Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Explorer.exe keeps restarting


  • This topic is locked This topic is locked
17 replies to this topic

#1 cmdrblake88

cmdrblake88

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Michigan
  • Local time:03:08 PM

Posted 26 December 2008 - 05:12 PM

Hello,

I've been having a lot of trouble with my computer lately. I'm running Windows XP Professional Service Pack 3. Here is the story thus far:

I was downloading something from rapidshare (I know, bad idea, but I hadn't been there before) and all of a sudden my system went to hell. The first indication was when Internet Explorer windows started popping up (I was using Firefox at the time and almost never use IE). I realized something was wrong so an error message telling me that my firewall was shut off. So I turned off my internet connection and clicked the bubble. I clicked on "recommendations" and the enable firewall option was no longer there. It only had a link to a website to get an antivirus program. I didn't click this because I figured it to be phony. To make a long story shorter, I ran all my anti-virus and anti-spyware programs and they found some things which I cleaned and restarted. I ran my anti virus in safemode and it found some more problems. After I cleaned these things I restarted and my firewall was no longer coming down.

But explorer.exe kept resetting. On a suggestion from my dad, I removed my former anti-virus (McAfee, but there are some elements I can't still remove) and now am running NOD32 from Eset. It got more things cleaned up but alas, explorer.exe still screws up. About every 10 seconds explorer will turn off and reset. This doesn't impact any of my programs already running though.

Here's the DDS log:


DDS (Version 1.1.0) - NTFSx86
Run by Kevin Ivers at 16:59:52.21 on Fri 12/26/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070509
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: BHO Class: {15421b84-3488-49a7-ad18-cbf84a3efaf6} - c:\program files\webtools\webtools.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\awtturrr.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Mjcore Class: {d88e1558-7c2d-407a-953a-c044f5607cea} - c:\program files\mjcore\Mjcore.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {f259ca35-62e3-45d5-a03f-f5d687ebe08d} - c:\windows\system32\byXQIBqq.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
uRun: [Aim6]
uRun: [iTunesHelper]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
uRun: [gadcom] "c:\documents and settings\kevin ivers\application data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [SpeedRunner] c:\documents and settings\kevin ivers\application data\speedrunner\SpeedRunner.exe
uRun: [SfKg6wIP] c:\documents and settings\kevin ivers\application data\microsoft\windows\txyyjx.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SetDefPrt] c:\program files\brother\brmfl06b\BrStDvPt.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [Fyade] rundll32.exe "c:\windows\asefucip.dll",e
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2E5E800E-6AC0-411E-940A-369530A35E43} - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
IE: {75C9223A-409A-4795-A3CA-08DE6B075B4B} - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
Trusted Zone: amaena.com
Trusted Zone: antimalwareguard.com
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
Trusted Zone: amaena.com
Trusted Zone: antimalwareguard.com
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
Notify: awtturrr - awtturrr.dll
AppInit_DLLs: wxvault.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\awtturrr.dll
LSA: Authentication Packages = msv1_0 wvauth nwprovau c:\windows\system32\byXQIBqq

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevini~1\applic~1\mozilla\firefox\profiles\hgweztkg.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {67BFB86D-0824-48E4-9FC9-10AA59E49A7B} - c:\documents and settings\kevin ivers\local settings\application data\{67BFB86D-0824-48E4-9FC9-10AA59E49A7B}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2008-12-25 17:55 <DIR> --d----- c:\windows\E31C348B63A94CBF8D7FD932ABB63244.TMP
2008-12-25 17:36 <DIR> --d----- C:\_backupD
2008-12-25 17:36 280,286 a------- C:\win32delfkil.exe
2008-12-25 17:36 53,248 a------- c:\windows\system32\process.exe
2008-12-25 17:36 16,384 a------- c:\windows\system32\restart.exe
2008-12-25 17:36 4,096 a------- c:\windows\system32\reboot.exe
2008-12-25 17:36 90,112 a------- c:\windows\system32\regdacl.exe
2008-12-25 17:36 42,496 a------- c:\windows\system32\swreg.exe
2008-12-25 17:36 <DIR> --d----- c:\windows\system32\regdacl
2008-12-25 17:34 <DIR> --d----- c:\program files\Trend Micro
2008-12-25 15:49 892,691 a--sh--- c:\windows\system32\qqBIQXyb.ini2
2008-12-25 15:49 892,691 a--sh--- c:\windows\system32\qqBIQXyb.ini
2008-12-25 15:49 294,400 a------- c:\windows\system32\byXQIBqq.dll
2008-12-25 15:41 512,096 a------- c:\windows\system32\drivers\amon.sys
2008-12-25 15:41 298,104 a------- c:\windows\system32\imon.dll
2008-12-25 15:41 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2008-12-25 15:09 <DIR> --d----- c:\docume~1\kevini~1\applic~1\SpeedRunner
2008-12-25 14:59 <DIR> --d----- c:\program files\Webtools
2008-12-25 14:54 <DIR> --d----- c:\program files\Mjcore
2008-12-22 02:02 369 a--sh--- c:\windows\system32\OXbadfii.ini
2008-12-22 01:57 <DIR> --d----- c:\docume~1\kevini~1\applic~1\gadcom
2008-12-22 01:57 58,880 a------- c:\windows\system32\awtturrr.dll
2008-12-22 01:56 70,656 a------- c:\windows\system32\prunnet.exe
2008-12-19 01:42 <DIR> --d----- c:\program files\iPod
2008-12-19 01:42 <DIR> --d----- c:\program files\iTunes
2008-12-19 01:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-19 01:40 <DIR> --d----- c:\program files\Bonjour
2008-12-09 02:05 <DIR> --d----- c:\program files\Moleskinsoft Clone Remover 3.3
2008-12-05 00:31 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-05 00:31 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-01 23:07 0 a------- c:\windows\iPlayer.INI
2008-12-01 21:06 <DIR> --d----- c:\program files\InterActual

==================== Find3M ====================

2008-12-26 16:52 82,919 ac------ c:\windows\system32\nvModes.dat
2008-12-25 17:58 15,648 a------- c:\windows\system32\drivers\NSDriver.sys
2008-12-25 17:57 15,648 a------- c:\windows\system32\drivers\AWRTRD.sys
2008-12-25 17:57 12,960 a------- c:\windows\system32\drivers\AWRTPD.sys
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 08:11 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 02:06 633,632 a------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2007-09-16 18:17 8 ac------ c:\docume~1\kevini~1\applic~1\usb.dat.bin

============= FINISH: 17:03:00.81 ===============



Thanks for your help!

Attached Files



BC AdBot (Login to Remove)

 


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,577 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:08 PM

Posted 26 December 2008 - 07:07 PM

Hi, cmdrblake88 :thumbsup:

Welcome.

RIGHT-CLICK HERE and select Save Link As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop. Once downloaded, RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)

Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Posted Image Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#3 cmdrblake88

cmdrblake88
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Michigan
  • Local time:03:08 PM

Posted 26 December 2008 - 08:43 PM

Hi JSntgRvr,

I'm so happy you responded to my post! I've been desperate for help. However, I can't complete the first part! :thumbsup:

Once I run the quick scan in MBAM after about 5 seconds an error comes up saying, "Run-time error "9": Subscript out of range"

There are different files it stops on, but they are all in the system32 folder. How should I get by this?

And I've tried to manually delete these but "Access is denied"

Edited by cmdrblake88, 26 December 2008 - 08:44 PM.


#4 cmdrblake88

cmdrblake88
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Michigan
  • Local time:03:08 PM

Posted 26 December 2008 - 08:44 PM

And I've tried to manually delete these but "Access is denied"

#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,577 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:08 PM

Posted 26 December 2008 - 09:03 PM

Hi, vheilman :thumbsup:

Download the enclosed folder. Save and extract its contents to the desktop. A new folder, Jumpstart_F, will be created. Don't do anything with it yet.

Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Perform the following steps in safe mode:

Go to the Control Panel. Select System -> Hardware -> Device Manager. Select View from the Menu, then "Show hidden Devices". Expand "Non Plug and Play Drivers". , Right click on the TDSSserv.sys driver (If present) and select Properties, Stop and Disable it. You will be asked to restart the computer. Select No at this time.

Open the Jumpstart_F folder and double click on the Runme.bat. Disregard any error message. The Computer will Restart . (Give it some time to complete the process)

Back in normal mode:

Posted Image Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#6 cmdrblake88

cmdrblake88
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Michigan
  • Local time:03:08 PM

Posted 26 December 2008 - 09:41 PM

Hi,

I tried what you said and logged into safe mode. Once I went to disable that driver, it wasn't there at all. So I ran the bat file you gave me anyway while still in safe mode and tried to run MBAM again in normal mode, but it gave me the same error in the same place.

I've noticed that explorer is no longer restarting though- it's not coming up at all! I have to access my programs through the task manager now.

Edited by cmdrblake88, 26 December 2008 - 09:42 PM.


#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,577 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:08 PM

Posted 26 December 2008 - 10:00 PM

I will get back to you. Need to contact a colleague that is working on these situations.

See of you can do this.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Leave an empty line at the end of the script.
  • Name the file as fix.bat
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Once saved, double click on the fix.bat file. The MSDOS Window will be displayed. That is normal.
  • Post the contents of the Notepad document it will produce.

@Echo Off
Reg Query "HKEY_LOCAL_MACHINE\SYSTEM" >%SystemDrive%\Log.txt
Start Notepad %SystemDrive%\Log.txt
Del /q %SystemDrive%\Log.txt
Del /q Fix.bat


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#8 cmdrblake88

cmdrblake88
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Michigan
  • Local time:03:08 PM

Posted 27 December 2008 - 12:34 AM

I did this and a prompt came up saying, "Cannot find the C:/log.txt file. Do you want to create a new file?" When I clicked yes, a new, blank notepad file was created named "log". When I clicked no, it simply had an untitled file come up. The encoding of the save file was "ANSI"- I don't know what that would do, but an MSDOS window did come up.

#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,577 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:08 PM

Posted 27 December 2008 - 02:42 AM

From the Task Manager -> Run a New Task. Copy and Paste the following command:

CMD /C Reg Query "HKEY_LOCAL_MACHINE\SYSTEM" >>C:\Log.txt

Then open Notepad and locate the C:\log.txt. Post its contents.

Edited by JSntgRvr, 27 December 2008 - 02:43 AM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,577 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:08 PM

Posted 27 December 2008 - 03:01 AM

cmdrblake88, please boot your cmputer into Safe Mode with Networking. That should give you a chance to download Combofix and run it in Safe Mode.

To reboot your computer in Safe Mode with Networking follow these steps :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the option to run Windows in Safe Mode with Networking, then press Enter.
  • Choose your usual account.
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Edited by JSntgRvr, 27 December 2008 - 03:09 AM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#11 cmdrblake88

cmdrblake88
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Michigan
  • Local time:03:08 PM

Posted 27 December 2008 - 11:31 AM

Hi, JSntgRvr

Good news! :thumbsup: Explorer.exe is no longer resetting! My internet loading times are slower but the main problems seem to be fixed. I noticed ComboFix deleted Speedrunner and Mjcore which were two pieces of malware I noticed when doing multiple virus scans. Apparently they weren't deleted before, but now they are. At the end of this post I've listed some programs or processes that were listed in the add/remove programs window that I don't remember seeing before and would like to make sure those are okay to leave as is or if I need to remove them.


Either way, here is the ComboFix Log:


ComboFix 08-12-26.03 - Kevin Ivers 2008-12-27 11:00:08.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.797 [GMT -5:00]
Running from: c:\documents and settings\Kevin Ivers\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Kevin Ivers\Application Data\gadcom
c:\documents and settings\Kevin Ivers\Application Data\SpeedRunner
c:\documents and settings\Kevin Ivers\Application Data\SpeedRunner\config.cfg
c:\documents and settings\Kevin Ivers\Application Data\SpeedRunner\SRUninstall.exe
c:\program files\Mjcore
c:\program files\Mjcore\Mjcore.dll
c:\windows\IE4 Error Log.txt
c:\windows\system32\awtturrr.dll
c:\windows\system32\byXQIBqq.dll
c:\windows\system32\OXbadfii.ini
c:\windows\system32\qqBIQXyb.ini
c:\windows\system32\qqBIQXyb.ini2

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.

2008-12-26 21:35 . 2008-12-27 00:20 17,384 --a------ c:\windows\system32\nvModes.dat
2008-12-26 21:35 . 2008-12-27 11:06 17,384 --a------ c:\windows\system32\nvModes.001
2008-12-26 21:35 . 2008-12-27 11:06 0 --a------ c:\windows\system32\NvwsApps.xml
2008-12-26 21:14 . 2008-12-27 11:06 2,148 --a------ c:\windows\system32\wpa.dbl
2008-12-26 20:27 . 2008-12-27 10:55 3,592 --a------ c:\windows\system32\PerfStringBackup.TMP
2008-12-26 19:43 . 2008-12-26 19:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 19:43 . 2008-12-26 19:43 <DIR> d-------- c:\documents and settings\Kevin Ivers\Application Data\Malwarebytes
2008-12-26 19:43 . 2008-12-26 19:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-26 19:43 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 19:43 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-25 17:55 . 2008-12-25 17:56 <DIR> d-------- c:\windows\E31C348B63A94CBF8D7FD932ABB63244.TMP
2008-12-25 17:36 . 2008-12-25 17:36 <DIR> d-------- c:\windows\system32\regdacl
2008-12-25 17:36 . 2008-12-25 17:36 <DIR> d-------- C:\_backupD
2008-12-25 17:36 . 2008-12-25 17:23 280,286 --a------ C:\win32delfkil.exe
2008-12-25 17:34 . 2008-12-25 17:34 <DIR> d-------- c:\program files\Trend Micro
2008-12-25 15:41 . 2008-12-25 15:38 512,096 --a------ c:\windows\system32\drivers\amon.sys
2008-12-25 15:41 . 2008-12-25 15:38 298,104 --a------ c:\windows\system32\imon.dll
2008-12-25 15:41 . 2008-12-25 15:38 15,424 --a------ c:\windows\system32\drivers\nod32drv.sys
2008-12-25 15:00 . 2008-12-25 15:00 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\StumbleUpon
2008-12-25 14:59 . 2008-12-25 16:27 <DIR> d-------- c:\program files\Webtools
2008-12-19 01:42 . 2008-12-19 01:42 <DIR> d-------- c:\program files\iTunes
2008-12-19 01:42 . 2008-12-19 01:42 <DIR> d-------- c:\program files\iPod
2008-12-19 01:42 . 2008-12-19 01:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-19 01:40 . 2008-12-19 01:40 <DIR> d-------- c:\program files\Bonjour
2008-12-09 02:05 . 2008-12-09 02:05 <DIR> d-------- c:\program files\Moleskinsoft Clone Remover 3.3
2008-12-08 22:31 . 2008-12-08 22:31 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-05 00:31 . 2008-12-05 00:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-05 00:31 . 2008-12-05 00:30 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-05 00:21 . 2008-12-05 00:21 <DIR> d-------- c:\program files\NOS
2008-12-05 00:21 . 2008-12-08 22:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2008-12-01 23:07 . 2008-12-01 23:07 0 --a------ c:\windows\iPlayer.INI
2008-12-01 21:06 . 2008-12-01 21:06 <DIR> d-------- c:\program files\InterActual

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 16:07 --------- d-----w c:\program files\Steam
2008-12-27 15:43 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-25 22:58 15,648 ----a-w c:\windows\system32\drivers\NSDriver.sys
2008-12-25 22:57 15,648 ----a-w c:\windows\system32\drivers\AWRTRD.sys
2008-12-25 22:57 12,960 ----a-w c:\windows\system32\drivers\AWRTPD.sys
2008-12-25 22:56 --------- d-----w c:\program files\Lavasoft
2008-12-25 22:54 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-25 22:30 --------- d-----w c:\program files\Eset
2008-12-23 20:45 --------- d-----w c:\documents and settings\Kevin Ivers\Application Data\StumbleUpon
2008-12-19 06:39 --------- d-----w c:\program files\QuickTime
2008-12-19 06:38 --------- d-----w c:\program files\Common Files\Apple
2008-12-05 05:30 --------- d-----w c:\program files\Java
2008-11-20 17:25 --------- d-----w c:\program files\The Weather Channel Toolbar
2008-11-20 17:24 --------- d-----w c:\program files\The Weather Channel FW
2008-11-16 14:17 --------- d-----w c:\program files\AIM6
2008-11-16 14:17 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-16 14:17 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-16 14:16 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-06 03:09 --------- d-----w c:\program files\Common Files\AVSMedia
2008-11-06 03:04 --------- d-----w c:\program files\Starcraft
2008-11-06 03:03 --------- d-----w c:\documents and settings\Kevin Ivers\Application Data\Yahoo!
2008-11-06 03:03 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-06 03:01 --------- d-----w c:\program files\Kali95
2008-11-06 02:56 --------- d-----w c:\program files\DivX
2008-11-02 01:08 --------- d-----w c:\program files\iPowerHour
2008-11-02 01:05 --------- d-----w c:\program files\Winamp
2008-10-30 06:59 --------- d-----w c:\documents and settings\All Users\Application Data\MGTEK
2008-10-29 05:36 --------- d-----w c:\program files\LimeWire
2007-09-16 23:17 8 -c--a-w c:\documents and settings\Kevin Ivers\Application Data\usb.dat.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Steam"="c:\program files\Steam\Steam.exe" [2008-10-08 1410296]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-10-06 793712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"SetDefPrt"="c:\program files\Brother\Brmfl06b\BrStDvPt.exe" [2005-01-26 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-05 136600]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-12-25 949376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= JpegCode.dll
"vidc.dmb1"= m3jpeg32.dll
"VIDC.NSVI"= NSVIDEO.DLL
"VIDC.JPEG"= JpegCode.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk
backup=c:\windows\pss\EMBASSY Trust Suite Secure Update.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
--a--c--- 2007-08-30 13:23 88024 c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
-ra--c--- 2005-10-07 12:13 176128 c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a--c--- 2006-06-29 12:13 1032192 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a--c--- 2005-09-08 04:20 122940 c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Document Manager]
--a--c--- 2006-09-08 08:32 102400 c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-12-09 20:29 49152 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 15:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 15:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
--a--c--- 2007-05-17 13:45 279912 c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
-----c--- 2003-09-10 02:24 20480 c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a--c--- 2006-01-19 08:14 7401472 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smart Start UP]
--a--c--- 2003-01-21 13:25 98304 c:\program files\NewSoft\Smart Start UP\PnPDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
--a--c--- 2007-04-10 13:46 709992 c:\windows\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
--a--c--- 2006-01-19 08:14 73728 c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2006-01-19 08:14 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2006-03-24 16:30 282624 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"PnkBstrA"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=2 (0x2)
"helpsvc"=2 (0x2)
"Fax"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\Activision\\Star Trek Armada II\\Armada2.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Westwood\\RA2\\game.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"41150:TCP"= 41150:TCP:LimeWire
"41150:UDP"= 41150:UDP:LimeWire

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\Drivers\Achernar.sys [2007-06-19 17920]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-12-25 15424]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-11 14336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-01-03 24652]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\Drivers\Aldebaran.sys [2007-06-19 13824]
S3 DSCVc;Video Capture;c:\windows\system32\DRIVERS\CoachVc.sys [2007-06-19 44256]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-05 33752]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-26 38496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LaunchBFII.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-27 c:\windows\Tasks\tpqzlrkr.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{A8A6F7D4-0AA8-489F-BF73-2ACC9C055E5B} - c:\windows\system32\byXQIBqq.dll
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKCU-Run-Aim6 - (no file)
HKCU-Run-iTunesHelper - (no file)
HKLM-Run-ShStatEXE - c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE
HKLM-Run-McAfeeUpdaterUI - c:\program files\McAfee\Common Framework\UdaterUI.exe
HKLM-Run-Fyade - c:\windows\asefucip.dll
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_02\bin\jusched.exe
MSConfigStartUp-Zune Launcher - c:\program files\Zune\ZuneLauncher.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
FF - ProfilePath - c:\documents and settings\Kevin Ivers\Application Data\Mozilla\Firefox\Profiles\hgweztkg.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-27 11:06:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1184)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Wave Systems Corp\Common\DataServer.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Eset\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2008-12-27 11:10:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-27 16:10:28

Pre-Run: 38,418,784,256 bytes free
Post-Run: 37,185,613,824 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

294 --- E O F --- 2008-12-19 08:01:16



****And here is the hijackthis log*************************************************************************


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:29 AM, on 12/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070509
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06b\BrStDvPt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "c:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: StumbleUpon - {75C9223A-409A-4795-A3CA-08DE6B075B4B} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)
O23 - Service: McAfee McShield (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe (file missing)
O23 - Service: McAfee Task Manager (McTaskManager) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9852 bytes






****Quick Questions****

I went to add/remove programs in control panel and I saw the following entries that I don't recall seeing before and which I couldn't delete (if I wanted to). I want to make sure these programs/processes are safe to have on my computer:

mcore
mDrWifi
mHlpDell
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
MWlsSafe
mWMI
mXML
MZConfig


Thanks again for all of your help! I think my system is running almost as well as it was in the beginning!

#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,577 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:08 PM

Posted 27 December 2008 - 12:05 PM

They are all safe. Most of them are developed by Intel, and those with a number, such as (KB927978), are Microsoft Updates.

Lets scan for remnants.

Run Malwarebites and post its report.

Then, please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u11-windows-i586-p.exe) and select "Run as an Administrator.")

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#13 cmdrblake88

cmdrblake88
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Michigan
  • Local time:03:08 PM

Posted 27 December 2008 - 12:28 PM

I've run my anti-virus things multiple times and Malwarebytes did detect files that I took care of before, so the log I've posted here doesn't reflect any other problems. But here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 3

12/27/2008 12:24:03 PM
mbam-log-2008-12-27 (12-24-03).txt

Scan type: Quick Scan
Objects scanned: 56273
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)


*********************************************

I'll post the Kaspersky log in the next post


I've attached a hijackthis log too in case you'd like to see it too.

Attached Files


Edited by cmdrblake88, 27 December 2008 - 12:33 PM.


#14 cmdrblake88

cmdrblake88
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Michigan
  • Local time:03:08 PM

Posted 27 December 2008 - 03:12 PM

Here's the Kaspersky Report.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 27, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 27, 2008 13:28:06
Records in database: 1520697
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\


Scan statistics:
Files scanned: 89362
Threat name: 4
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:51:26


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Kevin Ivers\Application Data\SpeedRunner\SRUninstall.exe.vir Infected: Trojan-Downloader.Win32.Agent.aldb 1
C:\Qoobox\Quarantine\C\Program Files\Mjcore\Mjcore.dll.vir Infected: Trojan.Win32.BHO.ilw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\awtturrr.dll.vir Infected: Trojan.Win32.Monder.afdk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\byXQIBqq.dll.vir Infected: Trojan.Win32.Monder.aftl 1

The selected area was scanned.


****Here is the C:\log file you requested previously*************************************************************************************


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003

HKEY_LOCAL_MACHINE\SYSTEM\LastKnownGoodRecovery

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

HKEY_LOCAL_MACHINE\SYSTEM\Select

HKEY_LOCAL_MACHINE\SYSTEM\Setup

HKEY_LOCAL_MACHINE\SYSTEM\WPA

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet

#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,577 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:08 PM

Posted 27 December 2008 - 03:17 PM

Hi, cmdrblake88. :thumbsup:

All looks clear, congratulations.Posted Image

The findings are files already quarantined by Combofix.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

    Posted Image
Create a Restore point (If the above process fails to do so):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein and this one by Miekiemoes.

Best wishes! Posted Image

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users