mystery virus

here is a complete list of ‘symptoms’ i’ve noticed.

  1. autoplay disabled
  2. 3-5 times a day the ‘desktop’ appears (while playing full screen games)
  3. certain websites are ‘unavailable’ in ie, (sorta like a transparent proxy would do for sites the admin banned, EXCEPT it doesn’t affect vmware (linux)) i double checked ie, no proxy is set in lan settings.
  4. recordable ‘multi-session’ cd-r add ‘mysterious sessions’. 1 disc still loaded in linux (only 1 extra session), the second disk was unreadable in linux (3 extra sessions had been written to that 1)
  5. extensions mysteriously became unhidden (i rarely change this on a test system, this was how i figured out that a cd-r i thought was clean actually had the virus on it)
  6. on at least 1 system built-in cd recording ‘crashed’ instead of opening an ‘add files window’
  7. screen saver/power management settings ‘reset’ to default windows settings (10 min screen saver/ 20 min monitor off) when certain applications launched (so far my list of applications that were affected included dvd shrink and comodo a/v)
  8. my dad’s pc is running really slowly lately (he has the slowest system, the filesystem was just reinstalled a month ago so it’s not fragmentation… i know the cpu was upgraded to try to keep the system from being slow, and it’s almost as fast as the cpu in my mom’s pc but his runs wayyyyy slower) i was thinking it was because he ‘upgraded’ mcafee to their full ‘suite’ and only had 256mb of ram, but i test ran his system with my 512mb module and it was still slow.

The two DSS logs show the same content, so far as a diff can tell. Some report format differences, but nothing in terms of executables.

But, that it took renaming DSS to get a run is a very strong indication there is a rootkit installed. Another indication of a problem is this, from the log:

-- System Event Log ------------------------------------------------------------

Event Record #/Type2013 / Warning
Event Submitted/Written: 12/13/2007 05:46:21 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

That would imply that something has taken over port 123/UDP, and is keeping the time service from doing its job. There are reports of malware doing just that. If you can get a clear system, and get Wireshark, or some other packet sniffer, and check port 123 traffic, you could confirm that guess.

And to confirm this entry:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Cerberus\\Cerberus.exe"="C:\\Program Files\\Cerberus\\Cerberus.exe:*:Enabled:Cerberus FTP Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

That you do have an FTP server installed?

And your notation

3. certain websites are 'unavailable' in ie, (sorta like a transparent proxy would do for sites the admin banned, EXCEPT it doesnt affect vmware (linux)) i double checked ie, no proxy is set in lan settings.
is consistent with malware controlling your TCP/IP stack and DNS lookups.

The next step is getting a rootkit scan done. I’d suggest doing all three of the scanners listed in my earlier post. A rootkit problem with these kinds of symptoms is leading me to believe that the only certain cleanup is going to be a zero wipe of the disk, and a reinstall from vendor original media. We’re not to that point yet, but it looks to be leading that way, as there still isn’t an identification of what the thing is so as to be able to use the tools to get rid of it.

i installed cerberus to transfer back up files from old linux/bsd partitions using a vmware linux program. some of those hds failed in mid process it was far overdue to get my files onto backed up media…

okay the 1st site (rootkitrevealer) was ‘unable to start service’ and failed to install. im doing the 2nd site now.

f-secure ‘failed to dl’ running gmer now. and yeah the cd-r media was how my system that is at home was getting re-infected. once i burned a ‘clean’ mobo driver disc from vmware (vmware busies the cd-r drive so windows doesn’t interrupt it) i was able to remove all symptoms from That pc.
so far gmer has found 2 ‘red’ entries. and it said it found rootkit activity.
i can’t paste the whole thing so here is the ‘red flagged listing’ if you need more of it i can break it up.

---- Processes - GMER 1.0.13 ----

Library C:\DOCUME~1\Ryan\LOCALS~1\Temp\CmdLineExt02.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1224] 0x011A0000
Library C:\Documents (*** hidden *** ) @ C:\Documents [3936] 0x00400000

---- EOF - GMER 1.0.13 ----

I’d like to eyeball the full report that gmer produces. You can attach it as a txt file to a posting here, or upload it to a file service. One such service that I’ve seen used in these kinds of situations is at savefile.com. You would create a free account, upload your file up to 60meg, and post a link here. Either an attachment here, or a link, is your choice.

full log

[attachment deleted by admin]

well something is definitely wrong with the filesystem. i tried to boot an ubuntu 7.10 cd (i burned it for my mp3 playing computer) and it kept giving this ‘squashfs’ error about a specific block on the filesystem. after about 20 minutes and 768 of the same errors i gave up on it, and rebooted to windows, so i am a bit worried about trying to scan the drive as a ‘slave’ if the rootkit can spread by connecting the drive to another windows machine that would double my work. it took me quite a while to figure out how to get my system that is off the net to operate without getting reinfected.

building a bart pe scanning media would be easier since if the cd-r is finalized it doesn’t matter if the virus tries to write itself to the end of the disk because the original session is the only valid one when a disk is finalized. plus i can burn to a blank dvd, since only my system has a dvd-rw drive and my parents only have dvd-rom/cd-rw drives that would be foolproof.

Got the log. Thank you. I’ve been going thru it, but beyond those two processes you pointed out, I’m not seeing anything. The CmdLineExt02 seems to be related to gameplay. The C:\Documents is definitely out of place, and I’m suspecting it is a controller process. I suspect that it will re-seed itself as soon as it gets stopped. Before stopping it, I’d like to check the two more common ways of programs getting restarted: the Windows equivalent of a cron job, that Windows knows as a “Scheduled Task”, and a background service.

Windows keeps scheduled tasks in C:\Windows\Tasks. If there is a re-seed task here, it will likely be in one or more hidden files, and kick up every 5 or 10 minutes. Check the folder to see what’s there, and show all file names, extensions, hidden & system files, the whole works. Either move files that look suspicious off to another directory (so you can restore them later, if need be), or rename them so the task scheduler can’t find them. Moving is better than renaming.

Use the GMER “Services” tab to see what services are running. Order by “started” will make searching easier, to find Auto, Boot, and System services. Look at the path names, and see if there is anything unusual. Especially executables running out of \temp folders, or under the “documents and settings” tree.

The goal is to kill the C:\documents process, and its reseeder at the same time. Then it should be possible to get a good for-real DSS scan, and get this malware nailed down.
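The path checks suggested above (executables in \temp folders, under the Documents and Settings tree, or services whose binary is missing) can be run mechanically over a HijackThis log. The script below is an added illustration, not something posted in this thread; its sample lines are constructed from paths quoted in the thread, except the "(no name)" service line, which is invented, and the three heuristics are my own reading of the advice above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the HijackThis lines posted in this thread.
# Paths are lifted from the thread's logs and service list; the "(no name)"
# service line is invented to show a service whose binary sits in %TEMP%.
SAMPLE_LOG = r"""
Running processes:
F:\WINDOWS\system32\svchost.exe
F:\Documents and Settings\ryan\Application Data\Opera\Opera\nyet.exe
F:\DOCUME~1\ryan\LOCALS~1\Temp\gotc.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [HXDL.EXE] F:\Program Files\Cosmi\HelpExpress\HXDL.EXE -run
O23 - Service: McAfee Application Installer Cleanup (0149351197866411mcinstcleanup) - Unknown owner - F:\WINDOWS\TEMP\014935~1.EXE (file missing)
O23 - Service: BOCore - COMODO - F:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: (no name) - Unknown owner - C:\docume~1\ryan\locals~1\temp\pbt.exe
"""

# First drive-letter path ending in an executable extension. Non-greedy so a
# trailing argument list or "(file missing)" marker is not swallowed.
DRIVE_PATH = re.compile(
    r'[A-Za-z]:\\[^"<>|]*?\.(?:exe|dll|com|bat|cmd|scr|pif)\b', re.IGNORECASE
)


def line_kind(line: str) -> Optional[str]:
    """Classify the HijackThis line types we care about; None for anything else."""
    if line.startswith("O4 - "):
        return "run-key"
    if line.startswith("O23 - Service:"):
        return "service"
    if re.match(r"^[A-Za-z]:\\", line):  # bare path under "Running processes:"
        return "process"
    return None


def extract_path(line: str) -> Optional[str]:
    """Return the first full executable path on the line, or None."""
    m = DRIVE_PATH.search(line)
    return m.group(0) if m else None


def reasons_for(path: str, line: str) -> List[str]:
    """Heuristics (assumed, from the advice in this thread) that make an entry worth a look."""
    low = path.lower()
    reasons = []
    if "\\temp\\" in low or "\\tmp\\" in low:
        reasons.append("executable lives in a temp folder")
    # Both the long name and the 8.3 short name of the profile tree.
    if "\\documents and settings\\" in low or "\\docume~1\\" in low:
        reasons.append("executable lives under the user-profile tree")
    if "(file missing)" in line.lower():
        reasons.append("service binary is missing on disk")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Walk a HijackThis-style log and collect entries that trip a heuristic."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        kind = line_kind(line)
        if kind is None:
            continue
        path = extract_path(line)
        if path is None:  # e.g. "[SoundMan] SOUNDMAN.EXE" with no full path
            continue
        reasons = reasons_for(path, line)
        if reasons:
            findings.append({"kind": kind, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:8} {f['path']}")
        for r in f["reasons"]:
            print(f"         - {r}")
```

A hit only means "look at this entry"; entries such as a vendor's own installer cleanup service in \WINDOWS\TEMP are expected, and the hidden C:\Documents process from the GMER output will not appear in a HijackThis log at all.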

here’s the thing… i dont own a copy of unreal tournament, much less play it. that was the first google link for the file.

Not knowing your hardware, I don’t know if this would make sense. But would it be possible to move the cd-r burner to your working machine? Just for a while, to get a clean bartpe build.

Running a disk as a slave drive is a safe thing to do, so long as you are very very careful not to run anything from the slave drive itself. In a FreeBSD environment, the equivalent would be a “mount -o noexec”. To my knowledge, Windows has no such equivalent, so it would mean running very carefully. The cd-r would be safer, if you can get one.

That makes it a removal target. When c:\Documents goes out, the cmdlineext02 is going to go with it. These two may be working together to prevent either from being stopped. So a straightforward process-kill may not work. It’s going to take trying it to find out.

found a few services.
C:\docume~1\ryan\locals~1\temp\ehsxbupoyf.exe
C:\docume~1\ryan\locals~1\temp\gotc.exe
C:\docume~1\ryan\locals~1\temp\pbt.exe

yes and the first thing windows does when a slave drive is attached is to auto run the drive, well at least with the usb drive thing, no clue what windows does on startup when it detects a slave drive.

well here’s the thing windows keeps saying that dll and that directory don’t exist when i try to delete them or go to that directory. but the rootkit scanner found them… as far as making a secure barts pe goes, i just will use vmware to dl and burn the files needed on the bart’s pe and burn them from my clean machine at home. because of the way vmware works even if the virus wanted to ■■■■■ this up it couldn’t because vmware clearly shows if the cdr is attached (for use with vmware) or ‘detached’ for use with the host os. a cdr can only be used by 1 application at a time and since vmware totally locks the drive from any other process not even the worst virus can infect the cd-r while vmware has the drive in its control. that was how i made a ‘clean’ driver disk on a system with a rootkit in the first place. but barts pe needs to run from windows so that i have to do at home. it’s the only system i know is clean.

(vmware is a big dl and so is a ‘linux’ vmware appliance, but both dls are ‘free’ for non commercial use, the second being completely free (although a vmware appliance is just a bunch of files without the app to run it) ) i was about to run the scanning programs on my dad’s pc (the slow one) ill post logs when they finish.

So much for the slave drive thought. You’re right, in that the cd-r is the way to go. And it sounds like you’ve got a workaround thru the VM to keep the malware at bay.

The rootkit stuff isn’t letting you get to the c:\documents stuff, but it’s there. Having found those services, and the two processes, we can probably disable the rootkit to get rid of it.

Download “OTMoveit by Oldtimer” from http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Give it these 5 pathnames:

C:\docume~1\ryan\locals~1\temp\ehsxbupoyf.exe
C:\docume~1\ryan\locals~1\temp\gotc.exe
C:\docume~1\ryan\locals~1\temp\pbt.exe
C:\DOCUME~1\Ryan\LOCALS~1\Temp\CmdLineExt02.dll
C:\Documents

Run the program, and it will undoubtedly ask you to reboot. That’s when it will move those 5 files off to a backup directory. It will create a log and backup directory in c:\_OTMoveit.

After the reboot, do a Deckard’s scan. There should be something more observable than what there has been, if the rootkit has been disabled.

good news. opera still loads this page, although ie blocks it (w/ default ‘no page’ error)
had opera installed on dad’s pc because i thought it was faster than ie with his low ram.

here are the logs.
Deckard’s System Scanner v20071014.68
Run by ryan on 2007-12-16 20:58:29
Computer is in Normal Mode.

– System Restore --------------------------------------------------------------

Successfully created a Deckard’s System Scanner Restore Point.

– Last 5 Restore Point(s) –
78: 2007-12-17 04:59:08 UTC - RP152 - Deckard’s System Scanner Restore Point
77: 2007-12-15 07:32:50 UTC - RP151 - System Checkpoint
76: 2007-12-14 06:35:30 UTC - RP150 - System Checkpoint
75: 2007-12-13 05:32:35 UTC - RP149 - System Checkpoint
74: 2007-12-12 04:32:36 UTC - RP148 - System Checkpoint

– First Restore Point –
1: 2007-09-17 14:32:04 UTC - RP75 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 85% (more than 75%).
Total Physical Memory: 256 MiB (512 MiB recommended).

– HijackThis (run as ryan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:47 PM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\LEXBCES.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\LEXPPS.EXE
F:\Program Files\Comodo\CBOClean\BOCORE.exe
F:\Program Files\Comodo\Firewall\cmdagent.exe
F:\Program Files\McAfee\MBK\MBackMonitor.exe
F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
f:\program files\common files\mcafee\mna\mcnasvc.exe
f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
F:\Program Files\McAfee\MPF\MPFSrv.exe
F:\Program Files\McAfee\MSK\MskSrver.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\SiteAdvisor\6172\SAService.exe
F:\WINDOWS\system32\svchost.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
F:\WINDOWS\Explorer.EXE
f:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
F:\Program Files\SiteAdvisor\6172\SiteAdv.exe
F:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
F:\PROGRA~1\Comodo\CBOClean\BOC425.exe
F:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
F:\Program Files\Comodo\Firewall\CPF.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\WINDOWS\system32\taskmgr.exe
F:\Program Files\Opera\Opera.exe
F:\Documents and Settings\ryan\Application Data\Opera\Opera\nyet.exe
F:\Documents and Settings\ryan\Desktop\gmer\gmer.exe
F:\PROGRA~1\TRENDM~1\HIJACK~1\ryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - F:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - f:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - F:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - F:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [FLMK08KB] F:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] F:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [BOC-425] F:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [McAfee Backup] F:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] F:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [mcagent_exe] F:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [COMODO Firewall Pro] "F:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [HXDL.EXE] F:\Program Files\Cosmi\HelpExpress\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE" -run
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E249E087-04D9-408A-8225-7E6BC91415DF}: NameServer = 66.115.71.53,24.196.64.53
O20 - AppInit_DLLs:
O23 - Service: McAfee Application Installer Cleanup (0149351197866411) (0149351197866411mcinstcleanup) - Unknown owner - F:\WINDOWS\TEMP\014935~1.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BOCore - COMODO - F:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - F:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - F:\WINDOWS\system32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - F:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - f:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - F:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - F:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - F:\Program Files\SiteAdvisor\6172\SAService.exe


End of file - 8377 bytes

– File Associations -----------------------------------------------------------

All associations okay.

– Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.

– Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BOCore - f:\program files\comodo\cboclean\bocore.exe <Not Verified; COMODO; COMODO BOClean - Anti-Malware>

S2 0149351197866411mcinstcleanup (McAfee Application Installer Cleanup (0149351197866411)) - f:\windows\temp\014935~1.exe f:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service (file missing)

– Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

– Scheduled Tasks -------------------------------------------------------------

2007-12-15 01:00:17 364 --a------ F:\WINDOWS\Tasks\McDefragTask.job
2007-12-01 01:00:12 366 --a------ F:\WINDOWS\Tasks\McQcTask.job

– Files created between 2007-11-16 and 2007-12-16 -----------------------------

2007-12-16 20:57:47 0 d-------- F:\Program Files\Trend Micro
2007-12-16 20:39:52 0 d-------- F:\WINDOWS\LastGood
2007-11-22 15:37:02 229 --a------ F:\WINDOWS\PowerReg.dat
2007-11-22 15:36:40 0 d-------- F:\Program Files\Hasbro Interactive

– Find3M Report ---------------------------------------------------------------

2007-12-16 20:39:50 0 d-------- F:\Program Files\McAfee
2007-11-23 08:29:22 0 d-------- F:\Documents and Settings\ryan\Application Data\Comodo
2007-11-23 07:20:25 0 d-------- F:\Program Files\Comodo
2007-11-18 07:48:21 0 d-------- F:\Program Files\Common Files\McAfee
2007-11-05 22:55:26 0 d-------- F:\Program Files\Common Files\Adobe

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
09/19/2007 06:15 AM 329032 --a------ f:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SoundMan”=“SOUNDMAN.EXE” [01/09/2004 01:54 AM F:\WINDOWS\SOUNDMAN.EXE]
“ATICCC”=“F:\Program Files\ATI Technologies\ATI.ACE\cli.exe” [01/02/2006 03:41 PM]
“FLMK08KB”=“F:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE” [07/15/2007 06:09 PM]
“SunJavaUpdateSched”=“F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” [07/12/2007 03:00 AM]
“NvCplDaemon”=“F:\WINDOWS\system32\NvCpl.dll” [10/22/2006 11:22 AM]
“nwiz”=“nwiz.exe” [10/22/2006 11:22 AM F:\WINDOWS\system32\nwiz.exe]
“NvMediaCenter”=“F:\WINDOWS\system32\NvMcTray.dll” [10/22/2006 11:22 AM]
“SiteAdvisor”=“F:\Program Files\SiteAdvisor\6172\SiteAdv.exe” [03/30/2007 07:42 AM]
“BOC-425”=“F:\PROGRA~1\Comodo\CBOClean\BOC425.exe” [08/08/2007 06:49 PM]
“WinampAgent”=“F:\Program Files\Winamp\winampa.exe” [05/14/2007 02:22 PM]
“McAfee Backup”=“F:\Program Files\McAfee\MBK\McAfeeDataBackup.exe” [01/16/2007 12:59 PM]
“MBkLogOnHook”=“F:\Program Files\McAfee\MBK\LogOnHook.exe” [01/08/2007 10:22 AM]
“Adobe Photo Downloader”=“F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe” [03/09/2007 11:09 AM]
“mcagent_exe”=“F:\Program Files\McAfee.com\Agent\mcagent.exe” [08/03/2007 10:33 PM]
“COMODO Firewall Pro”=“F:\Program Files\Comodo\Firewall\CPF.exe” [11/23/2007 09:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“HXDL.EXE”=“F:\Program Files\Cosmi\HelpExpress\HXDL.exe” []
“ctfmon.exe”=“F:\WINDOWS\system32\ctfmon.exe” [02/28/2006 04:00 AM]
“swg”=“F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [08/18/2007 09:35 AM]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]
Microsoft Office.lnk - F:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 12:15:54 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
“appinit_dlls”=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=“”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=“”

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cdf0fe4-5776-11dc-b872-0004615d60ab}]
AutoRun\command- E:\LaunchU3.exe -a

Newly Created Service - GMER

– End of Deckard’s System Scanner: finished at 2007-12-16 21:07:33 ------------

Deckard’s System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

– System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 255.48 MiB / 119.64 MiB
Pagefile Memory (total/avail): 636.16 MiB / 132.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.96 MiB

A: is Removable (No Media)
D: is CDROM (No Media)
F: is Fixed (NTFS) - 37.27 GiB total, 9.09 GiB free.

\\.\PHYSICALDRIVE0 - MAXTOR 6L040J2 - 37.28 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.27 GiB - F:

– Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee) Disabled
FW: COMODO Firewall Pro v2.3.035 (COMODO)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="F:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"

– Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=F:\Documents and Settings\All Users
APPDATA=F:\Documents and Settings\ryan\Application Data
CommonProgramFiles=F:\Program Files\Common Files
COMPUTERNAME=NONE-0BC89BFF5D
ComSpec=F:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=F:
HOMEPATH=\Documents and Settings\ryan
LOGONSERVER=\\NONE-0BC89BFF5D
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=F:\WINDOWS\system32;F:\WINDOWS;F:\WINDOWS\System32\Wbem;F:\Program Files\ATI Technologies\ATI.ACE;F:\Program Files\Common Files\Adaptec Shared\System
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=F:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=F:
SystemRoot=F:\WINDOWS
TEMP=F:\DOCUME~1\ryan\LOCALS~1\Temp
TMP=F:\DOCUME~1\ryan\LOCALS~1\Temp
USERDOMAIN=NONE-0BC89BFF5D
USERNAME=ryan
USERPROFILE=F:\Documents and Settings\ryan
windir=F:\WINDOWS

– User Profiles ---------------------------------------------------------------

roy and dena
ryan
Administrator (new local, admin)

– Add/Remove Programs ---------------------------------------------------------

→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 F:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX → F:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.0.8 → MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe® Photoshop® Album Starter Edition 3.2 → MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
ATI - Software Uninstall Utility → F:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center → MsiExec.exe /I{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}
ATI Display Driver → rundll32 F:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Axis & Allies Iron Blitz → F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Hasbro Interactive\Axis & Allies Iron Blitz\Uninst.isu"
BOClean → F:\WINDOWS\UNBOC.EXE
COMODO Firewall Pro → F:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
Easy CD Creator 5 Basic → MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
eMusic - 50 Free MP3 offer → “F:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe”
Google Toolbar for Internet Explorer → MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer → regsvr32 /u /s “f:\program files\google\googletoolbar1.dll”
HijackThis 2.0.2 → “F:\Program Files\Trend Micro\HijackThis\HijackThis.exe” /uninstall
Java™ 6 Update 2 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Lexmark Supplies Monitor → F:\WINDOWS\system32\LXSMUNIN.EXE
Lexmark Z55 → F:\WINDOWS\system32\spool\drivers\w32x86\3\LXAKUN5C.EXE -dLexmark Z55
McAfee SecurityCenter → F:\Program Files\McAfee\MSC\mcuninst.exe
McAfee Uninstall Wizard → F:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /uninstall=1 /interact=1 /script_proactive=0 /start=f:\PROGRA~1\mcafee.com\agent\uninst\comrem.dll::uninstall.htm
Microsoft Office 2000 SR-1 Professional → MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Muiltmedia keyboard utility 1.1 → F:\Program Files\Muiltmedia keyboard utility\1.1\uninst00.exe
NVIDIA Drivers → F:\WINDOWS\system32\nvudisp.exe UninstallGUI
Opera 9.10 → MsiExec.exe /X{5D582D33-EB35-4D77-B7AF-403322D947E6}
Photo Editor Plus → F:\WINDOWS\uninst.exe -f"F:\Program Files\Cosmi\Photo Editor Plus\DeIsL1.isu" -c"F:\Program Files\Cosmi\Photo Editor Plus_ISREG32.DLL"
pic2print → F:\WINDOWS\Unprint.exe F:\WINDOWS\Unprint.log “Uninstall pic2print”
Realtek AC’97 Audio → RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
VIA Rhine-Family Fast Ethernet Adapter → Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VideoLAN VLC media player 0.8.6c → F:\Program Files\VideoLAN\VLC\uninstall.exe
Warcraft III: All Products → F:\WINDOWS\War3Unin.exe F:\WINDOWS\War3Unin.dat
Winamp (remove only) → “F:\Program Files\Winamp\UninstWA.exe”

– Application Event Log -------------------------------------------------------

Event Record #/Type52781 / Error
Event Submitted/Written: 12/16/2007 08:01:38 PM / 12/16/2007 08:01:39 PM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 2460 (0x99c)

Thread address : 0x12209B9C

Thread message :

Build VSCORE.14.0.0.349 / 5100.194
Object being scanned = \Device\HarddiskVolume1\Documents and Settings\ryan\Desktop\CFP_Setup_3.0.13.268_XP_Vista_x32.exe
by F:\WINDOWS\Explorer.EXE
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Event Record #/Type52771 / Error
Event Submitted/Written: 11/29/2007 06:06:19 PM / 11/29/2007 06:06:21 PM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 2896 (0xb50)

Thread address : 0x7C90EB94

Thread message :

Build VSCORE.14.0.0.349 / 5100.194
Object being scanned = \Device\HarddiskVolume1\Documents and Settings\ryan\Desktop\CFP_Setup_3.0.13.268_XP_Vista_x32.exe
by F:\WINDOWS\Explorer.EXE
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Event Record #/Type52770 / Error
Event Submitted/Written: 11/29/2007 05:13:02 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16544, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type52759 / Error
Event Submitted/Written: 11/23/2007 09:42:55 AM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 1072 (0x430)

Thread address : 0x12209B9C

Thread message :

Build VSCORE.14.0.0.349 / 5100.194
Object being scanned = \Device\HarddiskVolume1\Documents and Settings\ryan\Desktop\CFP_Setup_3.0.13.268_XP_Vista_x32.exe
by F:\WINDOWS\Explorer.EXE
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Event Record #/Type52752 / Error
Event Submitted/Written: 11/23/2007 09:14:56 AM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 1096 (0x448)

Thread address : 0x12209B9C

Thread message :

Build VSCORE.14.0.0.349 / 5100.194
Object being scanned = \Device\HarddiskVolume1\Documents and Settings\ryan\Desktop\CFP_Setup_3.0.13.268_XP_Vista_x32.exe
by F:\WINDOWS\Explorer.EXE
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type3991 / Error
Event Submitted/Written: 12/16/2007 08:23:06 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type3990 / Error
Event Submitted/Written: 12/16/2007 08:23:06 PM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type3989 / Error
Event Submitted/Written: 12/16/2007 08:22:51 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type3988 / Error
Event Submitted/Written: 12/16/2007 08:22:51 PM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type3983 / Error
Event Submitted/Written: 12/16/2007 08:10:29 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.

-- End of Deckard's System Scanner: finished at 2007-12-16 21:07:33 ------------

[attachment deleted by admin]

Dad's PC: Opera loads here, not sure if it can upload files though. Here's the Deckard's.

Deckard's System Scanner v20071014.68
Run by ryan on 2007-12-16 20:58:29
Computer is in Normal Mode.

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
78: 2007-12-17 04:59:08 UTC - RP152 - Deckard's System Scanner Restore Point
77: 2007-12-15 07:32:50 UTC - RP151 - System Checkpoint
76: 2007-12-14 06:35:30 UTC - RP150 - System Checkpoint
75: 2007-12-13 05:32:35 UTC - RP149 - System Checkpoint
74: 2007-12-12 04:32:36 UTC - RP148 - System Checkpoint

-- First Restore Point --
1: 2007-09-17 14:32:04 UTC - RP75 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 85% (more than 75%).
Total Physical Memory: 256 MiB (512 MiB recommended).

-- HijackThis (run as ryan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:47 PM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\LEXBCES.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\LEXPPS.EXE
F:\Program Files\Comodo\CBOClean\BOCORE.exe
F:\Program Files\Comodo\Firewall\cmdagent.exe
F:\Program Files\McAfee\MBK\MBackMonitor.exe
F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
f:\program files\common files\mcafee\mna\mcnasvc.exe
f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
F:\Program Files\McAfee\MPF\MPFSrv.exe
F:\Program Files\McAfee\MSK\MskSrver.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\SiteAdvisor\6172\SAService.exe
F:\WINDOWS\system32\svchost.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
F:\WINDOWS\Explorer.EXE
f:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
F:\Program Files\SiteAdvisor\6172\SiteAdv.exe
F:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
F:\PROGRA~1\Comodo\CBOClean\BOC425.exe
F:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
F:\Program Files\Comodo\Firewall\CPF.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\WINDOWS\system32\taskmgr.exe
F:\Program Files\Opera\Opera.exe
F:\Documents and Settings\ryan\Application Data\Opera\Opera\nyet.exe
F:\Documents and Settings\ryan\Desktop\gmer\gmer.exe
F:\PROGRA~1\TRENDM~1\HIJACK~1\ryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - F:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - f:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - F:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - F:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [FLMK08KB] F:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] F:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [BOC-425] F:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [McAfee Backup] F:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] F:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [mcagent_exe] F:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [COMODO Firewall Pro] "F:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [HXDL.EXE] F:\Program Files\Cosmi\HelpExpress\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE" -run
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E249E087-04D9-408A-8225-7E6BC91415DF}: NameServer = 66.115.71.53,24.196.64.53
O20 - AppInit_DLLs:
O23 - Service: McAfee Application Installer Cleanup (0149351197866411) (0149351197866411mcinstcleanup) - Unknown owner - F:\WINDOWS\TEMP\014935~1.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BOCore - COMODO - F:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - F:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - F:\WINDOWS\system32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - F:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - f:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - F:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - F:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - F:\Program Files\SiteAdvisor\6172\SAService.exe


End of file - 8377 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BOCore - f:\program files\comodo\cboclean\bocore.exe <Not Verified; COMODO; COMODO BOClean - Anti-Malware>

S2 0149351197866411mcinstcleanup (McAfee Application Installer Cleanup (0149351197866411)) - f:\windows\temp\014935~1.exe f:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-12-15 01:00:17 364 --a------ F:\WINDOWS\Tasks\McDefragTask.job
2007-12-01 01:00:12 366 --a------ F:\WINDOWS\Tasks\McQcTask.job

-- Files created between 2007-11-16 and 2007-12-16 -----------------------------

2007-12-16 20:57:47 0 d-------- F:\Program Files\Trend Micro
2007-12-16 20:39:52 0 d-------- F:\WINDOWS\LastGood
2007-11-22 15:37:02 229 --a------ F:\WINDOWS\PowerReg.dat
2007-11-22 15:36:40 0 d-------- F:\Program Files\Hasbro Interactive

-- Find3M Report ---------------------------------------------------------------

2007-12-16 20:39:50 0 d-------- F:\Program Files\McAfee
2007-11-23 08:29:22 0 d-------- F:\Documents and Settings\ryan\Application Data\Comodo
2007-11-23 07:20:25 0 d-------- F:\Program Files\Comodo
2007-11-18 07:48:21 0 d-------- F:\Program Files\Common Files\McAfee
2007-11-05 22:55:26 0 d-------- F:\Program Files\Common Files\Adobe

-- Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
09/19/2007 06:15 AM 329032 --a------ f:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [01/09/2004 01:54 AM F:\WINDOWS\SOUNDMAN.EXE]
"ATICCC"="F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [01/02/2006 03:41 PM]
"FLMK08KB"="F:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE" [07/15/2007 06:09 PM]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 03:00 AM]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [10/22/2006 11:22 AM]
"nwiz"="nwiz.exe" [10/22/2006 11:22 AM F:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="F:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 11:22 AM]
"SiteAdvisor"="F:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [03/30/2007 07:42 AM]
"BOC-425"="F:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [08/08/2007 06:49 PM]
"WinampAgent"="F:\Program Files\Winamp\winampa.exe" [05/14/2007 02:22 PM]
"McAfee Backup"="F:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [01/16/2007 12:59 PM]
"MBkLogOnHook"="F:\Program Files\McAfee\MBK\LogOnHook.exe" [01/08/2007 10:22 AM]
"Adobe Photo Downloader"="F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"mcagent_exe"="F:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 10:33 PM]
"COMODO Firewall Pro"="F:\Program Files\Comodo\Firewall\CPF.exe" [11/23/2007 09:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HXDL.EXE"="F:\Program Files\Cosmi\HelpExpress\HXDL.exe" []
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [02/28/2006 04:00 AM]
"swg"="F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/18/2007 09:35 AM]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]
Microsoft Office.lnk - F:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 12:15:54 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
“appinit_dlls”=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=“”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=“”

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cdf0fe4-5776-11dc-b872-0004615d60ab}]
AutoRun\command- E:\LaunchU3.exe -a

Newly Created Service - GMER

-- End of Deckard's System Scanner: finished at 2007-12-16 21:07:33 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron(tm)
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 255.48 MiB / 119.64 MiB
Pagefile Memory (total/avail): 636.16 MiB / 132.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.96 MiB

A: is Removable (No Media)
D: is CDROM (No Media)
F: is Fixed (NTFS) - 37.27 GiB total, 9.09 GiB free.

\.\PHYSICALDRIVE0 - MAXTOR 6L040J2 - 37.28 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.27 GiB - F:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee) Disabled
FW: COMODO Firewall Pro v2.3.035 (COMODO)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="F:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=F:\Documents and Settings\All Users
APPDATA=F:\Documents and Settings\ryan\Application Data
CommonProgramFiles=F:\Program Files\Common Files
COMPUTERNAME=NONE-0BC89BFF5D
ComSpec=F:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=F:
HOMEPATH=\Documents and Settings\ryan
LOGONSERVER=\NONE-0BC89BFF5D
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=F:\WINDOWS\system32;F:\WINDOWS;F:\WINDOWS\System32\Wbem;F:\Program Files\ATI Technologies\ATI.ACE;F:\Program Files\Common Files\Adaptec Shared\System
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=F:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=F:
SystemRoot=F:\WINDOWS
TEMP=F:\DOCUME~1\ryan\LOCALS~1\Temp
TMP=F:\DOCUME~1\ryan\LOCALS~1\Temp
USERDOMAIN=NONE-0BC89BFF5D
USERNAME=ryan
USERPROFILE=F:\Documents and Settings\ryan
windir=F:\WINDOWS

-- User Profiles ---------------------------------------------------------------

roy and dena I[/I]
ryan I[/I]
Administrator (new local, admin)

-- Add/Remove Programs ---------------------------------------------------------

→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 F:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX → F:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.0.8 → MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe® Photoshop® Album Starter Edition 3.2 → MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
ATI - Software Uninstall Utility → F:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center → MsiExec.exe /I{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}
ATI Display Driver → rundll32 F:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Axis & Allies Iron Blitz → F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Hasbro Interactive\Axis & Allies Iron Blitz\Uninst.isu"
BOClean → F:\WINDOWS\UNBOC.EXE
COMODO Firewall Pro → F:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
Easy CD Creator 5 Basic → MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
eMusic - 50 Free MP3 offer → "F:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe"
Google Toolbar for Internet Explorer → MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer → regsvr32 /u /s “f:\program files\google\googletoolbar1.dll”
HijackThis 2.0.2 → "F:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java(TM) 6 Update 2 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Lexmark Supplies Monitor → F:\WINDOWS\system32\LXSMUNIN.EXE
Lexmark Z55 → F:\WINDOWS\system32\spool\drivers\w32x86\3\LXAKUN5C.EXE -dLexmark Z55
McAfee SecurityCenter → F:\Program Files\McAfee\MSC\mcuninst.exe
McAfee Uninstall Wizard → F:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /uninstall=1 /interact=1 /script_proactive=0 /start=f:\PROGRA~1\mcafee.com\agent\uninst\comrem.dll::uninstall.htm
Microsoft Office 2000 SR-1 Professional → MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Muiltmedia keyboard utility 1.1 → F:\Program Files\Muiltmedia keyboard utility\1.1\uninst00.exe
NVIDIA Drivers → F:\WINDOWS\system32\nvudisp.exe UninstallGUI
Opera 9.10 → MsiExec.exe /X{5D582D33-EB35-4D77-B7AF-403322D947E6}
Photo Editor Plus → F:\WINDOWS\uninst.exe -f"F:\Program Files\Cosmi\Photo Editor Plus\DeIsL1.isu" -c"F:\Program Files\Cosmi\Photo Editor Plus\_ISREG32.DLL"
pic2print → F:\WINDOWS\Unprint.exe F:\WINDOWS\Unprint.log "Uninstall pic2print"
Realtek AC'97 Audio → RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
VIA Rhine-Family Fast Ethernet Adapter → Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VideoLAN VLC media player 0.8.6c → F:\Program Files\VideoLAN\VLC\uninstall.exe
Warcraft III: All Products → F:\WINDOWS\War3Unin.exe F:\WINDOWS\War3Unin.dat
Winamp (remove only) → "F:\Program Files\Winamp\UninstWA.exe"

-- Application Event Log -------------------------------------------------------

Event Record #/Type52781 / Error
Event Submitted/Written: 12/16/2007 08:01:38 PM / 12/16/2007 08:01:39 PM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 2460 (0x99c)

Thread address : 0x12209B9C

Thread message :

Build VSCORE.14.0.0.349 / 5100.194
Object being scanned = \Device\HarddiskVolume1\Documents and Settings\ryan\Desktop\CFP_Setup_3.0.13.268_XP_Vista_x32.exe
by F:\WINDOWS\Explorer.EXE
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Event Record #/Type52771 / Error
Event Submitted/Written: 11/29/2007 06:06:19 PM / 11/29/2007 06:06:21 PM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 2896 (0xb50)

Thread address : 0x7C90EB94

Thread message :

Build VSCORE.14.0.0.349 / 5100.194
Object being scanned = \Device\HarddiskVolume1\Documents and Settings\ryan\Desktop\CFP_Setup_3.0.13.268_XP_Vista_x32.exe
by F:\WINDOWS\Explorer.EXE
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Event Record #/Type52770 / Error
Event Submitted/Written: 11/29/2007 05:13:02 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16544, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type52759 / Error
Event Submitted/Written: 11/23/2007 09:42:55 AM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 1072 (0x430)

Thread address : 0x12209B9C

Thread message :

Build VSCORE.14.0.0.349 / 5100.194
Object being scanned = \Device\HarddiskVolume1\Documents and Settings\ryan\Desktop\CFP_Setup_3.0.13.268_XP_Vista_x32.exe
by F:\WINDOWS\Explorer.EXE
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Event Record #/Type52752 / Error
Event Submitted/Written: 11/23/2007 09:14:56 AM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 1096 (0x448)

Thread address : 0x12209B9C

Thread message :

Build VSCORE.14.0.0.349 / 5100.194
Object being scanned = \Device\HarddiskVolume1\Documents and Settings\ryan\Desktop\CFP_Setup_3.0.13.268_XP_Vista_x32.exe
by F:\WINDOWS\Explorer.EXE
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type3991 / Error
Event Submitted/Written: 12/16/2007 08:23:06 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type3990 / Error
Event Submitted/Written: 12/16/2007 08:23:06 PM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type3989 / Error
Event Submitted/Written: 12/16/2007 08:22:51 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type3988 / Error
Event Submitted/Written: 12/16/2007 08:22:51 PM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type3983 / Error
Event Submitted/Written: 12/16/2007 08:10:29 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.

-- End of Deckard's System Scanner: finished at 2007-12-16 21:07:33 ------------

Here's the GMER file.

[attachment deleted by admin]
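One way to do a first machine pass over a HijackThis log like the one posted above, as an added example for this thread (it is not HijackThis, DSS or any poster's code). The sample lines are copied from the posted log; the rules (binaries under a user profile or a temp directory, services whose file is missing or whose owner HijackThis could not identify, auto-start entries given as a bare name that the search path resolves) are this example's own assumptions. A flag means "look at this entry by hand", not "this is malicious": gmer.exe sitting on the Desktop trips the same rule that an unwanted binary in the profile would.

```python
"""Heuristic triage of HijackThis-style log lines: the "Running processes"
list plus O4 (Run keys) and O23 (services) entries.

Added example for this thread, not HijackThis or DSS code. The sample lines
are copied from the posted log; the heuristics are this example's own
assumptions, and a flag means "check by hand", not "malicious".
"""
import re
from typing import List, Optional

# Constructed input: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""Running processes:
F:\WINDOWS\System32\smss.exe
F:\Program Files\Comodo\Firewall\cmdagent.exe
F:\Documents and Settings\ryan\Application Data\Opera\Opera\nyet.exe
F:\Documents and Settings\ryan\Desktop\gmer\gmer.exe
F:\PROGRA~1\TRENDM~1\HIJACK~1\ryan.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [HXDL.EXE] F:\Program Files\Cosmi\HelpExpress\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE" -run
O23 - Service: McAfee Application Installer Cleanup (0149351197866411) (0149351197866411mcinstcleanup) - Unknown owner - F:\WINDOWS\TEMP\014935~1.EXE (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - F:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: SiteAdvisor Service - Unknown owner - F:\Program Files\SiteAdvisor\6172\SAService.exe
"""

# Directories where an auto-start or service binary deserves a second look on an
# XP-era box: anything under a user profile, or under a temp directory. These are
# compared against the lower-cased path, so they are written in lower case.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\")
TEMP_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\", "\\locals~1\\temp\\")

PATH_LINE = re.compile(r"^[a-z]:\\", re.I)   # a bare path is a process-list line
O4_LINE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# First executable or DLL in a command line, quoted or not. Unquoted paths with
# spaces work because the lazy match runs up to the first such extension.
BINARY = re.compile(r'"?(?P<bin>[^"]*?\.(?:exe|dll|scr|bat|cmd|pif))\b', re.I)


def executable_of(cmd: str) -> str:
    """Return the file a command line actually loads. For rundll32 the file of
    interest is the DLL argument, not rundll32 itself."""
    cmd = cmd.strip()
    m = BINARY.match(cmd)
    if not m:
        return cmd
    binary = m.group("bin").strip()
    if binary.lower().endswith("rundll32.exe"):
        m2 = BINARY.search(cmd[m.end():])
        if m2:
            binary = m2.group("bin").strip()
    return binary


def flags_for(binary: str, owner: Optional[str], raw_line: str) -> List[str]:
    """Apply the heuristics to one entry; an empty list means unremarkable."""
    path = binary.lower()
    flags = []
    if "(file missing)" in raw_line.lower():
        flags.append("file-missing")          # registered, but nothing on disk
    if not PATH_LINE.match(binary):
        flags.append("bare-name")             # resolved via the search path
    if any(d in path for d in TEMP_DIRS):
        flags.append("temp-dir")
    elif any(d in path for d in USER_WRITABLE):
        flags.append("user-writable-dir")
    if owner is not None and owner.lower() == "unknown owner":
        flags.append("unknown-owner")         # no company name in the binary
    return flags


def triage(log_text: str) -> List[dict]:
    """One record per process / Run entry / service: kind, name, binary, flags."""
    records = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_LINE.match(line):
            records.append({"kind": "process", "name": line.rsplit("\\", 1)[-1],
                            "binary": line, "flags": flags_for(line, None, line)})
            continue
        m = O4_LINE.match(line)
        if m:
            binary = executable_of(m["cmd"])
            records.append({"kind": "O4 " + m["hive"], "name": m["name"],
                            "binary": binary, "flags": flags_for(binary, None, line)})
            continue
        m = O23_LINE.match(line)
        if m:
            binary = executable_of(m["cmd"])
            records.append({"kind": "O23", "name": m["svc"], "binary": binary,
                            "flags": flags_for(binary, m["owner"], line)})
    return records


def flagged(log_text: str) -> List[dict]:
    """Only the records a reviewer should look at by hand."""
    return [r for r in triage(log_text) if r["flags"]]


if __name__ == "__main__":
    for r in flagged(SAMPLE_LOG):
        print(f'{r["kind"]:<14} {", ".join(r["flags"]):<30} {r["binary"]}')
```

Run as a script it prints only the flagged rows. The full log has more entry types (O2 BHOs, O3 toolbars, Global Startup shortcuts) that would each need their own line pattern, and the path rules would need extending for anything not laid out like an XP profile.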

I tried running that program, and it didn't ask to reboot; it simply said the files weren't there. I didn't download the file from VMware first though.

RootkitRevealer ran after a reboot. Here's the log from Mom's PC.

HKLM\SECURITY\Policy\Secrets\SAC* 9/21/2007 12:03 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 9/21/2007 12:03 PM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\Ryan\Local Settings\Temp\vminst.log 12/16/2007 9:14 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temp\vmware-Ryan\vmware-Ryan-3976.log 12/16/2007 9:17 PM 2.46 KB Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\1878HJEO\bullet[1] 12/16/2007 9:14 PM 3.09 KB Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\1878HJEO\dnserror[1] 12/16/2007 9:14 PM 6.38 KB Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\1878HJEO\errorPageStrings[1] 12/16/2007 8:17 PM 850 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\1878HJEO\httpErrorPagesScripts[1] 12/16/2007 9:14 PM 7.40 KB Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\1878HJEO\rss[1].php 12/16/2007 8:52 PM 414 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\1878HJEO\update[1].txt 12/16/2007 9:14 PM 11 bytes Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\2DGF0TCC\background_gradient[1] 12/11/2007 12:21 PM 453 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\2DGF0TCC\bullet[1] 12/11/2007 12:21 PM 3.09 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\2DGF0TCC\info_48[2] 12/11/2007 12:21 PM 6.83 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\2DGF0TCC\tools[1] 12/9/2007 2:15 PM 3.48 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\C9VU92C0\cobia[1].png 12/13/2007 6:09 PM 6.07 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\C9VU92C0\dnserror[1] 12/9/2007 2:15 PM 6.38 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\JBS7N4V6\cot[1].js 12/16/2007 7:33 PM 4.75 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\JBS7N4V6\featuredvm[1].ini 12/16/2007 9:14 PM 334 bytes Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\JBS7N4V6\rss[1].php 12/16/2007 9:24 PM 414 bytes Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\PX3TU5MN\cobia[1].png 12/16/2007 9:14 PM 6.07 KB Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\WW98VFVL\featuredvm[2].ini 12/13/2007 6:09 PM 334 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\WW98VFVL\update[1].txt 12/13/2007 6:09 PM 11 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\YSD21V5W\cot[1].js 12/16/2007 9:24 PM 4.75 KB Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\YSD21V5W\forums_comodo_com[1].htm 12/16/2007 9:24 PM 79.99 KB Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\YSD21V5W\urchin[1].js 12/16/2007 7:33 PM 20.91 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\YSD21V5W\urchin[2].js 12/16/2007 9:24 PM 20.91 KB Hidden from Windows API.
C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmdk.lck 12/16/2007 9:15 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmdk.lck\M16343.lck 12/16/2007 9:15 PM 512 bytes Hidden from Windows API.
C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmem.lck 12/16/2007 9:15 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmem.lck\M08203.lck 12/16/2007 9:15 PM 512 bytes Hidden from Windows API.
C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmx.lck 12/16/2007 9:15 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmx.lck\M44956.lck 12/16/2007 9:15 PM 512 bytes Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1437.xml 11/15/2007 8:14 AM 1.99 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2296.xml 12/15/2007 9:26 PM 43.98 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2298.xml 12/15/2007 9:26 PM 1.46 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2300.xml 12/15/2007 9:26 PM 41.10 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2302.xml 12/15/2007 9:26 PM 3.57 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2304.xml 12/15/2007 9:26 PM 17.58 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2306.xml 12/15/2007 9:26 PM 1.86 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2308.xml 12/15/2007 9:26 PM 1.55 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2310.xml 12/15/2007 9:26 PM 34.50 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2312.xml 12/15/2007 9:26 PM 2.01 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2314.xml 12/15/2007 9:26 PM 528.99 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2316.xml 12/15/2007 9:26 PM 177.61 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2318.xml 12/15/2007 9:26 PM 82.94 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2320.xml 12/15/2007 9:26 PM 316 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2322.xml 12/15/2007 9:26 PM 114.38 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2324.xml 12/15/2007 9:26 PM 48.79 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2326.xml 12/16/2007 9:46 PM 43.98 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2328.xml 12/16/2007 9:46 PM 1.46 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2330.xml 12/16/2007 9:46 PM 41.10 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2332.xml 12/16/2007 9:46 PM 3.57 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2334.xml 12/16/2007 9:46 PM 17.58 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2336.xml 12/16/2007 9:46 PM 1.86 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2337.xml 12/16/2007 9:46 PM 1.99 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2338.xml 12/16/2007 9:46 PM 1.55 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2340.xml 12/16/2007 9:46 PM 34.50 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2342.xml 12/16/2007 9:46 PM 2.01 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2344.xml 12/16/2007 9:46 PM 528.99 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2346.xml 12/16/2007 9:46 PM 193.66 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2347.xml 12/16/2007 9:46 PM 27.66 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2348.xml 12/16/2007 9:46 PM 82.94 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2350.xml 12/16/2007 9:46 PM 1.70 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2351.xml 12/16/2007 9:46 PM 1.83 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2352.xml 12/16/2007 9:46 PM 95.55 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2353.xml 12/16/2007 9:46 PM 23.95 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2354.xml 12/16/2007 9:46 PM 44.04 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2355.xml 12/16/2007 9:46 PM 12.30 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_315.xml 10/2/2007 8:50 PM 2.69 KB Visible in Windows API, but not in MFT or directory index.