Mired in spyware/malware/trojans


16 replies to this topic

#1 grendelvamp

Posted 13 December 2008 - 06:46 PM

I'm trying to remove a ton of spyware from a PC. Although I've run several scans that tell me that it is clean, I get the feeling that something is still lurking inside. I'm having trouble updating AVG in safe mode. I've run AVG, SUPERAntiSpyware, Spybot, CCleaner/MBAM & RogueRemover, and Ad-Aware. All reports are coming back clean but I don't think that is correct. I've still got an error at startup: "16 bit MS-DOS subsystem" error, NVCPL and illegal instructions and such. I tried using System File Checker, but I don't have the XP CD. I've tried the workaround for it and it failed. I'm all out of ideas, please HELP.

#2 boopme

Posted 13 December 2008 - 08:10 PM

Hello, can you tell us if this is XP? Also, would you post one of MBAM's infected logs, as we may be able to find out what else there is from what was.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 grendelvamp

Posted 13 December 2008 - 08:22 PM

Thank you for your response. Yes, it is Windows XP. Here is my MBAM log:

Malwarebytes' Anti-Malware 1.31
Database version: 1491
Windows 5.1.2600 Service Pack 2

12/11/2008 9:45:41 PM
mbam-log-2008-12-11 (21-45-41).txt

Scan type: Quick Scan
Objects scanned: 92143
Time elapsed: 21 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 34
Files Infected: 95

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\surfingprogram.pornpro_bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{2ceaf59b-9412-c46a-69c6-df41a7cc6f15} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{018aeeb2-991d-1a04-bd95-3732724599d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{318f50fe-44be-3d0d-cd2e-086a2f9bea54} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{400edc65-3199-7508-e853-493259993d39} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07d0e913-ac2d-ccb8-3e5b-57632bfea5b7} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07d0e913-ac2d-ccb8-3e5b-57632bfea5b7} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07d0e913-ac2d-ccb8-3e5b-57632bfea5b7} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c63ee42d-67c0-ceac-068a-b635f6e12f67} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ecb5edff-04e7-1131-808c-fb0072e9cdba} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\surfingprogram.pornpro_bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Trojan.Peed) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysrest.sys (Trojan.Peed) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sysrest.sys (Trojan.Peed) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Trojan.Peed) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcerej0epeg (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Documents and Settings\PK\Application Data\rhcerej0epeg (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\PK\Application Data\rhcerej0epeg\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\PK\Application Data\rhcerej0epeg\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\PK\Application Data\rhcerej0epeg\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\PK\Application Data\rhcerej0epeg\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\PK\Application Data\rhcerej0epeg\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\PK\Application Data\rhcerej0epeg\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\PK\Application Data\rhcerej0epeg\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\PK\Application Data\rhcerej0epeg\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\PK\Application Data\rhcerej0epeg\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\PK\Application Data\rhcerej0epeg\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Application Data\rhcerej0epeg (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Application Data\rhcerej0epeg\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Application Data\rhcerej0epeg\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Application Data\rhcerej0epeg\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Application Data\rhcerej0epeg\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Application Data\rhcerej0epeg\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Application Data\rhcerej0epeg\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Application Data\rhcerej0epeg\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Application Data\rhcerej0epeg\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Application Data\rhcerej0epeg\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Application Data\rhcerej0epeg\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Application Data\rhcerej0epeg (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Application Data\rhcerej0epeg\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Application Data\rhcerej0epeg\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Application Data\rhcerej0epeg\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Application Data\rhcerej0epeg\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Application Data\rhcerej0epeg\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Application Data\rhcerej0epeg\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Application Data\rhcerej0epeg\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Application Data\rhcerej0epeg\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Application Data\rhcerej0epeg\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Application Data\rhcerej0epeg\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\PROGRAM FILES\SURFINGPROGRAM\SURFINGPROGRAM-2.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\10.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\11.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\12.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\13.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\14.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\15.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\16.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\17.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\18.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\19.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1A.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1B.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1C.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1D.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1E.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1F.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\20.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\F.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\33.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\47.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\D.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\C.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\E.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest.sys (Trojan.Peed) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\21.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\22.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\23.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\24.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\25.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\26.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\27.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\28.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\29.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2A.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2B.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2C.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2D.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2E.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2F.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\30.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\31.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\32.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\34.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\36.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\37.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\38.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\39.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3A.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3B.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3C.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3D.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3E.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3F.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\40.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\42.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\43.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\44.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\45.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\46.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\48.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\49.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\56.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9B.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
C:\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\temD4.tmp.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\temDC.tmp.exe (Adware.Mirar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\temDD.tmp.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\rsyncini.exe (Trojan.Shutdowner) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcarej0epeg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\PK\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\PK\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\PK\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\PK\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michelle\Desktop\Click To Find and Fix Errors.lnk (Rogue.Link) -> Quarantined and deleted successfully.

#4 boopme

Posted 13 December 2008 - 09:30 PM

Hi, you have rebooted and re-run MBAM and it came back all 0's? If not, run again. Please tell us if things remain.
Follow with SDFix.
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real-time protection programs before performing a scan.
  • When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

Edited by boopme, 13 December 2008 - 09:30 PM.

#5 grendelvamp

Posted 13 December 2008 - 09:43 PM

Yes, I've run MBAM again, and it came back all 0's.
Ad-Aware found more junk; I'm clearing that off, then continuing on with your instructions.
Thank you.

#6 grendelvamp

Posted 13 December 2008 - 10:36 PM

SDFix is finished running; here is its report:


SDFix: Version 1.240
Run by John on Sat 12/13/2008 at 09:14 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 21:28:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Common Files\\AOL\\1145133652\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1145133652\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1145133652\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1145133652\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\1145133652\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1145133652\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Best Buy Rhapsody\\rhapsody.exe"="C:\\Program Files\\Best Buy Rhapsody\\rhapsody.exe:*:Enabled:Rhapsody Media Player"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\Michelle\\Local Settings\\Temp\\.tt62.tmp"="C:\\Documents and Settings\\Michelle\\Local Settings\\Temp\\.tt62.tmp:*:Enabled:enable"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\1145133652\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1145133652\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :



Files with Hidden Attributes :

Fri 25 Jan 2008 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Sun 16 Apr 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 6 Jan 2008 7,040 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@R10.tmp"
Sun 6 Jan 2008 4,808 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@R12.tmp"
Sun 6 Jan 2008 5,508 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@R14.tmp"
Wed 10 Dec 2008 27,144 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@R23.tmp"
Wed 10 Dec 2008 28,056 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@R27.tmp"
Wed 10 Dec 2008 13,284 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@R29.tmp"
Wed 10 Dec 2008 12,176 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@R2B.tmp"
Wed 10 Dec 2008 6,792 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@R2D.tmp"
Sun 6 Jan 2008 9,156 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@RC.tmp"
Sun 6 Jan 2008 5,804 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@RE.tmp"
Sun 6 Jan 2008 1,409 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@S11.tmp"
Sun 6 Jan 2008 1,409 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@S13.tmp"
Sun 6 Jan 2008 1,409 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@S15.tmp"
Wed 10 Dec 2008 1,409 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@S24.tmp"
Wed 10 Dec 2008 1,409 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@S28.tmp"
Wed 10 Dec 2008 1,409 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@S2A.tmp"
Wed 10 Dec 2008 1,409 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@S2C.tmp"
Wed 10 Dec 2008 1,409 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@S2E.tmp"
Sun 6 Jan 2008 1,409 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@SD.tmp"
Sun 6 Jan 2008 1,409 ...H. --- "C:\Documents and Settings\PK\Local Settings\Temp\Z@SF.tmp"
Sun 16 Apr 2006 4,348 ...H. --- "C:\Documents and Settings\John\My Documents\My Music\License Backup\drmv1key.bak"
Sun 16 Apr 2006 20 A..H. --- "C:\Documents and Settings\John\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 16 Apr 2006 312 ...H. --- "C:\Documents and Settings\John\My Documents\My Music\License Backup\drmv2key.bak"
Sun 16 Apr 2006 1,536 A..H. --- "C:\Documents and Settings\John\My Documents\My Music\License Backup\drmv2lic.bak"

Finished!
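
As an added illustration (not part of the thread, and not code from SDFix or MBAM), the firewall export in the report above can be audited mechanically: the Python below parses the "Authorized Application Key Export" section and flags entries a cleanup should revisit, such as a program allowed through the firewall from a Temp folder, a placeholder display name like "enable", a non-executable extension, or a file sharing a name stem with something MBAM already removed (sysrest32.exe beside the removed sysrest.sys). The REMOVED_STEMS list is an assumption compiled by hand from the MBAM log earlier in the thread, and the sample lines are a constructed subset of the export.

```python
"""Audit a Windows XP firewall AuthorizedApplications export for leftover
exceptions that look malware-related. Added example, not from the thread,
SDFix or MBAM; it works on the .reg-style lines SDFix prints."""
import re
from pathlib import PureWindowsPath

# Constructed sample: four lines in the format of the SDFix
# "Authorized Application Key Export" above. The last two are the
# suspicious entries from the real report.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\Michelle\\Local Settings\\Temp\\.tt62.tmp"="C:\\Documents and Settings\\Michelle\\Local Settings\\Temp\\.tt62.tmp:*:Enabled:enable"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"
'''

# Assumption: name stems taken by hand from the MBAM log in this thread
# (sysrest.sys was Trojan.Peed, the .tt*.tmp files were Trojan.Downloader).
# A firewall exception for a sibling file suggests the cleanup is unfinished.
REMOVED_STEMS = ("sysrest", ".tt")

# Each value line is:  "path"="path:scope:Enabled|Disabled:display name"
LINE_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.*)"$')
VALUE_RE = re.compile(
    r'^(?P<path>.*):(?P<scope>[^:]+):(?P<state>enabled|disabled):(?P<name>.*)$',
    re.IGNORECASE,
)
PLACEHOLDER_NAMES = {"", "enable", "enabled", "allow", "application"}
EXEC_EXTS = {".exe", ".com", ".scr"}


def parse_export(text):
    """Yield (path, scope, enabled, display_name) for each value line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section header or blank line
        v = VALUE_RE.match(m.group("value"))
        if not v:
            continue  # not in the path:scope:state:name layout
        # .reg files escape every backslash; undo that for path handling
        path = v.group("path").replace("\\\\", "\\")
        enabled = v.group("state").lower() == "enabled"
        yield path, v.group("scope"), enabled, v.group("name")


def audit_entry(path, name):
    """Return reason tags for one entry; an empty list means nothing odd."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    reasons = []
    # Programs that need a firewall hole do not live in a Temp folder
    if "temp" in parts or "temporary internet files" in parts:
        reasons.append("temp-dir")
    # Real installers register a product name, not a placeholder
    cleaned = name.strip().lower()
    if cleaned in PLACEHOLDER_NAMES or cleaned == p.name.lower():
        reasons.append("generic-name")
    # A .tmp or .dll with its own exception is worth a second look
    if p.suffix.lower() not in EXEC_EXTS:
        reasons.append("non-exe-extension")
    # Same name stem as something the malware scan already removed
    if any(p.name.lower().startswith(stem) for stem in REMOVED_STEMS):
        reasons.append("related-to-removed")
    return reasons


def audit_export(text):
    """Map each flagged path to its reasons, in export order."""
    findings = {}
    for path, _scope, _enabled, name in parse_export(text):
        reasons = audit_entry(path, name)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in audit_export(SAMPLE_EXPORT).items():
        print(f"{path}\n    -> {', '.join(reasons)}")
```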

#7 boopme

Posted 13 December 2008 - 11:05 PM

OK, I see no rootkits. Are you still having the original issue? As for that file, NVCPL is an NVIDIA utility for the display control panel, which allows the configuration of extra display options. It has been known to be the Yanz.B worm as a virus in disguise, though I don't see it.
I guess if all else is running well and you still want to be certain, then post an HJT log for review.

#8 grendelvamp

Posted 13 December 2008 - 11:09 PM

I apologize, I told you the wrong file name earlier for the error message I am getting. It is "the NTVDM CPU has encountered an illegal instruction".
Should I post the log here or in the other forum?

#9 TSalarek

Posted 13 December 2008 - 11:09 PM

Don't post HJT here, though, or the (other ;) ) mods are liable to move the thread... Lose LimeWire in a hurry; that stuff is bad news malware-wise.

Are you using NT Workstation or Server?

MS advisory on the error msg in #8

Edited by TSalarek, 13 December 2008 - 11:16 PM.


#10 grendelvamp

Posted 13 December 2008 - 11:24 PM

Well, I'm running Windows XP Home Edition SP2; does that tell you what you wanna know? If not, lemme know where I should look for the information you want, TSalarek.

#11 boopme

Posted 13 December 2008 - 11:24 PM

Is this the same computer?
http://www.bleepingcomputer.com/forums/t/186217/infected-with-spyware/

#12 grendelvamp

Posted 13 December 2008 - 11:30 PM

Yes boop, that is the same computer. The link that you gave me, TS, suggests that I replace the command.com file with the same file from another computer running that OS. I only have one other computer running XP and it's running SP3, whereas this one is running SP2. Should I still attempt this fix?

Edited by grendelvamp, 13 December 2008 - 11:32 PM.


#13 TSalarek

Posted 13 December 2008 - 11:40 PM

Do you have an NT install CD? Is your system custom or store/catalog bought?

If no and bought, then you're prolly not running NT and it's likely going to take a bit more looking into.

That HJT looks OK to me, but I'm hardly an expert in HJT. Boop: opinion?

#14 grendelvamp

Posted 13 December 2008 - 11:42 PM

No, I'm not running NT. I may try that fix that you posted earlier. I'll just be sure to save the command.com file from the infected computer.

#15 grendelvamp

Posted 13 December 2008 - 11:50 PM

Replacing the command.com file didn't seem to do the trick. Same error message at startup. I wanted to see what programs were initializing at startup, just to see which was the 16-bit application that is launching and causing the error. That was when I noticed that my Add or Remove Programs list will not populate. I can remove programs through CCleaner, but not through the Control Panel. *Sigh* Any ideas?
