Computer Hope

Software => Computer viruses and spyware => Topic started by: UnstableWingman on February 08, 2009, 07:28:09 PM

Title: Virus?
Post by: UnstableWingman on February 08, 2009, 07:28:09 PM
Okay, my HP-built computer has not started in two days.

About a week ago, it restarted with no warning, and I got a flash of a blue screen error before it gave me an option to go to safe mode. I tried system restore to no avail. I got in safe mode and deleted a driver I recently downloaded, and it seemed to work. I could get back in normal mode. But I turned it off for the night, and the next day it gave me the same flash of hardware error message for 1 second and went to safe mode options. So I went back in, and deleted all drivers downloaded or updated in 2009.
That worked again. But the same thing happened yesterday. So I went in, and deleted more things downloaded in 2009. But it didn't work this time. And, it won't let me in safe mode, because it says the copy of Windows needs to be registered, and can only be registered in normal mode. Which I can't get into.

Anyone have a clue what I can do?

EDIT:
For about a month before the crash, I kept getting an error saying I was missing a file. C:\WINDOWS\system32\fawrjjob.dll

EDIT EDIT:
My computer logged on no problems just now. Still getting the above error message.
Title: Re: Virus?
Post by: evilfantasy on February 11, 2009, 04:58:29 PM
Start here http://www.computerhope.com/forum/index.php/topic,46313.0.html

Post the 3 logs when complete.
Title: Re: Virus?
Post by: UnstableWingman on February 14, 2009, 08:46:24 PM
Still not booting in normal mode.



[attachment deleted by admin]
Title: Re: Virus?
Post by: tgp1994 on February 14, 2009, 08:54:16 PM
So, you can't boot into normal mode, but can boot into Safe mode?

My first recommendation is to boot into Safe Mode with Networking and get any Windows updates that you can find. (They actually tend to fix things, even after Vista :))

My next suggestion is to download CCleaner (http://www.filehippo.com/download_ccleaner/), which is pretty much known as Crap Cleaner, and run a Registry scan and clean it up. (Of course, before you do the cleaning part, make sure you save the backup of your registry when it prompts you to do so.) Reboot, and at least see if that fixes the error.

Next, if you still can't boot into normal mode, I recommend you download Spybot Search & Destroy (http://www.safer-networking.org/en/mirrors/index.html) and do a full system scan with it. It tends to be pretty thorough.

And if all else fails, and no one else can help you, pop in the Windows installation disk and do a repair installation.

Hope I helped!
Title: Re: Virus?
Post by: UnstableWingman on February 14, 2009, 09:13:35 PM
CCleaner hasn't worked, I'm in Safe Mode with Networking.
I have all the windows updates, have deleted about 20 virus files, but it still will not boot. It boots sometimes and not others. For the past 3 days now.
Title: Re: Virus?
Post by: tgp1994 on February 14, 2009, 09:25:53 PM
Did you try Spybot Search & Destroy?
Title: Re: Virus?
Post by: UnstableWingman on February 15, 2009, 12:05:59 AM
Just tried it. I deleted many more files. Now, the BSoD stays instead of flashing for a second and going away. Even though I had it set to not restart, it would anyway.
Still not booting in normal mode.

EDIT:
Put the XP CD into the CD-ROM drive; without prompting, it booted normally.
Title: Re: Virus?
Post by: kpac on February 15, 2009, 05:26:28 AM
CCleaner and Spybot won't do much against new malware.

UnstableWingman: Yes, you are still infected after the scans but you'll have to wait for an expert to review the HJT log.
Title: Re: Virus?
Post by: evilfantasy on February 15, 2009, 11:42:43 AM
Before you begin the SDFix instructions you should copy these instructions in a Notepad file and save them to your desktop or print them for easy reference. Much of SDFix will be done in Safe mode and you will be unable to access this web page after booting into Safe mode.

Download SDFix by AndyManchesta (http://download.bleepingcomputer.com/andymanchesta/SDFix.exe) and save it to your desktop.

When using this tool, you must use the Administrator's account or an account with Administrative rights.


* Now, double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.
* A window will now open showing SDFix being extracted into the C:\SDFix folder.
* Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions.
* DO NOT use it just yet.

Reboot your computer in Safe Mode (http://www.bleepingcomputer.com/tutorials/tutorial61.html) using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

When your computer has started in safe mode, and you see the desktop, close all open windows.

* Click on the Start button, click on the Run menu option, and type the following text from the Code Box into the Open: field, then click the OK button.

Code:
C:\SDFix\RunThis.bat
* SDFix window will open containing some brief info and a disclaimer on the use of the tool.
* Type Y on your keyboard and then press Enter to begin the cleanup process.
* It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
* Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log (from normal boot mode).
Title: Re: Virus?
Post by: UnstableWingman on February 15, 2009, 07:28:49 PM
SDFix: Version 1.240
Run by Jimmy George on Sun 02/15/2009 at 04:46 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DLLHOS~1.EXE - Deleted





Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 17:49:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 52\"
"h0"=dword:00000000
"ujdew"=hex:56,4f,18,37,d4,c3,5e,36,b0,60,29,2a,cd,df,87,0c,cc,a6,ba,ab,a3,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 52\"
"h0"=dword:00000000
"ujdew"=hex:56,4f,18,37,d4,c3,5e,36,b0,60,29,2a,cd,df,87,0c,cc,a6,ba,ab,a3,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\Steam\\steamapps\\renji_taicho\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\renji_taicho\\counter-strike source\\hl2.exe:*:Enabled:hl2"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 26 Jan 2009     1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009     5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 26 Jan 2009     2,144,088 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 20 Mar 2008         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 13 Sep 2008        99,328 ...H. --- "C:\Documents and Settings\Jimmy George\My Documents\~WRL0002.tmp"
Tue 11 Nov 2008        24,576 ...H. --- "C:\Documents and Settings\Jimmy George\My Documents\~WRL0005.tmp"
Tue 11 Nov 2008        27,648 ...H. --- "C:\Documents and Settings\Jimmy George\My Documents\~WRL0456.tmp"
Thu  1 May 2008        29,696 ...H. --- "C:\Documents and Settings\Jimmy George\My Documents\~WRL0673.tmp"
Wed 30 Apr 2008        29,184 ...H. --- "C:\Documents and Settings\Jimmy George\My Documents\~WRL1912.tmp"
Wed 28 Jan 2009     1,157,632 ...H. --- "C:\Documents and Settings\Jimmy George\My Documents\~WRL2103.tmp"
Thu  1 May 2008        29,696 ...H. --- "C:\Documents and Settings\Jimmy George\My Documents\~WRL2272.tmp"
Wed 28 Jan 2009     1,157,632 ...H. --- "C:\Documents and Settings\Jimmy George\My Documents\~WRL2731.tmp"
Tue 11 Nov 2008        26,624 ...H. --- "C:\Documents and Settings\Jimmy George\My Documents\~WRL3300.tmp"
Thu  1 May 2008        29,696 ...H. --- "C:\Documents and Settings\Jimmy George\My Documents\~WRL3987.tmp"
Mon 10 Nov 2008           460 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti127.tmp"
Thu  5 Jul 2007       146,432 ..SHR --- "C:\Program Files\Verizon Wireless\V CAST Music Manager\Setup.exe"
Mon  7 May 2007        53,248 A.SHR --- "C:\Program Files\Verizon Wireless\V CAST Music Manager\_Setupx.dll"
Sat 19 Apr 2008             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 13 Nov 2006       319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Thu 20 Mar 2008         4,348 ...H. --- "C:\Documents and Settings\Jimmy George\My Documents\My Music\License Backup\drmv1key.bak"
Thu 20 Mar 2008            20 A..H. --- "C:\Documents and Settings\Jimmy George\My Documents\My Music\License Backup\drmv1lic.bak"
Thu 20 Mar 2008         9,655 A.SH. --- "C:\Documents and Settings\Jimmy George\My Documents\My Music\License Backup\drmv2key.bak"

Finished!



[attachment deleted by admin]
Title: Re: Virus?
Post by: evilfantasy on February 15, 2009, 07:32:09 PM
Getting closer.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Title: Re: Virus?
Post by: UnstableWingman on February 15, 2009, 07:49:57 PM
ComboFix 09-02-15.01 - Jimmy George 2009-02-15 18:42:45.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2047.1421 [GMT -8:00]
Running from: c:\documents and settings\Jimmy George\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\vxignpmm.job

.
(((((((((((((((((((((((((   Files Created from 2009-01-16 to 2009-02-16  )))))))))))))))))))))))))))))))
.

2009-02-15 16:43 . 2009-02-15 16:44   <DIR>   d--------   c:\windows\ERUNT
2009-02-15 16:37 . 2009-02-15 17:51   <DIR>   d--------   C:\SDFix
2009-02-14 20:10 . 2009-02-14 20:10   <DIR>   d--------   c:\program files\Spybot - Search & Destroy
2009-02-14 20:10 . 2009-02-14 22:59   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-14 20:02 . 2009-02-14 20:02   <DIR>   d--------   c:\documents and settings\Jimmy George\.SunDownloadManager
2009-02-14 17:00 . 2009-02-14 17:00   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-14 16:59 . 2009-02-14 19:42   <DIR>   d--------   c:\program files\SUPERAntiSpyware
2009-02-14 16:59 . 2009-02-14 16:59   <DIR>   d--------   c:\documents and settings\Jimmy George\Application Data\SUPERAntiSpyware.com
2009-02-14 16:57 . 2009-02-14 16:57   <DIR>   d--------   c:\program files\CCleaner
2009-02-11 18:28 . 2009-02-11 18:28   <DIR>   d--------   C:\c598fe486e6c00070a0f9c29dff0
2009-02-11 18:28 . 2009-02-11 18:28   <DIR>   d--------   C:\89200b32165d195b00b4
2009-02-11 16:25 . 2009-02-11 16:25   <DIR>   dr-h-----   C:\AHCache
2009-02-11 16:25 . 2009-02-11 16:25   <DIR>   d--------   C:\59655147b6d111e15c88
2009-02-11 16:25 . 2009-02-11 16:25   <DIR>   d--------   C:\27f6147b376fc2bb44d9abe7ce9957b9
2009-02-08 20:44 . 2009-02-08 20:44   <DIR>   d--------   c:\program files\Trend Micro
2009-02-08 20:41 . 2009-02-08 20:41   <DIR>   d--------   c:\program files\Avira
2009-02-08 20:41 . 2009-02-08 20:41   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Avira
2009-02-08 20:39 . 2009-02-08 20:39   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2009-02-08 20:39 . 2009-02-08 20:39   <DIR>   d--------   c:\documents and settings\Jimmy George\Application Data\Malwarebytes
2009-02-08 20:39 . 2009-02-08 20:39   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-08 20:39 . 2009-01-14 16:11   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-08 20:39 . 2009-01-14 16:11   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2009-02-05 21:08 . 2009-02-15 18:46   13,646   --a------   c:\windows\system32\wpa.dbl
2009-01-31 15:26 . 2009-01-31 15:26   <DIR>   d--------   c:\program files\Aspyr
2009-01-29 21:36 . 2009-01-29 21:36   0   --ah-----   c:\windows\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2009-01-29 21:36 . 2009-01-29 21:36   0   --ah-----   c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2009-01-29 21:35 . 2009-02-02 16:51   <DIR>   d--------   c:\program files\Microsoft Xbox 360 Accessories
2009-01-29 21:35 . 2006-09-28 16:04   68,888   --a------   c:\windows\system32\xinput1_3(6).dll
2009-01-29 21:35 . 2006-09-28 16:04   68,888   --a------   c:\windows\system32\xinput1_3(5).dll
2009-01-29 21:35 . 2006-09-28 16:04   68,888   --a------   c:\windows\system32\xinput1_3(4).dll
2009-01-29 21:35 . 2006-09-28 16:04   68,888   --a------   c:\windows\system32\xinput1_3(3).dll
2009-01-29 21:35 . 2006-09-28 16:04   68,888   --a------   c:\windows\system32\xinput1_3(2).dll
2009-01-29 21:06 . 2009-02-02 16:51   <DIR>   d--------   c:\program files\XBCD
2009-01-29 20:42 . 2009-02-02 16:51   <DIR>   d--------   c:\program files\Frets on Fire
2009-01-29 20:42 . 2009-02-02 16:51   <DIR>   d--------   c:\documents and settings\Jimmy George\Application Data\fretsonfire

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 02:47   ---------   d-----w   c:\documents and settings\Jimmy George\Application Data\LimeWire
2009-02-16 02:46   ---------   d-----w   c:\program files\Steam
2009-02-16 01:19   ---------   d-----w   c:\documents and settings\Jimmy George\Application Data\Hamachi
2009-02-15 03:55   90,112   ----a-w   c:\windows\DUMP31ed.tmp
2009-02-15 00:59   ---------   d-----w   c:\program files\Common Files\Wise Installation Wizard
2009-02-12 02:18   90,112   ----a-w   c:\windows\DUMP3894.tmp
2009-02-06 05:11   98,304   ----a-w   c:\windows\DUMP3884.tmp
2009-02-06 05:10   98,304   ----a-w   c:\windows\DUMP3cab.tmp
2009-02-04 22:28   98,304   ----a-w   c:\windows\DUMP45e2.tmp
2009-02-04 22:26   98,304   ----a-w   c:\windows\DUMP4d35.tmp
2009-02-04 22:25   98,304   ----a-w   c:\windows\DUMP4621.tmp
2009-02-04 22:22   98,304   ----a-w   c:\windows\DUMP4d74.tmp
2009-02-04 22:21   98,304   ----a-w   c:\windows\DUMP4cf7.tmp
2009-02-04 22:17   98,304   ----a-w   c:\windows\DUMP4cd7.tmp
2009-02-04 22:14   98,304   ----a-w   c:\windows\DUMP4df1.tmp
2009-02-04 22:12   98,304   ----a-w   c:\windows\DUMP46fb.tmp
2009-02-04 22:10   98,304   ----a-w   c:\windows\DUMP4b70.tmp
2009-02-04 22:09   98,304   ----a-w   c:\windows\DUMP4cb9.tmp
2009-02-04 22:07   98,304   ----a-w   c:\windows\DUMP4cb8.tmp
2009-02-04 22:06   98,304   ----a-w   c:\windows\DUMP593b.tmp
2009-02-03 01:03   98,304   ----a-w   c:\windows\DUMP48e0.tmp
2009-02-03 01:02   98,304   ----a-w   c:\windows\DUMP44e8.tmp
2009-02-03 00:57   ---------   d-----w   c:\documents and settings\Jimmy George\Application Data\uTorrent
2009-02-03 00:41   98,304   ----a-w   c:\windows\DUMP4bdd.tmp
2009-02-03 00:39   98,304   ----a-w   c:\windows\DUMP535f.tmp
2009-01-24 06:02   ---------   d-----w   c:\documents and settings\All Users\Application Data\TrackMania
2008-06-20 02:59   604   ---ha-w   c:\program files\STLL Notifier
2001-03-30 00:19   718   ----a-w   c:\program files\player.nfx
2001-03-29 19:21   328   ----a-w   c:\program files\player.nfo
2001-03-20 04:14   563   ----a-w   c:\program files\player1.hki
2000-09-01 08:53   22,431   ----a-w   c:\program files\Readme_a.rtf
2000-09-01 08:47   1,173,558   ----a-w   c:\program files\crack.zip
2000-09-01 08:16   2,643,424   ----a-w   c:\program files\age2upa.exe
2000-08-09 00:44   340   ----a-w   c:\program files\setup.bat
2000-08-09 00:39   45,056   ----a-w   c:\program files\SETUPREG.EXE
2000-08-09 00:18   34   ----a-w   c:\program files\fonts.bat
2000-08-09 00:17   0   ----a-w   c:\program files\STPENUX.DLL
2000-08-09 00:17   0   ----a-w   c:\program files\EBUSetup.sem
2000-08-08 10:13   2,695,213   ----a-w   c:\program files\age2_x1.exe
2000-08-07 10:11   20,992   ----a-w   c:\program files\mythxpak.exe
2000-06-28 10:00   44,452   ----a-w   c:\program files\Readmex.rtf
2000-06-13 10:09   339,968   ----a-w   c:\program files\language_x1.dll
2000-06-13 09:59   53,299   ----a-w   c:\program files\ebueulax.dll
2000-05-27 10:58   39,647   ----a-w   c:\program files\EULAx.RTF
2000-04-01 07:47   301,568   ----a-w   c:\program files\myth.acm
1999-11-17 22:00   32,768   ----a-w   c:\program files\SETUPENU.DLL
1999-09-22 12:32   57,363   ----a-w   c:\program files\Readme.rtf
1999-09-22 12:32   53,304   ----a-w   c:\program files\EBUEula.dll
1999-09-22 12:32   499,712   ----a-w   c:\program files\language.dll
1999-09-22 12:32   40,507   ----a-w   c:\program files\EULA.RTF
1999-09-22 12:32   365,568   ----a-w   c:\program files\HA312W32.DLL
1999-09-22 12:32   158,902   ----a-w   c:\program files\scenariobkg.bmp
1999-09-22 12:32   112,688   ----a-w   c:\program files\SHW32.DLL
1999-09-22 03:46   2,560,000   ----a-w   c:\program files\empires2.exe
2007-06-13 22:07   6,276,080   ----a-w   c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-15 68856]
"Steam"="c:\program files\steam\steam.exe" [2008-10-08 1410296]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 216520]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Maxtor\Schedule2\schedhlp.exe" [2007-08-08 148760]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-06 8523776]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SkyTel"="SkyTel.EXE" [2008-02-25 c:\windows\SkyTel.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2007-11-06 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-25 c:\windows\RTHDCPL.exe]

c:\documents and settings\Jimmy George\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
hamachi.lnk - c:\program files\Hamachi\hamachi.exe [2008-05-30 624416]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-02-08 147456]
MEMonitor.lnk - c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-06-19 947544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=fnpear.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\renji_taicho\\counter-strike source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-02-26 24652]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-02-23 30720]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-11-09 40832]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2008-01-25 25088]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f627f16-158a-11dd-a61d-001d60272211}]
\Shell\AutoRun\command - I:\LaunchU3.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{3C3F8F62-8061-4874-8925-5066D6AC1F9B} - c:\windows\system32\jkkJdCUk.dll


.
------- Supplementary Scan -------
.
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jimmy George\Application Data\Mozilla\Firefox\Profiles\5lrhd2kh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\kSolo\npAVX.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 18:47:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Common Files\Maxtor\Schedule2\schedul2.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2009-02-15 18:48:55 - machine was rebooted
ComboFix-quarantined-files.txt  2009-02-16 02:48:52

Pre-Run: 375,930,830,848 bytes free
Post-Run: 375,849,598,976 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

234   --- E O F ---   2008-12-11 07:35:37
Title: Re: Virus?
Post by: evilfantasy on February 15, 2009, 08:05:57 PM
Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr"=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

Also let me know how the computer is running now.
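The Registry:: section of a CFScript is written in regedit's .reg syntax, so "AppInit_DLLs"="" sets that value to an empty string and "Alcmtr"=- deletes the value outright. AppInit_DLLs is worth clearing because on Windows XP every DLL listed there is mapped into each process that loads user32.dll, which is a long-standing persistence hook (Vista later gated it behind LoadAppInit_DLLs). As an added illustration, not part of this thread and not ComboFix's own code, the Python below parses a constructed regedit export, reports the two load points the script above targets, and emits a matching Registry:: block. The export text, the DLL name example.dll and the ExampleAgent value are all made up for the sample.

```python
import re
from typing import Dict, List, Tuple

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed regedit export (REG_SZ values only); example.dll and ExampleAgent are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\windows\\system32\\example.dll"
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="\"C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"ExampleAgent"="exagent.exe"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_SZ_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Collect REG_SZ values from regedit export text as {key: {name: value}}.
    Key names are lower-cased because the registry compares them case-insensitively;
    regedit escapes backslash and double quote with a backslash, which is undone here.
    Other value types (dword:, hex:) are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _SZ_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            keys[current][name] = re.sub(r"\\(.)", r"\1", raw)
    return keys


def triage(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Report the two load points the CFScript above touches."""
    findings: List[Tuple[str, str]] = []
    appinit = keys.get(APPINIT_KEY.lower(), {}).get("AppInit_DLLs", "")
    if appinit.strip():
        # On XP every DLL listed here is loaded into each process that loads user32.dll.
        findings.append(("AppInit_DLLs", appinit))
    for name, cmd in keys.get(RUN_KEY.lower(), {}).items():
        findings.append(("Run:" + name, cmd))
    return findings


def cfscript_registry_block(clear_appinit: bool, delete_run_values: List[str]) -> str:
    """Emit a ComboFix Registry:: section in regedit syntax:
    "Name"="" sets a value to empty, "Name"=- deletes it."""
    lines = ["Registry::"]
    if clear_appinit:
        lines += [f"[{APPINIT_KEY}]", '"AppInit_DLLs"=""', ""]
    if delete_run_values:
        lines.append(f"[{RUN_KEY}]")
        lines += [f'"{name}"=-' for name in delete_run_values]
    return "\n".join(lines)


if __name__ == "__main__":
    for where, what in triage(parse_reg_export(SAMPLE_REG)):
        print(f"{where:16} {what}")
    print(cfscript_registry_block(clear_appinit=True, delete_run_values=["ExampleAgent"]))
```

Deciding which Run value to delete is still a human call; the script only shows what the two CFScript directives mean and where the values they touch come from.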
Title: Re: Virus?
Post by: UnstableWingman on February 15, 2009, 09:30:37 PM
ComboFix 09-02-15.01 - Jimmy George 2009-02-15 19:52:16.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2047.1444 [GMT -8:00]
Running from: c:\documents and settings\Jimmy George\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jimmy George\My Documents\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
 * Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2009-01-16 to 2009-02-16  )))))))))))))))))))))))))))))))
.

2009-02-15 16:43 . 2009-02-15 16:44   <DIR>   d--------   c:\windows\ERUNT
2009-02-15 16:37 . 2009-02-15 17:51   <DIR>   d--------   C:\SDFix
2009-02-14 20:10 . 2009-02-14 20:10   <DIR>   d--------   c:\program files\Spybot - Search & Destroy
2009-02-14 20:10 . 2009-02-14 22:59   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-14 20:02 . 2009-02-14 20:02   <DIR>   d--------   c:\documents and settings\Jimmy George\.SunDownloadManager
2009-02-14 17:00 . 2009-02-14 17:00   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-14 16:59 . 2009-02-14 19:42   <DIR>   d--------   c:\program files\SUPERAntiSpyware
2009-02-14 16:59 . 2009-02-14 16:59   <DIR>   d--------   c:\documents and settings\Jimmy George\Application Data\SUPERAntiSpyware.com
2009-02-14 16:57 . 2009-02-14 16:57   <DIR>   d--------   c:\program files\CCleaner
2009-02-11 18:28 . 2009-02-11 18:28   <DIR>   d--------   C:\c598fe486e6c00070a0f9c29dff0
2009-02-11 18:28 . 2009-02-11 18:28   <DIR>   d--------   C:\89200b32165d195b00b4
2009-02-11 16:25 . 2009-02-11 16:25   <DIR>   dr-h-----   C:\AHCache
2009-02-11 16:25 . 2009-02-11 16:25   <DIR>   d--------   C:\59655147b6d111e15c88
2009-02-11 16:25 . 2009-02-11 16:25   <DIR>   d--------   C:\27f6147b376fc2bb44d9abe7ce9957b9
2009-02-08 20:44 . 2009-02-08 20:44   <DIR>   d--------   c:\program files\Trend Micro
2009-02-08 20:41 . 2009-02-08 20:41   <DIR>   d--------   c:\program files\Avira
2009-02-08 20:41 . 2009-02-08 20:41   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Avira
2009-02-08 20:39 . 2009-02-08 20:39   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2009-02-08 20:39 . 2009-02-08 20:39   <DIR>   d--------   c:\documents and settings\Jimmy George\Application Data\Malwarebytes
2009-02-08 20:39 . 2009-02-08 20:39   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-08 20:39 . 2009-01-14 16:11   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-08 20:39 . 2009-01-14 16:11   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2009-02-05 21:08 . 2009-02-15 19:57   13,646   --a------   c:\windows\system32\wpa.dbl
2009-01-31 15:26 . 2009-01-31 15:26   <DIR>   d--------   c:\program files\Aspyr
2009-01-29 21:36 . 2009-01-29 21:36   0   --ah-----   c:\windows\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2009-01-29 21:36 . 2009-01-29 21:36   0   --ah-----   c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2009-01-29 21:35 . 2009-02-02 16:51   <DIR>   d--------   c:\program files\Microsoft Xbox 360 Accessories
2009-01-29 21:35 . 2006-09-28 16:04   68,888   --a------   c:\windows\system32\xinput1_3(6).dll
2009-01-29 21:35 . 2006-09-28 16:04   68,888   --a------   c:\windows\system32\xinput1_3(5).dll
2009-01-29 21:35 . 2006-09-28 16:04   68,888   --a------   c:\windows\system32\xinput1_3(4).dll
2009-01-29 21:35 . 2006-09-28 16:04   68,888   --a------   c:\windows\system32\xinput1_3(3).dll
2009-01-29 21:35 . 2006-09-28 16:04   68,888   --a------   c:\windows\system32\xinput1_3(2).dll
2009-01-29 21:06 . 2009-02-02 16:51   <DIR>   d--------   c:\program files\XBCD
2009-01-29 20:42 . 2009-02-02 16:51   <DIR>   d--------   c:\program files\Frets on Fire
2009-01-29 20:42 . 2009-02-02 16:51   <DIR>   d--------   c:\documents and settings\Jimmy George\Application Data\fretsonfire

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 03:57   ---------   d-----w   c:\program files\Steam
2009-02-16 03:54   90,112   ----a-w   c:\windows\DUMP4381.tmp
2009-02-16 02:52   ---------   d-----w   c:\documents and settings\Jimmy George\Application Data\LimeWire
2009-02-16 02:47   ---------   d-----w   c:\documents and settings\Jimmy George\Application Data\Hamachi
2009-02-15 03:55   90,112   ----a-w   c:\windows\DUMP31ed.tmp
2009-02-15 00:59   ---------   d-----w   c:\program files\Common Files\Wise Installation Wizard
2009-02-12 02:18   90,112   ----a-w   c:\windows\DUMP3894.tmp
2009-02-06 05:11   98,304   ----a-w   c:\windows\DUMP3884.tmp
2009-02-06 05:10   98,304   ----a-w   c:\windows\DUMP3cab.tmp
2009-02-04 22:28   98,304   ----a-w   c:\windows\DUMP45e2.tmp
2009-02-04 22:26   98,304   ----a-w   c:\windows\DUMP4d35.tmp
2009-02-04 22:25   98,304   ----a-w   c:\windows\DUMP4621.tmp
2009-02-04 22:22   98,304   ----a-w   c:\windows\DUMP4d74.tmp
2009-02-04 22:21   98,304   ----a-w   c:\windows\DUMP4cf7.tmp
2009-02-04 22:17   98,304   ----a-w   c:\windows\DUMP4cd7.tmp
2009-02-04 22:14   98,304   ----a-w   c:\windows\DUMP4df1.tmp
2009-02-04 22:12   98,304   ----a-w   c:\windows\DUMP46fb.tmp
2009-02-04 22:10   98,304   ----a-w   c:\windows\DUMP4b70.tmp
2009-02-04 22:09   98,304   ----a-w   c:\windows\DUMP4cb9.tmp
2009-02-04 22:07   98,304   ----a-w   c:\windows\DUMP4cb8.tmp
2009-02-04 22:06   98,304   ----a-w   c:\windows\DUMP593b.tmp
2009-02-03 01:03   98,304   ----a-w   c:\windows\DUMP48e0.tmp
2009-02-03 01:02   98,304   ----a-w   c:\windows\DUMP44e8.tmp
2009-02-03 00:57   ---------   d-----w   c:\documents and settings\Jimmy George\Application Data\uTorrent
2009-02-03 00:41   98,304   ----a-w   c:\windows\DUMP4bdd.tmp
2009-02-03 00:39   98,304   ----a-w   c:\windows\DUMP535f.tmp
2009-01-24 06:02   ---------   d-----w   c:\documents and settings\All Users\Application Data\TrackMania
2008-06-20 02:59   604   ---ha-w   c:\program files\STLL Notifier
2001-03-30 00:19   718   ----a-w   c:\program files\player.nfx
2001-03-29 19:21   328   ----a-w   c:\program files\player.nfo
2001-03-20 04:14   563   ----a-w   c:\program files\player1.hki
2000-09-01 08:53   22,431   ----a-w   c:\program files\Readme_a.rtf
2000-09-01 08:47   1,173,558   ----a-w   c:\program files\crack.zip
2000-09-01 08:16   2,643,424   ----a-w   c:\program files\age2upa.exe
2000-08-09 00:44   340   ----a-w   c:\program files\setup.bat
2000-08-09 00:39   45,056   ----a-w   c:\program files\SETUPREG.EXE
2000-08-09 00:18   34   ----a-w   c:\program files\fonts.bat
2000-08-09 00:17   0   ----a-w   c:\program files\STPENUX.DLL
2000-08-09 00:17   0   ----a-w   c:\program files\EBUSetup.sem
2000-08-08 10:13   2,695,213   ----a-w   c:\program files\age2_x1.exe
2000-08-07 10:11   20,992   ----a-w   c:\program files\mythxpak.exe
2000-06-28 10:00   44,452   ----a-w   c:\program files\Readmex.rtf
2000-06-13 10:09   339,968   ----a-w   c:\program files\language_x1.dll
2000-06-13 09:59   53,299   ----a-w   c:\program files\ebueulax.dll
2000-05-27 10:58   39,647   ----a-w   c:\program files\EULAx.RTF
2000-04-01 07:47   301,568   ----a-w   c:\program files\myth.acm
1999-11-17 22:00   32,768   ----a-w   c:\program files\SETUPENU.DLL
1999-09-22 12:32   57,363   ----a-w   c:\program files\Readme.rtf
1999-09-22 12:32   53,304   ----a-w   c:\program files\EBUEula.dll
1999-09-22 12:32   499,712   ----a-w   c:\program files\language.dll
1999-09-22 12:32   40,507   ----a-w   c:\program files\EULA.RTF
1999-09-22 12:32   365,568   ----a-w   c:\program files\HA312W32.DLL
1999-09-22 12:32   158,902   ----a-w   c:\program files\scenariobkg.bmp
1999-09-22 12:32   112,688   ----a-w   c:\program files\SHW32.DLL
1999-09-22 03:46   2,560,000   ----a-w   c:\program files\empires2.exe
2007-06-13 22:07   6,276,080   ----a-w   c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-15 68856]
"Steam"="c:\program files\steam\steam.exe" [2008-10-08 1410296]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 216520]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Maxtor\Schedule2\schedhlp.exe" [2007-08-08 148760]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-06 8523776]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SkyTel"="SkyTel.EXE" [2008-02-25 c:\windows\SkyTel.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2007-11-06 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-25 c:\windows\RTHDCPL.exe]

c:\documents and settings\Jimmy George\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
hamachi.lnk - c:\program files\Hamachi\hamachi.exe [2008-05-30 624416]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-02-08 147456]
MEMonitor.lnk - c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-06-19 947544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\renji_taicho\\counter-strike source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-02-26 24652]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-02-23 30720]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-11-09 40832]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2008-01-25 25088]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f627f16-158a-11dd-a61d-001d60272211}]
\Shell\AutoRun\command - I:\LaunchU3.exe
.
.
------- Supplementary Scan -------
.
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jimmy George\Application Data\Mozilla\Firefox\Profiles\5lrhd2kh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\kSolo\npAVX.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 19:57:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Common Files\Maxtor\Schedule2\schedul2.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-02-15 20:00:47 - machine was rebooted [Jimmy George]
ComboFix-quarantined-files.txt  2009-02-16 04:00:45
ComboFix2.txt  2009-02-16 02:48:56

Pre-Run: 375,805,448,192 bytes free
Post-Run: 375,782,617,088 bytes free

222   --- E O F ---   2008-12-11 07:35:37
Title: Re: Virus?
Post by: evilfantasy on February 15, 2009, 09:33:15 PM
How is the computer running now?
Title: Re: Virus?
Post by: UnstableWingman on February 15, 2009, 09:33:58 PM
I tried booting it without the XP CD in the CD-ROM drive, and it kept giving me the BSoD.
With the CD in the drive, it boots fine.
Title: Re: Virus?
Post by: evilfantasy on February 15, 2009, 09:45:05 PM
Hmm. Not sure what to think about that.

Have you changed your boot order?
Title: Re: Virus?
Post by: BC_Programmer on February 15, 2009, 09:52:58 PM
what was the bluescreen error code?

Can you get into the Recovery Console via the CD and run fixboot, fixmbr, and perhaps a chkdsk /f for good measure?

This can occur when NTLDR, NTDETECT, or one of the other core boot files is corrupted or missing on the HD. I've only seen it with floppy disks and those three files, but I imagine it applies equally well to CD drives since they can be higher in the boot order than the HD.
Title: Re: Virus?
Post by: tgp1994 on February 15, 2009, 09:55:49 PM
How about this, for looking at the BSOD error:

Get a video camera, and record the portion of the startup where the BSOD appears. Then play it back frame by frame to see if you can get a good look at the BSOD, and report it here.
Title: Re: Virus?
Post by: BC_Programmer on February 15, 2009, 10:04:18 PM
???

or use F8 and "disable automatic restart on system failure"...
Title: Re: Virus?
Post by: evilfantasy on February 15, 2009, 10:08:30 PM
Quote
can you get into the recovery console via the CD and run fixboot,fixmbr

That sparked a thought. (http://www.feuerwerk-forum.de/images/icons/icon3.gif) And since we are dealing with a malware issue it could be the MBR Rootkit.

Download mbr.exe (http://www2.gmer.net/mbr/mbr.exe) to your Desktop.

Title: Re: Virus?
Post by: UnstableWingman on February 15, 2009, 10:19:35 PM
mbr won't open. It just flashes a black box.
Title: Re: Virus?
Post by: evilfantasy on February 15, 2009, 10:23:03 PM
That's all it does. There should be a new log file on your desktop called mbr.
Title: Re: Virus?
Post by: UnstableWingman on February 15, 2009, 10:26:37 PM
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0x3a384c41 size 0x1c0 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
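The log above is the whole case in three lines: sector 0 no longer holds the original boot code, the original MBR has been parked at sector 62 (inside the normally unused sectors between the MBR and the first partition, which on an XP-era disk starts at LBA 63), and the rootkit body sits at sector 0x3a384c41, roughly 500 GB into the disk, i.e. near its end. That on-disk footprint is consistent with the Mebroot/Sinowal family of MBR bootkits, and it is what "mbr.exe -f" undoes. As an added example, not part of this thread and not GMER's code, the Python below builds a constructed 64-sector disk image with that layout, decodes the partition table, scans the gap before the first partition for a second sector that carries the same partition table but different boot code, and models the repair by writing the parked copy back over sector 0. The sample boot code bytes are stand-ins, and whether GMER's tool repairs exactly this way is not something the thread states. What an offline image cannot reproduce is the tool's other check, comparing a user-mode read of sector 0 with a kernel-mode read to catch a hooked disk driver that lies about the sector; there is no driver to lie to an image file.

```python
import struct

SECTOR = 512
MBR_SIG = b"\x55\xAA"
BOOTCODE_LEN = 440     # boot code occupies bytes 0..439; the 4-byte disk signature follows at 0x1B8
PT_OFFSET = 0x1BE      # four 16-byte partition entries
SIG_OFFSET = 0x1FE     # 0x55AA boot signature


def parse_partition_table(sector: bytes) -> list:
    """Decode the four MBR partition entries of one 512-byte sector."""
    entries = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, n_sectors = struct.unpack_from("<II", sector, off + 8)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": n_sectors})
    return entries


def has_mbr_signature(sector: bytes) -> bool:
    return sector[SIG_OFFSET:SIG_OFFSET + 2] == MBR_SIG


def find_relocated_mbr(image: bytes) -> list:
    """Return LBAs in the gap before the first partition whose sector carries the same
    partition table as sector 0 but different boot code: a parked original MBR."""
    mbr = image[:SECTOR]
    if not has_mbr_signature(mbr):
        raise ValueError("sector 0 carries no 55AA signature")
    table = parse_partition_table(mbr)
    first_lba = min((e["lba_start"] for e in table if e["type"] != 0), default=1)
    hits = []
    for lba in range(1, first_lba):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(s) < SECTOR:
            break
        if (has_mbr_signature(s) and parse_partition_table(s) == table
                and s[:BOOTCODE_LEN] != mbr[:BOOTCODE_LEN]):
            hits.append(lba)
    return hits


def restore_mbr(image: bytes, src_lba: int) -> bytes:
    """Model the repair: copy the parked original sector back over sector 0."""
    copy = image[src_lba * SECTOR:(src_lba + 1) * SECTOR]
    return copy + image[SECTOR:]


def build_sample_image(infected: bool) -> bytes:
    """Constructed 64-sector image in the classic XP layout (partition 1 at LBA 63)."""
    # One bootable NTFS (type 0x07) partition; the CHS fields are placeholders.
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 1_000_000)
    table = entry + b"\x00" * 48
    disk_sig = b"\x12\x34\x56\x78\x00\x00"
    # Stand-in for stock boot code (opens like the real one: xor ax,ax / mov ss,ax / mov sp,7C00h).
    stock_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOTCODE_LEN, b"\x90")
    # Stand-in for a bootkit loader; only the fact that it differs from stock matters here.
    evil_code = bytes([0xEB, 0x3E]).ljust(BOOTCODE_LEN, b"\xCC")
    original_mbr = stock_code + disk_sig + table + MBR_SIG
    hooked_mbr = evil_code + disk_sig + table + MBR_SIG
    sectors = [b"\x00" * SECTOR] * 64
    sectors[0] = hooked_mbr if infected else original_mbr
    if infected:
        sectors[62] = original_mbr   # parked copy, as the mbr.exe log above reported
    return b"".join(sectors)


if __name__ == "__main__":
    img = build_sample_image(infected=True)
    print("partitions:", parse_partition_table(img[:SECTOR]))
    copies = find_relocated_mbr(img)
    print("relocated MBR copies at sectors:", copies)
    if copies:
        print("after restore:", find_relocated_mbr(restore_mbr(img, copies[0])))
```

On a real drive the same scan would be run against the raw device (\\.\PhysicalDrive0 on Windows, /dev/sda on a Linux rescue boot) rather than a file; the point of reading from a rescue OS is precisely that the infected kernel's hooked driver is not in the read path.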
Title: Re: Virus?
Post by: BC_Programmer on February 15, 2009, 10:29:37 PM
well speak of the devil!  :o     ;D

Thar be beasts in that thar MBR!


Title: Re: Virus?
Post by: evilfantasy on February 15, 2009, 10:42:16 PM
Stinking rootkits are going to be the death of me man I swear. Sneaky b*stards.

Thanks BC, your diagnosis tipped off the perp's location ;D

OK, here we go...

Copy the MBR.exe on your desktop and place it in the C:\Windows folder

Now click Start > Run

Type in mbr.exe -f <- Note the space between mbr.exe and -f

Then click OK.

Should fix it.



Title: Re: Virus?
Post by: evilfantasy on February 15, 2009, 10:48:36 PM
I should have had you put that in the C:\ directory so unless you have already started just put it there.
Title: Re: Virus?
Post by: UnstableWingman on February 15, 2009, 10:56:43 PM
Do I get another log saying its gone?
Title: Re: Virus?
Post by: evilfantasy on February 15, 2009, 10:59:14 PM
Look where you placed the MBR.exe and there should be a mbr.log

Please post that log.
Title: Re: Virus?
Post by: tgp1994 on February 15, 2009, 10:59:36 PM
I think your confirmation will be your computer starting up without the disk.
Title: Re: Virus?
Post by: UnstableWingman on February 15, 2009, 11:03:08 PM
I think this is it..?

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
Title: Re: Virus?
Post by: tgp1994 on February 15, 2009, 11:05:35 PM
Ok, reboot your computer without the CD and see if it works.
Title: Re: Virus?
Post by: evilfantasy on February 15, 2009, 11:07:58 PM
tgp1994, please. I have this under control and we need to do things in a certain order.

Now since we found that hiding we need to run more scans.

Run CCleaner and then restart the computer (hopefully without the disk)

The F-Secure scan can take a while so you might want to be sure you have enough time, over an hour...

You can go and delete the MBR.exe and all of the log files it created.

Run the  F-Secure Online Scanner (http://support.f-secure.com/enu/home/ols.shtml) for Viruses, Spyware and RootKits.

Note: This Scanner is for Internet Explorer Only!.
----------

Now run GMER and post the log along with the F-Secure log.

Please read this carefully.

Download GMER (http://www.gmer.net/gmer.zip) and save it to your desktop
NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.

Title: Re: Virus?
Post by: UnstableWingman on February 15, 2009, 11:14:50 PM
Okay.
Reboot worked without the CD.
I have run Firefox for the past year, so what program would you suggest instead of F-Secure?
Title: Re: Virus?
Post by: evilfantasy on February 15, 2009, 11:16:37 PM
Nothing. IE is the only way.

You still have to use IE to go to Windows Updates so it can't be completely abandoned.
Title: Re: Virus?
Post by: UnstableWingman on February 15, 2009, 11:21:16 PM
Can I run GMER and F-Secure at the same time?
Title: Re: Virus?
Post by: evilfantasy on February 15, 2009, 11:22:59 PM
No, never a good idea. GMER won't take very long. It's the full version of the MBR.exe you ran.
Title: Re: Virus?
Post by: evilfantasy on February 15, 2009, 11:23:49 PM
But I need F-secure to find/remove anything it encounters before GMER is run.
Title: Re: Virus?
Post by: UnstableWingman on February 16, 2009, 12:05:06 AM
Kay, done.

[attachment deleted by admin]
Title: Re: Virus?
Post by: evilfantasy on February 16, 2009, 12:16:08 AM
(http://i66.photobucket.com/albums/h276/DianneOnly/clap2.gif) Clean!! The computer is running OK now right?

Time to clean up the mess.

.
.
The above procedure will:.
----------

Use the  Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
.
----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

To prevent unknown applications from being installed on your computer install WinPatrol 2008 (http://www.winpatrol.com/winpatrol.html)
*  Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

 SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
*  (http://www.bleepingcomputer.com/tutorials/tutorial49.html)Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Check out  Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see  Slow Computer? It May Not Be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smooth.
Title: Re: Virus?
Post by: UnstableWingman on February 16, 2009, 12:33:18 AM
 ;D

Thank you so much! My parents kept bugging me to take it in, and I didnt want to go through all the trouble. If anyone I know has any problems, ill make sure to direct them here.

Thanks again!!
Title: Re: Virus?
Post by: evilfantasy on February 16, 2009, 12:36:50 AM
You're welcome, and thanks to BC_Programmer also for mentioning the MBR.

Safe surfing... (http://smiley.onegreatguy.net/badger.gif)
Title: Re: Virus?
Post by: tgp1994 on February 16, 2009, 08:11:52 AM
Lol I seem to remember someone on this topic telling me CCleaner is worthless in this situation... And then restart your computer? I feel plagiarized  :-X
Title: Re: Virus?
Post by: BC_Programmer on February 16, 2009, 09:31:29 AM
Quote
Lol I seem to remember someone on this topic telling me CCleaner is worthless in this situation

It was worthless since he had a MBR rootkit.

CCleaner was suggested after the computer was declared clean from malware as a set of final steps- it of course does not in and of itself clean any malware infections, especially not MBR viruses.

In any case, regardless of the quality of advice offered by non-malware specialists, people seeking help are advised that they follow such advice at their own risk. And, generally, such advice should only be given before a malware expert has responded to the thread (an ideal example of which is to point the person seeking help to the malware removal guide (http://www.computerhope.com/forum/index.php/topic,46313.msg290095.html#msg290095), which also helps the malware expert that comes along, as they won't need to do the same thing, and it gives the person something to do while they wait for said expert). Responses made after a malware expert has "taken the case", so to speak, are generally considered rude regardless of the quality of such advice.

If you really want to provide malware removal assistance, though:

http://www.computerhope.com/forum/index.php/topic,57605.0.html


Also, don't take it personally; as I said, it's not a declaration that your advice isn't sound. It's merely to protect the visitor from various cases where a non-expert's advice can make the problem worse. The visitor has no way to judge good or bad information; if they could do that they could likely solve the issue on their own. So the suggestion given to the visitor in the "read before..." thread is to take all posts from non-malware experts with a grain of salt.

Personally, I kind of consider the "computer viruses and spyware" forum more or less the territory of the malware experts. Being that they are short-staffed (as usual ::)) it does help to make sure posters run through the malware guide and post their logs, since that is almost always the first step required in order to gain information about the "victim" machine, but other than that (and stuff I'm 100% certain is causing the issue) I myself refrain from posting, as I have learned through several posts that I can't read logs from computers other than my own very well at all, since unlike with my own PC I haven't a clue what hardware and software environment the log was generated under.


Another point of note is seemingly useless "informational" posts. To draw another analogy from myself, I once posted a large rant about JavaScript not being Java and blah blah blah. This post wasn't addressed at all, but I thought about it shortly afterward and realized that I was being more annoying than informational. The experts, after all, know what they are doing and have a very high success rate at removing malware, and my little spiel likely did nothing but confuse the poor soul trying to receive help.


EDIT:

why do I always start posting before somebody else, but then somebody else posts something else that essentially sums up what I say...  lol
Title: Re: Virus?
Post by: kpac on February 16, 2009, 09:37:36 AM
Quote
Lol I seem to remember someone on this topic telling me CCleaner is worthless in this situation... And then restart your computer? I feel plagiarized  :-X

CCleaner doesn't clean malware does it? ::)
Title: Re: Virus?
Post by: tgp1994 on February 16, 2009, 09:53:56 AM
No, but it could probably fix a few keys that malware messes with.
Title: Re: Virus?
Post by: BC_Programmer on February 16, 2009, 09:55:07 AM
Quote
No, but it could probably fix a few keys that malware messes with.

 ::)
Title: Re: Virus?
Post by: kpac on February 16, 2009, 10:00:52 AM
Quote
No, but it could probably fix a few keys that malware messes with.

And wipe out the OS completely? Are you joking!
Title: Re: Virus?
Post by: BC_Programmer on February 16, 2009, 10:05:43 AM
Regardless, as I said in my previous post (which was oddly ignored; sometimes I wonder why I bother...), CCleaner would not have done anything to remove the MBR, and it also does nothing to remove either infected files or registry entries. The keys aren't "broken" to be fixed.

CCleaner scans HKEY_CLASSES_ROOT, with very minimal accesses to the other keys. It mostly looks for unused file extensions and invalid CLSID InProcServer32 references. None of the keys it accesses can harbor malware, and if it does CCleaner doesn't do anything since it still contains valid data.
Title: Re: Virus?
Post by: kpac on February 16, 2009, 10:06:49 AM
Also, we know we should never use registry cleaners, don't we?
Title: Re: Virus?
Post by: BC_Programmer on February 16, 2009, 10:11:45 AM
CCleaner is different in that regard. Missing InProcServer32 entries are essentially useless cruft that can inhibit the ability to register the same ProgIDs later on, so it is useful for more than just gained space. I'm too lazy to run it since it keeps deleting my Programs registry key, and then it forgets all about its plugins and defaults, which confuses the heck out of me when I'm debugging it.
Title: Re: Virus?
Post by: evilfantasy on February 16, 2009, 10:55:44 AM
Quote
And then restart your computer? I feel plagiarized

There is an easy way to avoid that. Stop hijacking a thread that's 3 pages deep with a one line "oh I know what to do now" statement.

You want to claim glory for suggesting a restart after the problem has been found, after about 12 hours of troubleshooting by others, and fixed? Pretty sad...
Title: Re: Virus?
Post by: tgp1994 on February 16, 2009, 02:29:41 PM
Oh, sorry for offering help...

BC_Programmer, does CCleaner really have plugins, or are we talking about something different? I guess I would suggest checking for an updated CCleaner, and I think there's an option to save its settings to an INF file.
Title: Re: Virus?
Post by: BC_Programmer on February 16, 2009, 03:01:37 PM
CCleaner does not have plugins. And I have absolutely no clue where that query came from. Additionally, I don't see how checking for a new version or its ability to export INF files has any relevance in this context.
Title: Re: Virus?
Post by: tgp1994 on February 16, 2009, 03:03:02 PM
Umm, it was when you said it confused the heck out of you. Updating usually helps.
Title: Re: Virus?
Post by: evilfantasy on February 16, 2009, 03:05:30 PM
http://www.ccleaner.com/features
Title: Re: Virus?
Post by: BC_Programmer on February 16, 2009, 03:06:22 PM
Quote
CCleaner is different in that regard. Missing InProcServer32 entries are essentially useless cruft that can inhibit the ability to register the same ProgIDs later on, so it is useful for more than just gained space. I'm too lazy to run it since it keeps deleting my Programs registry key, and then it forgets all about its plugins and defaults, which confuses the heck out of me when I'm debugging it (my program).

CCleaner erases the registry entries that my program creates to keep track of its Parser Plugins. CCleaner decides they aren't being used for some reason and deletes them. This confuses me when I'm debugging the program (BASeParser XP), since code follows unexpected paths (it works, but I'll sometimes think that my initialization code is broken, when in fact there are simply no plugins to initialize).
Title: Re: Virus?
Post by: tgp1994 on February 16, 2009, 05:17:27 PM
Oh, I'm pretty sure that you can have CCleaner ignore those keys in specific. I haven't had to avoid certain keys, but I guess it can be a difficult process going through 100+ keys, while making sure to avoid one or two.