Question for Johnb35

JHM

I am running F-Secure and generally am satisfied with it, but sometimes when I am surfing the internet, I get something that looks like a Microsoft program butting in and telling me my machine is infected with about 2 dozen viruses total. The butt-in program breaks this down into different types of viruses in different locations. I have been leery of installing the software it is pushing, because once when I did that with one of these things, I wound up with some crap that was preventing me from doing anything; that was rather hard to get rid of.

Question 1: Can I run Malwarebytes with F-Secure installed?
Question 2: If I install Malwarebytes (just to run a check to see if F-Secure is missing some things), can it readily be uninstalled afterwards?

I have seen the reports generated by these programs you recommend, and they are way over my head, so I wouldn't want to run this software permanently.
 
Do this!

Yes, you are infected; it's a fake scanner. Please do the following.


Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware.
If for some reason Malwarebytes will not install or run, please download and run Rkill.scr, Rkill.exe, or Rkill.com, but DO NOT reboot the system, and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away, or you get a message saying rkill is infected, keep trying to run rkill until it overpowers the infection and temporarily kills it. Once a log appears on the screen, you can try running Malwarebytes or downloading other programs.



Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile.

Most of what HijackThis lists will be harmless or even essential; don't fix anything yet.

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.

That said, I would suggest you do as you suspect. This is bogus software. Do not click on it and you will never have to do JohnB's fix!

JohnB is driving home right now.
 
Thanks, Powerpack, for the answer. I already downloaded the Free version (not the free full version) of Malwarebytes, but I haven't installed it yet, because I don't know if it will cause problems with F-Secure; and long term, I want to go on using F-Secure. I just want to run a one-time check to see if F-Secure is missing anything.
 
Yes, you can run Malwarebytes with F-Secure installed with no problems. You are indeed infected with a fake scanner. As usual with these types of infections, you will need to run the rkill program to temporarily kill the active infection to allow Malwarebytes to run. Just follow those instructions that Powerpack quoted from one of my posts and post the requested logs.
 
Well, I shut down F-Secure, then installed Malwarebytes; but what I am getting is a message that Mbam.exe cannot run. So I tried to download the killbits thing from all 3 links, and I keep getting a blank screen saying that a download has been blocked for my safety, and to click on the yellow band at the top to allow the download, which I do, but I'm not getting any download I can see, just a blank screen. Now what?
 
Do you have a USB flash drive available? Or your best bet would be to run rkill in safe mode. Let me know if you still can't get rkill to run; I'll give you another program to run. Also try running this, as it's actually rkill but renamed to iExplore.

http://download.bleepingcomputer.com/grinler/iExplore.exe

And sometimes those other rkill files need to be run in succession if they are giving you a message saying they are infected. Just close out of the message and run rkill again and again until it overpowers the infection. Try the new link I gave you first, though.
 
K, well I got around the download being blocked by resetting the IE options to allow file downloads and shutting down the popup blocker. Got Kill Bits downloaded, and ran it several times, getting a report each time, which I saved. -- But still unable to run Malwarebytes. When I try, I get a message screen that flashes on and off so quick that I can't see what it says. -- And now? -- Should I post the 7 killbits reports?
 
You can post them if you want, but since Malwarebytes still won't run, download the following file and run it in safe mode. You may have to disable your antivirus program beforehand.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
K, a couple of details. 1) When I first ran KillBits, I HAD to do a restart, because after it ran, my desktop, start menu, and taskbar were gone. Couldn't access anything except Task Manager, by pressing Control-Alt-Delete. I tried to use Task Manager to run Malwarebytes, but it was no go. So I did a restart, then reran KillBits. After the first run my desktop, start menu, and taskbar stayed OK on all the subsequent runs. Don't know if this makes a difference, because it does say NOT to reboot in the instructions posted.

2) I have not yet downloaded HijackThis, so I guess that is the next step, before I try ComboFix. Yes or no?
 
Yeah, if you rebooted then the reboot reactivated the infection. Sounds like you will still need to run combofix so go ahead and run it. Remember to disable your antivirus and you most likely will have to do it in safe mode.
 
K, did that. A couple of details, though. 1) I shut down my F-Secure AV and everything else that I could shut down from the taskbar before rebooting into safe mode to run ComboFix. Once in safe mode I ran it, only to find out that it wanted the latest version of the MS Recovery Console installed. -- Don't have it.

2) While it was running it said not to start any programs till it was finished. I let it run as it would, and while it was still running it rebooted the machine, which caused some of the programs on my taskbar to restart on the new boot. I just let things go on as they would until ComboFix was finished. F-Secure was among the programs that started up on the reboot. -- Don't know if that matters.

REPORT FOLLOWS:

ComboFix 11-01-29.01 - J. H. McGOWAN 29/01/2011 23:52:34.1.4 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.3034 [GMT -5:00]
Running from: e:\xp software\Utilities\System\ComboFix\ComboFix.exe
AV: F-Secure Anti-Virus Client Security 6.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Anti-Virus Client Security 6.01 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\~.exe
c:\documents and settings\J. H. McGOWAN\Application Data\SystemProc
c:\documents and settings\J. H. McGOWAN\Start Menu\Programs\System Tool
c:\documents and settings\J. H. McGOWAN\Start Menu\Programs\System Tool\System Tool 2011.lnk
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\windows\system32\awttut.dll
c:\windows\system32\awuvsr.dll
c:\windows\system32\bywurr.dll
c:\windows\system32\cbxurs.dll
c:\windows\system32\ddbbca.dll
c:\windows\system32\dddbbb.dll
c:\windows\system32\efddbx.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-30 )))))))))))))))))))))))))))))))
.

2011-01-30 02:26 . 2011-01-30 02:26 -------- d-----w- c:\documents and settings\J. H. McGOWAN\Application Data\Malwarebytes
2011-01-30 02:24 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-30 02:24 . 2011-01-30 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-30 02:24 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-29 07:11 . 2011-01-29 07:12 -------- d-----w- c:\program files\AVG Antivirus 2011
2011-01-09 03:37 . 2011-01-09 03:37 -------- d-----w- C:\cabs
2011-01-02 18:30 . 2011-01-02 18:30 -------- d-----w- c:\documents and settings\J. H. McGOWAN\Application Data\WinCare2008

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\LaunchPd.exe" [2004-06-16 106571]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"F-Secure Manager"="e:\xp software\Utilities\System\F-Secure\Common\FSM32.EXE" [2005-10-26 122929]
"F-Secure TNB"="e:\xp software\Utilities\System\F-Secure\TNB\TNBUtil.exe" [2004-05-27 684032]
"InCD"="e:\xp software\CD Creator\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-16 270336]
"fontnav"="e:\xp software\Writing\Font Navigator\FontNav.exe" [1998-08-10 401408]
"CloneCDTray"="e:\xp software\CD Creator\CloneCD\CloneCDTray.exe" [2002-04-15 57344]
"CloneCDElbyCDFL"="e:\xp software\CD Creator\CloneCD\ElbyCheck.exe" [2001-12-06 45056]
"BigDogPath"="c:\windows\VM_STI.EXE" [2003-01-22 40960]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-16 69705]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-05-10 102400]
"QuickTime Task"="e:\xp software\Video\Quick Time 7.62\qttask.exe" [2009-05-26 413696]

c:\documents and settings\J. H. McGOWAN\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-9-27 113664]
emesene.lnk - c:\program files\emesene\emesene.exe [2010-1-8 66560]
InterVideo WinCinema Manager.lnk - e:\xp software\Video\WinDVD4\Common\Bin\WinCinemaMgr.exe [2009-9-27 114688]
PowerReg Scheduler.exe [2010-10-17 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
F-Secure Automatic Update.lnk - e:\xp software\Utilities\System\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2010-1-11 32807]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\J. H. McGOWAN\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\J. H. McGOWAN\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^J. H. McGOWAN^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\J. H. McGOWAN\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2009-03-04 16:45 19456 ----a-w- c:\windows\system32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2003-12-17 19:51 94208 ------w- e:\xp software\Utilities\Disk\Norton\Ghost2003\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ------w- c:\program files\Common Files\Ahead\lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ------w- e:\xp software\Video\Quick Time 7.62\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
2007-05-15 19:55 1628208 ------w- e:\xp software\CD Creator\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskBar]
2003-05-30 05:00 122880 ------w- c:\program files\Creative\TaskBar\CTLTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskTray]
2001-06-29 05:00 163840 ------w- c:\program files\Creative\TaskBar\CTLTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
2009-03-04 16:45 19456 ----a-w- c:\windows\system32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XoftSpySE]
2010-09-29 18:43 4861720 ----a-w- e:\xp software\Utilities\System\Anti Spyware\XoftSpySE6\XoftSpySE.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\XP Software\\Utilities\\File\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Gigabyte\\@BIOS\\gwflash.exe"=
"c:\\Program Files\\Gigabyte\\@BIOS\\update.exe"=
"c:\\Program Files\\Gigabyte\\ETC\\ETC.exe"=
"e:\\XP Software\\Utilities\\System\\SiSoftware Sandra Lite 2009.SP4\\RpcAgentSrv.exe"=
"e:\\XP Software\\Utilities\\System\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe"=
"e:\\XP Software\\Utilities\\System\\SiSoftware Sandra Lite 2009.SP4\\WNt500x86\\RpcSandraSrv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [11/01/2010 10:20 AM 70896]
R1 GhPciScan;GhostPciScanner;e:\xp software\Utilities\Disk\Norton\Ghost2003\GhPciScan.sys [17/12/2003 2:41 PM 5632]
S2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;e:\xpsoft~1\UTILIT~1\System\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [11/01/2010 10:20 AM 32807]
S2 F-Secure Filter;F-Secure File System Filter;e:\xp software\Utilities\System\F-Secure\Anti-Virus\win2k\FSfilter.sys [11/01/2010 10:19 AM 48816]
S2 F-Secure Gatekeeper;F-Secure Gatekeeper;e:\xp software\Utilities\System\F-Secure\Anti-Virus\win2k\fsgk.sys [11/01/2010 10:19 AM 48256]
S2 F-Secure Recognizer;F-Secure File System Recognizer;e:\xp software\Utilities\System\F-Secure\Anti-Virus\win2k\FSrec.sys [11/01/2010 10:19 AM 16720]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/12/2009 4:10 PM 135664]
S2 NProtectService;Norton Unerase Protection;e:\xp software\Utilities\System\Norton System Works 2002\Norton Utilities\NPROTECT.EXE [14/06/2009 1:18 PM 135168]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [04/03/2009 1:42 PM 99352]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [04/03/2009 1:42 PM 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [25/10/2010 6:36 PM 79360]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [04/03/2009 1:42 PM 555032]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [04/03/2009 1:42 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [04/03/2009 1:42 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [04/03/2009 1:42 PM 100888]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [04/03/2009 1:42 PM 566296]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [04/03/2009 1:42 PM 566296]
S3 QDFSDRV;QDFSDRV;c:\windows\system32\drivers\qdfsdrv.sys [27/09/2009 7:14 PM 13792]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;e:\xp software\Utilities\System\SiSoftware Sandra Lite 2009.SP4\RpcAgentSrv.exe [11/11/2009 9:40 PM 99176]
S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [29/09/2010 1:43 PM 582424]
.
Contents of the 'Scheduled Tasks' folder

2011-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 21:10]

2011-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 21:10]

2011-01-07 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Common Files\Symantec Shared\NMAIN.EXE [2009-09-28 03:03]

2011-01-29 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-23 21:58]

2011-01-22 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-23 21:58]

2011-01-26 c:\windows\Tasks\XoftSpySE.job
- e:\xp software\Utilities\System\Anti Spyware\XoftSpySE6\XoftSpySELauncher.exe [2010-09-29 18:43]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ssrrqnaudio - (no file)
HKCU-Run-jkhgebsys - cbxurs.dll
HKCU-Run-iifdaaaudio - efddbx.dll
HKLM-Run-QD FastAndSafe - (no file)
HKLM-Run-yaxutuaudio - (no file)
HKLM-Run-pmkjgfsys - cbxurs.dll
HKLM-Run-fccbxxaudio - efddbx.dll
HKU-Default-Run-ddaxyaaudio - (no file)
HKU-Default-Run-cbbaabsys - cbxurs.dll
HKU-Default-Run-pmklklaudio - efddbx.dll
HKLM-Explorer_Run-RTHDBPL - c:\documents and settings\J. H. McGOWAN\Application Data\SystemProc\lsass.exe
MSConfigStartUp-Norton Ghost 9 - e:\xp software\Utilities\Disk\N Ghost 9\Agent\GhostTray.exe
AddRemove-Creative Installer Setup - c:\program files\Creative\Uninstall\Installer.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-30 00:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????>3?????\??? ??? ???\???\???????????5?B~e?B~\???\???????@Ga??????C@?\???\??????s????\??????s\????=3?A??s?=3??C@?x???`|?w\?????@
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\documents and settings\J. H. McGOWAN\Application Data\SystemProc\lsass.exe???????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE1"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1860)
c:\windows\system32\WININET.dll
c:\docume~1\JHD221~1.MCG\LOCALS~1\Temp\IadHide5.dll
c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDMH.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\CTsvcCDA.exe
e:\xp software\Utilities\Disk\Diskeeper 8\DkService.exe
e:\xp software\Utilities\System\F-Secure\Anti-Virus\fsgk32st.exe
e:\xp software\Utilities\System\F-Secure\Anti-Virus\FSGK32.EXE
e:\xp software\Utilities\System\F-Secure\BackWeb\7681197\program\fsbwsys.exe
e:\xp software\Utilities\System\F-Secure\Anti-Virus\fssm32.exe
e:\xp software\Utilities\System\F-Secure\Common\FSMA32.EXE
e:\xp software\Utilities\System\F-Secure\Common\FSMB32.EXE
e:\xp software\Utilities\Disk\Norton\Ghost2003\GhostStartService.exe
e:\xp software\Utilities\System\F-Secure\Common\FCH32.EXE
e:\xp software\CD Creator\Nero 7\InCD\InCDsrv.exe
e:\xp software\Utilities\System\F-Secure\Common\FAMEH32.EXE
e:\xp software\Utilities\System\F-Secure\Anti-Virus\fsqh.exe
e:\xp software\Utilities\System\F-Secure\Anti-Virus\fsrw.exe
e:\xp software\Utilities\Disk\Perfect Disk 10\PDAgent.exe
c:\windows\System32\snmp.exe
e:\xpsoft~1\UTILIT~1\System\NORTON~1\SPEEDD~1\nopdb.exe
c:\windows\system32\MsPMSPSv.exe
e:\xp software\Utilities\System\F-Secure\Common\FNRB32.EXE
e:\xp software\Utilities\System\F-Secure\Common\FIH32.EXE
e:\xp software\Utilities\System\F-Secure\FWES\Program\fsdfwd.exe
e:\xp software\Utilities\Disk\Perfect Disk 10\PDEngine.exe
e:\xp software\Utilities\System\F-Secure\Anti-Virus\fsav32.exe
e:\xpsoft~1\UTILIT~1\System\F-Secure\ANTI-S~1\fsaw.exe
e:\xp software\Utilities\System\F-Secure\FSGUI\fsguidll.exe
.
**************************************************************************
.
Completion time: 2011-01-30 00:10:53 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-30 05:10

Pre-Run: 24,487,141,376 bytes free
Post-Run: 24,330,932,224 bytes free

- - End Of File - - 31FF1D809C0E2A20F442DDDF04104C9B
 
Well, after that ran I was able to run Malwarebytes, and it found 44 viruses. Hmmm!! F-Secure ain't working so good, is it? Thanks again for your help, John.
 
I need to see the Malwarebytes log and a HijackThis log, please. Open Malwarebytes, click on the Logs tab, then open the logfile and copy and paste it back here.

Also do you know anything about this program?

WinCare2008

Hits refer to this as a cracked program.

Download Security Check from here or here
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.
 
Malwarebytes log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5637

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

30/01/2011 12:59:51 AM
mbam-log-2011-01-30 (00-59-51).txt

Scan type: Quick scan
Objects scanned: 137011
Time elapsed: 15 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 44

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\fcyvtu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\opmmkk.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\opollm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\pmljih.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\pmlklj.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\rqpmkk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tustqo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tutstt.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ddddde.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\efcaab.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\efdaaw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gebcdb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gebyaw.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gedcby.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\geecde.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\khifcc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mlijij.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\jkjjkk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ssqrsq.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\cbbyxw.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wvvwts.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wvvwus.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\yaaxuv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\yaxvvs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\yaxwwx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\hgdaxv.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\hgfcby.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\hgffdb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ljgdba.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ljifcd.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ljklmj.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\iifcyv.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\iiheda.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\qomkij.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\qonnli.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\nnmjge.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\nnmlli.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\nnmlmm.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\nnmnki.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\nnolih.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\nnoolk.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\vtrrpn.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\vttqnn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\vtutut.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

Apart from that:
1) I have not yet run HijackThis. Do you want me to?
2) Have never heard of WinCare2008.
3) Given the above, do you still want me to download and run "Security Check"? And if so, what do you want me to do first, HijackThis or Security Check?
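As an added example (not code from the thread, from Malwarebytes, or from any of the helpers), here is a small Python parser for the 1.50-era Malwarebytes' Anti-Malware log format posted above: it reconciles the header counts with the items actually listed under each section, tallies detections by family, flags items whose removal is still pending a reboot, and lists the six-letter random-named system32 DLLs that both this log and the ComboFix log earlier in the thread contain. The embedded log is a constructed excerpt in that format, with one action string changed to show the pending-reboot case.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the Malwarebytes' Anti-Malware 1.50 log
# posted in the thread. Paths and families follow that log; the last action
# string is changed to "Delete on reboot." to exercise the pending-reboot case.
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Scan type: Quick scan
Objects scanned: 137011

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Files Infected:
c:\\WINDOWS\\system32\\fcyvtu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\\WINDOWS\\system32\\opmmkk.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\\WINDOWS\\system32\\vtutut.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\\WINDOWS\\system32\\yaxwwx.dll (Trojan.Vundo) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 44"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Files Infected:"
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# Vundo/Hiloti-style droppers on this machine: six random letters, .dll, in system32
RANDOM_SYS32_DLL = re.compile(r"^c:\\windows\\system32\\[a-z]{6}\.dll$", re.IGNORECASE)


def parse_mbam_log(text):
    """Return (summary, detections): claimed counts per section, and the
    listed items as dicts with section, item, family and action."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:                       # header block: "<section>: <count>"
            summary[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:                       # detail block: "<section>:"
            section = m.group(1)
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return summary, detections


def reconcile(summary, detections):
    """Map each section to (claimed, listed); a mismatch means the log was
    truncated or edited before it was posted."""
    listed = Counter(d["section"] for d in detections)
    return {name: (claimed, listed.get(name, 0)) for name, claimed in summary.items()}


def family_counts(detections):
    """Tally detections by family, e.g. Trojan.Vundo vs Trojan.Hiloti.Gen."""
    return Counter(d["family"] for d in detections)


def pending_reboot(detections):
    """Items Malwarebytes could not remove until the next restart."""
    return [d["item"] for d in detections if "reboot" in d["action"].lower()]


def random_named_system32_dlls(detections):
    """Items that fit the six-letter system32 DLL naming seen in this infection."""
    return [d["item"] for d in detections if RANDOM_SYS32_DLL.match(d["item"])]


if __name__ == "__main__":
    summary, detections = parse_mbam_log(SAMPLE_LOG)
    for section, (claimed, listed) in reconcile(summary, detections).items():
        flag = "" if claimed == listed else "  <-- MISMATCH"
        print(f"{section}: claimed {claimed}, listed {listed}{flag}")
    print("Families:", dict(family_counts(detections)))
    print("Pending reboot:", pending_reboot(detections))
    print("Random-named system32 DLLs:", len(random_named_system32_dlls(detections)))
```

Run it against a pasted log instead of SAMPLE_LOG to spot a "Files Infected" count that does not match the items listed, which is the usual sign that a log was cut off when it was copied into a post.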
 
Give me both HijackThis and Security Check logs. Doesn't matter which one you run first.
 
HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:06:11 PM, on 30/01/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
E:\XPSOFT~1\UTILIT~1\System\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
E:\XP Software\Utilities\Disk\Diskeeper 8\DkService.exe
E:\XP Software\Utilities\System\F-Secure\Anti-Virus\fsgk32st.exe
E:\XP Software\Utilities\System\F-Secure\Anti-Virus\FSGK32.EXE
E:\XP Software\Utilities\System\F-Secure\BackWeb\7681197\program\fsbwsys.exe
E:\XP Software\Utilities\System\F-Secure\Common\FSMA32.EXE
E:\XP Software\Utilities\System\F-Secure\Common\FSMB32.EXE
E:\XP Software\Utilities\Disk\Norton\Ghost2003\GhostStartService.exe
E:\XP Software\Utilities\System\F-Secure\Common\FCH32.EXE
E:\XP Software\CD Creator\Nero 7\InCD\InCDsrv.exe
E:\XP Software\Utilities\System\F-Secure\Anti-Virus\fsqh.exe
E:\XP Software\Utilities\System\F-Secure\Common\FAMEH32.EXE
E:\XP Software\Utilities\System\Norton System Works 2002\Norton Utilities\NPROTECT.EXE
E:\XP Software\Utilities\System\F-Secure\Anti-Virus\fsrw.exe
E:\XP Software\Utilities\Disk\Perfect Disk 10\PDAgent.exe
C:\WINDOWS\System32\snmp.exe
E:\XPSOFT~1\UTILIT~1\System\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
E:\XP Software\Utilities\System\F-Secure\Common\FNRB32.EXE
E:\XP Software\Utilities\System\F-Secure\FWES\Program\fsdfwd.exe
E:\XP Software\Utilities\System\F-Secure\Common\FIH32.EXE
E:\XP Software\Utilities\Disk\Perfect Disk 10\PDEngine.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
E:\XP Software\Utilities\System\F-Secure\Common\FSM32.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
E:\XP Software\CD Creator\Nero 7\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
E:\XP Software\CD Creator\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
E:\XP Software\Utilities\System\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
C:\Program Files\emesene\emesene.exe
E:\XP Software\Video\WinDVD4\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\XP Software\Utilities\System\F-Secure\Anti-Virus\fsav32.exe
E:\XPSOFT~1\UTILIT~1\System\F-Secure\ANTI-S~1\fsaw.exe
E:\XP Software\Utilities\System\F-Secure\FSGUI\fsguidll.exe
E:\XP Software\Utilities\System\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\msiexec.exe
E:\XP Software\Utilities\System\Hijack This\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [F-Secure Manager] "E:\XP Software\Utilities\System\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "E:\XP Software\Utilities\System\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [InCD] E:\XP Software\CD Creator\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [fontnav] "E:\XP Software\Writing\Font Navigator\FontNav.exe" *1
O4 - HKLM\..\Run: [CloneCDTray] "E:\XP Software\CD Creator\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "E:\XP Software\CD Creator\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE lebeca web camera driver
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\XP Software\Video\Quick Time 7.62\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - Startup: Adobe Gamma Loader.lnk = ?
O4 - Startup: emesene.lnk = C:\Program Files\emesene\emesene.exe
O4 - Startup: InterVideo WinCinema Manager.lnk = E:\XP Software\Video\WinDVD4\Common\Bin\WinCinemaMgr.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = E:\XP Software\Utilities\System\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - E:\XP Software\Writing\IE Spell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - E:\XP Software\Writing\IE Spell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - E:\XP Software\Writing\IE Spell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - E:\XP Software\Writing\IE Spell\iespell.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - E:\XP Software\Utilities\System\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - E:\XP Software\Utilities\System\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1254004079734
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - E:\XPSOFT~1\UTILIT~1\System\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - E:\XP Software\Utilities\Disk\Diskeeper 8\DkService.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - E:\XP Software\Utilities\System\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - E:\XP Software\Utilities\System\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - Unknown owner - E:\XP Software\Utilities\System\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - E:\XP Software\Utilities\System\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - E:\XP Software\Utilities\System\F-Secure\Common\FSMA32.EXE
O23 - Service: GhostStartService - Symantec Corporation - E:\XP Software\Utilities\Disk\Norton\Ghost2003\GhostStartService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\XP Software\CD Creator\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - E:\XP Software\CD Creator\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Ghost - Unknown owner - E:\XP Software\Utilities\Disk\N Ghost 9\Agent\PQV2iSvc.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\XP Software\Utilities\System\Norton System Works 2002\Norton Utilities\NPROTECT.EXE
O23 - Service: PDAgent - Raxco Software, Inc. - E:\XP Software\Utilities\Disk\Perfect Disk 10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - E:\XP Software\Utilities\Disk\Perfect Disk 10\PDEngine.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - E:\XP Software\Utilities\System\SiSoftware Sandra Lite 2009.SP4\RpcAgentSrv.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\XPSOFT~1\UTILIT~1\System\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe

--
End of file - 11207 bytes

Could you please tell me what we learn from that?
 
Basically what starts up when your system boots, browser plugins and other pertinent information. I have to leave for work in a few minutes but still need you to post the Security Check log. I will look over the logs tonight when I get home.
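As an added illustration of what a reviewer looks for in a HijackThis log (this is not the tool's own code and not part of the thread), the small parser below reads entry lines in the HijackThis v2.0.4 format and flags the items worth checking first: O23 services whose binary is missing or that report "Unknown owner", and O4 startup items with no resolvable target. The sample lines are constructed to match the format and are not taken from any particular machine.

```python
import re

# Constructed sample lines modelled on the HijackThis v2.0.4 log format.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ExampleTray] "C:\\Program Files\\Example\\tray.exe"
O4 - Startup: Adobe Gamma Loader.lnk = ?
O4 - Startup: PowerReg Scheduler.exe
O23 - Service: Example Updater (exupd) - Example Corp - C:\\Program Files\\Example\\exupd.exe
O23 - Service: Old Backup Agent - Unknown owner - E:\\Tools\\Backup\\agent.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
"""

# Every entry line starts with a section code (R0, R1, F2, O2, O4, O23, ...)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")


def parse_entries(text):
    """Return a list of (code, body) tuples, one per HijackThis entry line.
    Header lines, the process list and blank lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def review_entries(entries):
    """Flag entries a reviewer would look at first.
    Returns a list of (code, reason, body). These are triage hints, not verdicts:
    legitimate software can also show 'Unknown owner', so each hit still needs
    the path and publisher checked by hand."""
    findings = []
    for code, body in entries:
        if code == "O23":
            if "(file missing)" in body:
                findings.append((code, "service points at a missing binary", body))
            elif "Unknown owner" in body:
                findings.append((code, "service has no publisher string", body))
        elif code == "O4":
            # Startup-folder items either resolve to a path ("name.lnk = path"),
            # to nothing ("= ?"), or list a bare file with no target at all.
            if body.endswith("= ?") or (body.startswith("Startup:") and "=" not in body):
                findings.append((code, "startup item with no resolvable target", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in review_entries(parse_entries(SAMPLE_LOG)):
        print(f"{code}: {reason}: {body}")
```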
 
Security Check Log:

Results of screen317's Security Check version 0.99.8
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
F-Secure Anti-Virus Client Security - Virus & Spy Protection
F-Secure Anti-Virus Client Security - Automatic Update Agent
F-Secure Anti-Virus Client Security - E-Mail Scanning
F-Secure Anti-Virus Client Security - Internet Shield
F-Secure Anti-Virus Client Security - Web Traffic Scanning
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Adobe Flash Player
````````````````````````````````
Process Check:
objlist.exe by Laurent

Utilities System F-Secure Anti-Virus\fsgk32st.exe
Utilities System F-Secure Anti-Virus\FSGK32.EXE
Utilities System F-Secure Anti-Virus\fsqh.exe
Utilities System F-Secure Anti-Virus\fsrw.exe
Utilities System F-Secure Anti-Virus\fsav32.exe
Utilities System F-Secure Anti-Virus\fssm32.exe
 
Please download and run TDSSkiller

When the program opens, click on the start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.

infection-found.jpg


To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.

When it has finished cleaning the infection you will see a report stating whether or not it was successful as shown below.

scan-completed.jpg


If the log says "will be cured after reboot", please reboot the system by pressing the Reboot now button.

After running, there will be a log located at the root of your c:\ drive labeled tdsskiller with a series of numbers after it. Please open the log and copy and paste it back here.

Also please post an uninstall list using hijackthis. Open hijackthis and click on open misc tools section, click on open uninstall manager, click on save list and save it, then copy and paste it back here.
 