Computer Infected


  • This topic is locked
64 replies to this topic

#1 MalibuMurray

MalibuMurray

  • Members
  • 33 posts

Posted 15 February 2010 - 10:02 AM

I don't know exactly what it is that is infecting my system, but I noticed about two weeks ago that it would not let a user log off, and when I tried to pull up Task Manager, it said that the administrator disabled it. Since I am the administrator, I know that not to be true, and that was the first sign. I was unable to boot in Safe Mode; it just froze up. I have Malwarebytes and SUPERAntiSpyware installed, but after running they could not find anything and I still have the same problem.

So here I am. I have followed the instructions and attached are the logs, and I pray that you are able to help me clean my system once and for all. I am not sure about the GMER file (ark.txt) because the program stopped and I restarted it, and both times it ran for hours. The second time it didn't say finished, but it had stopped scanning and I just saved the file; hopefully it was complete.

Thank you.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Elaine at 14:12:53.54 on 02/13/10
Internet Explorer: 8.0.6001.18702
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=localhost:7171
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: {E92BEFBA-E79D-4F41-9733-68DA49C4492B} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRunOnce: [UniblueRegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [EPSON Stylus CX5800F Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v46/shared/FunGamesLoader.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222562255593
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149113039734
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/chnz/default/mjolauncher.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} - hxxp://www.worldwinner.com/games/v64/swapit/swapit.cab
DPF: {B1D475FE-75CD-11D2-8301-0060B0B32E16} - hxxps://ca.cdc.gov/vsimport.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {B57F9ACB-FD32-433E-8F30-515B2D8226F6} - hxxps://ca.cdc.gov/sdncode/sdnapp/common/chkperm.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://onlinedesigner.hgtvpro.com/images/app/view22rte.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5393/mcfscan.cab
TCP: {1C5CA96A-0BF8-457E-825A-A839A7C8385A} = 4.2.2.2,4.2.2.3
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-02-13 20:10:08 0 ----a-w- c:\documents and settings\elaine\defogger_reenable
2010-02-13 17:55:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-13 17:31:37 0 d-----w- c:\windows\ERUNT
2010-02-13 16:45:38 40960 ----a-w- c:\windows\delexe.exe
2010-02-11 23:21:46 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-02-11 23:21:45 1640400 ----a-w- c:\windows\PCTBDCore.dll.old
2010-02-11 17:59:58 0 d-----w- c:\docume~1\elaine\applic~1\Uniblue
2010-02-05 02:59:27 118871 ----a-w- C:\MGlogs.zip
2010-02-05 02:37:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-05 02:37:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-05 02:37:42 0 d-----w- C:\desktop
2010-02-05 01:59:42 0 d-----w- C:\ComboFix
2010-02-01 14:01:40 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-02-01 14:01:33 227840 ------w- c:\windows\system32\wbem\SET23B.tmp
2010-01-18 22:10:20 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan

==================== Find3M ====================

2010-01-07 20:38:18 447216 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2010-01-07 20:38:10 58592 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2010-01-07 20:22:04 74240 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
2010-01-07 20:22:04 57344 ----a-w- c:\windows\system32\ZuneRegUtil.dll
2010-01-07 20:22:04 310784 ----a-w- c:\windows\system32\ZuneNetProxy.dll
2010-01-07 20:22:04 18944 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
2010-01-07 20:22:04 147456 ----a-w- c:\windows\system32\ZuneMTPZ.dll
2010-01-07 20:22:04 12800 ----a-w- c:\windows\system32\ZunePTDNS.dll
2010-01-07 20:22:02 40832 ----a-w- c:\windows\system32\drivers\zumbus.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-01 04:33:48 103304 ----a-w- c:\docume~1\elaine\applic~1\GDIPFONTCACHEV1.DAT
2007-04-17 22:04:18 0 ---ha-w- c:\program files\AppUpdate.log
2009-10-18 20:52:35 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-12-01 16:06:37 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120120081202\index.dat
2009-10-18 20:52:35 16384 --sha-w- c:\windows\system32\config\systemprofile\privacie\index.dat

============= FINISH: 14:13:15.09 ===============
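The DDS report above carries the two findings the helper acts on later in the thread: a browser proxy pointing at localhost:7171 (traffic on this machine is being routed through a local listener) and orphaned add-on entries. It also lists several old Java plug-in versions through their DPF CLSIDs. The script below is an added triage example, not part of MalibuMurray's post or of the DDS tool; the sample lines are copied from the report above, and the "current" Java level (6 Update 18) is taken from Farbar's later instructions. The CAFEEFAC-... CLSIDs are Java's static-versioning plug-in identifiers, which encode family, micro and update number as decimal digits.

```python
import re

# Constructed sample: lines in the style of the DDS "Pseudo HJT Report" above,
# copied from that report and trimmed to the ones this script reads.
SAMPLE_DDS = """\
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=localhost:7171
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\\program files\\windows live toolbar\\msntb.dll
BHO: 1 (0x1) - No File
TB: {E92BEFBA-E79D-4F41-9733-68DA49C4492B} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
TCP: {1C5CA96A-0BF8-457E-825A-A839A7C8385A} = 4.2.2.2,4.2.2.3
"""

# Java static-versioning CLSID: CAFEEFAC-00FF-00mm-00UU-ABCDEFFEDCBA, where
# FF is the family ("0016" = 1.6), mm the micro and UU the update number, all
# read as decimal digits. The all-F form is the "latest version" family CLSID.
JAVA_CLSID = re.compile(
    r"\{CAFEEFAC-(\d{4}|FFFF)-(\d{4}|FFFF)-(\d{4}|FFFF)-ABCDEFFEDCBA\}", re.I)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)", re.I)
LOCAL_HOSTS = ("localhost", "127.", "::1")

def java_version_from_clsid(text):
    """Return (major, minor, micro, update) or None when no version is encoded."""
    m = JAVA_CLSID.search(text)
    if not m or any(g.upper() == "FFFF" for g in m.groups()):
        return None
    family, micro, update = (int(g) for g in m.groups())
    return (family // 10, family % 10, micro, update)

def proxy_points_at_local_host(value):
    """True when any per-protocol or bare proxy entry names this machine."""
    for part in value.split(";"):
        host = part.split("=", 1)[-1]      # strip a "http=" style prefix
        host = host.rsplit(":", 1)[0]      # drop the port
        if host.lower().startswith(LOCAL_HOSTS):
            return True
    return False

def triage_dds(text, current_java=(1, 6, 0, 18)):
    """Walk a DDS pseudo-HJT report and return (severity, message) findings."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = PROXY_RE.search(line)
        if m:
            if proxy_points_at_local_host(m.group(1)):
                findings.append(("high", "browser proxy routed through the local host: " + m.group(1)))
        elif line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            findings.append(("low", "orphaned browser add-on entry: " + line))
        elif line.startswith("DPF:"):
            ver = java_version_from_clsid(line)
            if ver is not None and ver < current_java:
                findings.append(("medium", "outdated Java plug-in registered: %d.%d.%d_%02d" % ver))
        elif line.startswith("TCP:"):
            servers = line.split("=", 1)[1].strip()
            findings.append(("info", "interface DNS servers set to " + servers + "; confirm they are the expected resolvers"))
    return findings

if __name__ == "__main__":
    for severity, message in triage_dds(SAMPLE_DDS):
        print(severity.upper().ljust(6), message)
```

Only the static-versioning CLSIDs are decoded; the dynamic Java CLSID ({8AD9C840-...}) and the FFFF family entry carry no version and are skipped, so the version list comes from the registrations alone. The DNS line is reported at "info" level because public resolvers are not wrong in themselves; the analyst checks them against what the ISP or router should hand out.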




#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 16 February 2010 - 04:46 PM

Hi MalibuMurray,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

You seem to have run or tried to run Combofix on your own. Tell me about it. If it didn't run rename it to far.exe and run it.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#3 MalibuMurray

MalibuMurray
  • Topic Starter

  • Members
  • 33 posts

Posted 16 February 2010 - 09:20 PM

I am okay with not making any changes to my system. The ComboFix I believe was previously done when I had the Sasser virus... (since my son came back home and has been using my computer, I find my system with more and more problems; after I get this cleaned, he will be banned). I will run the ComboFix and post the log.

#4 MalibuMurray

MalibuMurray
  • Topic Starter

  • Members
  • 33 posts

Posted 16 February 2010 - 10:04 PM

Okay I have run the combo fix and the log is attached. I eagerly await your response and want to thank you Farbar for taking the time to help me with this problem, it really means a lot to me to have someone help me figure out what the bleeping.....is wrong with my system.

ComboFix 10-02-16.01 - Elaine 02/16/10 20:33:32.1.2 - x86
Running from: c:\documents and settings\Elaine\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2010-01-17 to 2010-02-17 )))))))))))))))))))))))))))))))
.

2010-02-14 00:55 . 2010-02-14 00:56 -------- d-----w- c:\documents and settings\Elaine\Local Settings\Application Data\Deployment
2010-02-13 17:55 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-13 17:55 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-13 17:55 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-13 17:55 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-13 17:55 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-13 17:55 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-13 17:55 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-13 17:55 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-13 17:55 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-13 17:55 . 2010-02-13 17:55 -------- d-----w- c:\program files\Alwil Software
2010-02-13 17:55 . 2010-02-13 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-13 17:31 . 2010-02-13 17:31 -------- d-----w- c:\windows\ERUNT
2010-02-13 16:45 . 2000-11-17 22:01 40960 ----a-w- c:\windows\delexe.exe
2010-02-11 23:29 . 2010-02-11 23:29 -------- d-----w- c:\documents and settings\Elaine\Local Settings\Application Data\Threat Expert
2010-02-11 17:59 . 2010-02-11 17:59 -------- d-----w- c:\documents and settings\Elaine\Application Data\Uniblue
2010-02-05 02:59 . 2010-02-05 03:02 118871 ----a-w- C:\MGlogs.zip
2010-02-05 02:37 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-05 02:37 . 2010-02-05 03:21 -------- d-----w- C:\desktop
2010-02-05 02:37 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-05 02:34 . 2010-02-05 02:34 52224 ----a-w- c:\documents and settings\Elaine\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-05 02:34 . 2010-02-11 16:36 117760 ----a-w- c:\documents and settings\Elaine\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-01 14:01 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-18 22:10 . 2010-01-18 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-01-18 22:10 . 2010-01-18 22:10 1924200 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-01-18 22:10 . 2010-01-18 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-18 22:10 . 2010-01-18 22:10 -------- d-----w- c:\program files\NOS
2010-01-18 22:10 . 2009-12-17 22:37 31936 ----a-w- c:\documents and settings\Elaine\Application Data\Mozilla\Firefox\Profiles\ztt1iuyv.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-01-18 22:10 . 2009-12-17 22:37 29344 ----a-w- c:\documents and settings\Elaine\Application Data\Mozilla\Firefox\Profiles\ztt1iuyv.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-12 03:40 . 2006-05-25 18:57 87856 ----a-w- c:\documents and settings\Elaine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-12 00:06 . 2008-09-28 15:47 -------- d--h--w- c:\program files\SUPERAntiSpyware
2010-02-12 00:04 . 2008-09-27 20:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-11 23:59 . 2009-05-17 00:18 -------- d-----w- c:\documents and settings\Elaine\Application Data\PC Tools
2010-02-11 17:48 . 2009-05-16 18:18 117760 ----a-w- c:\documents and settings\Malibu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-11 10:04 . 2008-02-15 15:11 -------- d--h--w- c:\program files\TaxCut Business 2007
2010-02-05 02:49 . 2008-09-28 18:46 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2010-02-05 02:33 . 2008-09-28 15:47 -------- d-----w- c:\documents and settings\Elaine\Application Data\SUPERAntiSpyware.com
2010-01-30 18:36 . 2008-05-17 15:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-01-30 18:36 . 2008-05-17 15:50 -------- d--h--w- c:\program files\Common Files\Roxio Shared
2010-01-30 18:28 . 2005-11-16 13:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-30 03:39 . 2008-06-01 00:22 -------- d--h--w- c:\program files\Zune
2010-01-11 23:29 . 2010-01-11 23:29 52224 ----a-w- c:\documents and settings\Malibu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-07 20:38 . 2010-01-07 20:38 447216 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2010-01-07 20:38 . 2010-01-07 20:38 58592 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2010-01-07 20:22 . 2009-09-02 06:29 74240 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
2010-01-07 20:22 . 2009-09-02 06:29 57344 ----a-w- c:\windows\system32\ZuneRegUtil.dll
2010-01-07 20:22 . 2009-09-02 06:29 18944 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
2010-01-07 20:22 . 2009-09-02 06:29 12800 ----a-w- c:\windows\system32\ZunePTDNS.dll
2010-01-07 20:22 . 2009-09-02 06:29 310784 ----a-w- c:\windows\system32\ZuneNetProxy.dll
2010-01-07 20:22 . 2009-09-02 06:29 147456 ----a-w- c:\windows\system32\ZuneMTPZ.dll
2010-01-07 20:22 . 2009-09-02 06:28 40832 ----a-w- c:\windows\system32\drivers\zumbus.sys
2009-12-31 16:50 . 2005-11-16 13:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-10 18:51 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 22:37 . 2009-12-26 01:10 67360 ----a-w- c:\documents and settings\Malibu\Application Data\Mozilla\Firefox\Profiles\zptlk83s.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlus_Helper.dll
2009-12-17 22:37 . 2009-12-26 01:10 349552 ----a-w- c:\documents and settings\Malibu\Application Data\Mozilla\Firefox\Profiles\zptlk83s.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe.exe
2009-12-17 22:37 . 2009-12-26 01:10 31936 ----a-w- c:\documents and settings\Malibu\Application Data\Mozilla\Firefox\Profiles\zptlk83s.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-12-17 22:37 . 2009-12-26 01:10 29344 ----a-w- c:\documents and settings\Malibu\Application Data\Mozilla\Firefox\Profiles\zptlk83s.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-12-17 14:31 . 2009-12-17 14:31 1924744 ----a-w- c:\documents and settings\Elaine\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-12-16 18:43 . 2004-08-10 19:01 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-10 18:51 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 04:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2005-11-16 13:03 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-29 03:00 . 2009-11-29 03:00 0 ----a-w- c:\windows\nsreg.dat
2009-11-27 17:11 . 2004-08-10 18:51 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 06:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-10 18:51 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 04:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-10 18:51 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-10 18:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 06:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2004-08-10 18:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-21 00:32 . 2009-11-02 00:38 127325 ----a-w- c:\documents and settings\Elaine\Application Data\Move Networks\uninstall.exe
2009-11-21 00:32 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Elaine\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-21 00:32 . 2009-11-21 00:32 1408376 ----a-w- c:\documents and settings\Elaine\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2007-04-17 22:04 . 2007-04-17 22:04 0 ---ha-w- c:\program files\AppUpdate.log
.

------- Sigcheck -------


[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\eventlog.dll
[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\System32\drivers\beep.sys ... is missing !!
c:\windows\System32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
"EPSON Stylus CX5800F Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE" [2005-05-10 98304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-18 1228800]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-07 198160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-11-16 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\TaxCut Business 2008\\TaxCut2008.exe"=
"c:\\Program Files\\Zune\\Zune.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59418:TCP"= 59418:TCP:@xpsp2res.dll,-22009

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3AB.sys [2005-03-23 450400]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sobreahc
.
Contents of the 'Scheduled Tasks' folder

2010-02-03 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=localhost:7171
TCP: {1C5CA96A-0BF8-457E-825A-A839A7C8385A} = 4.2.2.2,4.2.2.3
DPF: {B1D475FE-75CD-11D2-8301-0060B0B32E16} - hxxps://ca.cdc.gov/vsimport.cab
DPF: {B57F9ACB-FD32-433E-8F30-515B2D8226F6} - hxxps://ca.cdc.gov/sdncode/sdnapp/common/chkperm.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
HKLM-Run-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
AddRemove-Malwarebytes' Anti-Malware_is1 - c:\desktop\unins000.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,41,1b,de,c7,f9,5d,e1,4f,a1,64,0b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,41,1b,de,c7,f9,5d,e1,4f,a1,64,0b,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3536)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Zune\ZuneNss.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft Office\Office10\msoffice.exe
.
**************************************************************************
.
Completion time: 2010-02-16 20:47:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-17 02:47
ComboFix2.txt 2010-02-05 02:08

Pre-Run: 37,604,417,536 bytes free
Post-Run: 37,920,837,632 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 9E1F3D389C198403F8FFC4A85DD9FBF9

Edited by farbar, 17 February 2010 - 01:54 AM.
Opened the log.
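The ComboFix log above is what the next instructions are built from: the Sigcheck block lists every copy of eventlog.dll found on disk with its MD5 and version, two system files are reported missing, and a non-default NetSvcs entry (sobreahc) is listed. The script below is an added example, not part of the thread or of ComboFix, showing how an analyst reads those three sections into a repair plan: a missing file with a clean copy under ServicePackFiles becomes an Fcopy:: line, a missing file with no on-disk copy becomes an expand command against the installation CD (drive letter d: assumed, as in the instructions that follow), and NetSvcs entries become a NetSvc:: section. The sample text is copied from the log above and trimmed to those lines.

```python
import re
import ntpath

# Constructed sample: the Sigcheck, "is missing" and NetSvcs fragments of the
# ComboFix log above, trimmed to the lines this script reads.
SAMPLE_COMBOFIX = r"""
------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\eventlog.dll
[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\System32\drivers\beep.sys ... is missing !!
c:\windows\System32\eventlog.dll ... is missing !!
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sobreahc
.
"""

# "[7] <date> . <md5> . <size> . . [<version>] . . <path>"
SIGCHECK_RE = re.compile(
    r"^\[\d+\]\s+(\S+)\s+\.\s+([0-9A-Fa-f]{32})\s+\.\s+(\d+)\s+\.\s+\.\s+\[([^\]]+)\]\s+\.\s+\.\s+(.+)$")
MISSING_RE = re.compile(r"^(.+?)\s+\.\.\.\s+is missing !!$")
CD_DRIVE = "d:"   # assumption: the CD-ROM drive letter used in the thread

def parse_combofix(text):
    """Collect on-disk copies (by base name), missing files and NetSvcs entries."""
    copies, missing, netsvcs = {}, [], []
    in_netsvcs = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_netsvcs:
            if line in ("", "."):          # a lone "." closes a ComboFix section
                in_netsvcs = False
            else:
                netsvcs.append(line)       # ComboFix lists only non-default entries here
            continue
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            date, md5, size, version, path = m.groups()
            copies.setdefault(ntpath.basename(path).lower(), []).append(
                {"path": path, "md5": md5.upper(), "size": int(size), "version": version, "date": date})
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.append(m.group(1))
    return {"copies": copies, "missing": missing, "netsvcs": netsvcs}

def repair_plan(report):
    """Turn the parsed report into (kind, source, destination) actions."""
    plan = []
    for path in report["missing"]:
        name = ntpath.basename(path)
        spf = [c for c in report["copies"].get(name.lower(), [])
               if "\\servicepackfiles\\" in c["path"].lower()]
        if spf:
            plan.append(("fcopy", spf[0]["path"], path))
        else:
            # No clean copy on disk: the installation CD keeps a compressed copy
            # under i386 whose name ends in "_" in place of the last character.
            plan.append(("expand", CD_DRIVE + "\\i386\\" + name[:-1] + "_", path))
    for svc in report["netsvcs"]:
        plan.append(("netsvc", svc, ""))
    return plan

def to_cfscript(plan):
    """Render the ComboFix-script sections (Fcopy::, NetSvc::) for the plan."""
    sections = {"Fcopy::": [], "NetSvc::": []}
    for kind, src, dst in plan:
        if kind == "fcopy":
            sections["Fcopy::"].append(src + " | " + dst)
        elif kind == "netsvc":
            sections["NetSvc::"].append(src)
    lines = []
    for header, entries in sections.items():
        if entries:
            lines.append(header)
            lines.extend(entries)
    return "\n".join(lines)

def manual_steps(plan):
    """Commands the user types at a cmd prompt for files only the CD can supply."""
    return ["expand " + src + " " + ntpath.dirname(dst) for kind, src, dst in plan if kind == "expand"]

if __name__ == "__main__":
    plan = repair_plan(parse_combofix(SAMPLE_COMBOFIX))
    print(to_cfscript(plan))
    print("\n".join(manual_steps(plan)))
```

Run on the sample, the output reproduces the Fcopy:: and NetSvc:: parts of the CFScript the helper posts next and the expand command for beep.sys; the Driver:: and RegLock:: parts of that script rest on findings from other tools (the GMER scan), which this log alone cannot supply. Picking the ServicePackFiles copy as the Fcopy source is deliberate: it is the service-pack original, and the log shows it carries the same MD5 as the other current-version copy, so the restored file can be checked against that hash afterwards.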


#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 17 February 2010 - 02:12 AM

Please tell me if you have another Windows XP or a Windows installation CD. We need a missing system file (beep.sys) to put back on this computer.

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

CODE
Fcopy::
c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\System32\eventlog.dll
Driver::
UACd.sys
sobreahc
NetSvc::
sobreahc
uInternet Settings,ProxyServer = http=localhost:7171
TCP: {1C5CA96A-0BF8-457E-825A-A839A7C8385A} = 4.2.2.2,4.2.2.3
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
RegLockDel::
HKLM\SYSTEM\ControlSet001\Services\UACd.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


#6 MalibuMurray

MalibuMurray
  • Topic Starter

  • Members
  • 33 posts

Posted 17 February 2010 - 10:23 AM

Thank you for the quick reply! I do have the Dell reinstallation CD for Windows XP Home Edition Service Pack 2.

I have followed your instructions and attached is the combofix log. I await your instructions. Thank you again.

Malibu

#7 Farbar
    Just Curious
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands
Posted 17 February 2010 - 01:37 PM

We will restore beep.sys file from the CD.
  1. Insert your Windows installation CD.
    • Go to start => run and type cmd and press enter.
    • Copy and paste the following lines one by one in the command window and press Enter after each line:
      (Note: if your CD-ROM drive letter is something else, please replace d.)

      expand d:\i386\beep.sy_ c:\windows\System32\drivers

      (You should get no error and a success notification about the expansion and the size of it.)

  2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 18 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

  3. Tell me also how your computer is running.









#8 MalibuMurray
  • Topic Starter
  • Members
  • 33 posts
Posted 17 February 2010 - 08:15 PM

Wow! When I entered the command prompt, it told me that it could not open the file. I checked Device Manager and it has a yellow exclamation box next to the CD/DVD drive; when I tried to troubleshoot, I got the following message:

An ActiveX control on this page is not safe.
Your current security settings prohibit running unsafe controls on this page.
As a result, this page might not display as intended.

Great, so now I do not have use of the cd drive ugggggghhhh!

I did uninstall the old java and installed 6.0 update 18.

My computer seems to be running fine except for the above mentioned problems and not being able to use system restore, I haven't tried to go into safe mode.

Oh great and knowledgeable one, what do we do now? :)

#9 Farbar
    Just Curious
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands
Posted 18 February 2010 - 03:44 PM

Let's see.
  1. Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    CODE
    DDS::
    uInternet Settings,ProxyServer = http=localhost:7171
    TCP: {1C5CA96A-0BF8-457E-825A-A839A7C8385A} = 4.2.2.2,4.2.2.3
    SkipFix::


    Save this as CFScript.txt, in the same location as ComboFix.exe




    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall


  2. To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

    Your Emulation drivers are now re-enabled.

    Please reboot the computer anyway.

  3. Insert your Windows installation CD.
    • Go to start => run and type cmd and press enter.
    • Copy and paste the following lines one by one in the command window and press Enter after each line:
      (Note: if your CD-ROM drive letter is something else, please replace d.)

      expand d:\i386\beep.sy_ c:\windows\System32\drivers
      (You should get no error and a success notification about the expansion and the size of it)

      ren c:\windows\System32\drivers\beep.sy_ beep.sys
      (It should return to the command prompt without notifying any error).

  4. Tell me if the CD-ROM is not read.
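
The two file restorations in this thread (eventlog.dll copied back from c:\windows\ServicePackFiles\i386 by the Fcopy:: line in post #5, and beep.sys expanded from the install CD in the steps above) are instances of one check: compare what is on disk with a known-good copy and put the good copy back when it is missing or has been altered. The script below is an added example written for this page, not part of the thread, of ComboFix or of Windows. It builds a small constructed file tree in a temporary directory instead of touching real system files; the file names, the flat reference-store layout and the directory names are assumptions modelled on ServicePackFiles\i386 and system32\dllcache. It does not decompress .sy_ cabinet files (that is what expand does), so it assumes an uncompressed reference store. The caveat a practitioner would add: run a comparison like this from clean boot media, because a kernel-mode rootkit driver of the kind ComboFix and MBAM quarantined in this thread can hide or substitute files for code running on the infected system.

```python
"""Added example (not from the thread): audit system files against a known-good
reference store and restore the ones that are missing or differ. demo() uses a
constructed temp tree; nothing here reads or writes real Windows directories."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries (ntoskrnl.exe) do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_system_files(system_dir: Path, reference_dir: Path, names) -> dict:
    """Return {relative_name: 'ok' | 'missing' | 'modified' | 'no-reference'}.

    names are paths relative to system_dir (e.g. 'drivers/beep.sys'); the reference
    store is assumed flat, like ServicePackFiles\\i386, so only the basename is looked up.
    """
    report = {}
    for name in names:
        live = system_dir / name
        ref = reference_dir / Path(name).name
        if not ref.is_file():
            report[name] = "no-reference"      # nothing to compare against
        elif not live.is_file():
            report[name] = "missing"           # the beep.sys case in this thread
        elif sha256_of(live) != sha256_of(ref):
            report[name] = "modified"          # the eventlog.dll case
        else:
            report[name] = "ok"
    return report


def restore_from_reference(system_dir: Path, reference_dir: Path, report: dict) -> list:
    """Copy the reference copy over every 'missing' or 'modified' file (what Fcopy:: did)."""
    restored = []
    for name, status in report.items():
        if status in ("missing", "modified"):
            dest = system_dir / name
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(reference_dir / Path(name).name, dest)
            restored.append(name)
    return sorted(restored)


def demo() -> tuple:
    """Constructed scenario: beep.sys deleted, eventlog.dll tampered, ntoskrnl.exe intact."""
    root = Path(tempfile.mkdtemp())
    system32 = root / "system32"
    ref = root / "ServicePackFiles" / "i386"
    (system32 / "drivers").mkdir(parents=True)
    ref.mkdir(parents=True)
    # Known-good copies (constructed placeholder bytes, not real driver contents).
    (ref / "beep.sys").write_bytes(b"GOOD beep.sys")
    (ref / "eventlog.dll").write_bytes(b"GOOD eventlog.dll")
    (ref / "ntoskrnl.exe").write_bytes(b"GOOD ntoskrnl.exe")
    # Live system: beep.sys is absent, eventlog.dll was replaced, ntoskrnl.exe matches.
    (system32 / "eventlog.dll").write_bytes(b"PATCHED eventlog.dll")
    (system32 / "ntoskrnl.exe").write_bytes(b"GOOD ntoskrnl.exe")
    names = ["drivers/beep.sys", "eventlog.dll", "ntoskrnl.exe"]
    before = audit_system_files(system32, ref, names)
    restored = restore_from_reference(system32, ref, before)
    after = audit_system_files(system32, ref, names)
    shutil.rmtree(root, ignore_errors=True)
    return before, restored, after


if __name__ == "__main__":
    for label, result in zip(("before", "restored", "after"), demo()):
        print(label, result)
```

On a real machine you would point system_dir at c:\windows\system32 and reference_dir at the service-pack cache or a mounted install CD, and treat any "modified" result on a file that Windows Update has not touched as a lead rather than as proof, since the reference copy may simply predate a hotfix.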





#10 MalibuMurray
  • Topic Starter
  • Members
  • 33 posts
Posted 18 February 2010 - 08:49 PM

This is the log. Defogger was unable to open the file and the CD-ROM drive is still not working.
Not able to boot in safe mode, not able to enable system restore. HELP! This is very frustrating and I appreciate all that you are doing on my behalf. Awaiting your next instructions.



ComboFix 10-02-18.07 - Elaine 02/18/10 19:33:53.5.2 - x86
Running from: c:\documents and settings\Elaine\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Elaine\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2010-01-19 to 2010-02-19 )))))))))))))))))))))))))))))))
.

2010-02-18 00:58 . 2010-02-18 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Inspector
2010-02-18 00:44 . 2010-02-18 00:44 503808 ----a-w- c:\documents and settings\Elaine\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-69beab59-n\msvcp71.dll
2010-02-18 00:44 . 2010-02-18 00:44 499712 ----a-w- c:\documents and settings\Elaine\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-69beab59-n\jmc.dll
2010-02-18 00:44 . 2010-02-18 00:44 348160 ----a-w- c:\documents and settings\Elaine\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-69beab59-n\msvcr71.dll
2010-02-18 00:44 . 2010-02-18 00:44 61440 ----a-w- c:\documents and settings\Elaine\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-405aa443-n\decora-sse.dll
2010-02-18 00:44 . 2010-02-18 00:44 12800 ----a-w- c:\documents and settings\Elaine\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-405aa443-n\decora-d3d.dll
2010-02-17 15:03 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2010-02-17 15:03 . 2008-04-14 00:11 56320 ------w- c:\windows\system32\eventlog.dll
2010-02-14 00:55 . 2010-02-18 00:50 -------- d-----w- c:\documents and settings\Elaine\Local Settings\Application Data\Deployment
2010-02-13 17:55 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-13 17:55 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-13 17:55 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-13 17:55 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-13 17:55 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-13 17:55 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-13 17:55 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-13 17:55 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-13 17:55 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-13 17:55 . 2010-02-13 17:55 -------- d-----w- c:\program files\Alwil Software
2010-02-13 17:55 . 2010-02-13 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-13 17:31 . 2010-02-13 17:31 -------- d-----w- c:\windows\ERUNT
2010-02-13 16:45 . 2000-11-17 22:01 40960 ----a-w- c:\windows\delexe.exe
2010-02-11 23:29 . 2010-02-11 23:29 -------- d-----w- c:\documents and settings\Elaine\Local Settings\Application Data\Threat Expert
2010-02-11 17:59 . 2010-02-11 17:59 -------- d-----w- c:\documents and settings\Elaine\Application Data\Uniblue
2010-02-05 02:59 . 2010-02-05 03:02 118871 ----a-w- C:\MGlogs.zip
2010-02-05 02:37 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-05 02:37 . 2010-02-18 01:02 -------- d-----w- C:\desktop
2010-02-05 02:37 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-05 02:34 . 2010-02-05 02:34 52224 ----a-w- c:\documents and settings\Elaine\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-05 02:34 . 2010-02-11 16:36 117760 ----a-w- c:\documents and settings\Elaine\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-01 14:01 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 00:49 . 2005-11-16 13:18 -------- d--h--w- c:\program files\Common Files\Java
2010-02-18 00:48 . 2009-01-28 04:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-18 00:48 . 2005-11-16 13:18 -------- d--h--w- c:\program files\Java
2010-02-18 00:38 . 2006-06-12 14:21 -------- d--h--w- c:\program files\Citrix
2010-02-17 13:35 . 2009-05-05 20:14 87856 ----a-w- c:\documents and settings\Malibu\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-12 03:40 . 2006-05-25 18:57 87856 ----a-w- c:\documents and settings\Elaine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-12 00:06 . 2008-09-28 15:47 -------- d--h--w- c:\program files\SUPERAntiSpyware
2010-02-12 00:04 . 2008-09-27 20:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-11 23:59 . 2009-05-17 00:18 -------- d-----w- c:\documents and settings\Elaine\Application Data\PC Tools
2010-02-11 17:48 . 2009-05-16 18:18 117760 ----a-w- c:\documents and settings\Malibu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-11 10:04 . 2008-02-15 15:11 -------- d--h--w- c:\program files\TaxCut Business 2007
2010-02-05 02:49 . 2008-09-28 18:46 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2010-02-05 02:33 . 2008-09-28 15:47 -------- d-----w- c:\documents and settings\Elaine\Application Data\SUPERAntiSpyware.com
2010-01-30 18:36 . 2008-05-17 15:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-01-30 18:36 . 2008-05-17 15:50 -------- d--h--w- c:\program files\Common Files\Roxio Shared
2010-01-30 18:28 . 2005-11-16 13:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-30 03:39 . 2008-06-01 00:22 -------- d--h--w- c:\program files\Zune
2010-01-18 22:13 . 2010-01-18 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-18 22:10 . 2010-01-18 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-01-18 22:10 . 2010-01-18 22:10 1924200 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-01-18 22:10 . 2010-01-18 22:10 -------- d-----w- c:\program files\NOS
2010-01-11 23:29 . 2010-01-11 23:29 52224 ----a-w- c:\documents and settings\Malibu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-07 20:38 . 2010-01-07 20:38 447216 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2010-01-07 20:38 . 2010-01-07 20:38 58592 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2010-01-07 20:22 . 2009-09-02 06:29 74240 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
2010-01-07 20:22 . 2009-09-02 06:29 57344 ----a-w- c:\windows\system32\ZuneRegUtil.dll
2010-01-07 20:22 . 2009-09-02 06:29 18944 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
2010-01-07 20:22 . 2009-09-02 06:29 12800 ----a-w- c:\windows\system32\ZunePTDNS.dll
2010-01-07 20:22 . 2009-09-02 06:29 310784 ----a-w- c:\windows\system32\ZuneNetProxy.dll
2010-01-07 20:22 . 2009-09-02 06:29 147456 ----a-w- c:\windows\system32\ZuneMTPZ.dll
2010-01-07 20:22 . 2009-09-02 06:28 40832 ----a-w- c:\windows\system32\drivers\zumbus.sys
2009-12-31 16:50 . 2005-11-16 13:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-10 18:51 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 22:37 . 2010-01-18 22:10 31936 ----a-w- c:\documents and settings\Elaine\Application Data\Mozilla\Firefox\Profiles\ztt1iuyv.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-12-17 22:37 . 2010-01-18 22:10 29344 ----a-w- c:\documents and settings\Elaine\Application Data\Mozilla\Firefox\Profiles\ztt1iuyv.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-12-17 22:37 . 2009-12-26 01:10 67360 ----a-w- c:\documents and settings\Malibu\Application Data\Mozilla\Firefox\Profiles\zptlk83s.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlus_Helper.dll
2009-12-17 22:37 . 2009-12-26 01:10 349552 ----a-w- c:\documents and settings\Malibu\Application Data\Mozilla\Firefox\Profiles\zptlk83s.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe.exe
2009-12-17 22:37 . 2009-12-26 01:10 31936 ----a-w- c:\documents and settings\Malibu\Application Data\Mozilla\Firefox\Profiles\zptlk83s.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-12-17 22:37 . 2009-12-26 01:10 29344 ----a-w- c:\documents and settings\Malibu\Application Data\Mozilla\Firefox\Profiles\zptlk83s.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-12-17 14:31 . 2009-12-17 14:31 1924744 ----a-w- c:\documents and settings\Elaine\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-12-16 18:43 . 2004-08-10 19:01 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-10 18:51 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 04:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2005-11-16 13:03 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-29 03:00 . 2009-11-29 03:00 0 ----a-w- c:\windows\nsreg.dat
2009-11-27 17:11 . 2004-08-10 18:51 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 06:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-10 18:51 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 04:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-10 18:51 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-10 18:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 06:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2004-08-10 18:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-04-17 22:04 . 2007-04-17 22:04 0 ---ha-w- c:\program files\AppUpdate.log
.

((((((((((((((((((((((((((((( SnapShot@2010-02-17_02.43.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-19 01:14 . 2010-02-19 01:14 16384 c:\windows\temp\Perflib_Perfdata_7e0.dat
- 2004-08-10 18:51 . 2010-02-17 01:39 73962 c:\windows\system32\perfc009.dat
+ 2004-08-10 18:51 . 2010-02-19 01:18 73962 c:\windows\system32\perfc009.dat
+ 2010-02-18 00:57 . 2010-02-18 00:57 46392 c:\windows\Installer\{DAC27085-280B-46C0-A145-D4C7DB8AC785}\ProductName.chm.de_E8BE655ADEA641369B5E012FC4DD61C6.exe
+ 2010-02-18 00:57 . 2010-02-18 00:57 75064 c:\windows\Installer\{DAC27085-280B-46C0-A145-D4C7DB8AC785}\DriverDetective.pt_6CF114D33913468CBA2AA6967939B819.exe
+ 2010-02-18 00:57 . 2010-02-18 00:57 75064 c:\windows\Installer\{DAC27085-280B-46C0-A145-D4C7DB8AC785}\DriverDetective.it_251B66F1CA924E82A1EE29E85D5EC5A1.exe
+ 2010-02-18 00:57 . 2010-02-18 00:57 75064 c:\windows\Installer\{DAC27085-280B-46C0-A145-D4C7DB8AC785}\DriverDetective.fr_E1678746353A46E3A9150D3E8B3832B1.exe
+ 2010-02-18 00:57 . 2010-02-18 00:57 75064 c:\windows\Installer\{DAC27085-280B-46C0-A145-D4C7DB8AC785}\DriverDetective.es_654C8EA5162D4D4084239A5EDD67F462.exe
+ 2010-02-18 00:58 . 2010-02-18 00:58 73728 c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.DriverDet#\f174336d77cca9803f143aeba56531e9\DriversHQ.DriverDetective.ExceptionLogging.ni.dll
- 2004-08-10 18:51 . 2010-02-17 01:39 448188 c:\windows\system32\perfh009.dat
+ 2004-08-10 18:51 . 2010-02-19 01:18 448188 c:\windows\system32\perfh009.dat
+ 2010-02-18 00:49 . 2010-02-18 00:48 153376 c:\windows\system32\javaws.exe
- 2009-08-17 04:15 . 2009-07-25 10:23 145184 c:\windows\system32\javaw.exe
+ 2010-02-18 00:49 . 2010-02-18 00:48 145184 c:\windows\system32\javaw.exe
+ 2010-02-18 00:49 . 2010-02-18 00:48 145184 c:\windows\system32\java.exe
- 2009-08-17 04:15 . 2009-07-25 10:23 145184 c:\windows\system32\java.exe
+ 2010-02-18 00:49 . 2010-02-18 00:49 178176 c:\windows\Installer\20558c0.msi
+ 2010-02-18 00:48 . 2010-02-18 00:48 577536 c:\windows\Installer\20558bb.msi
+ 2010-02-18 00:58 . 2010-02-18 00:58 119296 c:\windows\assembly\NativeImages_v2.0.50727_32\XPBurnComponent\0cc40a53f7164b18276f528714befc40\XPBurnComponent.ni.dll
+ 2010-02-18 00:58 . 2010-02-18 00:58 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\af21e3011fb4e107b13ea5c40c351ec4\System.Runtime.Remoting.ni.dll
+ 2010-02-18 00:58 . 2010-02-18 00:58 303616 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Practices#\fd11431610ee99e6f551a75cf7002750\Microsoft.Practices.ObjectBuilder.ni.dll
+ 2010-02-18 00:58 . 2010-02-18 00:58 148992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Practices#\9ab053bddaf1831f7b21e77165a2eef7\Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.ni.dll
+ 2010-02-18 00:58 . 2010-02-18 00:58 309248 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Practices#\05b903398e7615fd16371cce6c4cf6a3\Microsoft.Practices.EnterpriseLibrary.Common.ni.dll
+ 2010-02-18 00:58 . 2010-02-18 00:58 230400 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Applicati#\3003a4c83ac14600b7e3225f934b4d54\Microsoft.ApplicationBlocks.Updater.ni.dll
+ 2010-02-18 00:58 . 2010-02-18 00:58 307200 c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.DriverDet#\7e2dd8bd0295498d5e550f00c088d378\DriversHQ.DriverDetective.Common.ni.dll
+ 2010-02-18 00:58 . 2010-02-18 00:58 296960 c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.DriverDet#\546ee146131e448c9838049fc12a888b\DriversHQ.DriverDetective.Client.Communication.ni.dll
+ 2010-02-18 00:58 . 2010-02-18 00:58 483328 c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.Common\e9cb4203837a8ffad211d0507fd833cf\DriversHQ.Common.ni.dll
+ 2010-02-18 00:58 . 2010-02-18 00:58 1115136 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\ffa1018e8022964eb51025c2c6d8727a\System.Data.OracleClient.ni.dll
+ 2010-02-18 00:58 . 2010-02-18 00:58 3833856 c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.DriverDet#\360f37ca29726e1205b9c687027d144b\DriversHQ.DriverDetective.Client.ni.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="realsched.exe -osboot" [X]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
"EPSON Stylus CX5800F Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE" [2005-05-10 98304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-18 1228800]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-11-16 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\TaxCut Business 2008\\TaxCut2008.exe"=
"c:\\Program Files\\Zune\\Zune.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59418:TCP"= 59418:TCP:@xpsp2res.dll,-22009

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3AB.sys [2005-03-23 450400]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-03 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
DPF: {B1D475FE-75CD-11D2-8301-0060B0B32E16} - hxxps://ca.cdc.gov/vsimport.cab
DPF: {B57F9ACB-FD32-433E-8F30-515B2D8226F6} - hxxps://ca.cdc.gov/sdncode/sdnapp/common/chkperm.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2464)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-18 19:35:51
ComboFix-quarantined-files.txt 2010-02-19 01:35
ComboFix2.txt 2010-02-19 01:25
ComboFix3.txt 2010-02-19 00:44
ComboFix4.txt 2010-02-17 15:16
ComboFix5.txt 2010-02-19 01:33

Pre-Run: 38,252,847,104 bytes free
Post-Run: 38,234,292,224 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 666CA8F5E3D9BB79F04FE6086EF4CE2D


#11 Farbar
    Just Curious
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands
Posted 19 February 2010 - 01:56 AM

I have not abandoned helping. But the system is damaged, either by the malware or by deleting essential parts of Windows and system files. We can address those problems one at a time; you need to be patient please. :)

Please do all the steps fully and in the order they are written and give me feedback about each step.
  1. I see on the log the Coupon Printer for Windows is installed on your computer:
    This program is known to be bundled with adware/spyware.

    For more information please see this:
    A Closer Look at Coupons.com

    To uninstall Coupon Printer for Windows:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please doubleclick the "Add or Remove Programs" icon.
    A list of programs installed will be "populated" this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    Coupon Printer for Windows

    Also delete the folders in bold (if present):

    C:\Program Files\Coupon
    C:\Program Files\Coupons

  2. Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  3. You have still some leftovers from an incomplete uninstalled McAfee AntiVirus on your computer.
    To remove McAfee AntiVirus I recommend you to use McAfee Consumer Product Removal tool (MCPR.exe).

    For download and instruction to use McAfee Consumer Product Removal tool click on majorgeeks.com

  4. Go to start > Run copy and paste the following line in the run box and click OK:

    cmd /c reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc" /f

    A window flashes it is normal.

  5. To repair Safe Mode.
    • Please download SafeBootKeyRepair.exe by sUBs to your desktop from here: http://download.bleepingcomputer.com/sUBs/...otKeyRepair.exe.
    • Close all programs/windows so that you have nothing open and are at your Desktop.
    • Double-click the SafeBootKeyRepair.exe file.
    • When finished, it shall produce a log for you.
    • Copy and paste the entire contents of C:\SafeBoot_Repair.txt in your next reply.

  6. Start in Safe Mode Using the F8 key:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press the Enter key.
    • Log to your usual account. And tell me exactly what happens and how far you go if you are not able to get to Safe Mode.

  7. Go to start > Run copy/paste the following lines one by one in the run box and click OK after each line.

    cmd /c regedit /e c:\log.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}"
    notepad c:\log.txt


    Notepad will open with text in it. Please post the content in your reply.

  8. You need to disable your Avast Antivirus before running GMER.
    • Open Avast.
    • Under avast! settings... windows select Troubleshooting.
    • Check Disable avast! self-defence module.
    • Click OK.

  9. Please run GMER with this settings:
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
      • Show All (this one also should be unchecked)
    • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
    • When the scan is finished, you will see the scan button appears again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.
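
Several of the fixes in this thread are registry edits: the CFScripts in posts #5 and #9 removed a ProxyServer of http=localhost:7171 and a per-interface DNS setting from the HKCU Internet Settings and Tcpip\Parameters\Interfaces keys, and step 4 above deletes the SafeBoot\Minimal\mcmscsvc entry whose empty default value breaks Safe Mode. The Python script below is an added example written for this page, not code from the thread or from any tool mentioned in it. It parses a registry export in .reg format (what regedit /e or reg export produce, as in step 7 above) and runs those three checks over it, so the same triage can be done offline on an export taken from a suspect machine. The .reg text embedded in it is constructed for the demo and reuses the values seen in the logs above; the set of allowed DNS servers is an assumption that you would replace with the resolvers your network actually uses, since an unexpected address is a lead to verify, not proof of compromise.

```python
"""Added example (not from the thread): triage a .reg export for a local
interception proxy, unexpected per-interface DNS servers and broken
SafeBoot\\Minimal entries. SAMPLE_REG is constructed for the demo."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=localhost:7171"
"ProxyOverride"="*.local"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1C5CA96A-0BF8-457E-825A-A839A7C8385A}]
"NameServer"="4.2.2.2,4.2.2.3"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: value}}; '@' is the default value.
    String and dword values are decoded, other types are kept as raw text."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if not m or current is None:
            continue  # file header, blank line, or a continuation we do not need
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            reg[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            reg[current][name] = int(data[6:], 16)
        else:
            reg[current][name] = data
    return reg


LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def find_local_proxies(reg: dict) -> list:
    """ProxyServer values ('host:port' or 'proto=host:port;...') that point at this
    machine, the sign of a locally installed interception proxy -> [(key, value)]."""
    hits = []
    for key, values in reg.items():
        server = values.get("ProxyServer")
        if not key.lower().endswith("\\internet settings") or not isinstance(server, str):
            continue
        for entry in server.split(";"):
            host = entry.split("=", 1)[-1].rsplit(":", 1)[0].strip("[] ").lower()
            if host in LOCAL_HOSTS:
                hits.append((key, server))
                break
    return hits


def find_unexpected_nameservers(reg: dict, allowed: set) -> list:
    """Static NameServer entries on an interface that are not in the allowed set
    -> [(interface GUID, [addresses])]."""
    hits = []
    for key, values in reg.items():
        ns = values.get("NameServer")
        if "\\tcpip\\parameters\\interfaces\\" in key.lower() and isinstance(ns, str) and ns:
            bad = [ip for ip in re.split(r"[ ,]+", ns) if ip and ip not in allowed]
            if bad:
                hits.append((key.rsplit("\\", 1)[1], bad))
    return hits


VALID_SAFEBOOT_TYPES = {"Service", "Driver", "Driver Group"}


def find_broken_safeboot_entries(reg: dict) -> list:
    """SafeBoot\\Minimal subkeys whose default value is not one of the three valid
    types; an empty one, like mcmscsvc here, stops Safe Mode -> [(entry, default)]."""
    marker, hits = "\\safeboot\\minimal\\", []
    for key, values in reg.items():
        idx = key.lower().find(marker)
        if idx >= 0 and values.get("@") not in VALID_SAFEBOOT_TYPES:
            hits.append((key[idx + len(marker):], values.get("@")))
    return hits


def triage(text: str, allowed_dns: set) -> dict:
    reg = parse_reg(text)
    return {
        "local_proxies": find_local_proxies(reg),
        "unexpected_dns": find_unexpected_nameservers(reg, allowed_dns),
        "broken_safeboot": find_broken_safeboot_entries(reg),
    }


if __name__ == "__main__":
    # Assumed LAN resolver for the demo; use the servers your network should be handing out.
    for check, hits in triage(SAMPLE_REG, {"192.168.1.1"}).items():
        print(check, hits)
```

To use it on a real export, run regedit /e on the three keys (or on the whole HKLM\SYSTEM and HKCU hives) and pass the file contents to triage(). A proxy hit should be cross-checked with netstat for a process listening on that local port, and a SafeBoot hit is exactly the entry that reg delete in step 4 removes.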





#12 MalibuMurray
  • Topic Starter
  • Members
  • 33 posts
Posted 20 February 2010 - 03:19 PM

If I have given you the impression that I feel abandoned I apologize, it was not my intention and I will be patient as I know these things take time. I am grateful for your assistance and your patience in helping me through this.

Ok I have removed coupon printer and deleted the files.

I went to the malware site and tried to install but received an error message, so I downloaded it to the desktop and ran it from there here is the log:

Malwarebytes' Anti-Malware 1.44
Database version: 3761
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

02/19/10 10:09:47 AM
mbam-log-2010-02-19 (10-09-47).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 268559
Time elapsed: 49 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\bfcxaq.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.


I have removed the McAfee orphans.

I ran cmd /c reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc" /f

Here is the Safeboot log:

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PEVSystemStart]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\procexp90.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PEVSystemStart]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\procexp90.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\mcmscsvc
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\PEVSystemStart
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\procexp90.Sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WudfSvc




After rebooting ("installed 3 of 3 updates") I tried a safe mode boot and got a blue screen: "a problem has been detected and Windows has shut down to prevent damage....."

The second line of the cmd instructions would not run.
Notepad was blank.

Avast disabled (I previously checked the disable permanently box, but after the changes and rebooting, it starts back up)

Gmer found system modification caused by rootkit activity, the log is too big, see next response.
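A way to audit an export like the one above for the kind of leftover entries the helper goes on to delete, as an added example (not code from the thread): it parses the Registry Editor 5.00 text that regedit /e produces and flags SafeBoot Minimal/Network entries whose default value is empty or missing. The sample export is constructed and trimmed to a few entries.

```python
import re
from collections import defaultdict

# Constructed sample in the "regedit /e" (Registry Editor 5.00) format of the post above.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\mcmscsvc]
@=""
"""

SAFEBOOT_PREFIX = r"hkey_local_machine\system\currentcontrolset\control\safeboot" + "\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def parse_reg_export(text):
    """Map every key path in the export to its default value ('' or None if absent)."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            keys[current] = None      # no @= line seen for this key yet
        elif current is not None and (m := DEFAULT_RE.match(line)):
            keys[current] = m.group(1)
    return keys


def safeboot_entries(keys):
    """Group entries under SafeBoot\\Minimal and SafeBoot\\Network by profile (lower-cased)."""
    profiles = defaultdict(dict)
    for path, default in keys.items():
        if not path.lower().startswith(SAFEBOOT_PREFIX):
            continue
        rest = path[len(SAFEBOOT_PREFIX):]
        if "\\" in rest:              # skip the profile keys themselves
            profile, entry = rest.split("\\", 1)
            profiles[profile.lower()][entry] = default
    return profiles


def find_stale_entries(keys):
    """Sorted (profile, entry) pairs whose default is empty or missing: a healthy entry
    names 'Service', 'Driver' or a driver group; an empty one is a typical uninstall leftover."""
    return sorted((p, e) for p, entries in safeboot_entries(keys).items()
                  for e, d in entries.items() if not d)


def reg_delete_commands(stale):
    """Build the 'reg delete ... /f' lines used in the thread, one per stale entry, for review."""
    return ['reg delete "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\%s\\%s" /f'
            % (profile.capitalize(), entry) for profile, entry in stale]
```

Review the generated lines against the export before running any of them; an entry with an empty default is a candidate, not proof, that the product is gone.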


#13 MalibuMurray

MalibuMurray
  • Topic Starter

  • Members
  • 33 posts
  • Local time:07:33 PM

Posted 20 February 2010 - 03:23 PM

I have tried to attach the Gmer log, but it keeps telling me the file is too big. What should I do? I await your next instructions.



#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:33 AM

Posted 20 February 2010 - 05:49 PM

Thanks for the detailed feedback.

Please disable Windows automatic update for now.

We concentrate on fixing the CD-ROM, as we need it to fix other issues.

Go to Start > Run and type in Notepad.
Make sure that under the Format menu, Word Wrap is unchecked. Copy/paste the following text inside the code box into a new Notepad document.

CODE
rem Export the CD-ROM device class key to its own file: regedit writes Unicode text,
rem so sending the reg output to the same file would overwrite or garble the export.
regedit /e cdrom.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}"
rem Remove the leftover SafeBoot entries; the first command creates log.txt, the rest append to it.
reg delete HKLM\system\currentcontrolset\control\safeboot\minimal\mcmscsvc /f >log.txt 2>&1
reg delete HKLM\system\currentcontrolset\control\safeboot\minimal\PEVSystemStart /f >>log.txt 2>&1
reg delete HKLM\system\currentcontrolset\control\safeboot\minimal\procexp90.Sys /f >>log.txt 2>&1
start log.txt
start cdrom.txt
rem Remove this batch file once it has run.
del %0

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save
  • Close the Notepad.
  • Locate and double-click look.bat on the desktop. It should look like this:
  • Notepad will open with some txt in it. Copy and paste the contents in your next reply.


#15 MalibuMurray

MalibuMurray
  • Topic Starter

  • Members
  • 33 posts
  • Local time:07:33 PM

Posted 21 February 2010 - 06:46 PM

This is the contents of notepad and I await your next instructions.


The operation completed successfully

The operation completed successfully

The operation completed successfully




