search engine redirect


  • This topic is locked
38 replies to this topic

#1 thejacob

thejacob

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:02:05 AM

Posted 22 August 2010 - 11:36 AM

Hey, I just signed up as a user for Bleeping Computer because I am having difficulty with resolving the following issue: no matter what search engine I use, the links in the search results do not direct me to the desired/indicated page; also some links are working in a similar manner. I was researching it a little on your site and despite the warning not to run ComboFix I did. Everything seemed to go as expected and I got my log, however it was not something the auto fix could complete. The only odd thing that happened was the computer restarted during the process, which it did not say would occur. The log is below. Here is the catch... after I got the log I was going to come on here and post it, but I tried to see if the problem was still occurring first. All I did was click the link for the Windows recovery on Google and it still had the problem, but immediately Firefox shut down and a "Microsoft Security Essentials Alert" popped up. I was unfamiliar with it so I went on another PC because neither Firefox nor IE would open. I looked it up and it seemed like a legit program, so I looked if there were fake versions or viruses and nothing came up on a search, so I figured maybe it was part of the recovery program. Well, I followed the steps and it gave choices of different legit malware removal tools such as AVG or others to use because it couldn't remove it, and so I clicked one that had recognized the problem. Obviously a big mistake, because it downloaded some "Peak Protection 2010" program and had a mock scanner and all, but wanted me to buy the full version and blocked me out of Windows completely. Not even safe mode would work and finally the only thing I could do was restart in safe mode with command prompt and do a system restore from there. That did work but I am back to square one. Symantec is detecting a constant attack of threats that it can only partially quarantine or leave alone. It is saying they are Trojan.Bamital!inf.
ComboFix is deleted but strangely the log was still available. In the meantime I downloaded SUPERAntiSpyware and Malwarebytes. I ran both in safe mode after doing an RKill. They did find objects but the problem is not fixed. Like I said, I am not sure if the changes ComboFix made are still there, but this is the log:

ComboFix 10-08-21.06 - Jacob 08/22/2010 9:58.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1580 [GMT -5:00]
Running from: c:\documents and settings\Jacob\Desktop\ComboFix.exe
AV: AOL Antivirus *On-access scanning disabled* (Outdated) {164FF91F-F5BD-4B74-A9DC-932CECB1603B}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: AOL Firewall *disabled* {6515F560-BD88-41EB-AD77-F1F3F6F80BEA}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jacob\Application Data\Desktopicon
c:\documents and settings\Jacob\Application Data\Desktopicon\eBay.ico
c:\documents and settings\Jacob\Application Data\Desktopicon\uninst.exe
c:\documents and settings\Jacob\Local Settings\Application Data\Windows Server
c:\documents and settings\Jacob\Local Settings\Application Data\Windows Server\admin.txt
c:\documents and settings\Jacob\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Jacob\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Jacob\Local Settings\Application Data\Windows Server\uses32.dat
c:\windows\Downloaded Program Files\Install.inf
c:\windows\system32\win.ini

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-07-22 to 2010-08-22 )))))))))))))))))))))))))))))))
.

2010-08-16 15:22 . 2010-08-16 15:22 -------- d-sh--w- c:\documents and settings\LocalService\UserData
2010-08-16 15:21 . 2010-08-16 15:21 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-08-16 15:21 . 2010-08-16 15:21 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-08-12 00:42 . 2010-08-12 00:42 -------- d-----w- c:\documents and settings\Jacob\Local Settings\Application Data\kSolo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-22 15:03 . 2009-07-17 17:50 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-08-22 15:03 . 2009-07-17 17:49 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-08-12 00:52 . 2007-12-29 23:22 -------- d-----w- c:\documents and settings\Jacob\Application Data\ZoomBrowser EX
2010-07-13 00:03 . 2010-07-13 00:03 -------- d--h--w- c:\documents and settings\All Users\Application Data\GTek
2010-07-13 00:03 . 2010-07-13 00:03 -------- d-----w- c:\documents and settings\Jacob\Application Data\GTek
2010-07-12 17:04 . 2004-07-15 15:11 -------- d-----w- c:\program files\Common Files\Java
2010-07-12 17:03 . 2004-07-15 15:11 -------- d-----w- c:\program files\Java
2010-07-04 19:40 . 2010-07-04 19:40 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-07-04 19:40 . 2010-07-02 15:22 -------- d-----w- c:\program files\McAfee Security Scan
2010-07-02 15:22 . 2006-03-02 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-07-02 15:22 . 2010-07-02 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-06-30 12:31 . 2004-03-30 01:48 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-12-07 21:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2002-08-29 10:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2002-08-29 10:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2002-08-29 10:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41 . 2002-08-29 10:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2003-08-27 18:19 . 2004-09-08 20:04 36963 -c--a-r- c:\program files\Common Files\SM1updtr.dll
.

------- Sigcheck -------

[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . 1928C472AD4009C81BAD3198C3536AD6 . 507904 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2002-08-29 . 2246D8D8F4714A2CEDB21AB9B1849ABB . 516608 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB840987$\winlogon.exe

[-] 2008-04-14 . 0F31C6B64AA2D744C88F92104E3F993B . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 17:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4A9D-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4A9D-BDFE-192AAD5099B1}]
2008-06-25 21:38 2401584 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}]
2008-06-25 21:38 2401584 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-04-01 180269]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-26 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-11-19 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin F5D8053 N Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F5D8053\Belkinwcui.exe [2007-9-17 1732608]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MozyHome Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MozyHome Status.lnk
backup=c:\windows\pss\MozyHome Status.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-03-01 13:48 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2009-12-01 17:38 3951976 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
2005-11-30 15:40 8808 ----a-w- c:\program files\Common Files\AOL\1100831528\EE\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2005-06-02 14:21 48752 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2004-07-19 12:51 306688 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-04-11 16:43 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWHeartbeatMonitor]
2005-02-01 20:07 118784 ----a-w- c:\progra~1\THEWEA~1\DWHeartbeatMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmailScan]
2005-10-19 17:13 460336 ----a-w- c:\program files\McAfee.com\antivirus\mcvsescn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2007-04-12 21:23 42032 ----a-w- c:\program files\Common Files\AOL\1100831528\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 13:32 77824 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 13:36 114688 ----a-w- c:\windows\SYSTEM32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-09-20 13:35 94208 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 3100 Series]
2003-09-04 02:33 106496 ----a-w- c:\program files\Lexmark 3100 Series\lxbrbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-12-20 12:50 2656528 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXBRKsk]
2003-06-13 14:57 294912 ----a-w- c:\progra~1\LEXMAR~2\lxbrksk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
2005-11-04 22:49 988712 ----a-w- c:\program files\McAfee.com\Personal Firewall\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
2005-08-18 21:57 116272 ----a-w- c:\program files\McAfee.com\antivirus\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 01:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
2004-04-05 21:33 99480 ----a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-11-19 02:33 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RetroExpress]
2008-07-10 22:09 9499928 ----a-w- c:\progra~1\RETROS~1\RETROS~1.5\RetroExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
2003-08-27 18:20 94208 ----a-r- c:\windows\SM1bg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
2005-11-30 15:40 136808 ----a-w- c:\program files\Common Files\AOL\1100831528\EE\services\sscFirewallPlugin\ver1_10_3_1\sscRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 18:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-04-01 18:04 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
2004-11-12 17:24 106557 ----a-w- c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2005-06-24 00:27 85696 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-04-03 22:12 777424 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McShield"=2 (0x2)
"aolavupd"=3 (0x3)
"AOL TopSpeedMonitor"=3 (0x3)
"RetroExpLauncher"=2 (0x2)
"RetroExp Helper"=2 (0x2)
"CCALib8"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"c:\\Program Files\\Sierra On-Line\\sigspat.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Belkin\\F5D8053\\Belkinwcui.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1100831528\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Retrospect\\Retrospect Express HD 2.5\\Retrospect.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [1/31/2009 8:48 AM 64160]
R1 papycpu;papycpu;c:\windows\SYSTEM32\DRIVERS\papycpu.sys [4/20/2005 9:09 PM 1984]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1029456]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/11/2009 2:38 PM 24652]
S3 adxapie;adxapie;\??\c:\docume~1\Jacob\LOCALS~1\Temp\adxapie.sys --> c:\docume~1\Jacob\LOCALS~1\Temp\adxapie.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 7:27 PM 124608]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [4/3/2006 5:12 PM 14032]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv11010
*Deregistered* - EraserUtilRebootDrv
.
Contents of the 'Scheduled Tasks' folder

2010-08-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 13:48]

2004-07-19 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2010-08-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-04-03 22:12]

2010-08-22 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-11-13 22:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jacob\Application Data\Mozilla\Firefox\Profiles\xz6s4ajy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npampx3.0.84.2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-mmtask - c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
AddRemove-eBay Icon - c:\documents and settings\Jacob\Application Data\Desktopicon\uninst.exe
AddRemove-Sibelius Scorch Plugin_is1 - c:\program files\Musicnotes\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-22 10:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6404)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\MozyHome\mozyshell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\MozyHome\mozybackup.exe
c:\program files\mcafee.com\personal firewall\MPFService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\vssvc.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-08-22 10:20:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-22 15:20

Pre-Run: 19,507,900,416 bytes free
Post-Run: 19,543,162,880 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - B44933300A06272B4A795625571E7424

The problem has advanced itself. Symantec was constantly picking up threats, mainly from explorer.exe and winlogon.exe. When I woke up in the morning Symantec said it needed to reboot the computer. I allowed it and it never got to the welcome screen, I got the blue screen with the following message "STOP: c000021a {Fatal System Error} The Windows Logon Process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000). The system has been shut down." This is the only thing on the screen; nothing else. I tried safe mode and safe mode with command in hopes of restoring but nothing seems to work. I even tried using the Reinstallation CD for XP, but it won't recognize it at all. The computer is 6 or 7 years old so I guess it could be that the hard drive was overwhelmed and is dead. I really don't know. This is beyond my knowledge. Any help would be great; at this point I am very open to a total wipeout if only I could make it happen. By the way I am obviously on a different PC typing this.

EDIT: Posts merged ~BP

Edited by Budapest, 23 August 2010 - 04:46 PM.




#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:05 AM

Posted 24 August 2010 - 10:37 AM

Hello, don't worry, we just need to copy the deleted files back and you will be able to boot again.
  1. Restart your computer
  2. Before Windows loads, you will be prompted to choose which Operating System to start
  3. Use the up and down arrow key to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press enter.
  5. Provide your administrator password, or, if you don't have one, press enter.
  6. At the C:\Windows prompt, type the following bolded text, and press Enter:

    copy c:\windows\servicepackfiles\i386\explorer.exe explorer.exe

  7. The command should then show 1 file(s) copied. In case you get prompted to overwrite, choose Yes. At the next prompt type the following bolded text, and press Enter:

    cd system32

    copy c:\windows\servicepackfiles\i386\winlogon.exe winlogon.exe


  8. At the next prompt type the following bolded text, and press Enter:

    exit
Windows will now begin loading.

Edited by elise025, 24 August 2010 - 10:40 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
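The Sigcheck block in the ComboFix log above shows why Elise points at the ServicePackFiles copies: the files in system32 have the same size and version as the catalog-verified copies but a different MD5. The script below is an added example written for this thread (not ComboFix code, not part of the posts): it parses those Sigcheck lines, flags copies whose hash differs from the verified copy of the same version, and derives the Recovery Console `copy` lines from post #2. Treating "[7]" as verified and "[-]" as unverified is an assumption about the ComboFix format.

```python
"""Compare ComboFix Sigcheck entries against the catalog-verified copies.

Added example for this thread; not ComboFix code and not part of the original posts.
Assumption (not documented on the page): a leading "[7]" marks a copy ComboFix
verified against the Windows file catalog, "[-]" one it could not verify; a verified
copy with the same file version is the reference for the other copies.
"""
import re
from collections import defaultdict

# Sample input: the Sigcheck lines from the ComboFix log in post #1 (copied, not constructed).
SIGCHECK_SAMPLE = r"""
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . 1928C472AD4009C81BAD3198C3536AD6 . 507904 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2002-08-29 . 2246D8D8F4714A2CEDB21AB9B1849ABB . 516608 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB840987$\winlogon.exe

[-] 2008-04-14 . 0F31C6B64AA2D744C88F92104E3F993B . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
"""

# One Sigcheck line: [flag] date . MD5 . size . . [file version] . . path
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]])\] (?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-Fa-f]{32}) \. "
    r"(?P<size>\d+) \. \. \[(?P<version>[\d.]+)\] \. \. (?P<path>.+)$"
)


def parse_sigcheck(text):
    """Return one dict per well-formed Sigcheck line; any other line is ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def find_tampered(text):
    """Flag copies whose MD5 differs from a verified copy of the same file and version.

    Entries are grouped by (file name, version). Within a group the "[7]" copy is the
    reference; an unverified copy with another hash is reported. Groups without a
    verified copy (e.g. the two 6.00.2900.3156 builds above) cannot be judged and are
    skipped rather than guessed at.
    """
    groups = defaultdict(list)
    for e in parse_sigcheck(text):
        name = e["path"].rsplit("\\", 1)[-1].lower()
        groups[(name, e["version"])].append(e)

    findings = []
    for (name, version), copies in groups.items():
        refs = [c for c in copies if c["flag"] == "7"]
        if not refs:
            continue
        ref = refs[0]
        for c in copies:
            if c["flag"] != "7" and c["md5"] != ref["md5"]:
                findings.append({
                    "path": c["path"],
                    "version": version,
                    "actual_md5": c["md5"],
                    "expected_md5": ref["md5"],
                    "reference": ref["path"],
                    # In-place patching of the PE keeps the size identical, so a size
                    # or version check alone passes; only the hash comparison catches it.
                    "same_size": c["size"] == ref["size"],
                })
    return findings


def restore_commands(findings):
    """Recovery Console 'copy' lines that put each reference copy back (as in post #2)."""
    return [f"copy {f['reference']} {f['path']}" for f in findings]


if __name__ == "__main__":
    hits = find_tampered(SIGCHECK_SAMPLE)
    for f in hits:
        print(f"{f['path']} ({f['version']}): {f['actual_md5']} != {f['expected_md5']}"
              f" [reference: {f['reference']}, size unchanged: {f['same_size']}]")
    print("\n".join(restore_commands(hits)))
```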


#3 thejacob

thejacob
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:02:05 AM

Posted 24 August 2010 - 11:37 AM

I can't. I originally did not have Windows Recovery so I got it with the combofix. But when a virus attacked the computer I had to restore the system because it was the only way I could get it to reboot without being blocked from windows. When I did the restore Windows Recovery was removed and it is no longer an option. The only choice is XP Home.

#4 Elise


Posted 24 August 2010 - 11:51 AM

I'm not sure I understand your problem at the moment: can you or can you not access Windows now?

regards, Elise



#5 thejacob


Posted 24 August 2010 - 11:52 AM

No, not at all. I can't get to the login screen. It starts to boot like normal, but right before it comes to the welcome screen where I would put in a password it goes to a blue screen. I am on a different computer right now.

#6 Elise


Posted 24 August 2010 - 12:10 PM

So, if I am correct, you used System Restore in an attempt to get back into Windows, in which process the Recovery Console disappeared as well.

In that case, try to create the following CD and boot from it.

Please download ARCDC from Artellos.com.
  • Double click ARCDC.exe
  • Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
  • You will be prompted with a Terms of Use by Microsoft, please accept.
  • You will see a few dos screens flash by, this is normal.
  • Next you will be able to choose to add extra files. Select the Default Files.
  • The last window will allow you to burn the disk using BurnCDCC
Your ISO is located on your desktop.

regards, Elise




#7 thejacob


Posted 24 August 2010 - 12:17 PM

Just so I am clear on this... I can make this disk on a different computer than the one I am having the issues with? Just so I don't mess up this computer that I am using right now because it's not mine.

#8 Elise


Posted 24 August 2010 - 12:43 PM

That is no problem, you just need a working computer to create the CD on, that's all.

regards, Elise




#9 thejacob


Posted 24 August 2010 - 12:43 PM

OK, thanks, but it still doesn't work... When you say boot with the disk, what exactly does that mean? I put the disk in and let it start normally and it just does the same thing. So I went into the F12 menu and tried option 5, IDE CDROM. Same thing again. Then I tried safe mode with command prompt and once again the same thing occurred.

#10 Elise


Posted 24 August 2010 - 12:45 PM

What options do you have when you press F12?

regards, Elise




#11 thejacob


Posted 24 August 2010 - 12:51 PM

This is the F12 Boot menu:
Boot to

1. Normal
2. Primary Master Drive
3. Diskette Drive
4. Hard-Disk Drive C
5. IDE CD ROM device

6. System Setup
7. IDE Drive Diagnostics
8. Boot to Utility Partition

#12 Elise


Posted 24 August 2010 - 01:11 PM

What happens when you choose option 5? Do you see something like "press a key to boot from CD"?

regards, Elise




#13 thejacob


Posted 24 August 2010 - 01:12 PM

No, it just goes back to trying to reboot, with no difference from before.

#14 Elise


Posted 24 August 2010 - 01:23 PM

In that case, let's just try something else.

Download http://unetbootin.sourceforge.net/unetboot...dows-latest.exe to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • It will install a little bootable OS on your USB
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your HDD (just browse a bit, it will have a windows folder and so on).
    Now navigate to the following file in the windows folder: windows\servicepackfiles\i386\winlogon.exe, right click this file, select Copy, go to Windows\system32 and paste it there.
    Do the same for windows\servicepackfiles\i386\explorer.exe, copy this and paste it in Windows (not system32!).
When done, reboot, and see what happens.

regards, Elise


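The two file-restore procedures in this thread (the Recovery Console `copy` commands in post #2 and the copy-and-paste via the xPUD file manager in post #14) do the same thing: put the Service Pack cache copies of winlogon.exe and explorer.exe back in place. The script below is an added example for this thread, not code from the thread, from xPUD, or from any other tool it names. It assumes the Windows volume is already mounted read-write from a Linux rescue environment (as in the xPUD step) and is handed the Windows directory path, e.g. /mnt/sda1/WINDOWS; the function names, the restore pairs and the demo tree are this example's own. It compares each live file byte-for-byte with the cache copy and only replaces a file that differs, so an already-clean file is left untouched, and the default check mode reports what would change before anything is written. The only check performed is equality with the cache, not a signature check, so the restore is only as trustworthy as the cache itself.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from xPUD/ARCDC.
# Restores winlogon.exe and explorer.exe on an offline Windows XP volume from
# the Service Pack file cache (windows\servicepackfiles\i386), the same two
# copies the thread performs by hand. Assumes the volume is already mounted
# read-write from a Linux rescue environment and that $1 is its Windows
# directory, e.g. /mnt/sda1/WINDOWS. Function names and the demo tree are
# this example's own.

# Resolve a relative path under $1 one component at a time, ignoring case,
# because NTFS directory names appear in mixed case once mounted on Linux.
# Prints the on-disk path; returns 1 if any component is missing.
resolve_ci() {
    cur=$1
    old_ifs=$IFS
    IFS=/
    for comp in $2; do
        IFS=$old_ifs
        [ -z "$comp" ] || [ "$comp" = . ] && continue
        want=$(printf '%s' "$comp" | tr '[:upper:]' '[:lower:]')
        found=
        for entry in "$cur"/*; do
            [ -e "$entry" ] || continue
            have=$(printf '%s' "${entry##*/}" | tr '[:upper:]' '[:lower:]')
            if [ "$have" = "$want" ]; then
                found=$entry
                break
            fi
        done
        [ -n "$found" ] || return 1
        cur=$found
    done
    IFS=$old_ifs
    printf '%s\n' "$cur"
}

# Compare each live file with its cache copy and, in "restore" mode, copy the
# cache version back when they differ. "check" mode (the default) only reports.
# Return value is the number of files that differ from the cache.
restore_from_sp_cache() {
    windir=$1
    mode=${2:-check}
    differ=0
    for pair in \
        'servicepackfiles/i386/winlogon.exe|system32/winlogon.exe' \
        'servicepackfiles/i386/explorer.exe|explorer.exe'
    do
        cache_rel=${pair%%|*}
        live_rel=${pair#*|}
        if ! cache=$(resolve_ci "$windir" "$cache_rel"); then
            printf 'MISSING  %s (no cache copy; cannot restore)\n' "$cache_rel"
            differ=$((differ + 1))
            continue
        fi
        # The live file may be absent (deleted); resolve its parent instead.
        if ! live=$(resolve_ci "$windir" "$live_rel"); then
            parent=$(resolve_ci "$windir" "$(dirname "$live_rel")") || parent=$windir
            live=$parent/$(basename "$live_rel")
        fi
        if [ -f "$live" ] && cmp -s "$cache" "$live"; then
            printf 'OK       %s matches the Service Pack cache\n' "$live_rel"
            continue
        fi
        differ=$((differ + 1))
        if [ "$mode" = restore ]; then
            cp -p "$cache" "$live"
            printf 'RESTORED %s from %s\n' "$live_rel" "$cache_rel"
        else
            printf 'DIFFERS  %s (rerun with "restore" to copy the cache version back)\n' "$live_rel"
        fi
    done
    return "$differ"
}

# Build a throwaway tree shaped like the thread's Windows layout so the script
# can be tried offline. The .exe contents are constructed placeholder bytes,
# not real binaries; live winlogon.exe is altered, live explorer.exe is not.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/WINDOWS/ServicePackFiles/i386" "$root/WINDOWS/system32"
    printf 'clean winlogon\n' > "$root/WINDOWS/ServicePackFiles/i386/winlogon.exe"
    printf 'clean explorer\n' > "$root/WINDOWS/ServicePackFiles/i386/explorer.exe"
    printf 'clean winlogon\nEXTRA BYTES\n' > "$root/WINDOWS/system32/winlogon.exe"
    printf 'clean explorer\n' > "$root/WINDOWS/explorer.exe"
    printf '%s\n' "$root/WINDOWS"
}

# Usage: sh restore_sp_cache.sh demo                     (constructed tree)
#        sh restore_sp_cache.sh /mnt/sda1/WINDOWS [check|restore]
if [ "${1:-}" = demo ]; then
    windir=$(make_demo_tree)
    restore_from_sp_cache "$windir" check || true
    restore_from_sp_cache "$windir" restore || true
    restore_from_sp_cache "$windir" check
    rm -rf "$(dirname "$windir")"
elif [ -n "${1:-}" ]; then
    restore_from_sp_cache "$1" "${2:-check}"
fi
```

Running the script with `demo` first reports winlogon.exe as differing and explorer.exe as matching, then restores winlogon.exe, then reports both as matching. On a real volume, run it in check mode first and look at what it reports before passing `restore`; if it prints MISSING for a cache copy, the Service Pack cache itself is damaged and a copy from installation media (the thread's ARCDC route) is the fallback.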


#15 thejacob


Posted 24 August 2010 - 01:44 PM

Got it on the USB and got to the F12 menu and chose USB drive, but it says that it cannot find kernel image: linux. Then below that it says Boot: and has a cursor for me to type....



