
Access Denied Malware

Discussion in 'Virus & Other Malware Removal' started by rdizy, Nov 1, 2010.

Thread Status:
Not open for further replies.
  1. rdizy

    rdizy Thread Starter

    Joined:
    Sep 4, 2010
    Messages:
    25
    I could really use some help diagnosing some Malware.
    I'm getting Access Denied when I try to run HijackThis and GMER is freezing on me.
    I was able to run DDS in SafeMode. Results are attached.


    DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
    Run by Michelle at 20:11:04.40 on Mon 11/01/2010
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1271 [GMT -6:00]
    AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    ============== Running Processes ===============
    "\\.\globalroot\Device\svchost.exe\svchost.exe"
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Michelle\Desktop\dds.scr
    ============== Pseudo HJT Report ===============
    mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
    uInternet Settings,ProxyOverride = localhost
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ShutterflyStudio] c:\documents and settings\michelle\desktop\studio\bin\SFlyStudio.exe /trayonly
    uRun: [SmileboxTray] "c:\documents and settings\michelle\application data\smilebox\SmileboxTray.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
    DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxps://securedoc.saskpower.com/qp2.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe
    DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179431535093
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180668558656
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://www.walmartphotocentre.ca/upload/activex/v2_0_0_12/PCAXSetupv2.0.0.12.cab?
    Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
    Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
    Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - c:\program files\quicktax 2009\ic2009pp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    ============= SERVICES / DRIVERS ===============
    S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
    S2 gupdate1c95c931cacec94;Google Update Service (gupdate1c95c931cacec94);c:\program files\google\update\GoogleUpdate.exe [2008-12-12 133104]
    S2 Halt;Halt;c:\program files\soccerwinners\halt\Halt.exe [2007-10-1 45056]
    S2 HaltMonitor;HaltMonitor;c:\program files\soccerwinners\halt\HaltMonitor.exe [2007-10-1 20480]
    S2 RGFILERW;RGFILERW;\??\c:\windows\system32\drivers\rgfilerw.sys --> c:\windows\system32\drivers\RGFILERW.SYS [?]
    S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\rick\my documents\inter-tel\collaboration client 2.0\lkWebLink.exe [2007-9-20 32768]
    =============== Created Last 30 ================
    2010-10-13 12:57:12 3247 ----a-w- c:\windows\system32\wbem\Outlook_01cb6ad627230746.mof
    2010-10-12 21:18:37 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-12 21:18:34 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-12 21:11:30 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
    ==================== Find3M ====================
    2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-18 18:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 18:23:26 974848 ------w- c:\windows\system32\dllcache\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\dllcache\mfc40.dll
    2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
    2010-09-08 15:57:10 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2010-09-08 15:57:10 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
    2010-09-04 20:17:41 42112 ----a-w- c:\windows\system32\drivers\IMAPI.SYS
    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-09-01 11:51:14 285824 ------w- c:\windows\system32\dllcache\atmfd.dll
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-31 13:42:52 1852800 ------w- c:\windows\system32\dllcache\win32k.sys
    2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 08:02:29 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
    2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-27 05:57:43 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
    2010-08-26 13:39:50 357248 ------w- c:\windows\system32\dllcache\srv.sys
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-26 05:36:02 10841088 ------w- c:\windows\system32\dllcache\wmp.dll
    2010-08-25 11:30:33 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
    2010-08-25 11:29:05 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
    2010-08-23 16:12:04 617472 ------w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-17 13:17:06 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
    2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-08-16 08:45:00 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
    2008-08-24 04:44:58 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat
    ============= FINISH: 20:11:52.31 ===============
     

    Attached Files:
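The DDS log above is what the helper reads before replying. Two entries would catch an analyst's eye immediately: a process listed as "\\.\globalroot\Device\svchost.exe\svchost.exe" (a device path rather than a normal on-disk location, next to a bare "svchost.exe" with no path at all), and a driver line ending in "[?]", which DDS uses when it cannot find the driver image on disk. The script below is an added example, not part of the thread or of DDS: it splits a DDS log into its "=====" sections and applies those two heuristics (plus a "runs from a user profile" check) to a constructed sample copied from the posted log. The heuristics and the wording of the findings are the editor's assumptions.

```python
"""Triage heuristics for two sections of a DDS log (added example; the
heuristics are the editor's assumptions, not part of DDS itself)."""
import re

# Constructed sample: a trimmed copy of the DDS sections posted in the thread.
SAMPLE_DDS = r'''
============== Running Processes ===============
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Michelle\Desktop\dds.scr
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
============= SERVICES / DRIVERS ===============
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
S2 RGFILERW;RGFILERW;\??\c:\windows\system32\drivers\rgfilerw.sys --> c:\windows\system32\drivers\RGFILERW.SYS [?]
=============== Created Last 30 ================
'''

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")


def split_sections(text):
    """Map each '===== Title =====' header to the non-empty lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.strip())
    return sections


def triage_processes(lines):
    """Flag process entries whose image location is not a normal on-disk path."""
    findings = []
    for raw in lines:
        path = raw.strip('"').split(" -k ")[0]   # drop svchost service-group arguments
        low = path.lower()
        if low.startswith("\\\\.\\") or "\\device\\" in low or "globalroot" in low:
            findings.append((raw, "device/globalroot path instead of an on-disk location"))
        elif "\\" not in path:
            findings.append((raw, "bare image name; the scanner could not resolve a path"))
        elif "\\documents and settings\\" in low:
            findings.append((raw, "runs from a user profile directory"))
    return findings


def triage_drivers(lines):
    """Flag service/driver entries that DDS marks '[?]' (image not found)."""
    findings = []
    for raw in lines:
        if raw.endswith("[?]"):
            name = raw.split(";")[0].split()[-1]   # 'S2 RGFILERW' -> 'RGFILERW'
            findings.append((name, "registered driver whose image file could not be found"))
    return findings


def triage(text):
    """Run both heuristics over a whole DDS log and return the findings by kind."""
    s = split_sections(text)
    return {"processes": triage_processes(s.get("Running Processes", [])),
            "drivers": triage_drivers(s.get("SERVICES / DRIVERS", []))}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_DDS).items():
        for item, why in items:
            print(f"[{kind}] {item}\n    -> {why}")
```

On the sample this flags the globalroot svchost entry, the path-less svchost.exe, the RGFILERW driver, and also dds.scr itself, since the scanner was launched from the Desktop. That last hit is a reminder that path heuristics only shortlist entries for a human to judge; they do not decide anything on their own.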

  2. rdizy

    rdizy Thread Starter

    Joined:
    Sep 4, 2010
    Messages:
    25
    To start, I think I need a way to remove AntiVirus 2010. It appears to be bogus.
     
  3. oldman960

    oldman960 Malware Specialist

    Joined:
    Apr 7, 2010
    Messages:
    166
    Hi rdizy, welcome to the forum.


    To make cleaning this machine easier
    • Please do not uninstall/install any programs unless asked to
      It is more difficult when files/programs are appearing in/disappearing from the logs.
    • Please do not run any scans other than those requested
    • Please follow all instructions in the order posted
    • All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word Wrap if it is checked.
    • Do not attach any logs/reports, etc. unless specifically requested to do so.
    • If you have problems with or do not understand the instructions, Please ask before continuing.
    • Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.


    Click your start button, right click on My Computer
    • Click properties
    • click the Hardware tab
    • click Device manager button
    • click the + sign beside System Devices
    • look for something with cmz vmkd or vbma in name it should say virtual bus
    • right click the entry & select uninstall

    Please read through the instructions to familiarize yourself with what to expect when the tool runs.

    It is vitally important that combofix is renamed before it is even started to download

    Please download ComboFix from Link 1 or Link 2 to your Desktop.
    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    • If you are using Firefox, make sure that your download settings are as follows:
      -Tools->Options->Main tab
      -Set to "Always ask me where to Save the files".
    • During the download, before you save it to your desktop, rename Combofix to jgh.exe
    • It is important you rename Combofix during the download, but not after.
    • Please do not rename Combofix to other names, but only to the one indicated.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Double click on ComboFix.exe (jgh.exe in your case) & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



    Please post back with
    • combofix log
    How is the computer?
    Thanks
     
  4. rdizy

    rdizy Thread Starter

    Joined:
    Sep 4, 2010
    Messages:
    25
    Thanks for helping. I appreciate it.
    I can't get an internet connection on the infected computer (I tried regular and safe mode with networking). Can I download Combofix to another machine and transfer it to the infected machine's desktop via USB memory stick?
     
  5. oldman960

    oldman960 Malware Specialist

    Joined:
    Apr 7, 2010
    Messages:
    166
    Hi rdizy,


    Yes you can. Be sure it is renamed as per the previous instructions and transferred directly to the infected computer's desktop.

    First we'll protect your usb device and clean computer the best we can.

    Run this on the clean computer with the usb device attached.



    Download Flash_Disinfector.exe by sUBs and save it to your desktop.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


    Since you do not have an internet connection we will also manually install the Recovery Console. Once the Recovery Console is installed you should be given the option to continue scanning for malware.
    Make sure you have done any other instructions as requested in the previous post before running combofix.


    Download this file Pro and transfer it directly to your infected computer's desktop.


    Make sure the copy of combofix (renamed) you have is also located on the desktop.

    With your left mouse button, drag the file onto the combofix icon as shown below. This will start combofix so don't do anything else. Also make sure your security programs have been disabled per the previous instructions.

    Follow the prompts from there.

    Thanks
     
  6. rdizy

    rdizy Thread Starter

    Joined:
    Sep 4, 2010
    Messages:
    25
    Not sure if the flash disinfector worked; I downloaded and ran it but it didn't seem to do anything?

    I ran combofix like you specified. There's still issues with the computer... I still can't connect to the internet and I don't have access to start MSE.

    Attached is combo fix log...
    ComboFix 10-11-03.04 - Rick 11/04/2010 19:25:22.5.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1172 [GMT -6:00]
    Running from: c:\documents and settings\Rick\Desktop\jgh.exe
    Command switches used :: G:\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    * Created a new restore point
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\All Users\Application Data\.wtav
    c:\documents and settings\Rick\Application Data\PriceGong
    c:\documents and settings\Rick\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\Rick\Application Data\PriceGong\Data\z.xml
    c:\windows\system32\drivers\bcm4sbxp.sys
    c:\windows\system32\Drivers\vbmac8a7.sys
    c:\windows\system32\spool\prtprocs\w32x86\IQ31c9s.dll
    c:\windows\system32\spool\prtprocs\w32x86\QG55a.dll
    c:\windows\system32\USRINI~1.EXE
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    -------\Legacy_USERINIT
    -------\Service_userinit

    ((((((((((((((((((((((((( Files Created from 2010-10-05 to 2010-11-05 )))))))))))))))))))))))))))))))
    .
    2010-11-05 01:18 . 2010-11-05 01:18 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\PCHealth
    2010-11-01 14:19 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F5BC9D3B-368A-47F9-AE98-16B9C377E81E}\mpengine.dll
    2010-10-12 21:18 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-12 21:18 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-12 21:11 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 20:51 . 2009-10-02 20:25 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2009-11-12 23:16 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2010-09-18 18:23 . 2001-08-18 05:36 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2001-08-18 05:36 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2001-08-18 05:36 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2001-08-18 05:36 953856 ------w- c:\windows\system32\mfc40u.dll
    2010-09-09 13:38 . 2006-06-23 17:33 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 13:38 . 2002-08-29 10:41 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-09 13:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-09 13:38 . 2001-08-18 05:36 17408 ------w- c:\windows\system32\corpol.dll
    2010-09-08 15:57 . 2004-08-04 05:59 389120 ----a-w- c:\windows\system32\html.iec
    2010-09-04 20:17 . 2010-09-04 20:17 42112 ----a-w- c:\windows\system32\drivers\IMAPI.SYS
    2010-09-01 11:51 . 2001-08-17 21:55 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2002-08-29 09:14 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2001-08-18 05:36 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2001-08-18 05:36 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2001-08-18 05:24 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-16 02:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2002-08-29 10:40 617472 ------w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2004-03-06 02:16 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-12 155648]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-02-27 23:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
    2008-08-13 20:34 1891416 ----a-w- c:\garmin\gStart.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2005-10-18 17:58 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
    2005-06-08 20:44 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
    2005-06-08 21:24 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
    2005-06-08 21:14 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
    2005-07-19 23:32 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
    2009-11-10 16:14 443728 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2007-10-18 17:34 5724184 ----a-w- c:\progra~1\WI1F86~1\MESSEN~1\msnmsgr.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
    2010-09-15 10:34 1094224 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpenDNS Updater]
    2009-11-16 19:58 839168 ----a-w- c:\program files\OpenDNS Updater\OpenDNSUpdater.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2007-07-12 04:46 155648 ----a-w- c:\program files\QuickTime\qttask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
    2010-10-05 06:52 304448 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxTray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
    2001-07-24 21:34 36864 ----a-w- c:\cpqs\scom\srmclean.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-11-19 01:59 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "LiveUpdate"=3 (0x3)
    "Automatic LiveUpdate Scheduler"=2 (0x2)
    "WLSetupSvc"=3 (0x3)
    "usnjsvc"=3 (0x3)
    "ose"=3 (0x3)
    "idsvc"=3 (0x3)
    "IDriverT"=3 (0x3)
    "gupdate1c95c931cacec94"=2 (0x2)
    "MsMpSvc"=2 (0x2)
    "MDM"=2 (0x2)
    "LeapFrog Connect Device Service"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    R2 Halt;Halt;c:\program files\Soccerwinners\Halt\Halt.exe [10/1/2007 3:39 PM 45056]
    R2 HaltMonitor;HaltMonitor;c:\program files\Soccerwinners\Halt\HaltMonitor.exe [10/1/2007 3:39 PM 20480]
    S2 gupdate1c95c931cacec94;Google Update Service (gupdate1c95c931cacec94);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 1:52 PM 133104]
    S2 RGFILERW;RGFILERW;\??\c:\windows\system32\Drivers\RGFILERW.SYS --> c:\windows\system32\Drivers\RGFILERW.SYS [?]
    S3 vbmac8a7;Virtual Bus for Microsoft ACPI-Compliant System; [x]
    S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\Rick\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [9/20/2007 5:10 PM 32768]
    .
    Contents of the 'Scheduled Tasks' folder
    2010-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 08:22]
    2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 08:22]
    2010-10-31 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 03:40]
    2010-11-05 c:\windows\Tasks\User_Feed_Synchronization-{8194FAB8-47E9-45C7-824B-B5F660D581C0}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.theglobeandmail.com/
    mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = localhost
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-04 19:37
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'explorer.exe'(2768)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Canon\CAL\CALMAIN.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-04 19:42:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-05 01:42
    Pre-Run: 5,804,474,368 bytes free
    Post-Run: 6,879,375,360 bytes free
    - - End Of File - - 7707E7BE2A02538E7F37C7FAA66124A1
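The "Reg Loading Points" section of the ComboFix log above records several settings that matter for the symptoms described (MSE will not start, no network): a Security Center "AntiVirusOverride" of 1, a list of services disabled through msconfig that includes MsMpSvc (the Microsoft Antimalware Service behind MSE), a Windows Firewall allow-list with third-party programs in it, and a driver line ending in "[x]", which ComboFix uses when the registered image file is missing. The script below is an added example, not part of the thread or of ComboFix: it parses that section from a constructed sample copied from the posted log and reports each of those conditions. Which services count as "security" services is the editor's watchlist, and the reading of "[x]" as "image missing" is an assumption from the log format rather than something the thread states.

```python
"""Audit of a ComboFix 'Reg Loading Points' section (added example; the
checks are the editor's reading of the log format, not ComboFix's own)."""
import re

# Constructed sample: a trimmed copy of the section from the ComboFix log posted above.
SAMPLE_COMBOFIX = r'''
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-12 155648]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate"=3 (0x3)
"gupdate1c95c931cacec94"=2 (0x2)
"MsMpSvc"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 Halt;Halt;c:\program files\Soccerwinners\Halt\Halt.exe [10/1/2007 3:39 PM 45056]
S3 vbmac8a7;Virtual Bus for Microsoft ACPI-Compliant System; [x]
.
'''

KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKLM\...] key header
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')     # "name"=value line under a key
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);")  # R2/S3 service lines: state, name

# Editor's watchlist of service names whose disabling deserves a second look;
# MsMpSvc is the Microsoft Antimalware Service used by MSE.
SECURITY_SERVICES = {"MsMpSvc"}


def parse_loading_points(text):
    """Return ({key: [(name, value), ...]}, [service lines]) for the section."""
    keys, services, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = []
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append((m.group(1), m.group(2).strip()))
            continue
        if SERVICE_RE.match(line):
            services.append(line)
    return keys, services


def audit(text):
    """Return (category, item, note) triples for settings worth an analyst's attention."""
    keys, services = parse_loading_points(text)
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\security center"):
            for name, val in values:
                if name == "AntiVirusOverride" and not val.endswith("00000000"):
                    findings.append(("security-center", name,
                                     "Security Center antivirus monitoring is overridden"))
        elif k.endswith("\\msconfig\\services"):
            # Entries here are services switched off in msconfig; the value is the
            # start type they had before (2 = automatic, 3 = manual).
            for name, _ in values:
                note = "service disabled via msconfig"
                if name in SECURITY_SERVICES:
                    note += "; this is an antimalware service"
                findings.append(("msconfig", name, note))
        elif "authorizedapplications" in k:
            for name, _ in values:
                if not name.lower().startswith("%windir%"):
                    findings.append(("firewall", name.replace("\\\\", "\\"),
                                     "allowed through Windows Firewall; confirm it is expected"))
    for line in services:
        if line.endswith("[x]"):
            findings.append(("service", SERVICE_RE.match(line).group(1),
                             "registered service/driver whose image file is missing"))
    return findings


if __name__ == "__main__":
    for category, item, note in audit(SAMPLE_COMBOFIX):
        print(f"{category:16} {item}\n{'':16} -> {note}")
```

Run against the sample, the audit surfaces the same items the specialist's next reply acts on: the msconfig-disabled MSE service, the uTorrent firewall entry, and the vbmac8a7 virtual-bus driver whose file is gone.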
     
  7. oldman960

    oldman960 Malware Specialist

    Joined:
    Apr 7, 2010
    Messages:
    166
    Hi rdizy.

    Sorry, I should have mentioned that there isn't any display when FDD is run.

    You have several items disabled in msconfig. Were these your doing? There is one related to MSE

    MSSE c:\program files\Microsoft Security Essentials\msseces.exe

    We'll work on getting the permissions sorted out and your connection.


    On the clean computer

    Open a new Notepad session
    • Click the Start button, click run
    • in the run box type notepad
    • click ok
    • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
    • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
    Code:
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    Driver::
    vbmac8a7
    RGFILERW
    

    In the notepad
    • Click File, Save as..., and set the Save in to your Desktop
    • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
    • Click save

    Transfer CFScript.txt to the desktop of the infected computer.

    Please follow all previous instructions regarding security programs.

    Using your mouse left button, drag the file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

    This will start ComboFix again. Close all browser/windows first.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Please post the log.



    When trying to connect do you receive an error message? If so, what is the message?
    • Click your start button, right click on My Computer
    • Click properties
    • click the Hardware tab
    • click Device manager button
    Anything in the list with a yellow ! mark?

    Still in device manager click the + sign beside Network adapters. What is listed there?



    Back on the clean computer
    • Right click the attached file user.zip
    • Select Save target as
    • Set the Save in box to Desktop or the usb device which you are using for transferring files.


    Transfer the files to the infected computer's desktop.
    • Extract the files to your desktop
    • Locate run.bat and double click it to run it
    • Please be patient and let it run
    • When it's finished, a log will be saved at C:\junction.txt
    • Please post its contents in your next reply

    Please post back with
    • combofix log
    • junction.txt
    • please answer any questions asked
    Besides MSE and the connection are you experiencing any other problems?

    Thanks
     

    Attached Files:

  8. rdizy

    rdizy Thread Starter

    Joined:
    Sep 4, 2010
    Messages:
    25
    Hi,
    I may have had some items disabled in msconfig but MSE was not one of them.
    Prior to the infection, MSE was running normally.
    Internet Connection error message is the standard:
    Internet Explorer cannot display the webpage (similar to when you unplug your modem)
    Device Manager, Network Adaptors shows Broadcom 440x 10/100 Integrated Controller as yellow !
    Device Status: Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)
    Should I try to Rollback Driver?
    As far as other problems, I do not have permission to access HiJackThis, MalwareBytes, can't start the MSE service, etc.

    Here's the logs...
    ComboFix 10-11-03.04 - Rick 11/04/2010 21:49:51.6.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1145 [GMT -6:00]
    Running from: c:\documents and settings\Rick\Desktop\jgh.exe
    Command switches used :: G:\CFScript.txt
    AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    -------\Legacy_RGFILERW
    -------\Service_RGFILERW
    -------\Service_vbmac8a7

    ((((((((((((((((((((((((( Files Created from 2010-10-05 to 2010-11-05 )))))))))))))))))))))))))))))))
    .
    2010-11-05 01:18 . 2010-11-05 01:18 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\PCHealth
    2010-11-01 14:19 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F5BC9D3B-368A-47F9-AE98-16B9C377E81E}\mpengine.dll
    2010-10-12 21:18 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-12 21:18 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-12 21:11 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 20:51 . 2009-10-02 20:25 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2009-11-12 23:16 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2010-09-18 18:23 . 2001-08-18 05:36 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2001-08-18 05:36 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2001-08-18 05:36 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2001-08-18 05:36 953856 ------w- c:\windows\system32\mfc40u.dll
    2010-09-09 13:38 . 2006-06-23 17:33 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 13:38 . 2002-08-29 10:41 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-09 13:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-09 13:38 . 2001-08-18 05:36 17408 ------w- c:\windows\system32\corpol.dll
    2010-09-08 15:57 . 2004-08-04 05:59 389120 ----a-w- c:\windows\system32\html.iec
    2010-09-04 20:17 . 2010-09-04 20:17 42112 ----a-w- c:\windows\system32\drivers\IMAPI.SYS
    2010-09-01 11:51 . 2001-08-17 21:55 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2002-08-29 09:14 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2001-08-18 05:36 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2001-08-18 05:36 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2001-08-18 05:24 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-16 02:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2002-08-29 10:40 617472 ------w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2004-03-06 02:16 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-12 155648]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-02-27 23:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
    2008-08-13 20:34 1891416 ----a-w- c:\garmin\gStart.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2005-10-18 17:58 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
    2005-06-08 20:44 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
    2005-06-08 21:24 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
    2005-06-08 21:14 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
    2005-07-19 23:32 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
    2009-11-10 16:14 443728 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2007-10-18 17:34 5724184 ----a-w- c:\progra~1\WI1F86~1\MESSEN~1\msnmsgr.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
    2010-09-15 10:34 1094224 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpenDNS Updater]
    2009-11-16 19:58 839168 ----a-w- c:\program files\OpenDNS Updater\OpenDNSUpdater.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2007-07-12 04:46 155648 ----a-w- c:\program files\QuickTime\qttask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
    2010-10-05 06:52 304448 ----a-w- c:\documents and settings\Michelle\Application Data\Smilebox\SmileboxTray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
    2001-07-24 21:34 36864 ----a-w- c:\cpqs\scom\srmclean.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-11-19 01:59 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "LiveUpdate"=3 (0x3)
    "Automatic LiveUpdate Scheduler"=2 (0x2)
    "WLSetupSvc"=3 (0x3)
    "usnjsvc"=3 (0x3)
    "ose"=3 (0x3)
    "idsvc"=3 (0x3)
    "IDriverT"=3 (0x3)
    "gupdate1c95c931cacec94"=2 (0x2)
    "MsMpSvc"=2 (0x2)
    "MDM"=2 (0x2)
    "LeapFrog Connect Device Service"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    R2 Halt;Halt;c:\program files\Soccerwinners\Halt\Halt.exe [10/1/2007 3:39 PM 45056]
    R2 HaltMonitor;HaltMonitor;c:\program files\Soccerwinners\Halt\HaltMonitor.exe [10/1/2007 3:39 PM 20480]
    S2 gupdate1c95c931cacec94;Google Update Service (gupdate1c95c931cacec94);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 1:52 PM 133104]
    S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\Rick\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [9/20/2007 5:10 PM 32768]
    .
    Contents of the 'Scheduled Tasks' folder
    2010-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 08:22]
    2010-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 08:22]
    2010-10-31 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 03:40]
    2010-11-05 c:\windows\Tasks\User_Feed_Synchronization-{8194FAB8-47E9-45C7-824B-B5F660D581C0}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.theglobeandmail.com/
    mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = localhost
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-04 21:59
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'explorer.exe'(2028)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Canon\CAL\CALMAIN.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-04 22:03:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-05 04:03
    ComboFix2.txt 2010-11-05 01:42
    Pre-Run: 6,908,182,528 bytes free
    Post-Run: 6,900,883,456 bytes free
    - - End Of File - - ED82497536ED5DE89F7E3BF3A90A34EA




    Junction v1.05 - Windows junction creator and reparse point viewer
    Copyright (C) 2000-2007 Mark Russinovich
    Systems Internals - http://www.sysinternals.com

    Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
    Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

    .\\?\c:\\Documents and Settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Mnt\000100130017F614\0: MOUNT POINT
    Substitute Name: Volume{073e84df-3de3-11df-8e85-0002e33dcb0d}\
    \\?\c:\\Documents and Settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Mnt\000100130017F614\1: MOUNT POINT
    Substitute Name: Volume{073e84e0-3de3-11df-8e85-0002e33dcb0d}\

    Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp: Access is denied.
    Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\MpScanCache-1.bin: Access is denied.
    Failed to open \\?\c:\\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE: Access is denied.
    Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.
    Failed to open \\?\c:\\Program Files\Microsoft Security Essentials\MsMpEng.exe: Access is denied.

    Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.

    Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.
    Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\callcont.dll: Access is denied.
    Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll: Access is denied.
    Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\gdi32.dll: Access is denied.
    Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\h323.tsp: Access is denied.
    Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\h323msp.dll: Access is denied.
    Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\helpctr.exe: Access is denied.
    Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll: Access is denied.
    Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\lsasrv.dll: Access is denied.
    Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\mf3216.dll: Access is denied.
    Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\msasn1.dll: Access is denied.
    Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\msgina.dll: Access is denied.
    Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\mst120.dll: Access is denied.
    Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\netapi32.dll: Access is denied.
    Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\nmcom.dll: Access is denied.
    Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\rtcdll.dll: Access is denied.
    Failed to open \\?\c:\\WINDOWS\$NtUninstallKB835732$\schannel.dll: Access is denied.

    \\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
    Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
    Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
    \\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
    Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
    Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e


     
  9. oldman960

    oldman960 Malware Specialist

    Joined:
    Apr 7, 2010
    Messages:
    166
    Hi rdizy,

    Let's see if we can get this batchfile to restore the permissions. We will also need a tool.

    Please download Inherit by sUBs and save it to your Desktop or the usb device.

    Next, create this batch file on the clean computer.


    Open a new Notepad session
    • Click the Start button, click run
    • in the run box type notepad
    • click ok
    • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
    • Copy and paste all the text in the code box below into the Notepad.
    Do Not copy the word CODE

    Code:
    "%userprofile%\desktop\Inherit.exe" "c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
    "%userprofile%\desktop\Inherit.exe" "c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
    "%userprofile%\desktop\Inherit.exe" "c:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp"
    "%userprofile%\desktop\Inherit.exe" "c:\Program Files\Microsoft Security Essentials\MsMpEng.exe"
    "%userprofile%\desktop\Inherit.exe" "c:\Program Files\Trend Micro\HijackThis\HijackThis.exe"
    

    In the notepad
    • Click File, Save as..., and set the Save in to your Desktop or the usb device.
    • In the filename box, type (including quotation marks) as the filename: "myfix.bat"
    • Click save
    The file will be called myfix.bat with an icon that looks like a gear.


    Transfer the file along with the program, Inherit.exe to the infected computer's desktop.

    Double click myfix.bat to run it.

    Next


    Click your start button, click run
    • in the run box type msconfig and click ok
    • click the startup tab
    • place a checkmark next to MSSE c:\program files\Microsoft Security Essentials\msseces.exe
    • click apply, click ok
    • reboot your computer
    Can you access the programs now?

    We'll look at your network adapter after you post back.

    Thanks
     
  10. rdizy

    rdizy Thread Starter

    Joined:
    Sep 4, 2010
    Messages:
    25
    Hi,
    Still can't "Start Now" Microsoft Security Essentials.

    Malware Bytes and HijackThis now open. I did not try to run a scan.

    I noticed in msconfig, that mssecs was in there twice, one was checked as a startup item and the other was not. I checked the one that was not and restarted.

    MSE does start, but the service is stopped... I'm not sure I made that clear on previous posts.
    The message is "Microsoft Security Essentials isn't monitoring your computer because the program's service stopped. You should restart it now"

    When I click "Start Now" I get "Couldn't start Microsoft Security Essentials service. Access Denied."
     
  11. oldman960

    oldman960 Malware Specialist

    Joined:
    Apr 7, 2010
    Messages:
    166
    Hi rdizy,

    I replied last night but I don't see the post. :confused:


    Please download SystemLook from one of the links below and save it to your usb and transfer it to your infected computer's desktop.

    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield
    • Do not copy the word CODE , please note the script starts with the :

      Code:
      :filefind
      ndis.*
       
      :reg
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndis] /s
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc]
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc\security]
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt





    Next
    • Click your start button, click run
    • type rsop.msc and click ok
    • click the + signs beside Computer Configuration - Windows Settings - Security Settings
    • click on System Services
    • Look for Microsoft Antimalware Service
    Any restrictions listed there?

    Thanks
     
  12. rdizy

    rdizy Thread Starter

    Joined:
    Sep 4, 2010
    Messages:
    25
    Hi again,

    SystemLook.txt output is below.

    I didn't see any restrictions in Resultant Set of Policy.
    All System Services are startup = undefined and permission = undefined
    If I double click Microsoft Antimalware Service the startup mode options are greyed out (i.e. I can't change them) but I can see that the default startup mode = disabled.

    SystemLook 04.09.10 by jpshortstuff
    Log created at 21:15 on 06/11/2010 by Rick
    Administrator - Elevation successful
    ========== filefind ==========
    Searching for "ndis.*"
    C:\i386\NDIS.SY_ --a---- 87077 bytes [18:38 17/05/2007] [14:00 31/03/2003] D032D6F2D040400F7CEDDAF57701176A
    C:\WINDOWS\$NtServicePackUninstall$\ndis.sys -----c- 182912 bytes [03:29 24/08/2008] [06:14 04/08/2004] 558635D3AF1C7546D26067D5D9B6959E
    C:\WINDOWS\ERDNT\cache\ndis.sys --a---- 182656 bytes [03:34 20/11/2009] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
    C:\WINDOWS\ServicePackFiles\i386\ndis.sys ------- 182656 bytes [06:14 04/08/2004] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
    C:\WINDOWS\system32\drivers\ndis.sys --a---- 182656 bytes [09:09 29/08/2002] [19:20 13/04/2008] 1DF7F42665C94B825322FAE71721130D
    Searching for " "
    No files found.
    ========== reg ==========
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndis]
    "DisplayName"="NDIS System Driver"
    "ErrorControl"= 0x0000000001 (1)
    "Group"="NDIS Wrapper"
    "Start"= 0x0000000000 (0)
    "Type"= 0x0000000001 (1)
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndis\MediaTypes]
    (No values found)
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndis\Parameters]
    "ProcessorAffinityMask"= 0x00ffffffff (-1)
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndis\Enum]
    "0"="Root\LEGACY_NDIS\0000"
    "Count"= 0x0000000001 (1)
    "NextInstance"= 0x0000000001 (1)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc]
    "ServiceSidType"= 0x0000000001 (1)
    "RequiredPrivileges"="SeLoadDriverPrivilege SeImpersonatePrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege SeSecurityPrivilege SeShutdownPrivilege SeIncreaseQuotaPrivilege SeAssignPrimaryTokenPrivilege"
    "Type"= 0x0000000010 (16)
    "Start"= 0x0000000002 (2)
    "ErrorControl"= 0x0000000001 (1)
    "ImagePath"=""c:\Program Files\Microsoft Security Essentials\MsMpEng.exe""
    "DisplayName"="Microsoft Antimalware Service"
    "Group"="COM Infrastructure"
    "DependOnService"="RpcSs"
    "DependOnGroup"=" "
    "ObjectName"="LocalSystem"
    "Description"="Helps protect users from malware and other potentially unwanted software"
    "FailureActions"=80 51 01 00 01 00 00 00 01 00 00 00 03 00 00 00 48 00 4f 00 01 00 00 00 98 3a 00 00 01 00 00 00 98 3a 00 00 00 00 00 00 00 00 00 00 (REG_BINARY)
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc\Security]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc\Enum]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc\security]
    "Security"=01 00 14 80 a8 00 00 00 b4 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 78 00 05 00 00 00 00 00 18 00 9d 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 21 02 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 (REG_BINARY)

    -= EOF =-
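    The MsMpSvc "Security" value above is a self-relative Windows security descriptor. As an added example (not from the thread or any of the tools it uses), the Python below decodes that exact blob, names the well-known SIDs, and flags any ACCESS_DENIED entry in the service's DACL, which is what a helper reads that value for; a second, constructed blob that does contain a deny entry shows the detection path.

```python
"""Decode a Windows service's REG_BINARY "Security" value (a self-relative
SECURITY_DESCRIPTOR) and list its ACEs, flagging any ACCESS_DENIED entries.
Pure Python, no Windows APIs needed, so it runs on the clean computer."""
import struct

# Value of HKLM\SYSTEM\CurrentControlSet\Services\MsMpSvc\security,
# copied from the SystemLook log posted in this thread.
MSMPSVC_SECURITY_HEX = (
    "01 00 14 80 a8 00 00 00 b4 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 "
    "01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 "
    "02 00 78 00 05 00 00 00 00 00 18 00 9d 01 02 00 01 02 00 00 00 00 00 05 "
    "20 00 00 00 21 02 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 "
    "12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 "
    "20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 "
    "00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 "
    "01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00"
)

# Constructed sample (not from the thread): a minimal descriptor whose DACL is a
# single ACCESS_DENIED ACE for Everyone (S-1-1-0) with full service access.
DENY_EVERYONE_HEX = (
    "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 "
    "02 00 1c 00 01 00 00 00 "
    "01 00 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00"
)

ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT", 3: "SYSTEM_ALARM"}
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-18": "SYSTEM",
    "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users", "S-1-5-32-547": "Power Users",
}
# Service-specific access rights plus the standard rights that matter for a service.
SERVICE_RIGHTS = [
    (0x0001, "QUERY_CONFIG"), (0x0002, "CHANGE_CONFIG"), (0x0004, "QUERY_STATUS"),
    (0x0008, "ENUM_DEPENDENTS"), (0x0010, "START"), (0x0020, "STOP"),
    (0x0040, "PAUSE_CONTINUE"), (0x0080, "INTERROGATE"), (0x0100, "USER_DEFINED_CONTROL"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
]


def parse_sid(buf, off):
    """Return (SID string, byte length) for the SID structure starting at off."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def parse_acl(buf, off):
    """Parse the ACL at off into a list of ACE dicts (type, flags, mask, sid, name)."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        sid, _ = parse_sid(buf, pos + 8)
        aces.append({"type": ACE_TYPES.get(ace_type, "TYPE_%d" % ace_type), "flags": flags,
                     "mask": mask, "sid": sid, "name": WELL_KNOWN_SIDS.get(sid, sid)})
        pos += ace_size   # ace_size covers header, mask and SID
    return aces


def parse_security_descriptor(hex_text):
    """Decode a self-relative SECURITY_DESCRIPTOR given as the hex text from the log."""
    blob = bytes.fromhex(hex_text.replace(" ", ""))
    _rev, _sbz1, control, own, grp, sacl, dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if not control & 0x8000:
        raise ValueError("expected a self-relative descriptor (SE_SELF_RELATIVE)")
    return {
        "owner": parse_sid(blob, own)[0] if own else None,
        "group": parse_sid(blob, grp)[0] if grp else None,
        "sacl": parse_acl(blob, sacl) if control & 0x0010 and sacl else [],   # SE_SACL_PRESENT
        "dacl": parse_acl(blob, dacl) if control & 0x0004 and dacl else [],   # SE_DACL_PRESENT
    }


def rights_to_names(mask):
    return [name for bit, name in SERVICE_RIGHTS if mask & bit]


def deny_aces(sd):
    """Deny entries in the DACL; a default service descriptor has none."""
    return [a for a in sd["dacl"] if a["type"] == "ACCESS_DENIED"]


def report(label, sd):
    print("== %s ==  owner=%s group=%s" % (label, sd["owner"], sd["group"]))
    for ace in sd["dacl"]:
        print("  DACL %-14s %-20s %s" % (ace["type"], ace["name"], ",".join(rights_to_names(ace["mask"]))))
    for ace in sd["sacl"]:
        print("  SACL %-14s %-20s flags=0x%02x" % (ace["type"], ace["name"], ace["flags"]))
    print("  -> %d deny ACE(s): %s" % (len(deny_aces(sd)), ", ".join(a["name"] for a in deny_aces(sd)) or "none"))


if __name__ == "__main__":
    report("MsMpSvc (from the thread)", parse_security_descriptor(MSMPSVC_SECURITY_HEX))
    report("constructed deny sample", parse_security_descriptor(DENY_EVERYONE_HEX))
```

    On the posted value it lists five allow ACEs (Users, SYSTEM, Administrators, Authenticated Users, Power Users), one failure-audit ACE for Everyone, and no deny ACE, so the service's own DACL is not what is refusing the start.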
     
  13. oldman960

    oldman960 Malware Specialist

    Joined:
    Apr 7, 2010
    Messages:
    166
    Hi rdizy,


    We may need to download a driver for your Network Adapter. What brand of computer do you have?

    Still looking into the MSE problem.


    Try this. Copy and paste the following into a notepad, name it something you will remember and transfer it to the infected computer.

    Code:
    "%userprofile%\desktop\Inherit.exe" "c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\MpScanCache-1.bin"

    On the infected computer
    • open the notepad you just made
    • right click in the notepad and click select all
    • right click in the notepad again and select copy
    Click your start button click run. In the small white field in the run box, right click and select paste. Click ok.


    Let's try to start MSE from a different location


    Click your start button click run.
    • In the run box type services.msc
    • hit enter
    In the list locate Microsoft Antimalware Service
    • right click on it and select properties
    • In the service status section click Start
    Did it start or did you receive an error message?


    While you are in there please check the status of Windows Management Instrumentation

    Thanks
     
  14. rdizy

    rdizy Thread Starter

    Joined:
    Sep 4, 2010
    Messages:
    25
    Hi,
    I have an older machine. It's an HP D220.

    I ran the script and it said OK.

    I tried starting the service the way you suggested but again get Access Denied.

    The Windows Management Instrumentation is Started.


    I'm wondering if the MSE service cannot start because AntiVirus 2010 is still on my PC (at least in some shape or form). In Add/Remove Programs I see Antivirus 2010. That is bogus software. I wonder if I should try to remove it?
     
  15. rdizy

    rdizy Thread Starter

    Joined:
    Sep 4, 2010
    Messages:
    25
Short URL to this thread: https://techguy.org/959973