
Malware? (mbr.exe) keeps changing my fonts


This topic is locked
16 replies to this topic

#1 Scooter B

Scooter B

  • Members
  • 13 posts
  • OFFLINE
  • Local time:02:48 PM

Posted 30 January 2010 - 05:54 PM

My PC has had some intermittent strange behavior that had not shown up on anything despite a multitude of malware scans.

The last two weeks something keeps resetting my default fonts to a nearly illegible version of Wingdings or something like it, making it difficult to navigate any menus, which is a rather effective and simple defense mechanism for malware, unfortunately.

I run MBAM as my installed primary antimalware and have Windows Defender, and ran a new version of the Windows Security Suite. Also in the mix are Registry Mechanic, which seems to find anywhere from 10-80 issues but occasionally finds none, CCleaner, SpyBot SD, HJT, etc.

GMER and FSBL were also coming up clean, but last night, after the newer ddsr also came up with zilch, Root Repeal came up with MBR.exe flagged as malware on my M: drive, which is an HP Simple Save portable backup drive that can be read from but will not let me back up any more files, giving a "not enough space" message. This error message does not match the properties of the drive and the amount of data I am trying to back up.

I have been told these appear to be consistent with Worm type malware behavior.

For reference I have my system set up for
WinXP SP3

C: OS and programs only (My Documents is linked to my J: drive). There are some flags regarding My Documents on C: not being accessible, so I wanted to clarify.
D: OEM back up/ Restore partition
J: Primary storage drive
M: HP Simple Save back up drive with an L: partition installed OEM

Below are the recent scan results starting with the Root Repeal flagging MBR.exe;

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/30 09:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA69BF000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB85EC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA24D2000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\All Users\Start Menu\HP Photosmart Premier.lnk
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Start Menu\Set Program Access and Defaults.lnk
Status: Invisible to the Windows API!

Path: c:\documents and settings\all users\application data\pure networks\log\logfile.nmsrvc_exe.txt
Status: Size mismatch (API: 54708, Raw: 54246)

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\BQ49BQDC.2Y0\1AY4WXLZ.GR8\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\BQ49BQDC.2Y0\1AY4WXLZ.GR8\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Path: Volume M:\
Status: MBR Rootkit Detected!

Path: Volume M:\, Sector 1
Status: Sector mismatch

Path: Volume M:\, Sector 2
Status: Sector mismatch

Path: Volume M:\, Sector 3
Status: Sector mismatch

Path: Volume M:\, Sector 4
Status: Sector mismatch

Path: Volume M:\, Sector 5
Status: Sector mismatch

Path: Volume M:\, Sector 6
Status: Sector mismatch

Path: Volume M:\, Sector 7
Status: Sector mismatch

Path: Volume M:\, Sector 8
Status: Sector mismatch

Path: Volume M:\, Sector 9
Status: Sector mismatch

Path: Volume M:\, Sector 10
Status: Sector mismatch

Path: Volume M:\, Sector 11
Status: Sector mismatch

Path: Volume M:\, Sector 12
Status: Sector mismatch

Path: Volume M:\, Sector 13
Status: Sector mismatch

Path: Volume M:\, Sector 14
Status: Sector mismatch

Path: Volume M:\, Sector 15
Status: Sector mismatch

Path: Volume M:\, Sector 16
Status: Sector mismatch

Path: Volume M:\, Sector 17
Status: Sector mismatch

Path: Volume M:\, Sector 18
Status: Sector mismatch

Path: Volume M:\, Sector 19
Status: Sector mismatch

Path: Volume M:\, Sector 20
Status: Sector mismatch

Path: Volume M:\, Sector 21
Status: Sector mismatch

Path: Volume M:\, Sector 22
Status: Sector mismatch

Path: Volume M:\, Sector 23
Status: Sector mismatch

Path: Volume M:\, Sector 24
Status: Sector mismatch

Path: Volume M:\, Sector 25
Status: Sector mismatch

Path: Volume M:\, Sector 26
Status: Sector mismatch

Path: Volume M:\, Sector 27
Status: Sector mismatch

Path: Volume M:\, Sector 28
Status: Sector mismatch

Path: Volume M:\, Sector 29
Status: Sector mismatch

Path: Volume M:\, Sector 30
Status: Sector mismatch

Path: Volume M:\, Sector 31
Status: Sector mismatch

Path: Volume M:\, Sector 32
Status: Sector mismatch

Path: Volume M:\, Sector 33
Status: Sector mismatch

Path: Volume M:\, Sector 34
Status: Sector mismatch

Path: Volume M:\, Sector 35
Status: Sector mismatch

Path: Volume M:\, Sector 36
Status: Sector mismatch

Path: Volume M:\, Sector 37
Status: Sector mismatch

Path: Volume M:\, Sector 38
Status: Sector mismatch

Path: Volume M:\, Sector 39
Status: Sector mismatch

Path: Volume M:\, Sector 40
Status: Sector mismatch

Path: Volume M:\, Sector 41
Status: Sector mismatch

Path: Volume M:\, Sector 42
Status: Sector mismatch

Path: Volume M:\, Sector 43
Status: Sector mismatch

Path: Volume M:\, Sector 44
Status: Sector mismatch

Path: Volume M:\, Sector 45
Status: Sector mismatch

Path: Volume M:\, Sector 46
Status: Sector mismatch

Path: Volume M:\, Sector 47
Status: Sector mismatch

Path: Volume M:\, Sector 48
Status: Sector mismatch

Path: Volume M:\, Sector 49
Status: Sector mismatch

Path: Volume M:\, Sector 50
Status: Sector mismatch

Path: Volume M:\, Sector 51
Status: Sector mismatch

Path: Volume M:\, Sector 52
Status: Sector mismatch

Path: Volume M:\, Sector 53
Status: Sector mismatch

Path: Volume M:\, Sector 54
Status: Sector mismatch

Path: Volume M:\, Sector 55
Status: Sector mismatch

Path: Volume M:\, Sector 56
Status: Sector mismatch

Path: Volume M:\, Sector 57
Status: Sector mismatch

Path: Volume M:\, Sector 58
Status: Sector mismatch

Path: Volume M:\, Sector 59
Status: Sector mismatch

Path: Volume M:\, Sector 60
Status: Sector mismatch

Path: Volume M:\, Sector 61
Status: Sector mismatch

Path: Volume M:\, Sector 62
Status: Sector mismatch

==EOF==

Since they came up clean I will attach the ddsr and HJT file to keep my post more brief.

UPDATE
We have or had a registry infection(s), it would appear, but I'm not sure if it's cleaned or in hiding.

Questionable malware behavior update regarding changing fonts:
- Unauthorized system-wide font switch beginning with the log-on screen and desktop, plus extends to all folder menus until manually switched back under Settings/Fonts/.
- Behavior seemingly began the day after automatic Windows updates were selected to install before shutting down; however, I routinely run CCleaner just before shutting down (reference explained later).
- Eventually, after several intermittent I deleted all versions of Wingdings fonts from my Fonts folder, just out of desperation.
- After a couple of cycles lately, I noticed a pattern of behavior when running CCleaner to scan and fix my registry, AND that a whole list of MS font files were showing up as files related to identified registry errors.
- When I select fix errors with the save backup option, there seems to be a direct association with the font change on the very next restart. The font change begins from the sign-on greeting forward. The last time I ran the Registry Error Check in CCleaner I received the same or similar list of font files tied to flagged registry errors but did NOT choose to fix the errors, and my fonts have remained as they should.
All scan logs were saved "as is" before running any automated repair/remove/quarantine.
Steps taken so far:
1. Jan 30, 2010: Root Repeal scan finally identifies and flags the first detected malware, identified on my M: drive (HP Simple Save USB backup drive).

In addition to the identified malware, sectors 1-64 on volume M: were identified as having "sector mismatches".

This drive lost any form of “Simple” functioning a few weeks ago preventing any auto or synchronized backups. I could still manually copy files to the drive and review visible stored files that had been backed up. Attempts to run the Simple Save Application either did nothing or returned an error message regarding “not enough room on the disk” which was not consistent with information available about the drive.

+ Scan Result
Root Repeal Jan 30 2010
Path: Volume M:\
Status: MBR Rootkit Detected!
Used the automated remove malware option in Root Repeal, rebooted, and ran yet another overnight FULL system scan (wireless IP access disabled) with MBAM (Malwarebytes) on all drives: C, D, J and M.



2. Jan 31, 2010: MBAM (which had previously been "-" for infection the day before) flags one detected registry infection, identified as a home page hijack malware, with either four events or four separate registry changes (screen shot attached) dated 01/06, 01/29 x2 and 01/31.

Ran MBAM's repair tool to remove/repair/quarantine the following flagged item:
MBAM log Jan 31 2010 Registry Infection Hijack Home Page
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> No action taken.

Although the M: drive came up "-" on the MBAM full scan, I thought it wise at this point to remove it from my system; it has limited function at this point anyway. Once assured my registry is clean and restored, I/we will need to make sure the M: drive is completely cleaned out. I may need to copy the HD backup files onto DVDs as well, reformat, and reinstall the backup drive anyway since it is not working as intended.


3. MBAM log Jan 29, 2010 (backtracking)

Reviewing saved scan logs, it appears I overlooked one event, or I cleaned it and forgot about it. Sorry, I have a very bad "hypersomnia of central origin" sleep disorder that both makes me sleep 10 hours a day AND live in a perpetually sleep-deprived state, which has turned my cognitive focus, attention and memory functions into mush.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.Installer) -> No action taken

Files Infected:
C:\Program Files\setup.exe (Rogue.Installer) -> No action taken.

4. Feb 2, 2010: Root Repeal report regarding Hidden/Locked Files

Path: C:\Documents and Settings\HP Administrator\Recent\hijackthis.log.lnk
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP Administrator\Recent\gmer CDJ.log.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP Administrator\Local Settings\Temp\tmp88.tmp
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\all users\application data\microsoft\microsoft antimalware\support\mpwpptracing.bin
Status: Allocation size mismatch (API: 524288, Raw: 262144)

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\BQ49BQDC.2Y0\1AY4WXLZ.GR8\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\BQ49BQDC.2Y0\1AY4WXLZ.GR8\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Path: J:\My Documents\My PC HPMC\Networking\~$9E841DA3.docx
Status: Visible to the Windows API, but not on disk.

I have the complete scan logs for the above, along with recent system event logs, so just let me know what other info is needed to "help you help me".

Regarding attachments: I know the add attachment icon was here on the original post, but I just spent five minutes reviewing my thread and the UI over and over. I cannot find the add attachment icon anywhere. Please let me know what else you might need and I will try again.

Thanks and (Soap Box Alert)

I propose a constitutional amendment to allow reinstatement of public floggings for authors and perpetuators of intentional malware distribution, which would rotate said convicted offender through each and every community where damage was time. Nothing else is working as a deterrent so far. If you can't stop them with reason, you shouldn't stop from beating some sense, or at least a little apprehension, into them. Such a waste of time, nerves, etc.

Merged posts. Given presence of RootRepeal log, moving to log forum. ~ OB

Edited by Orange Blossom, 20 February 2010 - 08:26 PM.

Refusing to make waves is not an indicator of a life well lived. Refusing to make waves is the state that precedes drowning. - Paul Coughlin author
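The RootRepeal report above is what flags the M: drive, and reading it by hand means scanning sixty-odd two-line records. As an added example (mine, not RootRepeal's and not the poster's), the script below parses a report in that layout and reduces it to a per-volume summary; the sample report is constructed in the same format and abbreviated. A "Sector mismatch" means the bytes RootRepeal read from the disk directly differ from what the Windows API returned for that sector, which is what you expect when something in the storage stack is filtering reads; on a classic 63-sector-aligned layout, sectors 1 to 62 are the unpartitioned gap between the MBR and the first partition, which is commonly where an MBR rootkit keeps the code the MBR loads.

```python
"""Triage helper for RootRepeal text reports (added example, not a RootRepeal feature).

Layout: a banner, then sections ("Drivers", "Hidden/Locked Files") whose title is
underlined with dashes, each holding blank-line-separated "Key: value" records.
The triage pulls out what matters for MBR-rootkit work: volumes flagged
"MBR Rootkit Detected!", runs of sectors whose raw contents differ from what the
Windows API returns, and files hidden from or locked against the API.
"""
import re

# Constructed sample in the report format quoted above (abbreviated).
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
Scan Start Time: 2010/01/30 09:33
==================================================

Hidden/Locked Files
-------------------
Path: C:\\Documents and Settings\\All Users\\Start Menu\\HP Photosmart Premier.lnk
Status: Invisible to the Windows API!

Path: c:\\documents and settings\\all users\\application data\\pure networks\\log\\logfile.txt
Status: Size mismatch (API: 54708, Raw: 54246)

Path: Volume M:\\
Status: MBR Rootkit Detected!

Path: Volume M:\\, Sector 1
Status: Sector mismatch

Path: Volume M:\\, Sector 2
Status: Sector mismatch

Path: Volume M:\\, Sector 3
Status: Sector mismatch

==EOF==
"""

DASHES = re.compile(r"^-{3,}$")
NOISE = re.compile(r"^(-{3,}|={3,}|==EOF==)$")
SECTOR_PATH = re.compile(r"^Volume (?P<vol>[A-Za-z]:\\), Sector (?P<sector>\d+)$")


def parse_report(text):
    """Return {section_title: [record, ...]}; a record is a dict built from
    the 'Key: value' lines of one blank-line-separated block."""
    lines = [l.strip() for l in text.splitlines()]
    sections, current, block = {}, None, {}

    def flush():
        nonlocal block
        if current is not None and block:
            sections.setdefault(current, []).append(block)
        block = {}

    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line and DASHES.match(nxt):        # a title underlined with dashes
            flush()
            current = line
        elif not line or NOISE.match(line):   # blank line or rule ends a record
            flush()
        elif current is not None:             # banner lines have no section
            key, sep, value = line.partition(": ")
            if sep:
                block[key] = value
    flush()
    return sections


def triage(sections):
    """Bucket Hidden/Locked Files records by what their status means."""
    out = {"mbr_rootkit": [], "sector_mismatch": {}, "hidden": [], "locked": [], "mismatch": []}
    for rec in sections.get("Hidden/Locked Files", []):
        path, status = rec.get("Path", ""), rec.get("Status", "")
        m = SECTOR_PATH.match(path)
        if m:
            if status == "Sector mismatch":
                out["sector_mismatch"].setdefault(m["vol"], []).append(int(m["sector"]))
        elif status == "MBR Rootkit Detected!":
            out["mbr_rootkit"].append(path[len("Volume "):])
        elif status.startswith("Invisible"):
            out["hidden"].append(path)
        elif status.startswith("Locked"):
            out["locked"].append(path)
        elif "mismatch" in status:            # size / allocation-size mismatch
            out["mismatch"].append(path)
    return out


def sector_runs(sectors):
    """Collapse sector numbers into inclusive (first, last) runs: 1..62 -> [(1, 62)]."""
    runs = []
    for s in sorted(set(sectors)):
        if runs and s == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], s)
        else:
            runs.append((s, s))
    return runs


def summarize(text):
    """One line per flagged volume, then a count line, as a responder reads it."""
    t = triage(parse_report(text))
    out = []
    for vol in t["mbr_rootkit"]:
        runs = sector_runs(t["sector_mismatch"].get(vol, []))
        spans = ", ".join(f"{a}-{b}" if a != b else str(a) for a, b in runs) or "none listed"
        out.append(f"MBR rootkit flagged on {vol}; mismatched sectors: {spans}")
    out.append(f"{len(t['hidden'])} hidden, {len(t['locked'])} locked, {len(t['mismatch'])} size-mismatched file(s)")
    return out
```

Run `summarize(open("report.txt").read())` on a saved RootRepeal report to get the volume line and the counts; `sector_runs` is what turns the 62 separate "Sector mismatch" records in the post into a single `1-62` span, which is the figure worth comparing against the drive's partition table.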


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:48 PM

Posted 21 February 2010 - 05:07 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

Edited by m0le, 21 February 2010 - 05:19 AM.

m0le is a proud member of UNITE

#3 Scooter B

Posted 23 February 2010 - 09:37 PM

m0le,

Thank you for your response. I am currently out of town but will be back home in two days where I can gladly comply with your kind assistance.

Scott

#4 m0le

Posted 24 February 2010 - 02:55 PM

That's okay. Let me know when you're back.

#5 m0le

Posted 27 February 2010 - 09:32 PM

Hi,

I have not had a reply from you for 4 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#6 Scooter B

Posted 28 February 2010 - 04:58 PM

I'm so sorry.

I came down with a BAD stomach bug or food poisoning while there and had to have a Dr come to the motel.

Back in the saddle and holding most liquids down so I will be around and on the PC again Monday AM forward.


#7 m0le

Posted 28 February 2010 - 05:02 PM

[thumbs up]

#8 Scooter B

Posted 28 February 2010 - 05:43 PM

Thanks,

It happens and luckily I had a friend along to help out.

I'm trying to knock out a little clean up in my room and can run something now or post what I eventually found to start things off a little. Unfortunately I'm fairly typing impaired so I'm not too quick getting sentences out so I try to avoid chat session types of exchanges.

Since you are online at the moment let me know where I can start to help you help me LOL.

I did discover later that my reported registry issues were a setting incompatibility between SpyBot and Malwarebytes (my primary virus protection and the MBR.exe reference).

Later, Panda Cloud found two worms, two Trojans and some generic malware that it cleaned and quarantined; but one, "Trj/CI.A", it reported could only be auto-fixed with a paid subscription. I think I cleaned this one manually with some research, and saved all my scan logs etc. to bring things up to date.

After I cleaned out the one identified by Panda Cloud, MBR found additional malware it did not detect before and Panda Cloud had not picked up.


Image 1 (attached) screen shot "Panda Deep Scan 1"
Image 2 (attached) "Not Neutralized": the Trj/CI.A is a separate screen shot from the Panda scan that was on a second page of the report.

Below is the 1st Panda scan summary, which lists two suspicious files indicated as having had a backup or restore file.

Panda Cloud Scan Summary 02 09, 2010

Event More details Date/Time Status
Scan Scanning: All My Computer 2/9/2010 9:00:30 PM Finished.
Scan Scanning: All My Computer 2/9/2010 5:14:52 PM Started
Scan Quick scan 2/9/2010 5:14:33 PM Finished.
Scan Quick scan 2/9/2010 5:14:21 PM Started
Scan Scanning: J:\System Volume Information 2/9/2010 5:14:06 PM Finished.
Scan Scanning: J:\System Volume Information 2/9/2010 5:14:06 PM Started
Scan Quick scan 2/9/2010 5:08:43 PM Finished.
Scan Quick scan 2/9/2010 5:08:16 PM Started
Scan Scanning: M: 2/9/2010 4:50:21 PM Finished.
Cookie detected Location: M:\Backup Files\1\1\V0\C\Documents and Settings\HP_Administrator_2\Cookies\hp_administrator_2@www.myaffiliateprogram[1].txt 2/9/2010 4:35:31 PM Deleted
Cookie detected Location: M:\Backup Files\1\1\V0\C\Documents and Settings\HP_Administrator_2\Cookies\hp_administrator_2@ccbill[2].txt 2/9/2010 4:35:31 PM Deleted
Scan Scanning: M: 2/9/2010 4:33:56 PM Started
Scan Scanning: C:\RECYCLER|C:\System Volume Information|C:\system.sav|C:\temp|C:\WINDOWS 2/9/2010 4:14:00 PM Finished.
Scan Scanning: C:\RECYCLER|C:\System Volume Information|C:\system.sav|C:\temp|C:\WINDOWS 2/9/2010 3:54:08 PM Started
Scan Scanning: J:\RECYCLER 2/9/2010 3:52:57 PM Finished.
Scan Scanning: J:\RECYCLER 2/9/2010 3:52:56 PM Started
Scan Scanning: J:\System Volume Information 2/9/2010 3:52:21 PM Finished.
Scan Scanning: J:\System Volume Information 2/9/2010 3:52:20 PM Started
Scan Scanning: J:\RECYCLER|J:\System Volume Information 2/9/2010 3:51:08 PM Finished.
Scan Scanning: J:\RECYCLER|J:\System Volume Information 2/9/2010 3:51:07 PM Started
Trojan detected Trj/CI.A Location: J:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP295\A0082112.exe 2/9/2010 2:27:33 PM Neutralized
Trojan detected Trj/CI.A Location: J:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP295\A0082112.exe[²èÇ] 2/9/2010 2:27:26 PM
Suspicious file detected Location: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP308\A0085540.exe 2/9/2010 1:26:01 PM Neutralized

Suspicious file detected Location: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP308\A0085539.exe 2/9/2010 1:26:00 PM Neutralized

Trojan detected Generic Malware Location: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP304\A0085103.dll 2/9/2010 1:25:36 PM Neutralized
Worm detected Generic Worm Location: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP304\A0085102.exe 2/9/2010 1:25:36 PM Neutralized
Trojan detected Trj/Nabload.DPS Location: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP304\A0085101.exe 2/9/2010 1:25:36 PM Neutralized
Worm detected Generic Worm Location: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP304\A0085100.exe 2/9/2010 1:25:36 PM Neutralized
Trojan detected Trj/Nabload.DPS Location: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP304\A0085099.exe 2/9/2010 1:25:36 PM Neutralized
Suspicious file detected Location: C:\hp\recovery\wizard\SWR_Wizard.exe 2/9/2010 12:36:19 PM Neutralized
Suspicious file detected Location: C:\Downloaded Programs\PhotoCutterSetup.exe 2/9/2010 12:35:20 PM Neutralized

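The Panda summary in the post above is a flat event list in which the last column is only present when Panda acted on the file; the Trj/CI.A entry the poster says Panda would not fix is simply the line that ends at the timestamp with no status. As an added example (mine, not Panda's and not the poster's), the script below parses that layout, accepts both the raw form with `<A href="malwareinfo">` markup around the detection name and a tag-stripped copy, and separates hits inside System Restore snapshots (`System Volume Information\_restore{...}`) from hits on the live file system. The sample lines and paths are constructed; `{EXAMPLE-GUID}` stands in for a real restore-point GUID and `[packed]` for the bracketed suffix in the original.

```python
"""Parse a Panda Cloud Antivirus event summary and flag what still needs attention.

Added example; not a Panda tool and not from the post above. One event per line:
the event kind, an optional detection name (wrapped in an <A href="malwareinfo">
link when copied from the client's HTML view), "Location: <path>", a date, a time
and, when Panda acted, a status such as Neutralized or Deleted. A line that ends at
the time with no status is a detection the product left alone.
"""
import re

# Constructed sample lines in the summary format quoted above; paths are made up.
SAMPLE_LOG = """\
Scan Scanning: All My Computer 2/9/2010 9:00:30 PM Finished.
Cookie detected Location: M:\\Backup Files\\Cookies\\user@tracker.example[1].txt 2/9/2010 4:35:31 PM Deleted
Trojan detected <A href="malwareinfo">Trj/CI.A</A> Location: J:\\System Volume Information\\_restore{EXAMPLE-GUID}\\RP295\\A0082112.exe 2/9/2010 2:27:33 PM Neutralized
Trojan detected <A href="malwareinfo">Trj/CI.A</A> Location: J:\\System Volume Information\\_restore{EXAMPLE-GUID}\\RP295\\A0082112.exe[packed] 2/9/2010 2:27:26 PM
Suspicious file detected Location: C:\\System Volume Information\\_restore{EXAMPLE-GUID}\\RP308\\A0085540.exe 2/9/2010 1:26:01 PM Neutralized
Worm detected Generic Worm Location: C:\\System Volume Information\\_restore{EXAMPLE-GUID}\\RP304\\A0085102.exe 2/9/2010 1:25:36 PM Neutralized
Suspicious file detected Location: C:\\hp\\recovery\\wizard\\SWR_Wizard.exe 2/9/2010 12:36:19 PM Neutralized
"""

TAG = re.compile(r"<[^>]+>")
# "Trojan detected Trj/CI.A", "Suspicious file detected", "Cookie detected"
HEAD = re.compile(r"^(?P<event>.+? detected)(?: (?P<name>.+))?$")
# "<path> <m/d/yyyy> <h:mm:ss AM|PM> [<status>]"
TAIL = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)(?: (?P<status>.+?))?\s*$"
)
RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


def parse_events(text):
    """Return one dict per detection line; scan-progress lines are skipped."""
    events = []
    for raw in text.splitlines():
        head, sep, tail = raw.partition(" Location: ")
        if not sep:
            continue
        h = HEAD.match(TAG.sub("", head).strip())   # works with or without <A> markup
        t = TAIL.match(tail)
        if not (h and t):
            continue
        events.append({
            "event": h["event"], "name": h["name"], "path": t["path"],
            "when": f"{t['date']} {t['time']}", "status": t["status"],
        })
    return events


def unresolved(events):
    """Detections Panda reported but did not neutralize or delete (the two
    action words that appear in the summary above)."""
    done = {"neutralized", "deleted"}
    return [e for e in events if (e["status"] or "").rstrip(".").lower() not in done]


def in_restore_points(events):
    """Detections inside System Restore snapshots: archived copies that are not
    run unless a restore is performed, and that reappear in scans until the old
    restore points are purged."""
    return [e for e in events if RESTORE_POINT.search(e["path"])]


def report(text):
    """Summary a responder can act on: what is still open, and how much of the
    hit count is old snapshot copies rather than files on the live system."""
    events = parse_events(text)
    rp_paths = {e["path"] for e in in_restore_points(events)}
    return {
        "total": len(events),
        "unresolved": [(e["name"] or e["event"], e["path"]) for e in unresolved(events)],
        "restore_point_hits": len(rp_paths),
        "live_hits": [e["path"] for e in events if e["path"] not in rp_paths],
    }
```

`report()` on the sample returns six detections, one unresolved (the second Trj/CI.A line, which has no status), four hits that live only in restore-point snapshots and two on the live file system. Splitting the list this way is the first thing to do with a summary like the one in the post, because the restore-point entries say nothing about what is running now.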

#9 m0le

Posted 28 February 2010 - 06:14 PM

Let's assume this is an MBR rootkit and run Combofix to check that.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#10 m0le

Posted 02 March 2010 - 09:08 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#11 Scooter B

Posted 03 March 2010 - 10:35 AM

Thanks Mole,

I'm not sure if I am having some kind of e-mail delay but I had not received any updates via e-mail until now although I checked yesterday morning....

I will follow the directions for combo fix and get back this evening.

#12 Scooter B

Posted 03 March 2010 - 01:57 PM

ComboFix text posted below; however, I'm not sure if I was successful in getting all virus scanning off.

1. I did turn Tea Timer off and restarted.
2. My task bar said Panda was off and I only use the online scan feature.
3. When I opened Malwarebytes (to disable it) I discovered the free version does not offer "active scanning", which was news to me. I assume this means it does not run automatically when I am online, but I am not sure if it could have affected the ComboFix scan.
4. Just returned home and restarted PC to post here and the task bar indicates Panda is active where it was supposed to be a manual run only.......not sure when that changed but it may have "turned itself on" after turning off Tea Timer and restarting.

I may need to run it again but I will post what I do have now and wait to see if you can tell if I need to re-run it with additional steps to disable all possible virus scanning programs.... My apologies but I am disabled with a serious sleep disorder that leaves me foggy brained plus I developed Post Traumatic Stress Disorder in the midst of dealing with job loss, marriage etc from the sleep disorder. I struggle with multistep processes and have limited memory and situational awareness issues but I keep working at it.

Thanks,


ComboFix 10-03-02.08 - HP Administrator 03/03/2010 10:12:49.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2917 [GMT -6:00]
Running from: c:\documents and settings\HP Administrator\Desktop\ComFix.exe
AV: Panda Cloud Antivirus *On-access scanning enabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}
.

((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-03-03 16:10 . 2010-03-04 00:06 -------- d-----w- C:\32788R22FWJFW
2010-03-03 15:50 . 2010-03-03 16:00 -------- d-----w- C:\ComFix
2010-02-10 15:43 . 2010-02-10 15:43 -------- d-----w- c:\documents and settings\HP Administrator\Local Settings\Application Data\radiojazz
2010-02-10 15:42 . 2010-02-10 15:42 -------- d-----w- c:\program files\radiojazz
2010-02-09 17:42 . 2010-02-09 17:42 375552 ----a-w- c:\documents and settings\LocalService\GlobalExe.exe
2010-02-09 17:23 . 2010-02-09 17:23 -------- d-----w- c:\documents and settings\HP Administrator\Application Data\Panda Security
2010-02-09 17:20 . 2010-02-09 17:20 264 ----a-w- c:\windows\system32\PSUNCpl.dat
2010-02-09 17:20 . 2010-02-09 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2010-02-08 02:05 . 2010-02-08 02:05 -------- d-----w- c:\documents and settings\HP Administrator\Application Data\Apple Computer
2010-02-08 02:04 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-08 02:04 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-02-08 02:04 . 2010-02-08 02:04 -------- d-----w- c:\program files\iPod
2010-02-08 02:03 . 2010-02-08 02:04 -------- d-----w- c:\program files\iTunes
2010-02-08 02:03 . 2010-02-08 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-08 02:03 . 2010-02-08 02:03 -------- d-----w- c:\program files\Bonjour
2010-02-08 02:02 . 2010-02-08 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-08 02:00 . 2010-02-08 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-02 18:45 . 2010-02-02 18:45 -------- d-----w- c:\documents and settings\HP Administrator\Application Data\Registry Mechanic
2010-02-02 18:06 . 2010-02-02 18:06 -------- d-----w- c:\documents and settings\HP Administrator\Application Data\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 16:04 . 2009-09-28 04:55 99 ----a-w- c:\windows\system32\mhncache.dat
2010-03-03 15:40 . 2009-10-12 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-03 15:22 . 2009-11-14 21:18 -------- d-----w- c:\program files\Everything
2010-03-01 18:27 . 2009-09-26 00:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-01 16:27 . 2009-09-20 12:05 -------- d-----w- c:\program files\IrfanView
2010-02-21 02:14 . 2009-11-05 02:14 -------- d-----w- c:\documents and settings\HP Administrator\Application Data\Image Zone Express
2010-02-20 22:10 . 2009-09-29 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2010-02-14 20:31 . 2009-11-08 07:03 -------- d-----w- c:\documents and settings\HP Administrator\Application Data\XnView
2010-02-12 18:18 . 2009-10-12 22:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-09 17:20 . 2009-11-19 18:24 -------- d-----w- c:\program files\Panda Security
2010-02-08 02:04 . 2009-09-21 19:42 -------- d-----w- c:\program files\Common Files\Apple
2010-02-08 02:03 . 2009-09-21 19:23 -------- d-----w- c:\program files\QuickTime
2010-02-03 03:17 . 2009-09-20 01:19 -------- d-----w- c:\program files\HP
2010-01-31 18:45 . 2010-01-31 18:45 -------- d-----w- c:\program files\Easy Duplicate Finder
2010-01-31 07:28 . 2009-11-01 03:35 58392 ----a-w- c:\documents and settings\HP Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-31 00:22 . 2009-11-04 09:33 2880 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-31 00:22 . 2009-11-04 09:33 2880 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-31 00:18 . 2009-10-05 15:00 -------- d-----w- c:\program files\Microsoft Pro Photo Tools
2010-01-30 19:20 . 2010-01-30 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-01-30 19:13 . 2010-01-30 19:13 -------- d-----w- c:\documents and settings\HP Administrator\Application Data\Bump Technologies, Inc
2010-01-30 19:06 . 2010-01-30 19:06 -------- d-----w- c:\program files\ACW
2010-01-30 18:25 . 2009-11-08 19:52 78136 ----a-w- c:\documents and settings\HP Administrator\Application Data\HP SimpleSave Application\MagAppFramework.dll
2010-01-30 02:08 . 2009-09-20 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-30 02:05 . 2010-01-30 00:33 -------- d-----w- c:\program files\ATI
2010-01-30 00:34 . 2010-01-29 23:47 -------- d-----w- c:\program files\ATI Technologies
2010-01-30 00:34 . 2010-01-30 00:34 10134 ----a-r- c:\documents and settings\HP Administrator\Application Data\Microsoft\Installer\{F69B48D3-1C5B-1C79-70B8-8B00E9625276}\ARPPRODUCTICON.exe
2010-01-30 00:10 . 2010-01-30 00:10 -------- d-----w- c:\documents and settings\HP Administrator\Application Data\ATI
2010-01-30 00:10 . 2010-01-30 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-01-29 23:48 . 2009-09-20 01:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-29 23:48 . 2010-01-29 23:48 -------- d-----w- c:\program files\Common Files\ATI Technologies
2010-01-29 21:51 . 2010-01-29 21:46 -------- d-----w- c:\program files\McAfee
2010-01-29 21:46 . 2010-01-29 21:46 -------- d-----w- c:\program files\Common Files\McAfee
2010-01-29 21:38 . 2010-01-29 21:38 503808 ----a-w- c:\documents and settings\HP Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7cb457dc-n\msvcp71.dll
2010-01-29 21:38 . 2010-01-29 21:38 499712 ----a-w- c:\documents and settings\HP Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7cb457dc-n\jmc.dll
2010-01-29 21:38 . 2010-01-29 21:38 348160 ----a-w- c:\documents and settings\HP Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7cb457dc-n\msvcr71.dll
2010-01-29 21:38 . 2010-01-29 21:38 61440 ----a-w- c:\documents and settings\HP Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-420a28ac-n\decora-sse.dll
2010-01-29 21:38 . 2010-01-29 21:38 12800 ----a-w- c:\documents and settings\HP Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-420a28ac-n\decora-d3d.dll
2010-01-29 21:37 . 2010-01-29 21:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-29 21:37 . 2009-09-20 00:58 -------- d-----w- c:\program files\Java
2010-01-29 21:02 . 2010-01-29 21:02 10314752 ----a-w- c:\program files\cbSetup.exe
2010-01-29 20:23 . 2010-01-29 20:23 -------- d-----w- c:\program files\Photobie
2010-01-29 20:23 . 2009-11-16 14:05 -------- d-----w- c:\program files\PhotoFiltre
2010-01-25 23:48 . 2010-01-25 23:48 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-23 12:34 . 2009-12-26 00:17 58784 ----a-w- c:\documents and settings\Scott Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-23 01:51 . 2010-01-23 01:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-22 15:53 . 2009-09-30 01:10 -------- d-----w- c:\program files\Canon
2010-01-21 23:40 . 2009-09-20 14:14 -------- d-----w- c:\program files\Google
2010-01-21 07:32 . 2009-11-10 07:45 1196664 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-21 04:31 . 2010-01-21 04:24 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\NeatImage PS
2010-01-21 04:14 . 2009-12-26 01:10 565248 ----a-w- C:\HPLauncher.exe
2010-01-21 04:12 . 2010-01-21 04:12 -------- d-----w- c:\documents and settings\Scott Administrator\Application Data\ArcSoft
2010-01-21 03:38 . 2009-09-20 03:45 58784 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-18 04:34 . 2009-11-16 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\contrast
2010-01-16 19:45 . 2009-12-25 23:41 58784 ----a-w- c:\documents and settings\Autumn Bell\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-16 08:40 . 2010-01-12 04:05 -------- d-----w- c:\documents and settings\Scott Administrator\Application Data\ZoomBrowser EX
2010-01-15 16:46 . 2009-11-02 18:31 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-14 17:12 . 2010-01-30 02:29 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 16:25 . 2009-11-29 04:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-13 15:14 . 2009-12-25 23:34 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-13 01:14 . 2010-01-13 01:14 -------- d-----w- c:\documents and settings\Scott Administrator\Application Data\HP
2010-01-13 01:13 . 2009-12-26 04:45 -------- d-----w- c:\documents and settings\Scott Administrator\Application Data\Image Zone Express
2010-01-12 08:36 . 2010-01-12 08:36 -------- d-----w- c:\documents and settings\Scott Administrator\Application Data\Registry Mechanic
2010-01-12 04:05 . 2009-09-30 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-01-10 21:56 . 2009-10-31 03:30 -------- d-----w- c:\program files\Motorola Phone Tools
2010-01-09 19:43 . 2009-11-16 13:03 -------- d-----w- c:\program files\WhatsRunning
2010-01-07 23:27 . 2010-01-07 23:25 -------- d-----w- c:\documents and settings\Scott Administrator\Application Data\XnView
2010-01-07 22:07 . 2009-11-29 04:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-11-29 04:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 05:12 . 2009-10-31 03:31 -------- d-----w- c:\program files\Motorola
2010-01-07 05:12 . 2009-10-31 03:31 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-01-07 05:09 . 2010-01-07 05:09 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf
2010-01-07 05:09 . 2010-01-07 05:09 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01007.Wdf
2010-01-06 16:38 . 2010-01-06 16:38 -------- d-----w- c:\documents and settings\Scott Administrator\Application Data\Sonic
2010-01-06 16:38 . 2010-01-06 16:38 -------- d-----w- c:\documents and settings\Scott Administrator\Application Data\Leadertech
2010-01-05 19:32 . 2009-11-08 19:57 -------- d-----w- c:\program files\HP SimpleSave Application
2010-01-05 19:18 . 2009-11-08 11:43 10134 ----a-r- c:\documents and settings\HP Administrator\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2009-12-29 00:05 . 2009-12-26 00:17 142 ----a-w- c:\documents and settings\Scott Administrator\Local Settings\Application Data\fusioncache.dat
2009-12-21 19:14 . 2009-09-19 22:59 916480 ------w- c:\windows\system32\wininet.dll
2009-12-15 06:05 . 2009-10-24 09:40 56320 --sha-w- c:\program files\Thumbs.db
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-12 04:29 . 2009-12-12 04:29 0 ----a-w- c:\windows\ativpsrm.bin
2009-12-11 21:02 . 2009-09-20 20:39 4525056 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2009-12-11 20:45 . 2009-07-02 16:27 45056 ----a-w- c:\windows\system32\aticalrt.dll
2009-12-11 20:44 . 2009-07-02 16:26 45056 ----a-w- c:\windows\system32\aticalcl.dll
2009-12-11 20:43 . 2009-07-02 16:25 3620864 ----a-w- c:\windows\system32\aticaldd.dll
2009-12-11 20:41 . 2009-12-12 04:29 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2009-12-11 20:26 . 2009-12-12 04:29 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-12-11 20:25 . 2009-07-02 16:54 13434880 ----a-w- c:\windows\system32\atioglxx.dll
2009-12-11 20:09 . 2009-07-02 17:06 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2009-12-11 20:09 . 2009-07-02 17:05 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2009-12-11 20:09 . 2009-07-02 17:05 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-12-11 20:08 . 2009-07-02 17:05 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-12-11 20:08 . 2009-07-02 17:05 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2009-12-11 20:07 . 2009-12-12 04:29 887724 ----a-w- c:\windows\system32\ativva6x.dat
2009-12-11 20:07 . 2009-12-12 04:29 3 ----a-w- c:\windows\system32\ativva5x.dat
2009-12-11 20:07 . 2009-07-02 17:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2009-12-11 20:05 . 2009-07-02 17:02 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2009-12-11 20:01 . 2009-07-02 16:28 565248 ----a-w- c:\windows\system32\atikvmag.dll
2009-12-11 19:59 . 2009-07-02 16:26 176128 ----a-w- c:\windows\system32\atiadlxx.dll
2009-12-11 19:58 . 2009-07-02 16:26 17408 ----a-w- c:\windows\system32\atitvo32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2009-11-02 15:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Pending Delete Icon]
@="{0847B599-9191-4A27-BD61-DE11598D3B1B}"
[HKEY_CLASSES_ROOT\CLSID\{0847B599-9191-4A27-BD61-DE11598D3B1B}]
2009-11-02 15:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2009-11-02 15:00 312576 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WizMouse"="c:\program files\WizMouse\WizMouse.exe" [2009-11-06 694008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-01-07 1496968]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-28 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-28 86016]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-25 136472]
"PCDrSmartMonitor"="c:\program files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe" [2006-05-10 376832]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-25 1325848]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-25 904768]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-05-11 1348144]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2009-10-30 361728]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

c:\documents and settings\Scott Administrator\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-7-31 27136]

c:\documents and settings\Autumn Bell\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-7-31 27136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\K:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
backup=c:\windows\pss\Updates From HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP Administrator^Start Menu^Programs^Startup^dBpowerAMP.lnk]
backup=c:\windows\pss\dBpowerAMP.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wltrysvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Corel File Shell Monitor"=c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe"
"ehTray"=c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Everything\\Everything.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/19/2009 12:25 PM 28552]
R0 snapman;Acronis Snapshots Manager;c:\windows\system32\drivers\snapman.sys [10/8/2009 12:32 AM 132224]
R0 tdrpman;Acronis Try&Decide and Restore Points filter;c:\windows\system32\drivers\tdrpman.sys [10/8/2009 12:32 AM 368480]
R0 timounter;Seagate DiscWizard Image Backup Archive Explorer;c:\windows\system32\drivers\timntr.sys [10/8/2009 12:32 AM 441760]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [10/13/2009 3:50 PM 114312]
R1 Tcpip6;Microsoft IPv6 Protocol Driver;c:\windows\system32\drivers\tcpip6.sys [9/19/2009 4:58 PM 225856]
R2 Apple Mobile Device;Apple Mobile Device;c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [8/28/2009 7:42 PM 144672]
R2 ARSVC;ARSVC;c:\windows\arservice.exe [8/2/2005 5:19 PM 58880]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [11/16/2009 11:58 AM 12672]
R2 ehRecvr;Media Center Receiver Service;c:\windows\ehome\ehrecvr.exe [8/10/2004 4:04 AM 237568]
R2 ehSched;Media Center Scheduler Service;c:\windows\ehome\ehSched.exe [8/10/2004 4:04 AM 102912]
R2 JavaQuickStarterService;Java Quick Starter;c:\program files\Java\jre6\bin\jqs.exe [1/29/2010 3:37 PM 153376]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [1/29/2010 3:46 PM 93320]
R2 MHN;MHN;c:\windows\System32\svchost.exe -k netsvcs [9/19/2009 4:57 PM 14336]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [1/6/2010 11:12 PM 91392]
R2 NanoServiceMain;NanoServiceMain;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [10/30/2009 5:29 PM 136448]
R2 nmservice;Pure Networks Platform Service;c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [12/12/2008 6:06 PM 642856]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol;c:\windows\system32\drivers\nwlnkipx.sys [9/19/2009 4:57 PM 88320]
R2 NwlnkNb;NWLink NetBIOS;c:\windows\system32\drivers\nwlnknb.sys [9/19/2009 4:57 PM 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol;c:\windows\system32\drivers\nwlnkspx.sys [9/19/2009 4:57 PM 55936]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [9/19/2009 4:57 PM 14336]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/1/2010 8:03 PM 583640]
R2 pnarp;Pure Networks Device Discovery Driver;c:\windows\system32\drivers\pnarp.sys [12/12/2009 1:29 AM 23984]
R2 PSI_SVC_2;Protexis Licensing V2;c:\program files\Common Files\Protexis\License Service\PsiService_2.exe [7/24/2007 11:15 AM 185632]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [10/30/2009 4:18 PM 146952]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [10/13/2009 3:50 PM 95880]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [10/13/2009 3:50 PM 101512]
R2 purendis;Pure Networks Wireless Driver;c:\windows\system32\drivers\purendis.sys [12/12/2009 1:29 AM 25264]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 6:56 PM 431384]
R2 tifsfilter;Seagate DiscWizard FS Filter;c:\windows\system32\drivers\tifsfilt.sys [10/8/2009 12:32 AM 44384]
R3 aracpi;aracpi;c:\windows\system32\drivers\aracpi.sys [8/2/2005 5:19 PM 22784]
R3 arhidfltr;MS Ar HID Filter Driver;c:\windows\system32\drivers\arhidfltr.sys [8/2/2005 5:19 PM 19200]
R3 arkbcfltr;Microsoft PS2 Keyboard Filter;c:\windows\system32\drivers\arkbcfltr.sys [8/2/2005 5:19 PM 5376]
R3 armoucfltr;Microsoft PS2 Mouse Filter;c:\windows\system32\drivers\armoucfltr.sys [8/2/2005 5:19 PM 4992]
R3 ARPolicy;ARPolicy;c:\windows\system32\drivers\arpolicy.sys [8/2/2005 5:19 PM 10112]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [6/5/2009 3:20 AM 99856]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [9/19/2009 7:15 PM 82048]
R3 HidIr;Microsoft Infrared HID Driver;c:\windows\system32\drivers\hidir.sys [9/19/2009 6:55 PM 19200]
R3 HSX_DP;HSX_DP;c:\windows\system32\drivers\HSX_DP.sys [9/19/2009 7:15 PM 936448]
R3 HSXHWBS2;HSXHWBS2;c:\windows\system32\drivers\HSXHWBS2.sys [9/19/2009 7:15 PM 241664]
R3 IrBus;Infrared bus filter driver for eHome remote controls;c:\windows\system32\drivers\irbus.sys [9/19/2009 6:55 PM 46592]
R3 MHNDRV;MHN driver;c:\windows\system32\drivers\mhndrv.sys [8/10/2004 3:45 AM 11008]
R3 PCD5SRVC{8A863ACB-F5F6CC6A-05010004};PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [5/10/2006 4:26 PM 21248]
R3 Ps2;PS2;c:\windows\system32\drivers\PS2.sys [9/19/2009 7:41 PM 19072]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [12/12/2009 1:29 AM 709248]
R3 tunmp;Microsoft Tun Miniport Adapter Driver;c:\windows\system32\drivers\tunmp.sys [8/10/2004 5:00 AM 12288]
R3 winachsx;winachsx;c:\windows\system32\drivers\HSX_CNXT.sys [9/19/2009 7:15 PM 670208]
S0 ftsata2;ftsata2;c:\windows\system32\DRIVERS\ftsata2.sys --> c:\windows\system32\DRIVERS\ftsata2.sys [?]
S2 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [9/19/2009 4:57 PM 14336]
S2 nvcap;nVidia WDM Video Capture (universal);c:\windows\system32\drivers\NVCAP.SYS [11/16/2009 11:24 PM 141582]
S2 NVSvc;NVIDIA Display Driver Service;c:\windows\system32\nvsvc32.exe [9/27/2009 6:19 PM 172100]
S2 odserv;Microsoft Office Diagnostics Service;c:\program files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [11/4/2008 12:06 AM 441712]
S3 DX4323;Dynex Wireless N USB Adapter Driver;c:\windows\system32\drivers\DX4323.sys [9/24/2009 12:56 AM 483200]
S3 Fax;Fax;c:\windows\system32\fxssvc.exe [9/19/2009 7:17 PM 267776]
S3 LPDSVC;TCP/IP Print Server;c:\windows\system32\tcpsvcs.exe [9/19/2009 4:58 PM 19456]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [1/6/2010 11:12 PM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [10/31/2009 11:43 AM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [1/6/2010 11:12 PM 42752]
S3 motmodem;Motorola USB CDC ACM Driver;c:\windows\system32\drivers\motmodem.sys [1/6/2010 11:12 PM 23936]
S3 NdisIP;Microsoft TV/Video Connection;c:\windows\system32\drivers\ndisip.sys [9/19/2009 7:17 PM 10880]
S3 NuidFltr;NUID filter driver;c:\windows\system32\drivers\nuidfltr.sys [10/2/2009 1:42 PM 14736]
S3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [9/29/2009 12:22 PM 90352]
S3 SLIP;BDA Slip De-Framer;c:\windows\system32\drivers\slip.sys [9/19/2009 7:17 PM 11136]
S3 SNMP;SNMP Service;c:\windows\system32\snmp.exe [9/20/2009 2:41 PM 33280]
S3 SNMPTRAP;SNMP Trap Service;c:\windows\system32\snmptrap.exe [9/20/2009 2:41 PM 8704]
S3 Wdf01000;Wdf01000;c:\windows\system32\drivers\wdf01000.sys [11/2/2006 6:22 AM 503008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-03 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2007-02-28 08:06]

2010-03-03 c:\windows\Tasks\User_Feed_Synchronization-{2EE59C89-D2E1-408B-B63F-968534C4BC05}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

2010-03-03 c:\windows\Tasks\User_Feed_Synchronization-{E0C9C21A-FB31-4736-8685-CEE21263D661}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
mLocal Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/
mWindow Title =
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_5F1A57F0B9B89E2E.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: trymedia.com
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PCD5SRVC{8A863ACB-F5F6CC6A-05010004}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4264980555-254830597-2235428652-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a4,de,6e,85,35,40,1d,48,b9,6f,4e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a4,de,6e,85,35,40,1d,48,b9,6f,4e,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a4,de,6e,85,35,40,1d,48,b9,6f,4e,\

[HKEY_USERS\S-1-5-21-4264980555-254830597-2235428652-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1456)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1512)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(6096)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-03 10:23:38
ComboFix-quarantined-files.txt 2010-03-03 16:23
ComboFix2.txt 2010-03-03 16:00

Pre-Run: 248,119,152,640 bytes free
Post-Run: 248,070,021,120 bytes free

- - End Of File - - 09382C2910FD1854FF02088E197F997E

Refusing to make waves is not an indicator of a life well lived. Refusing to make waves is the state that precedes drowning. - Paul Coughlin author
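As an added example (not part of this thread, and not ComboFix's own code), the following Python script parses the "Reg Loading Points" section of a ComboFix log such as the one posted above. It pulls each autostart registry value out with its path, ComboFix date stamp and file size, and then flags the two things a log reviewer would verify first: a Security Center `AntiVirusOverride` value of 1 (which stops Windows from monitoring and alerting on antivirus status, and is set both by some security products and by some malware) and autostart values written as a bare file name, which Windows resolves through the search path rather than an explicit directory. The sample lines are constructed from entries in the log above; the function names, the dict layout and the finding format are this example's own.

```python
import re

# Constructed sample: a few lines modelled on the "Reg Loading Points"
# section of the ComboFix log posted above (same format, trimmed).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WizMouse"="c:\program files\WizMouse\WizMouse.exe" [2009-11-06 694008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2009-10-30 361728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ehTray"=c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
# ComboFix appends "[YYYY-MM-DD size]" to autostart values whose file it could stat.
STAMP_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$")


def parse_loading_points(text):
    """Return one dict per registry value, tagged with its enclosing [key]."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue  # notes, REGEDIT4 and anything outside a [key] block are skipped
        entry = {"key": key, "name": m.group("name"), "path": None,
                 "date": None, "size": None, "dword": None}
        value = m.group("value")
        if value.startswith("dword:"):
            entry["dword"] = int(value[len("dword:"):], 16)
        else:
            s = STAMP_RE.match(value)
            if s:
                entry["path"] = s.group("path").strip('"')
                entry["date"] = s.group("date")
                entry["size"] = int(s.group("size"))
            else:
                # msconfig-disabled "run-" items carry no stamp in the log
                entry["path"] = value.strip('"')
        entries.append(entry)
    return entries


def review(entries):
    """Return (value name, reason) pairs a reviewer should verify by hand."""
    findings = []
    for e in entries:
        if e["name"].lower() == "antivirusoverride" and e["dword"] == 1:
            findings.append((e["name"],
                             "Security Center AV monitoring is overridden; check which product set it"))
        elif e["path"] and "\\" not in e["path"] and "/" not in e["path"]:
            findings.append((e["name"],
                             "bare file name '%s' is resolved via the search path; confirm the on-disk file"
                             % e["path"]))
    return findings


if __name__ == "__main__":
    parsed = parse_loading_points(SAMPLE_LOG)
    for e in parsed:
        print(e["key"].rsplit("\\", 1)[-1], e["name"], e["path"] or e["dword"], e["date"], e["size"])
    for name, reason in review(parsed):
        print("REVIEW:", name, "-", reason)
```

Run against the full section of a real log the script yields a table of every autostart value with its stamp, which is easier to diff between two ComboFix runs than the raw text; the two review rules are deliberately conservative, since entries like `ftutil2.dll` in the log above are normally OEM components and only need confirming, not removing.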

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:48 PM

Posted 03 March 2010 - 07:53 PM

Okay, thanks for letting me know about that Scooter. I will keep the steps to a minimum.

MBR is not a problem according to Combofix, which would show it regardless of antiviruses running unprompted.

It also found nothing in your PC to remove - a definite rarity here.


If the M drive device is being flagged as MBR-infected then let's try Gmer, a similar scanner, to get some verification. It may be a false positive by RootRepeal.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Thanks

m0le is a proud member of UNITE

#14 Scooter B

Scooter B
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:02:48 PM

Posted 03 March 2010 - 09:31 PM

Thanks Mole,

I forgot to mention that after cleaning the things previously mentioned, I connected and scanned the M drive, although I don't recall what I may or may not have cleaned; however, eventually it passed gmer, fsblk and all the scans mentioned above.

The M drive, however, would not save any more backups, indicating it was full. Looking at the properties of the drive indicated it was less than half full, but I decided to see if defragging it would help. Defragging freed up a little space, but I continued to receive the same message regarding the drive being full. Registry Mechanic did not find anything to fix or repair.

At that point I concluded my main drives were stable and the simplest option would be to just reformat the back up. If something was still hiding on "M" that should clear it and I would start clean with the back up.

It's still not cooperating with the Simple Save application, and after reformatting I remember it did not ship with a CD; the software just came preloaded.

Fortunately it's still under warranty for tech support, so I just have to call or e-mail HP support later.


Since it looks like everything on the other drives appears clean, I guess we can close this one out. With the weird intermittent font changes I was getting paranoid something very bad could happen, and with my backup drive not working I backed up all my pics and documents on DVDs and was preparing to reload the OS, but only as a last-ditch effort.

I guess the Panda online scan caught and cleaned most of the bugs, and I did my own research to fix the remaining bug.

Since Malwarebytes free version does not provide "active scanning", what overall malware service would you recommend?


I had a McAfee subscription through my dad's cable ISP, but if I ever had problems with it or needed to reinstall it I had to get my dad to log in with his password to the ISP just to redownload it, and they RV during the summer. Too much hassle.


I do have Windows Defender and had installed the newer Microsoft virus protection, but Panda or one of the other ones required me to uninstall it.


I don't mind paying for one reliable virus scan subscription; however, I have previously picked up bugs that got through the paid service, and like in this case I had to install several others to detect and remove them. Everyone says you can't rely on just one, or that none of them are capable of staying up to date on everything, which makes sense.

The thing that just irritates the snot out of me however is the installed versions all want to be the ONLY and exclusive virus protection on your PC so you have to uninstall or disable existing services just to double check.

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:48 PM

Posted 04 March 2010 - 07:31 AM

QUOTE
what overall malware service would you recommend?


One antivirus, one antispyware, one third party firewall and a good removal tool, such as MBAM.

No suite covers everything to an extent that you can buy/download just one program.


Your log is clean. Good stuff!

Let's firstly do some housekeeping

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Here's a list of ways you can avoid problems in the future:

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


That's it Scooter, happy surfing!

Cheers,


m0le


Edited by m0le, 04 March 2010 - 07:45 AM.




