Problems after running combofix


This topic is locked
4 replies to this topic

#1 fsmyth


  • Members
  • 5 posts

Posted 08 August 2010 - 03:23 PM

Well, I screwed up.
While cleaning up my download directory (I _usually_ run unknowns on an unimportant box),
after running the installs to see what the entries were, I ran ComboFix. size=3,815,998
Must have been an old version; it asked to download a newer.
No chance to abort!!!
It almost immediately rebooted the machine (after a CD indirect message).
After the reboot, it ran (successfully?) and displayed a results window.
Closing the window left a blank screen - no task bar, icons, or messages.
Rebooted using the three-finger salute.
Now, Add/Remove software just brings up the little window with icons on the left - no software entries.
The exit button does nothing; the only way to kill it is with the task mgr.
Tried copying classic.htt to default.htt (one of the files removed by combofix), but the
file manager still locks if any .htt is double-clicked. So far, everything else seems to
work (this is early on; all this just occurred). How do I fix this??

Log follows:

ComboFix 10-08-05.01 - alan 08/08/2010 13:53:52.1.1 - x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.511.288 [GMT -5:00]
Running from: E:\Download\ComboFix.exe
.
/wow section - STAGE 32A
'"' is not recognized as an internal or external command


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Save Tube Video Company\SaveTubeVideo\MiNBho.dll
C:\Program Files\Save Tube Video Company\SaveTubeVideo\SaVEtubevideo.dll
C:\WIN2K\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2010-07-08 to 2010-08-08 )))))))))))))))))))))))))))))))
.

2010-08-08 15:37:33 . 2010-08-08 15:39:23 -------- d-----w- C:\Program Files\Spybot - Search & Destroy
2010-08-08 15:37:33 . 2010-08-08 15:38:02 -------- d---a-w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-08 14:24:14 . 2010-08-08 14:24:14 63488 ----a-w- C:\Documents and Settings\alan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-08 14:24:09 . 2010-08-08 14:24:09 52224 ----a-w- C:\Documents and Settings\alan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-08 14:24:01 . 2010-08-08 14:24:01 117760 ----a-w- C:\Documents and Settings\alan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-08 14:23:49 . 2010-08-08 14:23:49 -------- d-----w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-08 14:23:49 . 2010-08-08 14:23:49 -------- d-----w- C:\Documents and Settings\alan\Application Data\SUPERAntiSpyware.com
2010-08-08 14:23:42 . 2010-08-08 14:23:50 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2010-08-08 12:16:36 . 2010-08-08 12:16:36 -------- d-----w- C:\Program Files\ACW
2010-08-05 23:12:30 . 2010-08-05 23:13:17 -------- d-----w- C:\WIN2K\Backups
2010-08-05 06:02:46 . 2010-08-05 06:02:46 -------- d-----w- C:\Documents and Settings\alan\Local Settings\Application Data\Ahead
2010-08-05 05:40:23 . 2010-08-05 05:40:23 -------- d-----w- C:\Documents and Settings\alan\Application Data\Simple Star
2010-08-05 05:40:23 . 2004-10-21 15:47:40 82432 ----a-w- C:\WIN2K\system32\msxml4r.dll
2010-08-05 05:40:23 . 2004-10-21 15:47:40 44544 ----a-w- C:\WIN2K\system32\msxml4a.dll
2010-08-05 05:40:23 . 2004-10-21 15:47:39 1233920 ----a-w- C:\WIN2K\system32\msxml4.dll
2010-08-05 05:40:23 . 2004-07-13 20:47:15 421888 ----a-w- C:\WIN2K\Nero PhotoShow.scr
2010-08-05 05:37:42 . 2010-08-05 05:39:48 -------- d-----w- C:\Documents and Settings\alan\Application Data\Ahead
2010-08-05 05:37:15 . 2004-05-14 15:12:48 1916928 ------w- C:\WIN2K\UNNVEContent.exe
2010-08-05 05:37:04 . 2004-05-14 15:12:49 1916928 ------w- C:\WIN2K\UNAheadManual.exe
2010-08-05 05:37:00 . 2005-01-27 16:02:12 2658304 ------w- C:\WIN2K\UNMRW.exe
2010-08-05 05:36:58 . 2005-01-27 23:07:20 6400 ------w- C:\WIN2K\system32\drivers\InCDFatRec.sys
2010-08-05 05:36:58 . 2005-01-27 23:07:14 134144 ------w- C:\WIN2K\system32\drivers\InCDFat.sys
2010-08-05 05:36:57 . 2005-01-27 23:08:08 8704 ------w- C:\WIN2K\system32\drivers\InCDrec.sys
2010-08-05 05:36:57 . 2005-01-27 23:08:02 99200 ------w- C:\WIN2K\system32\drivers\InCDfs.sys
2010-08-05 05:36:57 . 2005-01-27 23:07:34 28928 ------w- C:\WIN2K\system32\drivers\InCDpass.sys
2010-08-05 05:36:56 . 2010-08-05 05:37:01 -------- d-----w- C:\Program Files\Ahead
2010-08-05 05:36:56 . 2005-01-27 17:07:28 27776 ------w- C:\WIN2K\system32\drivers\InCDrm.sys
2010-08-05 05:36:39 . 2005-02-08 12:12:22 2670592 ------w- C:\WIN2K\UNNMP.exe
2010-08-05 05:34:01 . 2005-02-17 11:21:51 2682880 ------w- C:\WIN2K\UNNeroVision.exe
2010-08-05 05:33:33 . 2010-08-05 05:33:33 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Ahead
2010-08-05 05:33:33 . 2004-09-22 22:00:06 364544 ----a-w- C:\WIN2K\system32\TwnLib4.dll
2010-08-05 05:33:32 . 2004-09-22 22:00:06 38912 ----a-w- C:\WIN2K\system32\picn20.dll
2010-08-05 05:30:57 . 2010-08-05 05:30:57 -------- d-----w- C:\Program Files\Common Files\Nero
2010-08-05 05:30:45 . 2002-12-11 23:50:18 301712 -c--a-w- C:\WIN2K\system32\dllcache\drmclien.dll
2010-08-05 05:30:45 . 2002-12-11 23:50:18 301712 ----a-w- C:\WIN2K\system32\drmclien.dll
2010-08-05 05:30:45 . 2002-12-11 22:34:42 9728 -c--a-w- C:\WIN2K\system32\dllcache\npwmsdrm.dll
2010-08-05 05:30:45 . 2002-12-11 22:34:42 82432 -c--a-w- C:\WIN2K\system32\dllcache\drmstor.dll
2010-08-05 05:30:45 . 2002-12-11 22:34:42 82432 ----a-w- C:\WIN2K\system32\drmstor.dll
2010-08-05 05:29:52 . 2004-09-22 22:00:06 106496 ----a-w- C:\WIN2K\system32\TwnLib20.dll
2010-08-05 05:29:47 . 2004-09-22 22:00:06 476320 ----a-w- C:\WIN2K\system32\ImagXpr7.dll
2010-08-05 05:29:47 . 2004-09-22 22:00:06 471040 ----a-w- C:\WIN2K\system32\ImagXRA7.dll
2010-08-05 05:29:47 . 2004-09-22 22:00:06 262144 ----a-w- C:\WIN2K\system32\ImagXR7.dll
2010-08-05 05:29:47 . 2004-09-22 22:00:06 1568768 ----a-w- C:\WIN2K\system32\ImagX7.dll
2010-08-05 05:29:46 . 2001-07-09 15:50:42 155648 ----a-w- C:\WIN2K\system32\NeroCheck.exe
2010-08-05 05:29:42 . 2010-08-05 05:29:43 -------- d-----w- C:\Program Files\Common Files\Ahead
2010-08-03 17:11:57 . 2010-08-03 17:11:57 0 ----a-w- C:\WIN2K\PowerReg.dat
2010-08-03 17:11:52 . 2002-02-27 22:50:00 197120 ----a-w- C:\WIN2K\patchw32.dll
2010-08-03 17:11:51 . 2010-08-03 17:11:51 -------- d-----w- C:\Program Files\Common Files\PocketSoft
2010-08-03 16:36:18 . 2010-08-03 16:36:18 -------- d-----w- C:\Documents and Settings\alan\Application Data\StarBurn
2010-08-03 16:36:01 . 2010-08-03 16:36:01 -------- d-----w- C:\Program Files\Save Tube Video Company
2010-08-03 16:35:59 . 2010-08-03 16:35:59 721904 ----a-w- C:\WIN2K\system32\drivers\sptd.sys
2010-08-03 14:28:56 . 2010-08-03 14:28:56 503808 ----a-w- C:\Documents and Settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-25ad9d81-n\msvcp71.dll
2010-08-03 14:28:56 . 2010-08-03 14:28:56 499712 ----a-w- C:\Documents and Settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-25ad9d81-n\jmc.dll
2010-08-03 14:28:56 . 2010-08-03 14:28:56 348160 ----a-w- C:\Documents and Settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-25ad9d81-n\msvcr71.dll
2010-08-03 14:28:55 . 2010-08-03 14:28:55 61440 ----a-w- C:\Documents and Settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-39a881bc-n\decora-sse.dll
2010-08-03 14:28:55 . 2010-08-03 14:28:55 12800 ----a-w- C:\Documents and Settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-39a881bc-n\decora-d3d.dll
2010-08-01 10:26:13 . 2010-08-01 10:27:27 -------- d-----w- C:\Program Files\logs
2010-07-26 14:32:01 . 2010-07-26 14:32:01 -------- d-----w- C:\Documents and Settings\alan\Local Settings\Application Data\Downloaded Installations
2010-07-25 21:09:06 . 2010-07-25 21:09:06 -------- d-----w- C:\Documents and Settings\alan\Local Settings\Application Data\Opera
2010-07-25 21:09:03 . 2010-07-25 21:09:05 -------- d-----w- C:\Program Files\Opera
2010-07-22 20:54:19 . 2006-01-26 13:57:00 520192 ------w- C:\WIN2K\system32\ati2sgag.exe
2010-07-22 20:48:19 . 2010-07-22 20:48:19 -------- d-----w- C:\WIN2K\system32\drivers\drivers
2010-07-21 09:43:28 . 2002-12-11 22:34:42 208896 ----a-w- C:\WIN2K\system32\wmpns.dll
2010-07-20 21:10:17 . 2010-07-20 21:10:17 -------- d--h--w- C:\WIN2K\PIF
2010-07-16 11:47:00 . 2010-07-16 11:47:00 -------- d-----w- C:\Documents and Settings\alan\Application Data\Foxit Software
2010-07-16 11:46:14 . 2010-07-16 11:46:39 -------- d-----w- C:\Program Files\Foxit
2010-07-15 08:02:38 . 2010-07-15 08:02:38 -------- d-----w- C:\Program Files\Google
2010-07-15 01:20:05 . 2010-07-15 01:20:05 -------- d-----w- C:\WIN2K\Sun
2010-07-14 00:21:43 . 2010-07-18 06:05:45 -------- d-----w- C:\Programs
2010-07-14 00:16:29 . 2010-07-14 00:16:29 16384 ----atw- C:\WIN2K\system32\Perflib_Perfdata_264.dat
2010-07-12 20:44:55 . 2003-06-19 17:05:04 21552 -c--a-w- C:\WIN2K\system32\dllcache\usbstor.sys
2010-07-12 18:21:52 . 2010-07-12 18:21:52 -------- d-----w- C:\Documents and Settings\alan\Local Settings\Application Data\Help
2010-07-12 18:12:18 . 2010-07-12 18:12:18 -------- d-----w- C:\Program Files\Aladdin Systems
2010-07-12 18:12:18 . 2001-05-09 05:00:00 983040 ----a-w- C:\WIN2K\system32\stuffit5.engine-5.1.dll
2010-07-12 18:12:18 . 2001-05-09 05:00:00 57344 ----a-w- C:\WIN2K\system32\MACDRAPI.DLL
2010-07-12 18:12:18 . 2001-05-09 05:00:00 35328 ----a-w- C:\WIN2K\system32\Inetwh32.dll
2010-07-10 21:53:28 . 2010-07-10 21:53:28 -------- d-----w- C:\Documents and Settings\alan\Local Settings\Application Data\Identities
2010-07-10 07:55:13 . 2010-05-23 22:50:42 73216 ----a-w- C:\Documents and Settings\alan\Application Data\Mozilla\Firefox\Profiles\ly9f1vco.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
2010-07-10 07:55:13 . 2010-04-18 19:33:56 307200 ----a-w- C:\Documents and Settings\alan\Application Data\Mozilla\Firefox\Profiles\ly9f1vco.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
2010-07-10 07:55:13 . 2010-04-18 19:33:56 172032 ----a-w- C:\Documents and Settings\alan\Application Data\Mozilla\Firefox\Profiles\ly9f1vco.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
2010-07-10 05:53:45 . 2010-07-10 05:53:45 -------- d-----w- C:\WIN2K\system32\Macromed
2010-07-10 01:57:26 . 2003-06-19 17:05:04 11632 -c--a-w- C:\WIN2K\system32\dllcache\mouhid.sys
2010-07-10 01:57:26 . 2003-06-19 17:05:04 11632 ----a-w- C:\WIN2K\system32\drivers\mouhid.sys
2010-07-10 01:57:24 . 1999-10-04 20:03:32 13904 -c--a-w- C:\WIN2K\system32\dllcache\hidusb.sys
2010-07-10 01:57:24 . 1999-10-04 20:03:32 13904 ----a-w- C:\WIN2K\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-08 18:53:04 . 2010-08-08 18:53:04 16384 ----atw- C:\WIN2K\system32\Perflib_Perfdata_234.dat
2010-08-03 17:02:13 . 2010-07-07 05:47:17 -------- d--h--w- C:\Program Files\InstallShield Installation Information
2010-08-01 10:27:39 . 2010-07-15 01:18:22 -------- d-----w- C:\Program Files\Java
2010-07-18 19:19:16 . 2010-07-09 02:09:17 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\ATI
2010-07-18 19:19:16 . 2010-07-08 09:17:40 -------- d-----w- C:\Documents and Settings\alan\Application Data\ATI
2010-07-15 01:18:50 . 2010-07-15 01:18:50 -------- d-----w- C:\Program Files\Common Files\Java
2010-07-15 01:18:44 . 2010-07-15 01:18:44 503808 ----a-w- C:\Documents and Settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-76b98409-n\msvcp71.dll
2010-07-15 01:18:44 . 2010-07-15 01:18:43 499712 ----a-w- C:\Documents and Settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-76b98409-n\jmc.dll
2010-07-15 01:18:43 . 2010-07-15 01:18:43 348160 ----a-w- C:\Documents and Settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-76b98409-n\msvcr71.dll
2010-07-15 01:18:41 . 2010-07-15 01:18:41 61440 ----a-w- C:\Documents and Settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-14230819-n\decora-sse.dll
2010-07-15 01:18:41 . 2010-07-15 01:18:41 12800 ----a-w- C:\Documents and Settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-14230819-n\decora-d3d.dll
2010-07-15 01:18:35 . 2010-07-15 01:18:35 16384 ----atw- C:\WIN2K\system32\Perflib_Perfdata_430.dat
2010-07-15 01:18:25 . 2010-07-15 01:18:33 423656 ----a-w- C:\WIN2K\system32\deployJava1.dll
2010-07-14 14:22:44 . 2010-07-01 01:31:33 -------- d---a-w- C:\Program Files\Accessories
2010-07-10 22:54:00 . 2010-07-07 23:22:26 163644 ----a-w- C:\WIN2K\system32\drivers\SECDRV.SYS
2010-07-08 20:40:06 . 2010-07-08 20:40:05 -------- d-----w- C:\Program Files\Microsoft Baseline Security Analyzer 2
2010-07-08 09:17:49 . 2010-07-08 09:17:49 8224 ----a-w- C:\Documents and Settings\alan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-08 09:17:40 . 2010-07-08 09:17:40 127 ----a-w- C:\Documents and Settings\alan\Local Settings\Application Data\fusioncache.dat
2010-07-07 17:59:20 . 2001-05-08 12:00:00 6656 ----a-w- C:\WIN2K\system32\lpcio.dll
2010-07-07 17:51:03 . 2010-07-07 17:51:03 -------- d-----w- C:\Program Files\CPUID
2010-07-07 10:41:13 . 2010-07-07 10:41:13 58000 ----a-w- C:\WIN2K\system32\drivers\cdr4_2K.sys
2010-07-07 10:41:13 . 2010-07-07 10:41:13 57344 ----a-w- C:\WIN2K\uneng.exe
2010-07-07 10:41:13 . 2010-07-07 10:41:13 49152 ----a-w- C:\WIN2K\system32\cdrtc.dll
2010-07-07 10:41:13 . 2010-07-07 10:41:13 45056 ----a-w- C:\WIN2K\system32\cdral.dll
2010-07-07 10:41:13 . 2010-07-07 10:41:13 23420 ----a-w- C:\WIN2K\system32\drivers\cdralw2k.sys
2010-07-07 10:41:13 . 2010-07-07 10:41:13 -------- d-----w- C:\Program Files\Common Files\Adaptec Shared
2010-07-07 06:35:15 . 2010-07-07 06:35:15 0 ----a-w- C:\WIN2K\nsreg.dat
2010-07-07 06:29:21 . 2010-07-07 06:29:21 -------- d-----w- C:\Program Files\directx
2010-07-07 06:05:26 . 2010-07-07 05:46:33 -------- d-----w- C:\Program Files\Common Files\InstallShield
2010-07-07 05:46:36 . 2010-07-07 05:46:36 -------- d-----w- C:\Program Files\VIA
2010-07-07 05:45:36 . 2010-07-07 05:42:45 -------- d-----w- C:\Program Files\VIA Technologies, Inc
2010-07-06 21:43:14 . 2010-07-06 21:43:14 558142 ----a-w- C:\WIN2K\java\Packages\VJL7F7VN.ZIP
2010-07-06 21:43:14 . 2010-07-06 21:43:14 2678 ----a-w- C:\WIN2K\java\Packages\Data\IO1Z1NFT.DAT
2010-07-06 21:43:14 . 2010-07-06 21:43:14 2474 ----a-w- C:\WIN2K\java\Packages\Data\BL3HJJVF.DAT
2010-07-06 21:43:13 . 2010-07-06 21:43:13 2678 ----a-w- C:\WIN2K\java\Packages\Data\U1BFBF7H.DAT
2010-07-06 21:43:13 . 2010-07-06 21:43:13 2232 ----a-w- C:\WIN2K\java\Packages\Data\RJJ1B9RD.DAT
2010-07-06 21:43:13 . 2010-07-06 21:43:13 155995 ----a-w- C:\WIN2K\java\Packages\2V9B7XRB.ZIP
2010-07-06 21:43:12 . 2010-07-06 21:43:12 2678 ----a-w- C:\WIN2K\java\Packages\Data\X3LVZ7JJ.DAT
2010-07-06 21:43:12 . 2010-07-06 21:43:12 2678 ----a-w- C:\WIN2K\java\Packages\Data\DBBL3BFZ.DAT
2010-07-06 21:43:12 . 2010-07-06 21:43:12 2678 ----a-w- C:\WIN2K\java\Packages\Data\7JRJ9FRL.DAT
2010-07-06 21:42:59 . 2010-07-01 06:33:12 21952 ---h--w- C:\Program Files\folder.htt
2010-07-06 21:42:19 . 2010-07-06 21:42:19 15012 ----a-w- C:\WIN2K\system32\emptyregdb.dat
2010-07-01 15:15:12 . 2010-07-01 15:15:12 -------- d---a-w- C:\Program Files\Belarc
2010-07-01 07:18:41 . 2010-07-01 07:18:41 -------- d---a-w- C:\Program Files\VCOM
2010-07-01 07:18:28 . 2010-07-01 07:18:28 -------- d---a-w- C:\Program Files\Common Files\Wise Installation Wizard
2010-07-01 06:34:27 . 2010-07-01 06:34:27 -------- d---a-w- C:\Program Files\microsoft frontpage
2010-05-11 17:00:34 . 2010-07-07 17:51:03 20072 ----a-w- C:\WIN2K\system32\drivers\cpuz133_x32.sys
.

------- Sigcheck -------

[-] 2002-11-27 00:03:32 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [ERROR: 0x0] . . C:\WIN2K\system32\mspmsnsv.dll

[-] 2004-07-09 09:27:28 . 3120F6D2AB10CDF242EDE54052A8BE47 . 1689600 . . [ERROR: 0x0] . . C:\WIN2K\system32\d3d9.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 21:07:20 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2003-06-19 17:05:04 111376]
"NeroFilterCheck"="C:\WIN2K\system32\NeroCheck.exe" [2001-07-09 15:50:42 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 17:05:04 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Shortcut to Proxomitron.exe.lnk - C:\Programs\Proxomitron\Proxomitron.exe [2010-7-13 295424]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 17:13:36 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21:41 548352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25:48 PM 12872]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41:30 PM 67656]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WIN2K\system32\drivers\usbhub20.sys [7/7/2010 1:39:41 AM 49776]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WIN2K\system32\drivers\el90xbc5.sys [7/7/2010 12:28:19 AM 61712]
S3 InCDFat;Ahead InCDFat File System Driver;C:\WIN2K\system32\drivers\InCDFat.sys [8/5/2010 12:36:58 AM 134144]
S3 PORTMON;PORTMON;\??\D:\Software\Installed\System\Sysinternals\TechNet\PORTMSYS.SYS --> D:\Software\Installed\System\Sysinternals\TechNet\PORTMSYS.SYS [?]
S4 sptd;sptd;C:\WIN2K\system32\drivers\sptd.sys [8/3/2010 11:35:59 AM 721904]

--- Other Services/Drivers In Memory ---

*Deregistered* - InCDFatRec
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google-feed.net/?CID=1
uInternet Settings,ProxyServer = localhost:8080
uInternet Settings,ProxyOverride = 172.
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://C:\WIN2K\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://C:\WIN2K\Java\classes\xmldso.cab
FF - ProfilePath - C:\Documents and Settings\alan\Application Data\Mozilla\Firefox\Profiles\ly9f1vco.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Notify-AutorunsDisabled - Ati2evxx.dll wzcdlg.dll
AddRemove-HijackThis - C:\Software\Utilities\internals\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-08 13:56:29
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C8618CE4-B0B4-4D1D-8336-866A8B88B639}]
@Denied: (A 2 3) (Everyone)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C8618CE4-B0B4-4D1D-8336-866A8B88B639}\InProcServer32]
@="%SystemRoot%\\Explorer.exe"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C8618CE4-B0B4-4D1D-8336-866A8B88B639}\ProgID]
@="DAO.Client"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C8618CE4-B0B4-4D1D-8336-866A8B88B639}\TypeLib]
@="{C8618CE4-0520-5103-8336-6C706C70766F}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(200)
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2010-08-08 13:57:48
ComboFix-quarantined-files.txt 2010-08-08 18:57:45

Pre-Run: 125,734,912 bytes free
Post-Run: 140,443,648 bytes free

- - End Of File - - E0D980DFAB80529F9089F82D01D2841A





#2 Blind Faith


  • Malware Response Team
  • 4,101 posts

Posted 16 August 2010 - 02:41 AM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle

#3 fsmyth

  • Topic Starter

  • Members
  • 5 posts

Posted 18 August 2010 - 05:20 AM

Thanks for your reply. I should have posted a followup, but the problem(s) were
fixed long ago. All it took was some digging.
I threw a lot of stuff at the Add/Remove problem, but what _seems_ to have done
the trick was re-registering (using regsvr32) the files:

mshtml.dll
shdocvw.dll
shell32.dll

ref: Microsoft Article ID: 329891


Again, thanks for your interest.
Feel free to edit/delete these long posts.
<als>

ps. Did not attach the "attach.zip", because you did not specify it. Can do so if
necessary.
pps. I am working on a "missing or corrupt hal.dll" XP problem currently.
Appears that this is going to be involved. Interested in helping?

************** dds.scr log ***********************


DDS (Ver_10-03-17.01) - NTFSx86
Run by alan at 4:53:42.09 on Wed 08/18/2010
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_21
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.511.340 [GMT -5:00]


============== Running Processes ===============

C:\WIN2K\system32\spoolsv.exe
C:\Software\System\UPHClean\uphclean.exe
C:\WIN2K\System32\WBEM\WinMgmt.exe
C:\WIN2K\Explorer.EXE
C:\Programs\Proxomitron\Proxomitron.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\VCOM\PowerDesk\PDExplo.exe
E:\microsoft\windows\bleeping\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mWindow Title = SD-Tweaked IE
uInternet Settings,ProxyServer = localhost:8080
uInternet Settings,ProxyOverride = 172.
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [Synchronization Manager] mobsync.exe /logon
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shortc~1.lnk - c:\programs\proxomitron\Proxomitron.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: DirectAnimation Java Classes - file://c:\win2k\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\win2k\java\classes\xmldso.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1278620785934
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1278486611592
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Notify: AutorunsDisabled Ati2evxx.dll - wzcdlg.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alan\applic~1\mozilla\firefox\profiles\ly9f1vco.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R3 usbhub20;USB 2.0 Root Hub Support;c:\win2k\system32\drivers\usbhub20.sys [2010-7-7 49776]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\win2k\system32\drivers\el90xbc5.sys [2010-7-7 61712]
S3 InCDFat;Ahead InCDFat File System Driver;\??\c:\win2k\system32\drivers\incdfat.sys --> c:\win2k\system32\drivers\InCDFat.sys [?]
S3 PORTMON;PORTMON;\??\d:\software\installed\system\sysinternals\technet\portmsys.sys --> d:\software\installed\system\sysinternals\technet\PORTMSYS.SYS [?]

=============== Created Last 30 ================

2010-08-17 21:03:49 16384 ----atw- c:\win2k\system32\Perflib_Perfdata_234.dat
2010-08-15 15:43:16 0 d-----w- c:\win2k\Downloaded Installations
2010-08-15 13:50:08 0 d-----w- c:\program files\MSXML 4.0
2010-08-15 13:07:35 0 d---a-w- c:\win2k\system32\appmgmt
2010-08-15 12:23:32 186136 ----a-w- c:\win2k\system32\wuaueng1.dll
2010-08-15 12:00:29 8192 ----a-w- c:\win2k\system32\default_user_class.dat
2010-08-11 12:48:16 0 d-----w- c:\docume~1\alan\applic~1\Malwarebytes
2010-08-11 12:48:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-10 15:35:52 118784 ----a-w- c:\win2k\system32\MSSTDFMT.DLL
2010-08-10 15:35:52 1071088 ----a-w- c:\win2k\system32\MSCOMCTL.OCX
2010-08-09 19:19:25 20 ----a-w- c:\documents and settings\alan\defogger_reenable
2010-08-09 18:36:08 16384 ----atw- c:\win2k\system32\Perflib_Perfdata_238.dat
2010-08-08 18:53:00 77312 ----a-w- c:\win2k\MBR.exe
2010-08-08 18:52:59 98816 ----a-w- c:\win2k\sed.exe
2010-08-08 18:52:59 256512 ----a-w- c:\win2k\PEV.exe
2010-08-08 18:52:59 161792 ----a-w- c:\win2k\SWREG.exe
2010-08-08 15:37:33 0 d---a-w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-08-08 15:37:33 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-08 14:23:49 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-08 14:23:49 0 d-----w- c:\docume~1\alan\applic~1\SUPERAntiSpyware.com
2010-08-05 05:40:23 82432 ----a-w- c:\win2k\system32\msxml4r.dll
2010-08-05 05:40:23 44544 ----a-w- c:\win2k\system32\msxml4a.dll
2010-08-05 05:40:23 421888 ----a-w- c:\win2k\Nero PhotoShow.scr
2010-08-05 05:40:23 0 d-----w- c:\docume~1\alan\applic~1\Simple Star
2010-08-05 05:37:01 55627 ------w- c:\win2k\UNMRW.cfg
2010-08-05 05:37:00 2658304 ------w- c:\win2k\UNMRW.exe
2010-08-05 05:30:45 9728 -c--a-w- c:\win2k\system32\dllcache\npwmsdrm.dll
2010-08-05 05:30:45 82432 -c--a-w- c:\win2k\system32\dllcache\drmstor.dll
2010-08-05 05:30:45 82432 ----a-w- c:\win2k\system32\drmstor.dll
2010-08-05 05:30:45 301712 -c--a-w- c:\win2k\system32\dllcache\drmclien.dll
2010-08-05 05:30:45 301712 ----a-w- c:\win2k\system32\drmclien.dll
2010-08-03 17:11:57 0 ----a-w- c:\win2k\PowerReg.dat
2010-08-03 17:11:52 197120 ----a-w- c:\win2k\patchw32.dll
2010-08-03 17:11:51 0 d-----w- c:\program files\common files\PocketSoft
2010-08-03 16:36:18 0 d-----w- c:\docume~1\alan\applic~1\StarBurn
2010-08-03 16:35:59 721904 ----a-w- c:\win2k\system32\drivers\sptd.sys
2010-08-01 10:26:13 0 d-----w- c:\program files\logs
2010-07-22 20:54:19 520192 ------w- c:\win2k\system32\ati2sgag.exe
2010-07-22 20:48:19 0 d-----w- c:\win2k\system32\drivers\drivers
2010-07-21 09:43:28 208896 ----a-w- c:\win2k\system32\wmpns.dll
2010-07-20 21:10:17 0 d--h--w- c:\win2k\PIF

==================== Find3M ====================

2010-07-15 01:18:35 16384 ----atw- c:\win2k\system32\Perflib_Perfdata_430.dat
2010-07-15 01:18:25 423656 ----a-w- c:\win2k\system32\deployJava1.dll
2010-07-14 00:16:29 16384 ----atw- c:\win2k\system32\Perflib_Perfdata_264.dat
2010-07-10 22:54:00 163644 ----a-w- c:\win2k\system32\drivers\SECDRV.SYS
2010-07-07 17:59:20 6656 ----a-w- c:\win2k\system32\lpcio.dll
2010-07-07 10:41:13 58000 ----a-w- c:\win2k\system32\drivers\cdr4_2K.sys
2010-07-07 10:41:13 57344 ----a-w- c:\win2k\uneng.exe
2010-07-07 10:41:13 49152 ----a-w- c:\win2k\system32\cdrtc.dll
2010-07-07 10:41:13 45056 ----a-w- c:\win2k\system32\cdral.dll
2010-07-07 10:41:13 23420 ----a-w- c:\win2k\system32\drivers\cdralw2k.sys
2010-07-06 21:42:59 271 ---h--w- c:\program files\desktop.ini
2010-07-06 21:42:59 21952 ---h--w- c:\program files\folder.htt
2010-07-06 21:42:19 15012 ----a-w- c:\win2k\system32\emptyregdb.dat
2001-05-08 12:00:00 32528 ----a-w- c:\win2k\inf\wbfirdma.sys

============= FINISH: 4:53:57.14 ===============


#4 sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 24 August 2010 - 03:21 PM

Hi fsmyth,



Welcome to the BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum.
My name is sundavis, and I will be helping you to deal with your malware problems today.

Due to the warning from the developer of ComboFix, this tool should not be run by oneself unsupervised. Sometimes it will result in an unbootable machine.
If you still need help, please follow the steps below and detail the problems you're still experiencing now.


Step 1
  1. Please download OTL and save it to your desktop.
  2. Double click on the icon on your desktop.
  3. Click the "Scan All Users" checkbox.
  4. Click the "Quick Scan" button.
  5. Two reports will open: OTListIt.txt (will be opened) and Extra.txt (will be minimized).
  6. Copy and paste both logs back here in your next reply.


Step 2

Please download Malwarebytes' Anti-Malware from Here or Here
  1. Double Click mbam-setup.exe to install the application.
  2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  3. If an update is found, it will download and install the latest version.
  4. Once the program has loaded, select "Perform Quick Scan", then click Scan.
  5. The scan may take some time to finish, so please be patient.
  6. When the scan is complete, click OK, then Show Results to view the results.
  7. Make sure that everything is checked, and click Remove Selected.
  8. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  9. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  10. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  11. You can refer to this tutorial.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



In your next reply, please post back:

1. OTListIt.txt and Extra.txt
2. MBAM log

Thanks




#5 sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 02 September 2010 - 12:51 AM

Due to lack of feedback, this topic is now closed.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.




