PE PATCHED.RCS, RogueAV File.DCT, Rootkits

Closed
tomzak2000 Posts 1 Registration date Tuesday June 15, 2010 Status Member Last seen June 15, 2010 - Jun 15, 2010 at 02:19 PM
Hello,

My keyboard will not work during normal Windows startup. It will only work in Safe Mode.

I am unable to log on as Administrator without a password to test whether this is user-account based or system wide.

Last week, my PC was infected with some kind of redirect that led me to the following steps and results:

1. Ran HijackThis to see if I noticed anything unrecognizable and found the following:

R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\SearchSettings.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\SearchSettings.dll
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe


I followed a couple of forum pages and followed their instructions for removing it. Upon removal,
I lost my internet connectivity. Another HijackThis scan, and I noticed:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:1212

I searched and found a forum on this and followed instructions to remove. Got internet back.

Once able to access Trend Micro's HouseCall, I ran a scan that Friday and found over 380 infected and cleaned files labeled as:

PE PATCHED.RCS


A scan for Spybot S&D found a handful of adware/spyware which were removed.

I also uninstalled the Dealio Toolbar, which I did not realize was installed.

The computer was accessed today (it was left powered up since last Friday) and suddenly the Logitech wireless keyboard will not work. Despite numerous attempts at troubleshooting, it will only work in Safe Mode. I have tried the following:

Plugging in USB keyboard provided with PC. Will not work upon normal start up.
Uninstalled drivers for both keyboards. Will not work upon normal start up.

Note: the Logitech wireless mouse using the same wireless hub as the keyboard works.

Ran Trend Micro's updated HouseCall today and found and removed:

sdra64.exe described as RogueAV File.DCT
5C.tmp described as HIDDEN FILE
1F8.tmp described as HIDDEN FILE


Still nothing. I tried restoring to the last known configuration that worked and, of course, the viruses and RogueAV File.DCT were reinstalled along with the SearchSettings entries and the Dealio Toolbar.

A search of SearchSettings.exe led me to an entry in this forum. The following scans were requested for that entry. I have posted them below:


======= REPORT FROM AD-REMOVER | ONLY XP/VISTA/7 =======

Updated by C_XX on 13/06/10 at 20:40
Contact: AdRemover.contact@gmail.com
website: http://pagesperso-orange.fr/NosTools/ad_remover.html

C:\Program Files\Ad-Remover\main.exe (SCAN [2]) -> Launched at 14:24:59 on 15/06/2010, Safeboot mode

Microsoft Windows XP Professional Service Pack 3 (X86)
a37456, D1WL70D1 ( )

============== SEARCH ==============

Service: "Application Updater" Service found

0,File found: C:\Program Files\Mozilla FireFox\extensions\dealio@mybrowserbar.com
0,File found: C:\Program Files\Mozilla Firefox\extensions\searchsettings@spigot.com
0,Folder found: C:\Program Files\Application Updater
0,Folder found: C:\Documents and Settings\a37456\Application Data\Dealio
0,Folder found: C:\Program Files\Dealio Toolbar
0,Folder found: C:\Documents and Settings\a37456\Application Data\Search Settings
0,Folder found: C:\Program Files\Search Settings
0,Folder found: C:\Documents and Settings\All Users\Application Data\Viewpoint
3,File found: C:\WINDOWS\Installer\4acf1fe.msi
3,File found: C:\WINDOWS\Installer\4acf207.msi

1,Key found: HKLM\Software\Classes\CLSID\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}
1,Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}
1,Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}
1,Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}
1,Key found: HKLM\Software\Classes\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
1,Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
1,Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
1,Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
1,Key found: HKLM\Software\Classes\Interface\{D5A1EF9A-7948-435D-8B87-D6A598317288}
1,Key found: HKLM\Software\Classes\TypeLib\{CD082CCA-086F-4FD8-8FD7-247A0DBBD1CC}
0,Key found: HKLM\Software\Classes\SearchSettings.BHO
0,Key found: HKLM\Software\Classes\SearchSettings.BHO.1
0,Key found: HKLM\Software\Application Updater
0,Key found: HKLM\Software\Dealio
0,Key found: HKLM\Software\Search Settings
0,Key found: HKLM\Software\Viewpoint
0,Key found: HKCU\Software\Search Settings
0,Key found: HKCU\Software\AppDataLow\Software\Dealio
0,Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{C878CD69-85DB-426B-81A3-E71175AAEB91}
0,Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Viewpoint Manager

0,Value found: HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SearchSettings
0,Value found: HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks|{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
0,Value found: HKLM\Software\Microsoft\Internet Explorer\Toolbar|{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}
0,Value found: HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser|{D4027C7F-154A-4066-A1AD-4243D8127440}


============== ADDITIONNAL SCAN ==============

** Mozilla Firefox Version [3.6.3 (en-US)] **

-- C:\Documents and Settings\a37456\Application Data\Mozilla\FireFox\Profiles\bnok4una.default\Prefs.js --
browser.download.lastdir, F:\\My Documents\\Downloads
browser.startup.homepage_override.mstone, rv:1.9.2.3

========================================

** Internet Explorer Version [8.0.6001.18702] **

[HKCU\Software\Microsoft\Internet Explorer\Main]
AutoHide: yes
Default_Page_URL: hxxp://business.dellnet.com/
Do404Search: 0x01000000
Enable Browser Extensions: yes
Local Page: C:\WINDOWS\system32\blank.htm
Search bar:
Search Page: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Show_ToolBar: yes
Start Page: hxxp://www.marketwatch.com/?avatar=seen&dist=ctmw
Use Search Asst: yes

[HKLM\Software\Microsoft\Internet Explorer\Main]
Default_Page_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Default_Search_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Delete_Temp_Files_On_Exit: yes
Local Page: C:\windows\system32\blank.htm
Search Page: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Start Page: hxxp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
Use Custom Search URL: 0

[HKLM\Software\Microsoft\Internet Explorer\ABOUTURLS]
Tabs: res://ieframe.dll/tabswelcome.htm
Blank: res://mshtml.dll/blank.htm

========================================

C:\Program Files\Ad-Remover\Quarantine: 2 File(s)
C:\Program Files\Ad-Remover\Backup: 3 File(s)

C:\Ad-Report-SCAN[1].txt - 477 Byte(s)
C:\Ad-Report-SCAN[2].txt - 3167 Byte(s)

End at: 14:32:24, 15/06/2010

============== E.O.F ==============


-----------\\ ToolBar S&D 1.2.9 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : AMD Athlon(tm) 64 X2 Dual Core Processor 5200+ )
BIOS : )Phoenix - Award WorkstationBIOS v6.00PG
USER : a37456 ( Not Administrator ! )
BOOT : Fail-safe with network boot
Antivirus : Spyware Doctor with AntiVirus 7.0.0.102 (Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:232 Go (Free:180 Go)
D:\ (CD or DVD) - CDFS - Total:0 Go (Free:0 Go)
E:\ (CD or DVD)
F:\ (Local Disk) - NTFS - Total:279 Go (Free:261 Go)

"C:\ToolBar SD" ( MAJ : 22-08-2009|18:42 )
Option : [1] ( Tue 06/15/2010|14:34 )

-----------\\ Searching for Files - Folders ...

C:\DOCUME~1\a37456\APPLIC~1\Dealio
C:\DOCUME~1\a37456\APPLIC~1\Dealio\res
C:\DOCUME~1\a37456\APPLIC~1\Dealio\temp
C:\Program Files\Mozilla Firefox\extensions\dealio@mybrowserbar.com
C:\Program Files\Mozilla Firefox\extensions\searchsettings@spigot.com
C:\DOCUME~1\a37456\APPLIC~1\Search Settings
C:\DOCUME~1\a37456\APPLIC~1\Search Settings\kb130
C:\DOCUME~1\a37456\APPLIC~1\Search Settings\kb130\temp
C:\DOCUME~1\a37456\APPLIC~1\Search Settings\kb130\temp\ws-14768.log
C:\DOCUME~1\a37456\APPLIC~1\Search Settings\kb130\temp\ws-14769.log
C:\DOCUME~1\a37456\APPLIC~1\Search Settings\kb130\temp\ws-14771.log
C:\Program Files\Search Settings
C:\Program Files\Search Settings\FF
C:\Program Files\Search Settings\res
C:\Program Files\Search Settings\SearchSettings.dll
C:\Program Files\Search Settings\SearchSettings.exe
C:\Program Files\Search Settings\SearchSettingsRes409.dll
C:\Program Files\Search Settings\temp
C:\Program Files\Search Settings\FF\chrome
C:\Program Files\Search Settings\FF\chrome.manifest
C:\Program Files\Search Settings\FF\components
C:\Program Files\Search Settings\FF\install.rdf
C:\Program Files\Search Settings\FF\chrome\content
C:\Program Files\Search Settings\FF\chrome\locale
C:\Program Files\Search Settings\FF\chrome\skin
C:\Program Files\Search Settings\FF\chrome\content\plugin.js
C:\Program Files\Search Settings\FF\chrome\content\plugin.xul
C:\Program Files\Search Settings\FF\chrome\content\protection.js
C:\Program Files\Search Settings\FF\chrome\content\utils.js
C:\Program Files\Search Settings\FF\chrome\locale\en-US
C:\Program Files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.dtd
C:\Program Files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.properties
C:\Program Files\Search Settings\FF\components\IFBHOSearch.xpt
C:\Program Files\Search Settings\FF\components\IFBHOSearchHelperEngine.xpt
C:\Program Files\Search Settings\FF\components\IFHelperPreferences.xpt
C:\Program Files\Search Settings\FF\components\SearchSettingsFF.dll
C:\DOCUME~1\a37456\FAVORI~1\Uninstall Search settings.url

-----------\\ Extensions

(a37456) - {20a82645-c095-46ed-80e3-08825760534b} => chrome_user


-----------\\ [..\Internet Explorer\Main]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"
"Start Page"="https://www.marketwatch.com/?avatar=seen&dist=ctmw"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Default_Page_URL"="https://www.msn.com/fr-fr/?redirfallthru=http%3a%2f%2fbusiness.dellnet.com%2f%3f"
"SearchMigratedDefaultURL"="https://www.google.com/webhp?gws_rd=ssl{searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8"
"Url"="http://www.microsoft.com/atwork/community/rss.xml"
"Url"="http://www.microsoft.com/athome/community/rss.xml"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Local Page"="C:\\windows\\system32\\blank.htm"
"Start Page"="http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home"
"Home_Page"="https://www.dell.com/fr-fr"
"Help_Page"="http://support.dell.com"


--------------------\\ Searching for other infections


No other infections found !


1 - "C:\ToolBar SD\TB_1.txt" - Tue 06/15/2010|14:37 - Option : [1]

-----------\\ Scan completed at 14:37:52.48
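As an added example (not from the post or the reply above), a small Python triage helper that reads HijackThis-style lines like the ones quoted in the post and flags the three things worth checking there: a proxy pointing at the local host, a CLSID that shows up in more than one section (here the URLSearchHook and BHO entries share one), and Run entries whose target lives outside the Windows directory. The sample lines are constructed from the post's entries plus one benign ctfmon line for contrast.

```python
import re

# Constructed sample: the HijackThis lines quoted in the post, plus a benign O4 line.
SAMPLE_LOG = """\
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\\Program Files\\Search Settings\\SearchSettings.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\\Program Files\\Search Settings\\SearchSettings.dll
O4 - HKLM\\..\\Run: [SearchSettings] C:\\Program Files\\Search Settings\\SearchSettings.exe
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:1212
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

LOOPBACK = re.compile(r"\b(127\.\d+\.\d+\.\d+|localhost)\b", re.I)
CLSID = re.compile(r"\{[0-9A-F-]{36}\}", re.I)


def parse_line(line):
    """Split 'Xn - rest' into (section, rest); returns None for non-HJT lines."""
    m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def proxy_finding(section, rest):
    """R1 lines carry Internet Settings values; a ProxyServer on the local host
    is the pattern that cost the poster connectivity (http=127.0.0.1:1212)."""
    if section == "R1" and "ProxyServer" in rest and LOOPBACK.search(rest):
        return "loopback proxy set: " + rest.split("=", 1)[1].strip()
    return None


def analyze(log):
    """Return loopback-proxy findings, CLSIDs mapped to the sections they appear
    in, and Run entries whose target is outside the Windows directory."""
    out = {"proxy": [], "clsids": {}, "autoruns": []}
    for line in log.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, rest = parsed
        finding = proxy_finding(section, rest)
        if finding:
            out["proxy"].append(finding)
        for c in CLSID.findall(rest):
            out["clsids"].setdefault(c.upper(), set()).add(section)
        if section == "O4":
            m = re.search(r"\[(.+?)\]\s+(.*)", rest)
            if m and not m.group(2).lower().startswith("c:\\windows\\"):
                out["autoruns"].append((m.group(1), m.group(2)))
    return out


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

A CLSID listed under more than one section, combined with a Run entry pointing into the same program folder, is the signature of the one toolbar component rather than three separate problems, which is why removing it piecemeal left the proxy value behind.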

1 response

mrrigga Posts 196 Registration date Wednesday May 5, 2010 Status Contributor Last seen July 14, 2010 119
Jun 15, 2010 at 03:18 PM
Good God, that's a lot to read!!
Try running the scan in Safe Mode with Networking. Also disable System Restore, since viruses hide there. Don't forget to enable it again when you restart the computer. I find Malwarebytes a good malware/spyware program.
Make sure your anti-virus is working and up to date.
Here is another one-off scan tool that may help: McAfee Avert Stinger, download from https://download.cnet.com/s/mcafee-avert-stinger/