Author Topic: [Inactive] Got 'Antivirus Soft' malware...  (Read 4933 times)

Offline cshaw

  • Bronze Member
  • Posts: 38
Re: [Inactive] Got 'Antivirus Soft' malware...
« Reply #45 on: March 04, 2010, 02:01:01 PM »
Hello,
Okay, I've followed your instructions, and there's just a few issues I was wondering about.

- In the %Temp% folder, it said that there were 2 hidden files which I'd have to change the settings to delete.  I haven't done that, because I thought I'd check with you first.  Also, there were two files it would not delete, ~DF472E.tmp and ~DFED0p.tmp.  It said they were in use.  I'm going to give it another try in a minute.
I went ahead with the rest of the scans in any case.
- Panda Cloud Antivirus won't connect now; it gives me an error message when I click on it.  Should I try reinstalling it?  If I try to access it through my Start menu, it says I need to sign in, and when I try that, it tells me I'm not connected to the internet, though I clearly am.
- Last night, the computer seemed to be running a bit faster after the scan/defrag/reboot, but then Firefox froze the computer again.  Today, when I restarted, it's been very slow and twice frozen before I was able to get Firefox open. 

I'm wondering if I ought to delete both the hidden temp files and the visible ones, then go through the rest of your instructions again?
If the temp files are in use, what can I do to figure out what's using them and halt it?

Thanks so much,
Candace

Offline cshaw

  • Bronze Member
  • Posts: 38
Re: [Inactive] Got 'Antivirus Soft' malware...
« Reply #46 on: March 04, 2010, 02:08:47 PM »
Okay, I've changed the settings so that I can see hidden files, and they are:
- etilqs_aJDnr3QHOten1xbQljl
- etilqs_aJDnr3QH0ten1xbQljks-journal

Not sure if that's any help!

I'll wait until I've heard from you to do anything else.
Thanks!
Candace

Offline cshaw

  • Bronze Member
  • Posts: 38
Re: [Inactive] Got 'Antivirus Soft' malware...
« Reply #47 on: March 04, 2010, 02:10:30 PM »
Sorry, one more stupid question - I'm now seeing loads of .tmp files on my desktop that were hidden before. Is that normal? 

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Inactive] Got 'Antivirus Soft' malware...
« Reply #48 on: March 04, 2010, 05:23:37 PM »
These are fine to leave as they are...they relate to SQLite:
- etilqs_aJDnr3QHOten1xbQljl
- etilqs_aJDnr3QH0ten1xbQljks-journal

...the files in use by Windows should not be deleted. You won't be able to delete them until they expire tomorrow. Don't concern yourself about doing that again tomorrow, it's not necessary.

What temp files are now appearing on your desktop?
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline cshaw

  • Bronze Member
  • Posts: 38
Re: [Inactive] Got 'Antivirus Soft' malware...
« Reply #49 on: March 04, 2010, 06:02:26 PM »
I 'unhid' all hidden files, so now I see a bunch of Word docs, and a bunch of .tmp files - about 18 files in all, on my desktop.

I'm also having all of the same problems, still:
- Firefox freezes, and with it the whole computer - can't access Start menu, cntl-alt-dlt does nothing, have to reboot the computer with the switch.
- on reboot, Windows is very slow to start - the taskbar and Start Menu/clock will appear, but the desktop icons take a few minutes.  The desktop usually shows the 'Active Desktop Recovery' screen.
- Firefox takes a long time to start up.
- Panda isn't working, gives me an 'Unexpected error.  Error Code 11.' message when I click on it.

Is there anything we can do to get the computer back to a state where I can use it for longer than 15 minutes at a time?

Thanks!
Candace

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Inactive] Got 'Antivirus Soft' malware...
« Reply #50 on: March 04, 2010, 07:49:13 PM »
How long have you used Registry Mechanic 9.0? Sounds like you may have removed things you shouldn't have. Restore any backups that it created and uninstall it.

Update your antivirus product. Boot to safe mode and perform a complete system scan. Allow the software to quarantine whatever it complains of. Reboot when finished. Post back the results.
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.


Offline cshaw

  • Bronze Member
  • Posts: 38
Re: [Inactive] Got 'Antivirus Soft' malware...
« Reply #51 on: March 05, 2010, 04:59:49 PM »
I've had Registry Mechanic on my computer for a while, but had been running it more lately.

I restored to a Feb 3 2010 backup.  At that point, the computer got even slower.

New issues:
- computer sometimes freezes while booting up, while Windows is loading but before the screen where you choose which account to sign in under or just as I reach that screen.  I've been pressing F8 and going in through the 'most recent successful settings' which has been at least getting me into Windows.
- Panda won't start, and when I try to sign in it tells me I don't have an internet connection.  When I tried downloading and reinstalling the software, I end up getting an error message in Spanish telling me that it can't uninstall the old version.  When I try using CCleaner to  uninstall it, I get the same message in Spanish.
- I downloaded and installed AVG Free, and ran a scan.  It froze, having identified issues with about 204 files that were in the Panda Cloud Antivirus folder.  I tried running it in Safe Mode, but it does a 'Command Line' scan, and seemed to finish without any messages. 
I've run it a few more times in regular mode, and each time it freezes sometimes after finding about 204 files.  I tried stopping the scan at 202, and it said that it had dealt with the files it found and needed to reboot, which I did.  On the next scan, it found the same (I think) 204 files and then froze.

Any suggestions are very much appreciated.
Thanks,
Candace

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Inactive] Got 'Antivirus Soft' malware...
« Reply #52 on: March 05, 2010, 06:17:15 PM »
Quote
I restored to a Feb 3 2010 backup.  At that point, the computer got even slower.
You keep going from bad to worse lol...what you did was to restore all the malware that was removed.

What I said was:

"Restore any backups that it created and uninstall it"...the word "it" refers to the object in the previous sentence. What I suggested was to restore the backups that were made by the software Registry Mechanic.

Allow me to explain myself in detail. A program such as registry mechanic is quite notorious for causing some heartburn for many users who go about happily clicking away the "OK" button to remove the registry entries it presents during a scan.

Those entries, in spite of what the software tells you, should be researched to verify that they are indeed "safe to remove". I have seen some users chop the legs off their systems with such programs and ended up turning their computers into something on the order of just a very expensive paper weight.

I have played with such software myself for testing purposes. In one instance I can vouch for, I was presented with a scan result which recommended removing a certain registry key with the term "safe to remove" having labeled the key as "Orphaned". Once removed, I would have found that the next time I tried to start my printer, it would have just sat there like a deaf mute.

You have complained of such things as "not responding" and "slow performance"...and, although the same types of behavior are from having a badly fragmented disk, the fact is it can also be from having badly hacked away at your registry.

I would suggest we start this over by performing another "system restore", which is what I think you are saying you did back to February...and select the "undo previous" if it's still there. Otherwise, try to restore using the latest date which should put you back where you were before you restored to February.

When you finish kiddo, post back so we can pick this up where we left off.
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.


Offline cshaw

  • Bronze Member
  • Posts: 38
Re: [Inactive] Got 'Antivirus Soft' malware...
« Reply #53 on: March 05, 2010, 06:44:56 PM »
Okay - I'm confused.

I restored a Feb 3 backup in Registry Mechanic; that was the last backup prior to finding the malware. If that isn't what you wanted me to do, I really don't understand what it was that you were asking.  And I don't understand what you are asking me to do now.   
I understand that anything deleting registry files can mess up your computer; this particular program was recommended to me, and I guess it was a bad piece of advice; fair enough.
In any event, Registry Mechanic won't open now, so I can't make any changes.
What should I do?

Thanks so much for all of this.
C   

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Inactive] Got 'Antivirus Soft' malware...
« Reply #54 on: March 05, 2010, 06:53:21 PM »
OK, let's open registry mechanic and find every single backup entry it made. Restore each one of them until there are none left. At this point, uninstall registry mechanic and reboot. Next, please follow the instructions in the added edit below...

Edit added:
In spite of this entry having been reported in your last combofix log:
original MBR restored successfully !
...I suspect you are nonetheless harboring one of the latest variants of the MBR rootkit.


Please download HelpAsst_mebroot_fix.exe  by noahdfear, save it to your desktop.
  • Double-click on it to run the tool.
  • HelpAsst fix will create a log when done.
  • Copy and paste the contents of that log into your next reply.
Please download Profiles.exe  by noahdfear and save it to your desktop.
  • Double-click profiles.exe to run the tool.
  • Profiles.exe will create a log when done.
  • Copy and paste the contents of that log into your next reply.
Please download mbr.exe  and save it to your desktop <- (Important!).
  • Double-click on mbr.exe and allow the mbr.sys driver to load if asked.
  • A black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved on your desktop.
  • Copy and paste the results of the mbr.log in your next reply.
Reports/logs to post in your next reply:
  • HelpAsst
  • ProfileList log
  • mbr.log
« Last Edit: March 05, 2010, 09:07:28 PM by 1972vet »
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.
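
As an added illustration (not part of the thread, and not code from ComboFix or the tools named above), the script below triages ComboFix-style log text for the lines that bear on the rootkit suspicion in this reply: Security Center overrides, a disabled Windows Firewall, globally opened ports, and an unattributed entry in the MBR detector's call chain. The sample log is constructed, the rule names are hypothetical, and the line formats are assumed to match what ComboFix prints.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    rule: str    # hypothetical rule name, chosen for this example
    detail: str  # value name, port, or address taken from the log line


# Constructed sample, modelled on the ComboFix log layout; not a real log.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"50001:TCP"= 50001:TCP:Services

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x00000000]<<
kernel: MBR read successfully
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')
ENABLE_FW_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")

OVERRIDES = ("AntiVirusOverride", "FirewallOverride")


def triage(log_text: str) -> List[Finding]:
    """Return the log lines a reviewer should look at first, in log order."""
    findings: List[Finding] = []
    key = ""  # registry key of the section currently being read, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            key = ""  # sections in the log are separated by blank lines
            continue
        header = KEY_RE.match(line)
        if header:
            key = header.group(1).lower()
            continue

        # MBR detector: a call-chain entry that maps to no named module.
        if line.startswith("called modules:"):
            for addr in UNKNOWN_RE.findall(line):
                findings.append(Finding("mbr-unknown-module", addr))
            continue

        if key.endswith(r"\security center"):
            # Non-zero override: Security Center no longer reports on AV/firewall.
            m = DWORD_RE.match(line)
            if m and m.group(1) in OVERRIDES and int(m.group(2), 16) != 0:
                findings.append(Finding("security-center-override", m.group(1)))
        elif key.endswith(r"\firewallpolicy\standardprofile"):
            m = ENABLE_FW_RE.match(line)
            if m and int(m.group(1)) == 0:
                findings.append(Finding("firewall-disabled", "standardprofile"))
        elif key.endswith(r"\globallyopenports\list"):
            # Every globally opened port is listed so its label can be reviewed.
            m = PORT_RE.match(line)
            if m:
                port, proto, label = m.group(1), m.group(2), m.group(3).strip()
                findings.append(Finding("open-port", f"{port}/{proto} ({label})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:26} {f.detail}")
```

A finding here is a prompt for review, not a verdict: an override or an open port can have a legitimate cause, and the MBR result still needs the dedicated tool logs requested above.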


Offline cshaw

  • Bronze Member
  • Posts: 38
Re: [Inactive] Got 'Antivirus Soft' malware...
« Reply #55 on: March 05, 2010, 10:09:21 PM »
Okay, I had just run a ComboFix scan and hadn't seen your updated instructions, so I'll paste it in below, then give them a go.
Thanks!

ComboFix 10-03-05.01 - Candace 03/05/2010  22:29:57.6.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2558.1759 [GMT -5:00]
Running from: c:\documents and settings\Candace\Desktop\ComboFix.exe
AV:  *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV:  *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

(((((((((((((((((((((((((   Files Created from 2010-02-06 to 2010-03-06  )))))))))))))))))))))))))))))))
.

2010-03-06 01:25 . 2010-03-06 01:25   --------   d-----w-   c:\documents and settings\mdg\Application Data\Apple Computer
2010-03-05 15:56 . 2010-03-05 17:04   --------   d-----w-   C:\$AVG
2010-03-05 15:55 . 2010-03-05 15:55   25608   ----a-w-   c:\windows\system32\drivers\AVGIDSxx.sys
2010-03-05 15:55 . 2010-03-05 15:55   161800   ----a-w-   c:\windows\system32\drivers\avgrkx86.sys
2010-03-05 15:55 . 2010-03-05 15:55   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-03-05 15:55 . 2010-03-05 15:55   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2010-03-05 15:55 . 2010-03-05 15:55   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2010-03-05 15:55 . 2010-03-05 21:48   --------   d-----w-   c:\windows\system32\drivers\Avg
2010-03-05 15:54 . 2010-03-05 15:13   30104   ----a-w-   c:\windows\system32\drivers\avgfwdx.sys
2010-03-05 15:13 . 2010-03-05 15:13   50968   ----a-w-   c:\windows\system32\avgfwdx.dll
2010-03-05 15:13 . 2010-03-05 15:13   --------   d-----w-   c:\program files\AVG
2010-03-05 15:13 . 2010-03-06 01:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
2010-03-03 01:28 . 2010-03-05 15:41   --------   d-----w-   c:\windows\SxsCaPendDel
2010-02-27 20:16 . 2010-02-27 20:16   --------   d-----w-   c:\program files\Trend Micro
2010-02-26 20:50 . 2010-02-26 20:50   --------   d-----w-   c:\program files\TrendMicro
2010-02-26 19:48 . 2010-02-26 19:48   --------   d-----w-   c:\documents and settings\HelpAssistant.MDG-8A316849C7C\WINDOWS
2010-02-26 16:39 . 2010-02-26 16:39   --------   d-----w-   c:\documents and settings\Candace\Application Data\Registry Mechanic
2010-02-25 05:15 . 2010-02-25 05:15   --------   d-----w-   c:\documents and settings\HelpAssistant\UserData
2010-02-25 05:15 . 2010-02-25 05:15   --------   d-----w-   c:\documents and settings\HelpAssistant\PrivacIE
2010-02-25 05:15 . 2010-02-25 05:15   --------   d-----w-   c:\documents and settings\HelpAssistant\IETldCache
2010-02-25 05:05 . 2010-02-25 05:05   --------   d-----w-   c:\documents and settings\HelpAssistant\.DownloadManager
2010-02-04 20:20 . 2010-02-04 20:20   --------   d-----w-   c:\program files\MoRUN.net

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-06 01:50 . 2008-04-01 04:53   --------   d-----w-   c:\program files\Google
2010-03-06 01:30 . 2008-12-07 20:33   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-03-03 01:25 . 2009-10-09 13:41   --------   d-----w-   c:\program files\Xtranormal
2010-03-03 01:21 . 2008-01-26 03:03   --------   d-----w-   c:\program files\Java
2010-03-03 01:18 . 2007-11-25 23:53   --------   d-----w-   c:\program files\Canon
2010-03-03 01:13 . 2009-04-25 06:31   --------   d-----w-   c:\documents and settings\Candace\Application Data\Dropbox
2010-03-03 01:12 . 2009-11-02 21:25   --------   d-----w-   c:\program files\3D Christmas Night Screensaver
2010-03-01 19:07 . 2009-08-17 22:48   --------   d-----w-   c:\program files\WebEx
2010-02-27 19:55 . 2009-09-27 22:27   --------   d-----w-   c:\program files\Hotspot Shield
2010-02-27 18:18 . 2009-11-18 03:45   --------   d-----w-   c:\documents and settings\Candace\Application Data\Skype
2010-02-27 15:01 . 2008-12-07 20:53   --------   d-----w-   c:\documents and settings\Candace\Application Data\skypePM
2010-02-25 17:20 . 2009-09-22 20:40   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-25 15:53 . 2009-09-22 17:03   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-02-25 04:21 . 2009-09-24 21:00   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-02-02 16:06 . 2008-09-16 14:37   --------   d-----w-   c:\program files\iTunes
2010-02-02 16:05 . 2010-02-02 16:05   --------   d-----w-   c:\program files\iPod
2010-02-02 16:05 . 2008-02-09 04:11   --------   d-----w-   c:\program files\Common Files\Apple
2010-02-02 16:00 . 2010-02-02 15:59   --------   d-----w-   c:\program files\QuickTime
2010-01-07 21:07 . 2009-09-22 20:40   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-09-22 20:40   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-07 00:35 . 2010-01-07 00:35   --------   d-----w-   c:\documents and settings\Candace\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2010-01-07 00:34 . 2009-03-18 01:47   --------   d-----w-   c:\program files\Common Files\Adobe AIR
2009-12-31 16:50 . 2004-08-10 12:00   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-10 12:00   916480   ------w-   c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2005-10-25 18:22   343040   ----a-w-   c:\windows\system32\mspaint.exe
2009-12-16 14:48 . 2009-12-16 14:48   102684   ---ha-w-   c:\windows\system32\mlfcache.dat
2009-12-14 07:08 . 2004-08-10 12:00   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-10 12:00   2145280   ------w-   c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59   2023936   ------w-   c:\windows\system32\ntkrnlpa.exe
2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((   SnapShot_2010-03-02_19.50.40   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 01:54 . 2009-07-12 01:54   65536              c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
- 2009-07-12 00:54 . 2009-07-12 00:54   65536              c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
- 2009-07-12 00:32 . 2009-07-12 00:32   49152              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32   49152              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32   49152              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
- 2009-07-12 00:32 . 2009-07-12 00:32   49152              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32   61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
- 2009-07-12 00:32 . 2009-07-12 00:32   61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32   61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
- 2009-07-12 00:32 . 2009-07-12 00:32   61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32   61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
- 2009-07-12 00:32 . 2009-07-12 00:32   61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
- 2009-07-12 00:32 . 2009-07-12 00:32   57344              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32   57344              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
- 2009-07-12 00:32 . 2009-07-12 00:32   65536              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32   65536              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32   45056              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
- 2009-07-12 00:32 . 2009-07-12 00:32   45056              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
- 2009-07-12 00:32 . 2009-07-12 00:32   40960              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32   40960              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-12 06:07 . 2009-07-12 06:07   57856              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
- 2009-07-12 05:07 . 2009-07-12 05:07   57856              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
- 2009-07-12 05:19 . 2009-07-12 05:19   69632              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2009-07-12 06:19 . 2009-07-12 06:19   69632              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2009-07-12 00:41 . 2009-07-12 00:41   97280              c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
- 2009-07-11 23:41 . 2009-07-11 23:41   97280              c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2010-03-06 01:50 . 2010-03-06 01:50   47104              c:\windows\Installer\ffd4a.msi
+ 2010-03-05 15:13 . 2010-03-05 15:13   424448              c:\windows\Installer\e7e10.msi
- 2009-07-12 00:46 . 2009-07-12 00:46   1093120              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-12 01:46 . 2009-07-12 01:46   1093120              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
- 2009-07-12 00:46 . 2009-07-12 00:46   1105920              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
+ 2009-07-12 01:46 . 2009-07-12 01:46   1105920              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2009-11-02 14:00   312576   ----a-w-   c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Pending Delete Icon]
@="{0847B599-9191-4A27-BD61-DE11598D3B1B}"
[HKEY_CLASSES_ROOT\CLSID\{0847B599-9191-4A27-BD61-DE11598D3B1B}]
2009-11-02 14:00   312576   ----a-w-   c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2009-11-02 14:00   312576   ----a-w-   c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-10 8740864]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-18 185872]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"V0420Mon.exe"="c:\windows\V0420Mon.exe" [2007-04-30 32768]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2009-10-30 361728]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-1-13 110592]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=ma_cmidn.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility HW.32.lnk]
backup=c:\windows\pss\Wireless Configuration Utility HW.32.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Configuration Utility HW.32.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-11-19 22:17   133104   ----atw-   c:\documents and settings\Candace\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2008-02-26 01:23   443968   ----a-w-   c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Documents and Settings\\Candace\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Candace\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Documents and Settings\\Candace\\Local Settings\\Apps\\2.0\\CPX7YQZB.RM5\\MNT15V7Z.RHD\\maht..tion_0000000000000000_0002.0006_1347748a011296de\\MahTweets2.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MoRUN.net\\StickerLite\\sticker.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3945:TCP"= 3945:TCP:Services
"4071:TCP"= 4071:TCP:Services

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [3/5/2010 10:55 AM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [3/5/2010 10:55 AM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/5/2010 10:55 AM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/5/2010 10:55 AM 360584]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [10/13/2009 3:50 PM 114312]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/5/2010 10:54 AM 285392]
R2 NanoServiceMain;NanoServiceMain;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [10/30/2009 5:29 PM 136448]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [10/30/2009 4:18 PM 146952]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [10/13/2009 3:50 PM 95880]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [10/13/2009 3:50 PM 101512]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [3/5/2010 10:54 AM 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [3/5/2010 10:54 AM 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [3/5/2010 10:54 AM 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [3/5/2010 10:54 AM 25736]
S2 avgfws9;AVG Firewall;"c:\program files\AVG\AVG9\avgfws9.exe" --> c:\program files\AVG\AVG9\avgfws9.exe [?]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [3/5/2010 10:54 AM 5832712]
S2 gupdate1c893b4620678cd;Google Update Service (gupdate1c893b4620678cd);c:\program files\Google\Update\GoogleUpdate.exe [7/13/2008 9:59 AM 133104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [3/5/2010 10:54 AM 30104]
S3 SIS163u;SiS 163 usb Wireless LAN Adapter Driver;c:\windows\system32\drivers\SiS163u.sys [12/31/2004 4:46 PM 167424]
S3 V0420VID;Live! Cam Vista IM (VF0420);c:\windows\system32\drivers\V0420Vid.sys [9/25/2009 3:30 PM 99648]
.
Contents of the 'Scheduled Tasks' folder

2010-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-02-22 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-10 00:12]

2010-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-13 15:57]

2010-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-13 15:57]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3344883620-3832729900-1966993547-1006Core.job
- c:\documents and settings\Candace\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-07 22:17]

2010-03-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3344883620-3832729900-1966993547-1006UA.job
- c:\documents and settings\Candace\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-07 22:17]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Candace\Application Data\Mozilla\Firefox\Profiles\ce31zdfi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\documents and settings\Candace\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Candace\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-RegistryMechanic - c:\program files\Registry Mechanic\RegMech.exe
Notify-avgrsstarter - avgrsstx.dll
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-05 22:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ADD4048]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb810cf28
\Driver\ACPI -> 0x8add4048
\Driver\atapi -> atapi.sys @ 0xb7f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x89fc9330
 PacketIndicateHandler -> NDIS.sys @ 0xb7e2aa21
 SendHandler -> NDIS.sys @ 0xb7e0887b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x01D1C4581
malicious code @ sector 0x01D1C4584 !
PE file found in sector at 0x01D1C459A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2508)
c:\windows\system32\WININET.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-05  22:59:43
ComboFix-quarantined-files.txt  2010-03-06 03:59
ComboFix2.txt  2010-03-03 05:01
ComboFix3.txt  2010-03-02 19:59
ComboFix4.txt  2009-09-22 19:52

Pre-Run: 88,661,438,464 bytes free
Post-Run: 90,034,561,024 bytes free

- - End Of File - - 80DB23B91B88CEB9A975C3AD20B6C91F

Offline cshaw

  • Bronze Member
  • Posts: 38
Re: [Inactive] Got 'Antivirus Soft' malware...
« Reply #56 on: March 05, 2010, 10:28:31 PM »
Okay; I've run all three.  I can't figure out where the HelpAsst log is - it didn't pop up in Notepad; do you have any idea where it generally saves to?
The other two are below.  Thanks!

Prof.txt:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    DefaultUserProfile  REG_SZ  Default User
    AllUsersProfile  REG_SZ  All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath  REG_EXPAND_SZ  %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
    ProfileImagePath  REG_EXPAND_SZ  %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    ProfileImagePath  REG_EXPAND_SZ  %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3344883620-3832729900-1966993547-1003
    ProfileImagePath  REG_EXPAND_SZ  %SystemDrive%\Documents and Settings\mdg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3344883620-3832729900-1966993547-1006
    ProfileImagePath  REG_EXPAND_SZ  %SystemDrive%\Documents and Settings\Candace

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3344883620-3832729900-1966993547-500
    ProfileImagePath  REG_EXPAND_SZ  %SystemDrive%\Documents and Settings\Administrator

    SystemRoot  REG_SZ  C:\WINDOWS


mbr.log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8add4048
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x89fc9330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x01D1C4581
malicious code @ sector 0x01D1C4584 !
PE file found in sector at 0x01D1C459A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.


Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Inactive] Got 'Antivirus Soft' malware...
« Reply #57 on: March 06, 2010, 04:35:16 AM »
When the HelpAsst_mebroot_fix.exe tool completes it will inform you that either "HelpAssistant was successfully removed", or it may require a reboot. It may also have indicated "HelpAssistant account does not exist" with the instruction to "Press any key to continue..."

Do you recall which it was? Regardless, continue with the below instructions:

Open Windows Explorer and rename the C:\mbr.log to C:\mbrold.txt <- if the extension does not show, you need to Reconfigure Windows to show hidden file extensions for known file types.


Make sure mbr.exe is still on your desktop or the next set of instructions will not work. <- (Important!)

Click start-->Run...then, in the run box, copy/paste the following command:
"%userprofile%\desktop\mbr.exe" -f

Click OK or press Enter, then reboot the computer.
A new report will be created at C:\mbr.log. Please copy and paste the results in your next reply.
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
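For reading the mbr.exe reports posted above, here is an added example (not part of the original posts and not code from the tool's author). It splits the hook lines into those printed as `module @ address` and those printed as a bare address, and collects the flagged sectors and the tool's verdict line. The function and variable names are made up for this sketch, and the sample text is constructed from lines copied out of the two reports in this thread.

```python
import re

# Constructed input: lines copied from the ComboFix report and the mbr.log above.
COMBOFIX_SECTION = r"""detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb810cf28
\Driver\ACPI -> 0x8add4048
\Driver\atapi -> atapi.sys @ 0xb7f11852
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x89fc9330
 PacketIndicateHandler -> NDIS.sys @ 0xb7e2aa21
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x01D1C4581
malicious code @ sector 0x01D1C4584 !
PE file found in sector at 0x01D1C459A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""
STANDALONE_LOG = r"""detected MBR rootkit hooks:
\Driver\ACPI -> 0x8add4048
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0x89fc9330
Warning: possible MBR rootkit infection !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

MODULE_AT = re.compile(r"^\S+ @ 0x[0-9a-fA-F]+$")    # e.g. "atapi.sys @ 0xb7f11852"
BARE_ADDR = re.compile(r"^0x[0-9a-fA-F]+$")          # e.g. "0x8add4048"
SECTOR = re.compile(r"sector (?:at )?(0x[0-9A-Fa-f]+)")

def parse_report(text):
    """Split hook lines by how the target is printed; collect sectors and verdict."""
    report = {"attributed": [], "unattributed": [], "sectors": [], "infected": False}
    for line in text.splitlines():
        # The target is whatever follows the last "->" on the line.
        name, arrow, target = (part.strip() for part in line.rpartition("->"))
        if arrow and MODULE_AT.match(target):
            report["attributed"].append((name, target))
        elif arrow and BARE_ADDR.match(target):
            report["unattributed"].append((name, target))
        else:
            found = SECTOR.search(line)
            if found:
                report["sectors"].append(found.group(1))
        if "MBR rootkit infection detected" in line:
            report["infected"] = True
    return report

if __name__ == "__main__":
    result = parse_report(COMBOFIX_SECTION)
    for name, target in result["unattributed"]:
        print(f"no module name printed: {name} -> {target}")
    print("flagged sectors:", ", ".join(result["sectors"]))
    print("tool verdict: infected" if result["infected"] else "no infection verdict line")
```

Run on the two reports in this thread, the bare-address entries from the ComboFix section are the same two entries that the standalone mbr.log lists. The same function can be pointed at C:\mbrold.txt and the new C:\mbr.log to see whether those entries and the verdict line are still present after the reboot.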

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Inactive] Got 'Antivirus Soft' malware...
« Reply #58 on: March 09, 2010, 09:12:06 PM »
Still with us cshaw?

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Inactive] Got 'Antivirus Soft' malware...
« Reply #59 on: March 10, 2010, 09:57:25 AM »
Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send me a Private Message and I will report the request to one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.