
virus? csrss.exe, no restore points and other issues


  • This topic is locked
36 replies to this topic

#1 lilfirecat69
Authentic Member, 31 posts

Posted 18 June 2010 - 09:05 AM

Hi,
OK, this problem started after Shaw Secure started removing a virus; it won't open, so I can't even tell you which one. After Shaw removed it, the blue screen of death came up with a stop error, STOP 0x00000024, saying to run chkdsk /f, which I did, and I am now able to boot even though it takes a long time. Once it starts up, a box appears in the top left saying that it's setting personal settings back up for C:Program Data(x86)/restore csrss/csrss/csrss.exe, also alerts saying please report the problem to MS as there is a problem with Msdrv32b.exe. Also there is no calendar in System Restore. I have done an HJT scan; I will post the log.
Thank you. I am running XP Home SP3.



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:03:31 AM, on 18/06/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Shaw Secure\Common\FSHDLL32.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\TEMP\spoolsrv.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\explorer.exe
C:\ProgramData (x86)\Windows Backup Settings\Restore\csrss\csrss.exe
C:\Documents and Settings\mine\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\mine\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\mine\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\mine\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\mine\My Documents\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.c...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {5ba73b24-4614-4d17-b58e-0d9d95847e14} - C:\Program Files\AIR MILES TOOLBAR\Helper.dll
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: FCTBPos00Pos - {169A78DB-CFC2-4DA4-A9BD-A67B28D41FA7} - C:\Program Files\AIR MILES TOOLBAR\Toolbar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: AIR MILES TOOLBAR - {789D9334-A44A-486E-8234-313A78E66E61} - C:\Program Files\AIR MILES TOOLBAR\Toolbar.dll
O4 - HKLM\..\Run: [HKLM] C:\ProgramData (x86)\Windows Backup Settings\Restore\csrss\csrss.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\siuloader.exe /notify
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Application Layer Gateway] C:\Program Files\Common Files\alg.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [HKCU] C:\ProgramData (x86)\Windows Backup Settings\Restore\csrss\csrss.exe
O4 - HKCU\..\Run: [winlogon] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\mine\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKLM\..\Policies\Explorer\Run: [Internet Explorer] C:\ProgramData (x86)\Windows Backup Settings\Restore\csrss\csrss.exe
O4 - HKCU\..\Policies\Explorer\Run: [Internet Explorer] C:\ProgramData (x86)\Windows Backup Settings\Restore\csrss\csrss.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Cool Hand Poker - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\coolhandMPP\MPPoker.exe (file missing) (HKCU)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games – Matchmaking) - http://cdn2.zone.msn...k.cab102118.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mythic%20Mahjong/Images/stg_drm.ocx
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1E3F888F-96D7-4A1B-8514-8991264E8B7D} (iSite 3D Renderer Class) - http://www.pc.gc.ca/...in/iS3DCtrl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2D72C39D-53F6-4AEA-A9DB-1298429DA974} (3DVista Viewer Control) - http://www.3dvista.c...s/viewer3dv.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1171096834937
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://pfeiffershell...ad/MsnPUpld.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebo...oUploader55.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/...he.cab79352.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mythic%20Mahjong/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/...ploader_v10.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail....ol/MSNPUpld.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valu...ashax/iefax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: csbdll - csbdll.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 15198 bytes
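The log above contains several of the persistence tricks a removal helper reads off a HijackThis log by eye: a second program chained after userinit.exe in the F2 line, Run values named after Windows components or hives ("HKLM", "winlogon", "Application Layer Gateway"), a csrss.exe living under a "ProgramData (x86)" directory that Windows does not create on a 32-bit XP install, a process running out of C:\WINDOWS\TEMP, and a Winlogon Notify DLL that is no longer on disk. The script below is an added example, not code from this thread or from HijackThis; it encodes those rules against the 2.0.4 log format. The trusted-root list, the set of core process names and the sample excerpt (built from lines quoted in the post) are assumptions for a 32-bit XP host.

```python
"""Triage a HijackThis 2.0.4 log for persistence entries worth a second look.

Added example. Assumptions: 32-bit Windows XP, so "ProgramData (x86)" is not a
directory Windows creates, and nothing legitimate auto-starts from TEMP.
"""
import re
from dataclasses import dataclass

SYSTEM32 = "c:\\windows\\system32\\"
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
PROFILE_ROOT = "c:\\documents and settings\\"
SUSPECT_PARTS = ("\\temp\\", "programdata (x86)")
CORE_NAMES = {"csrss", "winlogon", "smss", "lsass", "services",
              "svchost", "alg", "spoolsv", "userinit"}
MASQUERADE_NAMES = CORE_NAMES | {"hklm", "hkcu", "application layer gateway",
                                 "internet explorer"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>.+?): \[(?P<name>[^\]]*)\]\s*(?P<target>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)
EXE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|com|scr|bat|cmd|vbs|pif))(?=\s|$)", re.I)


@dataclass
class Finding:
    line: str       # the log line that triggered the rule
    severity: str   # "high" or "low"
    reason: str


def _norm(path):
    return path.strip().strip('"').lower()


def _stem(path):
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def _first_path(target):
    """Executable path from an O4 target: quoted, or unquoted up to the extension."""
    target = target.strip()
    if not target:
        return ""
    if target.startswith('"'):
        end = target.find('"', 1)
        return _norm(target[1:end] if end > 0 else target[1:])
    m = EXE_RE.match(target)
    return _norm(m.group("path") if m else target.split()[0])


def check_path(path, context, line):
    out, p = [], _norm(path)
    if "\\" not in p:   # bare names (stsystra.exe) cannot be judged from the log alone
        return out
    if any(part in p for part in SUSPECT_PARTS):
        out.append(Finding(line, "high", f"{context} runs from TEMP or a directory XP never creates: {p}"))
    elif p.startswith(PROFILE_ROOT):
        out.append(Finding(line, "low", f"{context} runs from a user profile; confirm the publisher: {p}"))
    elif not p.startswith(TRUSTED_ROOTS):
        out.append(Finding(line, "high", f"{context} runs from outside Windows/Program Files: {p}"))
    stem = _stem(p)
    if stem in CORE_NAMES and not p.startswith(SYSTEM32):
        out.append(Finding(line, "high", f"'{stem}.exe' outside system32 impersonates a core Windows process"))
    return out


def triage(log_text):
    findings, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # process list runs until the first blank line
            if not line:
                in_procs = False
            else:
                findings += check_path(line, "running process", line)
            continue
        m = F2_RE.match(line)
        if m:
            for entry in (e for e in m.group("value").split(",") if e.strip()):
                if _norm(entry) != SYSTEM32 + "userinit.exe":
                    findings.append(Finding(line, "high", f"UserInit hijack: '{entry.strip()}' chained after userinit.exe"))
            continue
        m = O4_RE.match(line)
        if m:
            name, key, target = m.group("name"), m.group("key"), m.group("target")
            if "policies\\explorer\\run" in key.lower():
                findings.append(Finding(line, "high", "auto-start via Policies\\Explorer\\Run, rarely used by legitimate installers"))
            if name.lower() in MASQUERADE_NAMES:
                findings.append(Finding(line, "high", f"Run value named '{name}' after a Windows component or hive"))
            findings += check_path(_first_path(target), "auto-start entry", line)
            continue
        if line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
            findings.append(Finding(line, "high", "Winlogon Notify DLL registered but not on disk"))
    return findings


# Constructed excerpt in HijackThis format; the entries are quoted from the posted log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\TEMP\spoolsrv.exe
C:\ProgramData (x86)\Windows Backup Settings\Restore\csrss\csrss.exe
C:\Documents and Settings\mine\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [HKLM] C:\ProgramData (x86)\Windows Backup Settings\Restore\csrss\csrss.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Application Layer Gateway] C:\Program Files\Common Files\alg.exe
O4 - HKCU\..\Run: [winlogon] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Policies\Explorer\Run: [Internet Explorer] C:\ProgramData (x86)\Windows Backup Settings\Restore\csrss\csrss.exe
O20 - Winlogon Notify: csbdll - csbdll.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run it against a full log pasted into SAMPLE_LOG; a profile-local Chrome install is reported as "low" so that it is not confused with the "high" items, and bare names such as stsystra.exe are skipped because the log alone does not say where they resolve.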



#2 LDTate
Grand Poobah (Root Admin), 57,211 posts

Posted 18 June 2010 - 12:56 PM


C:Program Data(x86)restore csrss/csrss/csrss.exe
That's really weird, as (x86) is only seen with Windows 64-bit and you're running 32-bit.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.


Vista and Windows 7 users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")


Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.


Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.
Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.
When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:
Double-click on the Folder Options icon.
Click on the View tab.


If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.
Click on Show Hidden Files or Folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.



Please do not delete anything unless instructed to.


We've been seeing some Java infections lately.
Go here and follow the instructions to clear your Java Cache


Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose Select All, then click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose Select All, then click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Then click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.


Also please describe how your computer behaves at the moment.


Please don't attach the scans / logs; use "copy/paste".

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days.

Donations via PayPal are welcome for the help you received.

Proud graduate of TC/WTT Classroom


#3 lilfirecat69
Authentic Member, 31 posts

Posted 19 June 2010 - 07:28 PM

Hi, OK, I finally got through this. Every time I tried to run anything the system would auto shut down. Now that it has scanned with MBAM, it's running faster, not hanging when opening a window or freezing and making loud long beeps when it freezes. It did however, after I ran MBAM and it needed to restart to delete the rest of the infected files, crash on the reboot with the blue screen and the stop error 0x0000008e. I then rebooted and it came up OK, mind you when the F-Secure virus center came up it was saying that the virus could not be removed. It hasn't come back up yet with anything like it was. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4217

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

19/06/2010 6:13:07 PM
mbam-log-2010-06-19 (18-13-07).txt

Scan type: Quick scan
Objects scanned: 146234
Time elapsed: 42 minute(s), 59 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 8
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 22

Memory Processes Infected:
C:\Program Files\Common Files\alg.exe (Trojan.Backdoor) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\irasuvarukurur.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\system32\csbdll.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{16ms825v-41sy-n428-v460-i2x7psm8sja7} (Generic.Bot.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lnoxifuyi (Trojan.Hiloti) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\application layer gateway (Trojan.Backdoor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\internet explorer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hkcu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\internet explorer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hklm (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData (x86)\Windows Backup Settings\Restore\csrss\csrss.exe (Generic.Bot.H) -> Delete on reboot.
C:\WINDOWS\irasuvarukurur.dll (Trojan.Hiloti) -> Delete on reboot.
C:\Program Files\Common Files\alg.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\Documents and Settings\mine\Application Data\cpx.exe (Trojan.MultiDropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Application Data\cpx.exe (Trojan.MultiDropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\vjqbrcgt.sys (Trojan.Rootkit) -> Delete on reboot.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\auwses.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\Temporary Internet Files\Content.IE5\5P3FRTR7\e4u-pfatch[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\Temporary Internet Files\Content.IE5\NPAZUCIF\kksahc[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\mine\Local Settings\Temp\auwses.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\mine\Local Settings\Temp\Temporary Internet Files\Content.IE5\5P3FRTR7\e4u-pfatch[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\mine\Local Settings\Temp\Temporary Internet Files\Content.IE5\NPAZUCIF\kksahc[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\mine\Application Data\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Application Data\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\csbdll.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\MSN.abc (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\mine\Local Settings\Temp\MSN.abc (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\mine\Local Settings\Temp\UuU.uUu (Malware.Trace) -> Delete on reboot.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\XxX.xXx (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\mine\Local Settings\Temp\XxX.xXx (Malware.Trace) -> Delete on reboot.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\xxxyyyzzz.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\mine\Local Settings\Temp\xxxyyyzzz.dat (Malware.Trace) -> Quarantined and deleted successfully.
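Two things in an MBAM log like the one above drive the helper's next move: items marked "Delete on reboot" were not removed live and must be re-checked after the restart (which here ended in a 0x8E stop error), and detections such as Trojan.Backdoor, Stolen.data and Hijack.UserInit are what justify the password-reset advice that follows. The script below is an added example, not MBAM's own code or anything from the thread; it parses the one-detection-per-line format MBAM 1.x writes and pulls out both lists, plus the programs chained into Winlogon\Userinit from the "Bad: (...)" record. The category keywords and the sample log (assembled from lines quoted in the post) are assumptions.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x log for follow-up (added example)."""
import re
from dataclasses import dataclass

ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")
# Detection names that imply remote access or credential theft (assumption:
# MBAM's category naming as seen in the posted log).
EXPOSURE_HINTS = ("backdoor", "bot", "stolen", "userinit", "bifrose", "pws", "spy")


@dataclass
class Detection:
    section: str
    item: str
    category: str
    action: str        # final disposition, e.g. "Delete on reboot"
    bad: tuple = ()    # Registry Data Items only: the hijacked value, split on commas
    good: tuple = ()


def _split(value):
    return tuple(x.strip() for x in value.split(",") if x.strip())


def parse_mbam(text):
    dets, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):   # section header; the summary lines end in a count
            section = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        action, bad, good = m.group("action"), (), ()
        bg = BAD_GOOD_RE.search(action)
        if bg:                           # "Bad: (...) Good: (...) -> <disposition>"
            bad, good = _split(bg.group("bad")), _split(bg.group("good"))
            action = action.split(" -> ")[-1]
        dets.append(Detection(section, m.group("item"), m.group("category"), action, bad, good))
    return dets


def reboot_pending(dets):
    """Items MBAM could not remove live; verify they are gone after the restart."""
    return [d.item for d in dets if d.action.lower().startswith("delete on reboot")]


def credential_exposure(dets):
    """Detections that justify changing passwords from another machine."""
    return [d for d in dets if any(h in d.category.lower() for h in EXPOSURE_HINTS)]


def userinit_extras(dets):
    """Programs chained into Winlogon\\Userinit besides userinit.exe itself."""
    return [e for d in dets if d.category.lower() == "hijack.userinit"
            for e in d.bad if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


# Constructed sample in MBAM 1.x format; the detection lines are quoted from the post.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4217

Memory Processes Infected: 1
Files Infected: 4

Memory Processes Infected:
C:\Program Files\Common Files\alg.exe (Trojan.Backdoor) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\irasuvarukurur.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData (x86)\Windows Backup Settings\Restore\csrss\csrss.exe (Generic.Bot.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\vjqbrcgt.sys (Trojan.Rootkit) -> Delete on reboot.
C:\Documents and Settings\mine\Application Data\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\mine\Local Settings\Temp\auwses.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    dets = parse_mbam(SAMPLE_LOG)
    print("re-check after reboot:", *reboot_pending(dets), sep="\n  ")
    print("credential exposure:", *(f"{d.category}: {d.item}" for d in credential_exposure(dets)), sep="\n  ")
    print("chained into Userinit:", userinit_extras(dets))
```

The item regex backtracks past parentheses inside a path ("ProgramData (x86)") because the category must be followed by " -> ", so only the real "(Category) -> action" split is taken.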

#4 LDTate
Grand Poobah (Root Admin), 57,211 posts

Posted 19 June 2010 - 07:36 PM

C:\Program Files\Common Files\alg.exe (Trojan.Backdoor) -> Unloaded process successfully.

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps
This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.



#5 lilfirecat69
Authentic Member, 31 posts

Posted 19 June 2010 - 07:50 PM

Hi, thank you. OK, only, I wasn't given a restore disk when I bought this computer from Dell, so how can this be cleaned otherwise? And I will change all my passwords via my other computer.

#6 LDTate
Grand Poobah (Root Admin), 57,211 posts

Posted 19 June 2010 - 07:55 PM

Download ComboFix from one of these locations:

Link 1
Link 2 (if using this link, right-click and select Save As).


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

    Notes: ComboFix will run without the Recovery Console installed. If you have SP3, use the SP2 package. If you are on Vista or Windows 7, skip the Recovery Console part.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.


Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to donate via PayPal for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 lilfirecat69

lilfirecat69

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 20 June 2010 - 03:13 PM

Hi, ok, ComboFix is not running, it keeps freezing. I tried running it a few times; each time it gets a little further, then freezes again for well over 2 hrs. Once it's rebooted and I try to see if I can access the web, the pages are still hanging, it's still stop-error crashing; it crashes if you try to have more than one process at a time, i.e. having a window open and opening a tab in said window. This comp has its own product key for its version of Windows. Should I try ComboFix in Safe Mode? It also has not produced a log.

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 20 June 2010 - 03:18 PM

Yes, try it in Safe Mode



#9 lilfirecat69

lilfirecat69

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 20 June 2010 - 08:25 PM

I was finally able to get ComboFix to run, here's the log


ComboFix 10-06-20.03 - mine 20/06/2010 19:36:16.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.499 [GMT -6:00]
Running from: c:\documents and settings\mine\Desktop\ComboFix.exe
AV: Shaw Secure 9.01 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Shaw Secure 9.01 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\driVERs\vjqbrcgt.sys

Infected copy of c:\windows\system32\Restore\rstrui.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rstrui.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_vjqbrcgt
-------\Service_vjqbrcgt


((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
.

2020-01-25 04:49 . 2020-01-25 04:49 -------- d-----w- c:\windows\Paltalk Messenger
2020-01-25 04:48 . 2020-01-25 04:48 -------- d-----w- C:\88058f1f4ec15c490d
2020-01-25 04:48 . 2020-01-25 04:48 -------- d-----w- c:\documents and settings\mine\Application Data\SlySoft
2020-01-25 04:24 . 2020-01-25 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel(3)
2020-01-25 04:24 . 2020-01-25 04:47 -------- d-----w- c:\documents and settings\mine\Application Data\Intel(3)
2010-10-13 00:50 . 2009-05-24 15:54 -------- d-----w- c:\program files\SlySoft
2010-06-21 00:41 . 2010-06-21 00:41 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-19 23:14 . 2010-06-19 23:14 -------- d-----w- c:\documents and settings\mine\Application Data\Malwarebytes
2010-06-19 23:13 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-19 23:13 . 2010-06-19 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-19 23:12 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-19 23:12 . 2010-06-19 23:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-18 20:05 . 2010-06-19 22:49 0 ----a-w- c:\windows\Mpovegizutazeti.bin
2010-06-18 20:05 . 2010-06-19 22:47 120 ----a-w- c:\windows\Eyubuzimocine.dat
2010-06-18 15:33 . 2010-06-18 15:33 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2010-06-18 15:33 . 2010-06-20 00:06 -------- d-----w- c:\documents and settings\HelpAssistant\Tracing
2010-06-18 15:33 . 2010-06-18 15:33 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-06-18 15:32 . 2010-06-18 15:33 -------- d-----w- c:\documents and settings\HelpAssistant\Shared
2010-06-18 15:32 . 2010-06-20 00:05 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-06-17 05:51 . 2010-06-21 00:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-17 04:50 . 2010-06-21 01:15 -------- d-----w- c:\documents and settings\HelpAssistant
2010-06-10 18:05 . 2010-06-10 18:05 -------- d-----w- C:\ProgramData (x86)
2010-06-10 03:01 . 2010-06-10 03:01 -------- d-----w- c:\program files\ISO Image Burner
2010-06-10 02:03 . 2010-06-10 02:03 -------- d-----w- c:\program files\uTorrent
2010-06-10 02:03 . 2010-06-10 23:45 -------- d-----w- c:\documents and settings\mine\Application Data\uTorrent
2010-06-10 00:46 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-05-30 03:38 . 2010-05-30 03:38 -------- d-----w- c:\documents and settings\mine\dwhelper
2010-05-30 00:50 . 2010-01-30 17:48 266552 ----a-w- c:\windows\system32\HMIPCore.dll
2010-05-30 00:15 . 2010-05-30 01:07 -------- d-----w- C:\Hotspot Shield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2020-01-25 04:49 . 2007-01-13 07:54 -------- d-----w- c:\program files\Windows Media Connect 2
2020-01-25 04:48 . 2007-01-05 03:54 -------- d-----w- c:\program files\Replay Converter
2020-01-25 04:47 . 2006-12-17 23:12 -------- d-----w- c:\program files\Windows Defender
2020-01-25 04:24 . 2006-12-17 23:30 -------- d-----w- c:\program files\Ahead
2010-06-19 23:15 . 2010-06-20 00:05 0 ----a-w- c:\documents and settings\HelpAssistant\ntuser.tmp
2010-06-13 08:45 . 2007-03-11 22:41 -------- d-----w- c:\documents and settings\mine\Application Data\Skype
2010-06-12 06:15 . 2010-01-24 03:28 -------- d-----w- c:\program files\Google
2010-06-04 23:54 . 2009-08-01 06:29 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-21 20:14 . 2009-10-03 15:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-14 18:56 . 2006-04-23 07:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-14 00:30 . 2006-03-24 18:36 -------- d-----w- c:\program files\Java
2010-05-13 22:05 . 2010-05-13 22:05 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2010-05-11 02:28 . 2010-05-11 02:28 -------- d-----w- c:\program files\FriendFinder
2010-05-06 10:41 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 18:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-10 18:50 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-12 23:29 . 2010-05-14 00:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-03-30 16:33 . 2008-11-12 22:14 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2004-10-01 21:00 . 2006-12-17 22:44 40960 ----a-w- c:\program files\UNINSTALL_CDS.0XE
2009-07-26 22:06 . 2006-04-07 12:13 104 --sh--r- c:\windows\system32\38C8C11354.sys
2009-07-26 22:06 . 2006-04-07 12:13 4600 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5ba73b24-4614-4d17-b58e-0d9d95847e14}"= "c:\program files\AIR MILES TOOLBAR\Helper.dll" [2009-05-11 219648]

[HKEY_CLASSES_ROOT\clsid\{5ba73b24-4614-4d17-b58e-0d9d95847e14}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{DF11073E-3AFF-410F-9AC8-72459F32C80F}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{169A78DB-CFC2-4DA4-A9BD-A67B28D41FA7}]
2009-05-11 22:54 1292288 ------w- c:\program files\AIR MILES TOOLBAR\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{789D9334-A44A-486E-8234-313A78E66E61}"= "c:\program files\AIR MILES TOOLBAR\Toolbar.dll" [2009-05-11 1292288]

[HKEY_CLASSES_ROOT\clsid\{789d9334-a44a-486e-8234-313a78e66e61}]
[HKEY_CLASSES_ROOT\FCTB000056939.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{3AA580F6-AE52-436E-A24D-69082DF84CF9}]
[HKEY_CLASSES_ROOT\FCTB000056939.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{789D9334-A44A-486E-8234-313A78E66E61}"= "c:\program files\AIR MILES TOOLBAR\Toolbar.dll" [2009-05-11 1292288]

[HKEY_CLASSES_ROOT\clsid\{789d9334-a44a-486e-8234-313a78e66e61}]
[HKEY_CLASSES_ROOT\FCTB000056939.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{3AA580F6-AE52-436E-A24D-69082DF84CF9}]
[HKEY_CLASSES_ROOT\FCTB000056939.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\mine\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-05-08 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-17 397312]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-03-24 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"News Service"="c:\program files\Shaw Secure\FSGUI\ispnews.exe" [2005-05-31 356352]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-19 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-19 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-19 77824]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2009-08-05 2349664]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2009-08-05 199264]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\LIvVE\\System\\mIC.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\mine\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2519:TCP"= 2519:TCP:Services
"3538:TCP"= 3538:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"5434:TCP"= 5434:TCP:Services
"3467:TCP"= 3467:TCP:Services
"6106:TCP"= 6106:TCP:Services
"6107:TCP"= 6107:TCP:Services
"5435:TCP"= 5435:TCP:Services
"9370:TCP"= 9370:TCP:Services

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [12/11/2008 4:14 PM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [27/04/2007 11:03 PM 80000]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [12/11/2008 4:04 PM 68064]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 7:19 PM 13592]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [27/04/2007 11:45 PM 113864]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Shaw Secure\ORSP Client\fsorsp.exe [12/11/2008 4:04 PM 55992]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [14/01/2008 4:06 AM 21632]
S3 DCamUSBUVT;ICM532A;c:\windows\system32\drivers\usbuvt.sys [06/06/2008 9:17 AM 95232]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\win2k\fsfilter.sys [27/04/2007 11:03 PM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\win2k\fsrec.sys [27/04/2007 11:03 PM 25184]
.
Contents of the 'Scheduled Tasks' folder

2009-08-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789029489-1268896404-705703666-1006Core.job
- c:\documents and settings\mine\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-08 21:14]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789029489-1268896404-705703666-1006UA.job
- c:\documents and settings\mine\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-08 21:14]

2010-06-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.ca/ig?hl=en
mWindow Title = Internet Explorer Provided by SHAW Internet
mSearch Bar = hxxp://ca.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://ca.search.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {1E3F888F-96D7-4A1B-8514-8991264E8B7D} - hxxp://www.pc.gc.ca/apps/dci/source/bin/iS3DCtrl.cab
DPF: {2D72C39D-53F6-4AEA-A9DB-1298429DA974} - hxxp://www.3dvista.com/downloads/viewer3dv.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
FF - ProfilePath - c:\documents and settings\mine\Application Data\Mozilla\Firefox\Profiles\azy7vojz.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=56939&p=
FF - component: c:\documents and settings\mine\Application Data\Mozilla\Firefox\Profiles\azy7vojz.default\extensions\{f02289b7-b23a-49b1-a7da-b60880e69629}\components\Engine.dll
FF - plugin: c:\documents and settings\All Users\Application Data\RealArcade\npraclient.dll
FF - plugin: c:\documents and settings\mine\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\mine\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\mine\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPStreamPlug.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr
ef", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-20 19:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll ACPI.sys >>UNKNOWN [0x85FB478A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf757af28
\Driver\ACPI -> ACPI.sys @ 0xf740dcb8
\Driver\atapi -> ntkrnlpa.exe @ 0x80586e11
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> 0x8601ab00
PacketIndicateHandler -> NDIS.SYS @ 0xf716ca21
SendHandler -> NDIS.SYS @ 0xf714a87b
copy of MBR has been found in sector 0x0B77F389
malicious code @ sector 0x0B77F38C !
PE file found in sector at 0x0B77F3A2 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'lsass.exe'(708)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'explorer.exe'(3184)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(628)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dllhost.exe
c:\program files\Shaw Secure\Anti-Virus\fsgk32st.exe
c:\program files\Shaw Secure\Common\FSMA32.EXE
c:\program files\Shaw Secure\Anti-Virus\FSGK32.EXE
c:\program files\Shaw Secure\Common\FSHDLL32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\Shaw Secure\FWES\Program\fsdfwd.exe
c:\program files\Shaw Secure\Anti-Virus\fssm32.exe
c:\program files\Shaw Secure\Anti-Virus\fsav32.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\documents and settings\mine\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\program files\Digital Line Detect\DLG.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2010-06-20 20:07:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-21 02:07
ComboFix2.txt 2010-06-20 09:19
ComboFix3.txt 2007-02-03 19:38

Pre-Run: 57,004,158,976 bytes free
Post-Run: 56,932,306,944 bytes free

- - End Of File - - 967833B0DE40D0BCA731C8FBA496CD3C
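The Gmer "Stealth MBR rootkit" section of the log above reports three things a Mebroot/Sinowal-style bootkit leaves on disk: a copy of the original MBR stashed in a high sector (0x0B77F389), loader code next to it, and a PE file stored in raw sectors (0x0B77F3A2) outside any partition. The script below is an added example, not part of this thread and not Gmer's tool, showing how those two disk-level indicators can be checked offline against a raw disk image: it parses the partition table from sector 0, then walks every sector that lies outside a defined partition and flags any that either duplicate the MBR boot code or start with a valid MZ/PE header. The disk image is constructed in memory (one NTFS-type partition, an MBR copy at LBA 0x50, a PE stub at LBA 0x60, and a decoy PE inside the partition that must not be flagged); the LBA values and the `build_sample_image` helper are assumptions for the demonstration, not values from the infected machine.

```python
"""Offline check for two MBR-bootkit artefacts: an out-of-place copy of the
MBR boot code and a PE image in raw sectors outside any partition.
Added example; the sample image is constructed, not taken from a real disk."""
import struct

SECTOR = 512


def parse_mbr(img: bytes):
    """Return (boot_code, partitions) from sector 0.
    partitions is a list of (start_lba, sector_count) for non-empty entries."""
    mbr = img[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature in sector 0")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]                       # partition type byte
        start, size = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and size:
            parts.append((start, size))
    return mbr[:440], parts                    # 440 bytes of boot code precede the disk signature


def in_partition(lba: int, parts) -> bool:
    return any(start <= lba < start + size for start, size in parts)


def looks_like_pe(sector: bytes) -> bool:
    """True if the sector starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(sector) < 0x40 or sector[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", sector, 0x3C)[0]
    return e_lfanew + 4 <= len(sector) and sector[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_image(img: bytes):
    """Return [(kind, lba), ...] for suspicious sectors outside all partitions."""
    boot_code, parts = parse_mbr(img)
    check_copy = any(boot_code)               # an all-zero MBR would match every empty sector
    findings = []
    for lba in range(1, len(img) // SECTOR):
        if in_partition(lba, parts):
            continue                           # filesystem data; PE files are normal here
        sec = img[lba * SECTOR:(lba + 1) * SECTOR]
        if check_copy and sec[:440] == boot_code:
            findings.append(("mbr_copy", lba))
        elif looks_like_pe(sec):
            findings.append(("pe_in_raw_sector", lba))
    return findings


def build_sample_image() -> bytes:
    """Constructed 0x80-sector image (assumption, not real data): one partition at
    LBA 8..0x3F, a stashed MBR copy at LBA 0x50 and a PE stub at LBA 0x60."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (440 - 7)
    mbr = bytearray(SECTOR)
    mbr[:440] = boot_code
    # entry 0: bootable, type 0x07 (NTFS), CHS fields zeroed, start LBA 8, 0x38 sectors
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 8, 0x38)
    mbr[510:512] = b"\x55\xaa"

    def pe_stub(e_lfanew: int) -> bytes:
        s = bytearray(SECTOR)
        s[:2] = b"MZ"
        struct.pack_into("<I", s, 0x3C, e_lfanew)
        s[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
        return bytes(s)

    img = bytearray(0x80 * SECTOR)
    img[:SECTOR] = mbr
    img[0x10 * SECTOR:0x11 * SECTOR] = pe_stub(0x40)   # legitimate PE inside the partition
    img[0x50 * SECTOR:0x51 * SECTOR] = mbr             # bootkit's copy of the original MBR
    img[0x60 * SECTOR:0x61 * SECTOR] = pe_stub(0x80)   # driver image stored in raw sectors
    return bytes(img)


if __name__ == "__main__":
    for kind, lba in scan_image(build_sample_image()):
        print(f"{kind}: sector 0x{lba:08X}")
```

On a live Windows machine the same functions can be pointed at the physical disk by opening `\\.\PhysicalDrive0` for binary reading as an administrator, but a bootkit that hooks `\Driver\Disk` (as the log shows) can lie to userland reads, which is why the tools in this thread do their own driver-level checks and why the image should ideally be acquired from a clean boot environment.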

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 21 June 2010 - 05:55 AM

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll ACPI.sys >>UNKNOWN [0x85FB478A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf757af28
\Driver\ACPI -> ACPI.sys @ 0xf740dcb8
\Driver\atapi -> ntkrnlpa.exe @ 0x80586e11
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> 0x8601ab00
PacketIndicateHandler -> NDIS.SYS @ 0xf716ca21
SendHandler -> NDIS.SYS @ 0xf714a87b
copy of MBR has been found in sector 0x0B77F389
malicious code @ sector 0x0B77F38C !
PE file found in sector at 0x0B77F3A2 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

You have a RootKit onboard.

Vista and Windows 7 users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")


Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run, once it is finished move onto the next step



Download TDSSKiller and save it to your Desktop.

  • Make sure all other windows are closed and to let it run uninterrupted.
  • Extract the file and run it.
  • Reboot your machine and see if the infection is gone



#11 lilfirecat69

lilfirecat69

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 21 June 2010 - 08:45 AM

GooredFix log:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 08:41 on 21/06/2010 (mine)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:47 24/01/2008]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [20:48 23/03/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [17:06 26/07/2008]
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [15:11 23/11/2008]
{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [23:56 10/03/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [20:39 04/04/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [07:05 11/06/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [04:29 18/08/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [22:01 05/11/2009]
{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} [08:04 31/03/2010]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [00:30 14/05/2010]

C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\azy7vojz.default\extensions\
illimitux@illimitux.net [03:36 30/05/2010]
{20a82645-c095-46ed-80e3-08825760534b} [03:10 23/10/2009]
{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [00:07 30/05/2010]
{f02289b7-b23a-49b1-a7da-b60880e69629} [15:06 28/02/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [13:53 18/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [23:56 10/03/2009]

-=E.O.F=-

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 21 June 2010 - 09:00 AM

Did TDSSKiller report any findings?



#13 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 21 June 2010 - 09:06 AM

Download and run HAMeb_check.exe
Post the contents of the resulting log.



#14 lilfirecat69

lilfirecat69

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 21 June 2010 - 09:18 AM

Yes it did, it removed it on reboot, but didn't bring up a log. Running HAMeb now.

#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 21 June 2010 - 09:20 AM

Yes it did, it removed it on reboot, but didn't bring up a log. Running HAMeb now.

:thumbup:

