
corrupt gui, disappearing text, windows errors


This topic is locked. 17 replies to this topic.

#1 eyalwe

Members, 12 posts

Posted 10 November 2010 - 09:41 PM

Hi,

I think I've got it bad.
I have two WIN XP computers which I work with, pass files between them, and make similar installations.
Both started acting up with the following symptoms:
corrupted GUI
disappearing text and GUI
"insufficient system resources" error
"DLL is not a valid Windows Image" error
various BSODs

After no luck with driver rollback, system restore, and various antivirus/anti-malware software, I did a clean install on one of the machines, and it seems fine.
The other machine will serve to find whether a rootkit or virus is involved, and to determine if further action is necessary.

Thanks in advance for your help.

Here is the DDS log:


DDS (Ver_10-11-10.01) - NTFSx86
Run by eyaler at 2:02:43.29 on 2010-11-11
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3071.2324 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\הפוך על הפוך\Hebrew.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AeroSnap\AeroSnap.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Trendnet\USBKVM Switcher\USBKVM.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Recaps\recaps.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\eyaler\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - c:\program files\iepro\iepro.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Microsoft Web Test Recorder 9.0 Helper: {e31ce47f-c268-41ba-897b-b415e613947d} - c:\program files\microsoft visual studio 9.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\iepro\IEProRecorder.dll
uRun: [AeroSnap] c:\program files\aerosnap\AeroSnap.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Hebrew] c:\program files\הפוך על הפוך\Hebrew.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.24 msi master overclocking arena 2009 edition\RivaTuner.exe" /S
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\eyaler\startm~1\programs\startup\minefi~1.lnk - c:\program files\minefield\firefox.exe
StartupFolder: c:\docume~1\eyaler\startm~1\programs\startup\recaps.lnk - c:\program files\recaps\recaps.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\usbkvm~1.lnk - c:\program files\trendnet\usbkvm switcher\USBKVM.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\iepro\iepro.dll
IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: ordernet.co.il
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1231167886437
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
TCP: {9D3C0884-4038-47C4-B2E7-40719C0FBC7E} = 10.0.0.138,192.115.106.131
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

============= SERVICES / DRIVERS ===============

R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2010-2-6 26248]
R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [2010-2-6 20616]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-9 28552]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-3-21 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-3-21 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-3-21 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-3-21 60936]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-7-5 10448]
R3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [2010-2-6 122504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 cpuz132;cpuz132;\??\c:\windows\system32\drivers\cpuz132_x32.sys --> c:\windows\system32\drivers\cpuz132_x32.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-2-6 13192]
S3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2010-2-6 14216]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-2-6 8456]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\microsoft visual studio 9.0\team tools\performance tools\VSPerfDrv90.sys [2007-9-4 55664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-11-09 22:27:59 -------- d-sha-r- C:\cmdcons
2010-11-09 13:44:50 -------- d-----w- c:\docume~1\eyaler\applic~1\Panda Security
2010-11-09 13:43:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2010-11-09 13:31:15 -------- d-----w- c:\windows\system32\NtmsData
2010-11-09 09:36:36 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-11-09 09:36:22 -------- d-----w- c:\program files\Panda Security
2010-11-09 08:33:39 -------- d-----w- c:\program files\ESET
2010-11-06 23:08:40 -------- d-----w- c:\docume~1\eyaler\applic~1\Malwarebytes
2010-11-06 23:08:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-06 23:08:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-06 23:08:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-06 23:08:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-01 23:12:16 -------- d-----w- c:\program files\Maple 14
2010-10-31 22:16:30 -------- d-----w- c:\docume~1\eyaler\applic~1\Maple
2010-10-30 14:24:37 888424 ----a-w- c:\windows\system32\nvdispco32.dll
2010-10-30 14:24:37 813672 ----a-w- c:\windows\system32\nvgenco32.dll
2010-10-30 14:15:07 20328 ----a-w- c:\windows\system32\drivers\cpuz134_x32.sys
2010-10-25 23:06:53 -------- d-----w- C:\boost
2010-10-16 21:02:42 -------- d-----w- c:\program files\Stellar Phoenix Word Recovery
2010-10-16 21:02:31 -------- d-----w- c:\program files\common files\OfficeRecovery
2010-10-16 20:33:53 98816 ----a-w- c:\windows\sed.exe
2010-10-16 20:33:53 89088 ----a-w- c:\windows\MBR.exe
2010-10-16 20:33:53 256512 ----a-w- c:\windows\PEV.exe
2010-10-16 20:33:53 161792 ----a-w- c:\windows\SWREG.exe
2010-10-16 16:03:05 -------- d-----w- c:\docume~1\eyaler\applic~1\OfficeRecovery
2010-10-16 16:02:16 -------- d-----w- c:\program files\OfficeRecovery
2010-10-16 16:02:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\OfficeRecovery
2010-10-16 15:49:29 -------- d-----w- c:\program files\Stellar Phoenix PowerPoint Recovery
2010-10-16 10:04:22 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-10-16 10:04:16 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-10-16 10:04:16 13851752 ----a-w- c:\windows\system32\nvcpl.dll
2010-10-16 10:04:16 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-10-16 10:04:14 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2010-10-16 10:04:14 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-10-12 20:13:32 99840 -c----w- c:\windows\system32\dllcache\srvsvc.dll
2010-10-12 20:04:39 1288192 -c----w- c:\windows\system32\dllcache\ole32.dll
2010-10-12 19:54:51 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-12 19:39:48 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-12 19:39:48 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

==================== Find3M ====================

2010-11-02 23:10:03 240608 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-11-02 23:10:03 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-11-01 23:14:11 212992 ----a-w- c:\windows\system32\WMIMPLEX.dll
2010-11-01 23:14:11 20480 ----a-w- c:\windows\system32\maplecompat.dll
2010-11-01 23:14:10 31744 ----a-w- c:\windows\system32\maplec.dll
2010-10-30 14:25:03 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-10-16 18:55:00 6359552 ----a-w- c:\windows\system32\nv4_disp.dll
2010-10-16 18:55:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-10-16 18:55:00 4882432 ----a-w- c:\windows\system32\nvcuda.dll
2010-10-16 18:55:00 2932840 ----a-w- c:\windows\system32\nvcuvid.dll
2010-10-16 18:55:00 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-10-16 18:55:00 2293194 ----a-w- c:\windows\system32\nvdata.bin
2010-10-16 18:55:00 1462272 ----a-w- c:\windows\system32\nvapi.dll
2010-10-16 18:55:00 14532608 ----a-w- c:\windows\system32\nvoglnt.dll
2010-10-16 18:55:00 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
2010-09-18 10:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 07:09:35 94208 ----a-w- c:\windows\DUMP5c49.tmp
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 2:03:07.26 ===============

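The DDS log above is what a malware-response helper reads by hand: the process list, the "Pseudo HJT" autorun and Internet Explorer entries, and the services/drivers table. As an added example (not a tool from this thread or from BleepingComputer), here is a small Python triage script that applies the first-pass checks a helper makes on those three sections: processes launched from user-writable locations, Run-key entries whose image name is unqualified and therefore resolves through the search path, sites placed in IE's Trusted Zone, ActiveX (DPF) downloads from non-Microsoft hosts, DNS servers outside private address space (the TCP: line), boot-start (R0) drivers, and service entries whose file DDS could not find (the `[?]` suffix). The sample input quotes a subset of lines from the first log; one extra process line under Local Settings\Temp is constructed and is not in the log. Every flag is a heuristic to review, not a verdict: dds.scr running from the Desktop, pavboot.sys (Panda's boot driver, installed the day of the Panda scan) and the second, non-private DNS address (which may simply be the ISP's resolver) all trip a check legitimately.

```python
"""Triage of a DDS log like the ones posted above. Added example, not a tool
from this thread; every hit is a heuristic for a human to review."""
import ipaddress
import re

# Subset of lines from the first DDS log in the thread. The
# ...\Local Settings\Temp\svchost.exe process line is CONSTRUCTED (not in the
# log) so that the user-writable-path check has a realistic hit.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\eyaler\Local Settings\Temp\svchost.exe
C:\Documents and Settings\eyaler\Desktop\dds.scr

============== Pseudo HJT Report ===============

mRun: [SoundMan] SOUNDMAN.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
Trusted Zone: ordernet.co.il
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: {9D3C0884-4038-47C4-B2E7-40719C0FBC7E} = 10.0.0.138,192.115.106.131

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-9 28552]
S2 cpuz132;cpuz132;\??\c:\windows\system32\drivers\cpuz132_x32.sys --> c:\windows\system32\drivers\cpuz132_x32.sys [?]
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")                   # "=== Section Name ==="
RUN_RE = re.compile(r"^([umd]Run(?:Once)?): \[(.*?)\] (.*)$")   # uRun/mRun/dRun(Once) entries
SVC_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.*?) \[(.*)\]$")  # R0 name;display;path [meta]
HOST_RE = re.compile(r"hxxps?://([^/\s]+)", re.IGNORECASE)     # DDS defangs http:// as hxxp://
USER_WRITABLE = ("\\desktop\\", "\\application data\\", "\\local settings\\", "\\temp\\")


def split_sections(text):
    """Map each '=== header ===' section name to its non-empty lines."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def _image_of(command):
    """First token of a Run-key command: the quoted path, else the first word."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""


def check_processes(lines):
    # Malware commonly runs from the profile, Temp or Desktop; system binaries do not.
    return [("process-user-writable-path", line) for line in lines
            if any(marker in line.lower() for marker in USER_WRITABLE)]


def check_hjt(lines):
    findings = []
    for line in lines:
        run = RUN_RE.match(line)
        if run:
            image = _image_of(run.group(3))
            # An unqualified image name is resolved via the search path, so a
            # same-named file in an earlier directory would be what starts.
            if "\\" not in image and "%" not in image:
                findings.append(("autorun-unqualified-image", line))
        elif line.startswith("Trusted Zone:"):
            findings.append(("ie-trusted-zone", line))       # lowered IE security for that site
        elif line.startswith("DPF:"):                         # ActiveX control download
            host = HOST_RE.search(line)
            if not (host and host.group(1).lower().endswith("microsoft.com")):
                findings.append(("activex-download-nonms", line))
        elif line.startswith("TCP:"):                         # DNS servers of an interface
            for addr in line.split("=", 1)[1].split(","):
                try:
                    ip = ipaddress.ip_address(addr.strip())
                except ValueError:
                    continue
                if not ip.is_private:                         # DNS-changer malware sets public IPs
                    findings.append(("dns-public-server", str(ip)))
    return findings


def check_services(lines):
    findings = []
    for line in lines:
        m = SVC_RE.match(line)
        if not m:
            continue
        _state, start, name, _display, _path, meta = m.groups()
        if meta == "?":           # DDS could not find the file on disk: orphan or hidden
            findings.append(("service-file-missing", name))
        if start == "0":          # boot-start driver: loads before on-access AV
            findings.append(("boot-start-driver", name))
    return findings


def triage(text):
    s = split_sections(text)
    return (check_processes(s.get("Running Processes", []))
            + check_hjt(s.get("Pseudo HJT Report", []))
            + check_services(s.get("SERVICES / DRIVERS", [])))


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:28} {detail}")
```

Run it against a full DDS log by replacing `SAMPLE_LOG` with the file contents; the section splitter ignores the "Created Last 30" and "Find3M" tables, which are better diffed between two runs (as the two logs in this thread invite) than pattern-matched.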

#2 teacup61

Bleepin' Texan! Malware Response Team, 17,075 posts, Wills Point, Texas

Posted 17 November 2010 - 10:20 PM

Hello eyalwe,

Sorry for the delay. :( If you still need help, please post a new DDS/HijackThis log and I'll be happy to look at it. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 eyalwe

Topic Starter, Members, 12 posts

Posted 18 November 2010 - 03:12 AM

Hi, and thanks,

DDS (Ver_10-11-10.01) - NTFSx86
Run by eyaler at 10:05:20.07 on 2010-11-18
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3071.1344 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\הפוך על הפוך\Hebrew.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AeroSnap\AeroSnap.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Trendnet\USBKVM Switcher\USBKVM.exe
C:\Program Files\Recaps\recaps.exe
C:\Program Files\Bazaar\bzrw.exe
C:\Program Files\Minefield\firefox.exe
C:\Program Files\Bazaar\bzrw.exe
C:\Program Files\Bazaar\bzrw.exe
C:\Program Files\Bazaar\bzrw.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Bazaar\bzrw.exe
C:\Program Files\Minefield\plugin-container.exe
C:\Program Files\Bazaar\bzrw.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\eyaler\Desktop\Defogger.exe
C:\Documents and Settings\eyaler\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - c:\program files\iepro\iepro.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Microsoft Web Test Recorder 9.0 Helper: {e31ce47f-c268-41ba-897b-b415e613947d} - c:\program files\microsoft visual studio 9.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\iepro\IEProRecorder.dll
uRun: [AeroSnap] c:\program files\aerosnap\AeroSnap.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10k_Plugin.exe -update plugin
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Hebrew] c:\program files\הפוך על הפוך\Hebrew.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.24 msi master overclocking arena 2009 edition\RivaTuner.exe" /S
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\eyaler\startm~1\programs\startup\minefi~1.lnk - c:\program files\minefield\firefox.exe
StartupFolder: c:\docume~1\eyaler\startm~1\programs\startup\recaps.lnk - c:\program files\recaps\recaps.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\usbkvm~1.lnk - c:\program files\trendnet\usbkvm switcher\USBKVM.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\iepro\iepro.dll
IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: ordernet.co.il
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1231167886437
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
TCP: {9D3C0884-4038-47C4-B2E7-40719C0FBC7E} = 10.0.0.138,192.115.106.131
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

============= SERVICES / DRIVERS ===============

R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2010-2-6 26248]
R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [2010-2-6 20616]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-9 28552]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-3-21 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-3-21 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-3-21 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-3-21 60936]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-7-5 10448]
R3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [2010-2-6 122504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 cpuz132;cpuz132;\??\c:\windows\system32\drivers\cpuz132_x32.sys --> c:\windows\system32\drivers\cpuz132_x32.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-2-6 13192]
S3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2010-2-6 14216]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-2-6 8456]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\microsoft visual studio 9.0\team tools\performance tools\VSPerfDrv90.sys [2007-9-4 55664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-11-16 02:33:18 -------- d-----w- C:\trunk1
2010-11-16 02:22:50 -------- d-----w- C:\trunk
2010-11-12 23:39:37 -------- d-----w- c:\program files\Bazaar
2010-11-12 23:39:37 -------- d-----w- c:\docume~1\eyaler\applic~1\bazaar
2010-11-09 22:27:59 -------- d-sha-r- C:\cmdcons
2010-11-09 13:44:50 -------- d-----w- c:\docume~1\eyaler\applic~1\Panda Security
2010-11-09 13:43:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2010-11-09 13:31:15 -------- d-----w- c:\windows\system32\NtmsData
2010-11-09 09:36:36 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-11-09 09:36:22 -------- d-----w- c:\program files\Panda Security
2010-11-09 08:33:39 -------- d-----w- c:\program files\ESET
2010-11-06 23:08:40 -------- d-----w- c:\docume~1\eyaler\applic~1\Malwarebytes
2010-11-06 23:08:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-06 23:08:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-06 23:08:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-06 23:08:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-01 23:12:16 -------- d-----w- c:\program files\Maple 14
2010-10-31 22:16:30 -------- d-----w- c:\docume~1\eyaler\applic~1\Maple
2010-10-30 14:24:37 888424 ----a-w- c:\windows\system32\nvdispco32.dll
2010-10-30 14:24:37 813672 ----a-w- c:\windows\system32\nvgenco32.dll
2010-10-30 14:15:07 20328 ----a-w- c:\windows\system32\drivers\cpuz134_x32.sys
2010-10-25 23:06:53 -------- d-----w- C:\boost

==================== Find3M ====================

2010-11-07 23:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-11-02 23:10:03 240608 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-11-02 23:10:03 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-11-01 23:14:11 212992 ----a-w- c:\windows\system32\WMIMPLEX.dll
2010-11-01 23:14:11 20480 ----a-w- c:\windows\system32\maplecompat.dll
2010-11-01 23:14:10 31744 ----a-w- c:\windows\system32\maplec.dll
2010-10-30 14:25:03 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-10-16 18:55:00 6359552 ----a-w- c:\windows\system32\nv4_disp.dll
2010-10-16 18:55:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-10-16 18:55:00 4882432 ----a-w- c:\windows\system32\nvcuda.dll
2010-10-16 18:55:00 2932840 ----a-w- c:\windows\system32\nvcuvid.dll
2010-10-16 18:55:00 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-10-16 18:55:00 2293194 ----a-w- c:\windows\system32\nvdata.bin
2010-10-16 18:55:00 1462272 ----a-w- c:\windows\system32\nvapi.dll
2010-10-16 18:55:00 14532608 ----a-w- c:\windows\system32\nvoglnt.dll
2010-10-16 18:55:00 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
2010-10-16 10:04:22 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-10-16 10:04:16 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-10-16 10:04:16 13851752 ----a-w- c:\windows\system32\nvcpl.dll
2010-10-16 10:04:16 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-10-16 10:04:14 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2010-10-16 10:04:14 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-09-18 10:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 07:09:35 94208 ----a-w- c:\windows\DUMP5c49.tmp
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

============= FINISH: 10:05:52.84 ===============

#4 teacup61

Bleepin' Texan! Malware Response Team, 17,075 posts, Wills Point, Texas

Posted 18 November 2010 - 09:41 AM

Hello,

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to eyalwe.exe and try again.

Thanks,
tea

#5 eyalwe

Topic Starter, Members, 12 posts

Posted 18 November 2010 - 10:10 AM

ComboFix 10-11-17.03 - eyaler 2010-11-18 16:58:46.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3071.1481 [GMT 2:00]
Running from: c:\documents and settings\eyaler\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-10-18 to 2010-11-18 )))))))))))))))))))))))))))))))
.

2010-11-16 02:22 . 2010-11-16 02:22 -------- d-----w- C:\trunk
2010-11-12 23:39 . 2010-11-12 23:45 -------- d-----w- c:\program files\Bazaar
2010-11-12 23:39 . 2010-11-12 23:39 -------- d-----w- c:\documents and settings\eyaler\Application Data\bazaar
2010-11-09 13:44 . 2010-11-09 13:44 -------- d-----w- c:\documents and settings\eyaler\Application Data\Panda Security
2010-11-09 13:43 . 2010-11-09 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2010-11-09 13:31 . 2010-11-10 23:46 -------- d-----w- c:\windows\system32\NtmsData
2010-11-09 09:36 . 2009-06-30 08:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-11-09 09:36 . 2010-11-09 22:21 -------- d-----w- c:\program files\Panda Security
2010-11-09 08:33 . 2010-11-09 08:33 -------- d-----w- c:\program files\ESET
2010-11-06 23:08 . 2010-11-06 23:08 -------- d-----w- c:\documents and settings\eyaler\Application Data\Malwarebytes
2010-11-06 23:08 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-06 23:08 . 2010-11-06 23:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-06 23:08 . 2010-11-06 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-06 23:08 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-01 23:12 . 2010-11-01 23:30 -------- d-----w- c:\program files\Maple 14
2010-10-31 22:16 . 2010-10-31 22:16 -------- d-----w- c:\documents and settings\eyaler\Application Data\Maple
2010-10-31 21:48 . 2010-10-31 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-10-30 14:24 . 2010-10-16 18:55 888424 ----a-w- c:\windows\system32\nvdispco32.dll
2010-10-30 14:24 . 2010-10-16 18:55 813672 ----a-w- c:\windows\system32\nvgenco32.dll
2010-10-30 14:15 . 2010-07-09 11:18 20328 ----a-w- c:\windows\system32\drivers\cpuz134_x32.sys
2010-10-25 23:06 . 2010-10-25 23:13 -------- d-----w- C:\boost

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-02 23:24 . 2009-03-21 16:03 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-02 23:24 . 2009-03-21 16:03 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-01 23:14 . 2010-09-02 10:51 212992 ----a-w- c:\windows\system32\WMIMPLEX.dll
2010-11-01 23:14 . 2010-09-02 10:51 20480 ----a-w- c:\windows\system32\maplecompat.dll
2010-11-01 23:14 . 2010-09-02 10:51 31744 ----a-w- c:\windows\system32\maplec.dll
2010-10-16 18:55 . 2010-08-27 07:58 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-10-16 18:55 . 2010-08-27 07:58 14532608 ----a-w- c:\windows\system32\nvoglnt.dll
2010-10-16 18:55 . 2010-08-27 07:58 4882432 ----a-w- c:\windows\system32\nvcuda.dll
2010-10-16 18:55 . 2010-08-27 07:58 2932840 ----a-w- c:\windows\system32\nvcuvid.dll
2010-10-16 18:55 . 2010-08-27 07:58 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-10-16 18:55 . 2010-08-27 07:57 1462272 ----a-w- c:\windows\system32\nvapi.dll
2010-10-16 18:55 . 2010-08-27 07:57 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
2010-10-16 18:55 . 2009-12-20 16:31 9623680 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-10-16 18:55 . 2009-12-20 16:31 6359552 ----a-w- c:\windows\system32\nv4_disp.dll
2010-10-16 10:04 . 2010-10-16 10:04 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-10-16 10:04 . 2010-10-16 10:04 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-10-16 10:04 . 2010-10-16 10:04 13851752 ----a-w- c:\windows\system32\nvcpl.dll
2010-10-16 10:04 . 2010-10-16 10:04 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-10-16 10:04 . 2010-10-16 10:04 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2010-10-16 10:04 . 2010-10-16 10:04 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-09-18 10:23 . 2007-09-20 05:16 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2007-09-20 05:16 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-10 05:58 . 2007-09-20 09:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2007-09-20 09:21 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2007-09-20 09:21 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-03 14:40 . 2010-07-05 15:19 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-09-01 11:51 . 2004-08-04 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2007-09-20 05:27 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2007-09-20 05:17 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 07:09 . 2008-03-17 06:37 94208 ----a-w- c:\windows\DUMP5c49.tmp
2010-08-27 05:57 . 2007-09-20 05:17 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2007-09-20 05:17 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-15 14:23 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2007-09-20 05:15 617472 ----a-w- c:\windows\system32\comctl32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AeroSnap"="c:\program files\AeroSnap\AeroSnap.exe" [2008-12-06 886784]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-10-30 397688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
"Hebrew"="c:\program files\הפוך על הפוך\Hebrew.exe" [2005-09-04 753664]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-07-06 98304]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" [2009-08-22 2781184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-25 1753192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

c:\documents and settings\eyaler\Start Menu\Programs\Startup\
Minefield.lnk - c:\program files\Minefield\firefox.exe [2008-8-13 98304]
Recaps.lnk - c:\program files\Recaps\recaps.exe [2008-3-17 45056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
USBKVM Switcher.lnk - c:\program files\Trendnet\USBKVM Switcher\USBKVM.exe [2009-12-12 589824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-10-30 18:07 140568 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-10-30 18:11 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2007-10-30 18:06 2595616 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UPSMON]
2005-03-30 14:13 429568 ------w- c:\program files\UPSMON\UPSMON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TryAndDecideService"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
"UPSMONService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"nvsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Maple 12\\jre\\bin\\maple.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2010-02-06 26248]
R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [2010-02-06 20616]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-09 28552]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-21 135336]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-07-05 10448]
R3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [2010-02-06 122504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-02-06 13192]
S3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2010-02-06 14216]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-02-06 8456]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 55664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
Contents of the 'Scheduled Tasks' folder

2010-11-11 c:\windows\Tasks\options.job
- c:\options\archive\archive.bat [2010-08-26 08:12]

2010-11-11 c:\windows\Tasks\pass.job
- c:\options\archive\pass.bat [2008-04-27 09:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: ordernet.co.il
TCP: {9D3C0884-4038-47C4-B2E7-40719C0FBC7E} = 10.0.0.138,192.115.106.131
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-18 17:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-57989841-606747145-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*T%*ך]
@Class="Shell"

[HKEY_USERS\S-1-5-21-57989841-606747145-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*T%*ך\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

- - - - - - - > 'explorer.exe'(2960)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2010-11-18 17:05:05
ComboFix-quarantined-files.txt 2010-11-18 15:04
ComboFix2.txt 2010-11-09 22:54

Pre-Run: 141,508,009,984 bytes free
Post-Run: 141,515,034,624 bytes free

- - End Of File - - 626C5F8786F707F57843D7635F5E88A6
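Before the thread moves on to online scanners, it is worth saying what the ComboFix log above does and does not show. The catchme pass found no hidden processes, autostarts or files, and nothing in the autostart list is an obvious dropper, but a few entries are loose ends a responder would confirm before ruling malware out: two autostart values with no directory in their path ("SOUNDMAN.EXE" under HKLM\...\Run and "shell32" under RunOnce), which Windows resolves through the search path rather than from a fixed location; the Security Center AntiVirusOverride flag; a Kaspersky installer left in the firewall's authorized-application list; 3389/TCP (Remote Desktop) opened globally on the standard profile; and two scheduled tasks that run batch files from c:\options\archive. The triage pass below is an added example by the editor, not part of the thread and not a ComboFix feature; the section parser, the heuristic rules and the finding names are my own, and the sample input is a trimmed copy of lines from the log above. Several of these entries are plainly the user's own setup, so the output is a checklist to verify on the machine, not a verdict.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the ComboFix log above, trimmed to the
# sections this parser understands (Run keys, Security Center, firewall, tasks).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

Contents of the 'Scheduled Tasks' folder

2010-11-11 c:\windows\Tasks\options.job
- c:\options\archive\archive.bat [2010-08-26 08:12]

2010-11-11 c:\windows\Tasks\pass.job
- c:\options\archive\pass.bat [2008-04-27 09:54]
"""

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
FW_APP_RE = re.compile(r'^"(?P<path>[^"]+)"=\s*$')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')
TASK_RE = re.compile(r'^-\s+(?P<path>.+?)\s+\[')

# Assumed "expected" roots for autostarts and firewall exceptions (heuristic).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\", "%windir%\\", "%programfiles%\\")


def parse_combofix(text: str) -> Dict[str, object]:
    """Pull autostarts, Security Center flags, firewall exceptions and tasks out of a log."""
    out: Dict[str, object] = {"autoruns": [], "security_center": {}, "fw_apps": [], "fw_ports": [], "tasks": []}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()          # registry key header
            continue
        if line.startswith("Contents of the 'Scheduled Tasks'"):
            section = "tasks"
            continue
        if section.endswith(("\\run", "\\runonce")):
            m = RUN_RE.match(line)
            if m:
                out["autoruns"].append({"hive": section, "name": m["name"], "path": m["path"]})
        elif section.endswith("security center"):
            m = DWORD_RE.match(line)
            if m:
                out["security_center"][m["name"]] = int(m["val"], 16)
        elif section.endswith("authorizedapplications\\list"):
            m = FW_APP_RE.match(line)
            if m:
                out["fw_apps"].append(m["path"].replace("\\\\", "\\"))   # undo REGEDIT escaping
        elif section.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m:
                out["fw_ports"].append((int(m["port"]), m["proto"]))
        elif section == "tasks":
            m = TASK_RE.match(line)
            if m:
                out["tasks"].append(m["path"])
    return out


def triage(text: str) -> List[Tuple[str, str]]:
    """Apply the heuristic rules; returns (finding-kind, detail) pairs to verify by hand."""
    p = parse_combofix(text)
    findings: List[Tuple[str, str]] = []
    for a in p["autoruns"]:
        path = a["path"].lower()
        if "\\" not in path:      # no directory: resolved via the search path, so check which file wins
            findings.append(("unqualified-autorun", f"{a['name']} -> {a['path']}"))
        elif not path.startswith(TRUSTED_ROOTS):
            findings.append(("autorun-outside-program-dirs", f"{a['name']} -> {a['path']}"))
    if p["security_center"].get("AntiVirusOverride") == 1:
        findings.append(("av-monitoring-overridden", "Security Center AV alerts suppressed; confirm your own AV set it"))
    for app in p["fw_apps"]:
        if not app.lower().startswith(TRUSTED_ROOTS):
            findings.append(("fw-exception-outside-program-dirs", app))
    for port, proto in p["fw_ports"]:
        if (port, proto) == (3389, "TCP"):
            findings.append(("rdp-globally-open", "3389/TCP open to any source on the standard profile"))
        else:
            findings.append(("port-globally-open", f"{port}/{proto}"))
    for t in p["tasks"]:
        if t.lower().endswith((".bat", ".cmd", ".vbs", ".js")) or not t.lower().startswith(TRUSTED_ROOTS):
            findings.append(("task-runs-script", t))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:40s} {detail}")
```

Run it against a full ComboFix log by reading the file into `triage()`; only the sections listed in the comment are parsed, the rest is ignored. The rules are deliberately conservative: they flag location and resolution oddities, not file reputation, so every hit still needs the file checked on disk.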

#6 teacup61 (Malware Response Team)

Posted 18 November 2010 - 11:13 AM

Hello,

Can I please see the original report, if you still have it? :) How is it running, please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 eyalwe (Topic Starter)

Posted 18 November 2010 - 11:52 AM

What do you mean by the original report? This is the only ComboFix report I have.

Edited by eyalwe, 18 November 2010 - 11:56 AM.


#8 teacup61 (Malware Response Team)

Posted 18 November 2010 - 12:08 PM

Okay, okay, not a problem. The log indicates that it was run more than once, is all, and since nothing was removed I thought perhaps something was in the first run. :)

I'm not seeing a whole lot to go by in these logs. Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the Posted Image... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the Posted Image... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the Posted Image... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

Thanks,

tea

#9 eyalwe (Topic Starter)

Posted 18 November 2010 - 02:56 PM

Tried several times; I get:

Update has failed The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab.

Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: License has expired]

#10 teacup61 (Malware Response Team)

Posted 18 November 2010 - 03:11 PM

Ugh... I thought they fixed that... my apologies. :( I see you've run Eset and Panda online scanners... I assume they came up clean, yes? I don't see anything in these logs... do you have your XP disk? I'd like to scan the system for problems, and if it finds any it can fix, you'll need the disk.

#11 eyalwe (Topic Starter)

Posted 18 November 2010 - 07:45 PM

Yes, I have an XP disk.
I tried an SFC on my other computer,
but it said it was missing some files.
Perhaps because it's not SP3?

#12 teacup61 (Malware Response Team)

Posted 18 November 2010 - 07:56 PM

The disk is not SP3? If that's what you're saying, then you may be right... but that makes me wonder... if the files that are messed up are in SP3 when it asks for the disk, I wonder if perhaps taking it out and reinstalling it again would help your problems? What do you think?

#13 eyalwe (Topic Starter)

Posted 18 November 2010 - 08:37 PM

Can you rule out malware at this stage?

#14 teacup61 (Malware Response Team)

Posted 18 November 2010 - 08:55 PM

Between your descriptions and what I see... and don't see... in the logs, I believe so. Now I'll tell you up front: malware is my forte, not in-depth troubleshooting. After we get so far into it I'll reach my knowledge limit. If you want to stay here until I do, then I'll do all I can for you, if you need it. If you'd rather, you can go to the XP forum and work with someone there. Up to you, and I'm okay either way. :)

#15 eyalwe (Topic Starter)

Posted 19 November 2010 - 03:08 PM

OK, I got an XP SP3 disc,
ran SFC /SCANNOW and rebooted.
Still experiencing symptoms.
What now?
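The thread ends with sfc /scannow reporting nothing to repair while "DLL is not a valid Windows Image" and the display corruption persist. Since the poster already has a clean XP install on the second machine, the practical next check is to compare the suspect machine's system32 binaries against that known-good copy, and to test each suspect file's PE header the way the loader does before it raises that error (STATUS_INVALID_IMAGE_FORMAT: bad MZ/PE signatures, a truncated header, or an unexpected optional-header magic). The code below is an added example by the editor, not part of the thread or of any Microsoft tool; the file names are taken from the log above, the in-memory PE images and their corruptions are constructed to exercise the checks, and a real run would call manifest_from_files on both machines' system32 directories (the function names are my own). Three caveats: a well-formed header says nothing about whether the code inside is trojaned; the hash comparison is only meaningful when both machines carry the same service pack and updates, which is why the SP3 disc question above matters; and a file that hashes identically on both machines yet still misbehaves points at memory, the GPU or the display driver rather than at the file.

```python
import hashlib
import struct
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple


def pe_header_problem(data: bytes) -> Optional[str]:
    """Return None if `data` begins with a well-formed PE image header, else why not.
    These are the structural checks the loader makes before it rejects an image."""
    if len(data) < 0x40:
        return "shorter than a DOS header"
    if data[:2] != b"MZ":
        return "missing MZ signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]     # offset of the PE header
    if e_lfanew + 24 > len(data):
        return "truncated before COFF header"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "missing PE signature"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if machine not in (0x014C, 0x8664):                      # i386 / x64
        return f"unexpected machine type 0x{machine:04x}"
    if opt_size < 2 or e_lfanew + 24 + opt_size > len(data):
        return "optional header truncated"
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        return f"unexpected optional header magic 0x{magic:04x}"
    return None


def build_minimal_pe(characteristics: int = 0x2102) -> bytes:
    """Constructed stand-in for a system DLL: DOS header, PE signature, COFF header
    and an empty PE32 optional header. Enough to pass the header checks above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, characteristics)
    opt = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)
    return bytes(dos) + b"PE\0\0" + coff + opt


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_from_files(root: Path, names: Iterable[str]) -> Dict[str, str]:
    """Hash the named files under `root` (e.g. C:\\WINDOWS\\system32) on one machine."""
    return {n: sha256_hex((root / n).read_bytes()) for n in names if (root / n).is_file()}


def compare_manifests(baseline: Dict[str, str], suspect: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff a known-good manifest against the suspect machine's manifest."""
    return {
        "changed": sorted(n for n in baseline if n in suspect and baseline[n] != suspect[n]),
        "missing": sorted(n for n in baseline if n not in suspect),
        "extra": sorted(n for n in suspect if n not in baseline),
    }


def demo() -> Tuple[Dict[str, List[str]], Dict[str, Optional[str]]]:
    """Constructed scenario: the clean machine's files versus a suspect set where one file
    has its PE signature zeroed and an unexpected truncated file has appeared."""
    good = build_minimal_pe()
    good_with_tail = good + b"\0" * 16                       # still parses, just a different file
    clean = {"win32k.sys": good, "atmfd.dll": good_with_tail}
    corrupted = bytearray(good)
    corrupted[0x40:0x44] = b"\0\0\0\0"                      # wipe "PE\0\0"
    suspect = {"win32k.sys": bytes(corrupted), "atmfd.dll": good_with_tail, "extra.dll": good[:80]}
    diff = compare_manifests({n: sha256_hex(b) for n, b in clean.items()},
                             {n: sha256_hex(b) for n, b in suspect.items()})
    problems = {n: pe_header_problem(b) for n, b in suspect.items()}
    return diff, problems


if __name__ == "__main__":
    diff, problems = demo()
    print("manifest diff:", diff)
    for name, why in problems.items():
        print(f"{name}: {'ok' if why is None else why}")
```

On the real machines, build the name list from the "Files Created/Modified" block of the log, run manifest_from_files on each system32, and only then look at compare_manifests; the header check is the cheap first look at anything that shows up as changed or extra.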