USB ports not working, Can't open most programs


  • This topic is locked
15 replies to this topic

#1 TyTy84

Posted 18 February 2010 - 09:00 PM

Hello and I want to thank you in advance for reading this.

I have Windows Vista Home Premium, version 6.0.6002 Service Pack 2, build 6002. I am currently in safe mode with all this.

I can't get anything to work in my USB ports. A message comes up in the lower right-hand corner that says the USB device is not recognized and malfunctioned. This happens with anything I plug into any of the 3 USB ports. They won't even work in safe mode or normal mode. In addition to this problem, most programs won't start up in normal mode, but will in safe mode, even ones that I newly download. An error comes up (in normal mode) with the red circle and white X that says "application " can not be found. Make sure you typed it in correctly and try again". This is not exactly what it says, but similar.

I had a horrible virus a few weeks ago. Norton found them; they were banker.a and something fox? It would tell me my computer was infected and to purchase some anti-virus program. I instead went out and bought Norton because my anti-virus was out of date. After the viruses were all gone, the computer seemed to work fine for a week. Then that is when the programs stopped working and the USB ports stopped working.

I downloaded (in safe mode) Malwarebytes Anti-Malware and it found an additional 12 viruses that Norton didn't find. I got rid of those. It didn't help any of my problems. I did a system restore to 5 days back, and it did not help.



DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Sara at 19:46:48.85 on Thu 02/18/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1789.1303 [GMT -5:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: AdwareAlert *disabled* (Updated) {66614818-E0C6-4D3F-B377-86AFC451F179}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Sara\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSEARCH PAGE = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uWindow Title = Windows Internet Explorer provided by Comcast
mStart Page = hxxp://www.comcast.net/
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.5.0.127\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {f44d8e66-7bb6-49bd-a924-5e0368c00fd1} - c:\program files\video add-on\isfmdl.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: IE Custom Tools: {efaf6ea3-615d-4f83-8748-2f7a576fcea6} - c:\program files\video add-on\ictmdl.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - No File
uRun: [????r]
uRun: [Acer Tour Reminder]
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Acer Tour]
mRun: [SetPanel]
mRun: [eRecoveryService]
mRun: [<NO NAME>]
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: eNetHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\sara\appdata\roaming\mozilla\firefox\profiles\16u4yqcw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.startup.homepage - hxxp://swagbucks.com/?t=w&p=1&q=dudes
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\users\sara\appdata\roaming\mozilla\firefox\profiles\16u4yqcw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SI3112r;ATI-4379 Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [2007-8-29 116264]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1105000.07f\symds.sys [2010-1-29 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1105000.07f\symefa.sys [2010-1-29 172592]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-29 162640]
S1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20100130.002\BHDrvx86.sys [2010-2-2 529456]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1105000.07f\cchpx86.sys [2010-1-29 501888]
S1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20100204.001\IDSvix86.sys [2010-2-5 343088]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1105000.07f\ironx86.sys [2010-1-29 116272]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1105000.07f\symtdiv.sys [2010-1-29 340016]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-29 19024]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-1-29 51792]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-29 40384]
S2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.5.0.127\ccsvchst.exe [2010-1-29 126392]
S2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-29 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-29 40384]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-2 102448]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-21 21504]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]

=============== Created Last 30 ================

2010-02-17 22:02:08 0 d-----w- c:\program files\AxBx
2010-02-17 20:45:52 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-17 20:45:52 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-17 20:45:08 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-17 20:45:06 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-02-17 20:44:19 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-02-17 20:44:18 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-17 20:44:18 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-17 20:44:18 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-17 20:44:17 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-17 20:44:17 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-17 20:44:15 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-17 20:44:15 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-17 20:44:14 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-02-17 20:43:29 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 20:43:28 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-17 20:22:22 0 d-----w- c:\users\sara\appdata\roaming\Tific
2010-02-17 19:49:43 0 d-----w- c:\program files\TeamViewer
2010-02-17 17:16:47 0 d-----w- c:\users\sara\appdata\roaming\QuickScan
2010-02-16 18:15:41 0 d-----w- c:\users\sara\appdata\roaming\Malwarebytes
2010-02-16 18:15:36 0 d-----w- c:\programdata\Malwarebytes
2010-02-16 18:15:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-02 17:30:51 44080 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-01-29 23:34:47 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-29 23:34:47 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-29 23:34:47 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-29 23:34:25 0 d-----w- c:\program files\Symantec
2010-01-29 23:33:45 0 d-----w- c:\windows\system32\drivers\NAV
2010-01-29 23:33:42 0 d-----w- c:\program files\Norton AntiVirus
2010-01-29 23:26:28 0 d-----w- c:\programdata\PCSettings
2010-01-29 23:24:13 0 d-----w- c:\programdata\NortonInstaller
2010-01-29 23:24:13 0 d-----w- c:\program files\NortonInstaller
2010-01-29 17:16:45 0 d-----w- c:\users\sara\appdata\roaming\CBS Interactive
2010-01-29 17:12:43 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-01-29 17:11:59 0 d-----w- c:\programdata\Alwil Software

==================== Find3M ====================

2010-02-02 17:30:46 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-02 17:30:46 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-02 17:30:46 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-16 22:22:27 737280 ----a-w- c:\windows\iun6002.exe
2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-20 16:32:57 7904 ----a-w- c:\users\sara\appdata\roaming\mindhabits.dat
2009-11-18 08:20:42 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-05-27 03:16:40 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-16 18:30:32 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-05-30 23:37:00 88 --sha-r- c:\windows\system32\0F5B291909.sys
2007-03-09 08:12:32 27648 --sha-w- c:\windows\system32\AVSredirect.dll
2008-05-30 23:37:08 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-03-17 13:39:09 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008031020080317\index.dat
2008-03-17 13:39:09 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008031720080318\index.dat
2008-03-19 14:17:07 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008031920080320\index.dat
2008-03-22 13:44:26 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008032220080323\index.dat
2008-03-22 13:44:26 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\internet explorer\userdata\index.dat
2009-05-14 13:31:34 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-05-14 13:31:34 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-05-14 13:31:34 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 19:50:41.46 ===============
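A first-pass triage of the pseudo-HJT lines in the log above, as an added example that is not part of the original thread or of the DDS tool. DDS_EXCERPT is a hand-picked subset of lines copied from the log; the rule names, the severities and the second "shares a directory with a flagged entry" pass are my own assumptions about how to read such a log, not anything DDS itself does. What it surfaces is the per-user proxy forced through a listener on 127.0.0.1:5555, the DLL registered under AppInit_DLLs (loaded into every process that links user32.dll), an unnamed BHO and the named toolbar that ships next to it in the same "video add-on" directory, the garbled autorun names, and the WinPcap packet-filter driver (npf.sys).

```python
import re

# Constructed excerpt of the first DDS log in this thread (Pseudo HJT, Firefox
# and Services sections); "hxxp" is DDS's own defanging of "http".
DDS_EXCERPT = r"""
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {f44d8e66-7bb6-49bd-a924-5e0368c00fd1} - c:\program files\video add-on\isfmdl.dll
TB: IE Custom Tools: {efaf6ea3-615d-4f83-8748-2f7a576fcea6} - c:\program files\video add-on\ictmdl.dll
uRun: [????r]
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [<NO NAME>]
IE: {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php
AppInit_DLLs: eNetHook.dll
FF - prefs.js: network.proxy.type - 4
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
"""

GUID = r"\{[0-9a-f-]{36}\}"

# (severity, rule name, pattern). Rule names and severities are this example's
# own; the first matching rule wins, so the list is ordered by importance.
RULES = [
    ("HIGH", "proxy-loopback",            # browser traffic relayed through a local listener
     re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.\d+\.\d+\.\d+|localhost):\d+", re.I)),
    ("HIGH", "appinit-dll",               # DLL injected into every process that loads user32.dll
     re.compile(r"^AppInit_DLLs:\s*\S")),
    ("MEDIUM", "unnamed-bho-or-toolbar",  # CLSID with no friendly name but a file on disk
     re.compile(r"^(?:BHO|TB):\s*" + GUID + r"\s*-\s*(?!No File)\S", re.I)),
    ("MEDIUM", "garbled-run-name",        # autorun whose value name is non-ASCII or empty
     re.compile(r"^[um]Run:\s*\[(?:[^\]]*\?[^\]]*|<NO NAME>)\]")),
    ("MEDIUM", "ie-extension-remote-url", # IE extension button that opens a remote URL
     re.compile(r"^IE:\s*" + GUID + r"\s*-\s*h(?:tt|xx)ps?://", re.I)),
    ("LOW", "orphaned-entry",             # registry entry whose file is gone
     re.compile(r"\s-\s*No File\s*$")),
    ("INFO", "ff-proxy-not-direct",       # Firefox proxy type 1=manual, 2=PAC URL, 4=auto-detect
     re.compile(r"network\.proxy\.type\s*-\s*[124]$")),
    ("INFO", "packet-capture-driver",     # WinPcap's npf.sys; legitimate only if a sniffer is installed
     re.compile(r"\bnpf\.sys\b", re.I)),
]

# Directory part of the first Windows file path on a line (greedy up to the last backslash).
PATH = re.compile(r"([a-z]:\\.*\\)[^\\\s]+\.(?:dll|exe|sys)\b", re.I)


def _directory(line):
    """Lower-cased directory of the first file path on the line, or None."""
    m = PATH.search(line)
    return m.group(1).lower() if m else None


def triage(log_text):
    """Return one finding dict per suspicious line: rule hits first, then
    entries that live in the same directory as a HIGH/MEDIUM hit."""
    findings = []
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    for line in lines:
        for severity, rule, pattern in RULES:
            if pattern.search(line):
                findings.append({"severity": severity, "rule": rule, "line": line})
                break
    # Second pass: a named, innocent-looking toolbar installed beside a flagged
    # BHO is normally part of the same package, so it inherits the suspicion.
    flagged_dirs = {d for f in findings if f["severity"] in ("HIGH", "MEDIUM")
                    for d in [_directory(f["line"])] if d}
    already = {f["line"] for f in findings}
    for line in lines:
        if line not in already and _directory(line) in flagged_dirs:
            findings.append({"severity": "MEDIUM", "rule": "shares-dir-with-flagged", "line": line})
    return findings


SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}


def report(findings):
    """Plain-text report, most severe first."""
    return "\n".join(f"{f['severity']:<6} {f['rule']:<26} {f['line']}"
                     for f in sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]]))


if __name__ == "__main__":
    print(report(triage(DDS_EXCERPT)))
```

Run as-is it prints ten findings: the two HIGH items (the loopback proxy and the AppInit DLL) are the ones that explain the symptoms reported, since a process that proxies every browser request and a DLL loaded into every GUI process both survive a reboot and a clean-up of the obvious adware. The "IE Custom Tools" toolbar is only caught by the directory pass; it has a friendly name and a live file, which is exactly why a pattern-only pass would let it through. A signed-vendor whitelist (AVG, Symantec, Microsoft paths) would be the obvious next filter on a real log.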



#2 Farbar

  • Security Developer

Posted 19 February 2010 - 01:23 PM

Hi TyTy84,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files with one another, as the name suggests. In today's world cybercrime has grown to an enormous scale, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

Removal Instructions
  1. Please uninstall Alcohol 120 for now until we are done, as it might interfere with our fixes.

  2. I do not recommend having more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files that are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False alarms: when the anti-virus software tells you that your PC has a virus when it actually doesn't.
    2) System performance problems: your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to Programs and Features in the Control Panel and remove either Avast or Norton. If you have a Norton subscription I recommend that you keep Norton and uninstall Avast.

  3. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @ECHO OFF
    REM Clear the per-user IE/WinINET proxy (the log shows http=127.0.0.1:5555)
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    REM Clear the machine-wide WinHTTP proxy. proxycfg.exe is the XP/2003 tool and is
    REM not shipped with Vista, where "netsh winhttp" replaces it, so run both.
    proxycfg -d
    netsh winhttp reset proxy
    REM Stop and remove the NPF (WinPcap packet filter) driver service, then its file
    sc stop NPF
    sc delete NPF
    del /a /f /q c:\windows\system32\drivers\npf.sys
    REM The batch file deletes itself when done
    del %0
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: remove.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and right-click remove.bat and select "Run as Administrator".

  4. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  5. Reboot the computer.

  6. Please run DDS and post a fresh DDS.txt to your reply and tell me if you notice any change.


#3 TyTy84

  • Topic Starter

Posted 19 February 2010 - 04:32 PM

Thank you for your reply. I followed all the steps. I do not notice any difference. It still has all the same symptoms. I am attaching the Malwarebytes log.



Malwarebytes' Anti-Malware 1.44
Database version: 3763
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18882

2/19/2010 4:14:39 PM
mbam-log-2010-02-19 (16-14-39).txt

Scan type: Quick Scan
Objects scanned: 100964
Time elapsed: 8 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijacker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Mirar (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PLayMP3z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\fbrowsingadvisor_is1 (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MultiMedia Software (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\FBrowsingAdvisor\unins000.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Sara at 16:26:50.80 on Fri 02/19/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1789.1320 [GMT -5:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: AdwareAlert *disabled* (Updated) {66614818-E0C6-4D3F-B377-86AFC451F179}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Sara\Downloads\dds(2).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSEARCH PAGE = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uWindow Title = Windows Internet Explorer provided by Comcast
mStart Page = hxxp://www.comcast.net/
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.5.0.127\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {f44d8e66-7bb6-49bd-a924-5e0368c00fd1} - c:\program files\video add-on\isfmdl.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: IE Custom Tools: {efaf6ea3-615d-4f83-8748-2f7a576fcea6} - c:\program files\video add-on\ictmdl.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - No File
uRun: [????r]
uRun: [Acer Tour Reminder]
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Acer Tour]
mRun: [SetPanel]
mRun: [eRecoveryService]
mRun: [<NO NAME>]
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: eNetHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\sara\appdata\roaming\mozilla\firefox\profiles\16u4yqcw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.startup.homepage - hxxp://swagbucks.com/?t=w&p=1&q=dudes
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\users\sara\appdata\roaming\mozilla\firefox\profiles\16u4yqcw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SI3112r;ATI-4379 Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [2007-8-29 116264]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1105000.07f\symds.sys [2010-1-29 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1105000.07f\symefa.sys [2010-1-29 172592]
S1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20100130.002\BHDrvx86.sys [2010-2-2 529456]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1105000.07f\cchpx86.sys [2010-1-29 501888]
S1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20100204.001\IDSvix86.sys [2010-2-5 343088]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1105000.07f\ironx86.sys [2010-1-29 116272]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1105000.07f\symtdiv.sys [2010-1-29 340016]
S2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.5.0.127\ccsvchst.exe [2010-1-29 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-2 102448]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-21 21504]

=============== Created Last 30 ================

2010-02-19 20:52:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 20:52:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-17 20:45:52 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-17 20:45:52 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-17 20:45:08 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-17 20:45:06 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-02-17 20:44:19 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-02-17 20:44:18 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-17 20:44:18 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-17 20:44:18 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-17 20:44:17 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-17 20:44:17 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-17 20:44:15 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-17 20:44:15 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-17 20:44:14 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-02-17 20:43:29 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 20:43:28 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-17 20:22:22 0 d-----w- c:\users\sara\appdata\roaming\Tific
2010-02-17 19:49:43 0 d-----w- c:\program files\TeamViewer
2010-02-17 17:16:47 0 d-----w- c:\users\sara\appdata\roaming\QuickScan
2010-02-16 18:15:41 0 d-----w- c:\users\sara\appdata\roaming\Malwarebytes
2010-02-16 18:15:36 0 d-----w- c:\programdata\Malwarebytes
2010-02-16 18:15:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-02 17:30:51 44080 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-01-29 23:34:47 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-29 23:34:47 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-29 23:34:47 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-29 23:34:25 0 d-----w- c:\program files\Symantec
2010-01-29 23:33:45 0 d-----w- c:\windows\system32\drivers\NAV
2010-01-29 23:33:42 0 d-----w- c:\program files\Norton AntiVirus
2010-01-29 23:26:28 0 d-----w- c:\programdata\PCSettings
2010-01-29 23:24:13 0 d-----w- c:\programdata\NortonInstaller
2010-01-29 23:24:13 0 d-----w- c:\program files\NortonInstaller
2010-01-29 17:16:45 0 d-----w- c:\users\sara\appdata\roaming\CBS Interactive
2010-01-29 17:11:59 0 d-----w- c:\programdata\Alwil Software

==================== Find3M ====================

2010-02-02 17:30:46 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-02 17:30:46 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-02 17:30:46 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-16 22:22:27 737280 ----a-w- c:\windows\iun6002.exe
2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-20 16:32:57 7904 ----a-w- c:\users\sara\appdata\roaming\mindhabits.dat
2009-11-18 08:20:42 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-05-27 03:16:40 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-16 18:30:32 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-05-30 23:37:00 88 --sha-r- c:\windows\system32\0F5B291909.sys
2007-03-09 08:12:32 27648 --sha-w- c:\windows\system32\AVSredirect.dll
2008-05-30 23:37:08 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-03-17 13:39:09 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008031020080317\index.dat
2008-03-17 13:39:09 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008031720080318\index.dat
2008-03-19 14:17:07 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008031920080320\index.dat
2008-03-22 13:44:26 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008032220080323\index.dat
2008-03-22 13:44:26 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\internet explorer\userdata\index.dat
2009-05-14 13:31:34 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-05-14 13:31:34 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-05-14 13:31:34 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 16:30:07.23 ===============

Edited by farbar, 19 February 2010 - 05:48 PM.


#4 Farbar

Posted 19 February 2010 - 05:51 PM

Please copy and paste the log unless otherwise requested. Thanks.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

Edited by farbar, 20 February 2010 - 07:24 AM.
Spelling


#5 TyTy84

Posted 19 February 2010 - 07:17 PM

I ran ComboFix; it said regedit is missing and to copy it from another computer.

#6 Farbar

Posted 20 February 2010 - 07:34 AM

Do you have access to another computer with Vista installed or Vista installation DVD?

If you have access to another computer or know somebody who does, what we need is regedit.exe, located in the C:\Windows directory.
It should be put in the C:\Windows directory of the infected computer.

#7 TyTy84

Posted 20 February 2010 - 07:45 PM

OK, I put in the regedit. Now I get an error that says "REGT.cfxxe - Application Error The application failed to initialize properly (0xc0000142). Click OK to terminate the application."

#8 Farbar

Posted 20 February 2010 - 08:16 PM

Run Command Prompt as administrator:
  • Click on Start button.
  • Type Cmd in the Start Search text box.
  • Press Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator.
  • Copy and paste the following in the command window and post the content of the log that opens:

    dir /a c:\windows\regedit.exe >log.txt&start log.txt


#9 Farbar

Posted 20 February 2010 - 08:25 PM

Please don't miss my previous post and tell me also if you are running ComboFix in normal mode or in Safe Mode with Networking.

#10 TyTy84

Posted 20 February 2010 - 09:10 PM

I just read your posts. I didn't get to do your previous step before I did ComboFix. I ran ComboFix in Safe Mode with Networking since I cannot open it in normal mode without an error.

ComboFix 10-02-20.03 - Sara 02/20/2010 20:14:10.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1789.1055 [GMT -5:00]
Running from: C:\Users\Sara\Downloads\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\hh.exe . . . is infected!!

C:\Windows\ehome\ehprivjob.exe . . . is infected!!

C:\Windows\System32\calc.exe . . . is infected!!

C:\Windows\System32\choice.exe . . . is infected!!

C:\Windows\System32\pcaelv.exe . . . is infected!!

C:\Windows\System32\sbunattend.exe . . . is infected!!

C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe . . . is infected!!

C:\Windows\System32\ucsvc.exe . . . is infected!!

C:\Windows\System32\where.exe . . . is infected!!

C:\Windows\System32\write.exe . . . is infected!!

C:\Windows\System32\migwiz\mighost.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-21 01:53:33 . 2010-02-21 01:59:37 -------- d-----w- C:\Users\Sara\AppData\Local\temp
2010-02-21 01:53:33 . 2010-02-21 01:53:33 -------- d-----w- C:\Users\Default\AppData\Local\temp
2010-02-21 01:13:03 . 2010-02-21 01:13:23 -------- d-----w- C:\32788R22FWJFW
2010-02-21 00:39:01 . 2010-02-21 00:39:03 146432 ----a-w- C:\Windows\regedit.exe
2010-02-20 23:14:38 . 2010-02-20 23:24:56 -------- d-----w- C:\PROGRA~2\SpeedyPC
2010-02-19 20:52:59 . 2010-01-07 21:07:14 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
2010-02-19 20:52:31 . 2010-01-07 21:07:04 19160 ----a-w- C:\Windows\system32\drivers\mbam.sys
2010-02-17 20:45:52 . 2009-12-11 11:43:30 302080 ----a-w- C:\Windows\system32\drivers\srv.sys
2010-02-17 20:45:52 . 2009-12-11 11:43:11 98816 ----a-w- C:\Windows\system32\drivers\srvnet.sys
2010-02-17 20:45:08 . 2009-12-08 20:01:08 904776 ----a-w- C:\Windows\system32\drivers\tcpip.sys
2010-02-17 20:45:06 . 2009-12-08 17:26:18 30720 ----a-w- C:\Windows\system32\drivers\tcpipreg.sys
2010-02-17 20:44:19 . 2009-12-04 18:29:41 1314816 ----a-w- C:\Windows\system32\quartz.dll
2010-02-17 20:44:18 . 2009-12-04 18:30:05 12288 ----a-w- C:\Windows\system32\tsbyuv.dll
2010-02-17 20:44:18 . 2009-12-04 18:28:52 22528 ----a-w- C:\Windows\system32\msyuv.dll
2010-02-17 20:44:18 . 2009-12-04 18:28:51 31744 ----a-w- C:\Windows\system32\msvidc32.dll
2010-02-17 20:44:17 . 2009-12-04 18:28:49 13312 ----a-w- C:\Windows\system32\msrle32.dll
2010-02-17 20:44:17 . 2009-12-04 18:28:21 50176 ----a-w- C:\Windows\system32\iyuv_32.dll
2010-02-17 20:44:15 . 2009-12-04 18:28:51 123904 ----a-w- C:\Windows\system32\msvfw32.dll
2010-02-17 20:44:15 . 2009-12-04 18:28:27 82944 ----a-w- C:\Windows\system32\mciavi32.dll
2010-02-17 20:44:14 . 2009-12-04 18:27:12 91136 ----a-w- C:\Windows\system32\avifil32.dll
2010-02-17 20:43:29 . 2009-12-04 15:56:09 105984 ----a-w- C:\Windows\system32\drivers\mrxsmb.sys
2010-02-17 20:43:28 . 2009-12-04 15:56:16 212992 ----a-w- C:\Windows\system32\drivers\mrxsmb10.sys
2010-02-17 20:22:22 . 2010-02-17 20:22:22 -------- d-----w- C:\Users\Sara\AppData\Roaming\Tific
2010-02-17 20:21:57 . 2010-02-17 20:21:57 -------- d-----w- C:\Users\Sara\AppData\Local\Symantec
2010-02-17 19:49:43 . 2010-02-17 19:49:43 -------- d-----w- C:\Program Files\TeamViewer
2010-02-17 17:16:47 . 2010-02-17 17:18:33 -------- d-----w- C:\Users\Sara\AppData\Roaming\QuickScan
2010-02-16 18:15:41 . 2010-02-16 18:15:41 -------- d-----w- C:\Users\Sara\AppData\Roaming\Malwarebytes
2010-02-16 18:15:36 . 2010-02-16 18:15:36 -------- d-----w- C:\PROGRA~2\Malwarebytes
2010-02-16 18:15:35 . 2010-02-19 20:53:04 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-02-02 17:30:51 . 2009-12-03 06:09:48 44080 ----a-r- C:\Windows\system32\drivers\SymIMV.sys
2010-01-29 23:42:57 . 2010-02-17 20:37:33 -------- d-----w- C:\Users\Sara\AppData\Local\CrashDumps
2010-01-29 23:34:47 . 2010-01-29 23:34:25 124976 ----a-w- C:\Windows\system32\drivers\SYMEVENT.SYS
2010-01-29 23:34:25 . 2010-01-29 23:34:47 -------- d-----w- C:\Program Files\Symantec
2010-01-29 23:33:45 . 2010-02-02 17:31:01 -------- d-----w- C:\Windows\system32\drivers\NAV
2010-01-29 23:33:42 . 2010-01-29 23:33:45 -------- d-----w- C:\Program Files\Norton AntiVirus
2010-01-29 23:26:28 . 2010-01-29 23:26:28 -------- d-----w- C:\PROGRA~2\PCSettings
2010-01-29 23:24:13 . 2010-01-29 23:35:32 -------- d-----w- C:\PROGRA~2\NortonInstaller
2010-01-29 23:24:13 . 2010-01-29 23:24:14 -------- d-----w- C:\Program Files\NortonInstaller
2010-01-29 17:16:45 . 2010-01-29 17:16:45 100096 ----a-w- C:\Users\Sara\AppData\Roaming\CBS Interactive\CNET TechTracker\uninst.exe
2010-01-29 17:16:45 . 2010-01-29 17:16:45 -------- d-----w- C:\Users\Sara\AppData\Roaming\CBS Interactive
2010-01-29 17:11:59 . 2010-02-19 20:32:21 -------- d-----w- C:\PROGRA~2\Alwil Software
2010-01-29 17:11:59 . 2010-01-29 17:11:59 -------- d-----w- C:\Program Files\Alwil Software
2010-01-29 16:28:23 . 2010-01-30 00:27:06 -------- d-----w- C:\Users\Sara\AppData\Local\shcxpa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 22:32:41 . 2008-01-11 20:14:32 -------- d-----w- C:\Users\Sara\AppData\Roaming\OpenOffice.org2
2010-02-20 20:57:43 . 2008-01-11 20:16:15 1 ----a-w- C:\Users\Sara\AppData\Roaming\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-02-20 00:00:20 . 2009-02-01 02:42:54 -------- d-----w- C:\PROGRA~2\Google Updater
2010-02-19 22:37:57 . 2008-05-19 22:51:08 1356 ----a-w- C:\Users\Sara\AppData\Local\d3d9caps.dat
2010-02-17 21:39:20 . 2006-11-02 11:18:33 -------- d-----w- C:\Program Files\Windows Mail
2010-02-17 20:08:55 . 2010-01-12 22:09:29 -------- d-----w- C:\Users\Sara\AppData\Roaming\Winamp
2010-02-17 20:08:54 . 2009-12-20 18:51:58 -------- d-----w- C:\PROGRA~2\PMB Files
2010-02-17 20:08:53 . 2008-12-22 22:52:43 -------- d-----w- C:\Program Files\MindHabits Trainer
2010-02-02 20:04:41 . 2008-01-04 00:01:33 -------- d-----w- C:\Users\Sara\AppData\Roaming\dvdcss
2010-01-29 23:35:34 . 2007-01-22 02:46:21 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2010-01-29 23:34:25 . 2010-01-29 23:34:47 805 ----a-w- C:\Windows\system32\drivers\SYMEVENT.INF
2010-01-29 23:34:25 . 2010-01-29 23:34:47 7443 ----a-w- C:\Windows\system32\drivers\SYMEVENT.CAT
2010-01-29 23:28:44 . 2007-01-22 02:46:35 -------- d-----w- C:\PROGRA~2\Symantec
2010-01-29 23:26:27 . 2009-12-16 03:28:27 -------- d-----w- C:\PROGRA~2\Norton
2010-01-29 03:14:27 . 2009-10-01 04:08:42 0 ----a-w- C:\Users\Sara\AppData\Local\prvlcl.dat
2010-01-24 09:05:27 . 2007-07-03 02:28:53 -------- d-----w- C:\Users\Sara\AppData\Roaming\uTorrent
2010-01-17 16:16:58 . 2007-11-09 21:59:38 -------- d-----w- C:\Users\Sara\AppData\Roaming\Vso
2010-01-16 22:53:10 . 2008-06-25 15:17:52 -------- d-----w- C:\Program Files\Replay AV 8
2010-01-16 22:26:09 . 2007-01-22 02:18:30 -------- d--h--w- C:\Program Files\InstallShield Installation Information
2010-01-16 22:25:43 . 2010-01-16 22:25:43 -------- d-----w- C:\Program Files\YouSendIt
2010-01-16 22:24:22 . 2008-06-25 15:19:36 -------- d-----w- C:\Program Files\WinPcap
2010-01-16 22:22:27 . 2008-06-25 15:18:24 737280 ----a-w- C:\Windows\iun6002.exe
2010-01-14 16:12:06 . 2009-10-03 05:05:16 181120 ------w- C:\Windows\system32\MpSigStub.exe
2010-01-13 13:29:40 . 2007-08-02 02:20:22 -------- d-----w- C:\Program Files\YahELite
2010-01-12 22:13:52 . 2010-01-12 22:13:52 -------- d-----w- C:\Program Files\Common Files\NSV
2010-01-12 22:12:03 . 2007-06-10 00:16:03 -------- d-----w- C:\Program Files\Winamp
2010-01-12 22:09:53 . 2010-01-12 22:09:53 -------- d-----w- C:\Program Files\Winamp Detect
2010-01-02 06:38:20 . 2010-01-22 06:41:19 916480 ----a-w- C:\Windows\system32\wininet.dll
2010-01-02 06:32:33 . 2010-01-22 06:41:18 71680 ----a-w- C:\Windows\system32\iesetup.dll
2010-01-02 06:32:33 . 2010-01-22 06:41:18 109056 ----a-w- C:\Windows\system32\iesysprep.dll
2010-01-02 04:57:00 . 2010-01-22 06:41:18 133632 ----a-w- C:\Windows\system32\ieUnatt.exe
2009-12-20 20:03:09 . 2009-12-20 20:03:09 45056 ----a-r- C:\Users\Sara\AppData\Roaming\Microsoft\Installer\{A6CCAEF5-F141-4BBE-A6DA-EA8A8362C7A6}\MapleStory.exe1_A6CCAEF5F1414BBEA6DAEA8A8362C7A6.exe
2009-12-20 20:03:09 . 2009-12-20 20:03:09 45056 ----a-r- C:\Users\Sara\AppData\Roaming\Microsoft\Installer\{A6CCAEF5-F141-4BBE-A6DA-EA8A8362C7A6}\MapleStory.exe_A6CCAEF5F1414BBEA6DAEA8A8362C7A6.exe
2009-12-20 20:03:09 . 2009-12-20 20:03:09 10134 ----a-r- C:\Users\Sara\AppData\Roaming\Microsoft\Installer\{A6CCAEF5-F141-4BBE-A6DA-EA8A8362C7A6}\ARPPRODUCTICON.exe
2009-12-20 16:32:57 . 2008-12-22 22:58:22 7904 ----a-w- C:\Users\Sara\AppData\Roaming\mindhabits.dat
2008-05-30 23:37:00 . 2007-06-18 02:14:32 88 --sha-r- C:\Windows\System32\0F5B291909.sys
2007-03-09 08:12:32 . 2007-03-09 08:12:32 27648 --sha-w- C:\Windows\System32\AVSredirect.dll
2008-05-30 23:37:08 . 2007-06-18 02:14:32 2828 --sha-w- C:\Windows\System32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-01-19 07:33:33 . 07F60601E8D2A0B99BA2D9897C9C51B9 . 25088 . . [6.0.6000.16386 (vista_rtm.061101-2205)] . . C:\Windows\System32\userinit.exe

[-] 2006-11-02 09:45:00 . D53CBCE4C7E4823CA801DC464386147D . 8704 . . [6.0.6000.16386 (vista_rtm.061101-2205)] . . C:\Windows\System32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
SetupExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\?????????]
??????????????e [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoStockPlus Uploader Tool]
PSPUploaderCore.dll\PSPUploader.exe -sleep [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2006-12-07 22:37:16 1261568 ----a-w- C:\Program Files\Acer Assist\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2006-12-13 18:55:32 3166208 ----a-w- C:\Program Files\Acer Registration\ACE1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]
2007-01-14 19:38:48 151552 ----a-w- C:\Acer\AcerTour\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2008-04-01 17:21:56 61440 ----a-r- C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2006-09-28 19:21:04 57344 ----a-w- C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 17:25:22 202560 ----a-w- C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33:09 125952 ----a-w- C:\Windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Let's Just Play Challenge Tracker]
2008-04-26 02:25:02 1369432 ----a-w- C:\Program Files\Let's Just Play Challenge Tracker\Let's Just Play Challenge Tracker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2006-12-08 08:24:00 614400 ----a-w- C:\PROGRA~1\LAUNCH~1\LManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-02-20 19:22:34 4363504 ----a-w- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05:46 200704 ----a-w- C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2006-12-01 05:37:00 4186112 ----a-w- C:\Windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 16:17:18 61440 ----a-w- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 09:19:17 148888 ----a-w- C:\Program Files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-10-23 03:00:36 815104 ----a-w- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-30 20:23:00 198160 ----a-w- C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45:08 313472 ----a-r- C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33:39 202240 ----a-w- C:\Program Files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(8):2b,42,80,c4,94,3d,ca,01

R0 SI3112r;ATI-4379 Serial ATA Controller;C:\Windows\System32\drivers\SI3112r.sys [8/29/2007 2:04:04 AM 116264]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\NAV\1105000.07F\symds.sys [1/29/2010 10:44:54 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\NAV\1105000.07F\symefa.sys [1/29/2010 10:44:54 PM 172592]
S1 BHDrvx86;BHDrvx86;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100130.002\BHDrvx86.sys [2/2/2010 3:35:44 PM 529456]
S1 ccHP;Symantec Hash Provider;C:\Windows\System32\drivers\NAV\1105000.07F\cchpx86.sys [1/29/2010 10:44:53 PM 501888]
S1 IDSVix86;IDSVix86;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100204.001\IDSvix86.sys [2/5/2010 6:30:21 PM 343088]
S1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\NAV\1105000.07F\ironx86.sys [1/29/2010 10:44:53 PM 116272]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;C:\Windows\System32\drivers\NAV\1105000.07F\symtdiv.sys [1/29/2010 10:44:54 PM 340016]
S2 NAV;Norton AntiVirus;C:\Program Files\Norton AntiVirus\Engine\17.5.0.127\ccsvchst.exe [1/29/2010 10:44:36 PM 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/2/2010 3:31:52 AM 102448]
S4 sptd;sptd;C:\Windows\System32\drivers\sptd.sys [3/24/2009 10:39:28 AM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-02-20 C:\Windows\Tasks\Google Software Updater.job
- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-01 02:42:50 . 2009-03-24 02:09:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uSEARCH PAGE = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uWindow Title = Windows Internet Explorer provided by Comcast
mStart Page = hxxp://www.comcast.net/
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - C:\Users\Sara\AppData\Roaming\Mozilla\Firefox\Profiles\16u4yqcw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.startup.homepage - hxxp://swagbucks.com/?t=w&p=1&q=dudes
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - prefs.js: network.proxy.type - 4
FF - component: C:\Program Files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false.
.
------- File Associations -------
.
regedit=regedit.exe "%1"
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
BHO-{F44D8E66-7BB6-49BD-A924-5E0368C00FD1} - C:\Program Files\Video Add-on\isfmdl.dll
Toolbar-{EFAF6EA3-615D-4F83-8748-2F7A576FCEA6} - C:\Program Files\Video Add-on\ictmdl.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
MSConfigStartUp-AlcoholAutomount - C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe
MSConfigStartUp-ALUAlert - C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
MSConfigStartUp-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-LVCOMSX - C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
MSConfigStartUp-ManyCam - C:\Program Files\ManyCam 2.2\ManyCam.exe
MSConfigStartUp-Symantec PIF AlertEng - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
AddRemove-AnyDVD - C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - C:\Program Files\DivX\DivXCodecUninstall.exe
AddRemove-Move Networks Player - IE - C:\Users\Sara\AppData\Roaming\Move Networks\ie_bin\Uninst.exe




#11 TyTy84

TyTy84
  • Topic Starter

  • Members
  • 8 posts

Posted 20 February 2010 - 09:15 PM

Volume in drive C is ACER
Volume Serial Number is 78D7-BC92

Directory of c:\windows

02/20/2010 07:39 PM 146,432 regedit.exe
1 File(s) 146,432 bytes
0 Dir(s) 21,884,379,136 bytes free

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 21 February 2010 - 07:14 AM

QUOTE(farbar @ Feb 20 2010, 01:34 PM)
Do you have access to another computer with Vista installed or Vista installation DVD?

If you have access to another computer or know somebody, what we need is regedit.exe, located in the C:\Windows directory.
It should be put in the C:\Windows directory of the infected computer.


It surprised me how you managed to read this post selectively and totally miss the emphasis on Vista. What you have done is take a regedit.exe file from a Windows XP and put it on a Vista OS. Please remove regedit.exe again.

From the ComboFix log and the way Computer is functioning I get the impression the prior infection is much more serious. Many system files are removed and many look infected. We are going to research that.

Click on this link--> virustotal

Click the browse button. Copy and paste the lines in bold in the open box, then click Send File after pasting one line. You will only be able to have one file scanned at a time.

C:\Windows\hh.exe
C:\Windows\System32\calc.exe
C:\Windows\System32\pcaelv.exe
C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\System32\ucsvc.exe


If the file has been analysed before, click the Reanalyse File Now button.
Please copy and paste a couple of the results and attach the rest of the scan in your next post.



#13 TyTy84

TyTy84
  • Topic Starter

  • Members
  • 8 posts

Posted 21 February 2010 - 08:37 AM

File hh.exe received on 2010.02.21 13:14:11 (UTC)
Result: 4/41 (9.76%)


Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.21 -
AhnLab-V3 5.0.0.2 2010.02.20 -
AntiVir 8.2.1.170 2010.02.19 -
Antiy-AVL 2.0.3.7 2010.02.19 -
Authentium 5.2.0.5 2010.02.20 -
Avast 4.8.1351.0 2010.02.21 -
AVG 9.0.0.730 2010.02.21 -
BitDefender 7.2 2010.02.21 -
CAT-QuickHeal 10.00 2010.02.19 -
ClamAV 0.96.0.0-git 2010.02.21 -
Comodo 4011 2010.02.21 -
DrWeb 5.0.1.12222 2010.02.21 -
eSafe 7.0.17.0 2010.02.18 -
eTrust-Vet 35.2.7315 2010.02.20 -
F-Prot 4.5.1.85 2010.02.20 -
F-Secure 9.0.15370.0 2010.02.19 -
Fortinet 4.0.14.0 2010.02.21 W32/Virut.CE
GData 19 2010.02.21 -
Ikarus T3.1.1.80.0 2010.02.21 -
Jiangmin 13.0.900 2010.02.21 -
K7AntiVirus 7.10.979 2010.02.20 -
Kaspersky 7.0.0.125 2010.02.17 -
McAfee 5898 2010.02.20 -
McAfee+Artemis 5898 2010.02.20 -
McAfee-GW-Edition 6.8.5 2010.02.19 Heuristic.LooksLike.Win32.Suspicious.H!94
Microsoft 1.5406 2010.02.21 -
NOD32 4883 2010.02.20 Win32/Virut.NBP
Norman 6.04.08 2010.02.21 -
nProtect 2009.1.8.0 2010.02.21 -
Panda 10.0.2.2 2010.02.21 -
PCTools 7.0.3.5 2010.02.21 -
Prevx 3.0 2010.02.21 -
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.21 -
Sunbelt 5690 2010.02.20 -
Symantec 20091.2.0.41 2010.02.21 Suspicious.Insight
TheHacker 6.5.1.5.202 2010.02.21 -
TrendMicro 9.120.0.1004 2010.02.21 -
VBA32 3.12.12.2 2010.02.21 -
ViRobot 2010.2.19.2194 2010.02.19 -
VirusBuster 5.0.27.0 2010.02.20 -
Additional information
File size: 31744 bytes
MD5...: 1da7f19cf06f2843be073f81d9e9b15d
SHA1..: 18bda5e84a9cec98845785ea77415e3e030a4a1b
SHA256: 5d0fb5e837d98298908b8cf0037c83064d981f3287d247d5eb32b24416674b26
ssdeep: 768:JPtm7bj3w7d8/ZMaHq9MqrL8GMTm6Sok0T6:JVOjwhoZM9M8L8G9VY
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1b2f
timedatestamp.....: 0x4549b636 (Thu Nov 02 09:11:18 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1600 0x1600 6.28 246383c7a47c97dbed9d1b448c8224a6
.data 0x3000 0x380 0x200 0.30 26d2af9b5ae35538e55951b8e598e42b
.rsrc 0x4000 0x1ba0 0x1c00 3.71 9765d0da6d2482adda6c805dd4f93a0e
.reloc 0x6000 0x200 0x200 4.57 7ce9ec4eb40e829c58dd1f470e64cff1

( 3 imports )
> ADVAPI32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> KERNEL32.dll: ExpandEnvironmentStringsA, FreeLibrary, GetProcAddress, LoadLibraryA, HeapSetInformation, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, GetStartupInfoA, InterlockedCompareExchange, Sleep, InterlockedExchange, UnhandledExceptionFilter
> msvcrt.dll: __p__commode, __set_app_type, _terminate@@YAXXZ, _except_handler4_common, _controlfp, _adjust_fdiv, __setusermatherr, _amsg_exit, _initterm, _acmdln, exit, _ismbblead, _XcptFilter, _exit, _cexit, __getmainargs, memset, _vsnprintf, __p__fmode

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: HTML Help
description..: Microsoft_ HTML Help Executable
original name: HH.exe
internal name: HH 1.41
file version.: 6.0.6000.16386 (vista_rtm.061101-2205)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

File calc.exe received on 2010.02.21 13:19:06 (UTC)
Result: 5/41 (12.2%)


Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.21 -
AhnLab-V3 5.0.0.2 2010.02.20 -
AntiVir 8.2.1.170 2010.02.19 -
Antiy-AVL 2.0.3.7 2010.02.19 -
Authentium 5.2.0.5 2010.02.20 -
Avast 4.8.1351.0 2010.02.21 Win32:Virut-VY
AVG 9.0.0.730 2010.02.21 -
BitDefender 7.2 2010.02.21 -
CAT-QuickHeal 10.00 2010.02.19 -
ClamAV 0.96.0.0-git 2010.02.21 -
Comodo 4011 2010.02.21 -
DrWeb 5.0.1.12222 2010.02.21 -
eSafe 7.0.17.0 2010.02.18 -
eTrust-Vet 35.2.7315 2010.02.20 -
F-Prot 4.5.1.85 2010.02.20 -
F-Secure 9.0.15370.0 2010.02.19 -
Fortinet 4.0.14.0 2010.02.21 W32/Virut.CE
GData 19 2010.02.21 Win32:Virut-VY
Ikarus T3.1.1.80.0 2010.02.21 -
Jiangmin 13.0.900 2010.02.21 -
K7AntiVirus 7.10.979 2010.02.20 -
Kaspersky 7.0.0.125 2010.02.17 -
McAfee 5898 2010.02.20 -
McAfee+Artemis 5898 2010.02.20 -
McAfee-GW-Edition 6.8.5 2010.02.19 -
Microsoft 1.5406 2010.02.21 -
NOD32 4883 2010.02.20 Win32/Virut.NBP
Norman 6.04.08 2010.02.21 -
nProtect 2009.1.8.0 2010.02.21 -
Panda 10.0.2.2 2010.02.21 -
PCTools 7.0.3.5 2010.02.21 -
Prevx 3.0 2010.02.21 -
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.21 -
Sunbelt 5690 2010.02.20 -
Symantec 20091.2.0.41 2010.02.21 Suspicious.Insight
TheHacker 6.5.1.5.202 2010.02.21 -
TrendMicro 9.120.0.1004 2010.02.21 -
VBA32 3.12.12.2 2010.02.21 -
ViRobot 2010.2.19.2194 2010.02.19 -
VirusBuster 5.0.27.0 2010.02.20 -
Additional information
File size: 193024 bytes
MD5...: 281be0eb18ba32f3ac717b27badc854d
SHA1..: aeee105659c525092d87eb5a786ad1a553eccc88
SHA256: 0607dc499634ef5d08246551f5f0291404ef89cb7292b5bb0d5f213032aaa622
ssdeep: 3072:9o4C5XtgQXAg/lwv2thx0/rMslbsmpD6d0L3caBQ3mVtJboh17VgiC:+tXtgU/PjsrMslb9NI0L3caBQ6gVg
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x126fe
timedatestamp.....: 0x4549b0be (Thu Nov 02 08:47:58 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x12e00 0x12e00 6.14 72b37b81e253223ab8ec3db85a86211c
.data 0x14000 0x131c 0xa00 3.62 7c7bc84663fbcdb5b3bb512c37590f4c
.rsrc 0x16000 0x158e8 0x15a00 7.40 d952b27c3ad7ac87717d5ddda911e96c
.reloc 0x2c000 0x1a00 0x1a00 6.43 6634666e7dc1e56c1997a2138b17467d

( 9 imports )
> SHELL32.dll: ShellAboutW
> ADVAPI32.dll: RegCreateKeyW, RegSetValueExW, RegQueryValueExW, RegCloseKey
> OLEAUT32.dll: -, -
> ole32.dll: CoCreateInstance
> ntdll.dll: WinSqmAddToStream
> KERNEL32.dll: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCommandLineW, GetProfileIntW, LocalAlloc, LocalFree, lstrcmpW, GetProfileStringW, LocalReAlloc, TerminateProcess, lstrlenW, CloseHandle, WaitForSingleObject, SetEvent, CreateThread, CreateEventW, ResetEvent, GlobalUnlock, GlobalSize, GlobalLock, Sleep, GlobalFree, GlobalAlloc, GlobalReAlloc, GetCurrentProcess, GetModuleHandleA, SetUnhandledExceptionFilter, GetStartupInfoA, InterlockedCompareExchange, HeapSetInformation, UnhandledExceptionFilter, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, InterlockedExchange
> GDI32.dll: SetTextColor, CreateFontIndirectW, SelectObject, DeleteObject, SetBkColor, SetBkMode
> USER32.dll: SetDlgItemTextW, CheckMenuItem, CheckMenuRadioItem, SetWindowPos, OffsetRect, MapWindowPoints, GetClientRect, EnableWindow, LoadMenuW, SetWindowLongW, GetWindowLongW, GetMenu, CreateDialogParamW, GetDlgItem, DestroyMenu, DestroyWindow, SetMenu, GetWindowRect, SystemParametersInfoW, DispatchMessageW, TranslateMessage, TranslateAcceleratorW, IsChild, IsDialogMessageW, GetMessageW, LoadAcceleratorsW, SendMessageW, LoadStringW, SetProcessDefaultLayout, GetProcessDefaultLayout, SetProcessDPIAware, SetCursor, SetFocus, SetWindowTextW, CheckRadioButton, GetSubMenu, MessageBeep, MessageBoxW, EndDialog, DialogBoxParamW, GetSysColor, CloseClipboard, CharNextA, GetClipboardData, OpenClipboard, CallWindowProcW, HideCaret, DefWindowProcW, EnableMenuItem, IsClipboardFormatAvailable, GetDlgCtrlID, PostQuitMessage, DrawTextW, CheckDlgButton, GetWindowTextW, SetDlgItemInt, CharNextW, RegisterClassExW, GetSysColorBrush, LoadCursorW, LoadIconW, InvalidateRect, UpdateWindow, ShowWindow, CreateWindowExW
> msvcrt.dll: _wcsrev, __getmainargs, _cexit, _exit, _XcptFilter, _ismbblead, exit, _acmdln, _initterm, _amsg_exit, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __3@YAXPAX@Z, __1type_info@@UAE@XZ, _terminate@@YAXXZ, _except_handler4_common, _controlfp, memmove, toupper, _CxxThrowException, wcstoul, __CxxFrameHandler3, memset, memcpy, wcschr

( 0 exports )
RDS...: NSRL Reference Data Set
-
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows Calculator
original name: CALC.EXE
internal name: CALC
file version.: 6.0.6000.16386 (vista_rtm.061101-2205)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)




#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 21 February 2010 - 08:54 AM

That is what I suspected and I'm afraid I have bad news.

QUOTE
Virut is a polymorphic file infector with some additional features. It spreads all around the drive and infects even files infected by another virus previously. The only symptoms are a strange HDD activity while infecting, and also unwanted TCP traffic. Virut tries to connect you into an IRC network under the user name "Virtu" and zombify you. Unfortunately, the cleaning of this virus is very difficult or almost impossible.


QUOTE
The virus remains resident in memory and infects executable files with ".EXE" and ".SCR" file extensions.


Its damage to the system is almost beyond repair, as it disables Windows File Protection:
QUOTE
The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.


http://www.ca.com/us/securityadvisor/virus...s.aspx?id=55141

Therefore all those running processes are most probably now the virus agent.

The only fast and safe answer to the virus is reformatting and reinstalling windows.
You may backup non-executable (data) files and reformat the entire hard drive.

Note that files with the following extensions should not be backed up: .exe/.scr/.htm/.html/.xml/.zip/.rar/.asp/.php
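To make the backup advice in the post above concrete, here is an added example (not code from the thread, from Farbar, or from any tool named here) that walks a source directory, separates files that may be backed up from those whose extension is on the excluded list, and additionally hashes every file against known-bad SHA256 values so that an infected binary saved under a harmless-looking name is still caught. The extension list is the one given in the post; the two SHA256 values are the ones VirusTotal reported for hh.exe and calc.exe earlier in this thread. The sample directory tree and the "disguised copy" in the second demo are constructed for the demonstration.

```python
"""Backup-set filter for a file-infector cleanup: exclude infectable file types
and flag files whose hash matches a known-bad value.

Added example for this thread; it assumes only a local directory tree.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions the post says must not be backed up after a Virut infection.
EXCLUDED_EXTENSIONS = frozenset(
    {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar", ".asp", ".php"}
)

# SHA256 values VirusTotal reported for the two samples submitted in this thread.
KNOWN_BAD_SHA256 = {
    "5d0fb5e837d98298908b8cf0037c83064d981f3287d247d5eb32b24416674b26":
        "hh.exe as submitted in this thread (Virut detections)",
    "0607dc499634ef5d08246551f5f0291404ef89cb7292b5bb0d5f213032aaa622":
        "calc.exe as submitted in this thread (Virut detections)",
}


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(root, known_bad=None):
    """Walk `root` and sort every file into one of three buckets.

    Returns (keep, skip, hits): relative POSIX paths of files that may be
    backed up, files excluded because of their extension, and files whose
    hash matches a known-bad value. A hash hit wins over the extension rule,
    because a renamed copy of an infected binary is still infected.
    """
    root = Path(root)
    known_bad = KNOWN_BAD_SHA256 if known_bad is None else known_bad
    keep, skip, hits = [], [], {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            digest = sha256_of(path)
            if digest in known_bad:
                hits[rel] = known_bad[digest]
                continue
            # Case-insensitive: Windows treats SETUP.EXE and setup.exe alike.
            if path.suffix.lower() in EXCLUDED_EXTENSIONS:
                skip.append(rel)
            else:
                keep.append(rel)
    return sorted(keep), sorted(skip), hits


def build_sample_tree(root):
    """Create a small constructed directory tree (sample data, not real files)."""
    samples = {
        "docs/report.txt": b"quarterly numbers",
        "docs/notes.TXT": b"upper-case extension check",
        "photos/holiday.jpg": b"\xff\xd8\xff\xe0fake-jpeg",
        "apps/Setup.EXE": b"MZ\x90\x00not-a-real-binary",
        "site/index.html": b"<html></html>",
        "archive/old.zip": b"PK\x03\x04",
    }
    for rel, data in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return samples


def demo(known_bad=None):
    """Classify the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return classify(tmp, known_bad)


def demo_renamed_copy():
    """Show the hash check catching a binary saved under a harmless name.

    The 'known-bad' hash is that of a constructed file, not of a real sample.
    """
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        disguised = Path(tmp) / "docs" / "invoice.pdf"
        disguised.write_bytes(b"MZ\x90\x00different-constructed-bytes")
        bad = {sha256_of(disguised): "constructed sample for the demo"}
        return classify(tmp, bad)


if __name__ == "__main__":
    keep, skip, hits = demo()
    print("backup:", keep)
    print("excluded by extension:", skip)
    print("known-bad hash matches:", hits)
    print("renamed-copy demo hits:", demo_renamed_copy()[2])
```

Point `classify()` at the real source tree before copying anything off the machine; anything that lands in `hits` or `skip` stays behind, and only `keep` goes to the backup medium. The hash list is deliberately a plain dictionary so that hashes from a scanner report can be pasted in without changing the code.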

#15 TyTy84

TyTy84
  • Topic Starter

  • Members
  • 8 posts

Posted 21 February 2010 - 09:10 AM

Ok, thank you so much for your time and patience.



