Can't figure this one out..still not able to logon to XP media edition


  • This topic is locked
44 replies to this topic

#1 sherri235

  • Members
  • 46 posts
  • Gender:Female
  • Location:From Chicago...I'm moving to Oregon very soon

Posted 22 February 2010 - 08:25 PM

Hello then. I have two OSes on a Dell desktop and cannot log into or access Media Edition. Originally there was a virus (not sure which one), as Webroot caught it and froze, leaving the loop issue, etc.
Running scans and viewing files through OTLPE as I can't access XP Media Edition. I can only work within the Home Edition OEM that I installed while trying to boot, repair, scan for viruses, etc. Here are a few logs. It is coming up on a month, so I am just about done with fixes, as I have recovered that which was important to us. Any suggestions or ideas are appreciated.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-15 12:46:30
Windows 5.1.2600 Service Pack 2
Running: qfsqboig.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdipow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF7F660B0]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat F715EC8A

---- EOF - GMER 1.0.15 ----



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/18/2010 at 03:33 PM

Application Version : 4.33.1000

Core Rules Database Version : 4446
Trace Rules Database Version: 1978

Scan type : Complete Scan
Total Scan Time : 02:35:43

Memory items scanned : 200
Memory threats detected : 0
Registry items scanned : 2735
Registry threats detected : 0
File items scanned : 83378
File threats detected : 10

Malware.Installer-Pkg/Gen
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{651956B7-1969-42AA-9453-E0B813019D54}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE

Adware.CouponBar
C:\WINDOWS\SYSTEM32\CPNPRT2.CID


****AND PLEASE NOTE DATE OF 01-24-10 and anything just before, as this is when it all went downhill.

DDS_BootCD_Version (Ver_09-10-04.01) - NTFS
Run at 20:08:08.06 on Wed 02/17/2010
Internet Explorer: 8.0.6001.18702

============== Pseudo HJT Report ===============

S-1-5-21-2685193742-759588468-4150277841-500_Start Page = hxxp://att.yahoo.com
S-1-5-21-2685193742-759588468-4150277841-500_Search Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
S-1-5-21-2685193742-759588468-4150277841-500_Search Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
S-1-5-21-2685193742-759588468-4150277841-500_Default_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-rel
mWinlogon: Userinit=c:\windows\system32\winlogon32.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
S-1-5-21-2685193742-759588468-4150277841-1005_Run: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
S-1-5-21-2685193742-759588468-4150277841-1005_Run: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
S-1-5-21-2685193742-759588468-4150277841-1005_Run: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
S-1-5-21-2685193742-759588468-4150277841-1005_Run: [CrawlerNotes] "c:\progra~1\crawler\notes\cnotes.exe" /notes
S-1-5-21-2685193742-759588468-4150277841-500_Run: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
S-1-5-21-2685193742-759588468-4150277841-500_Run: [DellSupport-] "c:\program files\dell support\DSAgnt.exe" /startup
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe"
mRun: [igfxpers] "c:\windows\system32\igfxpers.exe"
mRun: [SigmatelSysTrayApp] "stsystra.exe"
mRun: [IntelMeM] "c:\program files\intel\modem event monitor\IntelMEM.exe"
mRun: [dla] "c:\windows\system32\dla\tfswctrl.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [YBrowser] "c:\progra~1\yahoo!\browser\ybrwicon.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
mRun: [smss32.exe] c:\windows\system32\smss32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\arcsoft\MCC Monitor.exe
S-1-5-21-2685193742-759588468-4150277841-1005_Policies-explorer: NoSetActiveDesktop = 1 (0x1)
S-1-5-21-2685193742-759588468-4150277841-1005_Policies-explorer: NoActiveDesktopChanges = 1 (0x1)
S-1-5-21-2685193742-759588468-4150277841-1005_Policies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {035E680E-B668-472F-91F3-E850BCC5051F} - c:\program files\crawler\notes\CNotes.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: ameritrade.com\wwws
Trusted Zone: TDAMERITRAD
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

.IntelC51; \*
drvncdb; [x]
ILADFtmi; [x]
Outlook; [x]
ppsio2; [x]
SeaPort; "c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe"
ssfs0bbc; system32\DRIVERS\ssfs0bbc.sys
Viewpoint Manager Service; "c:\program files\viewpoint\common\ViewpointService.exe"
WRConsumerService; "c:\program files\webroot\webrootsecurity\WRConsumerService.exe"
{3373661F-8083-4217-A234-354AE8EFE6E8}; [x]
{80956DAC-B517-4384-B1B1-D359C09F1406}; [x]

=============== Created Last 30 ================

2010-02-15 00:10 <DIR> --d----- c:\program files\SUPERAntiSpyware
2010-02-14 23:22 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2010-02-14 18:46 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-02-14 09:43 <DIR> --d----- c:\windows\HOME
2010-01-24 18:14 0 a------- c:\windows\system32\26500.exe
2010-01-24 17:53 0 a------- c:\windows\system32\6334.exe
2010-01-24 17:33 0 a------- c:\windows\system32\18467.exe
2010-01-24 17:13 0 a------- c:\windows\system32\41.exe
2010-01-24 17:13 0 a------- c:\windows\system32\IS15.exe
2010-01-24 17:13 0 a------- c:\windows\system32\helper32.dll

==================== Find3M ====================

2010-01-23 20:25 2,467,050 a------- c:\windows\system32\drivers\IntelC51.sys
2010-01-23 00:11 5,852 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-12-21 08:19 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-11-21 10:51 471,552 a------- c:\windows\apppatch\aclayers.dll
2009-11-21 10:51 471,552 -------- c:\windows\system32\dllcache\aclayers.dll
2009-08-26 17:02 18,015,723 a------- c:\documents and settings\all users\application data\vlc-1.0.1-win32.exe
2007-12-17 17:40 262,144 a------- c:\documents and settings\all users\NTUSER.DAT
1998-08-24 15:09 10,000 a------- c:\windows\inf\unregpn.exe
2006-03-23 01:07 104 ---shr-- c:\windows\system32\BD5FDF9F82.sys
2009-02-12 15:33 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021220090213\index.dat

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.9
AIM 6
AiO_Scan_CDA
AiOSoftwareNPI
AOLIcon
ArcSoft Media Card Companion
ArcSoft MediaConverter
ArcSoft MediaConverter 2
ArcSoft PhotoImpression 5
AT&T Yahoo! Applications
AT&T Yahoo! Music Jukebox
BufferChm
C4100
c4100_Help
Corel Paint Shop Pro Photo XI
Coupon Printer for Windows
CP_CalendarTemplates1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
Crawler Desktop Notes
Crawler Toolbar
Critical Update for Windows Media Player 11 (KB959772)
CueTour
CustomerResearchQFolder
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
Destinations
DeviceManagementQFolder
Digital Content Portal
DocProc
DocProcQFolder
DocumentViewer
DocumentViewerQFolder
EducateU
eSupportQFolder
Fax_CDA
FullDPAppQFolder
GemMaster Mystic
Get High Speed Internet!
Google
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Hanes® T-ShirtMaker® Lite 3.0.0
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Product Assistant
HP Solution Center 7.0
HP Update
HPPhotoSmartExpress
HPProductAssistant
InstallMgr
InstantShareDevices
InstantShareDevicesMFC
Intel® 537EP V9x DF PCI Modem
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 14
KODAK EASYSHARE Gallery Upload ActiveX Control
Learn2 Player (Uninstall Only)
Logitech QuickCam
Logitech QuickCam Driver Package
Logitech Updater
Macromedia Flash Player
MarketResearch
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Search Enhancement Pack
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 2000
Mininova-Vuze Toolbar
Modem Event Monitor
Modem Helper
Modem On Hold
Move Networks Media Player for Internet Explorer
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
Musicmatch for Windows Media Player
NewCopy_CDA
OCR Software by I.R.I.S 7.0
PanoStandAlone
PaperPort 7.02
PhotoGallery
PMP DV
PowerDVD 5.5
ProductContextNPI
QuickTime
RandMap
Readme
RealPlayer Basic
Rhapsody Player Engine
Scan
ScannerCopy
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SkinsHP1
SlideShow
SolutionCenter
Sonic DLA
Sonic Encoders
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic_PrimoSDK
Spy Sweeper Core
Status
TarantellaDance
Toolbox
TrayApp
Ulead COOL 360 1.0
Ulead Photo Explorer 4.2
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Media Format SDK (KB902344)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
VLC media player 0.9.2
Vuze
WebCyberCoach 3.2 Dell
WebFldrs XP
WebReg
Webroot AntiVirus with Spy Sweeper
WildTangent Web Driver
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Yahoo! BrowserPlus
Yahoo! Photos Easy Upload Tool
Yahoo! Photos Print-at-Home Tool

============= FINISH: 20:08:24.46 ===============

Edited by sherri235, 22 February 2010 - 08:29 PM.
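
The DDS report above already contains the entries a malware responder would flag by hand: a Userinit value pointing at winlogon32.exe instead of the default userinit.exe, a Run entry named smss32.exe, a DisableTaskMgr policy, and a burst of zero-byte .exe/.dll files created in system32 on 2010-01-24. The script below is an added example; it is not part of this thread and is not the DDS tool by sUBs. It encodes those checks as generic persistence heuristics and runs them over a constructed excerpt of the log posted above. The rule names, the default-Userinit constant and the list of imitated process names are this example's own assumptions, and a hit is a lead for the analyst to verify, not a verdict.

```python
"""Triage of a DDS "Pseudo HJT Report" / "Created Last 30" excerpt.

Added example for this thread; it is not part of the DDS tool or of any
post here. The rules are generic persistence heuristics, the sample
lines are an excerpt copied from the log posted above, and the finding
labels are this example's own naming (an assumption, not DDS output).
"""
import re

# Default Userinit on 32-bit Windows XP. DDS shows the path without the
# trailing comma the registry value normally carries, so compare path by path.
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"

# Core Windows process names that malware imitates by appending digits
# (smss32.exe, winlogon32.exe) or by reusing the name outside system32.
CORE_PROCESS_STEMS = ("smss", "csrss", "winlogon", "lsass", "svchost", "services")

# Constructed excerpt of the DDS log from the first post.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\winlogon32.exe
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
mRun: [smss32.exe] c:\windows\system32\smss32.exe
S-1-5-21-2685193742-759588468-4150277841-1005_Policies-system: DisableTaskMgr = 1 (0x1)
2010-02-15 00:10 <DIR> --d----- c:\program files\SUPERAntiSpyware
2010-01-24 17:13 0 a------- c:\windows\system32\41.exe
2010-01-24 17:13 0 a------- c:\windows\system32\helper32.dll
"""

USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(.+)$", re.I)
# mRun (HKLM) or <SID>_Run (HKU) entries: "[name] "quoted path" args" or "[name] path args"
RUN_RE = re.compile(r'^(?:m|S-1-5-[\d-]+_)Run:\s*\[[^\]]+\]\s*(?:"([^"]+)"|(\S+))', re.I)
POLICY_RE = re.compile(r"Policies-system:\s*(DisableTaskMgr|DisableRegistryTools)\s*=\s*1\b", re.I)
# "Created Last 30" file lines: date time size attrs path (directories show <DIR>, not a size)
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(\d[\d,]*)\s+\S+\s+(.+)$")


def looks_like_core_impostor(path: str) -> bool:
    """True if the file name imitates a core Windows process."""
    low = path.strip().lower()
    name = low.rsplit("\\", 1)[-1]
    stem = name[:-4] if name.endswith((".exe", ".dll")) else name
    for core in CORE_PROCESS_STEMS:
        if stem == core:
            # The real binary lives only in system32; elsewhere it is a decoy.
            return low != "c:\\windows\\system32\\" + core + ".exe"
        if stem.startswith(core) and stem[len(core):].isdigit():
            return True
    return False


def triage(log_text: str) -> list:
    """Return (rule, evidence) tuples for lines matching a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = USERINIT_RE.match(line)
        if m:
            # Userinit may be a comma-separated list; every entry must be the default.
            for entry in m.group(1).split(","):
                entry = entry.strip().lower()
                if entry and entry != EXPECTED_USERINIT:
                    findings.append(("userinit-hijack", entry))
            continue
        m = RUN_RE.match(line)
        if m:
            path = (m.group(1) or m.group(2)).lower()
            if looks_like_core_impostor(path):
                findings.append(("run-impostor", path))
            continue
        m = POLICY_RE.search(line)
        if m:
            findings.append(("policy-lockout", m.group(1)))
            continue
        m = CREATED_RE.match(line)
        if m:
            size, path = m.group(1), m.group(2).strip().lower()
            # Zero-byte droppers left in system32 are worth listing for removal.
            if size == "0" and path.startswith("c:\\windows\\system32\\") \
                    and path.endswith((".exe", ".dll")):
                findings.append(("zero-byte-system32", path))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:22} {evidence}")
```

Run against the excerpt it reports the Userinit replacement, the smss32.exe Run entry, the Task Manager lockout and the two zero-byte files, and stays silent on the legitimate ehTray and Spy Sweeper entries. A Userinit entry that is not userinit.exe is the single most important line here: it runs at every interactive logon before the shell, which is why removing the file without restoring the value leaves the machine unable to log on.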



#2 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 25 February 2010 - 12:24 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 sherri235
  • Topic Starter

  • Members
  • 46 posts
  • Gender:Female
  • Location:From Chicago...I'm moving to Oregon very soon

Posted 27 February 2010 - 11:55 PM

Thank you, I must not have email notification on or I would've jumped at this reply. This began on 1/23-1/24, a few days after someone installed a new security program - so much for that. It seems there were also simultaneous MS updates, etc. around this time. During a scan the system froze with objects quarantined. I had also written a note next to the machine indicating Explorer had an LSP error, assert in LSP, etc. This was last month.
Today the infected desktop has not seen the internet, as I can see through scanning, registry research and safe mode with networking that the root / trojan agent will not go away. I have never had the system connected yet, and the only fixes I have not tried are ones that are meant for the experts: ComboFix and HijackThis. I have, however, run the rootkill and GMER logs as well as RootRepeal (today), which showed some problems. All I have done is scan, so hopefully I haven't made anything too much worse. I am able to log on to Windows XP Media Center Edition: the browser seems hijacked and there are multiple keys pointing to MSN g .com, which I discovered by trying to add/remove programs, particularly the MSN toolbar, which had some default to NOT uninstall, but I got through that. Now the keys etc. are all pointed towards MSN as defaults. Also this infection dumped the MyWebSearch deal on us and games which no one plays. Sorry for the length, I will now refrain and post and follow direction, thank you.

Attached File  Attach3.zip   4.64KB   9 downloads
Attached File  DDS3.zip   4.35KB   9 downloads

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/26/2010 7:31:50 PM
mbam-log3-2010-02-26 (19-31-35).txt

Scan type: Quick Scan
Objects scanned: 154480
Time elapsed: 6 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\{F9197A7E-CE10-458e-85F8-5B0CE6DF2BBE} (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:

***NOTE this root/key always comes back even after deletion and reboot**

#4 sherri235
  • Topic Starter

  • Members
  • 46 posts
  • Gender:Female
  • Location:From Chicago...I'm moving to Oregon very soon

Posted 01 March 2010 - 12:47 PM

Sorry, there are newer logs and the GMER log I omitted. Something has happened since RootRepeal ran; perhaps it took the TCP/UDP changes and hidden registry keys out of hiding? Uh oh, hope I didn't mess it up more... for the first time GMER shows a lot of issues/rootkits. Here is the newer GMER log that you asked for. It looks like I have a lot more problems with this trojan agent and hackers.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-28 15:14:48
Windows 5.1.2600 Service Pack 3
Running: qfsqboig.exe; Driver: C:\DOCUME~1\LAURIE~1\LOCALS~1\Temp\pwtdapog.sys


---- System - GMER 1.0.15 ----

SSDT 82D96B70 ZwAllocateVirtualMemory
SSDT 82DC9498 ZwCreateKey
SSDT 82D99200 ZwCreateProcess
SSDT 82D96020 ZwCreateProcessEx
SSDT 82D96E40 ZwCreateThread
SSDT 82D99458 ZwDeleteKey
SSDT 82D99278 ZwDeleteValueKey
SSDT 82D96BE8 ZwQueueApcThread
SSDT 82D96A80 ZwReadVirtualMemory
SSDT 82D993E0 ZwRenameKey
SSDT 82D96CD8 ZwSetContextThread
SSDT 82D99368 ZwSetInformationKey
SSDT 82D96F30 ZwSetInformationProcess
SSDT 82D96D50 ZwSetInformationThread
SSDT 82D992F0 ZwSetValueKey
SSDT 82D96EB8 ZwSuspendProcess
SSDT 82D96C60 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA62F0B0]
SSDT 82D96DC8 ZwTerminateThread
SSDT 82D96AF8 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 82C04988
Device \Driver\Tcpip \Device\Ip 82D19960
Device \Driver\Tcpip \Device\Ip 82BA0EA8
Device \Driver\Tcpip \Device\Ip 82AD2340
Device \Driver\Tcpip \Device\Ip 8298F108
Device \Driver\Tcpip \Device\Ip 828384B8
Device \Driver\Tcpip \Device\Tcp 82C04988
Device \Driver\Tcpip \Device\Tcp 82D19960
Device \Driver\Tcpip \Device\Tcp 82BA0EA8
Device \Driver\Tcpip \Device\Tcp 82AD2340
Device \Driver\Tcpip \Device\Tcp 8298F108
Device \Driver\Tcpip \Device\Tcp 828384B8
Device \Driver\Tcpip \Device\Udp 82C04988
Device \Driver\Tcpip \Device\Udp 82D19960
Device \Driver\Tcpip \Device\Udp 82BA0EA8
Device \Driver\Tcpip \Device\Udp 82AD2340
Device \Driver\Tcpip \Device\Udp 8298F108
Device \Driver\Tcpip \Device\Udp 828384B8
Device \Driver\Tcpip \Device\RawIp 82C04988
Device \Driver\Tcpip \Device\RawIp 82D19960
Device \Driver\Tcpip \Device\RawIp 82BA0EA8
Device \Driver\Tcpip \Device\RawIp 82AD2340
Device \Driver\Tcpip \Device\RawIp 8298F108
Device \Driver\Tcpip \Device\RawIp 828384B8
Device \Driver\Tcpip \Device\IPMULTICAST 82C04988
Device \Driver\Tcpip \Device\IPMULTICAST 82D19960
Device \Driver\Tcpip \Device\IPMULTICAST 82BA0EA8
Device \Driver\Tcpip \Device\IPMULTICAST 82AD2340
Device \Driver\Tcpip \Device\IPMULTICAST 8298F108
Device \Driver\Tcpip \Device\IPMULTICAST 828384B8

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\Disk \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074 F882FBDE
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Threads - GMER 1.0.15 ----

Thread System [4:120] F883093A
---- Processes - GMER 1.0.15 ----

Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehSched.exe [176] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [312] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\PROGRA~1\Yahoo!\browser\ycommon.exe [324] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [700] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1024] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1040] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1084] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1412] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1776] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\ehome\mcrdsvc.exe [2424] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2976] 0x35670000

---- EOF - GMER 1.0.15 ----




*This looks very bad. I'm glad I never tried to get online; I just want Internet Explorer out of my life for a while.
Attached File: DDS_.zip (4.15KB)
Attached File: Attach_.zip (4.67KB)

Edited by sherri235, 01 March 2010 - 12:57 PM.
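Two things in the GMER log above stand out to a responder and are worth pulling out of the raw text programmatically rather than by eye: the same hidden DLL, loaded from a UNC path on a bare IP address, mapped at one base address (0x35670000) in eleven processes including lsass.exe and several svchost.exe instances, and a set of SSDT hooks that GMER could attach to no module on disk (the one it could attribute belongs to SUPERAntiSpyware's SASKUTIL.sys). The following is an added example, not GMER's code and not posted by anyone in the thread; it parses an excerpt of the log above and groups those findings. The regular expressions are written against the line shapes visible in this particular log, so treating them as GMER's general output format is an assumption.

```python
import re
from collections import defaultdict

# Process-section line: Library <path> [(*** hidden *** )] @ <image path> [<pid>] 0x<base>
LIBRARY = re.compile(
    r"^Library\s+(?P<path>\S+)\s+(?P<hidden>\(\*\*\* hidden \*\*\* \)\s+)?@\s+"
    r"(?P<process>.+?)\s+\[(?P<pid>\d+)\]\s+0x(?P<base>[0-9A-Fa-f]+)$"
)
# System-section line: SSDT <hex address | module path (vendor)> <ZwFunction> [0xaddr]
SSDT = re.compile(r"^SSDT\s+(?P<target>.+?)\s+(?P<func>Zw\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?$")
BARE_ADDRESS = re.compile(r"^[0-9A-Fa-f]{8}$")   # GMER printed no owning module
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")           # \\host\share\... : a network location


def parse_gmer(text):
    """Pull Library and SSDT entries out of a GMER log; every other line is ignored."""
    libraries, hooks = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := LIBRARY.match(line):
            libraries.append({"path": m["path"], "hidden": m["hidden"] is not None,
                              "process": m["process"], "pid": int(m["pid"]),
                              "base": int(m["base"], 16)})
        elif m := SSDT.match(line):
            hooks.append({"target": m["target"], "func": m["func"]})
    return {"libraries": libraries, "ssdt": hooks}


def triage(parsed):
    """Group the findings the way a responder reads them off the log.

    remote_modules:     DLLs mapped from a UNC path, i.e. from a network location,
                        with the images they were found in.
    shared_hidden_base: a hidden module sitting at one fixed base across many processes
                        points to a single injector; the value is the process count.
    unattributed_hooks: SSDT entries GMER could tie to no module on disk.
    attributed_hooks:   SSDT entries owned by a named driver (a security product here),
                        kept apart so a known product is not lumped in with the rest.
    """
    remote, hidden = defaultdict(set), defaultdict(set)
    for lib in parsed["libraries"]:
        if UNC_PATH.match(lib["path"]):
            remote[lib["path"]].add(lib["process"])
        if lib["hidden"]:
            hidden[(lib["path"], lib["base"])].add(lib["pid"])
    unattributed, attributed = [], defaultdict(list)
    for hook in parsed["ssdt"]:
        if BARE_ADDRESS.match(hook["target"]):
            unattributed.append(hook["func"])
        else:  # drop the "(vendor description)" GMER appends after the module path
            attributed[hook["target"].split(" (")[0]].append(hook["func"])
    return {
        "remote_modules": {p: sorted(procs) for p, procs in remote.items()},
        "shared_hidden_base": {f"{p} @ 0x{b:08X}": len(pids) for (p, b), pids in hidden.items()},
        "unattributed_hooks": unattributed,
        "attributed_hooks": dict(attributed),
    }


# Excerpt of the GMER log posted above (the thread's own lines, trimmed for length).
GMER_EXCERPT = r"""
---- System - GMER 1.0.15 ----

SSDT 82D96B70 ZwAllocateVirtualMemory
SSDT 82DC9498 ZwCreateKey
SSDT 82D96E40 ZwCreateThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA62F0B0]
SSDT 82D96AF8 ZwWriteVirtualMemory

---- Processes - GMER 1.0.15 ----

Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehSched.exe [176] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [700] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1024] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1040] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2976] 0x35670000
"""

if __name__ == "__main__":
    for key, value in triage(parse_gmer(GMER_EXCERPT)).items():
        print(f"{key}: {value}")
```

The point of separating attributed from unattributed hooks is that anti-malware products such as Spy Sweeper and SUPERAntiSpyware also hook the SSDT, so a raw count of hooks says little; what matters is the hooks GMER cannot tie to anything on disk, alongside a module that no legitimate installer would load from a share on a public IP.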


#5 schrauber (Mr.Mechanic, Malware Response Team)

Posted 01 March 2010 - 02:57 PM

Hello, sherri235
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.





One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.





You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console


Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following command at the x:\windows> prompt, where x is your operating system drive letter, usually C:

batch look.bat




You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.






regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#6 sherri235 (Topic Starter)

Posted 01 March 2010 - 08:47 PM

Hi Tom, this is all disturbing. I am able to use Dell recovery disk to access recovery console. I have some questions for you but for now here is the maxlook log. Thank you

Run from C:\Documents and Settings\Laurie Palinsky\Desktop\maxlook.exe on Mon 03/01/2010 at 17:29:55.42

C:\WINDOWS\system32\drivers\IntelC51.sys is infected!

2006-02-16 20:39:20 . 2004-03-06 10:14:42 - 1233525 - 7509C548400F4C9E0211E3F6E66ABBE6 ----a-w- C:\drivers\modem\addon\intelc51.sys
2006-03-24 05:44:41 . 2004-03-06 10:14:42 - 1233525 - 7509C548400F4C9E0211E3F6E66ABBE6 ----a-w- C:\i386\IntelC51.sys
2006-02-16 20:39:20 . 2010-01-24 01:25:50 - 2467050 - C16C9BC3DBCCCCCAF62D253E52C3FE54 ----a-w- C:\WINDOWS\system32\drivers\IntelC51.sys

C:\WINDOWS\system32\drivers\intelppm.sys is infected!

2006-03-24 05:44:42 . 2004-08-10 11:00:00 - 36096 - 279FB78702454DFF2BB445F238C048D2 ----a-w- C:\i386\intelppm.sys
2009-02-12 20:01:30 . 2004-08-10 11:00:00 - 36096 - 279FB78702454DFF2BB445F238C048D2 -c----w- C:\WINDOWS\$NtServicePackUninstall$\intelppm.sys
2004-08-04 10:00:00 . 2004-08-04 10:00:00 - 36096 - 279FB78702454DFF2BB445F238C048D2 ----a-w- C:\WINDOWS\HOME\system32\drivers\intelppm.sys
2008-09-02 22:11:17 . 2008-04-13 18:31:32 - 36352 - 8C953733D8F36EB2133F5BB58808B66B ------w- C:\WINDOWS\ServicePackFiles\i386\intelppm.sys
2004-08-04 04:59:20 . 2008-04-13 18:31:32 - 36352 - 26505A17E030CCD0221F96CE4FE6E3BA ----a-w- C:\WINDOWS\system32\drivers\intelppm.sys
2009-02-12 20:03:37 . 2004-08-10 11:00:00 - 36096 - 279FB78702454DFF2BB445F238C048D2 ----a-w- C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\i386\intelppm.sys
2009-02-12 20:03:38 . 2004-08-10 11:00:00 - 36096 - 279FB78702454DFF2BB445F238C048D2 ----a-w- C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\intelppm.sys
"C:\WINDOWS\Driver Cache\i386\sp3.cab"
04-13-2008 10:31:32a ---- 36,352 intelppm.sys
"C:\WINDOWS\Driver Cache\i386\sp2.cab"
08-03-2004 10:59:20p A--- 36,096 intelppm.sys
"C:\WINDOWS\HOME\Driver Cache\i386\sp2.cab"
08-03-2004 10:59:20p A--- 36,096 intelppm.sys
"C:\WINDOWS\ServicePackFiles\i386\sp3.cab"
04-13-2008 10:31:32a ---- 36,352 intelppm.sys

Rogue configuration file = C:\WINDOWS\system32\config\mchhohwh.sav

#7 sherri235 (Topic Starter)

Posted 02 March 2010 - 08:06 PM

Hi Tom, I have some questions, mostly because I spilled the beans re: the hacker/financial issues to the mom. Let me know if placing a new hard drive in this computer is not a good idea. I always thought that if a new hard drive was popped in we all start fresh again, yet I had Macs for many years when I replaced drives. I just wanted clarification regarding the fact that you posted "never safe" on this computer... not even if I chose to replace the hard drive completely? I'm fine with this now that I have what we wanted, although the favorites file seems like a poor choice in terms of infection. Lots of questions; as I said, can I send a PM or something? Time is short for lots of reasons, most importantly, the owner is out of town and I will be shortly, at which point I'll pack this thing up, but not if it is so messed up we'll never be able to safely get online with it again. I'm around tonight, so hopefully I'll hear from ya!

#8 schrauber (Mr.Mechanic, Malware Response Team)

Posted 03 March 2010 - 01:44 PM

Hi,

When you plug in a new hard drive you lose all data and have to reinstall Windows. Fastest way to clean this machine, sure :)

We can clean it, and I think that we can clean it 100%, but it takes a few posts/days. Just let me know what you decide to do :)
regards,
schrauber


#9 sherri235 (Topic Starter)

Posted 03 March 2010 - 04:50 PM

Let's do it! Let me clean this one up as much or entirely as possible. I posted the log you requested; haven't turned it on today (the sick desktop)... trying to clear space on this laptop I'm using now and updating Trend from 2006! for my sister (it's her laptop). I am ready to go. What next, kind sir!

#10 schrauber (Mr.Mechanic, Malware Response Team)

Posted 04 March 2010 - 02:53 PM

Heeeere we go :)

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    [codebox]Files to move:
    C:\WINDOWS\ServicePackFiles\i386\intelppm.sys | C:\WINDOWS\system32\drivers\intelppm.sys
    C:\i386\IntelC51.sys | C:\WINDOWS\system32\drivers\IntelC51.sys[/codebox]
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new maxlook log in your next reply.

regards,
schrauber


#11 sherri235 (Topic Starter)

Posted 04 March 2010 - 08:06 PM

Hi Tom, here is what happened: I ran The Avenger and it rebooted; however, I select the system to start up in the BIOS so it doesn't automatically jump to this OS. I don't know if that is an issue or if I have to enable boot logging or whatever the prompts are in the setup/BIOS. In any event, there was a Windows "no disk" error, but I think this could be due to the setup boot device. Should I run it again? Also, the script error suggested the command prompt was incorrect, so I tried doing it with multiple lines so it would take the pasted script you gave me. Here is the latest. Let me know what or how to do it again. Seems I may have to.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Thu Mar 04 14:35:54 2010

14:35:54: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Thu Mar 04 14:36:38 2010

14:36:38: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Thu Mar 04 14:37:14 2010

14:37:14: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Thu Mar 04 14:41:50 2010

14:41:36: Error: Invalid syntax in command:
"C:\WINDOWS\ServicePackFiles\i386\intelppm.sys | C:\WINDOWS\system32\drivers\intelppm.sysC:\i386\IntelC51.sys | C:\WINDOWS\system32\drivers\IntelC51.sys"
Skipping line. (File move mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.


Now maxlook

Run from C:\Documents and Settings\MomsNameHere\Desktop\maxlook.exe on Thu 03/04/2010 at 16:50:38.75

C:\WINDOWS\system32\drivers\IntelC51.sys is infected!

2006-02-16 20:39:20 . 2004-03-06 10:14:42 - 1233525 - 7509C548400F4C9E0211E3F6E66ABBE6 ----a-w- C:\drivers\modem\addon\intelc51.sys
2006-03-24 05:44:41 . 2004-03-06 10:14:42 - 1233525 - 7509C548400F4C9E0211E3F6E66ABBE6 ----a-w- C:\i386\IntelC51.sys
2006-02-16 20:39:20 . 2010-01-24 01:25:50 - 2467050 - C16C9BC3DBCCCCCAF62D253E52C3FE54 ----a-w- C:\WINDOWS\system32\drivers\IntelC51.sys

C:\WINDOWS\system32\drivers\intelppm.sys is infected!

2006-03-24 05:44:42 . 2004-08-10 11:00:00 - 36096 - 279FB78702454DFF2BB445F238C048D2 ----a-w- C:\i386\intelppm.sys
2009-02-12 20:01:30 . 2004-08-10 11:00:00 - 36096 - 279FB78702454DFF2BB445F238C048D2 -c----w- C:\WINDOWS\$NtServicePackUninstall$\intelppm.sys
2004-08-04 10:00:00 . 2004-08-04 10:00:00 - 36096 - 279FB78702454DFF2BB445F238C048D2 ----a-w- C:\WINDOWS\HOME\system32\drivers\intelppm.sys
2008-09-02 22:11:17 . 2008-04-13 18:31:32 - 36352 - 8C953733D8F36EB2133F5BB58808B66B ------w- C:\WINDOWS\ServicePackFiles\i386\intelppm.sys
2004-08-04 04:59:20 . 2008-04-13 18:31:32 - 36352 - 26505A17E030CCD0221F96CE4FE6E3BA ----a-w- C:\WINDOWS\system32\drivers\intelppm.sys
2009-02-12 20:03:37 . 2004-08-10 11:00:00 - 36096 - 279FB78702454DFF2BB445F238C048D2 ----a-w- C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\i386\intelppm.sys
2009-02-12 20:03:38 . 2004-08-10 11:00:00 - 36096 - 279FB78702454DFF2BB445F238C048D2 ----a-w- C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\intelppm.sys
"C:\WINDOWS\Driver Cache\i386\sp3.cab"
04-13-2008 10:31:32a ---- 36,352 intelppm.sys
"C:\WINDOWS\Driver Cache\i386\sp2.cab"
08-03-2004 10:59:20p A--- 36,096 intelppm.sys
"C:\WINDOWS\HOME\Driver Cache\i386\sp2.cab"
08-03-2004 10:59:20p A--- 36,096 intelppm.sys
"C:\WINDOWS\ServicePackFiles\i386\sp3.cab"
04-13-2008 10:31:32a ---- 36,352 intelppm.sys

Rogue configuration file = C:\WINDOWS\system32\config\mchhohwh.sav

I'm around tonight and tomorrow a.m. my time... had to run out while trying this earlier, and the error message plus the log here was sitting on top of the desktop. I tried the 'continue' prompt and 'try again' prompts to get by the error, i.e. no disk.
Thanks for your time; hope to hear from you to do this again.

#12 sherri235 (Topic Starter)

Posted 04 March 2010 - 09:02 PM

Okay, I may have answered my own questions with the last post, so I changed the BIOS boot setup allocation on restart and it seems The Avenger worked better. I also made each command script you gave have its own line so it was more readable. Here are two redo logs for ya! Looklog/maxlook says infected still...


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Thu Mar 04 17:42:40 2010

17:42:40: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Thu Mar 04 17:43:45 2010

17:43:45: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\ServicePackFiles\i386\intelppm.sys|C:\WINDOWS\system32\drivers\intelppm.sys" completed successfully.
File move operation "C:\i386\IntelC51.sys|C:\WINDOWS\system32\drivers\IntelC51.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

New Maxlook log:
Run from C:\Documents and Settings\MomsNameHere\Desktop\maxlook.exe on Thu 03/04/2010 at 17:53:32.96

C:\WINDOWS\system32\drivers\IntelC51.sys is infected!

2006-02-16 20:39:20 . 2004-03-06 10:14:42 - 1233525 - 7509C548400F4C9E0211E3F6E66ABBE6 ----a-w- C:\drivers\modem\addon\intelc51.sys
2006-02-16 20:39:20 . 2004-03-06 10:14:42 - 1233525 - 7509C548400F4C9E0211E3F6E66ABBE6 ----a-w- C:\WINDOWS\system32\drivers\IntelC51.sys

C:\WINDOWS\system32\drivers\intelppm.sys is infected!

2006-03-24 05:44:42 . 2004-08-10 11:00:00 - 36096 - 279FB78702454DFF2BB445F238C048D2 ----a-w- C:\i386\intelppm.sys
2009-02-12 20:01:30 . 2004-08-10 11:00:00 - 36096 - 279FB78702454DFF2BB445F238C048D2 -c----w- C:\WINDOWS\$NtServicePackUninstall$\intelppm.sys
2004-08-04 10:00:00 . 2004-08-04 10:00:00 - 36096 - 279FB78702454DFF2BB445F238C048D2 ----a-w- C:\WINDOWS\HOME\system32\drivers\intelppm.sys
2004-08-04 04:59:20 . 2008-04-13 18:31:32 - 36352 - 8C953733D8F36EB2133F5BB58808B66B ----a-w- C:\WINDOWS\system32\drivers\intelppm.sys
2009-02-12 20:03:37 . 2004-08-10 11:00:00 - 36096 - 279FB78702454DFF2BB445F238C048D2 ----a-w- C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\i386\intelppm.sys
2009-02-12 20:03:38 . 2004-08-10 11:00:00 - 36096 - 279FB78702454DFF2BB445F238C048D2 ----a-w- C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\intelppm.sys
"C:\WINDOWS\Driver Cache\i386\sp3.cab"
04-13-2008 10:31:32a ---- 36,352 intelppm.sys
"C:\WINDOWS\Driver Cache\i386\sp2.cab"
08-03-2004 10:59:20p A--- 36,096 intelppm.sys
"C:\WINDOWS\HOME\Driver Cache\i386\sp2.cab"
08-03-2004 10:59:20p A--- 36,096 intelppm.sys
"C:\WINDOWS\ServicePackFiles\i386\sp3.cab"
04-13-2008 10:31:32a ---- 36,352 intelppm.sys

Rogue configuration file = C:\WINDOWS\system32\config\mchhohwh.sav


#13 schrauber (Mr.Mechanic, Malware Response Team)

Posted 05 March 2010 - 03:11 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    intelppm.sys
    IntelC51.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
regards,
schrauber


#14 sherri235 (Topic Starter)

Posted 05 March 2010 - 03:32 PM

I'm here running it now/scanning with your commands. Are you available now? I have some time to do these fixes, just curious... I should do all of this in regular mode as I have been, correct?

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 12:25 on 05/03/2010 by Me (Administrator - Elevation successful)

========== filefind ==========

Searching for "intelppm.sys"
C:\i386\intelppm.sys --a--- 36096 bytes [05:44 24/03/2006] [11:00 10/08/2004] 279FB78702454DFF2BB445F238C048D2
C:\WINDOWS\$NtServicePackUninstall$\intelppm.sys -----c 36096 bytes [20:01 12/02/2009] [11:00 10/08/2004] 279FB78702454DFF2BB445F238C048D2
C:\WINDOWS\HOME\system32\drivers\intelppm.sys --a--- 36096 bytes [10:00 04/08/2004] [10:00 04/08/2004] 279FB78702454DFF2BB445F238C048D2
C:\WINDOWS\maxdriver\intelppm.sys --a--- 36352 bytes [04:59 04/08/2004] [18:31 13/04/2008] 26505A17E030CCD0221F96CE4FE6E3BA
C:\WINDOWS\system32\drivers\intelppm.sys --a--- 36352 bytes [04:59 04/08/2004] [18:31 13/04/2008] 8C953733D8F36EB2133F5BB58808B66B
C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\i386\intelppm.sys --a--- 36096 bytes [20:03 12/02/2009] [11:00 10/08/2004] 279FB78702454DFF2BB445F238C048D2
C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\intelppm.sys --a--- 36096 bytes [20:03 12/02/2009] [11:00 10/08/2004] 279FB78702454DFF2BB445F238C048D2

Searching for "IntelC51.sys"
C:\drivers\modem\addon\intelc51.sys --a--- 1233525 bytes [20:39 16/02/2006] [10:14 06/03/2004] 7509C548400F4C9E0211E3F6E66ABBE6
C:\WINDOWS\maxdriver\IntelC51.sys --a--- 2467050 bytes [20:39 16/02/2006] [01:25 24/01/2010] C16C9BC3DBCCCCCAF62D253E52C3FE54
C:\WINDOWS\system32\drivers\IntelC51.sys --a--- 1233525 bytes [20:39 16/02/2006] [10:14 06/03/2004] 7509C548400F4C9E0211E3F6E66ABBE6

-=End Of File=-
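What maxlook and SystemLook give a responder is a list of every copy of a driver on disk with its size, timestamps and MD5, and the judgement is made by comparing the copy Windows actually loads (system32\drivers) against the pristine copies Windows itself keeps (the i386 install source, ServicePackFiles, the service-pack uninstall backup, and on this Dell the C:\drivers tree). The logs above show two quite different failure shapes: the IntelC51.sys copy doubled in size and carried a 2010 modification time, while the intelppm.sys copy kept the exact size and modification time of the SP3 original and differed only in its hash. The following is an added example, not maxlook's or SystemLook's code and not posted by anyone in the thread, that performs that comparison over SystemLook-format lines. The "before" listing is transcribed from the maxlook log earlier in the thread into SystemLook's line format (constructed input, but the hashes, sizes and dates are the thread's); the "after" listing is the SystemLook output just above. The list of reference directories is an assumption about where trustworthy copies live on this installation.

```python
import re
from collections import defaultdict

# One SystemLook ":filefind" result line, as posted in the thread:
# C:\i386\intelppm.sys --a--- 36096 bytes [05:44 24/03/2006] [11:00 10/08/2004] 279FB...
LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# Drive-letter-stripped, lower-cased prefixes of locations that hold pristine copies:
# the XP install source, the service-pack store and its uninstall backup, and the OEM
# (Dell) driver tree. Assumed for this box; adjust per installation.
REFERENCE_PREFIXES = ("\\i386\\", "\\windows\\servicepackfiles\\i386\\",
                      "\\windows\\$ntservicepackuninstall$\\", "\\drivers\\")
LIVE_PREFIX = "\\windows\\system32\\drivers\\"   # the copy the kernel actually loads


def _rel(path):
    """'C:\\WINDOWS\\x' -> '\\windows\\x', so prefixes compare regardless of drive letter."""
    return path[2:].lower()


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_systemlook(text):
    """Return one dict per :filefind result line; headers and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            records.append(rec)
    return records


def collect_references(records):
    """Map driver file name -> the pristine copies found in the reference locations."""
    refs = defaultdict(list)
    for rec in records:
        if _rel(rec["path"]).startswith(REFERENCE_PREFIXES):
            refs[_name(rec["path"])].append(rec)
    return refs


def audit(records, references):
    """Judge every system32\\drivers copy in `records` against `references`.

    'trusted' only when the live MD5 equals a reference copy's MD5. Size and
    modified-time agreement are reported alongside because a patched driver can keep
    both (intelppm.sys below does), and only the hash then tells it apart.
    """
    verdicts = {}
    for rec in records:
        if not _rel(rec["path"]).startswith(LIVE_PREFIX):
            continue
        refs = references.get(_name(rec["path"]), [])
        verdicts[_name(rec["path"])] = {
            "status": "trusted" if any(r["md5"] == rec["md5"] for r in refs) else "untrusted",
            "live_md5": rec["md5"],
            "size_matches_a_reference": any(r["size"] == rec["size"] for r in refs),
            "mtime_matches_a_reference": any(r["modified"] == rec["modified"] for r in refs),
        }
    return verdicts


# Pre-cleanup state, transcribed from the maxlook log into SystemLook's line format.
BEFORE = r"""
C:\drivers\modem\addon\intelc51.sys --a--- 1233525 bytes [20:39 16/02/2006] [10:14 06/03/2004] 7509C548400F4C9E0211E3F6E66ABBE6
C:\i386\IntelC51.sys --a--- 1233525 bytes [05:44 24/03/2006] [10:14 06/03/2004] 7509C548400F4C9E0211E3F6E66ABBE6
C:\WINDOWS\system32\drivers\IntelC51.sys --a--- 2467050 bytes [20:39 16/02/2006] [01:25 24/01/2010] C16C9BC3DBCCCCCAF62D253E52C3FE54
C:\i386\intelppm.sys --a--- 36096 bytes [05:44 24/03/2006] [11:00 10/08/2004] 279FB78702454DFF2BB445F238C048D2
C:\WINDOWS\$NtServicePackUninstall$\intelppm.sys -----c 36096 bytes [20:01 12/02/2009] [11:00 10/08/2004] 279FB78702454DFF2BB445F238C048D2
C:\WINDOWS\ServicePackFiles\i386\intelppm.sys ------ 36352 bytes [22:11 02/09/2008] [18:31 13/04/2008] 8C953733D8F36EB2133F5BB58808B66B
C:\WINDOWS\system32\drivers\intelppm.sys --a--- 36352 bytes [04:59 04/08/2004] [18:31 13/04/2008] 26505A17E030CCD0221F96CE4FE6E3BA
"""

# Post-cleanup state: the SystemLook log posted after The Avenger swapped the files.
AFTER = r"""
C:\i386\intelppm.sys --a--- 36096 bytes [05:44 24/03/2006] [11:00 10/08/2004] 279FB78702454DFF2BB445F238C048D2
C:\WINDOWS\maxdriver\intelppm.sys --a--- 36352 bytes [04:59 04/08/2004] [18:31 13/04/2008] 26505A17E030CCD0221F96CE4FE6E3BA
C:\WINDOWS\system32\drivers\intelppm.sys --a--- 36352 bytes [04:59 04/08/2004] [18:31 13/04/2008] 8C953733D8F36EB2133F5BB58808B66B
C:\drivers\modem\addon\intelc51.sys --a--- 1233525 bytes [20:39 16/02/2006] [10:14 06/03/2004] 7509C548400F4C9E0211E3F6E66ABBE6
C:\WINDOWS\maxdriver\IntelC51.sys --a--- 2467050 bytes [20:39 16/02/2006] [01:25 24/01/2010] C16C9BC3DBCCCCCAF62D253E52C3FE54
C:\WINDOWS\system32\drivers\IntelC51.sys --a--- 1233525 bytes [20:39 16/02/2006] [10:14 06/03/2004] 7509C548400F4C9E0211E3F6E66ABBE6
"""


def run():
    """References are taken from the pre-cleanup listing: The Avenger script moved the
    pristine ServicePackFiles and i386 copies into place, so they no longer exist there."""
    references = collect_references(parse_systemlook(BEFORE))
    return audit(parse_systemlook(BEFORE), references), audit(parse_systemlook(AFTER), references)


if __name__ == "__main__":
    for label, verdicts in zip(("before", "after"), run()):
        for name, verdict in sorted(verdicts.items()):
            print(label, name, verdict)
```

Run on the thread's data, both live drivers come out "untrusted" before the file moves and "trusted" afterwards, with the old copies parked under C:\WINDOWS\maxdriver where neither rule applies to them. The intelppm.sys case is the one to remember: its size and modification time match the SP3 reference exactly both before and after, so a check that stops at `dir` output would never have seen the swap.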

#15 sherri235 (Topic Starter)

Posted 06 March 2010 - 01:19 PM

Hi Tom, I wanted to add that somehow, along the way... the CD-ROM stopped working in this OS. In the other OS it works. Maybe something I did, but mostly just the Defogger, unless I removed or disabled something; not sure though. Just an FYI. I'm ready to get rid of the Intel thing... Is it in the modem now? It would not be good if we need to get another one on top of everything else. Let me know what is next before addressing the above issues. Thanks again.



