Unable to remove calc.dll and ntuser.dll


106 replies to this topic

#1 JYJr

  • Members
  • 56 posts
  • Gender:Male
  • Location:Northern VA

Posted 18 November 2009 - 10:23 PM

Using Malwarebytes' Anti-Malware, I was able to remove most of my issues (I had CC.exe), but I can't get rid of calc.dll and ntuser.dll. And my browser is still redirecting links to ads on occasion, but not all the time like it was doing before the Anti-Malware was run. As far as I can tell, those are the only issues I'm having. When I reboot or restart, I get a message along the lines of Unable to run command on calc.dll. And when I shut down, I get <<"The instruction "0x10001b2b" referenced memory at "0x10001b2b". The memory could not be "written".>> before closing. And also, I don't seem to be able to run in safe mode. When I hit F8 during startup, I go to the menu where I choose "Open in Safe mode", it goes to a DOS-like screen where a bunch of lines go by and then it just goes back to a restart. Don't know if it is related to the issue.

Thanks!

DDS (Ver_09-10-26.01) - NTFSx86
Run by Compaq_Owner at 21:39:08.85 on Wed 11/18/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.466 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [calc] rundll32.exe c:\docume~1\compaq~2\ntuser.dll,_IWMPEvents@0
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AlcxMonitor] ALCXMNTR.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248049480890
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2008-7-21 193888]
S3 IPOD2CAR;ipod2car.sys driver;c:\windows\system32\drivers\ipod2car.sys [2009-8-12 49408]

=============== Created Last 30 ================

2009-11-18 04:14:03 0 d-----w- c:\docume~1\compaq~2\applic~1\Malwarebytes
2009-11-18 04:13:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-18 04:13:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-18 04:13:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-18 04:13:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-17 23:33:32 0 d-----w- c:\docume~1\compaq~2\applic~1\CC
2009-11-17 23:33:31 55 ----a-w- C:\xcrashdump.dat
2009-11-15 17:29:50 3242 ----a-w- c:\windows\system32\wbem\Outlook_01ca66193c5cbb6a.mof
2009-11-08 22:05:47 0 d-----w- c:\program files\FLAC

==================== Find3M ====================

2009-11-14 22:39:30 49408 ----a-w- c:\windows\system32\drivers\ipod2car.sys
2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:35:52 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2009-08-23 20:37:13 249856 ------w- c:\windows\Setup1.exe
2009-08-23 20:37:08 73216 ----a-w- c:\windows\ST6UNST.EXE
2005-12-13 04:02:50 22 --sha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 21:41:27.25 ===============

Edited by JYJr, 18 November 2009 - 11:00 PM.



#2 Farbar

    Just Curious

  • Security Developer
  • 21,713 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 November 2009 - 08:48 AM

Hi JYJr,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning with other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

  • Go to start > Run copy/paste the following text in the run box and click OK.

    cmd /c (dir /o:d /a "C:\" & dir /a /s C:\WINDOWS\tasks) >log.txt&start log.txt del

    A text file will be created on your desktop. Please post the content to your reply.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#3 JYJr

  • Topic Starter
  • Members
  • 56 posts
  • Gender:Male
  • Location:Northern VA

Posted 19 November 2009 - 10:25 AM

Thanks in advance for your help. I ran everything you instructed me to. It all ran well. I saw it go through the 60 or so stages and then it deleted files such as calc.dll and ntuser.dll and then it deleted folders before doing a reboot. However, during the reboot, my computer froze up while shutting down. (It sometimes does that - it has happened since I bought it.) So I had to manually unplug and plug back in. On restart, after explorer loaded, I got this error message:

rundll32.exe - bad image
The application or dll C:\Windows\System32\calc.dll is not a valid Windows image. Please check this against your installation diskette.

After closing that message, I got this one:

Error loading C:\Windows\System32\calc.dll
%1 is not a valid application

After closing that message, things seemed to be ok. However, this is all that was in my ComboFix.txt file:

ComboFix 09-11-18.07 - Compaq_Owner 11/19/2009 9:48:18.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.579 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

Not sure what I should do now...

Edited by JYJr, 19 November 2009 - 10:43 AM.


#4 Farbar

    Just Curious

  • Security Developer
  • 21,713 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 November 2009 - 12:10 PM

Did you do the first step?

#5 JYJr

  • Topic Starter
  • Members
  • 56 posts
  • Gender:Male
  • Location:Northern VA

Posted 19 November 2009 - 12:30 PM

Did you do the first step?

Yes. I can tell because when I go to Start > Run, the following is still in the box:
cmd /c (dir /o:d /a "C:\" & dir /a /s C:\WINDOWS\tasks) >log.txt&start log.txt del

But there are no other .txt files written since I started running ComboFix

#6 Farbar

    Just Curious

  • Security Developer
  • 21,713 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 November 2009 - 12:46 PM

Please from now on don't proceed to the next step unless the step before it is completed.

Go to Start => Run and copy/paste the following command and click OK.

cmd /c start log.txt

A text file opens, please post the log.

#7 JYJr

  • Topic Starter
  • Members
  • 56 posts
  • Gender:Male
  • Location:Northern VA

Posted 19 November 2009 - 12:52 PM

Perhaps I didn't say it well, but I DID do the steps in order the first time. And I didn't proceed to the next step until the first was completed.

Volume in drive C is PRESARIO
Volume Serial Number is 5038-B6A7

Directory of C:\

08/04/2004 07:00 AM 47,564 NTDETECT.COM
08/04/2004 07:00 AM 260,272 cmldr
08/04/2004 07:00 AM 250,032 ntldr
01/26/2005 11:53 PM 0 AUTOEXEC.BAT
01/26/2005 11:53 PM 0 MSDOS.SYS
01/26/2005 11:53 PM 0 CONFIG.SYS
01/26/2005 11:53 PM 0 IO.SYS
06/23/2005 05:54 AM <DIR> system.sav
06/23/2005 05:55 AM <DIR> Python22
08/08/2005 01:26 PM <DIR> System Volume Information
04/05/2006 08:02 PM 10,920 aolconnfix.exe
04/05/2006 08:02 PM 1,039 aolconnfix.txt
05/25/2006 10:09 PM 80 volumeid.zbx
11/20/2006 03:09 AM <DIR> 1dfddc194c9da56b7cc3ea60a90e
12/15/2006 01:22 AM 16,316 install.log
12/20/2006 11:15 PM <DIR> 0aeecfab3977f0a66fd3d1
01/27/2007 04:37 PM <DIR> temp
01/27/2007 05:17 PM <DIR> ps329
08/16/2008 03:11 PM 559 hpfr5550.xml
09/09/2008 08:56 PM 52,279 VETlog.dmp
09/09/2008 08:56 PM 5,574,493 VETlog.txt
09/13/2008 04:06 PM 303 T4Metrics.log
09/13/2008 04:10 PM <DIR> aolextras
09/13/2008 04:10 PM <DIR> AOL Instant Messenger
09/13/2008 04:10 PM <DIR> Install ICQ
09/13/2008 04:10 PM <DIR> Install iTunes
09/14/2008 11:15 AM 182 drwtsn32.log
10/13/2008 01:40 PM 1,101 net_save.dna
03/31/2009 09:09 PM <DIR> 3b1233af6e082fe484f82a9b
05/21/2009 07:25 PM 84,804 hph7350.log
06/11/2009 08:37 PM <DIR> Maxtor temp
07/19/2009 07:08 PM <DIR> cmdcons
07/19/2009 07:08 PM 283 boot.ini
07/19/2009 08:56 PM <DIR> mcafee_mcpr
07/19/2009 09:29 PM <DIR> MSOCache
07/20/2009 03:37 AM 213 BOOT.BAK
07/20/2009 03:38 AM <DIR> hp
07/20/2009 03:38 AM <DIR> sysprep
07/20/2009 03:42 AM <DIR> RECYCLER
08/01/2009 10:09 AM <DIR> Documents and Settings
11/17/2009 06:33 PM 55 xcrashdump.dat
11/17/2009 11:13 PM <DIR> Program Files
11/18/2009 06:32 PM <DIR> Config.Msi
11/18/2009 10:07 PM 2,808 RootRepeal report 11-18-09 (22-07-26).txt
11/19/2009 09:34 AM 1,407,188,992 pagefile.sys
11/19/2009 09:34 AM 939,053,056 hiberfil.sys
11/19/2009 09:35 AM <DIR> WINDOWS
24 File(s) 2,352,545,351 bytes
23 Dir(s) 6,611,214,336 bytes free
Volume in drive C is PRESARIO
Volume Serial Number is 5038-B6A7

Directory of C:\WINDOWS\tasks

11/17/2009 06:49 PM <DIR> .
11/17/2009 06:49 PM <DIR> ..
11/18/2009 01:08 PM 284 AppleSoftwareUpdate.job
11/18/2009 12:02 AM 356 At1.job
11/18/2009 09:00 AM 356 At10.job
11/18/2009 10:00 AM 356 At11.job
11/18/2009 11:00 AM 356 At12.job
11/18/2009 12:00 PM 356 At13.job
11/18/2009 01:00 PM 356 At14.job
11/18/2009 02:00 PM 356 At15.job
11/18/2009 03:00 PM 356 At16.job
11/18/2009 04:00 PM 356 At17.job
11/18/2009 05:00 PM 356 At18.job
11/18/2009 06:00 PM 356 At19.job
11/18/2009 01:00 AM 356 At2.job
11/18/2009 07:00 PM 356 At20.job
11/18/2009 08:00 PM 356 At21.job
11/18/2009 09:00 PM 356 At22.job
11/18/2009 10:00 PM 356 At23.job
11/17/2009 11:00 PM 356 At24.job
11/18/2009 02:00 AM 356 At3.job
11/18/2009 03:00 AM 356 At4.job
11/18/2009 04:00 AM 356 At5.job
11/18/2009 05:00 AM 356 At6.job
11/18/2009 06:00 AM 356 At7.job
11/18/2009 07:00 AM 356 At8.job
11/18/2009 08:00 AM 356 At9.job
08/04/2004 01:00 PM 65 desktop.ini
11/15/2009 02:09 AM 354 McDefragTask.job
11/01/2009 12:00 AM 332 McQcTask.job
11/19/2009 09:34 AM 6 SA.DAT
29 File(s) 9,585 bytes

Total Files Listed:
29 File(s) 9,585 bytes
2 Dir(s) 6,611,210,240 bytes free

#8 Farbar

    Just Curious

  • Security Developer
  • 21,713 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 November 2009 - 01:11 PM

Yes, we had some miscommunication and I had a big role in it. My apologies.
  • Please go to start > Run copy/paste the following line in the run box and click OK.

    cmd /c dir /a/s "C:\Qoobox\Quarantine" > log.txt&start log.txt

    A text file (log.txt) will be opened. Please post its content to your reply.

  • We want to run this command once more. Go to start > Run copy/paste the following text in the run box and click OK.

    cmd /c dir /a "C:\" C:\WINDOWS\tasks "%userprofile%\ntuser.dll" C:\WINDOWS\system32\calc.dll >log1.txt&start log1.txt

    A text file will open. Please post the content to your reply.


#9 JYJr

  • Topic Starter
  • Members
  • 56 posts
  • Gender:Male
  • Location:Northern VA

Posted 19 November 2009 - 01:16 PM

Before I proceed, should my mcafee protection be back on? (I was instructed to take it down to run ComboFix.)

Here are the logs:

Volume in drive C is PRESARIO
Volume Serial Number is 5038-B6A7

Directory of C:\Qoobox\Quarantine

11/19/2009 09:46 AM <DIR> .
11/19/2009 09:46 AM <DIR> ..
11/19/2009 10:01 AM <DIR> C
11/19/2009 09:44 AM 51 catchme.log
11/19/2009 09:44 AM <DIR> Registry_backups
1 File(s) 51 bytes

Directory of C:\Qoobox\Quarantine\C

11/19/2009 10:01 AM <DIR> .
11/19/2009 10:01 AM <DIR> ..
11/19/2009 10:01 AM <DIR> Documents and Settings
11/19/2009 10:01 AM <DIR> WINDOWS
11/17/2009 06:33 PM 55 xcrashdump.dat.vir
1 File(s) 55 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings

11/19/2009 10:01 AM <DIR> .
11/19/2009 10:01 AM <DIR> ..
11/19/2009 10:01 AM <DIR> Compaq_Owner
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner

11/19/2009 10:01 AM <DIR> .
11/19/2009 10:01 AM <DIR> ..
03/21/2009 09:18 AM 24,064 ntuser.dll.vir
11/19/2009 10:01 AM <DIR> Start Menu
1 File(s) 24,064 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Start Menu

11/19/2009 10:01 AM <DIR> .
11/19/2009 10:01 AM <DIR> ..
11/19/2009 10:01 AM <DIR> Programs
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Start Menu\Programs

11/19/2009 10:01 AM <DIR> .
11/19/2009 10:01 AM <DIR> ..
11/19/2009 10:01 AM <DIR> Startup
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup

11/19/2009 10:01 AM <DIR> .
11/19/2009 10:01 AM <DIR> ..
03/21/2009 09:18 AM 24,064 scandisk.dll.vir
11/18/2009 08:49 PM 655 scandisk.lnk.vir
2 File(s) 24,719 bytes

Directory of C:\Qoobox\Quarantine\C\WINDOWS

11/19/2009 10:01 AM <DIR> .
11/19/2009 10:01 AM <DIR> ..
11/19/2009 10:01 AM <DIR> system32
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\C\WINDOWS\system32

11/19/2009 10:01 AM <DIR> .
11/19/2009 10:01 AM <DIR> ..
03/21/2009 09:18 AM 24,064 calc.dll.vir
08/04/2004 07:00 AM 15,360 ctfmon .exe.vir
09/12/2003 02:13 PM 98,304 ps2.bat.vir
08/04/2004 07:00 AM 33,280 rundll32 .exe.vir
4 File(s) 171,008 bytes

Directory of C:\Qoobox\Quarantine\Registry_backups

11/19/2009 09:44 AM <DIR> .
11/19/2009 09:44 AM <DIR> ..
11/19/2009 09:59 AM 6,028 tcpip.reg
1 File(s) 6,028 bytes

Total Files Listed:
10 File(s) 225,925 bytes
29 Dir(s) 7,959,670,784 bytes free

Volume in drive C is PRESARIO
Volume Serial Number is 5038-B6A7

Directory of C:\

12/20/2006 11:15 PM <DIR> 0aeecfab3977f0a66fd3d1
11/20/2006 03:09 AM <DIR> 1dfddc194c9da56b7cc3ea60a90e
03/31/2009 09:09 PM <DIR> 3b1233af6e082fe484f82a9b
09/13/2008 04:10 PM <DIR> AOL Instant Messenger
04/05/2006 08:02 PM 10,920 aolconnfix.exe
04/05/2006 08:02 PM 1,039 aolconnfix.txt
09/13/2008 04:10 PM <DIR> aolextras
01/26/2005 11:53 PM 0 AUTOEXEC.BAT
07/20/2009 03:37 AM 213 BOOT.BAK
07/19/2009 07:08 PM 283 boot.ini
07/19/2009 07:08 PM <DIR> cmdcons
08/04/2004 07:00 AM 260,272 cmldr
11/19/2009 10:07 AM <DIR> ComboFix
11/18/2009 06:32 PM <DIR> Config.Msi
01/26/2005 11:53 PM 0 CONFIG.SYS
08/01/2009 10:09 AM <DIR> Documents and Settings
09/14/2008 11:15 AM 182 drwtsn32.log
11/19/2009 10:08 AM 939,053,056 hiberfil.sys
07/20/2009 03:38 AM <DIR> hp
08/16/2008 03:11 PM 559 hpfr5550.xml
05/21/2009 07:25 PM 84,804 hph7350.log
09/13/2008 04:10 PM <DIR> Install ICQ
09/13/2008 04:10 PM <DIR> Install iTunes
12/15/2006 01:22 AM 16,316 install.log
01/26/2005 11:53 PM 0 IO.SYS
06/11/2009 08:37 PM <DIR> Maxtor temp
07/19/2009 08:56 PM <DIR> mcafee_mcpr
01/26/2005 11:53 PM 0 MSDOS.SYS
07/19/2009 09:29 PM <DIR> MSOCache
10/13/2008 01:40 PM 1,101 net_save.dna
08/04/2004 07:00 AM 47,564 NTDETECT.COM
08/04/2004 07:00 AM 250,032 ntldr
11/19/2009 10:07 AM 1,407,188,992 pagefile.sys
11/17/2009 11:13 PM <DIR> Program Files
01/27/2007 05:17 PM <DIR> ps329
06/23/2005 05:55 AM <DIR> Python22
11/19/2009 09:44 AM <DIR> Qoobox
11/19/2009 10:01 AM <DIR> RECYCLER
11/18/2009 10:07 PM 2,808 RootRepeal report 11-18-09 (22-07-26).txt
07/20/2009 03:38 AM <DIR> sysprep
11/19/2009 09:45 AM <DIR> System Volume Information
06/23/2005 05:54 AM <DIR> system.sav
09/13/2008 04:06 PM 303 T4Metrics.log
01/27/2007 04:37 PM <DIR> temp
09/09/2008 08:56 PM 52,279 VETlog.dmp
09/09/2008 08:56 PM 5,574,493 VETlog.txt
05/25/2006 10:09 PM 80 volumeid.zbx
11/19/2009 09:58 AM <DIR> WINDOWS
23 File(s) 2,352,545,296 bytes

Directory of C:\WINDOWS\tasks

11/17/2009 06:49 PM <DIR> .
11/17/2009 06:49 PM <DIR> ..
11/18/2009 01:08 PM 284 AppleSoftwareUpdate.job
11/18/2009 12:02 AM 356 At1.job
11/18/2009 09:00 AM 356 At10.job
11/18/2009 10:00 AM 356 At11.job
11/19/2009 11:00 AM 356 At12.job
11/19/2009 12:00 PM 356 At13.job
11/19/2009 01:00 PM 356 At14.job
11/18/2009 02:00 PM 356 At15.job
11/18/2009 03:00 PM 356 At16.job
11/18/2009 04:00 PM 356 At17.job
11/18/2009 05:00 PM 356 At18.job
11/18/2009 06:00 PM 356 At19.job
11/18/2009 01:00 AM 356 At2.job
11/18/2009 07:00 PM 356 At20.job
11/18/2009 08:00 PM 356 At21.job
11/18/2009 09:00 PM 356 At22.job
11/18/2009 10:00 PM 356 At23.job
11/17/2009 11:00 PM 356 At24.job
11/18/2009 02:00 AM 356 At3.job
11/18/2009 03:00 AM 356 At4.job
11/18/2009 04:00 AM 356 At5.job
11/18/2009 05:00 AM 356 At6.job
11/18/2009 06:00 AM 356 At7.job
11/18/2009 07:00 AM 356 At8.job
11/18/2009 08:00 AM 356 At9.job
08/04/2004 01:00 PM 65 desktop.ini
11/15/2009 02:09 AM 354 McDefragTask.job
11/01/2009 12:00 AM 332 McQcTask.job
11/19/2009 10:08 AM 6 SA.DAT
29 File(s) 9,585 bytes

Directory of C:\Documents and Settings\Compaq_Owner

03/21/2009 09:18 AM 0 ntuser.dll
1 File(s) 0 bytes

Directory of C:\WINDOWS\system32

03/21/2009 09:18 AM 0 calc.dll
1 File(s) 0 bytes
0 Dir(s) 7,959,621,632 bytes free

#10 Farbar

    Just Curious

  • Security Developer
  • 21,713 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 November 2009 - 01:22 PM

Okay, Please run Combofix once more.

#11 JYJr

  • Topic Starter
  • Members
  • 56 posts
  • Gender:Male
  • Location:Northern VA

Posted 19 November 2009 - 01:55 PM

I ran it again. I notice it did fewer stages (around 50) and didn't delete any files or folders before rebooting. When it rebooted, it came back to ComboFix and it appeared to be writing a log and then it reboots again and goes into a "checking file system on D:" before coming back to explorer. Unfortunately, it looks like the ComboFix.txt file failed to finish being created:

ComboFix 09-11-18.09 - Compaq_Owner 11/19/2009 13:30:33.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.530 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

But at least it seems like the calc.dll issue may be gone. Is there a way to check?

#12 Farbar

    Just Curious

  • Security Developer
  • 21,713 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 November 2009 - 02:14 PM

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


@echo off
rem Stop the Task Scheduler so it cannot launch the At*.job tasks while they are being removed.
net stop Schedule
rem Clear the read-only/system/hidden attributes, then delete every At*.job.
ATTRIB -r -s -h c:\windows\Tasks\At*.job
del /a/f/q c:\windows\Tasks\At*.job
rem List what is left in the tasks folder and open the result as log.txt.
dir /a C:\WINDOWS\tasks >log.txt&start log.txt
  • Go to the File menu at the top of the Notepad and select Save as.
  • Select save in: desktop
  • Fill in File name: remove.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate and double-click remove.bat on the desktop.
    If everything goes well the remove.bat opens a command window and then a log file opens up. Please post the log.
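
Added example, not code from this thread or from the DDS/ComboFix tools: a small Python triage script that applies the two checks the steps above rely on to the log lines posted earlier in the thread. It flags rundll32 Run entries that load a DLL from a user profile or that reach one export entry point through two different paths (the calc.dll/ntuser.dll pair), and it reports whether a dir listing of the tasks folder still contains the hourly At*.job files that re-created them; the sample lines are copied from the thread's logs and trimmed, and the "several distinct clock times" threshold is an assumption.

```python
import re
from collections import defaultdict

# Sample lines copied from the DDS "Pseudo HJT Report" and the dir listing of
# C:\WINDOWS\tasks posted above, trimmed to a few entries each.
RUN_LINES = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [calc] rundll32.exe c:\docume~1\compaq~2\ntuser.dll,_IWMPEvents@0
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
"""
TASKS_BEFORE = r"""
11/18/2009 01:08 PM 284 AppleSoftwareUpdate.job
11/18/2009 12:02 AM 356 At1.job
11/18/2009 01:00 AM 356 At2.job
11/18/2009 02:00 AM 356 At3.job
11/17/2009 11:00 PM 356 At24.job
11/15/2009 02:09 AM 354 McDefragTask.job
"""
TASKS_AFTER = r"""
11/18/2009 01:08 PM 284 AppleSoftwareUpdate.job
11/15/2009 02:09 AM 354 McDefragTask.job
"""

RUN_RE = re.compile(r"^([um])Run: \[([^\]]+)\] (.*)$")
# "rundll32[.exe] <dll>,<entry point>"; the DLL path may be quoted.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?,(\S+)', re.I)
USER_PROFILE_RE = re.compile(r"docume~1|documents and settings|\\users\\", re.I)
AT_JOB_RE = re.compile(r"^\d\d/\d\d/\d{4} (\d\d:\d\d [AP]M)\s+\d+\s+(At\d+\.job)$", re.I)


def parse_run_entries(text):
    """Return one dict per uRun/mRun line; rundll32 loads also get dll/entry."""
    entries = []
    for line in text.strip().splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        e = {"hive": "HKCU" if m.group(1) == "u" else "HKLM",
             "name": m.group(2), "cmd": m.group(3), "dll": None, "entry": None}
        d = RUNDLL_RE.match(e["cmd"])
        if d:
            e["dll"], e["entry"] = d.group(1).strip().lower(), d.group(2)
        entries.append(e)
    return entries


def suspicious_run_entries(entries):
    """Flag rundll32 autostarts that load a DLL from a user profile, and one
    export entry point (or one value name) reached through several DLL paths,
    the calc.dll / ntuser.dll pattern in this thread."""
    findings, groups = [], defaultdict(list)
    for e in entries:
        if e["dll"] is None:
            continue
        groups["entry " + e["entry"]].append(e["dll"])
        groups["name " + e["name"].lower()].append(e["dll"])
        if USER_PROFILE_RE.search(e["dll"]):
            findings.append(f"{e['hive']} [{e['name']}] loads a DLL from a user profile: {e['dll']}")
    for key, dlls in groups.items():
        if len(set(dlls)) > 1:
            findings.append(f"{key} is shared by {len(dlls)} rundll32 loads: {', '.join(sorted(set(dlls)))}")
    return findings


def at_jobs(listing):
    """Return (job name, clock time) for every At*.job in a dir listing of the tasks folder."""
    return [(m.group(2), m.group(1)) for m in
            (AT_JOB_RE.match(l.strip()) for l in listing.strip().splitlines()) if m]


def hourly_at_jobs_present(listing, minimum=3):
    """True when At*.job files exist at several distinct clock times: the
    hourly re-creation mechanism that kept restoring calc.dll here (threshold assumed)."""
    return len({t for _, t in at_jobs(listing)}) >= minimum


if __name__ == "__main__":
    for f in suspicious_run_entries(parse_run_entries(RUN_LINES)):
        print("RUN:", f)
    print("hourly At*.job before cleanup:", hourly_at_jobs_present(TASKS_BEFORE))
    print("hourly At*.job after cleanup: ", hourly_at_jobs_present(TASKS_AFTER))
```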


#13 JYJr

  • Topic Starter
  • Members
  • 56 posts
  • Gender:Male
  • Location:Northern VA

Posted 19 November 2009 - 02:24 PM

Thanks for your help. I had to go in to my office for a few hours so I won't get to try this until later. I'll post the results. Does it matter whether my virus protection is on or off when I run the above procedure?

#14 Farbar

    Just Curious

  • Security Developer
  • 21,713 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 November 2009 - 02:27 PM

You may enable your virus protection unless it is mentioned. We needed to disable it when running ComboFix, the rest of the time it should be enabled.

#15 JYJr

  • Topic Starter
  • Members
  • 56 posts
  • Gender:Male
  • Location:Northern VA

Posted 19 November 2009 - 04:42 PM

Ran without a hitch


Volume in drive C is PRESARIO
Volume Serial Number is 5038-B6A7

Directory of C:\WINDOWS\tasks

11/19/2009 04:41 PM <DIR> .
11/19/2009 04:41 PM <DIR> ..
11/18/2009 01:08 PM 284 AppleSoftwareUpdate.job
08/04/2004 01:00 PM 65 desktop.ini
11/15/2009 02:09 AM 354 McDefragTask.job
11/01/2009 12:00 AM 332 McQcTask.job
11/19/2009 04:40 PM 6 SA.DAT
5 File(s) 1,041 bytes
2 Dir(s) 7,974,846,464 bytes free
