Microsoft Security Essentials Alert


  • This topic is locked
24 replies to this topic

#1 nhutchinson

  • Members
  • 14 posts

Posted 29 October 2010 - 11:02 AM

Hello

My son got a Microsoft Security Essentials alert on his desktop running Windows XP. When this alert came up the system crashed and he was not able to get by the startup, even in safe mode. He ran the Recovery Console, used the fixmbr command and gained access to the system. He searched the net for advice and was advised to run RKill and Malwarebytes. This did not sort out the problem. The computer then began to freeze when you tried to carry out any command. The computer is now back to freezing on startup. There are logs of the RKill and Malwarebytes scans on the system but we are unable to get them. Any help would be really appreciated.

Regards Noel

#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender: Female
  • Location: Romania

Posted 31 October 2010 - 02:56 AM

Hi Noel, please let me know if you have an XP CD at hand.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft

#3 nhutchinson

  • Topic Starter
  • Members
  • 14 posts

Posted 31 October 2010 - 06:42 AM

Hello Elise025

Thank you for your reply. My son had this system made up in a local computer shop, but he was not given an XP CD. I may be able to get one but it will take a few days.

Regards Noel

#4 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender: Female
  • Location: Romania

Posted 31 October 2010 - 07:04 AM

Hi Noel, that is okay. Please let me know when you have it.

regards, Elise


#5 nhutchinson

  • Topic Starter
  • Members
  • 14 posts

Posted 01 November 2010 - 12:37 PM

Hi Elise

I now have the XP CD.

Regards Noel

#6 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender: Female
  • Location: Romania

Posted 01 November 2010 - 01:13 PM

Hello again,

Let's try to boot your computer using a Boot CD.

Please print this guide for future reference!

You will need a blank CD, your Windows XP install disc, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. Please tell me what error messages you got and/or what steps you got hung up on.

1. Download the PE Builder to your desktop:
   http://www.nu2.nu/download.php?sFile=pebuilder3110a.exe
  • Double-click on the PE Builder that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
2. Insert your XP CD with SP1/SP2/SP3 into a CD-ROM drive
  • Double-click on PE Builder.exe located on your desktop.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
    • Source: (path to Windows installation files)
      • Enter the path to the drive where your XP CD is located.
      • You can click on the "..." button on the right to navigate to the path as well.
    • Custom: (include files and folders from this directory)
      • No information is necessary, leave blank.
    • Output:
      • Keep the default
    • Media output
      • Choose Create ISO image
      • Do not choose Burn to CD/DVD
  • Download the RunScanner plugin and save it to your desktop:
    http://www.paraglidernc.com/Files/RunScanner10025.cab
    Please note: You will be prompted for the folder where it shall be saved. By default it appears as runscanner10025. It should be modified to just runscanner <--- Important!!!
  • Press the Plugin button on the PE Builder interface
  • Press the Add button and navigate to the location of the RunScanner plugin to install
  • Please note: If you are using a Windows XP disc with SP2 then highlight "RpsSS needs to launch DComLaunch" and then press Enable
  • When you're done press Close and the PE Builder interface will re-appear
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click Close, then Exit
4. Burn your ISO file to CD

==========

Next........

From your clean computer..

Please download OTLPE.zip and save it to a flash drive.
http://oldtimer.geekstogo.com/OTLPE.zip
http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the PE Builder ISO CD That You Have Created
  • Insert the CD into one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on No
  • After it loads press the Go button in the lower left and do this....
    • Go
    • System
    • Display
    • Screen Resolution
    • 1024x768
    Next choose....
    • Go
    • Programs
    • A43 File Management Utility

==========

In A43 File Management you should see your flash drive.
Navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.bat.

  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start
  • Change the following settings:
    • Change Services, Drivers, Standard and Extra Registry to Use Safelist
    • Uncheck LOP and Purity check
    Please note: Stay with your computer during the course of the scan. If "Entry Point Errors" are encountered simply press "OK" and allow the program to continue. <-- Important!!
  • Push the button shown in the screenshot (image not preserved)
  • A report will open named "OTL.txt" and another will be minimized to the system tray named "Extra.txt". Save both logs to your flash drive. Copy and paste them in your next reply.

regards, Elise


#7 nhutchinson

  • Topic Starter
  • Members
  • 14 posts

Posted 02 November 2010 - 12:41 PM

Hi Elise

I tried to boot the system with the CD and it asked for my serial, which I entered. The PC began to open Windows but then shut down. The only way into the system is in safe mode, and even then if I happen to click on the Internet Explorer key the Microsoft Security Alert comes up. I have run Malwarebytes and it now finds no infections. By the way, this programme is no longer free: http://www.petri.co.il/how_to_write_iso_files_to_cd.htm. Thank you for your patience.

Regards Noel

#8 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender: Female
  • Location: Romania

Posted 02 November 2010 - 03:12 PM

Can you download tools on a flash drive, boot in safe mode and run them from there? If so, try to do that with the following:

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth, and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

regards, Elise


#9 nhutchinson

  • Topic Starter
  • Members
  • 14 posts

Posted 02 November 2010 - 04:08 PM

Hi Elise

When trying to install Rootkit Unhooker I am getting an error message about a problem installing/opening the driver.

Regards Noel

#10 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender: Female
  • Location: Romania

Posted 02 November 2010 - 04:37 PM

Hi, please try this:

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


#11 nhutchinson

  • Topic Starter
  • Members
  • 14 posts

Posted 03 November 2010 - 06:30 AM

Hi Elise

There are a few problems with running scans at the moment.

1. If I try to boot up normally I get a message saying out of range and a blank screen. The PC does seem to be working in the background.

2. If I try to boot up in safe mode with networking I get a message saying I need to activate my account.

3. To run ComboFix in safe mode I had to manually uninstall AVG9. The uninstall option in Windows freezes.

4. The recovery console on the PC needs updating but with no internet access ComboFix cannot do this.

I did get the following log from ComboFix.

ComboFix 10-11-02.04 - Administrator 03/11/2010 10:58:07.1.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1272 [GMT 0:00]
Running from: K:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleansweep.exe
c:\cleansweep.exe\cleansweep.exe
c:\cleansweep.exe\config.bin
c:\docume~1\ADMINI~1\LOCALS~1\Temp\103765.exe
c:\docume~1\TOWERU~1\LOCALS~1\Temp\126000.exe
c:\docume~1\TOWERU~1\LOCALS~1\Temp\155500.exe
c:\docume~1\TOWERU~1\LOCALS~1\Temp\160375.exe
c:\docume~1\TOWERU~1\LOCALS~1\Temp\196031.exe
c:\docume~1\TOWERU~1\LOCALS~1\Temp\53546.exe
c:\docume~1\TOWERU~1\LOCALS~1\Temp\55015.exe
c:\docume~1\TOWERU~1\LOCALS~1\Temp\58203.exe
c:\docume~1\TOWERU~1\LOCALS~1\Temp\72750.exe
c:\docume~1\TOWERU~1\LOCALS~1\Temp\74234.exe
c:\docume~1\TOWERU~1\LOCALS~1\Temp\75859.exe
c:\docume~1\TOWERU~1\LOCALS~1\Temp\76843.exe
c:\docume~1\TOWERU~1\LOCALS~1\Temp\77687.exe
c:\docume~1\TOWERU~1\LOCALS~1\Temp\78796.exe
c:\docume~1\TOWERU~1\LOCALS~1\Temp\82406.exe
c:\docume~1\TOWERU~1\LOCALS~1\Temp\99937.exe
c:\documents and settings\Administrator\Application Data\hotfix.exe
c:\documents and settings\Administrator\Application Data\ohydy.exe
c:\documents and settings\All Users.\documents\settings
c:\documents and settings\All Users.\documents\settings\cbss.dll~
c:\documents and settings\All Users\Documents\Settings\cbss.dll~
C:\test.txt
c:\windows\system32\drivers\sysam.exe
c:\windows\system32\driVERs\txfhf.sys
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At73.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DARKNESS
-------\Legacy_SYSTEMSONSW
-------\Service_Systemsonsw
-------\Legacy_txfhf
-------\Service_txfhf


((((((((((((((((((((((((( Files Created from 2010-10-03 to 2010-11-03 )))))))))))))))))))))))))))))))
.

2010-11-02 18:03 . 2008-04-14 12:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-11-02 18:02 . 2008-04-14 12:00 331264 -c--a-w- c:\windows\system32\dllcache\aqueue.dll
2010-11-02 17:48 . 2008-04-14 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-11-02 17:48 . 2008-04-14 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-11-02 17:48 . 2008-04-14 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-11-02 17:48 . 2008-04-14 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-11-02 17:47 . 2008-04-14 12:00 16535 ----a-r- c:\windows\SET47.tmp
2010-11-02 17:47 . 2008-04-14 12:00 1088840 ----a-r- c:\windows\SET3B.tmp
2010-11-02 17:47 . 2008-04-14 12:00 1296669 ----a-r- c:\windows\SET38.tmp
2010-11-02 15:30 . 2010-11-02 16:04 -------- d-----w- C:\pebuilder3110a
2010-11-01 20:27 . 2008-04-14 12:00 16535 ----a-r- c:\windows\SETD1.tmp
2010-11-01 20:27 . 2008-04-14 12:00 1088840 ----a-r- c:\windows\SETC5.tmp
2010-11-01 20:27 . 2008-04-14 12:00 1296669 ----a-r- c:\windows\SETC2.tmp
2010-10-28 18:07 . 2010-10-28 18:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-28 17:59 . 2010-10-28 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-10-28 17:54 . 2010-10-28 18:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\updates
2010-10-28 17:12 . 2010-10-28 17:12 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-10-28 15:02 . 2010-10-28 15:09 155136 ----a-w- c:\windows\system32\drivers\syhdiwi.exe
2010-10-26 15:14 . 2010-10-26 15:14 -------- d-----w- c:\program files\Common Files\Java
2010-10-26 15:13 . 2010-09-15 03:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-26 13:29 . 2010-10-26 13:29 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-10-26 13:29 . 2010-10-26 13:29 -------- d-----w- c:\windows\system32\xlive
2010-10-26 13:20 . 2010-10-26 13:20 -------- d-----w- c:\documents and settings\tower user\Local Settings\Application Data\Fallout3
2010-10-23 10:38 . 2010-10-23 10:39 -------- d-----w- c:\documents and settings\tower user\Mafia.II.Crackfix-SKIDROW
2010-10-23 10:36 . 2010-10-23 10:36 -------- d-----w- c:\documents and settings\tower user\Local Settings\Application Data\2K Games
2010-10-23 10:35 . 2010-10-23 10:35 -------- d-----w- c:\program files\NVIDIA Corporation
2010-10-22 20:19 . 2009-09-04 16:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-10-22 20:18 . 2008-10-27 09:04 514384 ----a-w- c:\windows\system32\XAudio2_3.dll
2010-10-22 19:58 . 2010-10-22 19:58 -------- d-----w- c:\documents and settings\tower user\Local Settings\Application Data\FalloutNV
2010-10-21 09:03 . 2010-10-21 09:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Hack_Search_V1
2010-10-17 21:06 . 2010-10-28 18:21 -------- d-----w- c:\program files\Steam
2010-10-15 17:11 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-10-14 22:22 . 2010-10-14 22:22 -------- d-----w- c:\program files\Windows Media Connect 2
2010-10-09 23:11 . 2010-10-09 23:12 -------- d-----w- c:\documents and settings\tower user\Local Settings\Application Data\ManyCam
2010-10-09 23:11 . 2010-10-09 23:12 -------- d-----w- c:\program files\ManyCam

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-28 17:13 . 2010-10-28 17:12 155136 ----a-w- c:\windows\system32\drivers\sysam.exe184
2010-10-28 17:12 . 2010-10-28 17:12 155136 ----a-w- c:\windows\system32\drivers\sysam.exe852
2010-10-28 15:02 . 2010-10-28 15:02 155136 ----a-w- c:\windows\system32\drivers\syhdiwi.exe867
2010-10-12 21:40 . 2010-09-27 21:19 1380 ----a-w- C:\74yhq.bat
2010-09-27 21:19 . 2010-09-28 15:02 75776 ----a-w- c:\documents and settings\tower user\workgroup
2010-09-25 20:48 . 2010-09-19 22:04 233960 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-09-25 20:48 . 2010-09-18 16:56 233960 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-09-25 20:15 . 2010-09-18 16:56 138520 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-09-22 19:19 . 2010-09-22 19:19 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2010-09-22 19:19 . 2010-09-22 19:19 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2010-09-19 22:03 . 2010-09-18 16:56 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-09-15 03:50 . 2010-07-03 09:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 01:29 . 2010-07-03 09:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-12 09:10 . 2010-09-12 09:10 3133440 ----a-w- c:\windows\system32\rsmsvr.exe
2010-09-10 22:21 . 2010-09-10 22:21 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2010-09-10 22:21 . 2010-09-10 22:21 368640 ----a-w- c:\windows\system32\ReWire.dll
2010-09-04 11:27 . 2010-09-04 11:27 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-08-26 12:52 . 2010-07-03 10:25 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-09-12 14:02 3863136 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
2010-09-28 15:57 2735200 ----a-w- c:\program files\Softonic-Eng7\tbSof0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6639dc30-7e94-480b-9d4e-51b4a597070b}]
2010-09-12 14:02 3863136 ----a-w- c:\program files\Hack_Search_V1\tbHack.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 15:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof0.dll" [2010-09-28 2735200]
"{6639dc30-7e94-480b-9d4e-51b4a597070b}"= "c:\program files\Hack_Search_V1\tbHack.dll" [2010-09-12 3863136]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-09-12 3863136]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

[HKEY_CLASSES_ROOT\clsid\{6639dc30-7e94-480b-9d4e-51b4a597070b}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"ATIModeChange"="Ati2mdxx.exe" [2006-10-12 26112]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-23 16050688]
"SoundMan"="SOUNDMAN.EXE" [2006-07-21 86016]
"AlcWzrd"="ALCWZRD.EXE" [2006-05-04 2808832]
"SRFirstRun"="srclient.dll" [2008-04-14 67584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 14:45 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKLM\~\startupfolder\C:^Documents and Settings^tower user^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\tower user\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 14:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
2010-09-27 12:55 160328 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Server.exe]
2010-09-27 21:19 75776 ----a-w- c:\documents and settings\tower user\Application Data\Microsoft\System\Services\Server.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1049:TCP"= 1049:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [6/25/2010 2:49 PM 63232]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/4/2010 11:27 AM 691696]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/2/2010 3:49 PM 216400]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/2/2010 3:49 PM 243024]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/14/2008 12:00 PM 14336]
S2 avg9emc;AVG Free E-mail Scanner;"c:\program files\AVG\AVG9\avgemc.exe" --> c:\program files\AVG\AVG9\avgemc.exe [?]
S2 avg9wd;AVG Free WatchDog;"c:\program files\AVG\AVG9\avgwdsvc.exe" --> c:\program files\AVG\AVG9\avgwdsvc.exe [?]
S2 CAN300;CAN300;c:\windows\system32\drivers\can300.sys [9/3/2010 12:44 AM 10224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
S2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [3/12/2009 4:36 PM 86016]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 6:19 PM 50704]
S2 syhdiwi;syhdiwi;c:\windows\system32\drivers\syhdiwi.exe [10/28/2010 3:02 PM 155136]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [6/25/2010 2:49 PM 36864]
S3 Normandy;Normandy SR2; [x]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [1/6/2010 4:21 PM 594048]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [12/26/2007 1:47 AM 272128]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-10-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-11-02 c:\windows\Tasks\At1.job
- c:\docume~1\TOWERU~1\LOCALS~1\Temp\clipb.exe [2010-09-24 05:33]

2010-11-02 c:\windows\Tasks\At2.job
- c:\docume~1\TOWERU~1\LOCALS~1\Temp\clipb.exe [2010-09-24 05:33]

2010-11-02 c:\windows\Tasks\At3.job
- c:\docume~1\TOWERU~1\LOCALS~1\Temp\clipb.exe [2010-09-24 05:33]

2010-11-02 c:\windows\Tasks\At4.job
- c:\docume~1\TOWERU~1\LOCALS~1\Temp\clipb.exe [2010-09-24 05:33]

2010-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1677128483-1417001333-1004Core.job
- c:\documents and settings\tower user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-03 18:20]

2010-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1677128483-1417001333-1004UA.job
- c:\documents and settings\tower user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-03 18:20]

2010-11-02 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 15:50]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-engel - c:\documents and settings\Administrator\Application Data\updates\updates.exe
HKLM-Run-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
HKLM-Run-Aqcwsoysca - c:\docume~1\TOWERU~1\LOCALS~1\Temp\82406.exe
HKLM-Run-Vflhtxvbdpppppp - c:\docume~1\TOWERU~1\LOCALS~1\Temp\53546.exe
HKLM-Run-Wmcaue - c:\docume~1\TOWERU~1\LOCALS~1\Temp\55015.exe
HKLM-Run-Wcoimmig - c:\docume~1\TOWERU~1\LOCALS~1\Temp\126000.exe
HKLM-Run-Fjiadx - c:\docume~1\TOWERU~1\LOCALS~1\Temp\160375.exe
HKLM-Run-Kbmxajglgruvmjo - c:\docume~1\TOWERU~1\LOCALS~1\Temp\196031.exe
HKLM-Run-Ccmeea - c:\docume~1\TOWERU~1\LOCALS~1\Temp\58203.exe
HKLM-Run-Ukgumeoqqw - c:\docume~1\TOWERU~1\LOCALS~1\Temp\72750.exe
HKLM-Run-Qkiswasywmieuw - c:\docume~1\TOWERU~1\LOCALS~1\Temp\74234.exe
HKLM-Run-Uxwnqpkjy - c:\docume~1\TOWERU~1\LOCALS~1\Temp\75859.exe
HKLM-Run-Styzynmncfy - c:\docume~1\TOWERU~1\LOCALS~1\Temp\76843.exe
HKLM-Run-Cpktgdgvi - c:\docume~1\TOWERU~1\LOCALS~1\Temp\77687.exe
HKLM-Run-Azotolixuhqpyho - c:\docume~1\TOWERU~1\LOCALS~1\Temp\78796.exe
HKLM-Run-Vzoobzekrducvn - c:\docume~1\TOWERU~1\LOCALS~1\Temp\99937.exe
HKLM-Run-Ubkpitqfa - c:\docume~1\TOWERU~1\LOCALS~1\Temp\155500.exe
AddRemove-MoTeC Comms Drivers 1.0 - c:\program files\MoTeC\Comms\1.0\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-03 11:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(240)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1940)
c:\windows\system32\ieframe.dll
.
Completion time: 2010-11-03 11:24:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-03 11:24

Pre-Run: 42,224,283,648 bytes free
Post-Run: 42,306,547,712 bytes free

Current=3 Default=3 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 1BBF5D5FCF1E5CCAEF7B06050029ACC9

#12 Elise

Posted 03 November 2010 - 08:17 AM

1. If I try to boot up normally I get a message saying out of range and a blank screen. The PC does seem to be working in the background.

That is a problem with your display settings. If it still occurs, boot in safe mode, and use add/remove programs to uninstall your graphics drivers. Reboot in normal mode and see if it works now. If so, you can reinstall the drivers from your computer's driver CD.
If you are not sure how to do this, just let me know. :)

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
AtJob::

File::
c:\docume~1\TOWERU~1\LOCALS~1\Temp\clipb.exe

Save this as CFScript.txt, in the same location as ComboFix.exe.

(image: CFScript.txt being dragged onto ComboFix.exe)

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise



#13 nhutchinson

Posted 03 November 2010 - 10:57 AM

Hi Elise

If you can help with uninstalling the drivers it would be appreciated.

ComboFix 10-11-02.04 - Administrator 03/11/2010 15:43:21.2.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1278 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\docume~1\TOWERU~1\LOCALS~1\Temp\clipb.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\TOWERU~1\LOCALS~1\Temp\clipb.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job

.
((((((((((((((((((((((((( Files Created from 2010-10-03 to 2010-11-03 )))))))))))))))))))))))))))))))
.

2010-11-03 10:30 . 2010-11-03 10:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Innovative Solutions
2010-11-03 10:30 . 2010-11-03 10:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Innovative Solutions
2010-11-02 18:03 . 2008-04-14 12:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-11-02 18:02 . 2008-04-14 12:00 331264 -c--a-w- c:\windows\system32\dllcache\aqueue.dll
2010-11-02 17:48 . 2008-04-14 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-11-02 17:48 . 2008-04-14 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-11-02 17:48 . 2008-04-14 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-11-02 17:48 . 2008-04-14 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-11-02 17:47 . 2008-04-14 12:00 16535 ----a-r- c:\windows\SET47.tmp
2010-11-02 17:47 . 2008-04-14 12:00 1088840 ----a-r- c:\windows\SET3B.tmp
2010-11-02 17:47 . 2008-04-14 12:00 1296669 ----a-r- c:\windows\SET38.tmp
2010-11-02 15:30 . 2010-11-02 16:04 -------- d-----w- C:\pebuilder3110a
2010-11-01 20:27 . 2008-04-14 12:00 16535 ----a-r- c:\windows\SETD1.tmp
2010-11-01 20:27 . 2008-04-14 12:00 1088840 ----a-r- c:\windows\SETC5.tmp
2010-11-01 20:27 . 2008-04-14 12:00 1296669 ----a-r- c:\windows\SETC2.tmp
2010-10-28 18:07 . 2010-10-28 18:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-28 17:59 . 2010-10-28 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-10-28 17:54 . 2010-10-28 18:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\updates
2010-10-28 17:12 . 2010-10-28 17:12 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-10-28 15:02 . 2010-10-28 15:09 155136 ----a-w- c:\windows\system32\drivers\syhdiwi.exe
2010-10-26 15:14 . 2010-10-26 15:14 -------- d-----w- c:\program files\Common Files\Java
2010-10-26 15:13 . 2010-09-15 03:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-26 13:29 . 2010-10-26 13:29 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-10-26 13:29 . 2010-10-26 13:29 -------- d-----w- c:\windows\system32\xlive
2010-10-26 13:20 . 2010-10-26 13:20 -------- d-----w- c:\documents and settings\tower user\Local Settings\Application Data\Fallout3
2010-10-23 10:38 . 2010-10-23 10:39 -------- d-----w- c:\documents and settings\tower user\Mafia.II.Crackfix-SKIDROW
2010-10-23 10:36 . 2010-10-23 10:36 -------- d-----w- c:\documents and settings\tower user\Local Settings\Application Data\2K Games
2010-10-23 10:35 . 2010-10-23 10:35 -------- d-----w- c:\program files\NVIDIA Corporation
2010-10-22 20:19 . 2009-09-04 16:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-10-22 20:18 . 2008-10-27 09:04 514384 ----a-w- c:\windows\system32\XAudio2_3.dll
2010-10-22 19:58 . 2010-10-22 19:58 -------- d-----w- c:\documents and settings\tower user\Local Settings\Application Data\FalloutNV
2010-10-21 09:03 . 2010-10-21 09:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Hack_Search_V1
2010-10-17 21:06 . 2010-10-28 18:21 -------- d-----w- c:\program files\Steam
2010-10-15 17:11 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-10-14 22:22 . 2010-10-14 22:22 -------- d-----w- c:\program files\Windows Media Connect 2
2010-10-09 23:11 . 2010-10-09 23:12 -------- d-----w- c:\documents and settings\tower user\Local Settings\Application Data\ManyCam
2010-10-09 23:11 . 2010-10-09 23:12 -------- d-----w- c:\program files\ManyCam

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-28 17:13 . 2010-10-28 17:12 155136 ----a-w- c:\windows\system32\drivers\sysam.exe184
2010-10-28 17:12 . 2010-10-28 17:12 155136 ----a-w- c:\windows\system32\drivers\sysam.exe852
2010-10-28 15:02 . 2010-10-28 15:02 155136 ----a-w- c:\windows\system32\drivers\syhdiwi.exe867
2010-10-12 21:40 . 2010-09-27 21:19 1380 ----a-w- C:\74yhq.bat
2010-09-27 21:19 . 2010-09-28 15:02 75776 ----a-w- c:\documents and settings\tower user\workgroup
2010-09-25 20:48 . 2010-09-19 22:04 233960 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-09-25 20:48 . 2010-09-18 16:56 233960 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-09-25 20:15 . 2010-09-18 16:56 138520 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-09-22 19:19 . 2010-09-22 19:19 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2010-09-22 19:19 . 2010-09-22 19:19 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2010-09-19 22:03 . 2010-09-18 16:56 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-09-15 03:50 . 2010-07-03 09:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 01:29 . 2010-07-03 09:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-12 09:10 . 2010-09-12 09:10 3133440 ----a-w- c:\windows\system32\rsmsvr.exe
2010-09-10 22:21 . 2010-09-10 22:21 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2010-09-10 22:21 . 2010-09-10 22:21 368640 ----a-w- c:\windows\system32\ReWire.dll
2010-09-04 11:27 . 2010-09-04 11:27 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-08-26 12:52 . 2010-07-03 10:25 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-09-12 14:02 3863136 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
2010-09-28 15:57 2735200 ----a-w- c:\program files\Softonic-Eng7\tbSof0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6639dc30-7e94-480b-9d4e-51b4a597070b}]
2010-09-12 14:02 3863136 ----a-w- c:\program files\Hack_Search_V1\tbHack.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 15:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof0.dll" [2010-09-28 2735200]
"{6639dc30-7e94-480b-9d4e-51b4a597070b}"= "c:\program files\Hack_Search_V1\tbHack.dll" [2010-09-12 3863136]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-09-12 3863136]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

[HKEY_CLASSES_ROOT\clsid\{6639dc30-7e94-480b-9d4e-51b4a597070b}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"ATIModeChange"="Ati2mdxx.exe" [2006-10-12 26112]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-23 16050688]
"SoundMan"="SOUNDMAN.EXE" [2006-07-21 86016]
"AlcWzrd"="ALCWZRD.EXE" [2006-05-04 2808832]
"SRFirstRun"="srclient.dll" [2008-04-14 67584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 14:45 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKLM\~\startupfolder\C:^Documents and Settings^tower user^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\tower user\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 14:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
2010-09-27 12:55 160328 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Server.exe]
2010-09-27 21:19 75776 ----a-w- c:\documents and settings\tower user\Application Data\Microsoft\System\Services\Server.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1049:TCP"= 1049:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [6/25/2010 2:49 PM 63232]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/4/2010 11:27 AM 691696]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/2/2010 3:49 PM 216400]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/2/2010 3:49 PM 243024]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/14/2008 12:00 PM 14336]
S2 avg9emc;AVG Free E-mail Scanner;"c:\program files\AVG\AVG9\avgemc.exe" --> c:\program files\AVG\AVG9\avgemc.exe [?]
S2 avg9wd;AVG Free WatchDog;"c:\program files\AVG\AVG9\avgwdsvc.exe" --> c:\program files\AVG\AVG9\avgwdsvc.exe [?]
S2 CAN300;CAN300;c:\windows\system32\drivers\can300.sys [9/3/2010 12:44 AM 10224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
S2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [3/12/2009 4:36 PM 86016]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 6:19 PM 50704]
S2 syhdiwi;syhdiwi;c:\windows\system32\drivers\syhdiwi.exe [10/28/2010 3:02 PM 155136]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [6/25/2010 2:49 PM 36864]
S3 Normandy;Normandy SR2; [x]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [1/6/2010 4:21 PM 594048]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [12/26/2007 1:47 AM 272128]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-10-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1677128483-1417001333-1004Core.job
- c:\documents and settings\tower user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-03 18:20]

2010-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1677128483-1417001333-1004UA.job
- c:\documents and settings\tower user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-03 18:20]

2010-11-02 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 15:50]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-03 15:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(240)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-11-03 15:55:19
ComboFix-quarantined-files.txt 2010-11-03 15:55
ComboFix2.txt 2010-11-03 11:24

Pre-Run: 42,308,075,520 bytes free
Post-Run: 42,294,231,040 bytes free

Current=3 Default=3 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - F640A25F77103F2C2F28C8A8259F713C
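The log above is where the decision to quarantine `clipb.exe` and the `At*.job` tasks came from, and the earlier "ORPHANS REMOVED" list shows the same pattern: autostart values whose image lives in `LOCALS~1\Temp`, a `.exe` under `system32\drivers`, and `EnableFirewall = 0`. As an added example (not part of this thread and not ComboFix's own code), the Python script below parses lines in the layout ComboFix uses for its Run values, service list, firewall policy and orphan list, and flags those indicators so a reader can triage such a log mechanically. The sample log is constructed for the example from formats seen in the posts above; the regexes, `risk_reasons()` and `triage()` are my own names and heuristics, not part of ComboFix.

```python
import re

# Constructed sample in the layout of ComboFix's "Reg Loading Points", service list,
# firewall-policy and "ORPHANS REMOVED" sections. The paths mirror entries in the
# thread's log; this is not a real ComboFix report.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Wmcaue"="c:\docume~1\TOWERU~1\LOCALS~1\Temp\55015.exe" [2010-10-28 155136]
"engel"="c:\documents and settings\Administrator\Application Data\updates\updates.exe" [2010-10-28 155136]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 6:19 PM 50704]
S2 syhdiwi;syhdiwi;c:\windows\system32\drivers\syhdiwi.exe [10/28/2010 3:02 PM 155136]

- - - - ORPHANS REMOVED - - - -
HKLM-Run-Fjiadx - c:\docume~1\TOWERU~1\LOCALS~1\Temp\160375.exe
HKLM-Run-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
"""

# Line shapes as they appear in ComboFix output (regexes written for this example).
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:\s+\[[^\]]*\])?\s*$')
SERVICE_LINE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)(?:\s+\[[^\]]*\])?\s*$')
ORPHAN_LINE = re.compile(r'^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+) - (?P<path>.+?)\s*$')
FIREWALL_LINE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')

# 8.3 and long forms of the per-user temp folder on XP, plus the system temp folder.
TEMP_MARKERS = ('\\locals~1\\temp\\', '\\local settings\\temp\\', '\\windows\\temp\\')


def risk_reasons(path):
    """Return the reasons an autostart image path deserves a closer look (empty = nothing odd)."""
    p = path.lower()
    reasons = []
    if any(m in p for m in TEMP_MARKERS):
        reasons.append('runs from a Temp folder')
    elif '\\application data\\' in p and '\\all users\\' not in p:
        reasons.append('runs from a per-user Application Data folder')
    if '\\system32\\drivers\\' in p and p.endswith('.exe'):
        reasons.append('.exe placed in the drivers folder (kernel drivers are .sys files)')
    return reasons


def triage(log_text):
    """Walk a ComboFix-style log and return (findings, firewall_disabled).

    findings is a list of (kind, name, path, reasons) for Run values, services and
    removed orphans whose image path trips one of the checks in risk_reasons().
    """
    findings = []
    firewall_disabled = False
    for raw in log_text.splitlines():
        line = raw.strip()
        for kind, pattern in (('run', RUN_LINE), ('service', SERVICE_LINE), ('orphan', ORPHAN_LINE)):
            m = pattern.match(line)
            if m:
                reasons = risk_reasons(m['path'])
                if reasons:
                    findings.append((kind, m['name'], m['path'], reasons))
                break
        else:
            # Not an autostart line: check whether it is the XP firewall switch.
            m = FIREWALL_LINE.match(line)
            if m and m['val'] == '0':
                firewall_disabled = True
    return findings, firewall_disabled


if __name__ == '__main__':
    found, fw_off = triage(SAMPLE_LOG)
    for kind, name, path, reasons in found:
        print(f'[{kind}] {name}: {path} -> {"; ".join(reasons)}')
    print('Windows Firewall (standard profile) disabled:', fw_off)
```

Run against the sample, the script reports the two Run values in Temp and Application Data, the `syhdiwi` service whose image is an `.exe` in the drivers folder, the orphaned `Fjiadx` entry, and the disabled firewall, while the Adobe, SkyTel, NPF and AVG entries pass. The checks are deliberately path-based: ComboFix prints no hashes, so location and file type are the cheap signals a first pass can use before any sample is submitted for analysis.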

#14 Elise

Posted 03 November 2010 - 11:24 AM

Can you find the graphics card drivers in Add/Remove Programs?

If not, click Start > Run, type devmgmt.msc and press enter. Look in the list for Display Adapters and right click on the display driver found there. Select uninstall. Reboot normally and let me know if that works now.

regards, Elise



#15 nhutchinson

Posted 03 November 2010 - 01:09 PM

Hi Elise

That got me a little further. I now get the wallpaper screen and am asked to activate my account. When I say yes, nothing happens; it stays on the wallpaper with no icons. I do see the eggtimer every now and then, but nothing loads.

Regards Noel



