Malware / Malware Bytes run-time error


This topic is locked
21 replies to this topic

#1 Danapba (Members, 13 posts)

Posted 19 April 2010 - 07:47 AM

I was attempting to run Malware Bytes on my home system and got a Run Time Error 93 - invalid Pattern String error. I found some advice on this site in a forum on how to correct, downloaded the Combo-Fix, and took the steps outlined. I initially had (7) "infections" in my registry when I ran Malware Bytes before the run time error, afterwards, down to 1 before the same error hit after I ran Combo-Fix, so some progress.

I have followed the site instructions on what to process and have attached the logs.

Hope someone has the expertise to help me with this. Thanks in advance!

Daniel

Attached Files





#2 etavares, Bleepin' Remover (Malware Response Team, 15,514 posts)

Posted 23 April 2010 - 06:21 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 Danapba, Topic Starter (Members, 13 posts)

Posted 26 April 2010 - 07:14 AM

Morning, I'm attaching (2) of the (3) items requested.

Had a "page fault in non-paged area" error last night when I ran GMER, system is fine, will rerun tonight. I have a lot of photos/songs on the hard drive, so it takes many hours to run with all the files. Appreciate your help on this.


Daniel

Attached Files



#4 Danapba, Topic Starter (Members, 13 posts)

Posted 27 April 2010 - 07:48 AM

Disappointing. Never had the blue error screen with this computer again. It was running the GMER, thought it was doing well, probably within 30 minutes of finishing, another page error similar to what I mentioned above.

Here's the error detail.

WER9656.dir00\Mini0423710-01\sysdata.xml.dmp
Technical location - C:\Docume~Dan&Ka~1\Locals~1\temp

Bccode:10000050
Bcp1: B596A200
BCP2: 00000000
BCP3: EB09ED3D
O/S Ver: 5_1_2600
Service Pack 3.0

(XP operating system).

Totally guessing, but it looks like it died at a temp file, should I clear out the cache and re-run? Or, is there any way the GMER log from a week ago gives you what you need for diagnosis?

Hoping this thing isn't unstable... first time I've encountered any error that looks significant is when running the GMER.

#5 etavares, Bleepin' Remover (Malware Response Team, 15,514 posts)

Posted 27 April 2010 - 06:57 PM

Hello.
Please post the Combofix log from your run at C:\combofix.txt. Please copy and paste it into your reply instead of attaching it.

Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the internet are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even give access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need to run an OTL script
  1. Please download OTL from one of the following mirrors if you do not still have it.
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    CODE
    :OTL
    IE - HKU\S-1-5-21-1581790127-700987273-1429012687-1006\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://freshvideogals.com/search/
    O3 - HKU\S-1-5-21-1581790127-700987273-1429012687-1006\..\Toolbar\ShellBrowser: (no name) - {0DAB6002-016F-44F9-A921-7F959DDDE5B8} - No CLSID value found.
    O3 - HKU\S-1-5-21-1581790127-700987273-1429012687-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKU\S-1-5-21-1581790127-700987273-1429012687-1006\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    @Alternate Data Stream - 9 bytes -> C:\WINDOWS\SYSTEM32:[etet].dll
    :files
    C:\Documents and Settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
    :Commands
    [EmptyTemp]
  5. Click the Run Fix button at the top.
  6. Let the program run unhindered and reboot when it is done.
  7. You will get a log when it is done, please post that in your reply.
  8. Please then create a new OTL report....
  9. Click the "Scan All Users" checkbox.
  10. Push the button.
  11. A report will open, copy and paste it in a reply here.
Finally, in addition to the Combofix.txt and the two OTL logs, try running GMER in safe mode with only "files" and "sections" checked. That has a higher chance of giving us a log. Thanks!

etavares

Edited by etavares, 27 April 2010 - 06:57 PM.




#6 Danapba, Topic Starter (Members, 13 posts)

Posted 27 April 2010 - 08:04 PM

Here is the combo-fix log you requested. I only had Turbotax as a trusted site, I removed it from the Internet Security Tool - Security area. I will post the combo-fix log and work on the others. Thanks a ton!

ComboFix 10-04-17.07 - Dan & Kari Walock 04/18/2010 16:28:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.632 [GMT -5:00]
Running from: c:\documents and settings\Dan & Kari Walock\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\NPROTECT
c:\recycler\NPROTECT\00002625.
c:\recycler\NPROTECT\00143584.
c:\recycler\NPROTECT\00143588.
c:\recycler\NPROTECT\00143601.
c:\recycler\NPROTECT\00143602.
c:\recycler\NPROTECT\00144087.
c:\recycler\NPROTECT\00144135.
C:\setup.exe
c:\windows\Downloaded Program Files\poPCaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\Thumbs.db
c:\windows\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-03-22 02:04 . 2010-03-22 02:07 -------- d-----w- c:\documents and settings\Dan & Kari Walock\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 21:39 . 2005-11-22 20:29 -------- d-----w- c:\program files\Symantec AntiVirus
2010-04-18 21:17 . 2009-08-03 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-18 15:49 . 2003-11-26 09:19 -------- d-----w- c:\program files\Jasc Software Inc
2010-04-18 15:47 . 2008-02-08 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Knowledge Adventure
2010-04-11 02:49 . 2010-03-06 20:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 05:46 . 2010-03-06 20:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2010-03-06 20:27 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-19 20:39 . 2010-03-19 20:39 -------- d-----w- c:\documents and settings\Dan & Kari Walock\Application Data\Broderbund
2010-03-19 20:39 . 2010-03-19 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Broderbund
2010-03-19 20:38 . 2010-03-19 20:38 -------- d-----w- c:\program files\Broderbund
2010-03-18 02:43 . 2010-02-17 04:12 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-03-14 04:23 . 2004-07-31 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-03-14 02:55 . 2004-07-31 21:56 -------- d-----w- c:\program files\Kodak
2010-03-10 06:15 . 2002-08-29 11:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 20:27 . 2010-03-06 20:27 -------- d-----w- c:\documents and settings\Dan & Kari Walock\Application Data\Malwarebytes
2010-03-06 20:27 . 2010-03-06 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-03 22:48 . 2008-07-27 16:55 -------- d-----w- c:\program files\Coupons
2010-03-01 00:38 . 2009-09-19 18:43 86460 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-25 10:03 . 2010-02-17 04:13 30536 ----a-w- c:\windows\system32\TURegOpt.exe
2010-02-25 09:56 . 2010-03-18 02:43 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2010-02-25 06:24 . 2004-02-07 00:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 15:16 . 2009-10-02 23:33 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2002-08-29 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 12:34 . 2003-12-03 05:23 117912 ----a-w- c:\documents and settings\Dan & Kari Walock\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-24 12:33 . 2008-11-24 12:26 8224 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-02-24 05:20 . 2005-12-22 02:10 -------- d-----w- c:\program files\The Learning Company
2010-02-24 05:16 . 2004-01-26 05:09 -------- d-----w- c:\program files\Common Files\Intuit
2010-02-16 14:08 . 1980-01-01 06:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 1980-01-01 06:00 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2002-08-29 11:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2002-08-29 11:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-21 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-04-24 4616192]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-11-26 151597]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-11 67184]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-12-30 120640]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-02-04 1851392]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"DACSMiniApp"="c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe" [2007-08-24 197888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-02 524632]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\Dan & Kari Walock\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-8-9 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2008-2-24 270336]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Dan & Kari Walock^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Dan & Kari Walock\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe"
"DwlClient"=c:\program files\Common Files\Dell\EUSW\Support.exe
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"DIGServices"=c:\program files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
"DIGStream"=c:\program files\DIGStream\digstream.exe
"IntelMeM"=c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
"ScreenPrint32"=c:\documents and settings\Dan & Kari Walock\Desktop\ScreenPrint32.exe -startup
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\msn.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer_2_6.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [3/17/2009 9:40 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1029456]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2/25/2010 4:59 AM 1047880]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [10/14/2009 8:24 AM 10064]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\SYSTEM32\DRIVERS\ASPI32.SYS [4/29/2008 9:34 PM 16512]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [3/6/2010 3:27 PM 38224]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [12/30/2004 4:19 PM 153416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-04-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:40]

2010-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-04-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-04-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-02-29 18:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.espn.go.com/
uDefault_Search_URL = hxxp://ie.search.msn.com
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uSearchAssistant = hxxp://ie.search.msn.com
uCustomizeSearch = hxxp://ie.search.msn.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} - hxxp://www.magicvalley.com/misc/lesschwab/VatDec.cab
DPF: {4ED4AAA0-2CEC-4D84-AB72-74E53E092CFD} - hxxp://www.freehandmusic.com/Update/biblionet.cab
DPF: {6A4F3A11-99B7-4BD1-AF88-B7354D1DAECD} - hxxp://www.freehandmusic.com/Update/SoleroMusicControl.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-18 16:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000001DF7AFA18BC5D7B27E 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1581790127-700987273-1429012687-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3524)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\System32\TUProgSt.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-04-18 16:54:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-18 21:54

Pre-Run: 3,673,706,496 bytes free
Post-Run: 3,945,234,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - F0365E7DAD90E70C37CCFA832D90305E
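The "Reg Loading Points" section of the ComboFix log above lists every autostart value in a REGEDIT4-style layout: a bracketed key, then one `"name"=path [date size]` line per value, with some paths quoted and some not. The parser below, an added example written for this page (not ComboFix's or OTL's own code, and not the thread's log), turns such a section into structured records and applies a simple triage rule: an autostart binary living under a user profile, a temp folder, the recycler, or the drive root deserves a second look, because legitimate installers put their startup executables under Program Files or the Windows directory. The sample log is constructed to mirror the format seen in the thread; the `SUSPECT_DIRS` list and the flag wording are the editor's assumptions, not anything the tools emit.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on the ComboFix "Reg Loading Points" layout in this
# thread. Names, paths and stamps are invented for the example; they are not the
# thread's real log.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-11 67184]
"Updater"="c:\documents and settings\user\Local Settings\Temp\svch0st.exe" [2010-04-01 24576]
"setup"="c:\setup.exe" [2010-04-10 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ScreenPrint32"=c:\documents and settings\user\Desktop\ScreenPrint32.exe -startup
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.*)$')
# ComboFix appends "[YYYY-MM-DD size]" for the file it resolved the value to.
STAMP_RE = re.compile(r'\s\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]\s*$')
# Used to cut an unquoted path from its arguments at the executable extension.
EXT_RE = re.compile(r'\.(exe|dll|sys|scr|cpl|bat|cmd)(?=\s|$)', re.IGNORECASE)

# Heuristic (editor's assumption): directories where an autostart binary
# is unusual enough to warrant a look.
SUSPECT_DIRS = ('\\temp\\', '\\desktop\\', '\\application data\\',
                '\\local settings\\', '\\recycler\\')


@dataclass
class AutostartEntry:
    key: str
    name: str
    path: str
    args: str
    date: Optional[str]
    size: Optional[int]
    flags: List[str] = field(default_factory=list)


def _split_path(rest: str) -> Tuple[str, str]:
    """Separate the executable path from trailing arguments (quoted or not)."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end != -1:
            return rest[1:end], rest[end + 1:].strip()
    m = EXT_RE.search(rest)
    if m:
        return rest[:m.end()], rest[m.end():].strip()
    return rest, ''


def triage(path: str) -> List[str]:
    """Return human-readable reasons this autostart path looks out of place."""
    flags = []
    low = path.lower()
    if any(d in low for d in SUSPECT_DIRS):
        flags.append('binary under user-writable profile/temp directory')
    if re.match(r'^[a-z]:\\[^\\]+$', low):
        flags.append('binary sits in the drive root')
    return flags


def parse_reg_loading_points(text: str) -> List[AutostartEntry]:
    """Parse a REGEDIT4-style autostart dump into AutostartEntry records."""
    entries: List[AutostartEntry] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4':
            continue
        km = KEY_RE.match(line)
        if km:
            current_key = km.group('key')
            continue
        vm = VALUE_RE.match(line)
        if not vm or current_key is None:
            continue
        rest = vm.group('rest')
        date = size = None
        sm = STAMP_RE.search(rest)
        if sm:
            date, size = sm.group('date'), int(sm.group('size'))
            rest = rest[:sm.start()]
        path, args = _split_path(rest)
        entries.append(AutostartEntry(current_key, vm.group('name'), path,
                                      args, date, size, triage(path)))
    return entries


def suspicious(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    """Keep only the entries the triage rules flagged."""
    return [e for e in entries if e.flags]


if __name__ == '__main__':
    for e in suspicious(parse_reg_loading_points(SAMPLE_LOG)):
        print(f"{e.name!r} -> {e.path}  [{'; '.join(e.flags)}]")
```

Run it on a saved ComboFix.txt by reading the file and passing the text between the "Reg Loading Points" banner and the next banner to `parse_reg_loading_points`. A flag is a prompt to look at the file (publisher, timestamp, what created it), not a verdict; a legitimate tool launched from the desktop, as the thread's own `ScreenPrint32` entry shows, will trip the same rule.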


#7 Danapba, Topic Starter (Members, 13 posts)

Posted 27 April 2010 - 08:48 PM

Ok, all my desktop icons disappeared with the exception of Internet Explorer, My Network Places, and My computer. The OTL fix log that I saved to the desktop is gone. I attempted to run OTL Run Scan, and I got the following errors this time (1st time ever saw these).

Vptray.ex bad image

applications on DLL C:\windows\system32\xpspres.dll is not a valid windows image - please check against install diskette.

Same error but \wbem\fastprox.dll at the end was the 2nd error after I clicked OK to the 1st.

Then, as I went to paste the OTL Fix detail in, the other desktop icons are gone.

Please advise.

#8 Danapba, Topic Starter (Members, 13 posts)

Posted 27 April 2010 - 08:53 PM

Funny, I attempted to create a new shortcut for a program I have on this system, and when I put the shortcut on the desktop, all the other icons reappeared.

Here is the OTL fix log. Please advise as far as the OTL - scan not working (no report was generated after the image errors) so I'm stalled at the moment.

Thanks,

Daniel



All processes killed
========== OTL ==========
HKU\S-1-5-21-1581790127-700987273-1429012687-1006\SOFTWARE\Microsoft\Internet Explorer\Search\\Default_Search_URL| /E : value set successfully!
Registry value HKEY_USERS\S-1-5-21-1581790127-700987273-1429012687-1006\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{0DAB6002-016F-44F9-A921-7F959DDDE5B8} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DAB6002-016F-44F9-A921-7F959DDDE5B8}\ not found.
Registry value HKEY_USERS\S-1-5-21-1581790127-700987273-1429012687-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\S-1-5-21-1581790127-700987273-1429012687-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
ADS C:\WINDOWS\SYSTEM32:[etet].dll deleted successfully.
========== FILES ==========
C:\Documents and Settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC} folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Adm[inistra
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 134 bytes

User: All Users

User: Dan & Kari Walock
->Temp folder emptied: 10847946 bytes
->Temporary Internet Files folder emptied: 41739023 bytes
->Java cache emptied: 18620089 bytes
->Flash cache emptied: 2003247 bytes

User: Default User
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41044 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 15596 bytes
->Temporary Internet Files folder emptied: 616267 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 88409 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4920298 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 57099 bytes
RecycleBin emptied: 22613229 bytes

Total Files Cleaned = 97.00 mb


OTL by OldTimer - Version 3.2.2.0 log created on 04272010_201451

Files\Folders moved on Reboot...
C:\Documents and Settings\Dan & Kari Walock\Local Settings\Temporary Internet Files\Content.IE5\LQZZ1GMK\iframe[1].htm moved successfully.
C:\Documents and Settings\Dan & Kari Walock\Local Settings\Temporary Internet Files\Content.IE5\2ZB6ZTKU\index[3].htm moved successfully.

Registry entries deleted on Reboot...


#9 etavares, Bleepin' Remover (Malware Response Team, 15,514 posts)

Posted 28 April 2010 - 04:31 PM

Hello.

When did the icons disappear? After running the OTL fix? Before it? During it? Can you run OTL after a reboot? Let's take a look at those files.

Do you have a Windows CD handy? Not sure if we need it yet, but let's take a look.



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
FileLook::
C:\windows\system32\xpspres.dll
C:\windows\system32\wbem\fastprox.dll


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares




#10 Danapba, Topic Starter (Members, 13 posts)

Posted 28 April 2010 - 08:09 PM

The icons disappeared when I ran the OTL scan and got the bad image errors. I clicked OK to get past them, went back to do my reply, and all my icons were missing. Once I attempted to create the new shortcut to one of my programs and drag it onto the desktop, the icons came back.

As for my Windows disk, should be around here somewhere. Frankly, I should have (3) XP operating system disks somewhere around as I have a laptop and a 2nd computer for my kids.

I will run the Combo-Fix as you mention below and post it shortly.

Thanks, and I'll see if I can find my O/S disk in case we need to go that way.

#11 Danapba, Topic Starter (Members, 13 posts)

Posted 28 April 2010 - 09:05 PM

Update: Found my O/S Reinstallation CD for XP Pro, in case a file needs to be pulled off that.

Ran Combo Fix, the log is as follows. Thanks again!

Daniel


ComboFix 10-04-28.03 - Dan & Kari Walock 04/28/2010 20:21:14.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.566 [GMT -5:00]
Running from: c:\documents and settings\Dan & Kari Walock\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dan & Kari Walock\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-28 01:14 . 2010-04-28 01:14 -------- d-----w- C:\_OTL
2010-04-24 03:16 . 2010-04-24 03:16 -------- d-----w- c:\program files\iPod
2010-04-24 03:15 . 2010-04-24 03:17 -------- d-----w- c:\program files\iTunes
2010-04-24 03:15 . 2010-04-24 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-24 03:03 . 2010-04-24 03:03 -------- d-----w- c:\program files\Bonjour
2010-04-19 23:01 . 2010-04-19 23:00 411368 ----a-w- c:\windows\system32\deployJava1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 01:44 . 2005-11-22 20:29 -------- d-----w- c:\program files\Symantec AntiVirus
2010-04-28 01:36 . 2008-01-26 04:38 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-04-24 14:06 . 2007-01-01 17:50 -------- d-----w- c:\documents and settings\Dan & Kari Walock\Application Data\Apple Computer
2010-04-24 03:16 . 2007-07-01 19:01 -------- d-----w- c:\program files\Common Files\Apple
2010-04-24 03:09 . 2003-11-26 09:13 -------- d-----w- c:\program files\QuickTime
2010-04-24 02:53 . 2010-04-24 02:53 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-19 23:01 . 2003-11-26 08:48 -------- d-----w- c:\program files\Common Files\Java
2010-04-19 23:01 . 2010-04-19 23:01 503808 ----a-w- c:\documents and settings\Dan & Kari Walock\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-62df9305-n\msvcp71.dll
2010-04-19 23:01 . 2010-04-19 23:01 499712 ----a-w- c:\documents and settings\Dan & Kari Walock\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-62df9305-n\jmc.dll
2010-04-19 23:01 . 2010-04-19 23:01 348160 ----a-w- c:\documents and settings\Dan & Kari Walock\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-62df9305-n\msvcr71.dll
2010-04-19 23:01 . 2010-04-19 23:01 61440 ----a-w- c:\documents and settings\Dan & Kari Walock\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-56475a39-n\decora-sse.dll
2010-04-19 23:01 . 2010-04-19 23:01 12800 ----a-w- c:\documents and settings\Dan & Kari Walock\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-56475a39-n\decora-d3d.dll
2010-04-19 23:00 . 2003-11-26 08:48 -------- d-----w- c:\program files\Java
2010-04-18 21:17 . 2009-08-03 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-18 15:49 . 2003-11-26 09:19 -------- d-----w- c:\program files\Jasc Software Inc
2010-04-18 15:47 . 2008-02-08 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Knowledge Adventure
2010-04-11 02:49 . 2010-03-06 20:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 02:49 . 2010-04-11 02:49 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 05:46 . 2010-03-06 20:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2010-03-06 20:27 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-19 20:39 . 2010-03-19 20:39 -------- d-----w- c:\documents and settings\Dan & Kari Walock\Application Data\Broderbund
2010-03-19 20:39 . 2010-03-19 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Broderbund
2010-03-19 20:38 . 2010-03-19 20:38 -------- d-----w- c:\program files\Broderbund
2010-03-18 02:43 . 2010-02-17 04:12 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-03-14 04:23 . 2004-07-31 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-03-14 02:55 . 2004-07-31 21:56 -------- d-----w- c:\program files\Kodak
2010-03-10 06:15 . 2002-08-29 11:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 20:27 . 2010-03-06 20:27 -------- d-----w- c:\documents and settings\Dan & Kari Walock\Application Data\Malwarebytes
2010-03-06 20:27 . 2010-03-06 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-03 22:48 . 2008-07-27 16:55 -------- d-----w- c:\program files\Coupons
2010-03-02 03:41 . 2009-06-23 02:44 315736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-03-02 03:41 . 2009-06-23 02:44 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2010-03-02 03:41 . 2009-06-23 02:44 173408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-03-02 03:41 . 2009-05-27 02:41 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-03-01 00:38 . 2009-09-19 18:43 86460 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-25 10:03 . 2010-02-17 04:13 30536 ----a-w- c:\windows\system32\TURegOpt.exe
2010-02-25 09:56 . 2010-03-18 02:43 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2010-02-25 06:24 . 2004-02-07 00:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 15:16 . 2009-10-02 23:33 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2002-08-29 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 12:34 . 2003-12-03 05:23 117912 ----a-w- c:\documents and settings\Dan & Kari Walock\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-24 12:33 . 2008-11-24 12:26 8224 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-02-16 14:08 . 1980-01-01 06:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 1980-01-01 06:00 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 16:46 . 2010-02-12 16:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:46 . 2010-02-12 16:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33 . 2002-08-29 11:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 14:45 . 2010-02-11 14:45 119808 ----a-w- c:\documents and settings\Dan & Kari Walock\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\FFTextLinks.dll
2010-02-11 12:02 . 2002-08-29 11:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\wbem\fastprox.dll ---
Company: Microsoft Corporation
File Description: WMI
File Version: 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: fastprox.dll
File size: 473600
Created time: 2002-08-29 11:00
Modified time: 2009-02-09 12:10
MD5: 378A0AEFB11D8B0DC8C27B9F7604B88D
SHA1: 29F6E565319817ADA1C7EDA8E3F506F38F4C23F7


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-21 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-04-24 4616192]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-11-26 151597]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-11 67184]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-12-30 120640]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-02-04 1851392]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"DACSMiniApp"="c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe" [2007-08-24 197888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-02 524632]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\Dan & Kari Walock\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-8-9 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2008-2-24 270336]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Dan & Kari Walock^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Dan & Kari Walock\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe"
"DwlClient"=c:\program files\Common Files\Dell\EUSW\Support.exe
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"DIGServices"=c:\program files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
"DIGStream"=c:\program files\DIGStream\digstream.exe
"IntelMeM"=c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
"ScreenPrint32"=c:\documents and settings\Dan & Kari Walock\Desktop\ScreenPrint32.exe -startup
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\msn.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer_2_6.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [3/17/2009 9:40 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1029456]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2/25/2010 4:59 AM 1047880]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [10/14/2009 8:24 AM 10064]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\SYSTEM32\DRIVERS\ASPI32.SYS [4/29/2008 9:34 PM 16512]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [3/6/2010 3:27 PM 38224]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [12/30/2004 4:19 PM 153416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-04-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:40]

2010-04-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-04-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-04-28 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-02-29 18:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.espn.go.com/
uDefault_Search_URL = hxxp://ie.search.msn.com
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uSearchAssistant = hxxp://ie.search.msn.com
uCustomizeSearch = hxxp://ie.search.msn.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} - hxxp://www.magicvalley.com/misc/lesschwab/VatDec.cab
DPF: {4ED4AAA0-2CEC-4D84-AB72-74E53E092CFD} - hxxp://www.freehandmusic.com/Update/biblionet.cab
DPF: {6A4F3A11-99B7-4BD1-AF88-B7354D1DAECD} - hxxp://www.freehandmusic.com/Update/SoleroMusicControl.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-28 20:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1581790127-700987273-1429012687-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-04-28 20:55:02
ComboFix-quarantined-files.txt 2010-04-29 01:54
ComboFix2.txt 2010-04-18 21:54

Pre-Run: 27,398,369,280 bytes free
Post-Run: 27,386,417,152 bytes free

- - End Of File - - ACF61181C7C6540B962D6AE63F6EC1CB


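The FileLook:: script requested earlier produced the "Look" block in this log. The following is an added example (not ComboFix's or the poster's code) that parses such blocks and compares each file's reported hashes and version with an analyst-supplied baseline; the fastprox.dll baseline values are copied from the log above and are not asserted to be known-good, and the second file, its hashes and its baseline entry are constructed.

```python
"""Parse the 'Look' section of a ComboFix log (output of the FileLook::
CFScript directive) and compare each file with an analyst-supplied baseline."""
import re

# A Look block starts with "--- <path> ---" and ends at a blank line or a lone "."
HEADER_RE = re.compile(r"^--- (?P<path>.+?) ---$")


def parse_look_section(log_text):
    """Return {lowercased path: {field: value}} for every Look block in the log."""
    records, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = records.setdefault(m.group("path").lower(), {})
            continue
        if not line or line == ".":
            current = None          # separator: the current block is finished
            continue
        if current is None:
            continue                # text outside any Look block is ignored
        key, sep, value = line.partition(":")   # first colon splits key/value
        if sep:
            current[key.strip()] = value.strip()
    return records


def check_against_baseline(records, baseline):
    """List, per file, the fields that disagree with baseline[path] (hashes
    compared case-insensitively); files lacking a baseline entry are flagged."""
    findings = {}
    for path, fields in records.items():
        expected = baseline.get(path)
        if expected is None:
            findings[path] = ["no baseline entry"]
            continue
        problems = []
        for key, want in expected.items():
            got = fields.get(key)
            if got is None:
                problems.append(f"{key}: missing from log")
            elif got.upper() != want.upper():
                problems.append(f"{key}: log has {got}, baseline has {want}")
        findings[path] = problems
    return findings


# Constructed sample input: the fastprox.dll block is copied from the log in
# this thread; the second block is a made-up file with a placeholder hash.
SAMPLE_LOG = r"""
.

--- c:\windows\system32\wbem\fastprox.dll ---
File Version: 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
File size: 473600
MD5: 378A0AEFB11D8B0DC8C27B9F7604B88D
SHA1: 29F6E565319817ADA1C7EDA8E3F506F38F4C23F7

--- C:\windows\system32\constructed-sample.dll ---
File Version: 1.0.0.0
MD5: 00000000000000000000000000000001
"""

# Baseline an analyst would fill from a trusted reference copy. The fastprox.dll
# entry just mirrors the log (assumption, not a known-good record); the
# constructed entry deliberately disagrees on MD5 to exercise the mismatch path.
BASELINE = {
    r"c:\windows\system32\wbem\fastprox.dll": {
        "File Version": "5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)",
        "MD5": "378a0aefb11d8b0dc8c27b9f7604b88d",
        "SHA1": "29f6e565319817ada1c7eda8e3f506f38f4c23f7",
    },
    r"c:\windows\system32\constructed-sample.dll": {
        "MD5": "00000000000000000000000000000002",
    },
}
```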
#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:31 PM

Posted 29 April 2010 - 06:01 PM

OK, we may not need them. Let's try something... uninstall MBAM from Add/Remove Programs. Then follow the instructions below:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.




#13 Danapba

Danapba
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:31 PM

Posted 29 April 2010 - 08:38 PM

More frustration.

Uninstalled MBAM, reinstalled, disabled TeaTimer, ran MBAM... 7 minutes in... invalid pattern string 93 error. Won't finish. Same as prior.



#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:31 PM

Posted 30 April 2010 - 06:32 PM

Hello, Danapba.

OK, please launch MBAM, click the 'About' tab and let me know what version of MBAM you have... e.g. 1.46. This is a Visual Basic error... and could be in the coding for it.

Let's get an ESET scan to be safe. Don't delete or quarantine anything yet, just let it scan.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

etavares




#15 Danapba

Danapba
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:31 PM

Posted 30 April 2010 - 08:15 PM

The version is 1.46.

I'll proceed with the scan.

Thanks,

Daniel
