Disappearing taskbar and security centre virus

Disappearing taskbar and security centre virus

Post by demoncurrie on Wed 11 Aug 2010, 8:10 am

I have suffered from a disappearing taskbar and Security Centre prompts which I believe to be a virus.

I have downloaded and run Malwarebytes Anti-Malware v1.46, in Safe Mode. It found 14 infected objects which I removed. I then rebooted and ran McAfee full scan, which found some additional tracker cookies.
However, I still am left with the same problems:
1 Taskbar appears initially, but during loading it disappears.
2 A Windows Security window opens - which I take to be a virus.
3 A prompt, from what would have been an Icon in the taskbar, appears.
4 Task Mgr is disabled. (NB I have re-enabled it via booting into Administrator and running regedit).
5 Porn icons appear on the desktop after several minutes. But, once deleted they do not reappear until a reboot occurs.


I have since downloaded and run OTL. The output is pasted below. What action should I take to clean my PC?

OTL log:

OTL logfile created on: 10/08/2010 21:08:43 - Run 2
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Yule family\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

446.00 Mb Total Physical Memory | 194.00 Mb Available Physical Memory | 43.00% Memory free
1.00 Gb Paging File | 0.00 Gb Available in Paging File | 49.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 108.59 Gb Total Space | 74.26 Gb Free Space | 68.39% Space Free | Partition Type: NTFS
Drive D: | 37.24 Gb Total Space | 37.17 Gb Free Space | 99.83% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YULES
Current User Name: Yule family
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/10 21:07:53 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Yule family\Desktop\OTL.exe
PRC - [2010/08/08 15:51:51 | 000,425,472 | ---- | M] () -- C:\Documents and Settings\Yule family\Local Settings\temp\wmsdk64_32.exe
PRC - [2010/07/01 12:07:20 | 001,361,128 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2010/07/01 12:07:18 | 000,840,936 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2010/04/27 17:16:24 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2010/04/27 17:16:24 | 000,170,144 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2010/04/27 17:16:24 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
PRC - [2010/04/01 23:05:04 | 001,180,976 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/03/26 11:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2009/10/02 14:02:56 | 000,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/15 12:57:42 | 000,145,504 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\system32\bgsvcgen.exe
PRC - [2007/01/25 21:19:00 | 001,658,965 | ---- | M] (GlobespanVirata, Inc.) -- C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
PRC - [2007/01/25 21:18:00 | 000,016,384 | ---- | M] () -- C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
PRC - [2006/11/02 21:40:12 | 000,174,656 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
PRC - [2006/07/27 15:19:00 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2006/03/03 22:03:10 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe


========== Modules (SafeList) ==========

MOD - [2010/08/10 21:07:53 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Yule family\Desktop\OTL.exe
MOD - [2010/06/07 18:07:08 | 000,541,928 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll
MOD - [2010/04/01 09:57:36 | 000,015,056 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2008/04/14 01:12:08 | 000,183,296 | ---- | M] () -- C:\WINDOWS\isiraqes.dll
MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/07/01 12:07:18 | 000,840,936 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2010/04/27 17:16:24 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/04/27 17:16:24 | 000,170,144 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2010/04/27 17:16:24 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2010/03/26 11:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/03/10 11:16:56 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2009/10/02 14:02:56 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2007/06/15 12:57:42 | 000,145,504 | ---- | M] (B.H.A Corporation) [Auto | Running] -- C:\WINDOWS\System32\bgsvcgen.exe -- (bgsvcgen)
SRV - [2006/11/02 21:40:12 | 000,174,656 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)
SRV - [2006/03/03 22:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\mpqzwrpw.sys -- (mpqzwrpw)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\MpEngineStore\MpKslfb1eeb2a.sys -- (MpKslfb1eeb2a)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\MpEngineStore\MpKsl8b16be60.sys -- (MpKsl8b16be60)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\MpEngineStore\MpKsl56ce2b3f.sys -- (MpKsl56ce2b3f)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 5000(UVC)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\lvpopflt.sys -- (lvpopflt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\LVMVDrv.sys -- (LVMVDrv)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\LVcKap.sys -- (LVcKap)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\lvuvcflt.sys -- (FilterService)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Combo-Fix\catchme.sys -- (catchme)
DRV - [2010/07/01 12:07:30 | 000,166,632 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2010/07/01 12:07:30 | 000,059,240 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys -- (RapportKELL)
DRV - [2010/04/27 17:16:24 | 000,385,880 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/04/27 17:16:24 | 000,312,616 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/04/27 17:16:24 | 000,152,320 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/04/27 17:16:24 | 000,095,568 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/04/27 17:16:24 | 000,083,496 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/04/27 17:16:24 | 000,082,952 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/04/27 17:16:24 | 000,055,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/04/27 17:16:24 | 000,051,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/04/03 22:55:32 | 010,232,128 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/11/04 17:54:12 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 17:53:40 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 13:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/12/17 07:01:20 | 000,041,752 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvusbsta.sys -- (LVUSBSta)
DRV - [2008/04/13 19:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 18:40:58 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\changer.sys -- (Changer)
DRV - [2008/04/13 18:40:26 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\lbrtfdc.sys -- (lbrtfdc)
DRV - [2008/04/13 17:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/01/25 21:24:00 | 000,148,338 | ---- | M] (GlobespanVirata Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gwausb.sys -- (wanusb)
DRV - [2006/11/30 15:11:04 | 000,061,536 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se46bus.sys -- (se46bus) Sony Ericsson Device 070 driver (WDM)
DRV - [2006/07/27 15:24:28 | 001,171,464 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/06/19 00:37:34 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/05/17 12:03:24 | 000,044,544 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/02/20 19:17:40 | 000,033,408 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdrbsdrv.sys -- (cdrbsdrv)
DRV - [2004/08/04 11:00:00 | 000,008,832 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\rasacd.sys -- (RasAcd)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/06/23 22:54:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\1.bin File not found
FF - HKLM\software\mozilla\Firefox\Extensions\\{CA0A701A-8DAE-4764-9756-24BCACFD0C61}: C:\Documents and Settings\Yule family\Local Settings\Application Data\{CA0A701A-8DAE-4764-9756-24BCACFD0C61} [2010/08/08 15:53:56 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/06/23 23:11:12 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100530161600.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe ()
O4 - HKLM..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe (GlobespanVirata, Inc.)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [Wbafaxagawo] C:\WINDOWS\isiraqes.DLL ()
O4 - HKCU..\Run: [{17EF41DC-E349-6689-DCB1-2FC2BF9291D9}] C:\Documents and Settings\Yule family\Application Data\Penuym\kaaw.exe File not found
O4 - HKCU..\Run: [{180DC3C3-6EAA-2F0C-B54E-B38A8AE6227A}] C:\Documents and Settings\Yule family\Application Data\Seqeu\xymy.exe File not found
O4 - HKCU..\Run: [{46E7C1E7-C95B-4EA1-E177-E5D93553CC2A}] C:\Documents and Settings\Yule family\Application Data\Zaupy\ytxa.exe File not found
O4 - HKCU..\Run: [{89276A52-42ED-95B5-8CEC-BD4CC18C09FF}] C:\Documents and Settings\Yule family\Application Data\Dyyde\edsi.exe File not found
O4 - HKCU..\Run: [{8C87FFC1-842F-5DD3-F38B-135CCDF6F3CA}] C:\Documents and Settings\Yule family\Application Data\Ucvead\zeyl.exe File not found
O4 - HKCU..\Run: [Qbiqeteriwedo] C:\WINDOWS\wpidvi.DLL (Dritek System Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [wmsdk64_32.exe] C:\Documents and Settings\Yule family\Local Settings\temp\wmsdk64_32.exe ()
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe (Intuit Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} [You must be registered and logged in to see this link.] (Shockwave ActiveX Control)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_19)
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} [You must be registered and logged in to see this link.] (Domino Web Access 7 Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/10 21:07:48 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Yule family\Desktop\OTL.exe
[2010/08/10 20:51:57 | 000,000,000 | ---D | C] -- C:\Program Files\Shavlik Technologies
[2010/08/10 16:24:59 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/10 16:24:58 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/10 16:24:58 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware b
[2010/08/10 16:10:47 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Yule family\Desktop\mbam-setup-1.46.exe
[2010/08/08 15:53:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yule family\Local Settings\Application Data\{CA0A701A-8DAE-4764-9756-24BCACFD0C61}
[2010/08/08 15:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yule family\Local Settings\Application Data\bpvagsmrj
[2010/07/20 22:36:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yule family\Local Settings\Application Data\iueahdice
[2010/07/20 19:38:34 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdkor.dll
[2010/07/20 19:38:34 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdkor.dll
[2010/07/20 19:38:33 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdjpn.dll
[2010/07/20 19:38:33 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdjpn.dll
[2010/07/20 19:38:33 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd101c.dll
[2010/07/20 19:38:33 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd101c.dll
[2010/07/20 19:38:33 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd103.dll
[2010/07/20 19:38:33 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd103.dll
[2010/07/20 19:38:28 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd101b.dll
[2010/07/20 19:38:28 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd101b.dll
[2010/07/20 19:38:27 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd106.dll
[2010/07/20 19:38:27 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd106.dll
[2010/07/19 22:34:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yule family\Local Settings\Application Data\dbokapvxt
[2010/07/18 22:23:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yule family\Local Settings\Application Data\slumyvxnq
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/10 21:10:14 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/10 21:10:01 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{DF8E2BEC-7A9C-4D85-9DC0-FDC10DEDCB66}.job
[2010/08/10 21:07:53 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Yule family\Desktop\OTL.exe
[2010/08/10 20:50:24 | 000,610,568 | ---- | M] () -- C:\Documents and Settings\Yule family\Desktop\hfnetchk_3.86.0.1.exe
[2010/08/10 20:48:30 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/10 20:34:03 | 000,276,202 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/08/10 20:32:12 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\McAfee Security Center.lnk
[2010/08/10 20:32:12 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/10 20:31:42 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/10 20:31:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/10 20:30:38 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Yule family\ntuser.ini
[2010/08/10 20:30:37 | 004,456,448 | -H-- | M] () -- C:\Documents and Settings\Yule family\NTUSER.DAT
[2010/08/10 20:30:26 | 003,184,656 | -H-- | M] () -- C:\Documents and Settings\Yule family\Local Settings\Application Data\IconCache.db
[2010/08/10 19:51:16 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ypareziwakecofe.dat
[2010/08/10 16:25:02 | 000,000,706 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/10 16:10:57 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Yule family\Desktop\mbam-setup-1.46.exe
[2010/08/10 15:42:05 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Yule family\Desktop\Microsoft Word.lnk
[2010/08/10 00:35:24 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Ozamogilimelu.bin
[2010/08/09 23:34:44 | 000,001,639 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2010/08/09 00:27:12 | 000,000,435 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/06 22:46:06 | 000,055,296 | ---- | M] () -- C:\Documents and Settings\Yule family\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/06 00:04:03 | 000,003,350 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/08/03 10:04:39 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Skype.lnk
[2010/08/01 15:31:12 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/24 10:13:39 | 000,003,926 | ---- | M] () -- C:\Documents and Settings\Yule family\DslTest.html
[2010/07/24 10:13:32 | 000,000,524 | ---- | M] () -- C:\Documents and Settings\Yule family\dsltest.cfg
[2010/07/21 20:17:06 | 000,001,100 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/10 20:50:14 | 000,610,568 | ---- | C] () -- C:\Documents and Settings\Yule family\Desktop\hfnetchk_3.86.0.1.exe
[2010/08/10 20:13:58 | 000,001,595 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\McAfee Security Center.lnk
[2010/08/10 16:25:02 | 000,000,706 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/08 15:53:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ozamogilimelu.bin
[2010/08/08 15:53:58 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Ypareziwakecofe.dat
[2010/06/13 19:08:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PhEdit.INI
[2010/06/12 19:05:36 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2010/05/15 23:44:19 | 000,000,174 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/04/09 22:49:06 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/04/09 22:49:06 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2010/02/18 14:25:09 | 000,000,008 | RHS- | C] () -- C:\WINDOWS\System32\57E1DD82AC.sys
[2010/02/18 11:57:16 | 000,003,350 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/01/19 21:14:07 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\CoInst.dll
[2010/01/19 21:14:04 | 000,016,938 | ---- | C] () -- C:\WINDOWS\wwdslcfg.ini
[2010/01/17 17:48:48 | 000,000,036 | ---- | C] () -- C:\WINDOWS\Tiny_Run.ini
[2010/01/17 14:14:23 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/01/17 10:58:51 | 000,000,175 | ---- | C] () -- C:\WINDOWS\qwimp.ini
[2010/01/17 10:57:53 | 000,000,037 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2010/01/17 10:57:52 | 000,001,639 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2010/01/16 19:57:03 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2004/08/04 11:00:00 | 000,183,296 | ---- | C] () -- C:\WINDOWS\isiraqes.dll
[2004/08/04 11:00:00 | 000,008,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\rasacd.sys
[2001/07/07 04:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/01/22 19:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 09:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL
< End of report >

demoncurrie

Rookie Surfer

Posts : 123
Joined : 2010-05-14
Operating System : Windows XP Home

Re: Disappearing taskbar and security centre virus

Post by Belahzur on Wed 11 Aug 2010, 10:33 am

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    PRC - [2010/08/08 15:51:51 | 000,425,472 | ---- | M] () -- C:\Documents and Settings\Yule family\Local Settings\temp\wmsdk64_32.exe
    O4 - HKLM..\Run: [Wbafaxagawo] C:\WINDOWS\isiraqes.DLL ()
    O4 - HKCU..\Run: [{17EF41DC-E349-6689-DCB1-2FC2BF9291D9}] C:\Documents and Settings\Yule family\Application Data\Penuym\kaaw.exe File not found
    O4 - HKCU..\Run: [{180DC3C3-6EAA-2F0C-B54E-B38A8AE6227A}] C:\Documents and Settings\Yule family\Application Data\Seqeu\xymy.exe File not found
    O4 - HKCU..\Run: [{46E7C1E7-C95B-4EA1-E177-E5D93553CC2A}] C:\Documents and Settings\Yule family\Application Data\Zaupy\ytxa.exe File not found
    O4 - HKCU..\Run: [{89276A52-42ED-95B5-8CEC-BD4CC18C09FF}] C:\Documents and Settings\Yule family\Application Data\Dyyde\edsi.exe File not found
    O4 - HKCU..\Run: [{8C87FFC1-842F-5DD3-F38B-135CCDF6F3CA}] C:\Documents and Settings\Yule family\Application Data\Ucvead\zeyl.exe File not found
    O4 - HKCU..\Run: [Qbiqeteriwedo] C:\WINDOWS\wpidvi.DLL (Dritek System Inc.)
    O4 - HKCU..\Run: [wmsdk64_32.exe] C:\Documents and Settings\Yule family\Local Settings\temp\wmsdk64_32.exe ()
    [2010/08/08 15:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yule family\Local Settings\Application Data\bpvagsmrj
    [2010/07/20 22:36:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yule family\Local Settings\Application Data\iueahdice
    [2010/07/19 22:34:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yule family\Local Settings\Application Data\dbokapvxt
    [2010/07/18 22:23:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yule family\Local Settings\Application Data\slumyvxnq
    [2010/08/10 19:51:16 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ypareziwakecofe.dat
    [2010/08/10 00:35:24 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Ozamogilimelu.bin

    :files
    C:\Documents and Settings\Yule family\Application Data\Penuym
    C:\Documents and Settings\Yule family\Application Data\Seqeu
    C:\Documents and Settings\Yule family\Application Data\Zaupy
    C:\Documents and Settings\Yule family\Application Data\Dyyde
    C:\Documents and Settings\Yule family\Application Data\Ucvead


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Disappearing taskbar and security centre virus

Post by demoncurrie on Thu 12 Aug 2010, 8:22 am

Here is the OTL log:

========== OTL ==========
Process wmsdk64_32.exe killed successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Wbafaxagawo deleted successfully.
C:\WINDOWS\isiraqes.dll moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\{17EF41DC-E349-6689-DCB1-2FC2BF9291D9} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17EF41DC-E349-6689-DCB1-2FC2BF9291D9}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\{180DC3C3-6EAA-2F0C-B54E-B38A8AE6227A} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{180DC3C3-6EAA-2F0C-B54E-B38A8AE6227A}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\{46E7C1E7-C95B-4EA1-E177-E5D93553CC2A} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46E7C1E7-C95B-4EA1-E177-E5D93553CC2A}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\{89276A52-42ED-95B5-8CEC-BD4CC18C09FF} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{89276A52-42ED-95B5-8CEC-BD4CC18C09FF}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\{8C87FFC1-842F-5DD3-F38B-135CCDF6F3CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C87FFC1-842F-5DD3-F38B-135CCDF6F3CA}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Qbiqeteriwedo deleted successfully.
C:\WINDOWS\wpidvi.dll moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\wmsdk64_32.exe deleted successfully.
C:\Documents and Settings\Yule family\Local Settings\temp\wmsdk64_32.exe moved successfully.
C:\Documents and Settings\Yule family\Local Settings\Application Data\bpvagsmrj folder moved successfully.
C:\Documents and Settings\Yule family\Local Settings\Application Data\iueahdice folder moved successfully.
C:\Documents and Settings\Yule family\Local Settings\Application Data\dbokapvxt folder moved successfully.
C:\Documents and Settings\Yule family\Local Settings\Application Data\slumyvxnq folder moved successfully.
C:\WINDOWS\Ypareziwakecofe.dat moved successfully.
C:\WINDOWS\Ozamogilimelu.bin moved successfully.
========== FILES ==========
File\Folder C:\Documents and Settings\Yule family\Application Data\Penuym not found.
File\Folder C:\Documents and Settings\Yule family\Application Data\Seqeu not found.
File\Folder C:\Documents and Settings\Yule family\Application Data\Zaupy not found.
File\Folder C:\Documents and Settings\Yule family\Application Data\Dyyde not found.
File\Folder C:\Documents and Settings\Yule family\Application Data\Ucvead not found.

OTL by OldTimer - Version 3.2.9.1 log created on 08112010_222158

End of log.

demoncurrie

Rookie Surfer

Posts : 123
Joined : 2010-05-14
Operating System : Windows XP Home

Re: Disappearing taskbar and security centre virus

Post by demoncurrie on Thu 12 Aug 2010, 9:40 am

Having performed the above log, I discovered that Task Manager was still disabled. So I rebooted into Safe mode, and enabled it via regedit.
When I then rebooted into normal mode, I got 2 messages that errors occurred loading the following files: isiraqes.dll and wpidvi.dll.
No apparent impact has come to light!

However, the good news is that the taskbar remains in place and the Windows Security Center windows and icons appear to have disappeared.

The system, though, seems to be very slow.

These symptoms remained when I rebooted.

demoncurrie

Rookie Surfer

Posts : 123
Joined : 2010-05-14
Operating System : Windows XP Home

Re: Disappearing taskbar and security centre virus

Post by Belahzur on Fri 13 Aug 2010, 11:06 am

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Disappearing taskbar and security centre virus

Post by demoncurrie on Sat 14 Aug 2010, 10:18 am

Hi,
This seems to have worked, thanks. The 2 error prompts on booting do not happen - and I note that their reference in MSCONFIG/STARTUP has disappeared. The running of Combofix took 2 restarts!!
The log is:
ComboFix 10-08-12.03 - Yule family 13/08/2010 23:34:17.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.446.44 [GMT 1:00]
Running from: c:\documents and settings\Yule family\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-07-13 to 2010-08-13 )))))))))))))))))))))))))))))))
.

2010-08-13 22:28 . 2004-08-04 10:00 8832 -c--a-w- c:\windows\system32\dllcache\rasacd.sys
2010-08-13 22:28 . 2004-08-04 10:00 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-08-12 19:10 . 2010-08-12 19:09 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-11 21:19 . 2010-08-11 21:19 -------- d-----w- C:\_OTL
2010-08-10 19:51 . 2010-08-10 19:51 -------- d-----w- c:\program files\Shavlik Technologies
2010-08-10 15:24 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-10 15:24 . 2010-08-10 15:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware b
2010-08-10 15:24 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 14:53 . 2010-08-08 14:53 -------- d-----w- c:\documents and settings\Yule family\Local Settings\Application Data\{CA0A701A-8DAE-4764-9756-24BCACFD0C61}
2010-07-20 18:38 . 2001-08-17 21:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-07-20 18:38 . 2001-08-17 21:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-07-20 18:38 . 2001-08-17 21:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-07-20 18:38 . 2001-08-17 21:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-07-20 18:38 . 2001-08-17 13:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-07-20 18:38 . 2001-08-17 13:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-07-20 18:38 . 2001-08-17 13:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-07-20 18:38 . 2001-08-17 13:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-07-20 18:38 . 2001-08-17 13:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-07-20 18:38 . 2001-08-17 13:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-07-20 18:38 . 2008-04-13 23:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-20 18:38 . 2008-04-13 23:09 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-07-18 21:53 . 2010-07-18 21:53 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\wbthkmldg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-13 10:34 . 2010-01-29 22:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-12 21:13 . 2010-08-12 21:13 61440 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3265c9c5-n\decora-sse.dll
2010-08-12 21:13 . 2010-08-12 21:13 503808 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ad00b59-n\msvcp71.dll
2010-08-12 21:13 . 2010-08-12 21:13 499712 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ad00b59-n\jmc.dll
2010-08-12 21:13 . 2010-08-12 21:13 348160 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ad00b59-n\msvcr71.dll
2010-08-12 21:13 . 2010-08-12 21:13 12800 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3265c9c5-n\decora-d3d.dll
2010-08-12 19:14 . 2007-03-28 19:07 -------- d-----w- c:\program files\Java
2010-08-12 19:12 . 2007-03-28 19:07 -------- d-----w- c:\program files\Common Files\Java
2010-08-11 21:06 . 2010-02-18 10:57 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-08-09 09:45 . 2010-08-09 09:45 664 ----a-w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\d3d9caps.tmp
2010-08-07 10:23 . 2010-02-12 08:19 -------- d-----w- c:\documents and settings\Yule family\Application Data\skypePM
2010-08-07 10:23 . 2010-02-12 08:16 -------- d-----w- c:\documents and settings\Yule family\Application Data\Skype
2010-08-05 23:01 . 2010-02-21 11:24 -------- d-----w- c:\documents and settings\Yule family\Application Data\Image Zone Express
2010-08-04 19:27 . 2010-05-27 11:31 -------- d-----w- c:\documents and settings\Yule family\Application Data\Asunew
2010-08-01 19:58 . 2010-02-11 15:22 -------- d-----w- c:\documents and settings\Yule family\Application Data\Teotn
2010-08-01 16:47 . 2010-02-19 15:09 -------- d-----w- c:\documents and settings\Yule family\Application Data\Soes
2010-08-01 14:57 . 2010-01-20 22:38 -------- d-----w- c:\program files\McAfee
2010-07-27 02:11 . 2010-06-03 16:05 -------- d-----w- c:\documents and settings\Yule family\Application Data\Xiygi
2010-07-26 21:33 . 2010-02-27 01:19 -------- d-----w- c:\documents and settings\Yule family\Application Data\Ircie
2010-07-25 23:27 . 2007-04-05 13:51 -------- d-----w- c:\program files\Quicken
2010-07-23 22:51 . 2010-01-25 07:56 -------- d-----w- c:\documents and settings\Yule family\Application Data\Uxhe
2010-07-23 22:51 . 2010-05-09 20:05 -------- d-----w- c:\documents and settings\Yule family\Application Data\Caoc
2010-07-23 22:20 . 2010-06-05 13:00 -------- d-----w- c:\documents and settings\Yule family\Application Data\Elowy
2010-07-23 19:06 . 2010-07-23 19:06 73728 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMR\16072\ncqo.exe
2010-07-23 19:06 . 2010-07-23 19:06 417792 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMR\16072\RapportMR.dll
2010-07-23 18:31 . 2010-05-26 23:58 81496 ----a-w- c:\documents and settings\test\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-21 19:17 . 2010-04-20 22:06 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-16 08:35 . 2010-03-28 21:57 -------- d-----w- c:\documents and settings\Yule family\Application Data\Ucibxa
2010-07-01 11:07 . 2010-07-01 11:07 434176 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-27 18:40 . 2010-08-11 07:34 144328 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2010-06-24 19:38 . 2009-10-11 23:52 -------- d-----w- c:\program files\Common Files\Skype
2010-06-16 06:33 . 2010-01-16 19:05 81496 ----a-w- c:\documents and settings\Yule family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-15 23:37 . 2010-06-15 23:37 -------- d-----w- c:\program files\MSBuild
2010-06-15 23:36 . 2010-06-15 23:36 -------- d-----w- c:\program files\Reference Assemblies
2010-05-16 20:43 . 2010-05-16 20:43 4224 ----a-w- c:\windows\system32\drivers\RDPCDD.SYS
2010-02-18 13:25 . 2010-02-18 13:25 8 --sh--r- c:\windows\system32\57E1DD82AC.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2007-01-25 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2007-01-25 16384]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-01 1180976]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-01-17 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\Default User.WINDOWS\Start Menu\Programs\Startup\
ewyxo.exe [2010-7-26 132608]
yxave.exe [2010-8-1 133632]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
azgeyx.exe [2010-7-26 132608]
kuem.exe [2010-8-1 133632]

c:\documents and settings\test\Start Menu\Programs\Startup\
dyycy.exe [2010-8-1 133632]
waixir.exe [2010-7-26 132608]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2007-4-7 57344]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^PHOTOfunSTUDIO 4.0 HD Edition.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\PHOTOfunSTUDIO 4.0 HD Edition.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO 4.0 HD Edition.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2007-12-01 17:38 38400 ----a-r- c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP4 Player]
2008-11-06 17:23 772096 ----a-w- c:\program files\MP4 Player\Mp4Player.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-01-17 23:12 98304 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1725:TCP"= 1725:TCP:Services
"1950:TCP"= 1950:TCP:Services

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [30/05/2010 16:15 82952]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [01/07/2010 12:07 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [01/07/2010 12:07 166632]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [20/01/2010 23:42 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [30/05/2010 16:15 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [30/05/2010 16:15 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [30/05/2010 16:16 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [30/05/2010 16:15 141792]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [01/07/2010 12:07 840936]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [30/05/2010 16:15 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [30/05/2010 16:15 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [30/05/2010 16:15 88480]
S1 MpKsl56ce2b3f;MpKsl56ce2b3f;\??\c:\windows\system32\MpEngineStore\MpKsl56ce2b3f.sys --> c:\windows\system32\MpEngineStore\MpKsl56ce2b3f.sys [?]
S1 MpKsl8b16be60;MpKsl8b16be60;\??\c:\windows\system32\MpEngineStore\MpKsl8b16be60.sys --> c:\windows\system32\MpEngineStore\MpKsl8b16be60.sys [?]
S1 MpKslfb1eeb2a;MpKslfb1eeb2a;\??\c:\windows\system32\MpEngineStore\MpKslfb1eeb2a.sys --> c:\windows\system32\MpEngineStore\MpKslfb1eeb2a.sys [?]
S1 mpqzwrpw;mpqzwrpw;\??\c:\windows\system32\drivers\mpqzwrpw.sys --> c:\windows\system32\drivers\mpqzwrpw.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/09/2009 18:28 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [30/05/2010 16:15 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [30/05/2010 16:15 83496]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);c:\windows\system32\drivers\se46bus.sys [22/02/2010 12:55 61536]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 17:28]

2010-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 17:28]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-20 12:22]

2010-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-20 12:22]

2010-08-13 c:\windows\Tasks\User_Feed_Synchronization-{DF8E2BEC-7A9C-4D85-9DC0-FDC10DEDCB66}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Qbiqeteriwedo - c:\windows\wpidvi.dll
HKLM-Run-Wbafaxagawo - c:\windows\isiraqes.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-13 23:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(344)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-08-13 23:58:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-13 22:58

Pre-Run: 80,306,585,600 bytes free
Post-Run: 80,750,227,456 bytes free

- - End Of File - - 4A7B18E1D5E837850A8B8897F3321303.

As I said, it seems to have been fixed, unless you spot something odd in the log.

demoncurrie

Rookie Surfer

Posts : 123
Joined : 2010-05-14
Operating System : Windows XP Home

Re: Disappearing taskbar and security centre virus

Post by Belahzur on Sun 15 Aug 2010, 2:25 am

Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    File::
    c:\documents and settings\Default User.WINDOWS\Start Menu\Programs\Startup\ewyxo.exe
    c:\documents and settings\Default User.WINDOWS\Start Menu\Programs\Startup\yxave.exe
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\azgeyx.exe
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\kuem.exe
    c:\documents and settings\test\Start Menu\Programs\Startup\dyycy.exe
    c:\documents and settings\test\Start Menu\Programs\Startup\waixir.exe

    Folder::
    c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\wbthkmldg
    c:\documents and settings\Yule family\Application Data\Asunew
    c:\documents and settings\Yule family\Application Data\Teotn
    c:\documents and settings\Yule family\Application Data\Soes
    c:\documents and settings\Yule family\Application Data\Xiygi
    c:\documents and settings\Yule family\Application Data\Ircie
    c:\documents and settings\Yule family\Application Data\Uxhe
    c:\documents and settings\Yule family\Application Data\Caoc
    c:\documents and settings\Yule family\Application Data\Elowy

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1725:TCP"=-
    "1950:TCP"=-

    Driver::
    mpqzwrpw
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre
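The reply above maps entries from the posted ComboFix log (loose executables in the per-user Startup folders, the two globally open firewall ports, the mpqzwrpw service whose driver file is missing on disk) onto CFScript File::, Registry:: and Driver:: sections. The Python script below is an added example for this thread; it is not part of ComboFix, OTL or the forum's own tooling. It reads a ComboFix-style log excerpt (constructed here from lines quoted in the log post), flags those indicators together with the Security Center monitoring and Windows Firewall settings the log shows switched off, and drafts the three CFScript sections for a helper to review. The regular expressions assume only the line shapes visible in this thread, and the Security Center and firewall findings are reported but deliberately not scripted, matching what the helper chose to do.

```python
"""Triage a ComboFix-style log excerpt and draft matching CFScript sections.

Added example for this thread; not part of ComboFix, OTL or the forum's
tooling. Line formats are assumed from the log quoted in the thread.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str          # indicator name, e.g. "startup-exe"
    detail: str        # path, value name or service name it refers to
    context: str = ""  # registry key the value lives under, if any


# Constructed sample, assembled from lines the thread's ComboFix log printed.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-01 1180976]

c:\documents and settings\Default User.WINDOWS\Start Menu\Programs\Startup\
ewyxo.exe [2010-7-26 132608]
yxave.exe [2010-8-1 133632]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1725:TCP"= 1725:TCP:Services
"1950:TCP"= 1950:TCP:Services

S1 mpqzwrpw;mpqzwrpw;\??\c:\windows\system32\drivers\mpqzwrpw.sys --> c:\windows\system32\drivers\mpqzwrpw.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [30/05/2010 16:15 83496]
"""

STARTUP_DIR = re.compile(r"^(c:\\documents and settings\\.*\\Startup\\)$", re.I)
BARE_EXE = re.compile(r"^([\w.-]+\.exe) \[", re.I)        # "name.exe [date size]"
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
SERVICE_NOFILE = re.compile(r"^[RS]\d ([^;]+);[^;]*;.*\[\?\]$")  # "[?]" = image file missing


def triage(log_text):
    """Return Findings for the autostart, policy and driver indicators in the log."""
    findings = []
    startup_dir = reg_key = None
    for line in (raw.rstrip() for raw in log_text.splitlines()):
        if not line:                      # a blank line closes the current block
            startup_dir = reg_key = None
            continue
        m = SERVICE_NOFILE.match(line)
        if m:
            findings.append(Finding("service-missing-file", m.group(1)))
            continue
        m = STARTUP_DIR.match(line)
        if m:
            startup_dir, reg_key = m.group(1), None
            continue
        m = REG_KEY.match(line)
        if m:
            reg_key, startup_dir = m.group(1), None
            continue
        if startup_dir:
            m = BARE_EXE.match(line)      # loose .exe in a Startup folder, not a .lnk
            if m:
                findings.append(Finding("startup-exe", startup_dir + m.group(1)))
            continue
        m = REG_VALUE.match(line)
        if m and reg_key:
            name, data = m.group(1), m.group(2)
            key_l = reg_key.lower()
            if (r"security center\monitoring" in key_l and name == "DisableMonitoring"
                    and data.lower() == "dword:00000001"):
                findings.append(Finding("secctr-monitoring-disabled", name, reg_key))
            elif name == "EnableFirewall" and data.split()[0] == "0":
                findings.append(Finding("firewall-disabled", name, reg_key))
            elif key_l.endswith(r"globallyopenports\list"):
                findings.append(Finding("open-port", name, reg_key))
    return findings


def draft_cfscript(findings):
    """Draft File::/Registry::/Driver:: sections from the findings, for a helper to review."""
    files = [f.detail for f in findings if f.kind == "startup-exe"]
    ports = [f for f in findings if f.kind == "open-port"]
    drivers = [f.detail for f in findings if f.kind == "service-missing-file"]
    out = []
    if files:
        out += ["File::"] + files + [""]
    if ports:
        out.append("Registry::")
        for key in dict.fromkeys(f.context for f in ports):   # keep order, drop duplicates
            out.append(f"[{key}]")
            out += [f'"{f.detail}"=-' for f in ports if f.context == key]
        out.append("")
    if drivers:
        out += ["Driver::"] + drivers
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:28} {f.detail}")
    print()
    print(draft_cfscript(found))
```

Running the script lists seven findings for the sample and prints a draft whose File::, Registry:: and Driver:: sections match the ones in the reply above; the two policy findings (Security Center monitoring off, firewall profile disabled) are only reported, since they are review items rather than removal targets.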

Re: Disappearing taskbar and security centre virus

Post by demoncurrie on Mon 16 Aug 2010, 7:11 am

I thought I'd already posted a reply; so I apologise if you see this twice somehow!!

I did as requested and the log is below. NB I both turned my virus checking off, and also disconnected from the Internet.
When Combofix was running, I was warned that "PEV.cfxxe" was closing.

System appears to be running ok; so I am happy to close this if you don't find something wrong. In that case, many thanks again for your help.

Log:
ComboFix 10-08-12.03 - Yule family 15/08/2010 20:19:51.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.446.155 [GMT 1:00]
Running from: c:\documents and settings\Yule family\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Yule family\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\Administrator\Start Menu\Programs\Startup\azgeyx.exe"
"c:\documents and settings\Administrator\Start Menu\Programs\Startup\kuem.exe"
"c:\documents and settings\Default User.WINDOWS\Start Menu\Programs\Startup\ewyxo.exe"
"c:\documents and settings\Default User.WINDOWS\Start Menu\Programs\Startup\yxave.exe"
"c:\documents and settings\test\Start Menu\Programs\Startup\dyycy.exe"
"c:\documents and settings\test\Start Menu\Programs\Startup\waixir.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\azgeyx.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\kuem.exe
c:\documents and settings\Default User.WINDOWS\Start Menu\Programs\Startup\ewyxo.exe
c:\documents and settings\Default User.WINDOWS\Start Menu\Programs\Startup\yxave.exe
c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\wbthkmldg
c:\documents and settings\test\Start Menu\Programs\Startup\dyycy.exe
c:\documents and settings\test\Start Menu\Programs\Startup\waixir.exe
c:\documents and settings\Yule family\Application Data\Asunew
c:\documents and settings\Yule family\Application Data\Caoc
c:\documents and settings\Yule family\Application Data\Caoc\ydfoa.ahs
c:\documents and settings\Yule family\Application Data\Caoc\ydfoa.tmp
c:\documents and settings\Yule family\Application Data\Elowy
c:\documents and settings\Yule family\Application Data\Ircie
c:\documents and settings\Yule family\Application Data\Ircie\keom.tmp
c:\documents and settings\Yule family\Application Data\Ircie\keom.xac
c:\documents and settings\Yule family\Application Data\Soes
c:\documents and settings\Yule family\Application Data\Teotn
c:\documents and settings\Yule family\Application Data\Uxhe
c:\documents and settings\Yule family\Application Data\Uxhe\fubui.afy
c:\documents and settings\Yule family\Application Data\Uxhe\fubui.tmp
c:\documents and settings\Yule family\Application Data\Xiygi

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_mpqzwrpw


((((((((((((((((((((((((( Files Created from 2010-07-15 to 2010-08-15 )))))))))))))))))))))))))))))))
.

2010-08-13 23:17 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-13 22:28 . 2004-08-04 10:00 8832 -c--a-w- c:\windows\system32\dllcache\rasacd.sys
2010-08-13 22:28 . 2004-08-04 10:00 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-08-12 19:10 . 2010-08-12 19:09 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-11 21:19 . 2010-08-11 21:19 -------- d-----w- C:\_OTL
2010-08-10 19:51 . 2010-08-10 19:51 -------- d-----w- c:\program files\Shavlik Technologies
2010-08-10 15:24 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-10 15:24 . 2010-08-10 15:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware b
2010-08-10 15:24 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 14:53 . 2010-08-08 14:53 -------- d-----w- c:\documents and settings\Yule family\Local Settings\Application Data\{CA0A701A-8DAE-4764-9756-24BCACFD0C61}
2010-07-20 18:38 . 2001-08-17 21:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-07-20 18:38 . 2001-08-17 21:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-07-20 18:38 . 2001-08-17 21:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-07-20 18:38 . 2001-08-17 21:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-07-20 18:38 . 2001-08-17 13:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-07-20 18:38 . 2001-08-17 13:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-07-20 18:38 . 2001-08-17 13:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-07-20 18:38 . 2001-08-17 13:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-07-20 18:38 . 2001-08-17 13:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-07-20 18:38 . 2001-08-17 13:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-07-20 18:38 . 2008-04-13 23:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-20 18:38 . 2008-04-13 23:09 6144 ----a-w- c:\windows\system32\kbd106.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 16:04 . 2010-02-18 10:57 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-08-15 15:55 . 2010-02-12 08:16 -------- d-----w- c:\documents and settings\Yule family\Application Data\Skype
2010-08-15 15:05 . 2010-02-12 08:19 -------- d-----w- c:\documents and settings\Yule family\Application Data\skypePM
2010-08-13 10:34 . 2010-01-29 22:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-12 21:13 . 2010-08-12 21:13 61440 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3265c9c5-n\decora-sse.dll
2010-08-12 21:13 . 2010-08-12 21:13 503808 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ad00b59-n\msvcp71.dll
2010-08-12 21:13 . 2010-08-12 21:13 499712 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ad00b59-n\jmc.dll
2010-08-12 21:13 . 2010-08-12 21:13 348160 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ad00b59-n\msvcr71.dll
2010-08-12 21:13 . 2010-08-12 21:13 12800 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3265c9c5-n\decora-d3d.dll
2010-08-12 19:14 . 2007-03-28 19:07 -------- d-----w- c:\program files\Java
2010-08-12 19:12 . 2007-03-28 19:07 -------- d-----w- c:\program files\Common Files\Java
2010-08-09 09:45 . 2010-08-09 09:45 664 ----a-w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\d3d9caps.tmp
2010-08-05 23:01 . 2010-02-21 11:24 -------- d-----w- c:\documents and settings\Yule family\Application Data\Image Zone Express
2010-08-01 14:57 . 2010-01-20 22:38 -------- d-----w- c:\program files\McAfee
2010-07-25 23:27 . 2007-04-05 13:51 -------- d-----w- c:\program files\Quicken
2010-07-23 19:06 . 2010-07-23 19:06 73728 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMR\16072\ncqo.exe
2010-07-23 19:06 . 2010-07-23 19:06 417792 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMR\16072\RapportMR.dll
2010-07-23 18:31 . 2010-05-26 23:58 81496 ----a-w- c:\documents and settings\test\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-21 19:17 . 2010-04-20 22:06 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-16 08:35 . 2010-03-28 21:57 -------- d-----w- c:\documents and settings\Yule family\Application Data\Ucibxa
2010-07-01 11:07 . 2010-07-01 11:07 434176 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-30 12:31 . 2004-08-04 10:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-27 18:40 . 2010-08-11 07:34 144328 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2010-06-24 19:38 . 2009-10-11 23:52 -------- d-----w- c:\program files\Common Files\Skype
2010-06-24 12:22 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 10:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 10:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 10:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-16 06:33 . 2010-01-16 19:05 81496 ----a-w- c:\documents and settings\Yule family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 14:31 . 2010-01-16 16:41 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 10:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-02-18 13:25 . 2010-02-18 13:25 8 --sh--r- c:\windows\system32\57E1DD82AC.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2007-01-25 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2007-01-25 16384]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-01 1180976]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2007-4-7 57344]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^PHOTOfunSTUDIO 4.0 HD Edition.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\PHOTOfunSTUDIO 4.0 HD Edition.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO 4.0 HD Edition.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2007-12-01 17:38 38400 ----a-r- c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP4 Player]
2008-11-06 17:23 772096 ----a-w- c:\program files\MP4 Player\Mp4Player.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-01-17 23:12 98304 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [30/05/2010 16:15 82952]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [01/07/2010 12:07 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [01/07/2010 12:07 166632]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [20/01/2010 23:42 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [30/05/2010 16:15 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [30/05/2010 16:15 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [30/05/2010 16:16 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [30/05/2010 16:15 141792]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [01/07/2010 12:07 840936]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [30/05/2010 16:15 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [30/05/2010 16:15 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [30/05/2010 16:15 88480]
S1 MpKsl56ce2b3f;MpKsl56ce2b3f;\??\c:\windows\system32\MpEngineStore\MpKsl56ce2b3f.sys --> c:\windows\system32\MpEngineStore\MpKsl56ce2b3f.sys [?]
S1 MpKsl8b16be60;MpKsl8b16be60;\??\c:\windows\system32\MpEngineStore\MpKsl8b16be60.sys --> c:\windows\system32\MpEngineStore\MpKsl8b16be60.sys [?]
S1 MpKslfb1eeb2a;MpKslfb1eeb2a;\??\c:\windows\system32\MpEngineStore\MpKslfb1eeb2a.sys --> c:\windows\system32\MpEngineStore\MpKslfb1eeb2a.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/09/2009 18:28 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [30/05/2010 16:15 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [30/05/2010 16:15 83496]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);c:\windows\system32\drivers\se46bus.sys [22/02/2010 12:55 61536]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 17:28]

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 17:28]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-20 12:22]

2010-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-20 12:22]

2010-08-15 c:\windows\Tasks\User_Feed_Synchronization-{DF8E2BEC-7A9C-4D85-9DC0-FDC10DEDCB66}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-15 20:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3600)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\progra~1\mcafee.com\agent\mcupdate.exe
.
**************************************************************************
.
Completion time: 2010-08-15 20:43:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-15 19:43

Pre-Run: 80,179,752,960 bytes free
Post-Run: 80,221,134,848 bytes free

- - End Of File - - FD23DA6DBDDAEB0240BB06AA7D75D56C

demoncurrie

Rookie Surfer

Posts : 123
Joined : 2010-05-14
Operating System : Windows XP Home

Re: Disappearing taskbar and security centre virus

Post by Belahzur on Tue 17 Aug 2010, 9:14 am

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Disappearing taskbar and security centre virus

Post by demoncurrie on Wed 18 Aug 2010, 7:10 am

I didn't disable McAfee; after completing the operation, McAfee told me that it had found a virus which would be removed after rebooting.

ComboFix was uninstalled, but some directories still remain.
Should I delete them and uninstall ESET?

The log is:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=79a5b4059a3f1a4197661145fb80a500
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-08-17 08:01:13
# local_time=2010-08-17 09:01:14 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16776533 100 75 6837051 13862722 0 0
# compatibility_mode=8192 67108863 100 0 224 224 0 0
# scanned=112770
# found=4
# cleaned=4
# scan_time=5183
C:\Documents and Settings\HelpAssistant\Start Menu\Programs\Startup\aqfo.exe Win32/Spy.Zbot.ZP trojan (cleaned by deleting - quarantined) EB417D4C0C456527B40BE2886858F687 C
C:\Documents and Settings\HelpAssistant\Start Menu\Programs\Startup\usnyv.exe Win32/Spy.Zbot.YW trojan (cleaned by deleting - quarantined) BB04FE6F6232DCC0661435AE9A6DA513 C
C:\_OTL\MovedFiles\08112010_222158\C_Documents and Settings\Yule family\Local Settings\temp\wmsdk64_32.exe a variant of Win32/Kryptik.FZH trojan (cleaned by deleting - quarantined) D3CB59E4143C69E89DA4C52B343D7459 C
C:\_OTL\MovedFiles\08112010_222158\C_WINDOWS\isiraqes.dll a variant of Win32/Cimag.CK trojan (cleaned by deleting - quarantined) 6765692047F52E9D539AB755660FB4D6 C

END OF LOG.

demoncurrie

Rookie Surfer

Posts : 123
Joined : 2010-05-14
Operating System : Windows XP Home

Re: Disappearing taskbar and security centre virus

Post by Belahzur on Thu 19 Aug 2010, 8:47 am

Hello.

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Disappearing taskbar and security centre virus

Post by demoncurrie on Sun 22 Aug 2010, 9:11 am

Hi,
Here's the txt file:
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.4
Adobe Shockwave Player 11.5
Athlon 64 Processor Driver
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
BT Voyager 105 ADSL Modem
ClickArt Fonts 3
Corel MediaOne
Dell Resource CD
ESET Online Scanner v3
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
iPod for Windows 2005-02-07
iTunes
Java(TM) 6 Update 21
K-Lite Codec Pack 3.2.5 Standard
McAfee SecurityCenter
McAfee Virtual Technician
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Modem Diagnostic Tool
Moyea FLV Player version: 2.0.2.96
MP4 Player
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
PHOTOfunSTUDIO 4.0 HD Edition
Quicken 2004
QuickTime
Rapport
Rapport
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SigmaTel Audio
Skype Toolbars
Skype™ 4.2
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3

END of txt file

demoncurrie

Rookie Surfer

Posts : 123
Joined : 2010-05-14
Operating System : Windows XP Home

Re: Disappearing taskbar and security centre virus

Post by Sneakyone on Sun 22 Aug 2010, 9:58 am

Hi.

Please download HAMeb_check.exe and save it to your desktop.

  • Double-click on HAMeb_check.exe to run the utility and it will create a log.
  • Copy and paste the contents of that log in your next reply.


I'm livin' life in the fast lane.


Sneakyone

Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit
http://twitter.com/AVerySneakyone

Re: Disappearing taskbar and security centre virus

Post by demoncurrie on Sun 22 Aug 2010, 9:16 pm

Hi
The log is posted below. Since you are obviously worried about something or investigating something - what is it by the way?? - the only other odd thing that I notice is that I get a msg on logging off that appears and then disappears: re "McSvcHost.exe error".

C:\Documents and Settings\Yule family\Desktop\HAMeb_check.exe
22/08/2010 at 11:03:58.21

Account active Yes
Local Group Memberships *Administrators

~~ Checking profile list ~~

S-1-5-21-220523388-1275210071-725345543-1000
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
PE file found in sector at 0x012A05115 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3029:TCP"=3029:TCP:*:Enabled:Services
"4558:TCP"=4558:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
80:TCP=80:TCP:*:Enabled:Services
443:TCP=443:TCP:*:Enabled:Services
"1725:TCP"=1725:TCP:*:Enabled:Services
"1950:TCP"=1950:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

demoncurrie

Rookie Surfer

Posts : 123
Joined : 2010-05-14
Operating System : Windows XP Home

Re: Disappearing taskbar and security centre virus

Post by Sneakyone on Mon 23 Aug 2010, 4:59 am

Hi.

Belahzur is away for the week, and he asked me to take his threads, and I noticed a really bad infection you have called HelpAssistant.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

  • Make sure you leave a space between helpasst and -mbrt
  • When it completes, a log will open.
  • Please post the contents of that log.


I'm livin' life in the fast lane.


Sneakyone

Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit
http://twitter.com/AVerySneakyone

Re: Disappearing taskbar and security centre virus

Post by demoncurrie on Mon 23 Aug 2010, 9:21 am

Thanks - I did this, and noticed that the HelpAssistant directory in Docs & Settings has gone.
NB I still get the McSvHost.exe error on closing down.
The log is:
C:\Documents and Settings\Yule family\Desktop\HelpAsst_mebroot_fix.exe
22/08/2010 at 22:52:28.21

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3029:TCP"=-
"4558:TCP"=-
"3389:TCP"=-
80:TCP=-
443:TCP=-
"1725:TCP"=-
"1950:TCP"=-

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-220523388-1275210071-725345543-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove

~ Not all HelpAssistant files sucessfully removed ~
Remove on reboot: C:\DOCUME~1\HELPAS~1\APPLIC~1\Trusteer\Rapport\user\store\user
Remove on reboot: C:\DOCUME~1\HELPAS~1\APPLIC~1\Trusteer\Rapport\user\store
Remove on reboot: C:\DOCUME~1\HELPAS~1\APPLIC~1\Trusteer\Rapport\user\logs
Remove on reboot: C:\DOCUME~1\HELPAS~1\APPLIC~1\Trusteer\Rapport\user
Remove on reboot: C:\DOCUME~1\HELPAS~1\APPLIC~1\Trusteer\Rapport
Remove on reboot: C:\DOCUME~1\HELPAS~1\APPLIC~1\Trusteer
Remove on reboot: C:\DOCUME~1\HELPAS~1\APPLIC~1
Remove on reboot: C:\Documents and Settings\HelpAssistant


~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 22/08/2010 at 23:15:32.82

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
PE file found in sector at 0x012A05115 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
80:TCP=80:TCP:*:Enabled:Services
443:TCP=443:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

demoncurrie

Rookie Surfer

Posts : 123
Joined : 2010-05-14
Operating System : Windows XP Home

Re: Disappearing taskbar and security centre virus

Post by demoncurrie on Mon 23 Aug 2010, 9:41 am

Update: after rebooting several times, the MCsvHost.exe error has disappeared too.
Is all now OK?
Thanks.

demoncurrie
Rookie Surfer
Posts : 123
Joined : 2010-05-14
Operating System : Windows XP Home

Re: Disappearing taskbar and security centre virus

Post by Sneakyone on Mon 23 Aug 2010, 11:21 am

Hi.

Could you please run HA_Check again?


I'm livin' life in the fast lane.


Sneakyone
Tech Officer
Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit
http://twitter.com/AVerySneakyone

Re: Disappearing taskbar and security centre virus

Post by demoncurrie on Tue 24 Aug 2010, 3:19 am

I note that I have a directory - C:\Help_Asst_backup, containing what looks like my old C drive! Should I delete this?

HA initially came up with "Profile not found"; however, I pressed a key and it completed. I then did "Run helpasst -mbrt" as before. The log follows:

C:\Documents and Settings\Yule family\Desktop\HelpAsst_mebroot_fix.exe
23/08/2010 at 17:13:48.65

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
80:TCP=-
443:TCP=-

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 23/08/2010 at 17:15:06.06

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
PE file found in sector at 0x012A05115 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
80:TCP=80:TCP:*:Enabled:Services
443:TCP=443:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

demoncurrie
Rookie Surfer
Posts : 123
Joined : 2010-05-14
Operating System : Windows XP Home
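As an added example (not part of the thread, and not code from the HA_Check / HelpAsst_mebroot_fix tool), the following Python script parses a log of the shape posted above and pulls out the checks the helper reads: the HelpAssistant account state, the termsrv32.dll check, the profile list, the Gmer MBR lines ending in "!" and the GloballyOpenPorts values per firewall profile. SAMPLE_LOG is a constructed, abridged copy of that log's shape, and the names HaCheckReport, parse_ha_check and triage are my own.

```python
"""Triage parser for HelpAsst_mebroot_fix (HA_Check) style logs (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input (abridged; the raw string keeps the backslashes).
SAMPLE_LOG = r"""
HelpAssistant account Inactive
~~ Checking for termsrv32.dll ~~
termsrv32.dll not found
~~ Checking profile list ~~
No HelpAssistant profile in registry
~~ Checking mbr ~~
user & kernel MBR OK
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
PE file found in sector at 0x012A05115 !
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
80:TCP=80:TCP:*:Enabled:Services
443:TCP=443:TCP:*:Enabled:Services
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
~~ EOF ~~
"""

SECTION_RE = re.compile(r"^~~ (.+?) ~~$")
# GloballyOpenPorts key, with or without the surrounding brackets.
PORTS_KEY_RE = re.compile(
    r"^\[?HKLM\\.*?\\firewallpolicy\\(\w+)\\GloballyOpenPorts\\List\]?$", re.I)
# Value format: <port>:<proto>=<port>:<proto>:<scope>:<Enabled|Disabled>:<name>
PORT_VALUE_RE = re.compile(
    r"^(\d+):(TCP|UDP)=(\d+):(TCP|UDP):([^:]+):(Enabled|Disabled):(.*)$", re.I)


@dataclass
class HaCheckReport:
    account_active: bool | None = None         # HelpAssistant account state
    termsrv32_present: bool | None = None      # DLL the tool checks for
    helpassistant_profile: bool | None = None  # profile still in registry?
    mbr_ok: bool | None = None                 # "user & kernel MBR OK" seen
    mbr_alerts: list[str] = field(default_factory=list)  # Gmer lines ending "!"
    open_ports: dict[str, list[str]] = field(default_factory=dict)  # profile -> ports


def parse_ha_check(text: str) -> HaCheckReport:
    """Walk the log section by section and record each check's outcome."""
    rep = HaCheckReport()
    section = None  # current "~~ ... ~~" heading, lower-cased
    profile = None  # firewall profile whose port list we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, profile = m.group(1).lower(), None
            continue
        low = line.lower()
        if low.startswith("helpassistant account"):
            rep.account_active = low.split()[-1] == "active"
        elif low.startswith("account active"):
            rep.account_active = low.split()[-1] == "yes"
        elif section == "checking for termsrv32.dll" and "termsrv32.dll" in low:
            rep.termsrv32_present = "not found" not in low
        elif section == "checking profile list" and "helpassistant" in low:
            rep.helpassistant_profile = not low.startswith("no ")
        elif section == "checking mbr":
            if line == "user & kernel MBR OK":
                rep.mbr_ok = True
            elif line.endswith("!"):  # Gmer marks suspicious sectors with "!"
                rep.mbr_alerts.append(line)
        elif section == "checking firewall ports":
            key = PORTS_KEY_RE.match(line)
            if key:
                profile = key.group(1).lower()
                rep.open_ports.setdefault(profile, [])
            else:
                val = PORT_VALUE_RE.match(line)
                if val and profile and val.group(6).lower() == "enabled":
                    rep.open_ports[profile].append(f"{val.group(1)}/{val.group(2).upper()}")
    return rep


def triage(rep: HaCheckReport) -> list[str]:
    """Turn the parsed report into the findings a helper would act on."""
    findings = []
    if rep.account_active:
        findings.append("HelpAssistant account is active")
    if rep.termsrv32_present:
        findings.append("termsrv32.dll is present")
    if rep.helpassistant_profile:
        findings.append("HelpAssistant profile is still listed in the registry")
    for prof, ports in sorted(rep.open_ports.items()):
        if ports:
            findings.append(f"{prof}: globally open firewall ports {', '.join(ports)}")
    # The MBR itself can read OK while Gmer still flags a stray MBR copy on disk.
    findings.extend(f"Gmer MBR alert: {alert}" for alert in rep.mbr_alerts)
    return findings
```

Run against the sample it reports the two globally open ports in the domain profile and the two Gmer sector alerts, which is exactly what the helper's follow-up script goes on to close.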

Re: Disappearing taskbar and security centre virus

Post by Sneakyone on Tue 24 Aug 2010, 9:20 am

Hi.

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    Folder::
    C:\Documents and Settings\HelpAssistant

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list]
    80:TCP=-
    443:TCP=-

    Reboot::

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


I'm livin' life in the fast lane.


Sneakyone
Tech Officer
Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit
http://twitter.com/AVerySneakyone

Re: Disappearing taskbar and security centre virus

Post by demoncurrie on Tue 24 Aug 2010, 10:48 am

Hi again!
Although I had downloaded Combo-fix earlier, I reloaded it (as per Post 5), since I had uninstalled it.
I ran Combofix; during Stage 2 I got a msg that PEV.cfxxe had a problem and was terminating.
After Stage 50, the system auto rebooted.
After completion I can see that I still have a directory c:\HelpAsst_backup, containing copies of my C drive.
The log is as follows:
ComboFix 10-08-23.01 - Yule family 24/08/2010 0:06.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.446.111 [GMT 1:00]
Running from: c:\documents and settings\Yule family\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Yule family\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))
.

2010-08-22 21:52 . 2010-08-22 21:52 -------- d-----w- C:\HelpAsst_backup
2010-08-21 22:09 . 2010-08-21 22:09 -------- d-----w- c:\program files\TrendMicro
2010-08-17 18:31 . 2010-08-17 18:31 -------- d-----w- c:\program files\ESET
2010-08-17 18:21 . 2010-08-17 18:21 -------- d-----w- C:\Combo-Fix17331C
2010-08-15 19:14 . 2010-08-15 19:43 -------- d-----w- C:\Combo-Fix940C
2010-08-13 23:17 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-13 22:28 . 2004-08-04 10:00 8832 -c--a-w- c:\windows\system32\dllcache\rasacd.sys
2010-08-13 22:28 . 2004-08-04 10:00 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-08-12 19:10 . 2010-08-12 19:09 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-11 21:19 . 2010-08-11 21:19 -------- d-----w- C:\_OTL
2010-08-10 19:51 . 2010-08-10 19:51 -------- d-----w- c:\program files\Shavlik Technologies
2010-08-08 14:53 . 2010-08-08 14:53 -------- d-----w- c:\documents and settings\Yule family\Local Settings\Application Data\{CA0A701A-8DAE-4764-9756-24BCACFD0C61}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-22 16:47 . 2010-01-20 22:38 -------- d-----w- c:\program files\McAfee
2010-08-22 10:06 . 2010-02-12 08:16 -------- d-----w- c:\documents and settings\Yule family\Application Data\Skype
2010-08-22 08:55 . 2010-02-12 08:19 -------- d-----w- c:\documents and settings\Yule family\Application Data\skypePM
2010-08-21 22:09 . 2010-08-21 22:09 388096 ----a-r- c:\documents and settings\Yule family\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-08-21 21:41 . 2010-02-18 10:57 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-08-17 20:31 . 2010-08-17 20:31 349416 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMR\19211\RapportMR.dll
2010-08-17 20:31 . 2010-08-17 20:31 12544 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMR\19211\RapportIaso.sys
2010-08-13 10:34 . 2010-01-29 22:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-12 21:13 . 2010-08-12 21:13 61440 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3265c9c5-n\decora-sse.dll
2010-08-12 21:13 . 2010-08-12 21:13 503808 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ad00b59-n\msvcp71.dll
2010-08-12 21:13 . 2010-08-12 21:13 499712 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ad00b59-n\jmc.dll
2010-08-12 21:13 . 2010-08-12 21:13 348160 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ad00b59-n\msvcr71.dll
2010-08-12 21:13 . 2010-08-12 21:13 12800 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3265c9c5-n\decora-d3d.dll
2010-08-12 19:14 . 2007-03-28 19:07 -------- d-----w- c:\program files\Java
2010-08-12 19:12 . 2007-03-28 19:07 -------- d-----w- c:\program files\Common Files\Java
2010-08-09 09:45 . 2010-08-09 09:45 664 ----a-w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\d3d9caps.tmp
2010-08-05 23:01 . 2010-02-21 11:24 -------- d-----w- c:\documents and settings\Yule family\Application Data\Image Zone Express
2010-07-25 23:27 . 2007-04-05 13:51 -------- d-----w- c:\program files\Quicken
2010-07-23 19:06 . 2010-07-23 19:06 73728 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMR\16072\ncqo.exe
2010-07-23 19:06 . 2010-07-23 19:06 417792 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMR\16072\RapportMR.dll
2010-07-23 18:31 . 2010-05-26 23:58 81496 ----a-w- c:\documents and settings\test\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-21 19:17 . 2010-04-20 22:06 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-16 08:35 . 2010-03-28 21:57 -------- d-----w- c:\documents and settings\Yule family\Application Data\Ucibxa
2010-07-01 11:07 . 2010-07-01 11:07 434176 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-30 12:31 . 2004-08-04 10:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-27 18:40 . 2010-08-11 07:34 144328 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2010-06-24 12:22 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 10:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 10:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 10:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-16 06:33 . 2010-01-16 19:05 81496 ----a-w- c:\documents and settings\Yule family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 14:31 . 2010-01-16 16:41 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 10:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-02-18 13:25 . 2010-02-18 13:25 8 --sh--r- c:\windows\system32\57E1DD82AC.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2007-01-25 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2007-01-25 16384]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-01 1180976]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^PHOTOfunSTUDIO 4.0 HD Edition.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\PHOTOfunSTUDIO 4.0 HD Edition.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO 4.0 HD Edition.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2007-12-01 17:38 38400 ----a-r- c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP4 Player]
2008-11-06 17:23 772096 ----a-w- c:\program files\MP4 Player\Mp4Player.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-01-17 23:12 98304 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [30/05/2010 16:15 82952]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [01/07/2010 12:07 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [01/07/2010 12:07 166632]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [20/01/2010 23:42 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [30/05/2010 16:15 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [30/05/2010 16:15 271480]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [30/05/2010 16:15 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [30/05/2010 16:15 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [30/05/2010 16:15 88480]
S1 MpKsl56ce2b3f;MpKsl56ce2b3f;\??\c:\windows\system32\MpEngineStore\MpKsl56ce2b3f.sys --> c:\windows\system32\MpEngineStore\MpKsl56ce2b3f.sys [?]
S1 MpKsl8b16be60;MpKsl8b16be60;\??\c:\windows\system32\MpEngineStore\MpKsl8b16be60.sys --> c:\windows\system32\MpEngineStore\MpKsl8b16be60.sys [?]
S1 MpKslfb1eeb2a;MpKslfb1eeb2a;\??\c:\windows\system32\MpEngineStore\MpKslfb1eeb2a.sys --> c:\windows\system32\MpEngineStore\MpKslfb1eeb2a.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/09/2009 18:28 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [30/05/2010 16:15 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [30/05/2010 16:15 83496]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);c:\windows\system32\drivers\se46bus.sys [22/02/2010 12:55 61536]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 17:28]

2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 17:28]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-20 12:22]

2010-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-20 12:22]

2010-08-23 c:\windows\Tasks\User_Feed_Synchronization-{DF8E2BEC-7A9C-4D85-9DC0-FDC10DEDCB66}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89C30F0F8BD011D2.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-24 00:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(224)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-08-24 00:34:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-23 23:34

Pre-Run: 80,693,653,504 bytes free
Post-Run: 80,900,644,864 bytes free

- - End Of File - - A8DD55844813DFA72BA309F835D5D45C

demoncurrie
Rookie Surfer
Posts : 123
Joined : 2010-05-14
Operating System : Windows XP Home

Re: Disappearing taskbar and security centre virus

Post by Sneakyone on Tue 24 Aug 2010, 1:02 pm

Hi.

The HelpAssistant backup is a backup of your files that shouldn't be messed with, in case of emergency.

HelpAssistant Mebroot seems removed; is it still there at C:\Documents and Settings\HelpAssistant?



I'm livin' life in the fast lane.


Sneakyone
Tech Officer
Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit
http://twitter.com/AVerySneakyone

Re: Disappearing taskbar and security centre virus

Post by demoncurrie on Wed 25 Aug 2010, 9:06 am

Yes, that directory has gone.

Should I uninstall all the virus stuff that I have downloaded?
Is it adequate to do this via Add/Remove?
And should I delete any directories left that are named similarly, e.g.
Combo-fix?
_OTL
5de2baedc3ac8e9e6c2275410292
Qoobox

Thanks again.

demoncurrie
Rookie Surfer
Posts : 123
Joined : 2010-05-14
Operating System : Windows XP Home

Re: Disappearing taskbar and security centre virus

Post by Sneakyone on Wed 25 Aug 2010, 1:11 pm

Hi.

Download MBRCheck to your desktop.
  • Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRcheckxxxx.txt will be on your desktop.
  • Open this report and post its content in your next reply.


I'm livin' life in the fast lane.


Sneakyone
Tech Officer
Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit
http://twitter.com/AVerySneakyone

Re: Disappearing taskbar and security centre virus

Post by demoncurrie on Fri 27 Aug 2010, 5:09 am

Here it is:
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000001fc

Kernel Drivers (total 131):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF7358000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7347000 pci.sys
0xF7487000 isapnp.sys
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7497000 MountMgr.sys
0xF7328000 ftdisk.sys
0xF770F000 PartMgr.sys
0xF74A7000 VolSnap.sys
0xF7310000 atapi.sys
0xF7717000 cercsr6.sys
0xF72F8000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF74B7000 disk.sys
0xF74C7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF72D8000 fltmgr.sys
0xF72C6000 sr.sys
0xF7269000 mfehidk.sys
0xF74D7000 PxHelp20.sys
0xF7252000 KSecDD.sys
0xF71C5000 Ntfs.sys
0xF7198000 NDIS.sys
0xF717E000 Mup.sys
0xF7657000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xF6773000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF6719000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF77CF000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF66F5000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77D7000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7667000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7677000 \SystemRoot\System32\Drivers\cdrbsdrv.SYS
0xF7687000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7697000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF66D2000 \SystemRoot\system32\DRIVERS\ks.sys
0xF77DF000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xF76A7000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xF66AA000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF7AF8000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF6696000 \SystemRoot\system32\DRIVERS\mfendisk.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF795B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF667F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76C7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF76D7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77E7000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF666E000 \SystemRoot\system32\DRIVERS\psched.sys
0xF76E7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF664A000 \SystemRoot\system32\drivers\mfeavfk.sys
0xF77EF000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77F7000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF76F7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF77FF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7807000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF79B1000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6579000 \SystemRoot\system32\DRIVERS\update.sys
0xF7156000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF6466000 \SystemRoot\system32\drivers\sthda.sys
0xF6442000 \SystemRoot\system32\drivers\portcls.sys
0xF7507000 \SystemRoot\system32\drivers\drmk.sys
0xF7517000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7537000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79BB000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7923000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF79C5000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7AFC000 \SystemRoot\System32\Drivers\Null.SYS
0xF79C7000 \SystemRoot\System32\Drivers\Beep.SYS
0xF782F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7837000 \SystemRoot\System32\drivers\vga.sys
0xF79C9000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79CB000 \SystemRoot\SYSTEM32\DRIVERS\RDPCDD.SYS
0xF783F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7847000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF792B000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF3D82000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF3D29000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF3D16000 \SystemRoot\system32\drivers\mfetdi2k.sys
0xF3CF0000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF3CC9000 \SystemRoot\System32\Drivers\Mpfp.sys
0xF7597000 \SystemRoot\System32\DRIVERS\ipfltdrv.sys
0xF3CA1000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF7943000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF3C57000 \SystemRoot\System32\drivers\afd.sys
0xF75A7000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF3C2C000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF3C04000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
0xF75C7000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys
0xF3B94000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF75D7000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF75E7000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7767000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF3B71000 \SystemRoot\system32\DRIVERS\gwausb.sys
0xF6622000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF6422000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF6412000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF7777000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF6386000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF777F000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF7787000 \SystemRoot\system32\DRIVERS\HPZius12.sys
0xF7146000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF7142000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF3A63000 \SystemRoot\System32\Drivers\usbvideo.sys
0xF63C2000 \SystemRoot\system32\drivers\usbaudio.sys
0xF63B2000 \SystemRoot\system32\DRIVERS\HPZid412.sys
0xF792F000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
0xF3A4B000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF799D000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF3C91000 \SystemRoot\System32\drivers\Dxapi.sys
0xF778F000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xF7A8F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB86E0000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB83EB000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB8254000 \SystemRoot\system32\DRIVERS\srv.sys
0xB7FD9000 \SystemRoot\system32\drivers\mfefirek.sys
0xF788F000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xB7E7A000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xB7BBD000 \SystemRoot\system32\drivers\wdmaud.sys
0xB831B000 \SystemRoot\system32\drivers\sysaudio.sys
0xB84A8000 \SystemRoot\system32\drivers\cfwids.sys
0xB7566000 \SystemRoot\system32\drivers\mfeapfk.sys
0xB7AD7000 \SystemRoot\system32\drivers\mfebopk.sys
0xB745D000 \SystemRoot\System32\Drivers\HTTP.sys
0xB6106000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 46):
0 System Idle Process
4 System
588 C:\WINDOWS\system32\smss.exe
956 csrss.exe
980 C:\WINDOWS\system32\winlogon.exe
1024 C:\WINDOWS\system32\services.exe
1036 C:\WINDOWS\system32\lsass.exe
1172 C:\WINDOWS\system32\nvsvc32.exe
1216 C:\WINDOWS\system32\svchost.exe
1284 svchost.exe
1340 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
1372 C:\WINDOWS\system32\svchost.exe
1424 svchost.exe
1520 svchost.exe
1636 C:\WINDOWS\system32\spoolsv.exe
1720 svchost.exe
1756 C:\WINDOWS\system32\bgsvcgen.exe
1792 svchost.exe
1856 C:\Program Files\Java\jre6\bin\jqs.exe
1948 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
1964 C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
2024 C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
2040 C:\Program Files\McAfee\MSK\msksrver.exe
148 C:\WINDOWS\system32\HPZipm12.exe
224 C:\WINDOWS\system32\PSIService.exe
280 C:\WINDOWS\system32\svchost.exe
332 C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
540 C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
1416 alg.exe
2468 C:\WINDOWS\explorer.exe
2492 C:\WINDOWS\system32\rundll32.exe
2560 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
3008 C:\WINDOWS\stsystra.exe
3020 C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
3028 C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
3092 C:\WINDOWS\system32\rundll32.exe
3104 C:\Program Files\McAfee.com\Agent\mcagent.exe
3120 C:\WINDOWS\system32\rundll32.exe
3172 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3216 C:\WINDOWS\system32\ctfmon.exe
3252 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
3912 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
4088 C:\WINDOWS\system32\taskmgr.exe
3380 C:\Program Files\Internet Explorer\iexplore.exe
688 C:\Program Files\Internet Explorer\iexplore.exe
600 C:\Documents and Settings\Yule family\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001b`27f54600 (NTFS)

PhysicalDrive0 Model Number: ST3160812AS, Rev: 3.ADJ

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

demoncurrie
Rookie Surfer
Posts : 123
Joined : 2010-05-14
Operating System : Windows XP Home
