
I'm having serious trouble... please help


28 replies to this topic

#1 sugarcane64


Posted 02 January 2010 - 12:45 AM

I have used this forum before and it was a great help, and now I am in need of help again...

About 2 weeks ago, I started having trouble with browser redirects and search results hijacking. I do have MBAM installed on my computer from a previous helping from this site, and also have SpyBot Search and Destroy and AVG Free. I began using these to try and find my problems; on every search, I would get results and would quarantine or do whatever was recommended. The problem persisted, so I visited this site and probably should have posted then, but I read a few postings and saw some people with similar problems, so I then installed SuperAntiSpyware, which was recommended here. It also found results, but again the problem came back. I read some posts and again, maybe not following your website's instructions, I installed Dr Web, and upon its first scan it found a backdoor tdds plus other malware. I followed the described instructions and it showed backdoor tdds as being "eradicated". My problem seemed to be fixed then, but over the last day my computer has been freezing up badly, now to the point that the Windows start-up screen doesn't even finish loading... I may be in serious trouble. I read some of your instructions on what to do, but I guess I wrongfully tried to take matters into my own hands. I'm not sure what type of problems I have now, and plus I'm not sure how to recover or anything. I can get the boot screen and setup screens to come up but don't know what to do from there... please, if anyone can help... save me. If this isn't the right forum, please move me also... thanks. I am on my daughter's laptop right now, so I will be checking back as often as I can. Thanks again in advance.

Edited by sugarcane64, 02 January 2010 - 05:40 PM.




#2 sugarcane64


Posted 02 January 2010 - 05:40 PM

Here's an update:
After about 10-12 tries to get my computer on today, it finally allowed me to log on and get online, BUT I also noticed it is still redirecting my browser searches, SO I'm sure I still have a virus or malware... I don't want to run anything else without some advice, so I'm now in limbo until someone can help me. :thumbsup:

#3 rigel


Posted 02 January 2010 - 05:50 PM

Please update and rerun Malwarebytes. Post the fresh log and we can start from there.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#4 sugarcane64


Posted 02 January 2010 - 07:20 PM

Thanks for replying... here's my log, and it's loaded. I haven't taken any action yet... not sure what to do now.



Malwarebytes' Anti-Malware 1.43
Database version: 3482
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/2/2010 6:18:14 PM
mbam-log-2010-01-02 (18-18-09).txt

Scan type: Quick Scan
Objects scanned: 149789
Time elapsed: 44 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 16
Registry Values Infected: 12
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> No action taken.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fastnetsrv (Backdoor.Refpron) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BtwSrv (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servises (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FASTNETSRV (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cd547c56-8195-40f7-a583-653e2a5116ec}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,192.168.2.1 -> No action taken.

Folders Infected:
C:\Program Files\PersonalSec (Rogue.PersonalSecurity) -> No action taken.

Files Infected:
C:\WINDOWS\system32\mshlps.dll (Spyware.Passwords) -> No action taken.
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> No action taken.
C:\WINDOWS\system32\bwsb.gio (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\drivers\flzvr.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\Temp\B7.tmp (Backdoor.Bot) -> No action taken.
C:\WINDOWS\Temp\tmp0_78722822215.bk.old (Backdoor.Bot) -> No action taken.
C:\Program Files\PersonalSec\psecurity.exe (Rogue.PersonalSecurity) -> No action taken.
C:\Program Files\PersonalSec\system.dat (Rogue.PersonalSecurity) -> No action taken.
C:\Documents and Settings\George\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\HelpAssistant\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> No action taken.
C:\haypsixd.exe (Trojan.Downloader) -> No action taken.
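As an added example (not code from the thread, from rigel, or from Malwarebytes), here is a small Python parser for the Malwarebytes 1.x log format posted above. It groups detections by family and section, lists the items MBAM did not finish removing in that run ("No action taken" or "Delete on reboot", which is what a helper checks against the next scan), and compares the resolver list recorded in a Trojan.DNSChanger NameServer hit against the resolvers the machine's owner expects. The EXPECTED_RESOLVERS set is an assumption for illustration only; the sample log is constructed from a few lines of the log above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample in the Malwarebytes 1.x log format (a few lines modelled
# on the scan log posted above; not a complete log).
SAMPLE_LOG = """\
Memory Modules Infected:
C:\\WINDOWS\\system32\\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{cd547c56-8195-40f7-a583-653e2a5116ec}\\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,192.168.2.1 -> No action taken.

Files Infected:
C:\\WINDOWS\\system32\\drivers\\flzvr.sys (Rootkit.Agent) -> Delete on reboot.
C:\\haypsixd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# Assumption for illustration: the owner's router plus one public resolver they
# configured themselves. Anything else written into NameServer is suspect.
EXPECTED_RESOLVERS: Set[str] = {"192.168.2.1", "4.2.2.1"}

# "Memory Modules Infected:" style headers (the summary lines end in ": <n>", so
# they do not match this pattern).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<Family.Name>) -> [Data: <data> -> ]<status>."
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[A-Za-z]+\.[A-Za-z0-9]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<status>[^.]+)\.$"
)

REMOVED = "Quarantined and deleted successfully"


@dataclass
class Detection:
    section: str
    item: str
    family: str
    status: str
    data: Optional[str] = None


def parse_mbam_log(text: str) -> List[Detection]:
    """Walk the log line by line, remembering the current '... Infected:' section."""
    section = ""
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            found.append(Detection(section, m.group("item"), m.group("family"),
                                   m.group("status"), m.group("data")))
    return found


def family_counts(found: List[Detection]) -> Dict[str, int]:
    """How many hits per detection family (Backdoor.Bot, Rootkit.Agent, ...)."""
    return dict(Counter(d.family for d in found))


def pending_items(found: List[Detection]) -> List[Detection]:
    """Entries this run did not finish removing: untouched, or deferred to reboot."""
    return [d for d in found if d.status != REMOVED]


def unexpected_resolvers(found: List[Detection], expected: Set[str]) -> List[str]:
    """Resolver IPs from a DNSChanger NameServer hit that are not on the expected list."""
    out: List[str] = []
    for d in found:
        if d.family == "Trojan.DNSChanger" and d.item.endswith("\\NameServer") and d.data:
            out.extend(ip.strip() for ip in d.data.split(",") if ip.strip() not in expected)
    return out


if __name__ == "__main__":
    hits = parse_mbam_log(SAMPLE_LOG)
    print("families:", family_counts(hits))
    for d in pending_items(hits):
        print(f"still pending [{d.status}]: {d.item}")
    print("unexpected resolvers:", unexpected_resolvers(hits, EXPECTED_RESOLVERS))
```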

#5 sugarcane64


Posted 02 January 2010 - 07:24 PM

Here's my system info... if needed


Microsoft Windows XP
Home Edition
Version 2002
Service Pack 3

Intel
Pentium 4 CPU 3.06 Ghz
3.06 Ghz 0.99 of Ram


If you need any more info... please ask.

#6 sugarcane64


Posted 02 January 2010 - 09:44 PM

I went ahead and hit Remove Selected, and here's the log after that:




Malwarebytes' Anti-Malware 1.43
Database version: 3482
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/2/2010 6:29:37 PM
mbam-log-2010-01-02 (18-29-37).txt

Scan type: Quick Scan
Objects scanned: 149789
Time elapsed: 44 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 16
Registry Values Infected: 12
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fastnetsrv (Backdoor.Refpron) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BtwSrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servises (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FASTNETSRV (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cd547c56-8195-40f7-a583-653e2a5116ec}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,192.168.2.1 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\PersonalSec (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\mshlps.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.
C:\WINDOWS\system32\bwsb.gio (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\flzvr.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\B7.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmp0_78722822215.bk.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\PersonalSec\psecurity.exe (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.
C:\Program Files\PersonalSec\system.dat (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\George\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Delete on reboot.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\haypsixd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

#7 sugarcane64


Posted 02 January 2010 - 11:01 PM

One more update:

After using MBAM to remove the first scan's viruses and other findings, the computer worked fine for about an hour, then it froze up again... so now I'm not sure what to do again...

#8 rigel


Posted 02 January 2010 - 11:02 PM

You have the indications of a backdoor bot that likes to steal passwords and other personal information. I would change all online passwords from a known clean computer as soon as you can.

Let's continue...

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.


Next:

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



#9 sugarcane64


Posted 03 January 2010 - 03:24 AM

Here's the SDFix log:



SDFix: Version 1.240
Run by Administrator on Sat 01/02/2010 at 11:04 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-02 23:40:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\flzvr]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000000
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\flzvr]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000000
"Group"="Boot Bus Extender"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\AOL Games\\Super SpongeBob Collapse!\\SBCollapse.exe"="C:\\Program Files\\AOL Games\\Super SpongeBob Collapse!\\SBCollapse.exe:*:Enabled:Super SpongeBob Collapse!"
"C:\\Program Files\\SecondLife\\SLVoice.exe"="C:\\Program Files\\SecondLife\\SLVoice.exe:*:Enabled:SLVoice"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\iHabbix V3\\iHabbix.exe"="C:\\Program Files\\iHabbix V3\\iHabbix.exe:*:Enabled:iHabbix"
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"="C:\\Program Files\\Electronic Arts\\EADM\\Core.exe:*:Enabled:EA Download Manager"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\AVG\\AVG9\\avgupd.exe"="C:\\Program Files\\AVG\\AVG9\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG9\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG9\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Thu 10 Jan 2008 2,731,104 ...H. --- "C:\Program Files\7 Wonders II\7WondersII.exe"
Thu 3 Jul 2008 2,143,560 ...H. --- "C:\Program Files\Ancient Quest of Saqqarah\Saqqarah.exe"
Thu 3 Apr 2008 3,142,984 ...H. --- "C:\Program Files\Azada\Azada.exe"
Mon 27 Jul 2009 2,970,960 ...H. --- "C:\Program Files\Burger Shop 2\BurgerShop2.exe"
Fri 11 Jan 2008 2,876,744 ...H. --- "C:\Program Files\Cradle of Persia\CradleOfPersia.exe"
Fri 11 Jul 2008 1,762,632 ...H. --- "C:\Program Files\Enchanted Cavern\EnchantedCavern.exe"
Wed 17 Sep 2008 3,278,152 ...H. --- "C:\Program Files\Go-Go Gourmet\Go Go Gourmet.exe"
Wed 18 Jun 2008 6,817,096 ...H. --- "C:\Program Files\Hidden Expedition - Amazon\Hidden Expedition Amazon.exe"
Tue 28 Apr 2009 1,193,296 ...H. --- "C:\Program Files\Hidden Mysteries - Buckingham Palace\Buckingham.exe"
Thu 27 Mar 2008 4,592,968 ...H. --- "C:\Program Files\IQ - Identity Quest\IQ - Identity Quest.exe"
Fri 22 May 2009 857,424 ...H. --- "C:\Program Files\Megaplex Madness - Now Playing\MegaplexMadness.exe"
Tue 9 Dec 2008 25,564,496 ...H. --- "C:\Program Files\Mystery Case Files - Return to Ravenhearst\ReturnToRavenhearst.exe"
Mon 5 Jan 2009 12,330,320 ...H. --- "C:\Program Files\Mystery Case Files - Prime Suspects\PrimeSuspects.exe"
Thu 10 Jan 2008 2,205,000 ...H. --- "C:\Program Files\Pizza Chef\PizzaChef.exe"
Fri 11 Jan 2008 1,787,208 ...H. --- "C:\Program Files\SpongeBob SquarePants Diner Dash 2\SpongeBob Diner Dash 2.exe"
Thu 10 Jan 2008 2,024,776 ...H. --- "C:\Program Files\SpongeBob SquarePants Bubble Rush!\SpongeBob SquarePants Bubble Rush!.exe"
Wed 17 Oct 2007 145,920 ..SHR --- "C:\Program Files\Sprint music manager\Setup.exe"
Wed 1 Aug 2007 53,248 A.SHR --- "C:\Program Files\Sprint music manager\_Setupx.dll"
Wed 4 Nov 2009 1,168,216 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 26 Jan 2009 2,144,088 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 13 Jul 2009 2,622,800 ...H. --- "C:\Program Files\Tri-Peaks 2 - Quest for the Ruby Ring\Tri-Peaks 2.exe"
Mon 21 Jan 2008 2,766,152 ...H. --- "C:\Program Files\Turbo Subs\TurboSubs.exe"
Tue 3 Feb 2009 1,955,152 ...H. --- "C:\Program Files\Zuma Deluxe\Zuma Deluxe.exe"
Mon 28 Jul 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 23 Sep 2009 26,176 A..H. --- "C:\WINDOWS\system32\drivers\hamachi.sys"
Sun 4 May 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 15 Mar 2009 444 ...HR --- "C:\Documents and Settings\George\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sun 15 Mar 2009 444 A..HR --- "C:\Documents and Settings\HelpAssistant\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!

#10 sugarcane64


Posted 03 January 2010 - 03:29 AM

I'm getting the log from SuperAntiSpyware now.


Update: the computer froze up on reboot after SuperAntiSpyware scanned in safe mode... it sat frozen all night... when I woke this morning, I wasn't sure what to do, so I pressed the power button AND now it won't restart... it freezes again during the rundown of Windows drivers after telling the computer to start in safe mode... AND it won't even get to the Windows logo during a normal startup... now I'm really stuck.

Edited by sugarcane64, 03 January 2010 - 11:32 AM.


#11 sugarcane64


Posted 03 January 2010 - 03:09 PM

Sunday afternoon update... computer still not starting up... it freezes after the Dell screen but before the Windows screen comes up.

AND it does allow me to go to Safe Mode by pressing F8, but when I try to start in safe mode, it freezes after about 14 lines of drivers begin scrolling on screen.


Still stuck and hope it's not fatal...

#12 sugarcane64


Posted 03 January 2010 - 06:43 PM

This is what I get from booting it in safe mode, and where it freezes:



multi(0)disk(0)rdisk(0)partition(1)WINDOWS\system32\ntoskrnl.exe
multi(0)disk(0)rdisk(0)partition(1)WINDOWS\system32\hal.dll
multi(0)disk(0)rdisk(0)partition(1)WINDOWS\system32\KDCOM.DLL
multi(0)disk(0)rdisk(0)partition(1)WINDOWS\system32\BOOTVID.dll
multi(0)disk(0)rdisk(0)partition(1)WINDOWS\system32\config\system
multi(0)disk(0)rdisk(0)partition(1)WINDOWS\system32\C_1252.nls
multi(0)disk(0)rdisk(0)partition(1)WINDOWS\system32\C_437.nls
multi(0)disk(0)rdisk(0)partition(1)WINDOWS\FONTS\vgaoem.fon
multi(0)disk(0)rdisk(0)partition(1)WINDOWS\AppPatch\drumain.sdb
multi(0)disk(0)rdisk(0)partition(1)WINDOWS\system32\DRIVERS\ACPI.sys
multi(0)disk(0)rdisk(0)partition(1)WINDOWS\system32\DRIVERS\WIMILIB.SYS
multi(0)disk(0)rdisk(0)partition(1)WINDOWS\system32\DRIVERS\pci.sys
multi(0)disk(0)rdisk(0)partition(1)WINDOWS\system32\DRIVERS\isapnp.sys




That's all the lines of info I get in the safe mode boot-up, and it stays frozen however long you leave the power on.

#13 rigel


Posted 03 January 2010 - 10:43 PM

Do you have your XP operating system CD? We need to try a repair install.



#14 sugarcane64


Posted 04 January 2010 - 12:51 AM

I think so... it's the Reinstallation CD, Microsoft Windows XP Home Edition Service Pack 2, and it also says "Operating System" "Already Installed On Your Computer"??? If so, yeah, I have it right here.

#15 rigel


Posted 05 January 2010 - 08:21 AM

Okay... let's attempt a repair install for the boot problems...
