Booting up only in Safe Mode + Search Links Redirected


  • This topic is locked
25 replies to this topic

#1 kgtrojan
  • Members
  • 61 posts

Posted 14 March 2010 - 12:24 PM

My computer can only boot in Safe Mode. Also when I click on the results of a search, the links are redirected to other sites. I had an Antivirus Live infection in the past and more recently an Antivirus XP 2010 infection. I believe the Safe Mode boot up and the link redirects occurred after the Antivirus XP 2010 infection. I ran Malwarebytes' Anti-Malware and it removed the Antivirus XP 2010 infection and a recent (a day before this post) scan indicated that the PC is clean, yet I am still experiencing the conditions I described above.

Other Issues:
I de-installed McAfee, as it did not catch any of the infections I listed, but when I tried to install AVG Free version 9.0, an "MSVC Redistributables Installation Failed" message displayed. This may be an error specific to AVG, as I have read that other users had similar experiences.

I attempted to install TurboTax but the installation failed due to the install program not being able to find Windows Installer or the Windows Installer was corrupted. I downloaded Windows Installer from the Microsoft website, but the TurboTax installation failed again. I attempted all of this in Safe Mode. I am not sure if that caused the failed installation.

I would appreciate any help you could provide in resolving these issues. Thank you.

I attached the Attach.txt and ark.txt files and here is the DDS Log:


DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Kappy at 21:09:22.81 on Sat 03/13/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.701 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Kappy.KAPPY-D5E66F0CD\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uWindow Title = By DSLExtreme
uSearch Bar = hxxp://www.google.com/ie
mWindow Title = By DSLExtreme
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com
mURLSearchHooks: H - No File
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - No File
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: turbotax.com
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kappy~1.kap\applic~1\mozilla\firefox\profiles\2vjfpc2y.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\kappy.kappy-d5e66f0cd\application data\move networks\plugins\npqmp071502000008.dll
FF - plugin: c:\documents and settings\kappy.kappy-d5e66f0cd\application data\mozilla\firefox\profiles\2vjfpc2y.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-1-17 207792]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-2-13 54776]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-1-17 112592]
S2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-2-5 229688]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-1-17 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-1-17 1141712]

=============== Created Last 30 ================

2010-03-14 05:07:09 0 ----a-w- c:\documents and settings\kappy.kappy-d5e66f0cd\defogger_reenable
2010-03-14 04:17:50 0 d-----w- c:\windows\LastGood.Tmp
2010-03-13 22:06:03 0 d-----w- c:\windows\pss
2010-03-06 15:32:49 0 d-----w- c:\docume~1\kappy~1.kap\applic~1\Malwarebytes
2010-03-06 15:32:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-06 15:32:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-06 15:32:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-06 15:32:41 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-03-01 02:37:52 0 ----a-w- c:\documents and settings\kappy.kappy-d5e66f0cd\;;
2010-02-28 09:59:49 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-28 09:59:49 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-28 09:59:49 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-02-14 06:06:21 0 d-----w- c:\program files\McAfeeMOBK
2010-02-14 06:06:07 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-02-14 06:06:02 0 d-----w- c:\program files\McAfee Online Backup

==================== Find3M ====================

2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2008-11-16 16:57:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111620081117\index.dat

============= FINISH: 21:11:10.62 ===============
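A small triage script for logs like the DDS output above, added here as an example; it is not part of the original post and not code from the DDS tool. It parses the three line shapes a helper reads first (BHO/toolbar registrations, Run entries, service and driver entries), collects everything DDS marks "No File", lists boot- and system-start drivers, and flags the msconfig /auto Run entry that indicates a Selective or Diagnostic startup. The SAMPLE text is copied from the log above; the regular expressions and the Triage structure are this example's own assumptions about the format, not a published DDS grammar.

```python
import re
from dataclasses import dataclass, field

# Line shapes as they appear in the DDS "Pseudo HJT Report" and "SERVICES /
# DRIVERS" sections (an assumption about the format, not a DDS spec).
# Run entries: leading u = HKCU, m = HKLM.  Service entries: R = running,
# S = stopped, digit = start type.
BHO_RE = re.compile(
    r'^(?P<kind>BHO|TB): (?:(?P<name>.*?): )?'
    r'(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$')
RUN_RE = re.compile(
    r'^(?P<hive>[um])Run(?P<once>Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
SVC_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.*?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$')
START_TYPE = {0: 'boot', 1: 'system', 2: 'auto', 3: 'manual', 4: 'disabled'}


@dataclass
class Triage:
    orphans: list = field(default_factory=list)        # "- No File" registrations
    browser_hooks: list = field(default_factory=list)  # (kind, clsid, name, dll)
    autostarts: list = field(default_factory=list)     # (hive, run_once, name, cmd)
    early_drivers: list = field(default_factory=list)  # (name, start type, path, size)
    notes: list = field(default_factory=list)


def triage_dds(text: str) -> Triage:
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            if m['target'] == 'No File':
                t.orphans.append(line)
            else:
                t.browser_hooks.append((m['kind'], m['clsid'], m['name'], m['target']))
            continue
        # Any other "- No File" line (URLSearchHooks etc.) is a stale registration:
        # something was deleted without being unregistered. Harmless by itself,
        # but it marks where a removed component used to live.
        if line.endswith('- No File'):
            t.orphans.append(line)
            continue
        m = RUN_RE.match(line)
        if m:
            t.autostarts.append((m['hive'], bool(m['once']), m['name'], m['cmd']))
            # msconfig re-registers itself with /auto while Selective or
            # Diagnostic startup is in effect.
            if m['name'].lower() == 'msconfig' and '/auto' in m['cmd'].lower():
                t.notes.append('msconfig /auto in Run: Selective/Diagnostic startup is active')
            continue
        m = SVC_RE.match(line)
        if m:
            start = int(m['start'])
            # Boot- and system-start drivers load before any user-mode defence,
            # so a patched one survives scanners that run after it.
            if start <= 1:
                t.early_drivers.append((m['name'], START_TYPE[start], m['path'], int(m['size'])))
    return t


# Sample lines copied from the DDS log in this thread (constructed subset).
SAMPLE = r"""
mURLSearchHooks: H - No File
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - No File
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-1-17 207792]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-2-13 54776]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-1-17 112592]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-1-17 359624]
"""

if __name__ == '__main__':
    t = triage_dds(SAMPLE)
    for label, items in (('orphans', t.orphans), ('early drivers', t.early_drivers), ('notes', t.notes)):
        print(f'{label}:')
        for item in items:
            print('  ', item)
```

Run it against a saved DDS.txt by reading the file into triage_dds() instead of SAMPLE; the early_drivers list is the part worth checking by hand, since a driver path under system32\drivers with a recent date and an unfamiliar name is the usual place a redirect rootkit sits.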








#2 Farbar
    Just Curious
  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 16 March 2010 - 05:59 AM

Hi kgtrojan,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

In case the issue is not resolved please update me on the current condition of your computer. In case you are still unable to boot to normal mode give me precise feedback about what happens when you try to boot normally.

#3 kgtrojan
  • Topic Starter
  • Members
  • 61 posts

Posted 16 March 2010 - 11:17 PM

QUOTE(farbar @ Mar 16 2010, 03:59 AM)
Hi kgtrojan,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

In case the issue is not resolved please update me on the current condition of your computer. In case you are still unable to boot to normal mode give me precise feedback about what happens when you try to boot normally.


____

Thank you Farbar.

I agree with your recommendation above not to make any changes.

When I try to boot the computer, I hear a grinding sound coming from the CD-ROM drive (there are no CDs in the drive) and then a black screen appears with the following text:

"We apologize for the inconvenience, but Windows did not start successfully. A recent hardware or software change may have caused this."

"If your computer stopped responding, restarted unexpectedly, or was automatically shut down to protect your files and folders, choose Last Known Good Configuration to revert to the most recent version that worked."

"If a previous startup attempt was interrupted due to a power failure or because the power or reset button was pressed, or if you aren't sure what changed to cause the problem, choose Start Windows Normally."

"Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt

Last Known Good Configuration (your last recent settings that worked)

Start Windows Normally"


I have been choosing Safe Mode with Networking to allow me to use the computer and connect to the internet. Once in the process of booting in safe mode the following message displays:

"Windows is running in safe mode.

This special diagnostic mode of Windows enables you to fix a problem which may be caused by your network or hardware settings. Make sure these settings are correct in Control Panel, and then try starting Windows again. While in safe mode, some of your devices may not be available."

To proceed in safe mode, click Yes. If you prefer to use System Restore to restore your computer to a previous state, click No."


I have not been able to use system restore. I can't remember the exact error message, but I was unable to perform the restore.

Early this evening I was able to boot up using the Last Known Good Configuration option. This allowed my machine to boot normally and the following message displayed:

"You have used the System Configuration Utility to make changes to the way Windows starts.

The System Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displayed and the utility to run every time Windows starts.

Choose Normal Startup mode on the General tab to start Windows normally and undo the changes you made using the System Configuration Utility"


I performed the steps in the message. At this point I turned on the Windows Firewall, as a balloon message had popped up indicating that the firewall was not turned on. Then I restarted the PC. After the restart I could not boot normally and even the Last Known Good Configuration option failed to allow the machine to boot normally. I then selected the Safe Mode with Networking option and booted up in Safe Mode.

Hopefully, this description of the events will help you diagnose the issues on my machine. Thank you for your help.





#4 Farbar
    Just Curious
  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 17 March 2010 - 05:58 AM

Thanks for the feedback.

We are going to run ComboFix. You may run it in Safe Mode with Networking, but if it needs to reboot the computer, let it reboot normally and see what happens. If it does not reboot normally, reboot it again into Safe Mode and provide the log from there.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about untrusted download sites for ComboFix; click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#5 kgtrojan
  • Topic Starter
  • Members
  • 61 posts

Posted 18 March 2010 - 09:18 AM

Thanks again. I ran ComboFix and ComboFix was able to reboot my computer normally during the scan process.

Here is the log:

ComboFix 10-03-17.07 - Kappy 03/18/2010 6:33.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.717 [GMT -7:00]
Running from: c:\documents and settings\Kappy.KAPPY-D5E66F0CD\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kappy.KAPPY-D5E66F0CD\Local Settings\Application Data\MSASCui.exe
c:\recycler\S-1-5-21-1220945662-1682526488-725345543-1004
c:\recycler\S-1-5-21-3242585556-3157812537-2462924320-1006
c:\windows\system32\bund1

Infected copy of c:\windows\system32\DRIVERS\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-18 to 2010-03-18 )))))))))))))))))))))))))))))))
.

2010-03-18 13:43 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-03-18 13:43 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-03-14 04:12 . 2010-03-14 04:12 -------- d-----w- c:\documents and settings\Kappy.KAPPY-D5E66F0CD\Local Settings\Application Data\IsolatedStorage
2010-03-06 15:32 . 2010-03-06 15:32 -------- d-----w- c:\documents and settings\Kappy.KAPPY-D5E66F0CD\Application Data\Malwarebytes
2010-03-06 15:32 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-06 15:32 . 2010-03-06 15:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-06 15:32 . 2010-03-06 15:32 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-03-06 15:32 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-28 09:59 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-28 09:59 . 2009-08-07 03:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-28 09:40 . 2010-02-28 09:41 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-18 14:01 . 2010-01-17 22:49 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-03-06 17:24 . 2009-04-04 11:11 -------- d-----w- c:\program files\AVG
2010-03-06 17:22 . 2009-04-04 11:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2010-03-05 23:15 . 2010-02-14 05:35 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
2010-03-05 23:15 . 2005-03-04 09:10 -------- d-----w- c:\program files\McAfee.com
2010-03-01 03:26 . 2007-04-23 03:33 71880 ----a-w- c:\documents and settings\Kappy.KAPPY-D5E66F0CD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-01 02:55 . 2005-06-02 03:08 -------- d-----w- c:\program files\Microsoft Works
2010-02-28 04:25 . 2008-08-12 03:26 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-14 06:06 . 2010-02-14 06:06 -------- d-----w- c:\program files\McAfeeMOBK
2010-02-14 06:06 . 2010-02-14 06:06 -------- d-----w- c:\program files\McAfee Online Backup
2010-02-06 05:13 . 2010-02-14 06:06 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-01-24 02:07 . 2010-01-17 22:49 -------- d-----w- c:\program files\Spyware Doctor
2010-01-23 21:00 . 2007-06-17 02:36 1924744 ----a-w- c:\documents and settings\Kappy.KAPPY-D5E66F0CD\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-01-23 15:20 . 2007-06-16 23:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2010-01-23 15:17 . 2005-08-27 22:47 -------- d-----w- c:\program files\Lavasoft
2010-01-23 15:17 . 2007-06-16 23:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-23 15:14 . 2010-01-23 15:14 6944624 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe
2010-01-17 22:51 . 2010-01-17 22:49 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-17 22:49 . 2010-01-17 22:49 -------- d-----w- c:\documents and settings\Kappy.KAPPY-D5E66F0CD\Application Data\PC Tools
2010-01-17 22:49 . 2010-01-17 22:49 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
2010-01-17 22:23 . 2010-01-17 22:23 -------- d-----w- c:\documents and settings\Kappy.KAPPY-D5E66F0CD\Application Data\AVG8
2010-01-05 10:00 . 2004-08-12 14:09 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-12 13:58 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-12 13:56 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-12 14:06 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2008-08-17 01:42 . 2008-08-17 01:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-17 01:42 . 2008-08-17 01:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-17 01:42 . 2008-08-17 01:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-17 01:42 . 2008-08-17 01:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-17 01:43 . 2008-08-17 01:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-17 01:42 . 2008-08-17 01:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-17 01:42 . 2008-08-17 01:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 16:41 . 2008-05-21 16:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 16:41 . 2008-05-21 16:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 16:41 . 2008-05-21 16:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 21:58 . 2008-06-05 21:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-17 01:42 . 2008-08-17 01:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-02-06 05:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-02-06 05:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-02-06 05:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-26 2356088]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Citrix XenApp.lnk - c:\windows\Installer\{388C130B-0079-46B4-A0D5-DC2DD7A89A7B}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2008-11-15 73728]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [1/17/2010 3:49 PM 207792]
R1 MOBKFilter;MOBKFilter;c:\windows\SYSTEM32\DRIVERS\MOBK.sys [2/13/2010 11:06 PM 54776]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/17/2010 3:51 PM 112592]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2/5/2010 10:14 PM 229688]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/17/2010 3:49 PM 359624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 22:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mWindow Title = By DSLExtreme
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Kappy.KAPPY-D5E66F0CD\Application Data\Mozilla\Firefox\Profiles\2vjfpc2y.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\Kappy.KAPPY-D5E66F0CD\Application Data\Move Networks\plugins\npqmp071502000008.dll
FF - plugin: c:\documents and settings\Kappy.KAPPY-D5E66F0CD\Application Data\Mozilla\Firefox\Profiles\2vjfpc2y.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2824)
c:\windows\system32\WININET.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\vssvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Citrix\ICA Client\PNAMain.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-03-18 07:10:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-18 14:10

Pre-Run: 51,282,874,368 bytes free
Post-Run: 52,529,741,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - DA08FE5B800681E83010F85BC46C6921
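The ComboFix log records two repairs a responder can reproduce by hand: iaStor.sys was found patched and replaced, and a missing proquota.exe was restored from c:\windows\ServicePackFiles\i386. The script below is an added example, not ComboFix's own code or method. It hashes every file in system32 and system32\drivers that also exists in the dllcache or ServicePackFiles\i386 caches and reports files that are missing or that differ from every cached copy. The demo() function builds a constructed directory tree using those three file names with made-up contents so the script runs offline; a real run is pointed at the Windows directory. Two caveats: hotfixes update system32 and dllcache but not ServicePackFiles, so only a file that disagrees with both caches is a strong signal; and a kernel-mode rootkit can serve clean bytes to user-mode reads, so the comparison is most trustworthy from the Recovery Console or another offline boot rather than from inside the infected session.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# Known-good copies XP keeps. dllcache is refreshed by hotfixes; the
# ServicePackFiles copy stays at service-pack level, so a live file may
# legitimately differ from it after Windows Update, but not from both.
CACHE_DIRS = ('system32/dllcache', 'ServicePackFiles/i386')
LIVE_DIRS = ('system32', 'system32/drivers')


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open('rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def find_live(windir: Path, name: str):
    """Locate the in-use copy of a cached file; caches are flat, live files are not."""
    for d in LIVE_DIRS:
        p = windir / d / name
        if p.is_file():
            return p
    return None


def compare_against_caches(windir: Path) -> dict:
    """Map lower-cased filename -> (status, live path or None).

    'ok'       live copy equals at least one cached copy
    'modified' live copy differs from every cached copy (the iaStor.sys case)
    'missing'  no live copy at all (the proquota.exe case)
    """
    report = {}
    for cache_rel in CACHE_DIRS:
        cache = windir / cache_rel
        if not cache.is_dir():
            continue
        for ref in cache.iterdir():
            if not ref.is_file():
                continue
            key = ref.name.lower()
            live = find_live(windir, ref.name)
            if live is None:
                report.setdefault(key, ('missing', None))
            elif sha256_of(live) == sha256_of(ref):
                report[key] = ('ok', live)                  # one agreeing cache clears it
            else:
                report.setdefault(key, ('modified', live))  # never downgrade an 'ok'
    return report


def demo() -> dict:
    """Constructed tree reproducing the three outcomes; file contents are fake bytes."""
    root = Path(tempfile.mkdtemp()) / 'WINDOWS'
    for d in CACHE_DIRS + LIVE_DIRS:
        (root / d).mkdir(parents=True, exist_ok=True)
    pristine = b'MZ constructed iaStor.sys'
    for d in CACHE_DIRS:
        (root / d / 'iaStor.sys').write_bytes(pristine)
        (root / d / 'proquota.exe').write_bytes(b'MZ constructed proquota.exe')
        (root / d / 'srv.sys').write_bytes(b'MZ constructed srv.sys')
    # Patched driver: same length, one byte changed; a size check would miss it.
    (root / 'system32' / 'drivers' / 'iaStor.sys').write_bytes(pristine[:-1] + b'!')
    (root / 'system32' / 'drivers' / 'srv.sys').write_bytes(b'MZ constructed srv.sys')
    # proquota.exe is deliberately absent from system32.
    return compare_against_caches(root)


if __name__ == '__main__':
    windir = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    report = compare_against_caches(windir) if windir else demo()
    for name, (status, live) in sorted(report.items()):
        if status != 'ok':
            print(f'{status:9} {name}  {live or ""}')
```

Invoked as `python check_caches.py C:\WINDOWS` it prints only the files that need attention; with no argument it runs the constructed demo. Compare on content rather than on timestamps or sizes: the ComboFix "Find3M" listings above show that the restored proquota.exe kept its original 2008 timestamp, and a patched driver is commonly the same size as the original.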


#6 Farbar
    Just Curious
  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 18 March 2010 - 12:37 PM

  1. You have the program Spybot S&D (TeaTimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    1. First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup
      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    2. Then download ResetTeaTimer.exe to your desktop.
      • Doubleclick ResetTeaTimer.exe and let it run.
    Note: TeaTimer should be kept disabled until I give you the clean sign.

  2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 18 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

  3. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  4. You have one partition but two Windows listed. Can you give me feedback about it? Do you get two Windows options to choose from at startup?


#7 kgtrojan

kgtrojan
  • Topic Starter

  • Members
  • 61 posts

Posted 18 March 2010 - 11:37 PM

Hi Farbar,

I followed the steps in your last post and the MBAM log is pasted below. Concerning point 4 in your post about one partition and two Windows, a couple of years ago I re-installed Windows on my machine and after the re-installation I had two Windows options upon start up, but only one is functional. I have been booting up selecting the functional Windows option ever since. My system would prompt for the two options and there was a 30 second timer to pick from the two Windows options. After running ComboFix, the "boot" screen now shows Microsoft Windows Recovery Console and the two previous Windows options momentarily and then the boot process proceeds normally. There is no longer the 30 second timer during the boot process.

Also, I wanted to let you know that my Windows Auto Update installed 24 updates when I shut down my computer last night. This occurred after I completed the procedures outlined in your post. I wanted you to be aware in case this will affect the future repair procedures.

Thank you again for all your efforts.

Here is MBAM log:

Malwarebytes' Anti-Malware 1.44
Database version: 3884
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/18/2010 9:12:06 PM
mbam-log-2010-03-18 (21-12-06).txt

Scan type: Quick Scan
Objects scanned: 166641
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 March 2010 - 04:08 AM

Please, after doing these steps, don't reboot the computer until I have replied.

We are almost done; let's just fix that double Windows entry at startup.
  1. Go to Start > Run, copy/paste the following line in the Run box and click OK.

    cmd /c attrib -r c:\boot.ini&notepad c:\boot.ini

    A boot.ini file opens with the following content:

    QUOTE
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect


    I have red colored the last line of it. Select only that last line and remove it. Make sure the rest is still there.
    Go to File menu and select Save then close the boot.ini.

  2. Now please go to Start > Run, copy/paste the following line in the Run box and click OK.

    cmd /c attrib +r c:\boot.ini&notepad c:\boot.ini

    A boot.ini file opens; please post its content in your reply.


#9 kgtrojan

kgtrojan
  • Topic Starter

  • Members
  • 61 posts

Posted 19 March 2010 - 07:37 AM

I attempted to modify the boot.ini file, but I was unable to save the notepad file.

In the DOS window, a message displayed:

"Not resetting hidden file - C:\boot.ini"


The file did, however, open in notepad. I deleted the last line, but when I attempted to save the file, the following message displayed:

"Cannot create the file c:\boot.ini file

Make sure that the path and filename are correct"



Notepad then opened the "Save as" window to save the file. When I attempted to save the file in the C: drive, the following message displayed:

"boot.ini

This file exists with Read Only attributes
Please use a different name"


Although I was unable to make the changes, I did not reboot per your instructions in the last post.

Thank you.


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 March 2010 - 08:19 AM

OK, let's try it once more.
  1. Go to Start > Run, copy/paste the following line in the Run box and click OK.

    cmd /c attrib -r -s -h c:\boot.ini&notepad c:\boot.ini

    A boot.ini file opens with the following content:

    QUOTE
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect


    I have red colored the last line of it. Select only that last line and remove it. Make sure the rest is still there.
    Go to File menu and select Save then close the boot.ini.

  2. Now please go to Start > Run, copy/paste the following line in the Run box and click OK.

    cmd /c attrib +r +s +h c:\boot.ini&notepad c:\boot.ini

    A boot.ini file opens; please post its content in your reply.
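The two posts above edit boot.ini by hand: clear the read-only, system and hidden attributes, delete the [operating systems] entry that points at a partition the disk does not have, restore the attributes. The following is an added example (not code from the thread or from Farbar's tools) that performs the same check programmatically: it parses the boot.ini format shown above, flags any ARC path whose partition number exceeds the number of partitions actually present, and rebuilds the file without those entries. The sample boot.ini is constructed to mirror the one quoted in the thread.

```python
import re

# Constructed sample, mirroring the boot.ini quoted earlier in the thread.
SAMPLE_BOOT_INI = """[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
c:\\cmdcons\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
"""

# ARC paths encode the partition as partition(N); the Recovery Console entry
# uses a plain drive path instead and never matches this pattern.
ARC_PARTITION = re.compile(r"partition\((\d+)\)", re.IGNORECASE)

def parse_boot_ini(text):
    """Split boot.ini into the [boot loader] settings (dict) and the
    [operating systems] entries as (arc_path, description_and_switches)."""
    section, loader, systems = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")  # split on the FIRST '=' only
        if section == "boot loader":
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            systems.append((key.strip(), value.strip()))
    return loader, systems

def suspicious_entries(systems, partition_count):
    """ARC paths naming a partition number higher than the disk really has
    (the thread's case: one partition, but a partition(2) entry)."""
    bad = []
    for path, _ in systems:
        m = ARC_PARTITION.search(path)
        if m and int(m.group(1)) > partition_count:
            bad.append(path)
    return bad

def prune(text, partition_count):
    """Rebuild boot.ini without the entries that point past the last real
    partition; return (new_text, sorted list of removed ARC paths)."""
    loader, systems = parse_boot_ini(text)
    drop = set(suspicious_entries(systems, partition_count))
    kept = [(p, r) for p, r in systems if p not in drop]
    out = ["[boot loader]"] + [f"{k}={v}" for k, v in loader.items()]
    out += ["[operating systems]"] + [f"{p}={r}" for p, r in kept]
    return "\n".join(out) + "\n", sorted(drop)
```

On a live XP system the file still has to be written with its attributes cleared first (the `attrib -r -s -h` step above), which this example deliberately leaves to the operator.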


#11 kgtrojan

kgtrojan
  • Topic Starter

  • Members
  • 61 posts

Posted 19 March 2010 - 08:57 AM

I modified the boot.ini file. Here are the contents of the file:


[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 March 2010 - 09:51 AM

It looks good.

Tell me how your computer is running, as we are going to uninstall ComboFix and round off.

#13 kgtrojan

kgtrojan
  • Topic Starter

  • Members
  • 61 posts

Posted 19 March 2010 - 10:05 AM

It seemed fine with the couple of programs I ran so far. Outlook Express and Quicken seemed normal. I did very limited surfing, but I didn't notice anything strange such as tabs opening up and search results being redirected. I still haven't rebooted. Would it be okay to reboot at this point?

I don't have access to that machine at the moment, so it may be about 10 hours before my next post, but I will definitely update you then.

Thank you.

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 March 2010 - 10:10 AM

QUOTE
Would it be okay to reboot at this point?

Yes, you may reboot, and you should see just the Recovery Console and one Microsoft Windows XP Home Edition at start up for 2 seconds. You can even bypass that page if you want.

We are in no hurry. Update me on the condition of the computer and we will then round off.

Edited by farbar, 19 March 2010 - 10:11 AM.


#15 kgtrojan

kgtrojan
  • Topic Starter

  • Members
  • 61 posts

Posted 19 March 2010 - 11:49 PM

Hi Farbar,

I rebooted the system and the PC is working fine. It seems a little faster than normal, actually.

Also, once we've completed the entire "cleaning" process, I would like to ask your recommendation for an antivirus package. I have used McAfee and AVG in the past but I would like your opinion on the topic. I also have lavasoft, Search and Destroy, Malwarebytes, and Spydoctor loaded as anti-malware products. I would like to settle on one or two. I really like using Malwarebytes. I have additional questions regarding the best security practices such as firewalls, etc. I have scanned some of the materials in the tutorials on the subject, but I thought I would ask you as well.

Thank you.



