Norman Malware Cleaner and W32/Liger


This topic is locked
4 replies to this topic

#1 slider1

Posted 22 July 2009 - 09:58 AM

I had an infection of Trojan.Win32.Patched.aa or W32/Liger which had infected services.exe, lsass.exe, winlogon.exe and svchost.exe. I used Norman Malware Cleaner to remove the virus. The problem is it must not have correctly disinfected those files. After the removal reboot I could not drag and drop files, and programs would not minimize to the taskbar. My user account in Control Panel was blank, the extended Services applet did not work correctly and was blank, while the standard Services tab would show the services but right clicking did nothing. Also, installing certain programs does not work, sometimes giving no error, while .vbs scripts give an access denied error.

I booted into another XP operating system on the same computer and replaced services.exe, lsass.exe, winlogon.exe and svchost.exe, and the problems with drag and drop, the taskbar, the blank user account and extended services, plus right clicking in standard Services, were all gone, but the installation errors are still present. Also, Internet Explorer has restrictions placed on the Internet zone, where I get an error that I cannot run ActiveX on my computer when I try to go to Windows Update. Changing settings in IE7 does not correct this problem and there are no settings in Group Policy that I can see that would create this restriction on my computer.

I tried to reinstall SP3 and install IE8 over IE7, but I get the error that the Cryptographic Service may not be started when it is running in the Services applet. I tried running a .vbs script to fix Cryptographic Services that I got from Kelly's Corner, but it gives an error on line 19: access denied, which is a command to delete catroot2. I have manually renamed catroot2 and run the commands to fix the cryptographic error, but it made no difference to the installation errors.

I have a feeling that these errors are related and have something to do with permission settings in the registry and/or possibly a corrupt Windows Installer installation caused by removing the virus. None of these problems existed before the virus removal, and any help is appreciated.

Here is the DDS log:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 7:51:37.03 on Wed 07/22/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.136 [GMT -7:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\system32\svchost.exe -k netsvcs
F:\Program Files\cFosSpeed\spd.exe
F:\WINDOWS\system32\dllhost.exe
F:\Program Files\FolderSize\FolderSizeSvc.exe
F:\WINDOWS\system32\nvsvc32.exe
svchost.exe
F:\WINDOWS\System32\svchost.exe -k HTTPFilter
F:\WINDOWS\system32\taskmgr.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Internet Download Manager\IDMan.exe
F:\Program Files\Internet Download Manager\IEMonitor.exe
F:\Users\Administrator\My Documents\Downloads\Programs\Norman_Malware_Cleaner.exe
F:\WINDOWS\system32\mmc.exe
F:\WINDOWS\system32\dmremote.exe
F:\WINDOWS\System32\dmadmin.exe
F:\Program Files\Runtime Software\DriveImage XML\dixml.exe
F:\WINDOWS\system32\Notepad2.exe
F:\WINDOWS\system32\Notepad2.exe
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
F:\Users\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uWindow Title = IE
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - f:\program files\internet download manager\IDMIECC.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - f:\program files\siber systems\ai roboform\roboform.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - f:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - f:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - f:\program files\siber systems\ai roboform\roboform.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [IDMan] f:\program files\internet download manager\IDMan.exe /onboot
uRun: [Grab Text]
uRun: [uTorrent] "c:\program files\utorrent\utorrent.exe"
mRun: [UnlockerAssistant] "f:\program files\unlocker\UnlockerAssistant.exe" -H
mRun: [SystemTray] SysTray.Exe
mRun: [cFosSpeed] f:\program files\cfosspeed\cFosSpeed.exe
mRun: [PMX Daemon] ICO.EXE
mRun: [PowerTweak Menu] f:\windows\system32\mmm.exe
mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE f:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [CTFMON.EXE] f:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [NewUser] f:\windows\lastxp\NewUser.cmd
StartupFolder: f:\users\alluse~1\startm~1\programs\startup\bluetooth.lnk - f:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: Customize Menu - file://f:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Download all links with IDM - f:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - f:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - f:\program files\internet download manager\IEExt.htm
IE: Fill Forms - file://f:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Lookup on Merriam Webster - file://f:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://f:\program files\iespell\wikipedia.HTM
IE: RoboForm Toolbar - file://f:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://f:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - f:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - f:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - f:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - f:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - f:\program files\java\jre1.6.0_07\bin\ssv.dll
LSP: f:\windows\system32\imon.dll
LSP: f:\windows\system32\idmmbc.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/da/PCPitStop.CAB
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1223272907015
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245453029281
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248220424187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - f:\users\admini~1\applic~1\mozilla\firefox\profiles\j3gdtuqr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: f:\program files\mozilla firefox\components\SABFF20.DLL
FF - component: f:\program files\siber systems\ai roboform\firefox\components\rfproxy_19.dll
FF - component: f:\users\administrator\application data\idm\idmmzcc2\components\idmmzcc.dll
FF - plugin: c:\program files\divx\divx web player\npdivx32.dll
FF - plugin: c:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: c:\program files\java\jre1.6.0_04\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0_04\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0_04\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0_04\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0_04\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0_04\bin\npjpi160_04.dll
FF - plugin: c:\program files\java\jre1.6.0_04\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NP32DSW.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npBitCometAgent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npsabffx.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin7.dll
FF - plugin: c:\program files\windows media player\npdrmv2.dll
FF - plugin: c:\program files\windows media player\npdsplay.dll
FF - plugin: c:\program files\windows media player\npwmsdrm.dll
FF - plugin: c:\program files\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32.dll
FF - plugin: c:\windows\system32\superadblocker.com\npsabffx.dll
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: content.notify.backoffcount - 5
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Ndis3pkt;NDIS3PKT Driver for NAT32 (Windows 2000/XP Version);f:\windows\system32\drivers\ndis3pkt.sys [2008-10-5 58048]
R1 nod32drv;nod32drv;f:\windows\system32\drivers\nod32drv.sys [2008-10-5 15424]
S3 IKFileSec;File Security Driver;f:\windows\system32\drivers\ikfilesec.sys [2008-10-5 40840]
S3 IKSysFlt;System Filter Driver;f:\windows\system32\drivers\iksysflt.sys [2008-10-5 66952]
S3 IKSysSec;System Security Driver;f:\windows\system32\drivers\iksyssec.sys [2008-10-5 81288]
S3 sdAuxService;PC Tools Auxiliary Service;f:\program files\spyware doctor\pctsAuxs.exe [2008-10-5 356920]
S3 sdCoreService;PC Tools Security Service;f:\program files\spyware doctor\pctsSvc.exe [2008-10-5 1079176]
S3 ultradfg;ultradfg;f:\windows\system32\drivers\ultradfg.sys [2007-8-3 22016]
S4 Netcom3;NetCom3 Service;f:\program files\netcom3 cleaner\netcom3d.exe --> f:\program files\netcom3 cleaner\Netcom3D.exe [?]
S4 NOD32krn;NOD32 Kernel Service;f:\program files\eset\nod32krn.exe [2008-10-5 552064]

============== File Associations ===============

inffile=f:\windows\system32\Notepad2.exe %1
inifile=f:\windows\system32\Notepad2.exe %1
txtfile="%WinDir%\NOTEPAD.EXE" %1

=============== Created Last 30 ================

2009-07-22 07:29 <DIR> --d----- f:\program files\Runtime Software
2009-07-20 16:02 0 a--sh--- f:\windows\S92FEA865.tmp
2009-07-14 05:35 <DIR> --dsh--- F:\Diskeeper
2009-07-12 19:50 1,116,536 a------- F:\fraglist.luar

==================== Find3M ====================

2009-07-22 05:15 80,263 a------- f:\windows\system32\nvModes.dat
2009-06-19 16:45 23,600 a------- f:\windows\system32\drivers\TVICHW32.SYS
2009-06-16 12:05 53,248 a------- f:\windows\system32\CSVer.dll
2009-05-07 08:32 345,600 a------- f:\windows\system32\localspl.dll
2009-05-07 08:32 345,600 -------- f:\windows\system32\dllcache\localspl.dll
2009-04-28 21:55 459,264 a------- f:\windows\system32\SET10B.tmp
2009-04-28 02:05 70,656 a------- f:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 02:05 13,824 a------- f:\windows\system32\dllcache\ieudinit.exe
2009-04-24 22:27 636,088 a------- f:\windows\system32\dllcache\iexplore.exe
2009-04-24 22:26 161,792 a------- f:\windows\system32\dllcache\ieakui.dll
2004-09-27 18:00 26,240 a------- f:\windows\inf\RAMDSK.SYS
2008-10-04 11:28 16,384 a--sh--- f:\windows\system32\config\systemprofile\cookies\index.dat
2008-10-04 11:28 32,768 a--sh--- f:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-10-04 11:28 32,768 a--sh--- f:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100520081006\index.dat
2008-10-04 11:28 32,768 a--sh--- f:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 7:51:54.31 ===============


I have also run sfc /scannow and chkdsk, and neither fixed the problem. I believe if I can get the installer working to where I can reinstall SP3 and install IE8 that these problems will be solved. I am running Windows XP Professional SP3.

#2 slider1 (Topic Starter)

Posted 22 July 2009 - 10:32 AM

The previous log is from another OS on another partition. Sorry, here is the correct DDS log:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 8:19:31.57 on 22/07/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.319 [GMT -8:00]

AV: Norman Security Suite *On-access scanning enabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kerio WinRoute Firewall *enabled* {916dafda-8250-4a1d-9095-000da68ac4da}

============== Running Processes ===============

C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
C:\Program Files\Norman\Npm\Bin\scheduler.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Norman\npm\bin\nvoy.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\CachemanXP\CachemanXP.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Norman\Nvc\Bin\Nip.exe
C:\Program Files\Norman\Nvc\Bin\nvcoas.exe
C:\Program Files\Norman\Nvc\Bin\cclaw.exe
C:\Users\Administrator\My Documents\Downloads\Programs\IE8-WindowsXP-x86-ENU.exe
d:\c13ba03266c7f3a92c7b\update\iesetup.exe
C:\WINDOWS\system32\mrt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\MOZILLA FIREFOX\FIREFOX.EXE
F:\Users\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============


================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\applic~1\mozilla\firefox\profiles\j3gdtuqr.default\
FF - prefs.js: browser.search.selectedEngine - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\mozilla firefox\components\SABFF20.DLL
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_19.dll
FF - component: c:\users\administrator\application data\idm\idmmzcc2\components\idmmzcc.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: content.notify.backoffcount - 5
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.xul.error_pages.enabled - true

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-7-20 26624]
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-2-21 33808]
R0 Ndis3pkt;NDIS3PKT Driver for NAT32 (Windows 2000/XP/2003 Version);c:\windows\system32\drivers\ndis3pkt.sys [2008-8-7 175104]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2008-10-3 3968]
R1 Ckdriver;Linkbyte Ckdriver;c:\windows\system32\drivers\ckdriver.sys [2008-8-8 106760]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2007-6-13 14464]
R1 is-ABS7Sdrv;is-ABS7Sdrv;c:\windows\system32\drivers\59001583.sys [2009-7-17 148496]
R1 is-BJO4Ndrv;is-BJO4Ndrv;c:\windows\system32\drivers\14240691.sys [2009-7-17 148496]
R1 is-KIMTJdrv;is-KIMTJdrv;c:\windows\system32\drivers\24396433.sys [2009-7-16 148496]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-7-16 226832]
R1 NGS;Norman General Security Driver;c:\program files\norman\ngs\bin\ngs.sys [2009-7-19 22712]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-8-19 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-8-19 55024]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-11-11 208616]
R2 CachemanXPService;CachemanXP;c:\program files\cachemanxp\CachemanXP.exe [2008-5-10 243200]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-7-14 211216]
R2 Ndiskio;Ndiskio;c:\program files\norman\nse\bin\Ndiskio.sys [2009-7-19 20448]
R2 Norman ZANDA;Norman ZANDA;c:\program files\norman\npm\bin\Zanda.exe [2009-2-25 408696]
R2 nvcoas;Norman Virus Control on-access component;c:\program files\norman\nvc\bin\Nvcoas.exe [2009-7-19 195640]
R2 NVOY;Norman Resource Provider;c:\program files\norman\npm\bin\nvoy.exe [2009-7-19 126008]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-7-14 27992]
R2 Scheduler;Norman Scheduler Service;c:\program files\norman\npm\bin\scheduler.exe [2009-7-19 130104]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-2-16 24592]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-7-10 33792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-7-14 19096]
R3 nsesvc;Norman Scanner Engine Service;c:\program files\norman\nse\bin\Nsesvc.exe [2009-7-19 310328]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2009-7-19 19512]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584]
S1 is-KC0R7drv;is-KC0R7drv;c:\windows\system32\drivers\18540260.sys [2009-7-18 148496]
S1 nltdi;nltdi;\??\c:\windows\system32\drivers\nltdi.sys --> c:\windows\system32\drivers\nltdi.sys [?]
S1 NPROSEC;Norman Security driver;c:\program files\norman\ngs\bin\nprosec.sys [2009-7-19 53816]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-11-27 3712]
S2 NPROSECSVC;Norman Security service;c:\program files\norman\ngs\bin\nprosec.exe [2009-7-19 121912]
S3 cpuz128;cpuz128;\??\c:\windows\temp\cpuz_x32.sys --> c:\windows\temp\cpuz_x32.sys [?]
S3 kvpndev;Kerio VPN adapter;c:\windows\system32\drivers\kvpndrv.sys [2008-1-16 65024]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\drivers\kwflower.sys [2008-1-16 99840]
S3 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\a1.tmp --> c:\windows\system32\A1.tmp [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-7-14 30946]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-8-19 7408]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-4-22 108032]
S4 atitray;atitray; [x]
S4 gmxfwsvc;Onlineeye Firewall Service; [x]

============== File Associations ===============

inffile=c:\windows\system32\Notepad2.exe %1
inifile=c:\windows\system32\Notepad2.exe %1
txtfile="%WinDir%\NOTEPAD.EXE" %1

=============== Created Last 30 ================

2009-07-20 16:00 286,993 a------- C:\Kelowna_Law_Courts-Completed_Provincial_Court_List.pdf
2009-07-20 15:19 <DIR> --d----- C:\Fix155990
2009-07-20 15:18 8,702,704 a------- C:\WindowsXP-KB895200-x86-Symbols-ENU.exe
2009-07-20 15:18 4,630,256 a------- C:\WindowsXP-KB895200-x86-ENU.exe
2009-07-20 15:00 <DIR> --d----- c:\windows\system32\Cache
2009-07-20 15:00 <DIR> --d----- c:\windows\system32\Logfiles
2009-07-20 14:45 <DIR> --d----- c:\program files\common files\ODBC
2009-07-20 13:55 <DIR> --d----- c:\users\alluse~1\applic~1\RegCure
2009-07-20 09:57 <DIR> --d----- c:\windows\system32\CatRoot2
2009-07-20 07:04 26,624 a------- c:\windows\system32\drivers\fsbts.sys
2009-07-20 05:54 202,776 ac------ c:\windows\system32\dllcache\wuweb.dll
2009-07-20 03:14 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-07-20 03:03 <DIR> --d----- C:\Hotfix
2009-07-19 23:53 <DIR> --d----- c:\windows\system32\CatRoot2.bak
2009-07-19 22:23 212,024 a------- c:\windows\system32\nscrnsav.scr
2009-07-19 22:23 19,512 a------- c:\windows\system32\drivers\nvcw32mf.sys
2009-07-19 22:22 <DIR> --d----- c:\program files\Norman
2009-07-19 20:56 16,757 a------- c:\windows\imsins.BAK
2009-07-19 04:04 166 a------- c:\windows\system32\Compress.res
2009-07-19 04:04 230 a------- c:\windows\reimage.ini
2009-07-18 18:00 2,843,136 a------- c:\windows\system32\msi.dll
2009-07-18 16:59 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-18 15:50 219,648 a------- c:\windows\PEV.exe
2009-07-18 14:08 1,344,115 a------- c:\windows\setupapi.log.0.old
2009-07-18 13:56 <DIR> --d----- C:\rei
2009-07-18 13:56 <DIR> --d----- c:\program files\Reimage
2009-07-18 13:25 <DIR> --d----- C:\sec31
2009-07-18 13:25 <DIR> --d----- C:\stdtsa
2009-07-18 11:28 <DIR> --d----- c:\program files\Sophos
2009-07-18 03:59 148,496 a------- c:\windows\system32\drivers\18540260.sys
2009-07-18 01:52 <DIR> --d----- c:\windows\system32\oldcatRoot2
2009-07-17 04:24 148,496 a------- c:\windows\system32\drivers\14240691.sys
2009-07-17 04:22 148,496 a------- c:\windows\system32\drivers\59001583.sys
2009-07-17 03:49 <DIR> --d----- c:\users\administrator\.housecall6.6
2009-07-17 02:53 1,426,915 a------- c:\windows\setupapi.log.1.old
2009-07-16 14:13 148,496 a------- c:\windows\system32\drivers\24396433.sys
2009-07-16 02:03 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-07-16 02:03 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-07-16 02:02 6,257,696 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-07-16 02:02 794,656 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-07-16 02:02 53,112 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-07-16 02:02 6,940 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-07-16 02:02 <DIR> --d----- c:\users\alluse~1\applic~1\Kaspersky Lab
2009-07-15 20:17 <DIR> --d----- c:\users\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-07-15 20:17 <DIR> --d----- c:\users\admini~1\applic~1\Kaspersky Lab Setup Files
2009-07-15 18:17 <DIR> --d----- c:\users\alluse~1\applic~1\Malwarebytes
2009-07-15 17:54 <DIR> --d----- c:\users\alluse~1\applic~1\DriverScanner
2009-07-15 17:54 <DIR> --d----- c:\program files\Uniblue
2009-07-15 17:54 <DIR> -cd-h--- c:\users\alluse~1\applic~1\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-07-15 17:09 <DIR> -cd-h--- c:\users\alluse~1\applic~1\{DC840DBC-2CB0-4FEA-98ED-F4E3BD2970C7}
2009-07-14 20:40 <DIR> --d----- c:\users\admini~1\applic~1\uniblue
2009-07-14 20:38 <DIR> -cd-h--- c:\users\alluse~1\applic~1\{F19A02B4-1684-448C-B152-43B554F2E722}
2009-07-14 20:25 30,946 a------- c:\windows\system32\drivers\Partizan.sys
2009-07-14 20:25 25,088 a------- c:\windows\system32\Partizan.exe
2009-07-14 20:22 <DIR> --d----- c:\users\alluse~1\applic~1\MicroWorld
2009-07-14 18:47 <DIR> --d----- c:\users\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-14 18:47 <DIR> --d----- c:\users\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-14 17:37 <DIR> --d----- c:\users\alluse~1\applic~1\Diskeeper Corporation
2009-07-14 16:11 3,980 a------- C:\cc_20090714_161149.reg
2009-07-14 16:11 77,422 a------- C:\cc_20090714_161127.reg
2009-07-14 01:15 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-14 01:15 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-14 01:15 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-13 22:48 <DIR> --dsh--- C:\Diskeeper
2009-07-13 21:45 165 a------- c:\windows\startUp manager.INI
2009-07-13 21:12 <DIR> --d----- c:\users\admini~1\applic~1\SUPERAntiSpyware.com
2009-07-13 21:12 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-13 21:00 817,807 a------- C:\fraglist.luar
2009-07-13 20:30 <DIR> --d----- c:\program files\common files\Diskeeper Corporation
2009-07-13 20:30 <DIR> --d----- c:\program files\Diskeeper Corporation
2009-07-13 10:30 58,240 a------- c:\windows\system32\drivers\usbhub.sys
2009-07-13 10:30 361,600 a------- c:\windows\system32\drivers\tcpip.sys
2009-07-13 10:29 6,121,504 a------- c:\windows\system32\drivers\nv4_mini.sys
2009-07-13 10:29 6,049,536 a------- c:\windows\system32\nv4_disp.dll
2009-07-13 09:15 160,256 a------- c:\windows\system32\drivers\b57xp32.sys
2009-07-13 07:25 3,153,920 a------- c:\windows\system32\secsetup.sdb
2009-07-13 07:10 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-13 04:10 <DIR> --d----- c:\users\admini~1\applic~1\FDRLab
2009-07-13 03:14 39,424 a------- c:\windows\zipinst.exe
2009-07-13 03:14 <DIR> --d----- c:\program files\WinUpdatesList
2009-07-12 19:11 <DIR> --d----- c:\program files\Bullzip
2009-07-12 18:51 193,242 a------- C:\fraglist.htm
2009-07-12 18:45 <DIR> --d----- c:\windows\UltraDefrag
2009-07-12 03:15 <DIR> --d----- c:\windows\system32\windows media
2009-07-12 03:15 7,168 a------- c:\windows\system32\asferror.dll
2009-07-12 03:15 <DIR> --d----- c:\windows\msdownld.tmp
2009-07-12 03:15 <DIR> --d----- c:\program files\Windows Media Components
2009-07-11 21:14 <DIR> --d----- c:\users\administrator\LocalLow
2009-07-10 16:51 46,592 a------- c:\windows\system32\libusb0.dll
2009-07-10 16:51 33,792 a------- c:\windows\system32\drivers\libusb0.sys
2009-07-10 16:51 19,456 a------- c:\windows\system32\libusbd-9x.exe
2009-07-10 16:51 18,944 a------- c:\windows\system32\libusbd-nt.exe
2009-07-10 16:51 <DIR> --d----- c:\program files\LibUSB-Win32-0.1.10.1
2009-07-10 14:56 91,632 a------- c:\windows\system32\dsofile.dll
2009-07-09 22:28 <DIR> --d----- c:\program files\Project64 1.7
2009-07-09 19:05 <DIR> --d----- c:\program files\Project64 1.6
2009-07-04 03:40 <DIR> --d----- c:\program files\Everything
2009-07-02 10:58 <DIR> --d----- C:\Downloads
2009-07-02 09:47 <DIR> --d-h--- C:\msdownld.tmp

==================== Find3M ====================

2009-07-17 03:50 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-07-16 02:56 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-07-14 23:24 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-07-12 18:40 47,360 a------- c:\users\admini~1\applic~1\pcouffin.sys
2009-06-13 04:54 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-06-11 18:08 4,096 a------- c:\windows\d3dx.dat
2009-06-08 20:02 249,856 a------- c:\windows\Setup1.exe
2009-06-08 20:02 73,216 a------- c:\windows\ST6UNST.EXE
2009-06-08 03:47 21,228 a---h--- c:\windows\system32\mlfcache.dat
2009-06-02 21:34 81,984 a------- c:\windows\system32\bdod.bin
2009-05-27 13:07 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-26 04:26 4,394 a------- C:\cc_20090526_042617.reg
2009-05-26 04:25 119,550 a------- C:\cc_20090526_042535.reg
2009-05-24 13:15 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-05-21 05:30 543 a------- C:\repair.reg
2009-05-19 05:05 1,380,403 a------- c:\windows\system32\avgsdk.dll
2008-11-18 00:50 738 a------- c:\users\administrator\CLsIDBackup.reg
2008-10-10 16:58 81,920 a------- c:\users\admini~1\applic~1\ezpinst.exe
2008-10-07 17:35 10,008 a------- c:\users\administrator\Com3Backup.reg
2008-10-07 15:58 94,208 a------- c:\users\admini~1\applic~1\ezplay.sys
2008-10-04 12:34 908 a------- c:\users\admini~1\applic~1\FolderPilot.dat
2008-10-04 06:47 87 a------- c:\users\administrator\fix.reg
2008-10-07 18:28 2 a--sh-ot c:\windows\winstart.bat
2002-07-31 19:55 108 a--sh--- c:\windows\WSYS049.SYS
2008-08-16 23:09 56 a--shr-- c:\windows\system32\EF51B3A5FB.sys
2008-08-16 23:09 1,890 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-06-11 10:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007061220070613\index.dat
2008-11-18 02:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111820081119\index.dat

============= FINISH: 8:21:04.04 ===============


#3 slider1

slider1
  • Topic Starter
  • Members
  • 4 posts

Posted 23 July 2009 - 01:25 PM

Before I read the advice not to make any changes, I changed a setting which fixed the update.ini "permission denied" error and the Windows Update errors I was getting, and I am writing it here in case anyone else has the same problem.

I fixed the error by following these instructions:

Start/Run
Type "gpedit.msc" ENTER
Click + by Computer Configuration
Click + by Windows Settings
Click + by Security Settings
Click + by Software Restriction Policies
Click + by Trusted Publishers
For "Allow the following users to select trusted publishers," the default is "End users."
If you do not have this at all, this does not apply.
This is typically the ActiveX error or the 0x800b0004 error.

"Local Computer Administrators" was checked instead of "End users". This caused multiple install errors and an inability to go to Windows Update.

The other problems I had, such as blank user accounts, blank extended services, no right-clicking on standard services, and no drag and drop on the desktop or minimizing to the taskbar, were all fixed when I replaced lsass.exe, services.exe, winlogon.exe and svchost.exe with fresh versions of those files. This most likely needs to be done from Windows repair or another OS.

I am still not sure that I have completely got rid of all viruses, though, since I found pev.exe on my computer, which is reported to be a virus by some sites, and none of the virus programs I ran (which is a lot) found it.

Hello slider1,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, or do not respond to your requests, is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Edited by The weatherman, 23 July 2009 - 05:43 PM.
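An added audit script (not from the thread or from any of the tools named in it) that checks the two things slider1 changed above: the Software Restriction Policies "Trusted Publishers" selector set through gpedit.msc, and the four system binaries that were replaced. It assumes the SRP dialog stores its selector in the AuthenticodeFlags registry value under the Safer key shown (0 = End users, 1 = Local computer administrators, 2 = Enterprise administrators), and that the standard System32 paths apply on the audited machine.

```powershell
# Added audit script, not part of the original thread. Assumption: the SRP
# "Allow the following users to select trusted publishers" choice is stored in
# the low bits of AuthenticodeFlags under this key (0 = End users, 1 = Local
# computer administrators, 2 = Enterprise administrators). Verify on your build.
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer'

function Get-TrustedPublisherPolicy {
    $names = @{ 0 = 'End users'; 1 = 'Local computer administrators'; 2 = 'Enterprise administrators' }
    $item = Get-ItemProperty -Path $srpKey -Name AuthenticodeFlags -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the policy was never written, so the default (End users) applies.
        return [pscustomobject]@{ Configured = $false; Selector = 'End users (default, value absent)'; Raw = $null }
    }
    $raw = [int]$item.AuthenticodeFlags
    $who = $raw -band 0x3
    [pscustomobject]@{
        Configured = $true
        Selector   = if ($names.ContainsKey($who)) { $names[$who] } else { "unknown ($who)" }
        Raw        = ('0x{0:X}' -f $raw)
    }
}

# The four binaries the first post reports as patched by W32/Liger. Once replaced
# from clean media each should carry a valid Microsoft signature. Recent Windows
# versions honour catalog signatures here; on XP, or if a file reports NotSigned,
# cross-check with sigverif.exe before drawing conclusions.
function Test-CoreSystemBinaries {
    $files = 'services.exe', 'lsass.exe', 'winlogon.exe', 'svchost.exe' |
        ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }
    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f
        [pscustomobject]@{
            File   = $f
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        }
    }
}

$policy = Get-TrustedPublisherPolicy
$policy | Format-List
if ($policy.Configured -and $policy.Selector -ne 'End users') {
    # This is the state slider1 found: standard users cannot trust a publisher,
    # so signed installers and ActiveX controls fail (the 0x800b0004 symptom).
    Write-Warning "Trusted-publisher selection restricted to '$($policy.Selector)'; expect install / ActiveX failures for standard users."
}
Test-CoreSystemBinaries | Format-Table -AutoSize
```

Run from an elevated PowerShell prompt; the registry key only exists once the policy has been edited, so an absent value is the expected healthy result.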


#4 sempai

sempai
    noypi

  • Malware Response Team
  • 5,288 posts

Posted 02 August 2009 - 11:51 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 Billy O'Neal

Billy O'Neal
    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts

Posted 11 August 2009 - 03:34 PM

Due to lack of feedback, this topic has been closed.
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)