Cannot boot in safe mode, cannot install IE

22 replies to this topic

#1 3cases

Posted 15 September 2009 - 08:35 PM

I had been working with someone in a different section of the forum and I was told to look here for further assistance. Here's the other post if you'd like to see what's been done thus far...

http://www.bleepingcomputer.com/forums/t/247781/started-as-a-google-redirect-issue-now-cant-access-internet-at-all/

I ran the DDS, but when I try to run Root Repeal, first I get an error saying there isn't enough virtual memory, then I get a window saying "TpwrTray.exe" "Cannot load PowrProf.dll" The dialog box for Root Repeal says "initializing, please wait..." and it just sits there forever. The computer is completely locked up at that point & I have to hard kill it to get out of it. I've tried increasing the virtual memory setting and running it again, but I get the same error. Thanks in advance for any assistance you may be able to lend!!


DDS (Ver_09-07-30.01) - NTFSx86
Run by CINDY at 21:01:20.72 on Tue 09/15/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.158 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\EZSP_PX.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\system32\RAMASST.exe
C:\TOSHIBA\Ivp\netint\netint.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Documents and Settings\CINDY\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
uDefault_Page_URL = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
uRun: [Zwo2RSJ4P] cew32spl.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [PmProxy] "c:\program files\analog devices\soundmax\PmProxy.exe"
mRun: [LtMoh] "c:\program files\ltmoh\Ltmoh.exe"
mRun: [Apoint] "c:\program files\apoint2k\Apoint.exe"
mRun: [TFNF5] TFNF5.exe
mRun: [TFncKy] TFncKy.exe /Type 28
mRun: [TouchED] "c:\program files\toshiba\touched\TouchED.Exe"
mRun: [Tpwrtray] TPWRTRAY.EXE
mRun: [ezShieldProtector for Px] c:\windows\system32\EZSP_PX.EXE
mRun: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [RealTray] "c:\program files\real\realplayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
mRun: [o77S32l] ciamsrv.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175482555216
DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} - file://d:\mathplayer\deltacvx.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
LSA: Notification Packages = :\windows\system32\srrstr.dll cli

============= SERVICES / DRIVERS ===============

R0 ALiAGP;ALi AGP Bus Filter Driver;c:\windows\system32\drivers\ALiAGP.SYS [2003-8-12 26880]
R3 tridxp;tridxp;c:\windows\system32\drivers\tridxpm.sys [2003-4-24 248448]
S1 c50cba7b;c50cba7b;c:\windows\system32\drivers\c50cba7b.sys [2009-7-9 0]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [2003-8-12 26112]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [2003-8-12 156672]

=============== Created Last 30 ================

2009-09-15 20:31 --d----- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-08-13 18:49 144,066 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-08-13 18:48 77,607 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2005-12-15 21:28 1,112 ac------ c:\docume~1\cindy\applic~1\ViewerApp.dat
2005-10-01 09:07 140,700 ac--h--- c:\docume~1\cindy\applic~1\ptads.bin

============= FINISH: 21:01:28.66 ===============


#2 Grinler

Lawrence Abrams (Admin)

Posted 20 September 2009 - 09:17 AM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

#3 3cases


Posted 20 September 2009 - 05:17 PM

Here's the combofix log. The windows recovery console was not installed, and since I don't have an internet connection to that computer, the program could not install it for me.

***EDIT*** If you look to the next post, you'll see that I manually installed the recovery console & ran combofix again. I didn't know if you would need to see both logs or not, so they are both here just in case.



ComboFix 09-09-18.02 - CINDY 09/20/2009 17:58.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.190 [GMT -4:00]
Running from: c:\documents and settings\CINDY\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\CINDY\Application Data\ptads.bin
c:\recycler\S-1-5-21-1390067357-764733703-839522115-1003
c:\recycler\S-1-5-21-3010599806-841414442-3136671617-1003
c:\windows\enuct.dll
c:\windows\Installer\3893f.msp
c:\windows\Installer\3f482.msp
c:\windows\Installer\676b9.msp
c:\windows\Installer\676ba.msp
c:\windows\system32\_002523_.tmp.dll
c:\windows\system32\_002529_.tmp.dll
c:\windows\system32\_002566_.tmp.dll
c:\windows\system32\_002692_.tmp.dll
c:\windows\system32\_002693_.tmp.dll
c:\windows\system32\_002694_.tmp.dll
c:\windows\system32\_002695_.tmp.dll
c:\windows\system32\_002702_.tmp.dll
c:\windows\system32\_002703_.tmp.dll
c:\windows\system32\_002704_.tmp.dll
c:\windows\system32\_002705_.tmp.dll
c:\windows\system32\_002707_.tmp.dll
c:\windows\system32\_002708_.tmp.dll
c:\windows\system32\_002711_.tmp.dll
c:\windows\system32\_002712_.tmp.dll
c:\windows\system32\_002714_.tmp.dll
c:\windows\system32\_002715_.tmp.dll
c:\windows\system32\_002716_.tmp.dll
c:\windows\system32\_002718_.tmp.dll
c:\windows\system32\_002719_.tmp.dll
c:\windows\system32\_002721_.tmp.dll
c:\windows\system32\_002725_.tmp.dll
c:\windows\system32\_002726_.tmp.dll
c:\windows\system32\_002728_.tmp.dll
c:\windows\system32\_002731_.tmp.dll
c:\windows\system32\_002733_.tmp.dll
c:\windows\system32\_002734_.tmp.dll
c:\windows\system32\_002735_.tmp.dll
c:\windows\system32\_002736_.tmp.dll
c:\windows\system32\_002737_.tmp.dll
c:\windows\system32\_002738_.tmp.dll
c:\windows\system32\_002739_.tmp.dll
c:\windows\system32\0pvg35u8.dat
c:\windows\system32\Cache
c:\windows\system32\drivers\Sonyhcp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_sfx
-------\Legacy_sfxdrv
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-16 00:31 . 2009-09-16 00:31 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 21:43 . 2009-08-09 20:03 -------- d-----w- c:\documents and settings\CINDY\Application Data\SUPERAntiSpyware.com
2009-08-13 21:43 . 2009-08-09 20:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-10 22:32 . 2009-07-13 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-09 20:03 . 2009-08-09 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-08 18:11 . 2009-08-08 18:11 -------- d-----w- c:\documents and settings\CINDY\Application Data\Malwarebytes
2009-08-08 18:11 . 2009-08-08 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-13 18:58 . 2009-07-10 02:40 0 ----a-w- c:\windows\system32\drivers\c50cba7b.sys
2009-07-13 16:05 . 2004-10-20 02:58 47832 ----a-w- c:\documents and settings\CINDY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-03-01 40960]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-22 184320]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"ezShieldProtector for Px"="c:\windows\System32\EZSP_PX.EXE" [2002-08-20 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 159744]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-08-12 26112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-04 73728]
"TFncKy"="TFncKy.exe" [BU]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-12-10 237568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2005-5-8 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2005-5-8 106496]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-8-12 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 ALiAGP;ALi AGP Bus Filter Driver;c:\windows\system32\drivers\ALiAGP.SYS [8/12/2003 5:43 PM 26880]
R3 tridxp;tridxp;c:\windows\system32\drivers\tridxpm.sys [4/24/2003 7:39 PM 248448]
S1 c50cba7b;c50cba7b;c:\windows\system32\drivers\c50cba7b.sys [7/9/2009 10:40 PM 0]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [8/12/2003 5:36 PM 26112]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [8/12/2003 5:37 PM 156672]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\b245d299-57ba-4a6c-b303-cfe1cecbe90e]
c:\windows\System32\cnxqdoq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\b245d299-57ba-4a6c-b303-cfe1cecbe90e]
c:\windows\System32\cnxqdoq.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Zwo2RSJ4P - cew32spl.exe
HKLM-Run-o77S32l - ciamsrv.exe
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
Notify-dimsntfy - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-lt8jv4do - c:\windows\lt8jv4do.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 18:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDANTSRV.EXE
c:\windows\system32\DVDRAMSV.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\program files\Apoint2K\ApntEx.exe
.
**************************************************************************
.
Completion time: 2009-09-20 18:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-20 22:09

Pre-Run: 50,206,584,832 bytes free
Post-Run: 50,105,843,712 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
158 --- E O F --- 2008-10-10 22:32

Edited by 3cases, 20 September 2009 - 06:31 PM.


#4 3cases


Posted 20 September 2009 - 06:28 PM

I followed the steps to install the recovery console manually & then reran combo fix. Here's that log:

ComboFix 09-09-18.02 - CINDY 09/20/2009 18:51.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.192 [GMT -4:00]
Running from: c:\documents and settings\CINDY\Desktop\ComboFix.exe
Command switches used :: E:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-16 00:31 . 2009-09-16 00:31 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 21:43 . 2009-08-09 20:03 -------- d-----w- c:\documents and settings\CINDY\Application Data\SUPERAntiSpyware.com
2009-08-13 21:43 . 2009-08-09 20:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-10 22:32 . 2009-07-13 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-09 20:03 . 2009-08-09 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-08 18:11 . 2009-08-08 18:11 -------- d-----w- c:\documents and settings\CINDY\Application Data\Malwarebytes
2009-08-08 18:11 . 2009-08-08 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-13 18:58 . 2009-07-10 02:40 0 ----a-w- c:\windows\system32\drivers\c50cba7b.sys
2009-07-13 16:05 . 2004-10-20 02:58 47832 ----a-w- c:\documents and settings\CINDY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-03-01 40960]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-22 184320]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"ezShieldProtector for Px"="c:\windows\System32\EZSP_PX.EXE" [2002-08-20 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 159744]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-08-12 26112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-04 73728]
"TFncKy"="TFncKy.exe" [BU]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-12-10 237568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2005-5-8 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2005-5-8 106496]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-8-12 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 ALiAGP;ALi AGP Bus Filter Driver;c:\windows\system32\drivers\ALiAGP.SYS [8/12/2003 5:43 PM 26880]
R3 tridxp;tridxp;c:\windows\system32\drivers\tridxpm.sys [4/24/2003 7:39 PM 248448]
S1 c50cba7b;c50cba7b;c:\windows\system32\drivers\c50cba7b.sys [7/9/2009 10:40 PM 0]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [8/12/2003 5:36 PM 26112]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [8/12/2003 5:37 PM 156672]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\b245d299-57ba-4a6c-b303-cfe1cecbe90e]
c:\windows\System32\cnxqdoq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\b245d299-57ba-4a6c-b303-cfe1cecbe90e]
c:\windows\System32\cnxqdoq.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 18:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-20 18:58
ComboFix-quarantined-files.txt 2009-09-20 22:57
ComboFix2.txt 2009-09-20 22:09

Pre-Run: 50,151,387,136 bytes free
Post-Run: 50,133,032,960 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
91 --- E O F --- 2008-10-10 22:32

#5 Grinler

Lawrence Abrams (Admin)

Posted 20 September 2009 - 09:36 PM

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\drivers\c50cba7b.sys
c:\windows\System32\cnxqdoq.exe

Driver::
c50cba7b

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\b245d299-57ba-4a6c-b303-cfe1cecbe90e]


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot not included: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
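
As an added example (not code from this thread, nor from the DDS or ComboFix tools), the following Python script triages DDS log lines in the shape posted in post #1 and drafts a CFScript in the File::/Driver::/Registry:: layout given in post #5. It flags the three patterns the helper acted on here: random-looking Run value names launching bare filenames, a driver entry whose file is reported as 0 bytes, and orphaned toolbar entries. The sample log lines, the letter/digit transition heuristic and its threshold are constructed for the example, and the resulting script is a draft for an analyst to review, not something to run unreviewed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Sequence

# Constructed sample in the shape of the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" lines posted in this thread (a handful of lines, not a full log).
SAMPLE_DDS = r"""
uRun: [Zwo2RSJ4P] cew32spl.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] "c:\program files\apoint2k\Apoint.exe"
mRun: [Tpwrtray] TPWRTRAY.EXE
mRun: [000StTHK] 000StTHK.exe
mRun: [o77S32l] ciamsrv.exe
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
R0 ALiAGP;ALi AGP Bus Filter Driver;c:\windows\system32\drivers\ALiAGP.SYS [2003-8-12 26880]
S1 c50cba7b;c50cba7b;c:\windows\system32\drivers\c50cba7b.sys [2009-7-9 0]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [2003-8-12 26112]
"""

# uRun / mRun / dRun: [value name] command line
RUN_RE = re.compile(r"^([umd])Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$")
# R/S = running/stopped, digit = start type, then name;display;path [date size]
SVC_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
                    r"(?P<path>.+?) \[(?P<date>\S+) (?P<size>\d+)\]$")
ORPHAN_RE = re.compile(r"^(TB|EB|BHO): .* - No File$")


@dataclass
class Finding:
    severity: str        # "high", "medium" or "low"
    reason: str
    line: str
    path: str = ""       # on-disk path, when the log line gives one
    driver: str = ""     # service/driver name, when the line is a driver entry


def letter_digit_transitions(name: str) -> int:
    """Count switches between letters and digits, e.g. 'Zwo2RSJ4P' -> 4.
    Heuristic of this example, not of DDS: generated names flip classes often,
    while OEM names such as '000StTHK' or 'TFNF5' flip once at most."""
    classes = [c.isdigit() for c in name if c.isalnum()]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def triage_dds(log: str) -> list[Finding]:
    """Walk DDS lines and return findings in log order."""
    findings: list[Finding] = []
    for line in log.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            random_name = letter_digit_transitions(m["name"]) >= 3
            bare_target = "\\" not in m["target"]   # no path: resolved via PATH at logon
            if random_name and bare_target:
                findings.append(Finding("high", "random-looking Run value launching a bare filename", line))
            elif random_name:
                findings.append(Finding("medium", "random-looking Run value name", line))
        elif m := SVC_RE.match(line):
            hex_named = re.fullmatch(r"[0-9a-f]{8}", m["name"]) is not None
            if int(m["size"]) == 0:
                findings.append(Finding("high", "driver file reported as 0 bytes", line,
                                        path=m["path"], driver=m["name"]))
            elif hex_named and m["name"] == m["display"]:
                findings.append(Finding("medium", "hex-named driver with no display name", line,
                                        path=m["path"], driver=m["name"]))
        elif ORPHAN_RE.match(line):
            findings.append(Finding("low", "orphaned browser extension entry (No File)", line))
    return findings


def build_cfscript(findings: Sequence[Finding], registry_keys: Sequence[str] = ()) -> str:
    """Render a CFScript in the File::/Driver::/Registry:: layout shown in this thread
    from the high-severity findings that carry a path or driver name. registry_keys
    are supplied by the analyst; '[-KEY]' is the delete-key form used in post #5."""
    files = [f.path for f in findings if f.severity == "high" and f.path]
    drivers = [f.driver for f in findings if f.severity == "high" and f.driver]
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if drivers:
        sections.append("Driver::\n" + "\n".join(drivers))
    if registry_keys:
        sections.append("Registry::\n" + "\n".join(f"[-{k}]" for k in registry_keys))
    return ("\n\n".join(sections) + "\n") if sections else ""


if __name__ == "__main__":
    found = triage_dds(SAMPLE_DDS)
    for f in found:
        print(f"{f.severity:6} {f.reason}: {f.line}")
    print(build_cfscript(found, registry_keys=["HKEY_LOCAL_MACHINE\\software\\EXAMPLE-KEY-PLACEHOLDER"]))
```

Entries such as `mRun: [Tpwrtray] TPWRTRAY.EXE` are bare-filename launches too but come from OEM software, which is why the script only raises them when the value name also looks generated.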

#6 3cases


Posted 21 September 2009 - 07:20 AM

Here's the log from combofix W/the CFScript:

ComboFix 09-09-18.02 - CINDY 09/21/2009 7:56.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.172 [GMT -4:00]
Running from: c:\documents and settings\CINDY\Desktop\ComboFix.exe
Command switches used :: E:\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
.

2009-09-16 00:31 . 2009-09-16 00:31 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 21:43 . 2009-08-09 20:03 -------- d-----w- c:\documents and settings\CINDY\Application Data\SUPERAntiSpyware.com
2009-08-13 21:43 . 2009-08-09 20:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-10 22:32 . 2009-07-13 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-09 20:03 . 2009-08-09 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-08 18:11 . 2009-08-08 18:11 -------- d-----w- c:\documents and settings\CINDY\Application Data\Malwarebytes
2009-08-08 18:11 . 2009-08-08 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-13 18:58 . 2009-07-10 02:40 0 ----a-w- c:\windows\system32\drivers\c50cba7b.sys
2009-07-13 16:05 . 2004-10-20 02:58 47832 ----a-w- c:\documents and settings\CINDY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-03-01 40960]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-22 184320]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"ezShieldProtector for Px"="c:\windows\System32\EZSP_PX.EXE" [2002-08-20 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 159744]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-08-12 26112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-04 73728]
"TFncKy"="TFncKy.exe" [BU]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-12-10 237568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2005-5-8 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2005-5-8 106496]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-8-12 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 ALiAGP;ALi AGP Bus Filter Driver;c:\windows\system32\drivers\ALiAGP.SYS [8/12/2003 5:43 PM 26880]
R3 tridxp;tridxp;c:\windows\system32\drivers\tridxpm.sys [4/24/2003 7:39 PM 248448]
S1 c50cba7b;c50cba7b;c:\windows\system32\drivers\c50cba7b.sys [7/9/2009 10:40 PM 0]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [8/12/2003 5:36 PM 26112]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [8/12/2003 5:37 PM 156672]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\b245d299-57ba-4a6c-b303-cfe1cecbe90e]
c:\windows\System32\cnxqdoq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\b245d299-57ba-4a6c-b303-cfe1cecbe90e]
c:\windows\System32\cnxqdoq.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-21 08:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-21 8:03
ComboFix-quarantined-files.txt 2009-09-21 12:03
ComboFix2.txt 2009-09-20 22:58
ComboFix3.txt 2009-09-20 22:09

Pre-Run: 50,147,409,920 bytes free
Post-Run: 50,128,920,576 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
85 --- E O F --- 2008-10-10 22:32

#7 Grinler

Lawrence Abrams (Admin)

Posted 21 September 2009 - 08:26 AM

Can you post the contents of the cfscript.txt you made? Just double-click on it and paste it as a reply.

#8 3cases


Posted 21 September 2009 - 09:27 AM

here ya go:

File::
c:\windows\system32\drivers\c50cba7b.sys
c:\windows\System32\cnxqdoq.exe

Driver::
c50cba7b

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\b245d299-57ba-4a6c-b303-cfe1cecbe90e]


I didn't save the script to the desktop. Will that make a difference? I just dragged it out of the thumb drive (E drive) and on top of the combofix.

Edited by 3cases, 21 September 2009 - 09:35 AM.


#9 Grinler

Lawrence Abrams (Admin)

Posted 21 September 2009 - 10:35 AM

I don't think it should make a difference, but try saving it to the desktop and dragging it over the ComboFix.exe icon from there.

#10 3cases


Posted 21 September 2009 - 10:52 AM

I ran it again. Here's the new log:

ComboFix 09-09-18.02 - CINDY 09/21/2009 11:42.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.168 [GMT -4:00]
Running from: c:\documents and settings\CINDY\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\CINDY\Desktop\CFScript.txt

FILE ::
"c:\windows\System32\cnxqdoq.exe"
"c:\windows\system32\drivers\c50cba7b.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\c50cba7b.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_c50cba7b


((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
.

2009-09-16 00:31 . 2009-09-16 00:31 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 21:43 . 2009-08-09 20:03 -------- d-----w- c:\documents and settings\CINDY\Application Data\SUPERAntiSpyware.com
2009-08-13 21:43 . 2009-08-09 20:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-10 22:32 . 2009-07-13 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-09 20:03 . 2009-08-09 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-08 18:11 . 2009-08-08 18:11 -------- d-----w- c:\documents and settings\CINDY\Application Data\Malwarebytes
2009-08-08 18:11 . 2009-08-08 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-13 16:05 . 2004-10-20 02:58 47832 ----a-w- c:\documents and settings\CINDY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-03-01 40960]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-22 184320]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"ezShieldProtector for Px"="c:\windows\System32\EZSP_PX.EXE" [2002-08-20 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 159744]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-08-12 26112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-04 73728]
"TFncKy"="TFncKy.exe" [BU]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-12-10 237568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2005-5-8 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2005-5-8 106496]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-8-12 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 ALiAGP;ALi AGP Bus Filter Driver;c:\windows\system32\drivers\ALiAGP.SYS [8/12/2003 5:43 PM 26880]
R3 tridxp;tridxp;c:\windows\system32\drivers\tridxpm.sys [4/24/2003 7:39 PM 248448]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [8/12/2003 5:36 PM 26112]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [8/12/2003 5:37 PM 156672]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\b245d299-57ba-4a6c-b303-cfe1cecbe90e]
c:\windows\System32\cnxqdoq.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-21 11:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDANTSRV.EXE
c:\windows\system32\DVDRAMSV.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\program files\Apoint2K\ApntEx.exe
.
**************************************************************************
.
Completion time: 2009-09-21 11:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-21 15:51
ComboFix2.txt 2009-09-21 12:03
ComboFix3.txt 2009-09-20 22:58
ComboFix4.txt 2009-09-20 22:09

Pre-Run: 50,144,243,712 bytes free
Post-Run: 50,104,852,480 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
105 --- E O F --- 2008-10-10 22:32

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • Gender:Male
  • Location:USA

Posted 21 September 2009 - 11:06 AM

Please make a new cfscript.txt that contains these two lines:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\b245d299-57ba-4a6c-b303-cfe1cecbe90e]


Then drag it on top of ComboFix.exe and post the resulting log. Also run RootRepeal now (it should work) and post a log from that too.

I think you are clean now though.
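
The script above deletes one Active Setup "Installed Components" key whose command line still points at an executable that the earlier CFScript had already targeted. Below is an added example, written for this page and not code from this thread, from ComboFix or from its author, that automates that cross-check: it parses the "FILE ::" header, the "Other Deletions" section and the "Reg Loading Points" section of a ComboFix log, flags every autostart location whose target file has already been removed, and emits the same `Registry::` / `[-KEY]` CFScript block shown in the post above. The embedded log is a constructed excerpt modelled on the logs posted in this thread; the line-format assumptions (banner lines wrapped in parentheses, `"Name"="value" [date size]` Run entries, bare paths under Active Setup keys, a Startup folder line ending in a backslash) are taken from those excerpts and may not cover every ComboFix log variant.

```python
import re
from collections import namedtuple

# Constructed ComboFix log excerpt, modelled on the logs posted in this thread
# (same banners, line formats and paths); sample input, not the poster's real log.
SAMPLE_LOG = r"""FILE ::
"c:\windows\System32\cnxqdoq.exe"
"c:\windows\system32\drivers\c50cba7b.sys"
.
(((((((((( Other Deletions ))))))))))
.
c:\windows\system32\drivers\c50cba7b.sys
.
(((((((((( Reg Loading Points ))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-03-01 40960]
"TFncKy"="TFncKy.exe" [BU]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-12-10 237568]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\b245d299-57ba-4a6c-b303-cfe1cecbe90e]
c:\windows\System32\cnxqdoq.exe
.
------- Supplementary Scan -------
uStart Page = hxxp://www.msn.com
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # (((( Section Name ))))
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")            # [HKEY_...\Run]
VALUE_RE = re.compile(                                    # "Name"="value" [- path] [stamp]
    r'^"(?P<name>[^"]*)"="(?P<value>[^"]*)"(?: - (?P<path>.+?))?(?: \[(?P<stamp>[^\]]*)\])?$')
LNK_RE = re.compile(r"^(?P<name>.+?\.lnk) - (?P<path>.+?)(?: \[(?P<stamp>[^\]]*)\])?$")
# One autostart location (registry key or Startup folder) and what it launches
Entry = namedtuple("Entry", "key name path stamp")

def split_sections(log):
    """Group lines by '(((( Name ))))' banner; lines before the first go to '_preamble'."""
    sections, current = {"_preamble": []}, "_preamble"
    for line in log.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        else:
            sections[current].append(line.strip())
    return sections

def parse_script_targets(log):
    """Paths under 'FILE ::' in the header: what the CFScript asked ComboFix to remove."""
    targets, in_block = set(), False
    for s in split_sections(log)["_preamble"]:
        if s == "FILE ::":
            in_block = True
        elif in_block and s in ("", "."):
            break
        elif in_block:
            targets.add(s.strip('"').lower())
    return targets

def parse_deletions(log):
    """Paths ComboFix reports under 'Other Deletions'."""
    return {s.lower() for s in split_sections(log).get("Other Deletions", []) if s not in ("", ".")}

def parse_loading_points(log):
    """Turn 'Reg Loading Points' into Entry records (stops at the Supplementary Scan divider)."""
    entries, key = [], None
    for s in split_sections(log).get("Reg Loading Points", []):
        if s.startswith("-------"):
            break
        km = KEY_RE.match(s)
        if km:
            key = km.group("key")
        elif s.endswith("\\"):                    # a Startup folder listed as a loading point
            key = s
        elif key is None or s in ("", ".", "REGEDIT4") or s.startswith("*Note*"):
            continue
        else:
            vm = VALUE_RE.match(s) or LNK_RE.match(s)
            if vm:
                g = vm.groupdict()
                entries.append(Entry(key, g["name"], g.get("path") or g.get("value"), g.get("stamp")))
            else:  # bare path under a key: how ComboFix prints Active Setup Installed Components
                entries.append(Entry(key, None, s, None))
    return entries

def find_dangling_autostarts(log):
    """Loading points whose target ComboFix already removed: the leftover persistence keys."""
    removed = parse_script_targets(log) | parse_deletions(log)
    return [e for e in parse_loading_points(log) if e.path.lower() in removed]

def build_cfscript(entries):
    """CFScript 'Registry::' block deleting each flagged registry key ('[-KEY]' syntax, as in this thread)."""
    keys = list(dict.fromkeys(e.key for e in entries if e.key.upper().startswith("HK")))
    return "Registry::\n" + "".join(f"[-{k}]\n" for k in keys)

if __name__ == "__main__":
    flagged = find_dangling_autostarts(SAMPLE_LOG)
    for e in flagged:
        print(f"{e.key}\n    -> launches {e.path}, which was already removed")
    print(build_cfscript(flagged))
```

On the sample log the only flagged entry is the Active Setup key pointing at `cnxqdoq.exe`, and the generated block matches the two-line CFScript in the post above. Startup-folder entries are reported but never turned into `[-KEY]` lines, since that syntax only applies to registry keys. A general caveat: an autostart whose target file is merely missing is not necessarily malicious (an uninstaller that forgot its Run entry looks the same), so the output is a list to review, not something to apply blindly.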

#12 3cases

3cases
  • Topic Starter

  • Members
  • 40 posts

Posted 21 September 2009 - 12:35 PM

Here's the new ComboFix log, & I'm running RootRepeal now.

ComboFix 09-09-18.02 - CINDY 09/21/2009 13:24.5.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.187 [GMT -4:00]
Running from: c:\documents and settings\CINDY\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\CINDY\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
.

2009-09-16 00:31 . 2009-09-16 00:31 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 21:43 . 2009-08-09 20:03 -------- d-----w- c:\documents and settings\CINDY\Application Data\SUPERAntiSpyware.com
2009-08-13 21:43 . 2009-08-09 20:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-10 22:32 . 2009-07-13 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-09 20:03 . 2009-08-09 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-08 18:11 . 2009-08-08 18:11 -------- d-----w- c:\documents and settings\CINDY\Application Data\Malwarebytes
2009-08-08 18:11 . 2009-08-08 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-13 16:05 . 2004-10-20 02:58 47832 ----a-w- c:\documents and settings\CINDY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-03-01 40960]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-22 184320]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-22 126976]
"ezShieldProtector for Px"="c:\windows\System32\EZSP_PX.EXE" [2002-08-20 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 159744]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-08-12 26112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-04 73728]
"TFncKy"="TFncKy.exe" [BU]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-12-10 237568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2005-5-8 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2005-5-8 106496]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-8-12 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 ALiAGP;ALi AGP Bus Filter Driver;c:\windows\system32\drivers\ALiAGP.SYS [8/12/2003 5:43 PM 26880]
R3 tridxp;tridxp;c:\windows\system32\drivers\tridxpm.sys [4/24/2003 7:39 PM 248448]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [8/12/2003 5:36 PM 26112]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [8/12/2003 5:37 PM 156672]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\b245d299-57ba-4a6c-b303-cfe1cecbe90e]
c:\windows\System32\cnxqdoq.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-21 13:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1952)
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
Completion time: 2009-09-21 13:32
ComboFix-quarantined-files.txt 2009-09-21 17:31
ComboFix2.txt 2009-09-21 15:52
ComboFix3.txt 2009-09-21 12:03
ComboFix4.txt 2009-09-20 22:58
ComboFix5.txt 2009-09-21 17:23

Pre-Run: 50,118,721,536 bytes free
Post-Run: 50,099,986,432 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
87 --- E O F --- 2008-10-10 22:32

#13 3cases

3cases
  • Topic Starter

  • Members
  • 40 posts

Posted 21 September 2009 - 12:40 PM

RootRepeal still won't run. It went longer this time, about 5 minutes, but then I got the same error saying the Windows virtual memory minimum is too low. And then the computer locks up. RootRepeal never gets past the screen that says "Initializing, please wait..."

Edited by 3cases, 21 September 2009 - 12:42 PM.


#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • Gender:Male
  • Location:USA

Posted 21 September 2009 - 12:43 PM

Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
Then post ark.txt as a reply to this topic.

#15 3cases

3cases
  • Topic Starter

  • Members
  • 40 posts

Posted 21 September 2009 - 02:27 PM

It finished and said that it didn't find any modifications. There wasn't a log created.

Edited by 3cases, 21 September 2009 - 02:28 PM.
