WiredWX Hobby Weather Tools

Poprock b.exe virus, blocking McAfee & other anti-viral/malware progs

Re: Poprock b.exe virus, blocking McAfee & other anti-viral/malware progs

DDS (Ver_09-09-29.01) - NTFSx86
Run by Jesse Cohen at 21:49:53.82 on Thu 10/01/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.1711 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AutoClickExtreme\AutoClicker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jesse Cohen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6090110
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autocl~1.lnk - c:\program files\autoclickextreme\AutoClicker.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-10 201320]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-10 358224]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-1-10 144704]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-1-10 84992]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-10 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-10 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-10 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-10 40488]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-10 30192]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-10 33832]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-22 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-22 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]

=============== Created Last 30 ================

2009-10-01 13:53 --dsh--- c:\documents and settings\jesse cohen\PrivacIE
2009-10-01 13:53 --dsh--- c:\documents and settings\jesse cohen\IECompatCache
2009-10-01 13:44 --dsh--- c:\documents and settings\jesse cohen\IETldCache
2009-10-01 13:41 --d----- c:\windows\ie8updates
2009-10-01 13:39 -cd-h--- c:\windows\ie8
2009-10-01 13:37 100,352 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-10-01 13:37 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-10-01 13:37 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-10-01 13:21 --d----- c:\docume~1\jessec~1\applic~1\Malwarebytes
2009-10-01 13:21 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-01 13:21 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-01 13:21 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-01 13:21 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-30 18:18 --d----- c:\program files\Trend Micro
2009-09-30 11:35 43,520 a------- c:\windows\system32\fcachdll.dll
2009-09-30 11:35 23,040 a------- c:\windows\system32\regtrace.exe
2009-09-30 11:35 21,791 a------- c:\windows\system32\smtpctrs.ini
2009-09-30 11:35 12,288 a------- c:\windows\system32\smtpctrs.dll
2009-09-30 11:35 8,002 a------- c:\windows\system32\smtpctrs.h
2009-09-30 11:35 7,168 a------- c:\windows\system32\snprfdll.dll
2009-09-30 11:35 5,632 a------- c:\windows\system32\adsiisex.dll
2009-09-30 11:35 1,037 a------- c:\windows\system32\ntfsdrct.ini
2009-09-30 11:35 773 a------- c:\windows\system32\ntfsdrct.h
2009-09-30 11:34 --d----- c:\program files\MSN Gaming Zone
2009-09-30 09:16 26,112 ac------ c:\windows\system32\dllcache\EXCH_seos.dll
2009-09-30 09:16 12,288 ac------ c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2009-09-30 09:16 7,168 ac------ c:\windows\system32\dllcache\EXCH_snprfdll.dll
2009-09-30 09:16 65,536 ac------ c:\windows\system32\dllcache\EXCH_mailmsg.dll
2009-09-30 09:16 57,856 ac------ c:\windows\system32\dllcache\EXCH_scripto.dll
2009-09-30 09:16 45,056 ac------ c:\windows\system32\dllcache\EXCH_aqadmin.dll
2009-09-30 09:16 43,520 ac------ c:\windows\system32\dllcache\EXCH_fcachdll.dll
2009-09-30 09:16 38,912 ac------ c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-09-30 09:16 23,040 ac------ c:\windows\system32\dllcache\EXCH_regtrace.exe
2009-09-30 09:16 5,632 ac------ c:\windows\system32\dllcache\EXCH_adsiisex.dll
2009-09-30 00:11 --d----- c:\windows\setupupd
2009-09-29 23:40 --d----- c:\windows\setup.pss
2009-09-29 23:06 --d----- c:\windows\system32\NtmsData
2009-09-26 10:12 151 a------- c:\windows\PhotoSnapViewer.INI
2009-09-12 16:48 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll

============= FINISH: 21:50:19.90 ===============

Re: Poprock b.exe virus, blocking McAfee & other anti-viral/malware progs

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshot: CF_download_FF]

    [screenshot: CF_download_rename]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: Rcauto10]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

    [screenshot: Whatne10]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Poprock b.exe virus, blocking McAfee & other anti-viral/malware progs

ComboFix 09-10-01.05 - Jesse Cohen 10/03/2009 20:10.1.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2705 [GMT -4:00]
Running from: c:\documents and settings\Jesse Cohen\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-10-01 17:53 . 2009-10-01 17:53 -------- d-sh--w- c:\documents and settings\Jesse Cohen\PrivacIE
2009-10-01 17:53 . 2009-10-01 17:53 -------- d-sh--w- c:\documents and settings\Jesse Cohen\IECompatCache
2009-10-01 17:44 . 2009-10-01 17:44 -------- d-sh--w- c:\documents and settings\Jesse Cohen\IETldCache
2009-10-01 17:44 . 2009-10-01 17:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-01 17:41 . 2009-10-01 17:41 -------- d-----w- c:\windows\ie8updates
2009-10-01 17:39 . 2009-10-01 17:41 -------- dc-h--w- c:\windows\ie8
2009-10-01 17:37 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-01 17:37 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-01 17:37 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-01 17:21 . 2009-10-01 17:21 -------- d-----w- c:\documents and settings\Jesse Cohen\Application Data\Malwarebytes
2009-10-01 17:21 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-01 17:21 . 2009-10-01 17:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-01 17:21 . 2009-10-01 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-01 17:21 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-30 22:18 . 2009-10-01 12:59 -------- d-----w- c:\program files\Trend Micro
2009-09-30 15:35 . 2001-08-18 02:36 23040 ----a-w- c:\windows\system32\regtrace.exe
2009-09-30 15:35 . 2001-08-18 02:36 7168 ----a-w- c:\windows\system32\snprfdll.dll
2009-09-30 15:35 . 2001-08-18 02:36 12288 ----a-w- c:\windows\system32\smtpctrs.dll
2009-09-30 15:35 . 2001-08-18 02:36 43520 ----a-w- c:\windows\system32\fcachdll.dll
2009-09-30 15:35 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\adsiisex.dll
2009-09-30 13:24 . 2009-09-30 14:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-09-30 13:16 . 2001-08-18 02:36 7168 -c--a-w- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2009-09-30 13:16 . 2001-08-18 02:36 12288 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2009-09-30 13:16 . 2001-08-18 02:36 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2009-09-30 13:16 . 2001-08-18 02:36 23040 -c--a-w- c:\windows\system32\dllcache\EXCH_regtrace.exe
2009-09-30 13:16 . 2001-08-18 02:36 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2009-09-30 13:16 . 2001-08-18 02:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-09-30 13:16 . 2001-08-18 02:36 65536 -c--a-w- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2009-09-30 13:16 . 2001-08-18 02:36 43520 -c--a-w- c:\windows\system32\dllcache\EXCH_fcachdll.dll
2009-09-30 13:16 . 2001-08-18 02:36 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2009-09-30 13:16 . 2001-08-18 02:36 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2009-09-30 03:06 . 2009-09-30 03:08 -------- d-----w- c:\windows\system32\NtmsData
2009-09-12 20:48 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-03 16:17 . 2009-08-23 13:44 -------- d-----w- c:\program files\AutoClickExtreme
2009-09-30 03:08 . 2009-01-26 21:26 -------- d-----w- c:\documents and settings\Jesse Cohen\Application Data\uTorrent
2009-08-18 13:54 . 2009-01-10 21:45 22992 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:24 . 2008-04-25 21:27 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2008-04-25 21:27 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2008-10-16 20:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2008-04-25 21:27 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2008-04-25 21:27 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2008-04-25 16:16 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2008-04-25 21:27 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2008-04-25 21:27 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 20:07 . 2009-01-10 21:31 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 09:23 . 2009-01-26 17:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2008-04-25 16:16 286208 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-10 39408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-01-10 30192]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-22 37888]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 1057064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-17 16132608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoClicker.lnk - c:\program files\AutoClickExtreme\AutoClicker.exe [2009-8-23 1892352]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-10 21:41 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\MM2k\\MudMaster.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [1/10/2009 7:20 PM 84992]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/10/2009 5:37 PM 30192]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/22/2008 12:49 AM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/22/2008 12:49 AM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 9:18 PM 23680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-10 19:32]

2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-10 19:32]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\Jesse Cohen\Desktop\HijackThis.exe
AddRemove-SearchAssist - c:\dell\SearchAssist\UninstSA.bat



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-03 20:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3704)
c:\windows\system32\WININET.dll
c:\program files\AutoClickExtreme\auxiliar.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-10-04 20:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-04 00:20

Pre-Run: 224,498,122,752 bytes free
Post-Run: 225,949,573,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=c:\$win_nt$.~bt\BOOTSECT.DAT
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Professional Setup"

222 --- E O F --- 2009-09-21 14:29

Re: Poprock b.exe virus, blocking McAfee & other anti-viral/malware progs

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

[screenshot: CF_Cleanup]

This will also reset your restore points.

How is the machine running now?

Re: Poprock b.exe virus, blocking McAfee & other anti-viral/malware progs

Hmm... I tried that, but didn't think to disable McAfee beforehand, and I'm getting tons of error messages. First, McAfee popped up a Potentially Unwanted Program alert: name Tool-NirCmd, location C:\32788P22FWJFW\n.pif. Then I got repetitive error messages saying that I didn't have access to the specified file name or path, and finally a message from ComboFix saying that the contents of ComboFix may have been compromised, and I may be infected with a file patching virus "Virut". Hopefully this is just because I forgot to disable McAfee, and I should disable it and repeat this last step...? Or is this virus actually still around?

Re: Poprock b.exe virus, blocking McAfee & other anti-viral/malware progs

I'm afraid I have bad news.

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.


For more information, please see Here

Instructions how to format and reinstall Windows can be found Here
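As an added example (not part of this thread, and not the helper's or any vendor's tool), here is a script that applies the backup rules from the post above before anything is copied off the machine: it flags .exe and .scr files, looks inside zip archives for executable members, and lists htm/html/asp/php files for review. It assumes zip is the only archive type handled (cab/rar would need extra libraries), and the sample directory tree it builds is constructed for the demonstration.

```python
"""Screen a backup set before copying it off a Virut-infected machine.

Added example, not from the thread: applies the helper's backup rules.
Flags .exe/.scr files (the types the post says Virut appends itself to),
looks inside zip archives for such members, and lists htm/html/asp/php
files for review (recent variants modify those). cab/rar are out of scope
here (assumption: zip is the only archive type handled).
"""
from __future__ import annotations

import os
import tempfile
import zipfile
from pathlib import Path

EXECUTABLE_EXTS = {".exe", ".scr"}            # infected by appending; never back up
WEB_EXTS = {".htm", ".html", ".asp", ".php"}  # modified by recent variants; review
ARCHIVE_EXTS = {".zip"}                       # inspected for executable members


def classify(path: Path, rel: str) -> list[tuple[str, str]]:
    """Return (category, location) findings for one file; empty means no concern."""
    ext = path.suffix.lower()
    findings: list[tuple[str, str]] = []
    if ext in EXECUTABLE_EXTS:
        findings.append(("exclude-executable", rel))
    elif ext in WEB_EXTS:
        findings.append(("review-web-file", rel))
    elif ext in ARCHIVE_EXTS and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                if Path(member).suffix.lower() in EXECUTABLE_EXTS:
                    # An .exe inside a zip is still a carrier; exclude the archive.
                    findings.append(("exclude-archive-member", f"{rel}!{member}"))
    return findings


def screen_backup(root: Path) -> dict[str, list[str]]:
    """Walk root and group every file by category; lists are sorted for stable output."""
    report: dict[str, list[str]] = {
        "exclude-executable": [],
        "exclude-archive-member": [],
        "review-web-file": [],
        "safe": [],
    }
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            found = classify(path, rel)
            if not found:
                report["safe"].append(rel)
            for category, location in found:
                report[category].append(location)
    for entries in report.values():
        entries.sort()
    return report


def build_sample_tree(base: Path) -> Path:
    """Constructed sample backup set (hypothetical files, not anything from the thread)."""
    (base / "docs").mkdir()
    (base / "docs" / "thesis.doc").write_bytes(b"plain document text")
    (base / "games").mkdir()
    (base / "games" / "oldgame.exe").write_bytes(b"MZ stand-in")
    (base / "games" / "space.scr").write_bytes(b"MZ stand-in")
    (base / "site").mkdir()
    (base / "site" / "index.html").write_text("<html></html>")
    with zipfile.ZipFile(base / "games" / "bundle.zip", "w") as zf:
        zf.writestr("setup.exe", b"MZ stand-in")
        zf.writestr("readme.txt", "notes")
    with zipfile.ZipFile(base / "docs" / "photos.zip", "w") as zf:
        zf.writestr("pic.jpg", b"not an executable")
    return base


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temporary directory and screen it."""
    with tempfile.TemporaryDirectory() as tmp:
        return screen_backup(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for category, entries in demo().items():
        print(category)
        for entry in entries:
            print("   ", entry)
```

This is a policy filter, not a detector: it decides by extension what must stay behind, so a file that is safe by this listing has only passed the naming rule, and anything in the review list should still be compared against a known-clean copy before it is restored.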

Re: Poprock b.exe virus, blocking McAfee & other anti-viral/malware progs

Gah. I didn't notice this reply for several days, and was starting to wonder what the deal was. I think I'd rather have had no reply, no offense to you; this is definitely not welcome news. Oh well, before I get on with the business of backing up and reformatting, a few more questions for you...

  • I'm assuming that if I don't know what an OEM recovery partition is, it doesn't apply to me. Is this correct, that I probably don't have one and can't take advantage of this option?

  • I have another computer connected to this one via LAN, and before I realized what I was dealing with I copied several directories over for backup. I expect the executable files in those directories were compromised; is it possible for them to have had any effect on the other computer, if they were merely stored on that computer & never accessed?

  • I have some older programs that I'll have extreme difficulty finding to re-install. Is there a way to check and possibly disinfect only these? None of them are integral to system function, mainly just games in fact, but I'd be disappointed to lose them forever.

  • On the same note, is it possible for the virus to infect anything else besides .exe and .scr files? The blog page you directed me to suggested that HTML and PHP files could be compromised, but were quite easy to clean; have mine already been cleaned, or should I avoid backing those up as well?

  • You also mentioned archives; are all archives vulnerable, or merely the executable files within those archives? Will any archive with an executable file be compromised in itself, or will deleting the executables within my archives help?

  • Is there any potential for this virus to replicate in document files, mp3s, videos, saved game files, etc., and if so do I have any recourse for them?


Again, thanks for all your help; despite the end result being slightly less than ideal, I really appreciate it. Smile...

Re: Poprock b.exe virus, blocking McAfee & other anti-viral/malware progs
Hello.

I'll try to answer your questions now.

I'm assuming that if I don't know what an OEM recovery partition is, it doesn't apply to me. Is this correct, that I probably don't have one and can't take advantage of this option?


Not really; it depends who the machine was made by. Was/is it Dell?

I have another computer connected to this one via LAN, and before I realized what I was dealing with I copied several directories over for backup. I expect the executable files in those directories were compromised; is it possible for them to have had any effect on the other computer, if they were merely stored on that computer & never accessed?


The files will be compromised, but as long as you haven't run them, they won't affect your other machine.

I have some older programs that I'll have extreme difficulty finding to re-install. Is there a way to check and possibly disinfect only these? None of them are integral to system function, mainly just games in fact, but I'd be disappointed to lose them forever.


There is a way we can do online scans and see what the scanners report, but that depends on whether the scanners see anything. If they are infected, they CANNOT be cleaned; Virut is an extremely buggy piece of malware.

On the same note, is it possible for the virus to infect anything else besides .exe and .scr files? The blog page you directed me to suggested that HTML and PHP files could be compromised, but were quite easy to clean; have mine already been cleaned, or should I avoid backing those up as well?


If you have edited your php/html files to remove any code you didn't put there, then they should be okay.

You also mentioned archives; are all archives vulnerable, or merely the executable files within those archives? Will any archive with an executable file be compromised in itself, or will deleting the executables within my archives help?


The .exe file INSIDE the archive is infected, but the archive file itself (.zip/.rar) is okay.

Is there any potential for this virus to replicate in document files, mp3s, videos, saved game files, etc., and if so do I have any recourse for them?


Yes, if you run a patched file, it will re-infect your machine. Many experts now suggest that you drop everything and make a fresh start, because, as I said above, it will just spread like wildfire if it returns.

Re: Poprock b.exe virus, blocking McAfee & other anti-viral/malware progs

I'm assuming that if I don't know what an OEM recovery partition is, it doesn't apply to me. Is this correct, that I probably don't have one and can't take advantage of this option?

Not really; it depends who the machine was made by. Was/is it Dell?

Yep, it's a Dell Inspiron 530.

I have some older programs that I'll have extreme difficulty finding to re-install. Is there a way to check and possibly disinfect only these? None of them are integral to system function, mainly just games in fact, but I'd be disappointed to lose them forever.

There is a way we can do online scans and see what the scanners report, but that depends on whether the scanners see anything. If they are infected, they CANNOT be cleaned; Virut is an extremely buggy piece of malware.

Think you could direct me towards those online scanners? I'd like to save what I can of my older programs, if possible.

Is there any potential for this virus to replicate in document files, mp3s, videos, saved game files, etc., and if so do I have any recourse for them?

Yes, if you run a patched file, it will re-infect your machine. Many experts now suggest that you drop everything and make a fresh start, because, as I said above, it will just spread like wildfire if it returns.

I think either you misunderstood this last question, or I misunderstood your answer... I was asking about data files such as documents, spreadsheets, mp3s, videos, saved games, etc. These aren't runnable per se, they're opened by programs, so they should be safe as I understand it. Just trying to confirm that the programs themselves can be, and probably are, compromised - but a file that I've opened with a compromised program isn't ruined and can be safely backed up.

Re: Poprock b.exe virus, blocking McAfee & other anti-viral/malware progs
Yep, it's a Dell Inspiron 530.


Hopefully, it MIGHT have a recovery partition; we'll check soon.

Think you could direct me towards those online scanners? I'd like to save what I can of my older programs, if possible.


www.virustotal.com
www.virscan.org
www.virusscan.jotti.org/en

I think either you misunderstood this last question, or I misunderstood your answer... I was asking about data files such as documents, spreadsheets, mp3s, videos, saved games, etc. These aren't runnable per se, they're opened by programs, so they should be safe as I understand it. Just trying to confirm that the programs themselves can be, and probably are, compromised - but a file that I've opened with a compromised program isn't ruined and can be safely backed up.


I think there might have been a misunderstanding on both our parts; see this topic too:
http://evilfantasy.wordpress.com/2009/02/21/vitut-on-the-rise/

Virut is now spreading through mp3 files also (I know my speech needs updating!). Even though mp3 files are opened via WMP and are not executable files per se, they can still trigger the infection all over again.

Re: Poprock b.exe virus, blocking McAfee & other anti-viral/malware progs
I've been reluctant to format, since as I said I have lots of files on here that aren't properly backed up and would be difficult to replace. Since your last post I've basically been biding my time to see if any more symptoms pop up, and haven't seen anything wrong. My virus scanners are working again; I scanned the computer with the MS Safety Scan, and it didn't find anything wrong; port 65520 is showing no activity; I've also been uploading files to the 3 scanning sites you provided, and none of them have found anything in any of my files, aside from likely false positives (e.g. 2/41 virus-scanners showing a result that looks nothing like Virut). I've gotta say, for a virus that infects every file on the computer, this looks like a bit of a dud from where I'm sitting... Is it possible that ComboFix gave me a false positive?

Re: Poprock b.exe virus, blocking McAfee & other anti-viral/malware progs
It's possible it's a false positive, yes, but Combofix is widely trusted, and you're the person behind the screen, not me; I can't see what is happening personally.

Virut is a horrible infection, and weighing up the options of formatting or leaving it, formatting would be the best option, as leaving it lets the bad guys use your machine to spread the infection to other people, and if caught, YOU would be held responsible for it. That's why we're here, to put a stop to that.

Re: Poprock b.exe virus, blocking McAfee & other anti-viral/malware progs
Ok. Do you think I can be at all confident about doing an online scan of the files that I'm most concerned about keeping? I'd be copying them to an external hard drive, then scanning them with the sites you recommended from another, uncompromised computer. I'm just leery of doing a full format and losing all my data if there's a good chance that I don't need to, and it seems very odd if ComboFix is the ONLY virus scanner out there that can find any trace of this virus. From all the information I've seen, the last release of this virus was in Feb 2009. Is it really likely that the 41 virus scanners virustotal.com runs, all updated within the last few days, are missing this while ComboFix catches it?

Re: Poprock b.exe virus, blocking McAfee & other anti-viral/malware progs
Virut can infect legit system files, though; it's not every day that people upload their system files for a scan, or just run a regular scan with their AV either.

You can upload the files you want to keep and see if anything gets flagged, and if none of the scanners say anything, you can keep them on an external hard drive as you wished. Smile...
