Unknown Malware
Windows XP

I believe I have the a.exe virus. I have tried everything to remove it and it keeps shutting down my programs. SuperAntiSpyware detected it after it had shut everything else off. I deleted all and had to restart to complete deletions, and when it rebooted it shut all virus programs down. I am stumped.
Update. Just ran ComboFix; it found a root and fixed it. I was able to do an online scan and no virus detected. But my Malwarebytes and McAfee still won't allow me to scan from the computer.

Last edited by rlenihan on 29th October 2009, 8:37 pm; edited 2 times in total (Reason for editing : Update)

Re: Unknown Malware
Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

Re: Unknown Malware

Tried to run it; it just created a blank icon and never ran.

Re: Unknown Malware

Let's try this instead.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.

Re: Unknown Malware
DDS (Ver_09-10-26.01) - NTFSx86
Run by Sean at 8:09:29.82 on Fri 10/30/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.495 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dldwcoms.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Autorun Eater\oldmcdonald.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Autorun Eater\billy.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\System32\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Sean.BRADY-4RF4RHL8E\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Dell Toolbar: {09b71986-2ac5-482d-b6cb-42ea34f4f85b} - c:\program files\dell toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Dell Toolbar: {09b71986-2ac5-482d-b6cb-42ea34f4f85b} - c:\program files\dell toolbar\toolband.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Autorun Eater] c:\program files\autorun eater\oldmcdonald.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225736007499
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256755323531
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5784/mcfscan.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-10-28 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-10-28 27656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 dldw_device;dldw_device;c:\windows\system32\dldwcoms.exe -service --> c:\windows\system32\dldwcoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-5 210216]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2009-10-28 583640]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-4-22 185640]
S2 0242071256851223mcinstcleanup;McAfee Application Installer Cleanup (0242071256851223);c:\windows\temp\024207~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\024207~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-10-28 4368952]
S2 dldwCATSCustConnectService;dldwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldwserv.exe [2008-5-16 99568]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-11-11 33752]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

=============== Created Last 30 ================

2009-10-29 20:40:02 0 d-----w- c:\program files\Microsoft Security Essentials
2009-10-29 19:06:03 0 d-sha-r- C:\cmdcons
2009-10-29 19:04:31 77312 ----a-w- c:\windows\MBR.exe
2009-10-29 19:04:28 236544 ----a-w- c:\windows\PEV.exe
2009-10-29 19:04:28 161792 ----a-w- c:\windows\SWREG.exe
2009-10-29 19:04:27 98816 ----a-w- c:\windows\sed.exe
2009-10-29 17:36:21 12099 ----a-w- C:\MGlogs.zip
2009-10-29 17:35:59 0 d-----w- C:\MGTools
2009-10-29 16:06:17 56320 ------w- c:\windows\eventlog.dll
2009-10-29 16:05:43 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Autorun Eater
2009-10-29 16:05:28 0 d-----w- c:\program files\Autorun Eater
2009-10-29 11:16:27 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-10-29 11:16:27 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-10-28 21:53:57 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
2009-10-28 21:53:57 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-10-28 21:53:57 0 d-----w- c:\program files\Prevx
2009-10-28 21:53:51 69 ----a-w- c:\windows\wininit.ini
2009-10-28 21:53:51 0 d-----w- c:\docume~1\alluse~1.win\applic~1\PrevxCSI
2009-10-28 21:47:27 0 d-----w- c:\documents and settings\sean.brady-4rf4rhl8e\log
2009-10-28 20:48:50 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-28 20:40:44 0 d-----w- C:\91a9ec9699f268bfd6aa
2009-10-28 20:01:36 0 d-sh--w- c:\documents and settings\sean.brady-4rf4rhl8e\IECompatCache
2009-10-28 20:00:29 0 d-sh--w- c:\documents and settings\sean.brady-4rf4rhl8e\PrivacIE
2009-10-28 19:58:24 0 d-----w- c:\docume~1\sean~1.bra\applic~1\Windows Search
2009-10-28 19:09:30 0 d-sh--w- c:\documents and settings\sean.brady-4rf4rhl8e\IETldCache
2009-10-28 19:04:12 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-28 19:03:51 0 d-----w- c:\windows\ie8updates
2009-10-28 19:03:31 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-28 19:03:30 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-28 19:00:35 0 dc-h--w- c:\windows\ie8
2009-10-28 18:58:06 0 d-----w- c:\docume~1\sean~1.bra\applic~1\Windows Desktop Search
2009-10-28 18:57:33 0 d-----w- c:\program files\Windows Desktop Search
2009-10-28 18:57:32 0 d-----w- c:\windows\system32\GroupPolicy
2009-10-28 18:56:47 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-10-28 18:56:47 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-10-28 18:56:47 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-10-28 18:54:38 0 d-----w- c:\windows\system32\LogFiles
2009-10-28 18:53:06 0 d-----w- c:\windows\system32\URTTEMP
2009-10-28 16:09:37 36 ----a-w- c:\windows\hdd.ini
2009-10-28 16:09:29 0 d-----w- c:\program files\R-Wipe&Clean
2009-10-28 16:09:29 0 d-----w- c:\docume~1\sean~1.bra\applic~1\R-Wipe&Clean
2009-10-28 14:44:02 0 d--h--w- c:\windows\PIF
2009-10-28 14:24:27 0 d-----w- c:\windows\McAfee.com
2009-10-28 14:13:11 0 d-----w- c:\docume~1\sean~1.bra\applic~1\McAfee
2009-10-28 13:44:39 0 d-----w- c:\windows\pss
2009-10-28 13:23:25 0 d-----w- c:\docume~1\sean~1.bra\applic~1\Registry Mechanic
2009-10-28 13:20:42 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2009-10-28 13:20:42 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2009-10-28 13:20:41 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2009-10-28 13:20:40 0 d-----w- c:\program files\common files\PC Tools
2009-10-28 13:07:09 0 d-----w- c:\program files\Trend Micro
2009-10-27 20:03:24 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2009-10-27 20:03:24 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys
2009-10-27 19:36:48 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2009-10-27 19:36:39 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-27 19:36:39 0 d-----w- c:\docume~1\sean~1.bra\applic~1\SUPERAntiSpyware.com
2009-10-27 19:36:16 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-27 18:49:03 0 d-----w- c:\windows\system32\wbem\Repository
2009-10-27 18:10:18 0 d-----w- c:\program files\Belarc
2009-10-27 15:17:47 0 d-----w- c:\docume~1\sean~1.bra\applic~1\Avant Profiles
2009-10-27 15:17:33 0 d-----w- c:\program files\Avant Browser
2009-10-22 17:10:37 0 ----a-r- c:\windows\win32k.sys

==================== Find3M ====================

2009-10-29 20:35:45 24016 ----a-w- c:\windows\system32\drivers\sthdae.log
2009-10-08 18:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 18:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 18:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-16 14:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:24:10 44768 ----a-w- c:\windows\system32\wups2(2).dll
2009-08-06 23:23:26 215904 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13:08 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:09 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2008-10-22 14:36:55 11010 ----a-w- c:\program files\common files\afyfefeleh.dll

============= FINISH: 8:10:33.14 ===============
Second log file available if needed

Re: Unknown Malware
Please download the OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    c:\program files\common files\afyfefeleh.dll
    c:\windows\win32k.sys


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.
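
As an added example (not part of this thread or of the DDS or OTM tools), a small Python triage helper that parses DDS "Created Last 30" / "Find3M" lines and flags the two kinds of entries targeted in the OTM script above: a core system file name appearing outside its canonical directory (win32k.sys under c:\windows instead of system32, and zero bytes), and a DLL dropped straight into the Common Files root rather than a vendor subfolder. The sample lines and the expected-directory table are constructed, and the heuristics are the author's assumptions, not DDS logic.

```python
import re
from typing import Dict, List

# Constructed sample in DDS format; includes the two entries moved with OTM above.
SAMPLE_DDS = r"""
2009-10-29 19:04:31 77312 ----a-w- c:\windows\MBR.exe
2009-10-28 21:53:57 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
2009-10-22 17:10:37 0 ----a-r- c:\windows\win32k.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2008-10-22 14:36:55 11010 ----a-w- c:\program files\common files\afyfefeleh.dll
"""

# DDS file line: date, time, size, 8-char attribute field, path.
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S{8}) (.+)$")

# Assumption: canonical location of a few core Windows XP binaries.
EXPECTED_DIR = {
    "win32k.sys": r"c:\windows\system32",
    "msv1_0.dll": r"c:\windows\system32",
    "ntoskrnl.exe": r"c:\windows\system32",
}
COMMON_FILES_ROOT = r"c:\program files\common files"


def parse_dds(text: str) -> List[Dict]:
    """Return one dict per parsable file/directory line, paths lower-cased."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            date, _time, size, attrs, path = m.groups()
            entries.append({"date": date, "size": int(size),
                            "attrs": attrs, "path": path.lower()})
    return entries


def flag_entry(e: Dict) -> List[str]:
    """Heuristic reasons an entry deserves a closer look (empty list = none)."""
    reasons = []
    if e["attrs"].startswith("d"):          # directories are out of scope here
        return reasons
    folder, _, name = e["path"].rpartition("\\")
    if name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
        reasons.append("core system file outside " + EXPECTED_DIR[name])
    if name.endswith(".dll") and folder == COMMON_FILES_ROOT:
        reasons.append("DLL placed directly in Common Files root")
    if e["size"] == 0 and name.endswith((".sys", ".dll", ".exe")):
        reasons.append("zero-byte binary (placeholder or blocker file)")
    return reasons


def suspicious(text: str) -> Dict[str, List[str]]:
    """Map each flagged path in a DDS log excerpt to its list of reasons."""
    out = {}
    for e in parse_dds(text):
        reasons = flag_entry(e)
        if reasons:
            out[e["path"]] = reasons
    return out
```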

Re: Unknown Malware
========== FILES ==========
LoadLibrary failed for c:\program files\common files\afyfefeleh.dll
c:\program files\common files\afyfefeleh.dll NOT unregistered.
c:\program files\common files\afyfefeleh.dll moved successfully.
c:\windows\win32k.sys moved successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 11022009_110345

Re: Unknown Malware
We can remove OTMoveIt now.

  • Please double-click OTM.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt, and do the same for the reboot prompt.
How is the machine running now?

Re: Unknown Malware

That did it. Thank you very much for the help. I was able to run Malwarebytes and everything looked good. I did have to reinstall McAfee, which was an issue because it would not install with Malwarebytes monitoring. McAfee told me they were incompatible. Thank you!

Re: Unknown Malware

MBAM doesn't monitor unless you have bought the paid-for version, which includes the real-time protection.

Re: Unknown Malware
I did

Re: Unknown Malware

Ah, okay.
You can turn the MBAM protection off if McAfee is complaining about it.

Re: Unknown Malware

I had to reinstall McAfee, but I turned it back on after installation. At this point I trust Malwarebytes for these types of problems more than McAfee. That's why I paid for it. I also would like to donate to GeekPolice for all your help. When I click on the button it only goes to PayPal. I don't use that anymore.

Re: Unknown Malware
Hello.
You don't have to donate if you don't want to/can't for different reasons.
