Computer Woes

Started by Lonestar, June 09, 2010, 04:20:06 AM


Lonestar

Quote from: Lonestar on June 12, 2010, 03:06:06 AM
Paddy - I'm unable to access the "add or remove programs" file - Error C:\WINDOWS\system32\rundll32.exe - application not found....

Corrine - Since I can't seem to remove or open it to disable AVG what are my options?

Sorry to be a bother and I do appreciate all the help!

Thanks Paddy I was able to remove AVG in safe mode. 
Although I still can't open any programs in normal mode and that includes combofix.  Try combofix in safe mode? Also should I still be starting rkill after every restart?

Clark76

Quote: Try combofix in safe mode?
Yes please

Quote: Also should I still be starting rkill after ever restart?
Typically you should not have to but this time you may have to when you boot into safe mode and right before trying to run ComboFix.

If ComboFix will not run in safe mode then please try changing the file extension from an exe file to a com format. If you are not sure how to do this please post letting us know and we will post those instructions.
Proud Member of ASAP
Proud Member of UNITE

Lonestar

ComboFix 10-06-11.01 - Administrator 06/12/2010   7:14.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.378 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\system32\drivers\fad.sys
E:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2010-05-12 to 2010-06-12  )))))))))))))))))))))))))))))))
.

2010-06-11 21:13 . 2010-05-06 10:41   743424   ------w-   c:\windows\system32\dllcache\iedvtool.dll
2010-06-09 20:43 . 2010-06-09 20:55   --------   d-----w-   c:\program files\trend micro
2010-06-09 20:43 . 2010-06-09 20:55   --------   d-----w-   C:\rsit
2010-06-09 20:12 . 2010-06-09 20:12   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-09 20:12 . 2010-04-29 21:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-09 20:11 . 2010-06-09 20:12   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-06-09 20:11 . 2010-06-09 20:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-09 20:11 . 2010-04-29 21:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-06-09 03:26 . 2010-06-09 03:26   --------   d--h--r-   c:\documents and settings\Administrator\Application Data\yahoo!
2010-06-09 03:15 . 2010-06-09 03:15   --------   d-sh--w-   c:\documents and settings\Administrator\PrivacIE
2010-06-09 03:14 . 2010-06-09 03:14   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\AOL
2010-06-09 01:05 . 2010-06-09 01:05   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
2010-06-08 21:49 . 2008-04-14 00:11   21504   ----a-w-   c:\windows\system32\hidserv.dll
2010-06-08 21:49 . 2008-04-14 00:11   21504   ----a-w-   c:\windows\system32\dllcache\hidserv.dll
2010-06-08 21:49 . 2001-08-17 19:48   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
2010-06-08 21:49 . 2001-08-17 19:48   12160   ----a-w-   c:\windows\system32\dllcache\mouhid.sys
2010-06-08 21:48 . 2008-04-13 18:45   10368   ----a-w-   c:\windows\system32\drivers\hidusb.sys
2010-06-08 21:48 . 2008-04-13 18:45   10368   ----a-w-   c:\windows\system32\dllcache\hidusb.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-12 09:31 . 2009-12-07 23:25   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-06-09 03:26 . 2007-01-15 05:13   --------   d-----w-   c:\program files\Yahoo!
2010-06-09 03:26 . 2007-01-15 05:18   --------   d-----w-   c:\documents and settings\All Users\Application Data\yahoo!
2010-06-09 03:24 . 2005-11-05 03:19   --------   d-----w-   c:\program files\IrfanView
2010-06-09 03:21 . 2004-09-14 15:32   --------   d-----w-   c:\program files\Common Files\AOL
2010-06-09 03:20 . 2004-09-14 15:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\AOL
2010-05-06 10:41 . 2004-12-07 22:37   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2003-07-15 21:01   1851264   ----a-w-   c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2002-08-29 10:00   285696   ----a-w-   c:\windows\system32\atmfd.dll
2010-03-31 23:22 . 2010-03-31 23:22   73000   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-03-20 17:57 . 2010-03-20 17:57   45056   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-20 17:57 . 2010-03-20 17:57   45056   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-20 17:57 . 2010-03-20 17:57   45056   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-20 17:57 . 2010-03-20 17:57   49152   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-20 17:57 . 2010-03-20 17:57   45056   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-20 17:57 . 2010-03-20 17:57   308808   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-20 17:57 . 2010-03-20 17:57   14848   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-20 17:57 . 2010-03-20 17:57   40960   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-20 17:57 . 2010-03-20 17:57   341600   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-20 17:53 . 2003-08-13 01:17   499712   ----a-w-   c:\windows\system32\msvcp71.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX6600 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE" [2004-03-01 98304]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-20 202256]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QUICKTIME\QTTASK.EXE" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12   15360   ----a-w-   c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 16:55   206064   ----a-w-   c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-15 06:04   122933   ----a-w-   c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 15:24   16384   ----a-w-   c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-04-11 16:43   53248   ------w-   c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX6600 Series]
2004-03-01 02:00   98304   ----a-w-   c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FATI9EA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 13:59   126976   ----a-w-   c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 13:59   155648   ----a-w-   c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 07:10   142120   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2005-03-15 13:58   53248   ----a-w-   c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12   1695232   ----a-w-   c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 01:15   290816   ------w-   c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 03:53   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2010-03-20 17:53   488968   ----a-w-   c:\program files\real\realplayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 11:19   148888   ----a-w-   c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
2003-02-28 11:28   1843200   ----a-w-   c:\program files\support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01   110592   ----a-w-   c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
2009-01-30 17:34   1347584   ----a-w-   c:\program files\AWS\WeatherBug\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 12:47 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-06-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3111913734-1917848367-1923497382-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-06-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3111913734-1917848367-1923497382-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aimhome.netscape.com/aimhome.adp
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-SiteAdvisor - c:\program files\SiteAdvisor\4979\SiteAdv.exe
MSConfigStartUp-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\cdaEngine0400.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-12 07:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3111913734-1917848367-1923497382-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,89,d3,76,ea,b5,39,46,a4,58,fc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,89,d3,76,ea,b5,39,46,a4,58,fc,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\windows\System32\l3codeca.acm
.
Completion time: 2010-06-12  07:26:57
ComboFix-quarantined-files.txt  2010-06-12 13:26

Pre-Run: 6,288,437,248 bytes free
Post-Run: 6,418,571,264 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - D451B39A0312544F1A1AB67D793A8D37
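The ComboFix log above shows two registry areas a helper reads first when triaging a machine like this one: the Security Center override values and the Windows Firewall standard-profile settings, plus any key ComboFix lists as locked with an @Denied line. The script below is an added example, not part of this thread and not a ComboFix or forum tool: it parses a constructed excerpt in the same format as the log above and lists which settings sit at a value worth a second look. The watch-list values (what counts as "weak") are the script's own assumptions, not something the thread states.

```python
import re

# Constructed sample in the layout of the ComboFix "Reg Loading Points" and
# "LOCKED REGISTRY KEYS" sections; the SID is a placeholder, not a real one.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\AuthorizedApplications\\List]
"%windir%\\\\system32\\\\sessmgr.exe"=

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\\S-1-5-21-0-0-0-500\\Software\\Microsoft\\Internet Explorer\\User Preferences]
@Denied: (2) (Administrator)
"""

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
# Matches either REGEDIT-style  "Name"=dword:0000000a  or ComboFix's  "Name"= 1 (0x1)
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(?:dword:([0-9A-Fa-f]+)|(\d+))')
DENIED_RE = re.compile(r'^@Denied:\s*(.*)$')

# (substring of the key path, value name) -> (value that warrants a look, note).
# Assumed thresholds for this example; legitimate security suites also set some of these.
WATCHLIST = {
    ("security center", "AntiVirusOverride"): (1, "Security Center antivirus alerts suppressed"),
    ("security center", "FirewallOverride"): (1, "Security Center firewall alerts suppressed"),
    ("firewallpolicy\\standardprofile", "EnableFirewall"): (0, "Windows Firewall disabled"),
    ("firewallpolicy\\standardprofile", "DisableNotifications"): (1, "Firewall notifications disabled"),
}


def parse_registry_values(text):
    """Return (key, name, value) triples; @Denied lines yield name '@Denied'."""
    current = None
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = DENIED_RE.match(line)
        if m:
            out.append((current, "@Denied", m.group(1)))
            continue
        m = VALUE_RE.match(line)
        if m:
            # dword: values are hex; the ComboFix "= 1 (0x1)" form is decimal first
            value = int(m.group(2), 16) if m.group(2) is not None else int(m.group(3))
            out.append((current, m.group(1), value))
    return out


def find_weak_settings(text):
    """Return (key, name, value, note) for every watch-listed or locked entry."""
    findings = []
    for key, name, value in parse_registry_values(text):
        if name == "@Denied":
            findings.append((key, name, value, "locked key; access denied to " + value))
            continue
        for (key_part, watch_name), (weak_value, note) in WATCHLIST.items():
            if name == watch_name and key_part.lower() in key.lower() and value == weak_value:
                findings.append((key, name, value, note))
    return findings


if __name__ == "__main__":
    for key, name, value, note in find_weak_settings(SAMPLE_LOG):
        print(f"{note}: [{key}] {name} = {value}")
```

Run against a real ComboFix.txt by reading the file into `find_weak_settings`; the Authorized Applications list, which has no numeric values, is parsed past harmlessly, as the sample shows.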

Clark76

Hello


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

2. Open notepad and copy/paste the text in the codebox below into it:


Reglock::
[HKEY_USERS\S-1-5-21-3111913734-1917848367-1923497382-500\Software\Microsoft\Internet Explorer\User Preferences]


Save this as "CFScript"




Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall



Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and if you prefer a smaller program you can get Foxit 2.0  from http://www.foxitsoftware.com/pdf/rd_intro.php

There is a newer version of Adobe Acrobat Reader available.

  • Please go to this link Adobe Acrobat Reader Download Link
  • Untick Free McAfee® Security Scan Plus if you do not wish to include this in the installation.
  • Click Download
  • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts
When the installation is complete go to Add/Remove Programs and uninstall all previous versions.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 20 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 20 -"
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u20 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked

      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.



Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.


Please provide the following logs with your next post:

C:\ComboFix.txt
Kaspersky Report

Also include an update on how your system is running
Proud Member of ASAP
Proud Member of UNITE

Lonestar

Quote from: Clark76 on June 12, 2010, 02:27:31 PM
Hello


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  Do the logs show I'm running anti virus or malware programs? If so I can't see them running on the pc

There is a newer version of Adobe Acrobat Reader available.
When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

I have downloaded Adobe Reader but am unable to run the software as windows is asking me to "open with" a program in normal mode. In safe mode I receive an error "Windows installer service couldn't be accessed in safe mode"

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

looks as though I may be able to run and update Java but haven't as your instructions say to remove old versions first and I can't access the add/remove folder.

Please provide the following logs with your next post:

C:\ComboFix.txt
done. Even though I'm not certain that I may not have anti virus or malware disabled?

Kaspersky Report
not done only because I wasn't able to update adobe or java first

Lonestar

ComboFix 10-06-11.01 - Administrator 06/12/2010  12:02:50.2.1 - x86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.308 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

(((((((((((((((((((((((((   Files Created from 2010-05-12 to 2010-06-12  )))))))))))))))))))))))))))))))
.

2010-06-11 21:13 . 2010-05-06 10:41   743424   ------w-   c:\windows\system32\dllcache\iedvtool.dll
2010-06-09 20:43 . 2010-06-09 20:55   --------   d-----w-   c:\program files\trend micro
2010-06-09 20:43 . 2010-06-09 20:55   --------   d-----w-   C:\rsit
2010-06-09 20:12 . 2010-06-09 20:12   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-09 20:12 . 2010-04-29 21:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-09 20:11 . 2010-06-09 20:12   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-06-09 20:11 . 2010-06-09 20:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-09 20:11 . 2010-04-29 21:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-06-09 03:26 . 2010-06-09 03:26   --------   d--h--r-   c:\documents and settings\Administrator\Application Data\yahoo!
2010-06-09 03:15 . 2010-06-09 03:15   --------   d-sh--w-   c:\documents and settings\Administrator\PrivacIE
2010-06-09 03:14 . 2010-06-09 03:14   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\AOL
2010-06-09 01:05 . 2010-06-09 01:05   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
2010-06-08 21:49 . 2008-04-14 00:11   21504   ----a-w-   c:\windows\system32\hidserv.dll
2010-06-08 21:49 . 2008-04-14 00:11   21504   ----a-w-   c:\windows\system32\dllcache\hidserv.dll
2010-06-08 21:49 . 2001-08-17 19:48   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
2010-06-08 21:49 . 2001-08-17 19:48   12160   ----a-w-   c:\windows\system32\dllcache\mouhid.sys
2010-06-08 21:48 . 2008-04-13 18:45   10368   ----a-w-   c:\windows\system32\drivers\hidusb.sys
2010-06-08 21:48 . 2008-04-13 18:45   10368   ----a-w-   c:\windows\system32\dllcache\hidusb.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-12 09:31 . 2009-12-07 23:25   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-06-09 03:26 . 2007-01-15 05:13   --------   d-----w-   c:\program files\Yahoo!
2010-06-09 03:26 . 2007-01-15 05:18   --------   d-----w-   c:\documents and settings\All Users\Application Data\yahoo!
2010-06-09 03:24 . 2005-11-05 03:19   --------   d-----w-   c:\program files\IrfanView
2010-06-09 03:21 . 2004-09-14 15:32   --------   d-----w-   c:\program files\Common Files\AOL
2010-06-09 03:20 . 2004-09-14 15:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\AOL
2010-05-06 10:41 . 2004-12-07 22:37   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2003-07-15 21:01   1851264   ----a-w-   c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2002-08-29 10:00   285696   ----a-w-   c:\windows\system32\atmfd.dll
2010-03-31 23:22 . 2010-03-31 23:22   73000   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-03-20 17:57 . 2010-03-20 17:57   45056   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-20 17:57 . 2010-03-20 17:57   45056   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-20 17:57 . 2010-03-20 17:57   45056   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-20 17:57 . 2010-03-20 17:57   49152   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-20 17:57 . 2010-03-20 17:57   45056   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-20 17:57 . 2010-03-20 17:57   308808   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-20 17:57 . 2010-03-20 17:57   14848   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-20 17:57 . 2010-03-20 17:57   40960   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-20 17:57 . 2010-03-20 17:57   341600   ----a-w-   c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-20 17:53 . 2003-08-13 01:17   499712   ----a-w-   c:\windows\system32\msvcp71.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX6600 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE" [2004-03-01 98304]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-20 202256]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QUICKTIME\QTTASK.EXE" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12   15360   ----a-w-   c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 16:55   206064   ----a-w-   c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-15 06:04   122933   ----a-w-   c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 15:24   16384   ----a-w-   c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-04-11 16:43   53248   ------w-   c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX6600 Series]
2004-03-01 02:00   98304   ----a-w-   c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FATI9EA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 13:59   126976   ----a-w-   c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 13:59   155648   ----a-w-   c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 07:10   142120   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2005-03-15 13:58   53248   ----a-w-   c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12   1695232   ----a-w-   c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 01:15   290816   ------w-   c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 03:53   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2010-03-20 17:53   488968   ----a-w-   c:\program files\real\realplayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 11:19   148888   ----a-w-   c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
2003-02-28 11:28   1843200   ----a-w-   c:\program files\support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01   110592   ----a-w-   c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
2009-01-30 17:34   1347584   ----a-w-   c:\program files\AWS\WeatherBug\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 12:47 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-06-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3111913734-1917848367-1923497382-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]

2010-06-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3111913734-1917848367-1923497382-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 04:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aimhome.netscape.com/aimhome.adp
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-12 12:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3111913734-1917848367-1923497382-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,89,d3,76,ea,b5,39,46,a4,58,fc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,89,d3,76,ea,b5,39,46,a4,58,fc,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\windows\System32\l3codeca.acm

- - - - - - - > 'explorer.exe'(1272)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-06-12  12:14:17
ComboFix-quarantined-files.txt  2010-06-12 18:14
ComboFix2.txt  2010-06-12 13:26

Pre-Run: 6,429,941,760 bytes free
Post-Run: 6,419,120,128 bytes free

- - End Of File - - 494D520FCBF63ED0F409638FF49A6281

Clark76

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Let us know if you still are not able to use add/remove programs after running exehelper.

Lonestar

exeHelper by Raktor
Build 20100414
Run at 15:06:08 on 06/12/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Removing HKCR\secfile
Resetting filetype association for .com
Removing HKCR\secfile
Resetting userinit and shell values...
Resetting policies...
--Finished--



Thanks!  I can now access "add or remove" in normal mode.
I will now try and update Adobe and Java. Can you verify that I wasn't running anti virus or malware programs and they didn't conflict with ComboFix? 

Corrine

Hi, Lonestar.

The ComboFix log confirms that you were not running anti-virus or anti-malware programs when running ComboFix.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Clark76

Along with updating Java and Adobe, please do not forget about the Kaspersky Scan.

Lonestar

Quote from: Clark76 on June 13, 2010, 01:35:25 AM
Along with updating Java and Adobe, please do not forget about the Kaspersky Scan.

Clark76 - I have not forgotten. I have updated both Java and Adobe and have been running the Kaspersky scan for over an hour and a half. I'm currently sitting at only 1% completion with 20k objects scanned. Seems weird to only be at one percent but I'll wait it out and see what happens :popcorn:

Clark76

If the Kaspersky scan has not finished by now please try the following scan instead:

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

Lonestar

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e555e96fac91064a9dd0fbc91b1ccfb7
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-13 03:08:51
# local_time=2010-06-13 09:08:51 (-0600, Central Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 232906 232906 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=172071
# found=7
# cleaned=0
# scan_time=5531
C:\Documents and Settings\Kendra\Local Settings\Temporary Internet Files\Content.IE5\G3Q40BQN\data[2].htm   JS/Exploit.Agent.NBC trojan   00000000000000000000000000000000   I
C:\Documents and Settings\Kendra\Shared\30h3- punkbitch .mp3   a variant of WMA/TrojanDownloader.GetCodec.gen trojan   00000000000000000000000000000000   I
C:\Documents and Settings\Kendra\Shared\30h3-starstruck.mp3   a variant of WMA/TrojanDownloader.GetCodec.gen trojan   00000000000000000000000000000000   I
C:\Documents and Settings\Kendra\Shared\g love babys got sauce.mp3   a variant of WMA/TrojanDownloader.GetCodec.gen trojan   00000000000000000000000000000000   I
C:\RECYCLER\S-1-5-21-3111913734-1917848367-1923497382-1008\Dc6\Install_AIM.exe   Win32/Adware.WBug.A application   00000000000000000000000000000000   I
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1967\A0105349.EXE   Win32/Adware.WBug.A application   00000000000000000000000000000000   I
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts   Win32/Qhost trojan   00000000000000000000000000000000   I

Corrine

Hi, Lonestar.

Let's clean up what ESET found.

1)  Please download HostsXpert.

  • Unzip HostsXpert.zip
  • Double-click on  HostsXpert.exe
  • Then click on "Restore ms Hosts file" to restore your Hosts file to its default condition.
  • Click on Make Read Only to secure it against further infection.
  • Close the program when complete.
2)  Delete the following mp3 files (Note:  if you cannot delete them in Normal mode, reboot to Safe Mode and navigate to and delete the files):

C:\Documents and Settings\Kendra\Shared\30h3- punkbitch .mp3
C:\Documents and Settings\Kendra\Shared\30h3-starstruck.mp3
C:\Documents and Settings\Kendra\Shared\g love babys got sauce.mp3   

3)  Please download ATF Cleaner by Atribune from http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25 . Save it to your Desktop.

Run ATF Cleaner

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
  • Click Exit on the Main menu to close the program.
  • Shutdown/restart the computer.

MBAM Fresh
Scan with MBAM again:

  • Launch Malwarebytes' Anti-Malware, then click the Update tab and "Check for Updates".
  • Once the update has been installed and the program has loaded, select Quick scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:

  • Click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here on Windows XP: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt and C:\Users\UserName\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt on Windows Vista and Windows 7.
  • Please post contents of that file in your next reply.

Let us know how the computer is now and we'll take care of the final steps.



Lonestar

Quote from: Corrine on June 13, 2010, 11:19:40 PM
Hi, Lonestar.

Let's clean up what ESET found.

1)  Please download HostsXpert.

  • Unzip HostsXpert.zip
  • Double-click on  HostsXpert.exe
  • Then click on "Restore ms Hosts file" to restore your Hosts file to its default condition.
  • Click on Make Read Only to secure it against further infection.
  • Close the program when complete.

Corrine - When I double-click on HostsXpert a warning appears: "Your HOSTS file is marked as a "system file" and can NOT be manipulated. Press OK to remove the system file attribute, CANCEL to Quit" "*** HostsXpert will NOT reset these attributes. ***" Cancel obviously closes the program, so I hit OK twice, as the warning appears two times. I then tried clicking on "Restore MS Hosts File" and get an error: "Cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts."
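As an added example, not part of this thread and not HostsXpert's own code, here is a PowerShell check that inspects the hosts file for the two things discussed in the posts above: active entries that redirect hostnames away from loopback (the pattern behind the ESET Win32/Qhost detection) and the System/ReadOnly attributes that stopped the restore. It assumes the default hosts path, the function name Get-HostsAudit is hypothetical, and it only reads the file.

```powershell
# Added example, not from the thread or from HostsXpert. Reads the hosts file
# and reports (a) whether the System / ReadOnly attributes are set, which is
# what blocks a restore like the one attempted above, and (b) active entries
# that map a hostname to something other than loopback, the pattern behind
# a Win32/Qhost detection. It only inspects; it changes nothing.
function Get-HostsAudit {
    param(
        # Assumption: the default location used by every Windows version
        [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
    )
    # -Force is needed so Get-Item returns hidden/system files
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    $entries = @()
    foreach ($line in Get-Content -LiteralPath $Path) {
        # Drop comments (everything after '#') and blank lines
        $text = ($line -replace '#.*$', '').Trim()
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }   # an address with no hostname
        $ip = $parts[0]
        # Loopback and the 0.0.0.0 blackhole are what a default or ad-blocking
        # hosts file contains; any other address actively redirects traffic
        # (legitimate intranet entries will be flagged too, so review by hand).
        $benign = ($ip -match '^127\.') -or ($ip -eq '::1') -or ($ip -eq '0.0.0.0')
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            $entries += [pscustomobject]@{
                Address    = $ip
                HostName   = $name
                Suspicious = -not $benign
            }
        }
    }
    [pscustomobject]@{
        Path              = $Path
        IsSystem          = [bool]($attrs -band [IO.FileAttributes]::System)
        IsReadOnly        = [bool]($attrs -band [IO.FileAttributes]::ReadOnly)
        ActiveEntries     = $entries.Count
        SuspiciousEntries = @($entries | Where-Object { $_.Suspicious })
    }
}

$audit = Get-HostsAudit
if ($audit.IsSystem) {
    Write-Warning "hosts has the System attribute; clear it (attrib -s) before a restore will succeed"
}
if ($audit.SuspiciousEntries.Count -gt 0) {
    Write-Warning "$($audit.SuspiciousEntries.Count) entries redirect hostnames away from loopback:"
    $audit.SuspiciousEntries | Format-Table Address, HostName -AutoSize
} else {
    "No redirecting entries found ($($audit.ActiveEntries) active lines)."
}
```

Run it from an elevated PowerShell prompt; after a restore and "Make Read Only", IsReadOnly should report True and SuspiciousEntries should be empty.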