Can't Delete From System Volume Information
Someone (my wife) downloaded something (a virus) onto her laptop running XP Home. Now there are the usual **** icons on the desktop and windows popping up all over the place pretending to be virus scanners. It is not a subtle infection. Unfortunately the CD drive is busted and I can't run my recovery disk to wipe things. I don't think the laptop is worth paying for repair, so I'd like to salvage the current system if possible.
I went into safe mode and ran a manual BitDefender scan. It found many problems and couldn't delete four files. I manually deleted two of the four, but the other two are in the "System Volume Information" folder and XP won't let me open that folder.
This is the part of the manual scan log containing the two bad files:
<AffectedItem itemType ="File" path="C:\System Volume Information\_restore{AA6C8498-140E-441D-9DDE-0826BE9E5F33}\RP230\A0046968.exe=](ZIP Sfx o)=]7.exe" threatType="virus" threatName="BehavesLike:Trojan.Downloader" action="none" finalStatus= "infected" error= "infected archive"/>
<AffectedItem itemType ="File" path="C:\System Volume Information\_restore{AA6C8498-140E-441D-9DDE-0826BE9E5F33}\RP232\A0048056.exe=](ZIP Sfx o)=]7.exe" threatType="virus" threatName="BehavesLike:Trojan.Downloader" action="none" finalStatus= "infected" error= "infected archive"/>
Here is my HJT log. Can someone tell me what to do now?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:39 PM, on 9/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshibadirect.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
O1 - Hosts: 64.78.20.51 EXVBE012-2
O1 - Hosts: 64.78.20.51 EXVBE012-2.exch012.intermedia.net
O1 - Hosts: 64.78.20.14 DC012-1.exch012.intermedia.net
O1 - Hosts: 64.78.20.15 DC012-2.exch012.intermedia.net
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [\VIE85.exe] C:\Windows\System32\VIE85.exe
O4 - HKLM\..\Run: [\VIE86.exe] C:\Windows\System32\VIE86.exe
O4 - HKLM\..\Run: [\VIE87.exe] C:\Windows\System32\VIE87.exe
O4 - HKLM\..\Run: [\VIE88.exe] C:\Windows\System32\VIE88.exe
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\MSA\MSA.exe
O4 - HKLM\..\Run: [\VIE89.exe] C:\Windows\System32\VIE89.exe
O4 - HKLM\..\Run: [\VIE2.exe] C:\Windows\System32\VIE2.exe
O4 - HKLM\..\Run: [\VIE1.exe] C:\Windows\System32\VIE1.exe
O4 - HKLM\..\Run: [\VIE3.exe] C:\Windows\System32\VIE3.exe
O4 - HKLM\..\Run: [\VIE4.exe] C:\Windows\System32\VIE4.exe
O4 - HKLM\..\Run: [\VIEA5.exe] C:\Windows\System32\VIEA5.exe
O4 - HKLM\..\Run: [\VIEA6.exe] C:\Windows\System32\VIEA6.exe
O4 - HKLM\..\Run: [\VIEA7.exe] C:\Windows\System32\VIEA7.exe
O4 - HKLM\..\Run: [\VIEA8.exe] C:\Windows\System32\VIEA8.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
--
End of file - 7481 bytes
Comments
Hello Mark Hahn,
Please do this in safe mode:
Click on Start, right click on My Computer and choose Properties, highlight the System Restore tab, check the option Disable System Restore (on all stations) and confirm it. Wait a few seconds; how long depends on how many restore points have been created. I recommend that you temporarily disable System Restore to prevent your restore points from getting infected.
After you have done that please do this:
Press the Windows key together with R, type msconfig and press Enter. Go to the Startup tab and uncheck the startup items:
that begin with VIE* (* stands for a random number or numbers).
MSA.exe
Reboot your pc again.
Can you please download ComboFix; you will find it here. Print the following instructions and read them carefully. Please post the output of the scan in your next post.
Kind regards,
Niels
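The triage Niels did by eye on the O4 section of the HijackThis log above (the VIE* entries and the "Antivirus" entry pointing at MSA.exe), together with the restore-point path check that explains why the two BitDefender hits under System Volume Information could not be deleted by hand, written out as an added Python example. This is not code from the thread or from HijackThis, BitDefender or ComboFix; the sample log lines are constructed, and the heuristic tags, the generic-name list and the vendor-folder list are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of the HijackThis O4 lines quoted in the
# first post (a handful of entries, not the full log).
SAMPLE = r"""
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [\VIE85.exe] C:\Windows\System32\VIE85.exe
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\MSA\MSA.exe
O4 - HKLM\..\Run: [\VIEA5.exe] C:\Windows\System32\VIEA5.exe
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Shape of an XP restore-point path: \System Volume Information\_restore{GUID}\RPnnn\...
RESTORE_RE = re.compile(r'\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}\\RP\d+\\', re.I)
# Value names that imitate a security product, and (assumed) folders of the real
# products seen in this thread; a generic name outside these folders is suspect.
GENERIC_AV_NAMES = {"antivirus", "antispyware", "security", "protection"}
KNOWN_AV_DIRS = ("bitdefender", "panda security", "symantec")


@dataclass
class Finding:
    hive: str
    name: str
    cmd: str
    reasons: tuple


def image_path(cmd: str) -> str:
    """Executable part of a Run value: quoted path, or up to the first .exe token."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r'(.*?\.exe)(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd.split(' ')[0]


def suspicious_reasons(name: str, cmd: str) -> tuple:
    """Heuristic tags for one Run entry (empty tuple = nothing odd)."""
    exe = image_path(cmd)
    base = exe.rsplit('\\', 1)[-1].lower()
    reasons = []
    if name.startswith('\\'):                      # value name is itself "\VIE85.exe"
        reasons.append('value-name-begins-with-backslash')
    if re.fullmatch(r'vie[a-z]?\d+\.exe', base):   # the VIE* family named in the reply
        reasons.append('vie-pattern-in-system32' if 'system32' in exe.lower() else 'vie-pattern')
    if name.lower() in GENERIC_AV_NAMES and not any(v in exe.lower() for v in KNOWN_AV_DIRS):
        reasons.append('generic-av-name-outside-known-vendor-dir')
    return tuple(reasons)


def triage_o4(log_text: str) -> list:
    """Return a Finding for every O4 Run entry that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            reasons = suspicious_reasons(m['name'], m['cmd'])
            if reasons:
                findings.append(Finding(m['hive'], m['name'], m['cmd'], reasons))
    return findings


def in_restore_point(path: str) -> bool:
    """True when a scanner hit is a copy System Restore took into a restore point;
    such copies go away when System Restore is turned off, not by hand-deleting."""
    return RESTORE_RE.search(path) is not None


if __name__ == '__main__':
    for f in triage_o4(SAMPLE):
        print(f.hive, repr(f.name), '->', f.cmd, '|', ', '.join(f.reasons))
    hit = r'C:\System Volume Information\_restore{AA6C8498-140E-441D-9DDE-0826BE9E5F33}\RP230\A0046968.exe'
    print('in restore point:', in_restore_point(hit))
```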
Here is the ComboFix log:
ComboFix 08-09-05.02 - linda 2008-09-05 19:40:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.658 [GMT -7:00]
Running from: C:\Documents and Settings\linda\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\linda\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\linda\Cookies\linda@a.seenon[1].txt
C:\Documents and Settings\linda\Cookies\linda@imiclk[2].txt
C:\Documents and Settings\linda\Cookies\linda@insightexpressai[2].txt
C:\Documents and Settings\linda\Cookies\linda@my.clearchannelradio[2].txt
C:\Documents and Settings\linda\Cookies\linda@revsci[1].txt
C:\Documents and Settings\linda\Cookies\linda@secure1.healthierwaytogo[2].txt
C:\Documents and Settings\linda\Cookies\linda@turn[1].txt
C:\Documents and Settings\linda\Cookies\linda@www35.vzw[1].txt
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\1.ico
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\2.ico
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\sc.html
.
((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))
.
2008-09-04 17:09 . 2008-09-04 17:09 850 --a------ C:\WINDOWS\system32\ProductTweaks.xml
2008-09-04 17:09 . 2008-09-04 17:09 385 --a------ C:\WINDOWS\system32\user_gensett.xml
2008-09-04 17:00 . 2008-09-04 17:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-04 16:51 . 2008-09-04 16:50 7,236 --a------ C:\1220572212_1_02.xml
2008-09-04 16:50 . 2008-09-04 16:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BitDefender
2008-09-04 13:40 . 2008-09-04 13:40 <DIR> d-------- C:\Documents and Settings\linda\Application Data\BitDefender
2008-09-04 13:39 . 2008-09-04 13:39 <DIR> d-------- C:\Program Files\BitDefender
2008-09-04 13:39 . 2008-09-04 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-09-04 13:37 . 2008-09-04 13:40 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-09-04 10:43 . 2008-09-04 10:43 8,627 --a------ C:\WINDOWS\system32\PAV_FOG.OPC
2008-09-04 10:32 . 2008-09-04 10:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2008-09-04 10:28 . 2008-09-04 10:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Backup
2008-09-04 10:26 . 2008-09-04 13:33 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2008-09-03 22:03 . 2008-09-04 13:33 <DIR> d-------- C:\Program Files\Panda Security
2008-09-03 21:18 . 2004-08-10 13:23 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-09-03 21:18 . 2004-08-10 14:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-09-03 21:18 . 2004-08-10 15:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-09-03 21:18 . 2004-08-10 15:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-09-03 21:18 . 2004-08-16 13:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2008-09-03 21:18 . 2004-08-10 15:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-09-03 21:18 . 2007-06-03 18:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-09-03 21:18 . 2008-09-03 21:18 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-03 19:48 . 2008-08-28 15:57 3,262 --a------ C:\WINDOWS\system32\2.ico
2008-09-03 19:44 . 2008-09-05 19:44 <DIR> d-------- C:\Program Files\PCHealthCenter
2008-09-03 19:44 . 2008-09-05 19:45 <DIR> d-------- C:\Program Files\MSA
2008-09-03 19:44 . 2008-08-28 15:57 3,262 --a------ C:\WINDOWS\system32\1.ico
2008-09-03 19:39 . 2008-09-03 19:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-03 19:39 . 2008-09-03 19:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-14 03:15 . 2008-05-01 07:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 18:40 . 2008-08-12 18:40 228,672 --a------ C:\WINDOWS\system32\drivers\bdfsfltr.sys
2008-08-12 18:40 . 2008-08-12 18:40 108,864 --a------ C:\WINDOWS\system32\drivers\bdfm.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-04 23:46 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-04 23:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-04 23:45 --------- d-----w C:\Program Files\Yahoo!
2008-09-04 17:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-16 00:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-21 03:41 --------- d-----w C:\Program Files\Flickr Uploadr
2008-07-21 03:41 --------- d-----w C:\Documents and Settings\linda\Application Data\Flickr
2008-07-19 05:26 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-27 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-06-14 638976]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-08-19 135168]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-14 53248]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 335872]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 192512]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 1089589]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 159744]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"IVPServiceMgr"="C:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-18 155648]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe" [2008-08-14 716800]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe" [2008-08-10 69632]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" [bU]
C:\Documents and Settings\linda\Start Menu\Programs\Startup\
Picaboo.lnk - C:\Program Files\Picaboo\Picaboo\PicabooMain.exe [2007-11-08 577536]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-12-17 124856]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-08-10 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R3 bdfm;BDFM;C:\WINDOWS\system32\drivers\bdfm.sys [2008-08-12 108864]
S3 Arrakis3;BitDefender Arrakis Server;C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-\VIE85.exe - C:\Windows\System32\VIE85.exe
HKCU-Run-\VIE86.exe - C:\Windows\System32\VIE86.exe
HKCU-Run-\VIE87.exe - C:\Windows\System32\VIE87.exe
HKCU-Run-\VIE88.exe - C:\Windows\System32\VIE88.exe
HKCU-Run-\VIE89.exe - C:\Windows\System32\VIE89.exe
HKCU-Run-SpybotSD TeaTimer - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
HKCU-Run-\VIE2.exe - C:\Windows\System32\VIE2.exe
HKCU-Run-\VIE1.exe - C:\Windows\System32\VIE1.exe
HKCU-Run-\VIE3.exe - C:\Windows\System32\VIE3.exe
HKCU-Run-\VIE4.exe - C:\Windows\System32\VIE4.exe
HKCU-Run-\VIEA5.exe - C:\Windows\System32\VIEA5.exe
HKCU-Run-\VIE5.exe - C:\Windows\System32\VIE5.exe
HKCU-Run-\VIEA4.exe - C:\Windows\System32\VIEA4.exe
HKCU-Run-\VIEA6.exe - C:\Windows\System32\VIEA6.exe
HKCU-Run-\VIEA7.exe - C:\Windows\System32\VIEA7.exe
HKCU-Run-\VIEA8.exe - C:\Windows\System32\VIEA8.exe
HKLM-Run-APVXDWIN - C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE
HKLM-Run-Device Detector - DevDetect.exe
Notify-WgaLogon - (no file)
MSConfigStartUp-Antivirus - C:\Program Files\MSA\MSA.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://my.yahoo.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://toshibadirect.com/
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-05 19:46:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
.
**************************************************************************
.
Completion time: 2008-09-05 19:51:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-06 02:51:52
Pre-Run: 46,993,235,968 bytes free
Post-Run: 47,249,580,032 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
208 --- E O F --- 2008-08-16 00:43:20
P.S. It appears to be fixed now.
Thanks so much.
Hello Mark Hahn,
Please do this: open WordPad and type this:
Folder::
C:\Program Files\PCHealthCenter
C:\Program Files\MSA
Save the WordPad file as CFScript. Now drag and drop the WordPad file you just created onto the ComboFix program.
See if you can still find VIE entries when you open the Windows folder and then the System32 subfolder.
Kind regards,
Niels