Topic: Several Different Problems
chibinuku (Topic Starter)
« on: December 09, 2010, 03:40:08 AM »

Recently I was having trouble with my computer and whenever I ran a program I received the error message, "Application cannot be executed. The file is infected." After running SUPERAntiSpyware, McAfee, rkill, Malwarebytes, HijackThis, and ESET scanner things seemed to be running fine.

Now suddenly every couple of minutes the user accounts selection appears on my screen, which never used to show up. I'm the only person who uses my computer, but now it will show my account, plus "ASP.NET Machine A... Limited account password protected." It also shows "Guest. Guest account is off." I never had the user accounts screen come up and don't remember if both of those were there, but I certainly don't remember ASP.NET and have no idea what this is. The user account screen also shows up when I start my computer, but only lists my account. Normally my computer would start without me having to click on anything.

After this started happening, I went to open Adobe Photoshop 7.0 which I have been using for years and never had any problems with. I plugged my Wacom tablet in, but there was no pen pressure sensitivity. This has happened before, but has always fixed itself once I closed and then reopened Photoshop. But when I tried that this time, the tablet stopped working altogether and wouldn't even move the cursor on the screen. I tried closing Photoshop and opening it again, but then I got an error message while "measuring memory" that after a while says, "Could not initialize Photoshop because of a program error." Another error message appeared, which unfortunately I did not write down and has not reappeared, but said something along the lines of something was preventing an application from running.

I have another version of Photoshop, CS4, which I'm able to open, but then the tablet had no pressure sensitivity still. I tried closing and then reopening Photoshop, but then the tablet wouldn't move again. I tried reinstalling the tablet driver, but while the pen would move, again there was no pressure sensitivity. I restarted the computer, but then the tablet wouldn't move at all again. Whenever I tried reinstalling the tablet driver the tablet would allow the cursor to move, but wouldn't have any pressure sensitivity with the pen, and would just stop moving at all if I closed Photoshop or restarted the computer.

Also, after this all started Malwarebytes cannot complete a scan session and crashes. I've run several other programs and none find anything wrong.

I also went to open my Recycle Bin, but received an error that it is corrupted. I was able to open the Recycle Bin, but several of the files would not delete and I would get a message saying, "Cannot delete D10. It is being used by another person or program," even though this was not the name of the file and no other programs were open.

I pretty much only use my computer to work in Photoshop for my job and check my e-mail. But not being able to even open Photoshop 7.0 which I prefer to use, plus my tablet not working makes it useless. I'm worried about logging into e-mail and typing any passwords out with all this going on. If anyone could help I would greatly appreciate it!
harry 48 (Egghead)
lay back, relax and chill out
« Reply #1 on: December 09, 2010, 05:44:02 AM »

Try the link below and post the 3 logs; an expert will see them.

http://www.computerhope.com/forum/index.php/topic,46313.0.html

http://diy-help.forumotion.co.uk/   D.I.Y. help forum

chibinuku (Topic Starter)
« Reply #2 on: December 13, 2010, 10:58:33 AM »

Quote from: harry 48 on December 09, 2010, 05:44:02 AM
Try the link below and post the 3 logs; an expert will see them.
http://www.computerhope.com/forum/index.php/topic,46313.0.html

The link just took me back to the main page.
harry 48 (Egghead)
« Reply #3 on: December 13, 2010, 11:07:46 AM »

Quote from: chibinuku on December 13, 2010, 10:58:33 AM
The link just took me back to the main page.

Yes, scroll down and do all the tasks asked of you.

chibinuku (Topic Starter)
« Reply #4 on: December 13, 2010, 05:56:14 PM »

It just took me back to the main section of the Computer Hope forums. There were no instructions.
harry 48 (Egghead)
« Reply #5 on: December 14, 2010, 05:09:37 AM »

It takes you to the virus and malware guidelines section, with 4 posts by evilfantasy full of instructions to complete:

http://www.computerhope.com/forum/index.php/topic,46313.0.html

SuperDave (Malware Removal Specialist, Moderator)
« Reply #6 on: December 14, 2010, 12:53:37 PM »

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

What type of OS (Operating System) are you using?

AMD Athlon XP 1900+ 1.47 GHz  3 GB Ram Windows XP  Home with SP3, MicroSoft Security Essentials, Spybot S&D. SuperAntiSpyware  and Threatfire with Comodo Firewall & Windows Defender
chibinuku (Topic Starter)
« Reply #7 on: December 14, 2010, 05:03:55 PM »

Quote from: SuperDave on December 14, 2010, 12:53:37 PM
What type of OS (Operating System) are you using?

Hi Dave, I am using Windows XP.
SuperDave (Malware Removal Specialist, Moderator)
« Reply #8 on: December 15, 2010, 01:05:02 PM »

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

- Rename ComboFix.exe to commy.exe before you save it to your Desktop.
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
- Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see How to use ComboFix

chibinuku (Topic Starter)
« Reply #9 on: December 16, 2010, 03:30:17 PM »

Hi Dave,

Thank you. The first time I ran ComboFix I thought McAfee was turned off, but it wasn't. I closed it and restarted, and the screen was blue, saying there was a problem with a lot of files and that it was deleting things. Sorry if that isn't very descriptive; many things were scrolling past on that page too quickly for me to write down. But when my computer started up again I ran ComboFix and this is the log it created:

ComboFix 10-12-16.01 - Jen 12/16/2010  14:48:46.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1919.1461 [GMT -7:00]
Running from: c:\documents and settings\Jen\desktop\commy.exe
Command switches used :: /stepdel
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\arp.exe
c:\windows\system32\SCardSvr.exe

.
(((((((((((((((((((((((((   Files Created from 2010-11-16 to 2010-12-16  )))))))))))))))))))))))))))))))
.

2010-12-16 19:04 . 2010-09-07 14:47   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-12-16 19:04 . 2010-09-07 14:52   165584   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-12-16 19:04 . 2010-09-07 14:47   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-12-16 19:04 . 2010-09-07 14:52   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-12-16 19:04 . 2010-09-07 14:47   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-12-16 19:04 . 2010-09-07 14:47   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-12-16 19:04 . 2010-09-07 14:46   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-12-16 19:03 . 2010-09-07 15:12   38848   ----a-w-   c:\windows\avastSS.scr
2010-12-16 19:03 . 2010-09-07 15:11   167592   ----a-w-   c:\windows\system32\aswBoot.exe
2010-12-16 19:03 . 2010-12-16 19:03   --------   d-----w-   c:\program files\Alwil Software
2010-12-16 19:03 . 2010-12-16 19:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2010-12-15 21:09 . 2010-11-02 15:17   40960   -c----w-   c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 21:09 . 2010-10-11 14:59   45568   -c----w-   c:\windows\system32\dllcache\wab.exe
2010-12-14 14:28 . 2010-12-14 14:28   --------   d-----w-   c:\program files\CCleaner
2010-12-05 08:09 . 2010-12-05 08:09   --------   d-----w-   c:\program files\AIM Toolbar
2010-12-05 08:09 . 2010-12-05 08:09   --------   d-----w-   c:\program files\Common Files\Software Update Utility
2010-12-05 01:54 . 2010-12-05 01:54   --------   d-----w-   c:\program files\TabletPlugins
2010-11-18 18:12 . 2010-11-18 18:12   81920   -c----w-   c:\windows\system32\dllcache\isign32.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-16 21:58 . 2009-07-10 05:39   6520   ----a-w-   c:\windows\system32\drivers\ghstwall.sys
2010-11-30 00:42 . 2010-11-04 02:15   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-30 00:42 . 2010-11-04 02:14   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2009-07-08 07:41   81920   ----a-w-   c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2001-08-23 12:00   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2001-08-23 12:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2001-08-23 12:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 05:59   385024   ----a-w-   c:\windows\system32\html.iec
2010-11-02 15:17 . 2001-08-23 12:00   40960   ----a-w-   c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2001-08-23 12:00   290048   ----a-w-   c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2001-08-23 12:00   1853312   ----a-w-   c:\windows\system32\win32k.sys
2010-09-18 19:23 . 2001-08-23 12:00   974848   ----a-w-   c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-23 12:00   974848   ----a-w-   c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-23 12:00   954368   ----a-w-   c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-23 12:00   953856   ----a-w-   c:\windows\system32\mfc40u.dll
2008-02-08 04:46 . 2008-02-08 04:46   13624   ----a-w-   c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 04:46 . 2008-02-08 04:46   87360   ----a-w-   c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 04:46 . 2008-02-08 04:46   91448   ----a-w-   c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 04:46 . 2008-02-08 04:46   21824   ----a-w-   c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 04:46 . 2008-02-08 04:46   206136   ----a-w-   c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 04:46 . 2008-02-08 04:46   31544   ----a-w-   c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 04:46 . 2008-02-08 04:46   40248   ----a-w-   c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-17 00:27 . 2007-03-17 00:27   479232   ----a-w-   c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-17 00:27 . 2007-03-17 00:27   548864   ----a-w-   c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-17 00:27 . 2007-03-17 00:27   626688   ----a-w-   c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 19:47 . 2007-07-20 19:47   981170   ----a-w-   c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 04:46 . 2008-02-08 04:46   24384   ----a-w-   c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Jen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-22 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"GhostWall"="c:\program files\GhostWall\ghostwall.exe" [2005-09-29 217088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-02 16049664]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-10-07 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-20 149280]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

c:\documents and settings\Jen\Start Menu\Programs\Startup\
ViiKiiDesktopPlugin.lnk - c:\program files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/16/2010 12:04 PM 165584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 7:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/16/2010 12:04 PM 17744]
R2 ghstwall;ghstwall;c:\windows\system32\drivers\ghstwall.sys [7/9/2009 10:39 PM 6520]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 12872]
S4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [7/10/2009 6:31 PM 5010288]
.
Contents of the 'Scheduled Tasks' folder

2010-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-448539723-839522115-1004Core.job
- c:\documents and settings\Jen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-22 00:54]

2010-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-448539723-839522115-1004UA.job
- c:\documents and settings\Jen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-22 00:54]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:10293
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jen\Application Data\Mozilla\Firefox\Profiles\89sau4uu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Jen\Application Data\Move Networks
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-nwiz - nwiz.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
AddRemove-M2416447 - c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-16 14:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa]
@DACL=(02 0000)
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
"DllName"="antiwpa.dll"
"Startup"="onStartup"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3856)
c:\windows\system32\WININET.dll
c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-12-16  15:06:11 - machine was rebooted
ComboFix-quarantined-files.txt  2010-12-16 22:06

Pre-Run: 15,102,398,464 bytes free
Post-Run: 14,880,346,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 49816B3BF7C2518CA93F4E1F1FBA2F2F
SuperDave
Malware Removal Specialist
Moderator
Prodigy



Thanked: 617
Posts: 6,998

Certifications: List
Experience: Experienced
OS: Windows XP



« Reply #10 on: December 16, 2010, 07:37:56 PM »

The log shows that you're running two Anti-Virus programs on your computer: avast! Antivirus and McAfee VirusScan Enterprise. You should only run one AV program and one Firewall on your computer because they conflict. One will have to be permanently disabled.

P2P - I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program (BitTorrent), it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
*******************************************
Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    Quote
    KillAll::

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:10293
    FF - prefs.js: browser.search.selectedEngine - Ask.com

    Rootkit::

  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • I don't need to see this log.
***************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
***************************************
SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected
  • At the bottom of the page
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

AMD Athlon XP 1900+ 1.47 GHz  3 GB Ram Windows XP  Home with SP3, MicroSoft Security Essentials, Spybot S&D. SuperAntiSpyware  and Threatfire with Comodo Firewall & Windows Defender
chibinuku
Topic Starter
Rookie



Posts: 16

Experience: Beginner
OS: Unknown

« Reply #11 on: December 17, 2010, 12:51:54 AM »

Hi Dave,

Earlier I had renamed ComboFix to commy.exe, do I need to change the file name or download it again before doing these steps? Thank you!
SuperDave
Malware Removal Specialist
Moderator
Prodigy



Thanked: 617
Posts: 6,998

Certifications: List
Experience: Experienced
OS: Windows XP



« Reply #12 on: December 17, 2010, 12:43:59 PM »

No. Even though you renamed it, it's still ComboFix.exe
chibinuku
Topic Starter
Rookie



Posts: 16

Experience: Beginner
OS: Unknown

« Reply #13 on: December 17, 2010, 01:49:59 PM »

After I dragged CFScript.txt into ComboFix, ComboFix started, but then my screen went blue, restarted, and gave me a message that the computer had a serious error. I went to check if there was a log at C:\ComboFix.txt, but there's nothing in the ComboFix folder. Should I proceed with downloading Security Check by screen317 still?
SuperDave
Malware Removal Specialist
Moderator
Prodigy



Thanked: 617
Posts: 6,998

Certifications: List
Experience: Experienced
OS: Windows XP



« Reply #14 on: December 17, 2010, 04:50:46 PM »

Forget about the ComboFix script for now. We'll deal with it later. Please continue with the other scans.
chibinuku
Topic Starter
Rookie



Posts: 16

Experience: Beginner
OS: Unknown

« Reply #15 on: December 17, 2010, 06:36:46 PM »

Here are the contents of the Notepad document from Security Check:

 Results of screen317's Security Check version 0.99.7 
 Windows XP Service Pack 3 
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Enabled! 
 ESET Online Scanner v3   
 Adobe After Effects CS3 Presets 
 McAfee VirusScan Enterprise   
 McAfee Security Scan Plus   
```````````````````````````````
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware   
 CCleaner     
 Java(TM) 6 Update 17 
 Out of date Java installed!
 Adobe Flash Player 10.0.32.18 
Adobe Reader 9.1.2
Out of date Adobe Reader installed!
 Mozilla Firefox (3.6.13)
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 McAfee VirusScan Enterprise mcshield.exe 
 McAfee VirusScan Enterprise vstskmgr.exe 
 McAfee VirusScan Enterprise SHSTAT.EXE 
``````````End of Log````````````
chibinuku
Topic Starter
Rookie



Posts: 16

Experience: Beginner
OS: Unknown

« Reply #16 on: December 17, 2010, 06:46:55 PM »

Here's the log from SysProT Antirootkit:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B3D5E000
Module End: B3D76000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: B8664000
Module End: B8666000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwTerminateProcess
At Address: 805D2982
Jump To: B271D19B
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwSetValueKey
At Address: 80621D3A
Jump To: B271D185
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwRenameKey
At Address: 806231EA
Jump To: B271D159
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenKey
At Address: 80624BA6
Jump To: B271D11B
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwDeleteValueKey
At Address: 80623E34
Jump To: B271D16F
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwDeleteKey
At Address: 80623C64
Jump To: B271D143
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateKey
At Address: 806237C8
Jump To: B271D12F
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\Jen\Desktop\2008 Music\(2008.11.26) BONNIE PINK - CHAIN\05 - CHAIN ~The Birth Cry~.mp3
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2008 Music\(2008.12.10) Hello!Project - PETIT BEST 9\07 - ????·??.mp3
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2008 Music\(2008.12.10) Hello!Project - PETIT BEST 9\10 - ??!LOVE???.mp3
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2008 Music\(2008.12.10) Hello!Project - PETIT BEST 9\12 - C\C(?????\???????).mp3
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2008 Music\Maid Cafe\Music\Pa Letee\01+-+Zutto+-+?·?·????.mp3
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2008 Music\Maid Cafe\Music\Pa Letee\02+-+???? ?????????.mp3
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2008 Music\Maid Cafe\Music\Pa Letee\03+-+?????8?????.mp3
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2009\Lolita\?????????????????????????????(?)????????????????????????:chocomint.htm
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2009\Lolita\?????????????????????????????(?)????????????????????????:chocomint_files
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2009\Sale\MM Tulle Lace Frill Bolero\Mary Magdalene|?????????.htm
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2009\Sale\MM Tulle Lace Frill Bolero\Mary Magdalene|?????????_files
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\Jen's New Stuff\J-Fashion\Putumayo\Fukubukuro 2006\Winter Collection.htm
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\Jen's New Stuff\J-Fashion\Putumayo\Fukubukuro 2006\Winter Collection_files
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\Jen's New Stuff\Webpages\????·????(????)?????????|???????????.htm
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\Jen's New Stuff\Webpages\????·????(????)?????????|???????????_files
Status: Hidden

chibinuku
Topic Starter
Rookie



Posts: 16

Experience: Beginner
OS: Unknown

« Reply #17 on: December 17, 2010, 06:49:03 PM »

Sorry for making a separate post, but I believe the mp3s with the jumbled text are because they are music files listed in Japanese on my computer, if that is helpful.
SuperDave
Malware Removal Specialist
Moderator
Prodigy



Thanked: 617
Posts: 6,998

Certifications: List
Experience: Experienced
OS: Windows XP



« Reply #18 on: December 18, 2010, 12:54:44 PM »

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.
4. Run CCleaner.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
****************************************
Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.
*************************************************
Please download: HiJackThis to your Desktop.
  • Double Click the HijackThis icon, located on your Desktop.
  • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
  • Accept the license agreement.
  • Click the Open the Misc Tools section button.
  • Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
  • Please post the log in your next reply.
chibinuku
Topic Starter
Rookie



Posts: 16

Experience: Beginner
OS: Unknown

« Reply #19 on: December 18, 2010, 11:03:23 PM »

Hi Dave,

When I was trying to uninstall my previous version of Adobe Reader, it said there was a fatal error. The same thing happened when I tried to install the newer version. Then when I opened HijackThis, the Do a scan and save a log button was on the first page, but when I clicked on the Misc Tools button it wasn't there. So I assumed the first one was what I was supposed to do; here is the log (and thank you for taking the time to always respond, especially on the weekend : D):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:35 PM, on 12/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GhostWall\ghostwall.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NOS\bin\getPlusPlus_Adobe.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:10293
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [GhostWall] "C:\Program Files\GhostWall\ghostwall.exe" -minimize
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\Program Files\NOS\bin\getPlusUninst_Adobe.exe" /Get1noarp
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ViiKiiDesktopPlugin.lnk = C:\Program Files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247201927952
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

--
End of file - 8570 bytes
SuperDave
Malware Removal Specialist
Moderator
Prodigy



Thanked: 617
Posts: 6,998

Certifications: List
Experience: Experienced
OS: Windows XP



« Reply #20 on: December 19, 2010, 12:46:29 PM »

Quote
and thank you for taking the time to always respond, especially on the weekend : D):
I do most of my work on the weekends. We can try to update Adobe later.

1. Download this diagnostics tool MGADiag.exe and save this to your Desktop.
2. Double-click on MGADiag.exe and click Continue
3. When the program has finished, click on Copy
4. Post the results in your next reply.

chibinuku
Topic Starter
Rookie



Posts: 16

Experience: Beginner
OS: Unknown

« Reply #21 on: December 19, 2010, 12:58:42 PM »

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-XFJCX-877CK-G2P2G
Windows Product Key Hash: UQHqiRO3qZBl1XMJo/Wv/fUYaWU=
Windows Product ID: 55277-005-7154387-21207
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 5.1.2600.2.00010300.3.0.hom
ID: {0FE4B9D7-6C19-4D11-993E-A790839FAC41}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.9.1
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional Edition 2003 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{0FE4B9D7-6C19-4D11-993E-A790839FAC41}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-G2P2G</PKey><PID>55277-005-7154387-21207</PID><PIDType>5</PIDType><SID>S-1-5-21-1645522239-448539723-839522115</SID><SYSTEM><Manufacturer>To Be Filled By O.E.M.</Manufacturer><Model>To Be Filled By O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P1.80</Version><SMBIOSVersion major="2" minor="4"/><Date>20070808000000.000000+000</Date></BIOS><HWID>689235F701848078</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>US Mountain Standard Time(GMT-07:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>AA88FD4C472BD00</Val><Hash>o804ZmJWeRjQ49qf8P2ms5r9Q/c=</Hash><Pid>73931-640-9282824-57979</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="100"/><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="19" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/><App Id="44" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: no
Marker string from BIOS: N/A
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A

« Last Edit: December 19, 2010, 07:11:58 PM by SuperDave »
SuperDave
Malware Removal Specialist
Moderator
Prodigy



Thanked: 617
Posts: 6,998

Certifications: List
Experience: Experienced
OS: Windows XP



« Reply #22 on: December 19, 2010, 07:37:34 PM »

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.
*************************************************

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:10293
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.
*****************************************
Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

  • Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run then copy paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see How to use ComboFix

AMD Athlon XP 1900+ 1.47 GHz  3 GB Ram Windows XP  Home with SP3, MicroSoft Security Essentials, Spybot S&D. SuperAntiSpyware  and Threatfire with Comodo Firewall & Windows Defender
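The R1 entry SuperDave asks to fix points Internet Explorer at a proxy on the local machine (127.0.0.1:10293), and the ComboFix log later in the thread shows a matching loopback proxy left in Firefox's prefs.js. A proxy on 127.0.0.1 that the user never configured is a classic sign of an infection that inserts itself between the browser and the network, which is why such entries are removed first. As an added example, not code from the thread or from HijackThis or ComboFix, the following Python script scans HijackThis and ComboFix style log lines for loopback proxy settings and reports what should be reset. The sample lines are constructed, modelled on this thread's entries, and the regexes and function names are this example's own.

```python
"""Flag loopback (127.0.0.1 / localhost) proxy settings in HijackThis- and
ComboFix-style log lines.

Added example for this thread; not part of HijackThis or ComboFix. The
sample lines below are constructed, modelled on the entries in the thread.
"""
import re
from typing import Dict, Iterable, List

# HijackThis R1 line, e.g.
#   R1 - HKCU\...\Internet Settings,ProxyServer = http=127.0.0.1:10293
HJT_PROXY_RE = re.compile(r"^R1 - (?P<key>HK\w+\\[^,]+),ProxyServer = (?P<value>.+)$")

# ComboFix "Supplementary Scan" Firefox pref line, e.g.
#   FF - prefs.js: network.proxy.http - 127.0.0.1
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>network\.proxy\.\S+) - (?P<value>.+)$")

LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "::1")


def is_loopback(host: str) -> bool:
    """True when the proxy host is the local machine itself."""
    return host.strip().lower() in LOOPBACK_HOSTS


def parse_proxy_server(value: str) -> List[Dict[str, str]]:
    """Parse an Internet Settings ProxyServer value.

    The value is either a bare "host:port" (used for all protocols) or a
    ';'-separated list of "scheme=host:port" entries.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:                       # no "scheme=" prefix: applies to all
            scheme, hostport = "all", part
        host, _, port = hostport.rpartition(":")
        if not host:                      # no port given
            host, port = hostport, ""
        entries.append({"scheme": scheme, "host": host, "port": port})
    return entries


def find_loopback_proxies(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per browser proxy setting that points at the local
    machine. A loopback proxy the user never configured is a common sign of
    an infection that inserts itself between the browser and the network."""
    findings: List[Dict[str, str]] = []
    ff_prefs: Dict[str, str] = {}          # network.proxy.* prefs, evaluated at the end
    for raw in lines:
        line = raw.strip()
        m = HJT_PROXY_RE.match(line)
        if m:
            for entry in parse_proxy_server(m.group("value")):
                if is_loopback(entry["host"]):
                    findings.append({
                        "source": "ie",
                        "host": entry["host"],
                        "port": entry["port"],
                        "fix": "clear ProxyServer under " + m.group("key"),
                    })
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff_prefs[m.group("pref")] = m.group("value").strip()

    host = ff_prefs.get("network.proxy.http", "")
    if is_loopback(host):
        fix = "reset network.proxy.* in prefs.js"
        # network.proxy.type 0 means "no proxy": the stale entry is inert
        # but should still be cleared so it cannot be re-enabled later.
        if ff_prefs.get("network.proxy.type") == "0":
            fix += " (currently inactive: network.proxy.type is 0)"
        findings.append({
            "source": "firefox",
            "host": host,
            "port": ff_prefs.get("network.proxy.http_port", ""),
            "fix": fix,
        })
    return findings


# Constructed sample: the first line and the three FF lines mirror the thread's
# entries; the last line is a legitimate corporate proxy that must not be flagged.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:10293",
    r"O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe",
    "FF - prefs.js: network.proxy.http - 127.0.0.1",
    "FF - prefs.js: network.proxy.http_port - 50370",
    "FF - prefs.js: network.proxy.type - 0",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.corp.example:8080",
]

if __name__ == "__main__":
    for f in find_loopback_proxies(SAMPLE_LOG):
        print(f"[{f['source']}] loopback proxy {f['host']}:{f['port']} -> {f['fix']}")
```

Run against the sample it reports the IE entry on port 10293 and the Firefox entry on port 50370, and leaves the corporate proxy alone. The Firefox finding carries a caveat: in the thread's log network.proxy.type is 0, which means Firefox is connecting directly, so that entry is inert rather than an active hijack, but it is still worth clearing so nothing can switch it back on.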
chibinuku
Topic Starter
Rookie
Posts: 16
Experience: Beginner
OS: Unknown

« Reply #23 on: December 20, 2010, 10:50:19 AM »

Hi Dave,

With HijackThis I was able to remove the first file. For the other two there were similar file names, but not exact so I left those.

When running commy I received a message saying that my McAfee VirusScan Enterprise was still running, but I disabled it and it was even showing up as disabled. I checked the link that was provided, but there wasn't any information about the VirusScan Enterprise, so commy went ahead and ran and here is the log:

ComboFix 10-12-16.01 - Jen 12/20/2010  10:37:46.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1919.1329 [GMT -7:00]
Running from: c:\documents and settings\Jen\desktop\commy.exe
Command switches used :: /stepdel
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\arp.exe
c:\windows\system32\SCardSvr.exe

.
(((((((((((((((((((((((((   Files Created from 2010-11-20 to 2010-12-20  )))))))))))))))))))))))))))))))
.

2010-12-19 19:55 . 2010-12-19 19:55   --------   d-----w-   c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-12-19 05:37 . 2010-12-19 05:37   --------   d-----w-   c:\program files\Common Files\Java
2010-12-19 05:36 . 2010-11-13 01:53   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2010-12-19 05:36 . 2010-11-13 01:53   472808   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-16 19:03 . 2010-12-17 07:18   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2010-12-16 19:03 . 2010-12-16 19:03   --------   d-----w-   c:\program files\Alwil Software
2010-12-15 21:09 . 2010-11-02 15:17   40960   -c----w-   c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 21:09 . 2010-10-11 14:59   45568   -c----w-   c:\windows\system32\dllcache\wab.exe
2010-12-14 14:28 . 2010-12-14 14:28   --------   d-----w-   c:\program files\CCleaner
2010-12-05 08:09 . 2010-12-05 08:09   --------   d-----w-   c:\program files\AIM Toolbar
2010-12-05 08:09 . 2010-12-05 08:09   --------   d-----w-   c:\program files\Common Files\Software Update Utility
2010-12-05 01:54 . 2010-12-05 01:54   --------   d-----w-   c:\program files\TabletPlugins

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-17 20:44 . 2009-07-10 05:39   6520   ----a-w-   c:\windows\system32\drivers\ghstwall.sys
2010-11-30 00:42 . 2010-11-04 02:15   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-30 00:42 . 2010-11-04 02:14   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2009-07-08 07:41   81920   ----a-w-   c:\windows\system32\isign32.dll
2010-11-12 23:34 . 2010-01-20 15:15   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2010-11-06 00:26 . 2001-08-23 12:00   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2001-08-23 12:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2001-08-23 12:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 05:59   385024   ----a-w-   c:\windows\system32\html.iec
2010-11-02 15:17 . 2001-08-23 12:00   40960   ----a-w-   c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2001-08-23 12:00   290048   ----a-w-   c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2001-08-23 12:00   1853312   ----a-w-   c:\windows\system32\win32k.sys
2008-02-08 04:46 . 2008-02-08 04:46   13624   ----a-w-   c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 04:46 . 2008-02-08 04:46   87360   ----a-w-   c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 04:46 . 2008-02-08 04:46   91448   ----a-w-   c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 04:46 . 2008-02-08 04:46   21824   ----a-w-   c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 04:46 . 2008-02-08 04:46   206136   ----a-w-   c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 04:46 . 2008-02-08 04:46   31544   ----a-w-   c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 04:46 . 2008-02-08 04:46   40248   ----a-w-   c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-17 00:27 . 2007-03-17 00:27   479232   ----a-w-   c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-17 00:27 . 2007-03-17 00:27   548864   ----a-w-   c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-17 00:27 . 2007-03-17 00:27   626688   ----a-w-   c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 19:47 . 2007-07-20 19:47   981170   ----a-w-   c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 04:46 . 2008-02-08 04:46   24384   ----a-w-   c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Jen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-22 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"GhostWall"="c:\program files\GhostWall\ghostwall.exe" [2005-09-29 217088]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-02 16049664]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-10-07 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

c:\documents and settings\Jen\Start Menu\Programs\Startup\
ViiKiiDesktopPlugin.lnk - c:\program files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 7:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 67656]
R2 ghstwall;ghstwall;c:\windows\system32\drivers\ghstwall.sys [7/9/2009 10:39 PM 6520]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 12872]
S4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [7/10/2009 6:31 PM 5010288]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2010-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-12-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-448539723-839522115-1004Core.job
- c:\documents and settings\Jen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-22 00:54]

2010-12-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-448539723-839522115-1004UA.job
- c:\documents and settings\Jen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-22 00:54]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jen\Application Data\Mozilla\Firefox\Profiles\89sau4uu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Jen\Application Data\Move Networks
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.

**************************************************************************
scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa]
@DACL=(02 0000)
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
"DllName"="antiwpa.dll"
"Startup"="onStartup"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEven t"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
Completion time: 2010-12-20  10:45:47
ComboFix-quarantined-files.txt  2010-12-20 17:45
ComboFix2.txt  2010-12-16 22:06

Pre-Run: 14,746,644,480 bytes free
Post-Run: 14,766,329,856 bytes free

- - End Of File - - CAEC47A78EC23AD436190591F8C2493C
SuperDave
Malware Removal Specialist
Moderator
Prodigy
Thanked: 617
Posts: 6,998
Experience: Experienced
OS: Windows XP

« Reply #24 on: December 20, 2010, 04:33:27 PM »

SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected
  • At the bottom of the page
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
chibinuku
Topic Starter
Rookie
Posts: 16
Experience: Beginner
OS: Unknown

« Reply #25 on: December 20, 2010, 05:25:23 PM »

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B3D5E000
Module End: B3D76000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: B8664000
Module End: B8666000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Service Name: ---
Module Base: B85AE000
Module End: B85B0000
Hidden: Yes

Module Name: \??\C:\DOCUME~1\Jen\LOCALS~1\Temp\catchme.sys
Service Name: catchme
Module Base: B83C0000
Module End: B83C8000
Hidden: Yes

Module Name: \??\C:\commy\mbr.sys
Service Name: mbr
Module Base: B248F000
Module End: B2496000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwTerminateProcess
At Address: 805D2982
Jump To: B271D19B
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwSetValueKey
At Address: 80621D3A
Jump To: B271D185
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwRenameKey
At Address: 806231EA
Jump To: B271D159
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenKey
At Address: 80624BA6
Jump To: B271D11B
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwDeleteValueKey
At Address: 80623E34
Jump To: B271D16F
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwDeleteKey
At Address: 80623C64
Jump To: B271D143
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateKey
At Address: 806237C8
Jump To: B271D12F
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\Jen\Desktop\2008 Music\(2008.11.26) BONNIE PINK - CHAIN\05 - CHAIN ~The Birth Cry~.mp3
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2008 Music\(2008.12.10) Hello!Project - PETIT BEST 9\07 - ????·??.mp3
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2008 Music\(2008.12.10) Hello!Project - PETIT BEST 9\10 - ??!LOVE???.mp3
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2008 Music\(2008.12.10) Hello!Project - PETIT BEST 9\12 - C\C(?????\???????).mp3
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2008 Music\Maid Cafe\Music\Pa Letee\01+-+Zutto+-+?·?·????.mp3
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2008 Music\Maid Cafe\Music\Pa Letee\02+-+???? ?????????.mp3
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2008 Music\Maid Cafe\Music\Pa Letee\03+-+?????8?????.mp3
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2009\Lolita\?????????????????????????????(?)????????????????????????:chocomint.htm
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2009\Lolita\?????????????????????????????(?)????????????????????????:chocomint_files
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2009\Sale\MM Tulle Lace Frill Bolero\Mary Magdalene|?????????.htm
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\2009\Sale\MM Tulle Lace Frill Bolero\Mary Magdalene|?????????_files
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\Jen's New Stuff\J-Fashion\Putumayo\Fukubukuro 2006\Winter Collection.htm
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\Jen's New Stuff\J-Fashion\Putumayo\Fukubukuro 2006\Winter Collection_files
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\Jen's New Stuff\Webpages\????·????(????)?????????|???????????.htm
Status: Hidden

Object: C:\Documents and Settings\Jen\Desktop\Jen's New Stuff\Webpages\????·????(????)?????????|???????????_files
Status: Hidden

Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied

SuperDave
Malware Removal Specialist
Moderator
Prodigy
Thanked: 617
Posts: 6,998
Experience: Experienced
OS: Windows XP

« Reply #26 on: December 21, 2010, 01:08:26 PM »

How's your computer running now?

I'd like to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
chibinuku
Topic Starter
Rookie
Posts: 16
Experience: Beginner
OS: Unknown

« Reply #27 on: December 21, 2010, 05:39:16 PM »

Two things were found and this is what was saved in the report:

C:\System Volume Information\_restore{014E5FBA-C90E-4DA8-82B6-82F4506DC7D8}\RP552\A0067849.exe   Win32/Toolbar.AskSBar application   deleted - quarantined
C:\System Volume Information\_restore{014E5FBA-C90E-4DA8-82B6-82F4506DC7D8}\RP552\A0067850.exe   probably a variant of Win32/Dialer.V application   cleaned by deleting - quarantined


And then the log that saved as log.txt is the following:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=f9bba001cfdcfc42aeed80aa77f41a5c
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-04 05:18:06
# local_time=2010-11-04 10:18:06 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=247405
# found=19
# cleaned=19
# scan_time=31061
C:\Documents and Settings\Jen\Application Data\Sun\Java\Deployment\cache\6.0\16\da23690-69370906   a variant of Java/Agent.A trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Jen\Application Data\Sun\Java\Deployment\cache\6.0\2\1ea7eb82-77234fa5   multiple threats (deleted - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Jen\Application Data\Sun\Java\Deployment\cache\6.0\20\3c61e454-232c4fc7   multiple threats (deleted - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Jen\Application Data\Sun\Java\Deployment\cache\6.0\3\7d1ce743-3d87f183   OSX/Exploit.Smid.B trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Jen\Application Data\Sun\Java\Deployment\cache\6.0\40\3f4dd0a8-6f9d70f3   multiple threats (deleted - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Jen\Application Data\Sun\Java\Deployment\cache\6.0\48\70628d30-61a8a5b5   multiple threats (deleted - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Jen\Application Data\Sun\Java\Deployment\cache\6.0\51\53dc8a73-4309a98c   multiple threats (deleted - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Jen\Desktop\Downloads\Nero-9.2.6.0_trial.exe   Win32/Toolbar.AskSBar application (deleted - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Jen\Desktop\Jen's Stuff\jen-neko-han's art\Tones\Open_4_you.exe   probably a variant of Win32/Dialer.V application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Jen\Local Settings\Temp\jar_cache1534908056104406770.tmp   multiple threats (deleted - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Jen\Local Settings\Temp\jar_cache2956179030170167897.tmp   a variant of Java/Mugademel.A trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Jen\Local Settings\Temp\jar_cache5083570852514212757.tmp   a variant of Java/Exploit.Agent.NAL trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Jen\Local Settings\Temp\jar_cache5732900284095714596.tmp   probably a variant of Win32/Agent.JWIIGAQ trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Jen\Local Settings\Temp\jar_cache5925914732018722011.tmp   multiple threats (deleted - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Jen\Local Settings\Temp\NERO1004803\unit_app_75\Toolbar.exe   Win32/Toolbar.AskSBar application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Jen\Local Settings\Temp\plugtmp-63\plugin-fmsz.pdf   JS/Exploit.Pdfka.OCB trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Documents and Settings\Jen\My Documents\Downloads\Nero-9.4.13.2b_trial.exe   Win32/Toolbar.AskSBar application (deleted - quarantined)   00000000000000000000000000000000   C
D:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASP138.tmp\aspapp\setup.exe   probably a variant of Win32/Agent.MWCCTSP trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
D:\Documents and Settings\Jen\Desktop\Jen's Stuff\jen-neko-han's art\Tones\Open_4_you.exe   probably a variant of Win32/Dialer.V application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=f9bba001cfdcfc42aeed80aa77f41a5c
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-09 04:31:49
# local_time=2010-11-08 09:31:49 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=236040
# found=0
# cleaned=0
# scan_time=21453
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=f9bba001cfdcfc42aeed80aa77f41a5c
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-11-21 12:59:38
# local_time=2010-11-20 05:59:38 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 533837 533837 0 0
# compatibility_mode=8192 67108863 100 0 517280 517280 0 0
# scanned=12571
# found=0
# cleaned=0
# scan_time=2555
ESETSmartInstaller@High as downloader log:
Can not open internetESETSmartInstaller@High as downloader log:
Can not open internetCan not open internetESETSmartInstaller@High as downloader log:
Can not open internetesets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=f9bba001cfdcfc42aeed80aa77f41a5c
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-11-21 05:38:04
# local_time=2010-11-20 10:38:04 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 536466 536466 0 0
# compatibility_mode=8192 67108863 100 0 519909 519909 0 0
# scanned=154308
# found=0
# cleaned=0
# scan_time=16633
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=f9bba001cfdcfc42aeed80aa77f41a5c
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-11-21 07:59:17
# local_time=2010-11-21 12:59:17 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 556180 556180 0 0
# compatibility_mode=8192 67108863 100 0 539623 539623 0 0
# scanned=40478
# found=0
# cleaned=0
# scan_time=5392
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=f9bba001cfdcfc42aeed80aa77f41a5c
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-11-21 04:51:51
# local_time=2010-11-21 09:51:51 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 572581 572581 0 0
# compatibility_mode=8192 67108863 100 0 556024 556024 0 0
# scanned=236610
# found=0
# cleaned=0
# scan_time=20945
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=f9bba001cfdcfc42aeed80aa77f41a5c
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-12-06 11:44:35
# local_time=2010-12-06 04:44:35 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 1848942 1848942 0 0
# compatibility_mode=8192 67108863 100 0 1832385 1832385 0 0
# scanned=236943
# found=1
# cleaned=1
# scan_time=22147
C:\Documents and Settings\Jen\Application Data\Sun\Java\Deployment\cache\6.0\19\416192d3-6a5141f3   multiple threats (deleted - quarantined)   00000000000000000000000000000000   C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=f9bba001cfdcfc42aeed80aa77f41a5c
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-22 12:04:54
# local_time=2010-12-21 05:04:54 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 3198917 3198917 0 0
# compatibility_mode=768 16777215 100 0 351120 351120 0 0
# compatibility_mode=8192 67108863 100 0 3182360 3182360 0 0
# scanned=241756
# found=2
# cleaned=2
# scan_time=12591
C:\System Volume Information\_restore{014E5FBA-C90E-4DA8-82B6-82F4506DC7D8}\RP552\A0067849.exe   Win32/Toolbar.AskSBar application (deleted - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{014E5FBA-C90E-4DA8-82B6-82F4506DC7D8}\RP552\A0067850.exe   probably a variant of Win32/Dialer.V application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
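The log.txt posted above is a series of scan runs, each a block of `# key=value` header lines followed by one tab-separated detail line per detection (path, threat name with the action in parentheses, a hash column, a flag). Reading seven of these by eye is error-prone, so here is a small parser, added as an example for this page and not part of ESET's tooling or the original post, that splits the file into runs, checks that each run's `found`/`cleaned` counters agree with its detail lines, and flags runs that cannot count as evidence of a clean machine: those with `end=stopped`, or preceded by a downloader note such as `esets_scanner_update returned -1` (the scan ran on stale signatures). It also buckets detection paths by location, since a hit inside a restore point or the Java applet cache is a different finding from one in a user's documents. The sample log is constructed to mirror the shape of the file above, using paths quoted from it; the path categories and the "forum flattened tabs into spaces" tolerance are my assumptions, not ESET's documented format.

```python
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Detection:
    path: str
    threat: str
    action: str


@dataclass
class ScanRun:
    meta: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)
    update_failed: bool = False  # downloader reported a failed signature update

    @property
    def conclusive(self) -> bool:
        # "found=0" means nothing unless the run finished with fresh signatures
        return self.meta.get("end") == "finished" and not self.update_failed


_INT_KEYS = {"scanned", "found", "cleaned", "scan_time"}
_UPDATE_FAIL = ("esets_scanner_update returned -1", "Can not open internet")
_THREAT_RE = re.compile(r"(.*?)\s*\(([^()]*)\)\s*$")


def parse_detection(line: str):
    # detail line: path <tab> "threat (action)" <tab> hash <tab> flag; the forum
    # flattened the tabs into runs of spaces, so both separators are accepted
    parts = re.split(r"\t|\s{3,}", line.strip())
    if len(parts) < 2:
        return None
    m = _THREAT_RE.fullmatch(parts[1])
    return Detection(parts[0], *(m.groups() if m else (parts[1], "")))


def parse_eset_log(text: str):
    runs, pending_fail = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if any(marker in line for marker in _UPDATE_FAIL):
            pending_fail = True  # the downloader note precedes the run it belongs to
            continue
        if line.startswith("# version="):
            runs.append(ScanRun(update_failed=pending_fail))
            pending_fail = False
        if not runs:
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            runs[-1].meta[key] = int(value) if key in _INT_KEYS else value
        elif (det := parse_detection(line)):
            runs[-1].detections.append(det)
    return runs


def summarize(runs):
    rows = []
    for r in runs:
        found, cleaned = r.meta.get("found", 0), r.meta.get("cleaned", 0)
        rows.append({"utc_time": r.meta.get("utc_time", "?"), "end": r.meta.get("end", "?"),
                     "scanned": r.meta.get("scanned", 0), "found": found, "cleaned": cleaned,
                     "conclusive": r.conclusive,
                     # header counters must agree with the detail lines under them
                     "consistent": found == cleaned == len(r.detections)})
    return rows


def classify_path(path: str) -> str:
    # assumed triage buckets, not an ESET classification
    p = path.lower()
    if r"\sun\java\deployment\cache" in p or "jar_cache" in p:
        return "java-cache"      # Java applet cache: typical drive-by exploit residue
    if "plugtmp" in p:
        return "plugin-temp"     # browser plugin temp files, e.g. PDFs opened in-browser
    if r"\system volume information\_restore" in p:
        return "system-restore"  # old copies inside restore points, not running code
    return "other"


def categorize(runs) -> Counter:
    return Counter(classify_path(d.path) for r in runs for d in r.detections)


# Constructed sample in the shape of log.txt: one finished run with two hits, then
# a stopped run whose signature update failed (paths copied from the thread above).
SAMPLE_LOG = "\n".join([
    "ESETSmartInstaller@High as downloader log:", "all ok",
    "# version=7", "# end=finished", "# utc_time=2010-11-04 05:18:06",
    "# scanned=247405", "# found=2", "# cleaned=2", "# scan_time=31061",
    "\t".join([r"C:\Documents and Settings\Jen\Local Settings\Temp\jar_cache5083570852514212757.tmp",
               "a variant of Java/Exploit.Agent.NAL trojan (deleted - quarantined)", "0" * 32, "C"]),
    "\t".join([r"C:\Documents and Settings\Jen\Local Settings\Temp\plugtmp-63\plugin-fmsz.pdf",
               "JS/Exploit.Pdfka.OCB trojan (cleaned by deleting - quarantined)", "0" * 32, "C"]),
    "ESETSmartInstaller@High as downloader log:",
    "Can not open internetesets_scanner_update returned -1 esets_gle=53251",
    "# version=7", "# end=stopped", "# utc_time=2010-11-21 05:38:04",
    "# scanned=154308", "# found=0", "# cleaned=0", "# scan_time=16633",
])

if __name__ == "__main__":
    for row in summarize(parse_eset_log(SAMPLE_LOG)):
        print(row)
    print(dict(categorize(parse_eset_log(SAMPLE_LOG))))
```

Run against the real log.txt by replacing `SAMPLE_LOG` with the file's contents. On the log above it would show that the three November 21 runs marked `end=stopped` and the one preceded by `esets_scanner_update returned -1` are inconclusive, that every run's counters match its detail lines, and that the bulk of the hits sit in the Java cache, plugin temp directory and restore points rather than in installed programs.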
SuperDave
Malware Removal Specialist
Moderator
Posts: 6,998
Experience: Experienced
OS: Windows XP
« Reply #28 on: December 22, 2010, 12:16:02 PM »

So, how's your computer working now? Any other issues?
chibinuku
Topic Starter
Rookie
Posts: 16
Experience: Beginner
OS: Unknown
« Reply #29 on: December 23, 2010, 12:13:29 AM »

Hi Dave, things still aren't running normally and I'm not sure what to do. When I start my computer up there's a message that says "Please select operating system to start" along with other text, but it vanishes too quickly for me to copy everything down. When my computer starts up and also when I've been idle from the computer for a bit, the screen still comes up where I have to click my name to begin, which has never come up on my system for the years I've been using it. The "ASP.NET Machine" is still listed under user accounts as well. Also, Malwarebytes still can't finish running and will crash during its scan whenever I try to run it.

I have been able to open my older Adobe Photoshop 7.0, but my tablet still isn't working. I downloaded the driver for it yet again and it seemed fine. I closed Photoshop and opened it again a few times and at first I have pen pressure, but when I restarted the tablet didn't work again.
SuperDave
Malware Removal Specialist
Moderator
Posts: 6,998
Experience: Experienced
OS: Windows XP
« Reply #30 on: December 23, 2010, 01:11:26 PM »

Quote
When I start my computer up there's a message that says "Please select operating system to start" along with other
That's probably the Recovery Console that was installed when you installed ComboFix. This could be very useful if Windows has problems starting.
Quote
The "ASP.NET Machine" is still listed under user accounts as well
You may have to go to another forum for help with this after we are finished with cleaning.

Quote
Also, Malwarebytes still can't finish running and will crash during its scan whenever I try to run it.
Please try running it in Safe Mode. Please post the log, if successful.

Quote
I have been able to open my older Adobe Photoshop 7.0, but my tablet still isn't working. I downloaded the driver for it yet again and it seemed fine. I closed Photoshop and opened it again a few times and at first I have pen pressure, but when I restarted the tablet didn't work again.
Again, you may have to search for help with this on another forum. It doesn't sound like an infection has caused this.
Copyright © 2010 Computer Hope ® All rights reserved.