUploader.exe"=
"c:\\Program Files\\SiteAdvisor\\6253\\SiteAdv.exe"=
R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 5:19 PM 13592]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-13 17:22]
2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-13 17:22]
2009-11-04 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-14 03:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 18:50
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???? ??????????????????????????????????????????????????????????????????????????? ??????????????????????????????????????????????????????????????????????????? ?????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2784)
c:\windows\system32\WININET.dll
c:\program files\SiteAdvisor\6172\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dlcdcoms.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-11-04 18:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 00:56
Pre-Run: 62,741,659,648 bytes free
Post-Run: 62,640,283,648 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

altogaflash
03-Nov-2009, 09:05 PM #27
ComboFix Scan Results 2
ComboFix 09-11-03.01 - Jack Oliver 11/03/2009 19:23.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.227 [GMT -6:00]
Running from: c:\documents and settings\Jack Oliver\Desktop\Malware Folder\altogaflash.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.
2009-11-02 06:30 . 2009-11-02 06:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-02 02:23 . 2009-11-02 02:23 -------- d-----w- c:\documents and settings\Jack Oliver\Application Data\Malwarebytes
2009-11-02 02:23 . 2009-11-02 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-28 04:26 . 2009-10-28 04:26 -------- d-----w- c:\program files\Trend Micro
2009-10-25 10:20 . 2009-10-31 00:33 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-25 09:30 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-10-24 01:22 . 2009-10-24 01:22 -------- d-----w- c:\program files\Citrix
2009-10-24 01:22 . 2009-10-24 01:22 -------- d-----w- c:\documents and settings\Jack Oliver\Local Settings\Application Data\Citrix
2009-10-24 01:22 . 2009-10-24 01:22 61224 ----a-w- c:\documents and settings\Jack Oliver\GoToAssistDownloadHelper.exe
2009-10-20 22:40 . 2009-10-24 03:07 -------- d-----w- c:\documents and settings\Jack Oliver\Application Data\McAfee
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 00:50 . 2006-07-11 22:47 -------- d-----w- c:\program files\Dl_cats
2009-11-03 20:12 . 2007-02-13 05:35 -------- d-----w- c:\documents and settings\Jack Oliver\Application Data\SiteAdvisor
2009-11-03 19:23 . 2006-07-11 06:51 27536 ----a-w- c:\documents and settings\Jack Oliver\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-26 20:41 . 2009-01-12 09:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-23 22:33 . 2006-07-05 12:27 -------- d-----w- c:\program files\McAfee
2009-10-20 22:39 . 2006-07-05 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-05 22:51 . 2006-07-05 12:20 -------- d-----w- c:\program files\America Online 9.0
2009-10-01 15:29 . 2009-10-02 19:06 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-16 15:22 . 2007-02-13 05:33 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22 . 2007-02-13 05:33 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22 . 2007-02-13 05:33 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22 . 2007-02-13 05:33 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22 . 2007-02-13 05:33 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-11 22:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 00:24 . 2004-08-11 22:12 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-11 22:12 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-11 22:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-08-11 22:12 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-11 22:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-11 22:12 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-10-16 19:07 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2004-08-11 22:12 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-01-04 10:55 . 2006-09-03 07:17 88 --sh--r- c:\windows\system32\2565AE0E4E.sys
2009-01-04 10:55 . 2006-09-03 07:17 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-05 169984]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-09-13 73728]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-02-09 36904]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-02 149280]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-01 185872]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 496752]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-24 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-5 24576]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Defender\\MsMpEng.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\Program Files\\DellSupport\\DSAgnt.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=
"c:\\WINDOWS\\system32\\dumprep.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcshell.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Windows Live Safety Center\\wlscUploader.exe"=
"c:\\Program Files\\SiteAdvisor\\6253\\SiteAdv.exe"=
R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 5:19 PM 13592]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder
2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-13 17:22]
2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-13 17:22]
2009-11-04 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-14 03:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 19:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???? ??????????????????????????????????????????????????????????????????????????? ??????????????????????????????????????????????????????????????????????????? ?????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1100)
c:\windows\system32\WININET.dll
c:\program files\SiteAdvisor\6172\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-04 19:31
ComboFix-quarantined-files.txt 2009-11-04 01:31
Pre-Run: 62,658,199,552 bytes free
Post-Run: 62,634,446,848 bytes free
NeonFx
Senior Member with 1,780 posts.
 
Join Date: Oct 2008
Location: California, USA
03-Nov-2009, 09:22 PM #28
ComboFix turned up nothing (it didn't even delete anything), and this isn't surprising seeing as I found nothing in your last OTS log and MBAM and Kaspersky are clean.

Could you make me a list of the symptoms you are noticing? Please be specific.
altogaflash
Junior Member with 16 posts.
 
Join Date: Oct 2009
Experience: Beginner
03-Nov-2009, 11:58 PM #29
neonfx,

After I ran the Kaspersky scan early 11/2 AM, Windows Defender did an auto quick scan (which found no issues). Got a window 'Virtual Memory Minimum too low' alert on my desktop that went away about 5 minutes later.
Computer was sluggish, but sped up to about normal by the time I posted the Kaspersky scan results on here. After I did that post, I went on Microsoft Security encyclopedia to look up the Packed.Win32.Katusha.g 1 trojan that was listed on the Kaspersky scan results log. About the time I was reading the definitions, my computer started going into overdrive like it was downloading or uploading data. I tried closing the browser, but it froze up. I tried shutting the computer down (remember I'm still thinking (in error) that the Packed.Win32.Katusha.g 1 is still active on my computer) and received an MS Windows error stating the following program is not responding. I closed it and got the "do I want to report this error to MS?" option. I looked at the error details and wrote them down:

Error signature:
szAppName:iexpore szAppVer:8.06001.18702szModName:huncapp
sz ModVer:0.0.0.0 offset:00000000

Error Reports content IE tech info:
C:\Docume~1\Jackol\Locals~1\Temp\WERc9ed.dir00\ieexplore.exe.mdmp
C:\Docume~1\Jackol\Locals~1\Twmp\WERc9ed.dir00\appcompat.txt

The computer was taking forever to shut down as it was still running in overdrive, so I disconnected the power.
I then turned it back on and signed on in safe mode (which is new territory for me). Soon thereafter my McAfee messaged me that I wasn't protected. I tried to bring up McAfee to no avail sooo I disconnected power again after computer failed to logoff normally.
I restarted computer in normal mode. Computer cranked into overdrive again, McAfee again displayed protection was off. I tried to turn protection back on and got an error message for McAfee. I wrote down part of the message before it disappeared:

'One or more problems cannot be fixed because of an error'
'McAfee MISP Shell'

Computer again wouldn't shut down normally, so again I disconnected the power. Which is where I left it before coming back on this afternoon, reconnecting power, logged in, and into the current scenario.
I'm sure I'm missing a few details, but that's all I got right now.
Other than what I reported earlier (slow performance/ freezing on 'copy and paste' and a few diagnostic issues with Hughes Net), right now computer seems normal other than a little slow (I can now copy and paste without trouble).
I'm now thinking that having the Hughes Net modem disconnected from a power source over 10 hours might have/be some of the problems today as it needs constant power to stay up to date with transmissions.
But the early 11/2 problems I'm not sure unless the massive Kaspersky data update/download and scan caused a backlog of HughesNet/McAfee update transmission which in return temporarily crashed/overran my operating system.

By the way, you and this forum are sooo awesome doing this for us. Thank you for doing what you do.
NeonFx
Senior Member with 1,780 posts.
 
Join Date: Oct 2008
Location: California, USA
04-Nov-2009, 12:47 AM #30
You're welcome.

If McAfee was running (even if it was running only partly) during the Kaspersky scan then it's possible it too was working too hard.

Also, McAfee or any other protection program cannot be enabled in safe mode. It's "safe" because no resident programs (drivers/services and startup programs) are allowed to run and only the absolute necessary components are loaded. A lot won't work in safe mode, but that's by design.

Try the computer out for a day or two and let me know if you experience any problems. In that time, try some of the advice HERE that I linked to earlier on speeding your system up.

Feel free to mark this thread as Solved by clicking on the button at the top whenever you feel you're ready to close this.


Let's uninstall ComboFix:

The following will implement some cleanup procedures as well as reset System Restore points.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

(If you use Vista or 7 just paste it into the text box that appears next to your start button)


ComboFix /Uninstall
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
If I have not responded in three days, please feel free to PM me with a friendly reminder.
Please don't send me requests for help. Use the forums instead.
All times are GMT -5.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.