Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

.exe files not opening for commonly used programs


  • This topic is locked This topic is locked
27 replies to this topic

#1 starnz

starnz

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 18 October 2010 - 07:11 PM

Hello all,

I am having a peculiar problem with my home desktop. I recently noticed that I am unable to get on the internet with my two most often used browsers. When I try to open one of the browsers (Firefox or Chrome), I get the following message.

"The application failed to initialize properly (0xc0000008). Click on OK to terminate the application."

After a number tries with the main browsers, I decided to try and open the seldom if ever used Internet Explorer. To my surprise it opened right up and browsed with no problem. Another problem I have noticed is I can't print at all, from any program. If I try to run other .exe files I get the same error message.

I have tried to do a system restore and it completed successfully but didn't correct the problem. I also tried starting the system in safe mode which did improve things some. In safe mode, the browsers would open and I could access the internet. I then came here to run the diagnostic tools to post the logs for assistance but the DDS nor GMER would load and run, giving the same error message. When I tried running them in safe mode, the DDS still didn't work(listed as autocad script and opened a notepad page?) but the GMER operated normally.

Other random problems I've noticed:

If I try to uninstall a program, the list of programs under Control Panel - Add/Remove never populates
If I try to get system info under Control Panel - Performance and Maintenance - System, nothing happens
If I try to bring up a DOS window(ipconfig) it opens for a brief second then disappears
Task manager(ctrl+alt+del) brings the same error message posted above
Programs that do work include Ad-Aware, media center, MS Office. Others, whether used regularly or not, do not work now.

Not sure how to proceed here as I can't run the programs to generate any logs. When I try to run the GMER in safe mode for some reason the whole screen doesn't show and I can't scroll down to the save button once the scan has run.

The problem computer is an HP media center running XP. I'm not sure of the exact model since I cant get to the system information.

Any advice on how to approach this problem would be greatly appreciated.

Thanks

BC AdBot (Login to Remove)

 


#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:44 PM

Posted 27 October 2010 - 11:10 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. I see you're unable to run the standard tools. So just confirm you're still needing help please.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 starnz

starnz
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 30 October 2010 - 07:49 AM

Thank you for responding to my problem and trying to get everything working again.

I am still experiencing the problems from the original email. Hardly any of my .exe files work but strangly I am responding from the infected computer using IE, the only browser that does work. Since posting here I have been researching online and tried two programs that helped others with this problem, exeHelper and rkill. I downloaded several versions to my flash and tried to run them but the problem remains. The exeHelper would run but at the end I would get the same error message as in my original post. The rkill wouldn't open at all. Since trying the two programs I have noticed now when I try to open a browser or malwarebytes I don't get the error but nothing happens. I still get the error for most other .exe files.

#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:44 AM

Posted 30 October 2010 - 12:51 PM

Hello and welcome to Bleeping Computer. :)

*Please subscribe to this thread to get immediate notification of replies, click on Watch Topic > choose Immediate Notification > then click on Proceed.

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please do not attach logs unless instructed.

*You must reply within 5 days otherwise this topic will be closed.


================================================


Please download OTH.scr and OTL to your desktop.
  • Double click the OTH file and select Kill All Processes, your desktop will go blank
    Posted Image
  • Then select Start OTL to run the tool.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Copy and Paste the following code into the Custom Scan/Fixes box.


    netsvcs
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav 
    %systemroot%\system32\drivers\*.sys /90
    

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 starnz

starnz
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 31 October 2010 - 07:06 PM

Hi,

I tried running the OTH but I get the same error message. When it downloads it comes in as an autocad script on my flash drive? Not sure why its an autocad script but it tried naming it OTH.scr but that didn't work either. Anything else I can try?

#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:44 AM

Posted 01 November 2010 - 04:16 AM

Hi,

Please delete both OTH and OTL and do the instructions below.


1. Download SREng
  • Extract it to Desktop and double click SREngLdr.EXE to run it
  • Select System Repair from the left pane.
  • Click on File Association
  • Select all entries that has an Error status click [Repair]
  • Refer to this image for an example:

    Posted Image
  • Close SREng now.


2. We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.

    DDS.com => http://download.bleepingcomputer.com/sUBs/dds.com
    DDS.pif => http://www.forospyware.com/sUBs/dds

  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 starnz

starnz
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 02 November 2010 - 07:23 PM

Again I tried to load this on but when I run it I get the same error message. It seems to me that the vast majority of programs that are requiresd to be run on the computer will lead to this error message. Not sure why but for some reason internet explorer works when I run it. Is there anything that loads similar to IE that can help?

#8 starnz

starnz
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 02 November 2010 - 08:35 PM

I tried loading the previous two programs from the last step in safe mode and they loaded fine. The first one loaded and the only one that showed an error was .scr. I then clicked repair and closed it. I then loaded DDL in safe mode and it opened and appeared to be running. The bar got about 75% across the screen when the system then restarted its self and lost any log info it may have been creating.

Not sure if this is helpful but I'm at a loss. In safe mode the other browsers work fine and things seem to run more smoothly.

#9 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:44 AM

Posted 03 November 2010 - 04:15 AM

Hi,

Let's try RKill once more.


1. Please download RKill by Grinler.

Link 1
Link 2
Link 3
Link 4

  • Save it to your desktop.
  • Close/disable your anti virus program so they do not interfere with RKill. (Tutorials on how to disable your anti virus program can be found HERE.)
  • Double click the RKILL icon to start the program. (For Windows VISTA, right click the icon and run as administrator)
  • A window will appear and close automatically once completed. This indicates a successful run.
  • Do not reboot your computer and continue with step 2.
  • Post the rkill log when you reply. (C:\rkill.log)

Note:

  • Try running RKill using Link 1, if it does not run, download Link 2 and delete Link 1 then try running it again.
  • If you still can't run RKill, repeat the same steps using Link 3 and 4. Please tell me if all the link does not work.




2. Please try running DDS.com and follow the instructions on my previous post on how to run it.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#10 starnz

starnz
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 03 November 2010 - 07:44 PM

I ran rkill in safe mode and it seemed to work fine. I don't think it did anything but the log is as follows.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Kevin on 11/03/2010 at 19:20:58.


Services Stopped:


Processes terminated by Rkill or while it was running:




Rkill completed on 11/03/2010 at 19:21:01.


I then tried to run malwarebytes in safe mode and it worked as well. The log is as follows.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4517

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

11/3/2010 8:08:57 PM
mbam-log-2010-11-03 (20-08-57).txt

Scan type: Full scan (C:\|)
Objects scanned: 246532
Time elapsed: 46 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Sorry I went out of order, hopefully running the malwarebytes wasn't a problem. I will run the DDS next.

Edited by starnz, 04 November 2010 - 06:24 AM.


#11 starnz

starnz
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 03 November 2010 - 07:55 PM

Ok, ran DDS in safe mode. It gave me two logs, one of which said not to post. Following is the DDS log.

DDS (Ver_10-11-03.01) - NTFSx86 NETWORK
Run by Kevin at 20:44:53.35 on Wed 11/03/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.987 [GMT -4:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Billeo\billeo.exe
C:\Documents and Settings\Kevin\My Documents\Downloads\dds(2).com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.bing.com/?pc=AVBR
uStart Page = hxxp://www.bing.com/?pc=AVBR
uInternet Settings,ProxyOverride = *.local
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: Billeo: {465e08e7-f005-4389-980f-1d8764b3486c} - c:\program files\billeo\billeo.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
TB: Billeo: {6adb0f93-1aa5-4bcf-9df4-cea689a3c111} - c:\program files\billeo\billeo.dll
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\kevin\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SpywareTerminator] "c:\progra~1\spywar~1\SpywareTerminatorShield.exe"
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [WD Anywhere Backup] c:\program files\wd\wd anywhere backup\MemeoLauncher2.exe --silent
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [5-Day Forecast] "c:\program files\5-day forecast\5-day forecast\5-Day Forecast.exe" /Startup
StartupFolder: c:\docume~1\kevin\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\kevin\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billeo.lnk - c:\program files\billeo\billeo.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~1.lnk - c:\windows\installer\{5d0df1bb-d82e-4fb2-b98e-4fde42ef7ebb}\Shortcut_EventPlan_5D0DF1BBD82E4FB2B98E4FDE42EF7EBB.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/n035p/EN/install/gtdownlr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevin\applic~1\mozilla\firefox\profiles\yzac35mi.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\documents and settings\kevin\application data\mozilla\firefox\profiles\yzac35mi.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\billeotoolbar.dll
FF - plugin: c:\documents and settings\kevin\application data\mozilla\firefox\profiles\yzac35mi.default\extensions\{0c7e3f01-99e9-4095-9bdc-f84724960b57}\plugins\NPCpnMgr.dll
FF - plugin: c:\documents and settings\kevin\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2007-10-25 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2007-10-25 5248]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-8-31 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1357464]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2007-10-25 141312]
S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\wd\wd anywhere backup\MemeoBackgroundService.exe [2008-11-7 25824]
S3 EvcapMaui;Emuzed EvcapMaui Device;c:\windows\system32\drivers\EvcapMau.sys [2003-10-1 177664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]

=============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2010-11-03 03:06:09 -------- d-----w- c:\program files\5-Day Forecast
2010-11-03 03:06:08 -------- d-----w- c:\docume~1\kevin\locals~1\applic~1\5-Day Forecast
2010-11-03 03:05:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\5-Day Forecast
2010-10-18 00:27:02 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-18 00:27:02 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-14 19:13:13 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-14 19:13:12 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 19:13:12 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 19:12:49 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38:01 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57:57 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-24 22:56:47 398744 ----a-r- c:\windows\system32\cpnprt2.cid
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-12 12:15:20 15880 ----a-w- c:\windows\system32\lsdelete.exe
2004-10-01 19:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe

============= FINISH: 20:45:25.03 ===============

Edited by starnz, 04 November 2010 - 06:25 AM.


#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:44 AM

Posted 04 November 2010 - 11:18 AM

Hi,

It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

Please do not use any text color because it makes the log more difficult to read.


===============================================================


Please download Combofix and run it in safe mode. Kindly monitor it while running, if Combofix restarts your PC... make sure to start in safe mode again to complete the process.

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouseclick combofix's window while its running because it may call it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#13 starnz

starnz
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 05 November 2010 - 04:25 PM

I downloaded and ran combofix in safe mode and it seemed to run fine with a couple exceptions. When I first started up combofix, it detected ad aware live even though I disabled it. After forcing it to run, it did its thing then restarted my computer. I had it restart in safe mode but for some reason it started in regular mode and I got a windows message that the system recovered from a serious error. There was no combofix log created on my c drive.I'm not sure where it came from but I am attaching the only log that was created.

#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:44 AM

Posted 05 November 2010 - 11:38 PM

Hi,

Please try this:

Click Start > Run > Copy-Paste the code below and press Enter:

"%userprofile%\desktop\ComboFix.exe" /killall

ComboFix should now run unhindered.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#15 starnz

starnz
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 08 November 2010 - 05:25 PM

Hello,

Tried running combofix with the copy/paste and it worked. Below is the log.

ComboFix 10-11-07.A2 - Kevin 11/08/2010 15:23:23.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1166 [GMT -5:00]
Running from: c:\documents and settings\Kevin\desktop\ComboFix.exe
Command switches used :: /killall
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((( Files Created from 2010-10-08 to 2010-11-08 )))))))))))))))))))))))))))))))
.

2010-11-08 20:06 . 2010-11-08 20:06 4706 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-11-03 03:06 . 2010-11-03 03:06 -------- d-----w- c:\program files\5-Day Forecast
2010-11-03 03:06 . 2010-11-08 20:32 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\5-Day Forecast
2010-11-03 03:05 . 2010-11-03 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\5-Day Forecast
2010-10-18 02:19 . 2010-10-18 02:19 -------- d-----w- c:\documents and settings\Administrator
2010-10-18 00:27 . 2010-10-18 00:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-14 19:13 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-14 19:13 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 19:13 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 19:12 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-08 20:08 . 2010-09-11 23:45 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-18 16:23 . 2004-08-10 05:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 05:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 05:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 05:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2004-08-10 05:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2004-08-10 05:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2009-10-18 19:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2004-08-10 05:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57 . 2004-08-10 05:00 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51 . 2004-08-10 05:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-10 05:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-10 05:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-10 05:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-10 05:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-14 21:53 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-24 22:56 . 2008-08-03 00:48 398744 ----a-r- c:\windows\system32\cpnprt2.cid
2010-08-23 16:12 . 2004-08-10 05:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-10 05:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-10 05:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-12 12:15 . 2010-09-01 04:09 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-12 12:15 . 2010-09-01 01:48 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2004-10-01 19:00 . 2007-10-25 19:07 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-02-19 18:58 . 2009-02-19 18:58 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-02-19 18:58 . 2009-02-19 18:58 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Kevin\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Kevin\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Kevin\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-26 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-04 344064]
"SpywareTerminator"="c:\progra~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-05-02 1817600]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-12-26 548864]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-04-11 212992]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"5-Day Forecast"="c:\program files\5-Day Forecast\5-Day Forecast\5-Day Forecast.exe" [2010-06-15 876544]

c:\documents and settings\Kevin\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Kevin\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Billeo.lnk - c:\program files\Billeo\billeo.exe [2010-9-15 1448272]
Event Planner Reminder.lnk - c:\windows\Installer\{5D0DF1BB-D82E-4FB2-B98E-4FDE42EF7EBB}\Shortcut_EventPlan_5D0DF1BBD82E4FB2B98E4FDE42EF7EBB.exe [2008-4-11 1718]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin^Start Menu^Programs^Startup^OneNote Table Of Contents.onetoc2]
path=c:\documents and settings\Kevin\Start Menu\Programs\Startup\OneNote Table Of Contents.onetoc2
backup=c:\windows\pss\OneNote Table Of Contents.onetoc2Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2006-03-16 08:00 1397760 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2007-02-21 01:18 366400 ----a-w- c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Kevin\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [10/25/2007 4:51 PM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [10/25/2007 4:51 PM 5248]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/31/2010 8:48 PM 64288]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [10/25/2007 9:56 AM 141312]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1375992]
R3 EvcapMaui;Emuzed EvcapMaui Device;c:\windows\system32\drivers\EvcapMau.sys [10/1/2003 4:41 PM 177664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 7:15 AM 15264]
.
Contents of the 'Scheduled Tasks' folder

2010-10-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 20:08]

2010-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2010-11-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1060284298-682003330-1003Core.job
- c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-26 19:32]

2010-11-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1060284298-682003330-1003UA.job
- c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-26 19:32]

2010-09-26 c:\windows\Tasks\HP DArC Task 2003-04-11 09:53ewlett-PackardHewlett-Packard Companyeskjet51002003-04-11 20:25Y3853P1XV7A.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-04-11 20:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=AVBR
uInternet Settings,ProxyOverride = *.local
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\yzac35mi.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\yzac35mi.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\billeotoolbar.dll
FF - plugin: c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\yzac35mi.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WD Anywhere Backup - c:\program files\WD\WD Anywhere Backup\MemeoLauncher2.exe
Notify-WgaLogon - (no file)
AddRemove-{68131B0A-D78D-4aed-B74E-33A6C7324E50} - c:\program files\WD\WD Anywhere Backup\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-08 15:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2940)
c:\windows\system32\WININET.dll
c:\documents and settings\Kevin\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\ALCXMNTR.EXE
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\Download\{9ED5FB38-DE59-4B96-98EA-2FA1DA7AC434}\chrome_installer.exe
c:\documents and settings\Kevin\Local Settings\temp\CR_7.tmp\setup.exe
.
**************************************************************************
.
Completion time: 2010-11-08 15:40:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-08 20:39

Pre-Run: 78,492,995,584 bytes free
Post-Run: 76,866,863,104 bytes free

- - End Of File - - 39E0E7743901D6A669C0B84789335EBB




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users