
Possible ComboFix issue


12 replies to this topic

#1 siequeen


  • Members
  • 5 posts

Posted 31 July 2010 - 05:41 PM

Hello all.

Recently I used combofix to remove a present my sister had left for me while I was on vacation. By no means am I the sharpest knife in the drawer, and I realize how combofix can cause some serious issues, but in the past it has yielded some great results with my friends and the one other time I used it.

That said, after it removed the nasty pest, it also made it so that I cannot in any way, shape or form use keyboard hotkeys (email, media player buttons, etc.) and, most importantly, the volume control button. I have used 3 different keyboards with 3 different computers and all 3 work, save any of them connected to this particular computer.

I cannot live without my volume control button. I really do not know what else to say.

I have installed the newest drivers for just about everything related to a keyboard that I can think of, and as I said, this keyboard's functions work in their entirety on other machines, as do other keyboards', but once hooked up to this (post-ComboFix) computer, none of them work.

If this is in the wrong forum, I sincerely apologize.

If anyone can help I would be forever in your debt.

I do have the combofix logs and all info anyone may need.

Thanks in advance.




#2 boopme

  • Global Moderator
  • 72,740 posts

Posted 31 July 2010 - 06:26 PM

Please add your ComboFix logs and an MBAM log and then I will move this.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#3 siequeen

  • Topic Starter

  • Members
  • 5 posts

Posted 31 July 2010 - 09:23 PM

Ok, here goes:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4375

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5508

7/31/2010 11:06:40 PM
mbam-log-2010-07-31 (23-06-40).txt

Scan type: Quick scan
Objects scanned: 123240
Time elapsed: 3 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\QNB2EB90WX (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RZDVL2F27W (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qnb2eb90wx (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\d3dx9_32M.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\Ixuqia.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.




ComboFix 10-07-19.05 - Administrator 07/20/2010 15:10:27.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.2879 [GMT -3:00]
Running from: c:\documents and settings\Administrator\Desktop\Drivers and Installers\ComboFix.exe


Here is the kicker now - after running MBAM I lost my hdd. My cpu doesn't see it anymore. Meaning I literally can do nothing but surf the net, and I am really stuck for ideas, since that is the one with everything on it that I want to back up if I had to re-install. Looks like I have to now, since I don't have a hdd. Wow, this is a pickle.

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 July 2010 - 10:44 PM

Hello

Wow, that doesn't sound good at all. Let's see if you can get me one of the reports from ComboFix.

extra combofix report

I need to see one of the extra reports ComboFix makes:
  • push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box
CODE
C:\Qoobox\ComboFix-quarantined-files.txt
  • click OK
  • copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 siequeen

siequeen
  • Topic Starter

  • Members
  • 5 posts

Posted 31 July 2010 - 11:01 PM

2010-07-20 18:12:21 . 2010-07-20 18:12:21 628 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-RelevantKnowledge.reg.dat
2010-07-20 18:12:21 . 2010-07-20 18:12:21 590 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-QNB2EB90WX.reg.dat
2010-07-20 18:11:10 . 2010-07-20 18:11:10 5,079 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-07-20 18:08:45 . 2010-07-20 18:08:45 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-06-30 22:10:16 . 2010-06-30 22:10:16 62,464 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\d3dx9_32M.dll.vir

I think I did it correctly.

Thanks for your help!!!


#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 August 2010 - 01:36 AM

Yes, you did it correctly, but there is nothing in there that would cause what you are experiencing.

Please tell me more about what is going on with your hard drive: what you see, what you don't, what you can do and what you can't.

What happens when you try to do something?


Gringo

#7 siequeen

siequeen
  • Topic Starter

  • Members
  • 5 posts

Posted 01 August 2010 - 02:14 AM

QUOTE(gringo_pr @ Aug 1 2010, 01:36 AM)
Yes, you did it correctly, but there is nothing in there that would cause what you are experiencing.

Please tell me more about what is going on with your hard drive: what you see, what you don't, what you can do and what you can't.

What happens when you try to do something?

Gringo


There is no longer a hdd. After MBAM ran its course a red question mark appeared on the icon for my hdd. I tried to access it and it said that the shortcut was no longer valid, would I like to delete it. I then checked in my device manager only to find the same thing. I rebooted to see if maybe that could help and now the hdd shortcut icon is gone and the hdd does not appear in my device manager.


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 August 2010 - 04:04 AM

Hello

Is this the only hard drive on the computer, and normally it would be the C drive?

Or is this an external hard drive?


You can't run any programs at all?


gringo

#9 siequeen

siequeen
  • Topic Starter

  • Members
  • 5 posts

Posted 01 August 2010 - 05:05 AM

It's a storage hdd. I run windows from another.

Good news is that it fixed itself. After about 7 reboots, it just appeared again.

I did find out why I lost my volume key functions also. Turns out I should have known, as it's an issue as old as the hills. The keyboard needs access to HID dlls, which are to be run as a service during boot. So I did some reading on that, and the solutions are pretty simple, but they are not working for me. I run services.msc and right click HID and run it. It fails, leaving me with an error saying 'Could not start the Human Interface Device Access service on Local Computer. Error 126: the specified module could not be found' even after I used my XP cd to take the three needed files and put them in my sys.32 folder. When I run the .sys files or dll that is needed they say they cannot be registered. So I use regsrvc.exe and that cannot verify them either.

Looks like a re-install just because 3 simple dlls are corrupted and I simply cannot copy/paste them. Unless you have any ideas. Also, if you have any idea at all why combofix could have removed or corrupted these dlls I would greatly appreciate it.

I suppose maybe I should start a new thread with this HID issue and see if I get any bites?

Thanks again.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 August 2010 - 03:18 PM

Sorry to be so late. Moving this to Virus, Trojan, Spyware, and Malware Removal Logs.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 August 2010 - 10:21 PM

What type of computer is this?

I am thinking along the lines of going to its website and downloading new drivers.


Gringo

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 August 2010 - 04:01 PM

How did things go?

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 August 2010 - 02:10 AM

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo
