Windows Explorer Crashing at Login of Windows Vista Business


  • This topic is locked
15 replies to this topic

#1 AtillaDNun
  • Members
  • 8 posts

Posted 26 August 2010 - 10:04 PM

Hello, as of rebooting my machine today, when I boot normally into Windows Vista I automatically get an error that says that Windows Explorer has stopped working, and I get a black screen where I can see my cursor. I can Ctrl+Alt+Delete into Task Manager and browse to run files, but cannot connect to the internet, etc. The only thing I can think of is that I installed LimeWire and apparently, along with it, some additional program called hotbox or something that was some sort of movie/music program.

DDS:


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Matthew at 22:43:26.76 on Thu 08/26/2010
Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2030.1470 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Matthew\Downloads\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Matthew\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Epson Stylus NX510(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatifia.exe /fu "c:\windows\temp\E_S52E3.tmp" /EF "HKCU"
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [IRW] c:\windows\system32\IRW.exe
mRun: [Apple_KbdMgr] c:\program files\boot camp\KbdMgr.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [GrpConv] grpconv -o
dRunOnce: [<NO NAME>] OSK.exe
StartupFolder: c:\users\matthew\appdata\roaming\micros~1\windows\startm~1\programs\startup\epsona~1.lnk - d:\common\epsonreg\EpsonReg.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office10\EXCEL.EXE/3000
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: authclient.dll inetman.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\matthew\appdata\roaming\mozilla\firefox\profiles\suarz4zh.default\
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\matthew\appdata\roaming\mozilla\firefox\profiles\suarz4zh.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\matthew\appdata\roaming\mozilla\firefox\profiles\suarz4zh.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HBLiteSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\matthew\appdata\roaming\mozilla\firefox\profiles\suarz4zh.default\extensions\2020player@2020technologies.com\plugins\NP2020Player.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R3 aapltctp;Apple Trackpad Enabler;c:\windows\system32\drivers\aapltctp.sys [2007-8-17 4224]
R3 aapltp;Apple Trackpad;c:\windows\system32\drivers\aapltp.sys [2007-8-17 35072]
R3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\drivers\IRFilter.sys [2007-8-17 16512]
R3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [2007-8-17 13824]
S2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2007-7-31 116016]
S2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [2007-7-31 99632]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2007-7-31 4864]
S2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2007-7-31 6528]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-24 24652]
S3 applebt;Apple Built-in Bluetooth;c:\windows\system32\drivers\applebt.sys [2007-8-17 8064]
S3 BthKicker;Apple Bluetooth Device Driver;c:\windows\system32\drivers\BthKicker.sys [2007-8-17 7424]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-3-6 21504]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 .nsespuy;.nsespuy;c:\windows\system32\drivers\msisadrv.sys [2010-3-6 16440]

=============== Created Last 30 ================

2010-08-27 02:26:20 0 d-----w- c:\programdata\Google
2010-08-27 00:24:03 0 d-----w- c:\programdata\Kaspersky Lab
2010-08-25 21:41:23 0 d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-08-25 19:41:10 463360 --sh--w- c:\windows\system32\authclient.dll
2010-08-25 19:41:05 49152 --sh--w- c:\windows\system32\inetman.dll
2010-08-25 19:30:13 0 d-----w- c:\program files\LimeWire
2010-08-25 19:20:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-08-25 19:20:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-08-25 19:18:57 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-25 19:18:57 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-25 19:18:44 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys

==================== Find3M ====================

2010-08-02 19:31:05 27525 ----a-w- c:\users\matthew\appdata\roaming\nvModes.dat
2010-06-26 06:02:15 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02:15 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25:02 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-21 13:37:03 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-06-18 22:40:48 51200 ----a-w- c:\windows\inf\infpub.dat
2010-06-18 22:40:47 86016 ----a-w- c:\windows\inf\infstor.dat
2010-06-18 22:40:47 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-06-18 17:31:29 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-06-11 16:16:20 274944 ----a-w- c:\windows\system32\schannel.dll
2010-06-11 16:15:06 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-06-08 17:35:04 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-08 17:35:03 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-05-09 07:21:41 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-25 18:32:22 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-05-07 01:24:59 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 22:44:05.22 ===============


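The indicators in the DDS log above (an AppInit_DLLs value naming authclient.dll and inetman.dll, the same two DLLs appearing as hidden+system files created in system32 on the day LimeWire was installed, and an S4 service with a non-word name pointing at a stock driver) are what a responder scans for by eye. The Python script below is an added example, not part of this thread and not DDS's own code: it parses those three DDS sections and correlates them into findings. The sample lines are copied from the log above; the regular expressions, rule names and severity labels are this example's own assumptions about the DDS line format.

```python
import os
import re
from dataclasses import dataclass

# Lines copied from the DDS log in this thread (AppInit_DLLs, services and
# "Created Last 30" sections). A responder would feed the whole log file instead.
SAMPLE_LOG = r"""
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
AppInit_DLLs: authclient.dll inetman.dll

============= SERVICES / DRIVERS ===============

S2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2007-7-31 116016]
S4 .nsespuy;.nsespuy;c:\windows\system32\drivers\msisadrv.sys [2010-3-6 16440]

=============== Created Last 30 ================

2010-08-25 19:41:10 463360 --sh--w- c:\windows\system32\authclient.dll
2010-08-25 19:41:05 49152 --sh--w- c:\windows\system32\inetman.dll
2010-08-25 19:30:13 0 d-----w- c:\program files\LimeWire
2010-08-25 19:20:00 916480 ----a-w- c:\windows\system32\wininet.dll
"""

# Assumed DDS line shapes (derived from the log above, not from a DDS spec).
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    rule: str
    detail: str


def parse_dds(text):
    """Pull the AppInit_DLLs list, created-file entries and service entries out of a DDS log."""
    appinit, created, services = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := APPINIT_RE.match(line):
            # The registry value is space- or comma-separated; DDS prints it verbatim.
            appinit.extend(d for d in re.split(r"[\s,]+", m.group(1)) if d)
        elif m := CREATED_RE.match(line):
            created.append({"when": m.group(1), "size": int(m.group(2)),
                            "attrs": m.group(3), "path": m.group(4)})
        elif m := SERVICE_RE.match(line):
            services.append({"state": m.group(1), "name": m.group(2),
                             "display": m.group(3), "image": m.group(4)})
    return {"appinit": appinit, "created": created, "services": services}


def analyze(text):
    """Correlate the parsed sections into findings a responder would want to see first."""
    parsed = parse_dds(text)
    findings = []

    # Rule 1: a file (not a directory) created recently with both hidden and
    # system attributes set. Legitimate updates rarely look like this.
    hidden_sys = {}
    for f in parsed["created"]:
        a = f["attrs"]
        if a[0] != "d" and "s" in a and "h" in a:
            base = os.path.basename(f["path"].replace("\\", "/")).lower()
            hidden_sys[base] = f
            findings.append(Finding("medium", "hidden-system-file",
                                    f"{f['path']} created {f['when']} with attributes {a}"))

    # Rule 2: any DLL in AppInit_DLLs gets loaded into every process that loads
    # user32.dll (when LoadAppInit_DLLs is enabled), which is why a broken or
    # hostile entry can take Explorer down at logon. A DLL that is also one of
    # the fresh hidden+system files from rule 1 is escalated to high.
    for dll in parsed["appinit"]:
        if dll.lower() in hidden_sys:
            findings.append(Finding("high", "appinit-dll",
                                    f"AppInit_DLLs loads {dll}, a recently created hidden+system file"))
        else:
            findings.append(Finding("medium", "appinit-dll", f"AppInit_DLLs loads {dll}"))

    # Rule 3 (narrow heuristic): service names that do not start with a letter
    # or digit, like the ".nsespuy" entry above, are not how vendors name services.
    for s in parsed["services"]:
        if not s["name"][0].isalnum():
            findings.append(Finding("medium", "odd-service-name",
                                    f"service {s['name']!r} ({s['state']}) points at {s['image']}"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"[{finding.severity:6}] {finding.rule}: {finding.detail}")
```

Run against the sample it reports both AppInit DLLs as high because each one is also a freshly created hidden+system file in system32, and it flags the ".nsespuy" service separately; wininet.dll and the LimeWire directory pass through untouched.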
#2 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 September 2010 - 02:23 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 AtillaDNun
  • Topic Starter
  • Members
  • 8 posts

Posted 02 September 2010 - 06:14 PM

Hello m0le, I am still out here stuck on my mac partition of my macbook pro. Have done nothing with my PC partition since posting.

Thanks for offering to help!



#4 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 September 2010 - 06:44 PM

There are a number of ways to deal with this. I would like to try the more straightforward method but we may have to revert to something a bit more involved if the malware locks us out.

I would like to try running MBRCheck using task manager.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

#5 AtillaDNun
  • Topic Starter
  • Members
  • 8 posts

Posted 02 September 2010 - 07:13 PM

Here you go!:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Business Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 117):
0x81E02000 \SystemRoot\system32\ntkrnlpa.exe
0x821BB000 \SystemRoot\system32\hal.dll
0x80400000 \SystemRoot\system32\kdcom.dll
0x80407000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x80477000 \SystemRoot\system32\PSHED.dll
0x80488000 \SystemRoot\system32\BOOTVID.dll
0x80490000 \SystemRoot\system32\CLFS.SYS
0x804D1000 \SystemRoot\system32\CI.dll
0x80600000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8067C000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80689000 \SystemRoot\system32\drivers\acpi.sys
0x806CF000 \SystemRoot\system32\drivers\WMILIB.SYS
0x806D8000 \SystemRoot\system32\drivers\msisadrv.sys
0x806E0000 \SystemRoot\system32\drivers\pci.sys
0x80707000 \SystemRoot\System32\drivers\partmgr.sys
0x80716000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80719000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x80723000 \SystemRoot\system32\drivers\volmgr.sys
0x80732000 \SystemRoot\System32\drivers\volmgrx.sys
0x8077C000 \SystemRoot\system32\drivers\intelide.sys
0x80783000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x80791000 \SystemRoot\System32\drivers\mountmgr.sys
0x807A1000 \SystemRoot\system32\drivers\atapi.sys
0x807A9000 \SystemRoot\system32\drivers\ataport.SYS
0x807C7000 \SystemRoot\system32\drivers\fltmgr.sys
0x805B1000 \SystemRoot\system32\drivers\fileinfo.sys
0x87605000 \SystemRoot\System32\Drivers\ksecdd.sys
0x87676000 \SystemRoot\system32\drivers\ndis.sys
0x87781000 \SystemRoot\system32\drivers\msrpc.sys
0x877AC000 \SystemRoot\system32\drivers\NETIO.SYS
0x87809000 \SystemRoot\System32\drivers\tcpip.sys
0x878F3000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x87A05000 \SystemRoot\System32\Drivers\Ntfs.sys
0x87B15000 \SystemRoot\system32\drivers\volsnap.sys
0x87B56000 \SystemRoot\System32\Drivers\mup.sys
0x87B65000 \SystemRoot\System32\drivers\ecache.sys
0x87B8C000 \SystemRoot\system32\drivers\disk.sys
0x87B9D000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x87BBE000 \SystemRoot\system32\drivers\crcdisk.sys
0x87BE7000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x87BF2000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8790E000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x87919000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x87957000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x87966000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8B205000 \SystemRoot\system32\DRIVERS\athr.sys
0x8B2BE000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8B2CE000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8B2DC000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8B2F4000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x8B2FA000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8B329000 \SystemRoot\system32\DRIVERS\storport.sys
0x8B36A000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8B375000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8B38C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8B397000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8B3BA000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8B3C9000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8B3DD000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8B808000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0x8B891000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8B8A1000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8B8AC000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8B8B7000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8B8B9000 \SystemRoot\system32\DRIVERS\ks.sys
0x8B8E3000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8B8ED000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8B8FA000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8B92F000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8B940000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8B949000 \SystemRoot\System32\Drivers\Null.SYS
0x8B950000 \SystemRoot\System32\Drivers\Beep.SYS
0x8B957000 \SystemRoot\System32\drivers\vga.sys
0x8B963000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8B984000 \SystemRoot\System32\drivers\watchdog.sys
0x8B990000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8B998000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8B9A3000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8B9B1000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8B9BA000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8B9D0000 \SystemRoot\system32\DRIVERS\smb.sys
0x8BC0D000 \SystemRoot\system32\drivers\afd.sys
0x8BC55000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8BC87000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8BC9D000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8BCAB000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8BCE7000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8BCF1000 \SystemRoot\system32\drivers\csc.sys
0x8BD4C000 \SystemRoot\System32\Drivers\dfsc.sys
0x8BD63000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8BD7A000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8BD7E000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8BD8B000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8BD96000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x8BD9E000 \SystemRoot\system32\DRIVERS\IRFilter.sys
0x8BDA3000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x8BDAC000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8BDBC000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8BDC3000 \SystemRoot\system32\DRIVERS\KeyMagic.sys
0x8BDCC000 \SystemRoot\system32\DRIVERS\aapltp.sys
0x8BDD5000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x8BDDE000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x8BDE6000 \SystemRoot\system32\DRIVERS\aapltctp.sys
0x814A0000 \SystemRoot\System32\win32k.sys
0x8BDE8000 \SystemRoot\System32\drivers\Dxapi.sys
0x816B0000 \SystemRoot\System32\drivers\dxg.sys
0x816E0000 \SystemRoot\System32\TSDDD.dll
0x81760000 \SystemRoot\System32\framebuf.dll
0x805C1000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x8BDF2000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x8B9E4000 \SystemRoot\system32\DRIVERS\bowser.sys
0x87BC7000 \SystemRoot\System32\drivers\mpsdrv.sys
0x93E0F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x93E2E000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x93E67000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x93E7F000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x773F0000 \Windows\System32\ntdll.dll

Processes (total 28):
0 System Idle Process
4 System
344 C:\Windows\System32\smss.exe
420 csrss.exe
456 csrss.exe
464 C:\Windows\System32\wininit.exe
508 C:\Windows\System32\winlogon.exe
536 C:\Windows\System32\services.exe
552 C:\Windows\System32\lsass.exe
560 C:\Windows\System32\lsm.exe
696 C:\Windows\System32\svchost.exe
752 C:\Windows\System32\svchost.exe
792 C:\Windows\System32\svchost.exe
872 C:\Windows\System32\svchost.exe
900 C:\Windows\System32\svchost.exe
932 C:\Windows\System32\svchost.exe
980 C:\Windows\System32\svchost.exe
996 C:\Windows\System32\svchost.exe
1164 C:\Windows\System32\svchost.exe
1264 C:\Windows\System32\svchost.exe
1980 C:\Windows\explorer.exe
556 C:\Program Files\Windows Media Player\wmpnscfg.exe
1508 C:\PROGRA~1\MICROS~1\Office10\OUTLOOK.EXE
1100 C:\Program Files\Common Files\Apple\Mobile Device Support\MobileMeServices.exe
1660 C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
1828 WmiPrvSE.exe
2036 C:\Program Files\Mozilla Firefox\firefox.exe
1952 C:\Users\Matthew\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x0000001d`54805000 (NTFS)

PhysicalDrive0 Model Number: FUJITSUMHW2160BHPL, Rev: 0081001C

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!
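MBRCheck's "Windows 2008 MBR code detected" line is a hash comparison of the boot sector's code region against known-good samples, and the SHA1 printed beside it is what the helper compares against. The Python below is an added example, not MBRCheck's code and not from this thread: it performs the same kind of check on a constructed 512-byte sector by validating the 0x55AA boot signature, parsing the partition table, and hashing the code region against an allow-list. The sector, its disk signature and the allow-list are constructed here; the partition start is chosen so that it reproduces the C: byte offset 0x1d54805000 reported above, and hashing exactly the first 440 bytes is this example's assumption about what MBRCheck hashes, not something the thread states.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440   # bytes 0..439 hold boot code; 440..443 the disk signature;
                      # 446..509 the four 16-byte partition entries; 510..511 is 0x55AA
PART_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, sector count


def build_sample_mbr():
    """Constructed sector (not the poster's real MBR): filler boot code and one
    bootable NTFS partition whose start matches the C: offset MBRCheck printed."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOT_CODE_LEN - 4)  # xor ax,ax; mov ss,ax; nops
    disk_sig = struct.pack("<I", 0xDEADBEEF)   # placeholder disk signature
    reserved = b"\x00\x00"
    start_lba = 0x1D54805000 // SECTOR          # the \\.\C: offset from the MBRCheck log
    entry = struct.pack(PART_ENTRY, 0x80, b"\xFE\xFF\xFF", 0x07, b"\xFE\xFF\xFF", start_lba, 65536)
    table = entry + b"\x00" * 16 * 3            # remaining three entries unused
    return code + disk_sig + reserved + table + b"\x55\xAA"


def parse_mbr(sector):
    """Validate the boot signature and return code hash, disk signature and partitions."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY, sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "start_lba": lba, "sectors": count, "byte_offset": lba * SECTOR})
    return {
        "code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
    }


def check_mbr(sector, known_good):
    """Look the boot-code hash up in an allow-list {sha1: label}; None means unrecognised.
    An unrecognised hash on a drive that should carry a stock loader is the signal
    a responder acts on, the same way MBRCheck offers a fix when it sees one."""
    info = parse_mbr(sector)
    info["known"] = known_good.get(info["code_sha1"])
    return info


if __name__ == "__main__":
    sample = build_sample_mbr()
    allow = {parse_mbr(sample)["code_sha1"]: "sample boot code (constructed)"}
    result = check_mbr(sample, allow)
    print("code SHA1:", result["code_sha1"], "->", result["known"])
    for p in result["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02X} at byte offset 0x{p['byte_offset']:x}")
```

Flipping a single byte in the code region changes the hash and the lookup returns None, while zeroing the 0x55AA signature is rejected before any parsing, which is the order of checks you want: structural validity first, then provenance of the code.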

#6 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 September 2010 - 07:57 PM

That looks fine. Maybe we should test the malware with something a bit stronger.

Please run Combofix as below:


When finished, it shall produce a log for you. Post that log in your next reply.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 AtillaDNun
  • Topic Starter
  • Members
  • 8 posts

Posted 03 September 2010 - 08:31 AM

Thanks again m0le. I got a few errors while ComboFix ran: at the initial screen it said that access was denied and I needed to run a system administrator command prompt, and I got the same message a few times while it was scanning for malware.

Here is the log:


ComboFix 10-09-02.03 - Matthew 09/03/2010 9:24.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2030.1245 [GMT -4:00]
Running from: c:\users\Matthew\Desktop\comfix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-08-03 to 2010-09-03 )))))))))))))))))))))))))))))))
.

2010-09-03 13:27 . 2010-09-03 13:27 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-03 13:27 . 2010-09-03 13:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-27 00:24 . 2010-08-27 00:24 -------- d-----w- c:\programdata\Kaspersky Lab
2010-08-25 21:41 . 2010-08-25 21:41 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-08-25 19:41 . 2010-08-25 19:41 463360 --sh--w- c:\windows\system32\authclient.dll
2010-08-25 19:41 . 2010-08-25 19:41 49152 --sh--w- c:\windows\system32\inetman.dll
2010-08-25 19:30 . 2010-08-25 21:44 -------- d-----w- c:\program files\LimeWire
2010-08-25 19:20 . 2010-06-26 06:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-08-25 19:18 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-25 19:18 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-25 19:18 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-02 23:31 . 2007-08-17 13:18 1076 ----a-w- c:\windows\bthservsdp.dat
2010-08-27 03:10 . 2007-08-17 13:09 1356 ----a-w- c:\users\Matthew\AppData\Local\d3d9caps.dat
2010-08-27 00:08 . 2010-05-25 23:10 -------- d-----w- c:\program files\Google
2010-08-26 23:34 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-25 21:43 . 2009-12-16 02:27 -------- d-----w- c:\programdata\Norton
2010-08-25 21:43 . 2007-10-13 17:34 -------- d-----w- c:\programdata\Symantec
2010-08-25 21:12 . 2009-09-14 23:19 -------- d-----w- c:\users\Matthew\AppData\Roaming\uTorrent
2010-08-25 19:03 . 2010-05-25 23:10 -------- d-----w- c:\users\Matthew\AppData\Roaming\Skype
2010-08-02 19:31 . 2007-08-17 13:41 27525 ----a-w- c:\users\Matthew\AppData\Roaming\nvModes.dat
2010-07-27 11:17 . 2010-05-18 02:52 -------- d-----w- c:\programdata\DivX
2010-07-27 11:17 . 2010-05-18 03:03 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-27 11:17 . 2010-07-27 11:17 56765 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-07-27 11:17 . 2010-05-18 02:54 -------- d-----w- c:\program files\DivX
2010-07-27 11:17 . 2010-07-27 11:17 57715 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-07-27 11:16 . 2010-07-27 11:16 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-07-27 11:08 . 2010-05-18 03:02 1062184 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-07-27 11:08 . 2010-05-18 03:02 895256 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-07-25 14:50 . 2010-04-22 13:45 -------- d-----w- c:\program files\Java
2010-07-19 23:00 . 2010-07-25 14:43 52224 ----a-w- c:\users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\suarz4zh.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-07-19 23:00 . 2010-07-25 14:43 101376 ----a-w- c:\users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\suarz4zh.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2010-07-13 22:28 . 2007-10-13 20:55 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-11 03:39 . 2010-07-11 03:39 -------- d-----w- c:\program files\Common Files\Java
2010-07-07 08:46 . 2010-07-07 08:46 92816 ----a-w- c:\programdata\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2011 11.0.1.400\english\setup.exe
2010-06-26 06:02 . 2010-08-25 19:19 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-25 19:19 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-25 19:19 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-21 13:37 . 2010-08-25 19:19 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-06-18 22:34 . 2010-06-18 22:34 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-18 17:31 . 2010-08-25 19:19 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-06-12 15:19 . 2010-06-12 15:19 56997 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-06-12 15:19 . 2010-06-12 15:19 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-06-12 15:19 . 2010-06-12 15:19 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
2010-06-12 15:19 . 2010-06-12 15:19 54644 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
2010-06-12 15:19 . 2010-06-12 15:19 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-11 16:16 . 2010-08-25 19:19 274944 ----a-w- c:\windows\system32\schannel.dll
2010-06-11 16:15 . 2010-08-25 19:19 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-06-08 17:35 . 2010-08-25 19:19 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-08 17:35 . 2010-08-25 19:19 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-03-22 2937528]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-11 321328]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe" [2010-06-23 231888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-31 4669440]
"Skytel"="Skytel.exe" [2007-07-31 1826816]
"IRW"="c:\windows\system32\IRW.exe" [2007-07-31 147456]
"Apple_KbdMgr"="c:\program files\Boot Camp\KbdMgr.exe" [2007-07-31 398640]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-06-15 47408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-31 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-31 8433664]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-31 81920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=authclient.dll inetman.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2009-04-07 14:13 673616 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 20:12 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2007-05-31 14:21 648072 ----a-w- c:\windows\WindowsMobile\wmdcBase.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):c0,7f,25,4e,88,ed,ca,01

R2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2007-07-31 116016]
R2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [2007-07-31 99632]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2007-07-31 4864]
R2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2007-07-31 6528]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 applebt;Apple Built-in Bluetooth;c:\windows\system32\DRIVERS\applebt.sys [2007-07-31 8064]
R3 BthKicker;Apple Bluetooth Device Driver;c:\windows\system32\DRIVERS\BthKicker.sys [2007-07-31 7424]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 .nsespuy;.nsespuy;c:\windows\system32\drivers\msisadrv.sys [2008-01-19 16440]
S3 aapltctp;Apple Trackpad Enabler;c:\windows\system32\DRIVERS\aapltctp.sys [2007-07-31 4224]
S3 aapltp;Apple Trackpad;c:\windows\system32\DRIVERS\aapltp.sys [2007-07-31 35072]
S3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\DRIVERS\IRFilter.sys [2007-07-31 16512]
S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\DRIVERS\KeyMagic.sys [2007-07-31 13824]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\suarz4zh.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\suarz4zh.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\suarz4zh.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\suarz4zh.default\extensions\2020Player@2020Technologies.com\plugins\NP2020Player.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-03 09:27
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-09-03 09:28:37
ComboFix-quarantined-files.txt 2010-09-03 13:28
ComboFix2.txt 2010-09-03 13:21

Pre-Run: 468,639,744 bytes free
Post-Run: 438,829,056 bytes free

- - End Of File - - EA7F571622D5F310DFF9D313B4BD9286

Edited by AtillaDNun, 03 September 2010 - 08:35 AM.


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:04 PM

Posted 03 September 2010 - 07:20 PM

Combofix hasn't found anything, so there may be problems with your Vista operating system. Let's attempt to fix these issues.
  1. Select
  2. Select All Programs
  3. Select Accessories
  4. Right click Command Prompt and choose Run as administrator
  • If you have the User Account Control (UAC) enabled you will be asked for authorization prior to the command prompt opening.
  • You may simply need to press the Continue button if you are the administrator or insert the administrator password.
  • Type in sfc /scannow in the command window and press enter.
  • Note the space between the c and the /
  • If any files require replacing SFC will replace them. You may be asked to insert your Vista DVD for this process to continue. This can be done with a borrowed DVD if you don't have one.
  • Be patient because the scan may take some time.
  • Allow the scan to run and when completed, reboot the system.

m0le is a proud member of UNITE
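One way to script the check described in the post above, as an added example that is not from the thread: it runs sfc /scannow from an elevated PowerShell and then pulls SFC's own "[SR]" entries out of CBS.log, which is where SFC records what it verified and repaired, so "no integrity violations" and "repaired N files" can be read off the log rather than only from the console. It assumes PowerShell is installed (an optional install on Vista); the function names and the two phrases matched in the log ("Repairing corrupted file", "Cannot repair member file") are my choices for this example, so adjust them if the log on your build words things differently.

```powershell
# Added example (not from the thread): run SFC elevated, then summarise the
# [SR] entries it wrote to CBS.log. Function names and the matched phrases
# below are assumptions made for this example.

function Test-IsElevated {
    # SFC refuses to run unless the console is elevated, so check first.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-SfcScan {
    if (-not (Test-IsElevated)) {
        throw 'Open PowerShell with "Run as administrator" first; sfc needs elevation.'
    }
    # Start a second early: CBS.log timestamps are whole seconds.
    $started = (Get-Date).AddSeconds(-1)
    # Same command as in the post above; note the space before /scannow.
    & "$env:windir\System32\sfc.exe" /scannow
    return $started
}

function Get-SfcSummary {
    param([datetime]$Since)
    $log = Join-Path $env:windir 'Logs\CBS\CBS.log'
    # SFC tags its own lines with [SR]; the rest of CBS.log is servicing noise.
    $srLines = Select-String -Path $log -Pattern '\[SR\]' | ForEach-Object { $_.Line }

    # Keep only entries written after this scan started. CBS.log lines begin
    # with a "yyyy-MM-dd HH:mm:ss, " timestamp.
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $thisRun = @($srLines | Where-Object {
        ($_ -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), ') -and
        ([datetime]::ParseExact($matches[1], 'yyyy-MM-dd HH:mm:ss', $culture) -ge $Since)
    })

    # Assumed phrasing of the two outcomes worth reporting (adjust per build).
    $repaired    = @($thisRun | Where-Object { $_ -match 'Repairing corrupted file' })
    $notRepaired = @($thisRun | Where-Object { $_ -match 'Cannot repair member file' })

    New-Object PSObject -Property @{
        SrEntriesThisRun = $thisRun.Count
        Repaired         = $repaired
        CannotRepair     = $notRepaired
    }
}

$started = Invoke-SfcScan
$summary = Get-SfcSummary -Since $started

"SFC wrote $($summary.SrEntriesThisRun) [SR] entries during this run."
"Files repaired: $($summary.Repaired.Count)"
"Files SFC could not repair: $($summary.CannotRepair.Count)"
if ($summary.CannotRepair.Count -gt 0) {
    "Unrepaired entries (these are the ones to follow up on):"
    $summary.CannotRepair
}
```

On a machine in the state reported later in this thread (no integrity violations found), both counts come out as zero; a non-zero CannotRepair count is the case where SFC needed the Vista DVD or further repair, and those log lines name the files concerned.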

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:04 PM

Posted 07 September 2010 - 08:37 AM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#10 AtillaDNun

AtillaDNun
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:04 PM

Posted 09 September 2010 - 07:26 AM

m0le,

I apologize for not responding; I was without access to my laptop for a few days. I rebooted into Windows this morning and it actually loaded fine. I did not have time before heading into work to perform the last task you recommended (I hope to do so later today); however, when I went to shut down I got a message saying that Explorer was still running 'shut down music' or some such, and I had to choose OK to continue shutting down.

I did nothing with the PC partition after booting up and actually getting windows to load normally. Again, I will do your last suggestion ASAP and get back to you ASAP. I apologize for holding you and others up.


#11 AtillaDNun

AtillaDNun
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:04 PM

Posted 09 September 2010 - 11:33 AM

m0le,

I just ran the scan and it ended saying that windows did not find any integrity errors. Does it appear as though the problem has resolved itself?

Confusing!

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:04 PM

Posted 09 September 2010 - 07:38 PM

It's possible that sfc /scannow has cleared the problem.

Can you give the PC a test run for a day or two and report back what happens?
m0le is a proud member of UNITE

#13 AtillaDNun

AtillaDNun
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:04 PM

Posted 10 September 2010 - 10:16 AM

Will do.

#14 AtillaDNun

AtillaDNun
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:04 PM

Posted 14 September 2010 - 03:15 PM

Appears to be running ok.

I am running very low on disk space; not sure if that could have triggered the initial series of problems. Taking steps to free up space, but after numerous reboots into Windows, Explorer is not crashing at start-up anymore, as was the problem.

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:04 PM

Posted 14 September 2010 - 04:42 PM

QUOTE
I am running very low on disk space, not sure if that could have triggered the initial series of problems.


Could be. This is the end of the fix then...

You're clean. Good stuff!

Let's do some clearing up

We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE



