
XP Security 2011- Removal issues


102 replies to this topic

#1 Zedded

Zedded

  • Members
  • 60 posts

Posted 12 March 2011 - 06:29 PM

OS:XP HOME, Service Pack 3, v.6055
AV and firewall: AVG 2011 Security Suite (currently disabled)
Post edited 13/03 for attempt at more clarity and to add DDS and GMER logs.

Problem: Computer only functions in Safe Mode, after Malwarebytes removal of XP Security 2011. In Normal Mode, no software can be started: AV, firewall, Defender, Malwarebytes, browsers, Help and Support etc. Trying to run any software either generates a window asking which software is needed to run it or, as for XP Help and Support, Windows Firewall or Defender, the applications "cannot be found".

I have read several threads about XP Security 2011 removal, but only after a problematic removal of "XP security 2011", and am not sure how to proceed. Following the hijack of my laptop by the virus and the disabling of all web browsing, I was given a CD with some malware removal tools and some instructions in a notepad readme.

Instructions on CD were to install Malwarebytes and run it, then Combofix (or Spybot) followed by CCleaner.

What I did:
In Safe Mode with Networking, Trojan.Fakealert and Trojan.Dropper quarantined and deleted using Malwarebytes.
Upon Reboot, second MB pass found the same infections, but this time in system volume information\_restore. Also successfully quarantined and deleted.
Upon Reboot, blue screen, Registry_error, two attempts.
Only way I could reboot was using last good configuration.
A further pass with Malwarebytes revealed no malware I think.
This is all I did.

I did try other things but aborted as I felt out of my depth and didn't want to risk making things more complicated.
I thought that it might be a good idea to delete recent Restore Points as they appear compromised (infected restore files still in MB quarantine), which cannot be done through the Help and Support in Safe Mode.
However, in NORMAL MODE, XP's Help and Support "Helpctr.exe Application cannot be found".
So I didn't delete anything.

Back in Safe Mode, next instructions were to use Combofix to verify that malwarebytes has removed everything.
I decided to ignore Combofix following a message, during install, that it is incompatible with AVG. Rather than attempt the uninstall of an already compromised AVG, and as I wasn't sure about using this software with my OS, I cancelled the install.
I also Installed CCleaner, but didn't "fix" anything as the registry scan recommended deleting registry entries left over from uninstalled software, including AVG, which I didn't actually uninstall.

In Safe Mode, I can enable Windows Firewall, but have to do it every time I boot.
I have completed DDS and GMER scans after finding the "preparation guide" since having my post kindly redirected to this forum, and they are appended and attached, except for the Ark.txt log of the GMER scan as "this file is too big to upload".

Thanks for any help.
Z

DDS SCAN ERROR MESSAGE
Windows Script Host
Can't find script engine "VBSCRIPT" for script "C:\DOcuments and Settings\Administrator\Local Settings\Temp\MSGB.PIF".

.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Administrator at 0:01:16.26 on 13/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
.
============== Running Processes ===============
.
C:\Program Files\Soluto\SolutoService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
.
============== Pseudo HJT Report ===============
.
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\soluto\soluto.exe /userinit,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10m_Plugin.exe -update plugin
mRun: [CtrlVol] c:\program files\launch manager\CtrlVol.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Wbutton] "c:\program files\launch manager\Wbutton.exe"
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [LaunchAp] c:\program files\launch manager\LaunchAp.exe
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java
DPF: YExplorer1_8US.CAB - hxxp://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/153f25f0a8b18e4d3d05/netzip/RdxIE601.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229537611867
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194733182628
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F}
DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages =
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\d9hwg7x8.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d6d4427&v=6.011.025.001&i=26&tp=ab&iy=&ychte=uk&lng=en-GB&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBTEmailConfig.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: AVG Security Toolbar em:version=6.011.025.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R? atimtai;atimtai
R? AVFilter;AVFilter
R? AVG Security Toolbar Service;AVG Security Toolbar Service
R? Avgfwfd;AVG network filter service
R? avgfws;AVG Firewall
R? AVGIDSAgent;AVGIDSAgent
R? AVGIDSDriver;AVGIDSDriver
R? AVGIDSFilter;AVGIDSFilter
R? AVGIDSShim;AVGIDSShim
R? Avgldx86;AVG AVI Loader Driver
R? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield
R? avgwd;AVG WatchDog
R? AVHook;AVHook
R? DIBLOAD2;Digital TV firmware loader(Type 2)
R? ids0004C;ids0004C
R? ids00089;ids00089
R? INIDVD;Initio USB DVD Filter Driver
R? mailKmd;mailKmd
R? MODUSB;Digital TV DVB-T USB adapter driver
R? Pcarangemaax;Pcarangemaax
R? PCGenFAM;PCGenFAM
R? PCTAVSvc;PC Tools AntiVirus Engine
R? SamsonLLDriver;Samson LL Driver
R? SWWDM_multi;Samson Audio (WDM)
R? UKS11LDR;Midiman USB Keystation Loader
R? ULMODLOAD2;Digital TV firmware loader(Type 2) service
R? ULMODUSB;Digital TV DVB-T USB adapter service
R? USBKS1X1;Midiman USB Keystation Midi Driver
R? vaxscsi;vaxscsi
S? Avgfwdx;Avgfwdx
S? AVGIDSEH;AVGIDSEH
S? Avgrkx86;AVG Anti-Rootkit Driver
S? Avgtdix;AVG TDI Driver
S? CLEDX;Team H2O CLEDX service
S? SolutoService;Soluto PCGenome Core Service
.
=============== Created Last 30 ================
.
2011-03-11 18:56:49 -------- d-----w- c:\program files\CCleaner
2011-03-11 17:26:10 54016 ----a-w- c:\windows\system32\drivers\lpcw.sys
2011-03-11 15:54:12 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-03-11 15:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-11 15:54:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-11 15:54:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-11 15:54:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-08 19:55:55 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2011-03-08 19:44:44 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\AVG Security Toolbar
2011-03-07 21:42:43 -------- d-----w- c:\docume~1\admini~1\applic~1\AVG10
2011-02-18 17:41:10 -------- d-----w- c:\program files\CompareFolders3
2011-02-15 20:32:48 -------- d-----w- c:\program files\Spotify
2011-02-14 16:41:48 -------- d-----w- c:\program files\common files\Motive
2011-02-14 16:41:36 -------- d-----w- c:\program files\BT Broadband Desktop Help
2011-02-14 16:41:11 -------- d-----w- c:\program files\Citrix
2011-02-14 16:41:02 308096 ------w- c:\program files\mozilla firefox\plugins\npBTEmailConfig.dll
2011-02-14 16:40:34 -------- d-----w- c:\program files\BTHomeHub
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2008-12-17 22:10:10 527 ----a-w- c:\program files\Reset.cmd
2006-10-20 10:58:10 377856 ------w- c:\program files\RegSeeker.exe
2006-10-20 09:58:06 7137 ------w- c:\program files\FlashPlayer9.reg
2005-11-05 11:15:54 298 ------w- c:\program files\FixAddRemove.reg
.
============= FINISH: 0:02:47.60 ===============


Edited by Zedded, 13 March 2011 - 05:34 PM.
Moved from XP forum to Malware Removal Logs.




#2 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 17 March 2011 - 03:05 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Thanks and again sorry for the delay.

Best Regards,
oneof4.


#3 Zedded

Zedded
  • Topic Starter

  • Members
  • 60 posts

Posted 18 March 2011 - 06:16 AM

Hi, Oneof4.

This is just to acknowledge that I've received your reply and that I still need assistance for the same problem.
I didn't receive notification of your reply though. I'll have to double check my settings.
I will follow your instructions and post a reply with logs shortly.
Thanks!
Z

#4 Zedded

Zedded
  • Topic Starter

  • Members
  • 60 posts

Posted 18 March 2011 - 08:04 AM

Hi again.
I haven't yet performed the scan or included new logs, reasons listed below. I'll wait for advice.

1- I still have the problem, as described in my first edited post.
2- I am able to operate my laptop in SAFE MODE only.
I can boot in Normal Mode, but applications cannot be run.
So I can perform the scan in Safe Mode.
I haven't performed any maintenance on my computer since posting my first log, as suggested by Bleeping instructions.
3- Original Windows CD. I don't think I ever had one. My laptop (made by Microlink, specialised in assistive technology) came with its own set-up CDs, which may have included Windows.
4- Safe Mode- DISABLING A/V- I am unable to disable my AVG 2011 (I'm not even sure it's enabled as it is out of action in NORMAL MODE; The web browser does display the AVG search box and page security status so it must be operating at some level). When I click the "user interface", a Command Line Composer window tells me all I can do in Safe Mode is use AVG command line scanner.

The DDS and GMER scans I posted previously were performed in Safe Mode without disabling AVG, as I thought the application was not enabled, corrupted or non-existent.
There was a script issue; I included the error message at the beginning of my previous DDS log post.
I did use Defogger to disable CD emulation.

A note about my A/V: I am running the AVG 2011 trial, as I had problems with PC Tools and wished to upgrade my security. I don't think PC Tools uninstalled completely, as there are some elements left (menu items) and my computer crashed every time I tried to remove these. I was able to download and use AVG 2011. This was before my infection with "XP Security 2011".

Should I perform scans anyway?
I eagerly await your instructions,
Many thanks for your time.
Z

#5 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 20 March 2011 - 08:51 AM

Hello and welcome to Bleeping Computer. :)

Let's try to save the infected computer, please boot again in safe mode and do the following.


1. We will begin by removing AVG so it will not interfere with our tools. Please download and run the AVG remover here -> http://www.avg.com/kr-en/download-tools


2. Download and run ComboFix in safe mode, kindly monitor it while running and when combofix reboots your PC during its run... Make sure to reboot it again in safe mode to complete the process.

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouse-click ComboFix's window while it's running, because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#6 Zedded

Zedded
  • Topic Starter

  • Members
  • 60 posts

Posted 20 March 2011 - 04:16 PM

Hi Sempai, just acknowledging receipt of your message.
I'm online now and following your instructions.
Thanks! Z

Edited 21:52
Hi Sempai.
Following your instructions, I have
1- Uninstalled AVG using AVG remover
2- Run Combofix.
Message displayed when Combofix was "attempting to create a new System Restore point":
NirCmd.cfxxe- Unable to Locate Component
This application has failed to start because ConnAPI.DLL was not found. Re-installing the application may fix the problem. OK?
I clicked ok.
Something appeared to load/install (not sure what, it was very fast for my slow computer eyes), then the ComboFix scan started.
Scan and reboot successful. Log attached.

Questions:
- Is my suspected incomplete PCtools uninstall an issue at the moment?
- I have followed your instructions without connecting external HDs. These were not connected when my computer was infected, unless the infection occurred prior to the actual manifestation of the "XP Security 2011" hijack. I haven't connected them since. Should I have included them in the ComboFix scan?

Thanks for your time.
Z
EDITED 22:11 to post contents of ComboFix log (also attached)

ComboFix 11-03-19.04 - Administrator 20/03/2011 21:35:35.1.1 - x86 NETWORK
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
ADS - system32: deleted 142 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Oem Student\Local Settings\Temporary Internet Files\mcc10.tmp
c:\documents and settings\Oem Student\Local Settings\Temporary Internet Files\mcc12.tmp
c:\documents and settings\Oem Student\Local Settings\Temporary Internet Files\mcc13.tmp
c:\documents and settings\Oem Student\Local Settings\Temporary Internet Files\mcc16.tmp
c:\documents and settings\Oem Student\Local Settings\Temporary Internet Files\mcc1C.tmp
c:\documents and settings\Oem Student\Local Settings\Temporary Internet Files\mcc25.tmp
c:\documents and settings\Oem Student\Local Settings\Temporary Internet Files\mcc2C.tmp
c:\documents and settings\Oem Student\Local Settings\Temporary Internet Files\mcc3D.tmp
c:\documents and settings\Oem Student\Local Settings\Temporary Internet Files\mcc3E.tmp
c:\documents and settings\Oem Student\Local Settings\Temporary Internet Files\mcc48.tmp
c:\documents and settings\Oem Student\Local Settings\Temporary Internet Files\mcc9D.tmp
c:\documents and settings\Oem Student\Local Settings\Temporary Internet Files\mccB.tmp
c:\documents and settings\Oem Student\System
c:\documents and settings\Oem Student\System\win_qs7.jqx
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\system32\_004957_.tmp.dll
c:\windows\system32\_004958_.tmp.dll
c:\windows\system32\_004959_.tmp.dll
c:\windows\system32\_004960_.tmp.dll
c:\windows\system32\_004963_.tmp.dll
c:\windows\system32\_004967_.tmp.dll
c:\windows\system32\_004968_.tmp.dll
c:\windows\system32\_004969_.tmp.dll
c:\windows\system32\_004970_.tmp.dll
c:\windows\system32\_004972_.tmp.dll
c:\windows\system32\_004973_.tmp.dll
c:\windows\system32\_004976_.tmp.dll
c:\windows\system32\_004977_.tmp.dll
c:\windows\system32\_004979_.tmp.dll
c:\windows\system32\_004980_.tmp.dll
c:\windows\system32\_004981_.tmp.dll
c:\windows\system32\_004983_.tmp.dll
c:\windows\system32\_004984_.tmp.dll
c:\windows\system32\_004986_.tmp.dll
c:\windows\system32\_004987_.tmp.dll
c:\windows\system32\_004991_.tmp.dll
c:\windows\system32\_004992_.tmp.dll
c:\windows\system32\_004994_.tmp.dll
c:\windows\system32\_004997_.tmp.dll
c:\windows\system32\_004999_.tmp.dll
c:\windows\system32\_005000_.tmp.dll
c:\windows\system32\_005002_.tmp.dll
c:\windows\system32\_005003_.tmp.dll
c:\windows\system32\_005006_.tmp.dll
c:\windows\system32\_005007_.tmp.dll
c:\windows\system32\_005008_.tmp.dll
c:\windows\system32\_005009_.tmp.dll
c:\windows\system32\_005010_.tmp.dll
c:\windows\system32\_005015_.tmp.dll
c:\windows\system32\_005017_.tmp.dll
c:\windows\system32\_005018_.tmp.dll
c:\windows\system32\advapi32(2).dll
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-02-20 to 2011-03-20 )))))))))))))))))))))))))))))))
.
.
2011-03-15 20:17 . 2011-03-15 21:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2011-03-14 12:08 . 2011-03-14 12:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2011-03-14 03:00 . 2011-03-14 03:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2011-03-13 21:26 . 2011-03-13 21:26 -------- d-----w- c:\windows\LastGood.Tmp
2011-03-13 08:14 . 2011-03-13 08:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Secunia PSI
2011-03-13 08:13 . 2011-03-13 08:13 -------- d-----w- c:\program files\Secunia
2011-03-13 00:11 . 2011-03-13 00:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2011-03-11 18:56 . 2011-03-11 18:56 -------- d-----w- c:\program files\CCleaner
2011-03-11 17:26 . 2011-03-11 17:26 54016 ----a-w- c:\windows\system32\drivers\lpcw.sys
2011-03-11 15:54 . 2011-03-11 15:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-11 15:54 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-11 15:54 . 2011-03-11 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-11 15:54 . 2011-03-11 15:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-11 15:54 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-08 19:55 . 2011-03-08 19:55 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-03-08 19:44 . 2011-03-08 19:44 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2011-03-07 21:42 . 2011-03-07 21:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG10
2011-02-28 18:50 . 2011-02-28 18:50 -------- d-----w- c:\program files\Common Files\Skype
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2002-11-26 14:15 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-09 13:53 . 2002-11-26 14:15 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2004-04-22 09:44 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-04-22 09:44 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-04-22 09:43 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-13 09:41 . 2011-01-30 02:26 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{CF88ABAC-B7D2-4179-BD11-EC13ED14FEE7}\mpengine.dll
2011-01-07 14:09 . 2004-04-21 22:46 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-09-10 21:05 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-04-22 09:44 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-02-06 17:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-04-22 09:44 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:59 . 2004-04-22 09:44 43520 ----a-w- c:\windows\system32\licmgr10.dll
2008-12-17 22:10 . 2008-12-17 22:10 527 ----a-w- c:\program files\Reset.cmd
2006-10-20 10:58 . 2006-12-13 12:52 377856 ------w- c:\program files\RegSeeker.exe
2006-10-20 09:58 . 2006-12-13 12:52 7137 ------w- c:\program files\FlashPlayer9.reg
2005-11-05 11:15 . 2006-12-13 12:52 298 ------w- c:\program files\FixAddRemove.reg
2010-07-14 14:20 . 2010-07-14 14:20 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-07-14 14:20 . 2010-07-14 14:20 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-07-14 14:20 . 2010-07-14 14:21 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2010-07-14 14:20 . 2010-07-14 14:20 99224 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
.
------- Sigcheck -------
.
[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\atapi.sys
[7] 2008-02-11 . 7316AFA8EFA110621D6D90722AF3EFE6 . 96512 . . [5.1.2600.3311] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-02-11 . 7316AFA8EFA110621D6D90722AF3EFE6 . 96512 . . [5.1.2600.3311] . . c:\windows\SYSTEM32\drivers\atapi.sys
[7] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\SYSTEM32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys
[7] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\SYSTEM32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-08-22 20480]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2003-09-08 65536]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2003-05-12 32768]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-02-12 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-02-14 16:41 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OESpamTest
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-11-12 20:03 133104 ----atw- c:\documents and settings\Oem Student\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
2005-10-23 00:00 385024 ------w- c:\program files\Syncrosoft\POS\H2O\cledx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-30 09:47 289064 ------w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\SYSTEM32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]
2009-02-19 06:37 1374096 ----a-w- c:\program files\PC Tools AntiVirus\PCTAV.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 09:50 413696 ------w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 15:45 313472 ------w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Fax"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"snpstd"=c:\windows\vsnpstd.exe
"PCSuiteTrayApplication"=c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"LMgrOSD"=c:\program files\Launch Manager\OSD.exe
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"LaunchAp"=c:\program files\Launch Manager\LaunchAp.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HotkeyApp"=c:\program files\Launch Manager\HotkeyApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\SYSTEM32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\SpywareBlaster\\spywareblaster.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Azureus\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Soluto\\Soluto.exe"=
"c:\\Program Files\\Soluto\\SolutoService.exe"=
"c:\\Program Files\\Soluto\\SolutoConsole.exe"=
"c:\\Program Files\\Soluto\\SolutoUpdateService.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 PCGenFAM;PCGenFAM;c:\windows\system32\DRIVERS\PCGenFAM.sys [2010-11-01 181704]
R1 mailKmd;mailKmd; [x]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-01-10 993848]
R3 atimtai;atimtai;c:\windows\system32\DRIVERS\atimtai.sys [2001-08-17 281600]
R3 DIBLOAD2;Digital TV firmware loader(Type 2);c:\windows\system32\DRIVERS\dgtvload2.sys [2004-06-21 17118]
R3 ids0004C;ids0004C;c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids0004C.sys [x]
R3 ids00089;ids00089;c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00089.sys [x]
R3 INIDVD;Initio USB DVD Filter Driver;c:\windows\system32\DRIVERS\inidvd.sys [2007-11-07 7936]
R3 MODUSB;Digital TV DVB-T USB adapter driver;c:\windows\system32\Drivers\dgtvcap.sys [2004-05-04 16312]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
R3 SamsonLLDriver;Samson LL Driver;c:\windows\system32\Drivers\SamsonLLDriver.sys [2006-12-12 56832]
R3 SWWDM_multi;Samson Audio (WDM);c:\windows\system32\drivers\SWAudWDM.sys [2006-12-12 25088]
R3 UKS11LDR;Midiman USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2002-06-06 15740]
R3 ULMODLOAD2;Digital TV firmware loader(Type 2) service;c:\windows\system32\DRIVERS\dgtvload2.sys [2004-06-21 17118]
R3 ULMODUSB;Digital TV DVB-T USB adapter service;c:\windows\system32\Drivers\dgtvcap.sys [2004-05-04 16312]
R3 USBKS1X1;Midiman USB Keystation Midi Driver;c:\windows\system32\drivers\usbks1x1.sys [2002-06-06 32476]
R3 vaxscsi;vaxscsi;c:\windows\System32\Drivers\vaxscsi.sys [2007-01-20 223128]
R4 Pcarangemaax;Pcarangemaax; [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-03-31 717296]
S2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [2010-11-01 331296]
S3 CLEDX;Team H2O CLEDX service;c:\windows\system32\DRIVERS\cledx.sys [2005-05-09 33792]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-01-16 c:\windows\Tasks\Uninstall PC Tools AntiVirus.job
- c:\progra~1\PCTOOL~1\unins000.exe [2009-07-21 18:17]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d9hwg7x8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d6d4427&v=6.011.025.001&i=26&tp=ab&iy=&ychte=uk&lng=en-GB&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WinDefend
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-OnfolioStorage - c:\program files\Onfolio\onfserv.exe
MSConfigStartUp-Windows Registry Repair Pro - c:\program files\Registry Repair Pro\RegistryRepairPro.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-20 21:44
Windows 5.1.2600 Service Pack 3, v.6055 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LaunchAp = c:\program files\Launch Manager\LaunchAp.exe??????????B~<???????a??|??B~???????????????|x??? ??|0???????L????????S??????????0??????|????????????????????t??sx??s@??????????????|h??st???????t=?s???????????????????s?!?sx??s??????B~??@?8&?sD:???7@?P:?????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Ahead\Cover Designer]
@DACL=(02 0000)
.
[HKEY_USERS\S-1-5-21-342506518-1667634439-1731015327-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3c,5e,fe,6b,b0,20,a6,47,89,46,7f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3c,5e,fe,6b,b0,20,a6,47,89,46,7f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(800)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(944)
c:\windows\system32\WININET.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2011-03-20 21:46:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-20 21:46
.
Pre-Run: 11,931,070,464 bytes free
Post-Run: 12,075,327,488 bytes free
.
Current=2 Default=2 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - A387DCAB9DC0626AC7658FAA7F1BF951


Edited by Zedded, 20 March 2011 - 05:11 PM.


#7 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:55 PM

Posted 21 March 2011 - 09:03 AM

Is my suspected incomplete PCtools uninstall an issue at the moment?

Malware is present so I can't really tell.

I have followed your instructions without connecting external HDs. These were not connected when my computer was infected, unless the infection occurred prior to the actual manifestation of the "XP security 2011" hijack. I haven't connected them since. Should I have included them in the ComboFix scan?


We will deal with the external HD later on.


=====================================


Please run the CF script below in Normal mode.

We need to execute a ComboFix script.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy-paste the text in the code box below into it:

KillAll::

FCopy::     
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\atapi.sys

File::
c:\windows\Tasks\Uninstall PC Tools AntiVirus.job

Folder::
c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
c:\documents and settings\Administrator\Application Data\AVG10
c:\program files\PC Tools AntiVirus
c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]

RegLock::
[HKEY_USERS\.Default\Software\Ahead\Cover Designer]
[HKEY_USERS\S-1-5-21-342506518-1667634439-1731015327-500\Software\Microsoft\Internet Explorer\User Preferences]

Driver::
ids0004C
ids00089
Pcarangemaax

4. Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
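The Sigcheck block in the log above is what the CFScript's FCopy:: and Registry:: directives act on: one atapi.sys copy is marked [-] while the others carry [7], and Security Center has "AntiVirusOverride"=dword:00000001. The script below is an added example (not part of ComboFix or the helper's script) that parses those lines, reports copies deviating from the c:\windows\ServicePackFiles\i386 reference, and builds the matching FCopy:: line; the line layout it assumes is taken from the log as posted, and the sample lines are copied from it.

```python
"""Triage the Sigcheck block of a ComboFix log (added example, not ComboFix code).

Groups every copy of the same driver name, treats the copy under
c:\windows\ServicePackFiles\i386 as the reference (as the FCopy:: directive
in the thread does), and reports copies ComboFix did not mark [7] or that
claim the reference's version with a different MD5. Also checks for the
Security Center AntiVirusOverride=1 value, which silences the "no antivirus"
warning. The line format below is assumed from the log posted in this thread.
"""
import re
from collections import defaultdict

# Assumed Sigcheck line layout: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
AV_OVERRIDE_RE = re.compile(r'^"AntiVirusOverride"=dword:0*1$', re.IGNORECASE)
REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"

# Sample input copied from the ComboFix log posted above (Sigcheck and Reg Loading Points).
SAMPLE_LOG = r"""
------- Sigcheck -------
.
[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\atapi.sys
[7] 2008-02-11 . 7316AFA8EFA110621D6D90722AF3EFE6 . 96512 . . [5.1.2600.3311] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-02-11 . 7316AFA8EFA110621D6D90722AF3EFE6 . 96512 . . [5.1.2600.3311] . . c:\windows\SYSTEM32\drivers\atapi.sys
[7] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\SYSTEM32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""


def parse_sigcheck(log_text):
    """Return one dict per Sigcheck line; every other log line is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["md5"] = e["md5"].upper()
        e["size"] = int(e["size"])
        # Lower-cased directory and file name, so paths compare case-insensitively.
        e["dir"], _, e["name"] = e["path"].lower().rpartition("\\")
        entries.append(e)
    return entries


def triage_sigcheck(entries):
    """Flag copies that deviate from the ServicePackFiles reference of the same name."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)

    findings = []
    for _name, copies in sorted(by_name.items()):
        refs = [c for c in copies if c["dir"] == REFERENCE_DIR]
        ref = refs[0] if refs else None
        for c in copies:
            reasons = []
            if c["flag"] != "7":
                # In the posted log every agreeing copy is marked [7]; anything else gets reviewed.
                reasons.append("sigcheck mark [%s]" % c["flag"])
            if (ref is not None and c is not ref
                    and c["version"] == ref["version"] and c["md5"] != ref["md5"]):
                reasons.append("same version as reference, different MD5")
            if reasons:
                findings.append({
                    "path": c["path"], "md5": c["md5"], "version": c["version"],
                    "reasons": reasons, "reference": ref["path"] if ref else None,
                })
    return findings


def fcopy_lines(findings):
    """Build 'reference | target' lines in the form the FCopy:: directive takes."""
    return ["%s | %s" % (f["reference"], f["path"]) for f in findings if f["reference"]]


def av_override_set(log_text):
    """True when Security Center's AntiVirusOverride is 1 in the Reg Loading Points dump."""
    return any(AV_OVERRIDE_RE.match(line.strip()) for line in log_text.splitlines())


if __name__ == "__main__":
    found = triage_sigcheck(parse_sigcheck(SAMPLE_LOG))
    for f in found:
        print("%s  %s  %s  <- %s" % (f["path"], f["version"], f["md5"], "; ".join(f["reasons"])))
    print("FCopy::")
    print("\n".join(fcopy_lines(found)))
    print("AntiVirusOverride set:", av_override_set(SAMPLE_LOG))
```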


#8 Zedded

Zedded
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 21 March 2011 - 11:40 AM

Oh Sensei Sempai,
Hello.

I am experiencing the same "application not found" issue with Combofix in Normal Mode as with any other application.
This is what I did:
-Saved your CFScript.txt in the same location as ComboFix, i.e. the administrator desktop in safe mode.
-Booted Windows normally, all antimalware disabled.
-Safe mode desktop items were not displayed on the normal mode desktop (even though it's an administrator log-in), so I opened C:\Documents and Settings\Administrator\Desktop
-Dragged CFScript.txt onto Combofix icon.
This opened "Open file-security warning" window, in which I selected RUN.
The following error message appeared:
"C:\Documents and Settings\Administrator\Desktop\Combofix.exe
Application not found"

I do have the combofix link on CD.
Perhaps I can try downloading it to the Normal mode desktop and try again?
Z

Edited by Zedded, 21 March 2011 - 02:26 PM.


#9 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:55 PM

Posted 21 March 2011 - 05:20 PM

Please run the CF script in safe mode, monitor it again while running, and when the computer reboots... make sure to boot it again in safe mode to complete the process.

~Semp



#10 Zedded

Zedded
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 21 March 2011 - 05:53 PM

Here's the log for your CFScript:

ComboFix 11-03-21.01 - Administrator 21/03/2011 22:38:21.2.1 - x86 NETWORK
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
FILE ::
"c:\windows\Tasks\Uninstall PC Tools AntiVirus.job"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\AVG10
c:\documents and settings\Administrator\Application Data\AVG10\cfgall\usergui.cfg
c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar\cache\2eaaaaa8.xml
c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar\cache\f2e6c37e.xml
c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar\cache\overlay.xml
c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar\cache\wea_21.png
c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar\cache\wea_28.png
c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar\cache\wea_29.png
c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar\cache\wea_30.png
c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar\cache\wea_33.png
c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar\cache\wea_34.png
c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal
c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Bases\Patches\patch_pers_5.0.383_384_to_5.0.385.exe
c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Bases\Patches\patch_pers_5.0.388_390_to_5.0.391.exe
c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Bases\Patches\patch_pers_5.0.388_to_5.0.390.exe
c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Bases\Patches\soft.ver
c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\Bases\Patches\soft.xml
c:\program files\PC Tools AntiVirus
c:\program files\PC Tools AntiVirus\~ulo
c:\program files\PC Tools AntiVirus\Alert.cfg
c:\program files\PC Tools AntiVirus\Alert.exe
c:\program files\PC Tools AntiVirus\bpo-avhelp.chm
c:\program files\PC Tools AntiVirus\bra-avhelp.chm
c:\program files\PC Tools AntiVirus\bugreport.txt
c:\program files\PC Tools AntiVirus\common.ini
c:\program files\PC Tools AntiVirus\csi-avhelp.chm
c:\program files\PC Tools AntiVirus\ctr-avhelp.chm
c:\program files\PC Tools AntiVirus\deu-avhelp.chm
c:\program files\PC Tools AntiVirus\eng-avhelp.chm
c:\program files\PC Tools AntiVirus\esp-avhelp.chm
c:\program files\PC Tools AntiVirus\fre-avhelp.chm
c:\program files\PC Tools AntiVirus\helper.dll
c:\program files\PC Tools AntiVirus\homepage.url
c:\program files\PC Tools AntiVirus\ita-avhelp.chm
c:\program files\PC Tools AntiVirus\KDSInterface.txt
c:\program files\PC Tools AntiVirus\Language\ChineseSimp.ini
c:\program files\PC Tools AntiVirus\Language\ChineseTrad.ini
c:\program files\PC Tools AntiVirus\Language\Deutsch.ini
c:\program files\PC Tools AntiVirus\Language\English.ini
c:\program files\PC Tools AntiVirus\Language\Espanol.ini
c:\program files\PC Tools AntiVirus\Language\French.ini
c:\program files\PC Tools AntiVirus\Language\Italian.ini
c:\program files\PC Tools AntiVirus\Language\Language.dll
c:\program files\PC Tools AntiVirus\Language\Language.xsl
c:\program files\PC Tools AntiVirus\Language\Polski.ini
c:\program files\PC Tools AntiVirus\Language\Portuguesebrazilian.ini
c:\program files\PC Tools AntiVirus\Language\Russian.ini
c:\program files\PC Tools AntiVirus\LuLng\ChineseSimp.lng
c:\program files\PC Tools AntiVirus\LuLng\ChineseTrad.lng
c:\program files\PC Tools AntiVirus\LuLng\Deutsch.lng
c:\program files\PC Tools AntiVirus\LuLng\English.lng
c:\program files\PC Tools AntiVirus\LuLng\French.lng
c:\program files\PC Tools AntiVirus\LuLng\Italian.lng
c:\program files\PC Tools AntiVirus\LuLng\Polski.lng
c:\program files\PC Tools AntiVirus\LuLng\Portuguesebrazilian.lng
c:\program files\PC Tools AntiVirus\LuLng\Russian.lng
c:\program files\PC Tools AntiVirus\LuLng\Spanish.lng
c:\program files\PC Tools AntiVirus\msvcp71.dll
c:\program files\PC Tools AntiVirus\msvcr71.dll
c:\program files\PC Tools AntiVirus\PCTAV.exe
c:\program files\PC Tools AntiVirus\PCTAV.ini
c:\program files\PC Tools AntiVirus\PCTAVEng.dll
c:\program files\PC Tools AntiVirus\PCTAVHook.dll
c:\program files\PC Tools AntiVirus\PCTAVService.txt
c:\program files\PC Tools AntiVirus\PCTAVService.txt.old
c:\program files\PC Tools AntiVirus\PCTAVShellExtension.dll
c:\program files\PC Tools AntiVirus\PCTAVSvc.exe
c:\program files\PC Tools AntiVirus\PCTCFilter.dll
c:\program files\PC Tools AntiVirus\PCTLicHelper.dll
c:\program files\PC Tools AntiVirus\pctlsp.log
c:\program files\PC Tools AntiVirus\PCTMime.dll
c:\program files\PC Tools AntiVirus\PCToolsAntiVirusExtension.dll
c:\program files\PC Tools AntiVirus\PCTThreatInfo.dll
c:\program files\PC Tools AntiVirus\PCTWSC.dll
c:\program files\PC Tools AntiVirus\pol-avhelp.chm
c:\program files\PC Tools AntiVirus\rus-avhelp.chm
c:\program files\PC Tools AntiVirus\SDAVgate.dll
c:\program files\PC Tools AntiVirus\tedbe.dat
c:\program files\PC Tools AntiVirus\Trial\alert.gif
c:\program files\PC Tools AntiVirus\Trial\header.JPG
c:\program files\PC Tools AntiVirus\UgLng\ChineseSimp.lng
c:\program files\PC Tools AntiVirus\UgLng\ChineseTrad.lng
c:\program files\PC Tools AntiVirus\UgLng\Czech.lng
c:\program files\PC Tools AntiVirus\UgLng\Danish.lng
c:\program files\PC Tools AntiVirus\UgLng\Deutsch.lng
c:\program files\PC Tools AntiVirus\UgLng\Dutch.lng
c:\program files\PC Tools AntiVirus\UgLng\English.lng
c:\program files\PC Tools AntiVirus\UgLng\EnglishBritish.lng
c:\program files\PC Tools AntiVirus\UgLng\Finnish.lng
c:\program files\PC Tools AntiVirus\UgLng\French.lng
c:\program files\PC Tools AntiVirus\UgLng\Greek.lng
c:\program files\PC Tools AntiVirus\UgLng\Italian.lng
c:\program files\PC Tools AntiVirus\UgLng\Korean.lng
c:\program files\PC Tools AntiVirus\UgLng\Norwegian.lng
c:\program files\PC Tools AntiVirus\UgLng\Polski.lng
c:\program files\PC Tools AntiVirus\UgLng\Portuguese.lng
c:\program files\PC Tools AntiVirus\UgLng\PortugueseBrazilian.lng
c:\program files\PC Tools AntiVirus\UgLng\Russian.lng
c:\program files\PC Tools AntiVirus\UgLng\Spanish.lng
c:\program files\PC Tools AntiVirus\UgLng\Swedish.lng
c:\program files\PC Tools AntiVirus\UgLng\Thai.lng
c:\program files\PC Tools AntiVirus\UgLng\Turkish.lng
c:\program files\PC Tools AntiVirus\unins000.dat
c:\program files\PC Tools AntiVirus\unins000.exe
c:\program files\PC Tools AntiVirus\unins000.msg
c:\program files\PC Tools AntiVirus\Update.exe
c:\program files\PC Tools AntiVirus\UpdateHlpr.dll
c:\program files\PC Tools AntiVirus\Updates\6.13010-6.13020.exe
c:\program files\PC Tools AntiVirus\Updates\av10-000.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-001.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-002.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-003.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-004.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-005.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-006.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-007.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-008.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-009.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-010.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-011.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-012.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-013.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-014.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-015.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-016.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-017.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-018.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-019.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-020.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-100.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-101.vdb
c:\program files\PC Tools AntiVirus\Updates\av10-daily.vdb
c:\program files\PC Tools AntiVirus\Updates\BLST.bin
c:\program files\PC Tools AntiVirus\Updates\Bsdb.bin
c:\program files\PC Tools AntiVirus\Updates\info.dbsdk
c:\program files\PC Tools AntiVirus\Updates\SFS2.bin
c:\program files\PC Tools AntiVirus\Updates\TIDDB.tin
c:\program files\PC Tools AntiVirus\Updates\vdb.xml
c:\program files\PC Tools AntiVirus\upgrade.cfg
c:\program files\PC Tools AntiVirus\Upgrade.exe
c:\program files\PC Tools AntiVirus\Xerces.dll
c:\program files\PC Tools AntiVirus\xerdom.dll
c:\windows\Tasks\Uninstall PC Tools AntiVirus.job
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\atapi.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_IDS0004C
-------\Legacy_IDS00089
-------\Service_ids0004C
-------\Service_ids00089
-------\Service_Pcarangemaax
.
.
((((((((((((((((((((((((( Files Created from 2011-02-21 to 2011-03-21 )))))))))))))))))))))))))))))))
.
.
2011-03-15 20:17 . 2011-03-15 21:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2011-03-14 12:08 . 2011-03-14 12:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2011-03-14 03:00 . 2011-03-14 03:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2011-03-13 08:14 . 2011-03-13 08:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Secunia PSI
2011-03-13 08:13 . 2011-03-13 08:13 -------- d-----w- c:\program files\Secunia
2011-03-13 00:11 . 2011-03-13 00:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2011-03-11 18:56 . 2011-03-11 18:56 -------- d-----w- c:\program files\CCleaner
2011-03-11 17:26 . 2011-03-11 17:26 54016 ----a-w- c:\windows\system32\drivers\lpcw.sys
2011-03-11 15:54 . 2011-03-11 15:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-11 15:54 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-11 15:54 . 2011-03-11 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-11 15:54 . 2011-03-11 15:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-11 15:54 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-08 19:55 . 2011-03-08 19:55 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-02-28 18:50 . 2011-02-28 18:50 -------- d-----w- c:\program files\Common Files\Skype
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2002-11-26 14:15 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-09 13:53 . 2002-11-26 14:15 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2004-04-22 09:44 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-04-22 09:44 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-04-22 09:43 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-13 09:41 . 2011-01-30 02:26 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{CF88ABAC-B7D2-4179-BD11-EC13ED14FEE7}\mpengine.dll
2011-01-07 14:09 . 2004-04-21 22:46 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-09-10 21:05 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-04-22 09:44 301568 ----a-w- c:\windows\system32\kerberos.dll
2008-12-17 22:10 . 2008-12-17 22:10 527 ----a-w- c:\program files\Reset.cmd
2006-10-20 10:58 . 2006-12-13 12:52 377856 ------w- c:\program files\RegSeeker.exe
2006-10-20 09:58 . 2006-12-13 12:52 7137 ------w- c:\program files\FlashPlayer9.reg
2005-11-05 11:15 . 2006-12-13 12:52 298 ------w- c:\program files\FixAddRemove.reg
2010-07-14 14:20 . 2010-07-14 14:20 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-07-14 14:20 . 2010-07-14 14:20 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-07-14 14:20 . 2010-07-14 14:21 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2010-07-14 14:20 . 2010-07-14 14:20 99224 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-08-22 20480]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2003-09-08 65536]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2003-05-12 32768]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-02-12 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-02-14 16:41 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-11-12 20:03 133104 ----atw- c:\documents and settings\Oem Student\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
2005-10-23 00:00 385024 ------w- c:\program files\Syncrosoft\POS\H2O\cledx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-30 09:47 289064 ------w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\SYSTEM32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 09:50 413696 ------w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 15:45 313472 ------w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Fax"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"snpstd"=c:\windows\vsnpstd.exe
"PCSuiteTrayApplication"=c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"LMgrOSD"=c:\program files\Launch Manager\OSD.exe
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"LaunchAp"=c:\program files\Launch Manager\LaunchAp.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HotkeyApp"=c:\program files\Launch Manager\HotkeyApp.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\SYSTEM32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\SpywareBlaster\\spywareblaster.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Azureus\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Soluto\\Soluto.exe"=
"c:\\Program Files\\Soluto\\SolutoService.exe"=
"c:\\Program Files\\Soluto\\SolutoConsole.exe"=
"c:\\Program Files\\Soluto\\SolutoUpdateService.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 PCGenFAM;PCGenFAM;c:\windows\system32\DRIVERS\PCGenFAM.sys [2010-11-01 181704]
R1 mailKmd;mailKmd; [x]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-01-10 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2011-01-10 399416]
R3 atimtai;atimtai;c:\windows\system32\DRIVERS\atimtai.sys [2001-08-17 281600]
R3 DIBLOAD2;Digital TV firmware loader(Type 2);c:\windows\system32\DRIVERS\dgtvload2.sys [2004-06-21 17118]
R3 INIDVD;Initio USB DVD Filter Driver;c:\windows\system32\DRIVERS\inidvd.sys [2007-11-07 7936]
R3 MODUSB;Digital TV DVB-T USB adapter driver;c:\windows\system32\Drivers\dgtvcap.sys [2004-05-04 16312]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
R3 SamsonLLDriver;Samson LL Driver;c:\windows\system32\Drivers\SamsonLLDriver.sys [2006-12-12 56832]
R3 SWWDM_multi;Samson Audio (WDM);c:\windows\system32\drivers\SWAudWDM.sys [2006-12-12 25088]
R3 UKS11LDR;Midiman USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2002-06-06 15740]
R3 ULMODLOAD2;Digital TV firmware loader(Type 2) service;c:\windows\system32\DRIVERS\dgtvload2.sys [2004-06-21 17118]
R3 ULMODUSB;Digital TV DVB-T USB adapter service;c:\windows\system32\Drivers\dgtvcap.sys [2004-05-04 16312]
R3 USBKS1X1;Midiman USB Keystation Midi Driver;c:\windows\system32\drivers\usbks1x1.sys [2002-06-06 32476]
R3 vaxscsi;vaxscsi;c:\windows\System32\Drivers\vaxscsi.sys [2007-01-20 223128]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-03-31 717296]
S2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [2010-11-01 331296]
S3 CLEDX;Team H2O CLEDX service;c:\windows\system32\DRIVERS\cledx.sys [2005-05-09 33792]
.
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d9hwg7x8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d6d4427&v=6.011.025.001&i=26&tp=ab&iy=&ychte=uk&lng=en-GB&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-21 22:45
Windows 5.1.2600 Service Pack 3, v.6055 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LaunchAp = c:\program files\Launch Manager\LaunchAp.exe??????????B~<???????a??|??B~???????????????|x??? ??|0???????L????????S??????????0??????|????????????????????t??sx??s@??????????????|h??st???????t=?s???????????????????s?!?sx??s??????B~??@?8&?sD:???7@?P:?????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil9o.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil9o.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(800)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(2000)
c:\windows\system32\WININET.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2011-03-21 22:49:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-21 22:49
ComboFix2.txt 2011-03-20 21:46
.
Pre-Run: 12,066,607,104 bytes free
Post-Run: 12,002,897,920 bytes free
.
Current=2 Default=2 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - 2B04DB562881D5A0FBA009DC7DA08DE5

#11 sempai


    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:55 PM

Posted 22 March 2011 - 09:23 AM

Hi,

Please do the following in normal mode. Instructions are posted in order so make sure to do instruction #1 first.


1. Please copy the contents of the code box below, open notepad and paste it there.
  • On the top toolbar in notepad select file, then save as. In the box that opens type in fix.bat for the file name.
  • Right below that click the down arrow in the line for "save as" and select all files.
  • Save this to your desktop and close notepad.
  • Locate the fix.bat icon on your desktop and double click it.
  • A notepad will pop up. Copy the contents of the notepad and post it on your next reply.
REM Re-point the .exe extension at the exefile class and append the result to fix.txt
assoc .exe=exefile >> "%userprofile%\desktop\fix.txt"
REM Show the result, then delete this batch file
notepad "%userprofile%\desktop\fix.txt"
del %0


Note: Make sure to reboot your computer before doing steps #2 and #3. Do them in normal mode also.


2. Download SREng
  • Extract it to Desktop and double click SREngLdr.EXE to run it
  • Select System Repair from the left pane.
  • Click on File Association
  • Select all entries that have an Error status and click [Repair]
  • Refer to this image for an example:

    Posted Image
  • Close SREng and tell me in your next reply if there is any Error found.


3. Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If an infection is detected, the default setting for "action" is Cure (please click on it and change it to skip).
  • Click on Report to generate a log.
  • Please post that log when you reply.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#12 Zedded

  • Topic Starter

  • Members
  • 60 posts
  • Local time:09:55 AM

Posted 22 March 2011 - 12:05 PM

Hi Semp!

Online now. Just about to follow your instructions.
As I cannot get online in normal mode, I don't think I can download SREng.
The same applies for copying the notepad code in normal mode; I will have to copy it to notepad in safe mode, and then access it through C:\Documents and Settings\Administrator\Desktop. I hope this is appropriate.

When I try to open an application, say Firefox, in normal mode I'm either told the application is not found, or I'm asked what software I wish to use to open the application.
I will try to open Firefox using Firefox. This may allow me to get online.

Back shortly.
Cheers, Z

#13 Zedded

  • Topic Starter

  • Members
  • 60 posts
  • Local time:09:55 AM

Posted 22 March 2011 - 01:13 PM

I'm in Normal mode!
Used Firefox to open Firefox and it worked.
There were some error messages, including application not found; I have appended them to this reply.

Back to your instructions.

1-Copied the fix.bat code to notepad and closed notepad.
Then Windows update, which seems totally unaware that nothing else is working, wanted to force a restart and I pressed Now instead of Later! gulp. I hope that didn't throw a spanner in the works.
So: Upon reboot, located the FIX icon, this is its notepad message to you:

.exe=exefile

2- STUCK HERE.

Rebooted, downloaded file and extracted to Desktop.
Then clicked SREngLdr.EXE and this window came up:
"Choose the program you want to use to open this file"

3-Haven't got to ~3 yet.



FIREFOX:
To open Firefox in Normal mode, this is what I did.
Click on Firefox icon.
Window: which program to use?
Use Firefox to open Firefox.

Then this error message:
c:\Program Files\Java\jre6\lib\deploy\jqs\ff\..\..\..\..\bin\jqsnotify.exe
Application not found.
Clicked OK.

Then this error message:
Warning- Unresponsive script
Script: chrome:\\jqs\content\overlay.js:21
Continue or Stop script
Clicked Stop script.

Firefox then opened.
You chose to open Firefox which is a etc...
Would you like to save the file?
Save or Cancel.
Clicked Cancel.

I have to run through all of this every time I boot.

Z

#14 sempai


    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:55 PM

Posted 23 March 2011 - 08:03 AM

Hi,

To make things easier for you, I attached a text file named export.txt.
  • Download and save it on your desktop
  • Rename the text file to export.bat
  • Double click the export.bat file to run it
  • Once completed, two reports will be created in the C:\ directory with the file names look.txt & look1.txt
  • Please post the contents of those reports when you reply

~Semp



#15 Zedded

  • Topic Starter

  • Members
  • 60 posts
  • Local time:09:55 AM

Posted 23 March 2011 - 08:27 AM

Hi,

This was performed in Normal mode.
Look.txt content:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\.exe\shell]

[HKEY_CLASSES_ROOT\.exe\shell\open]

[HKEY_CLASSES_ROOT\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\Oem Student\\Local Settings\\Application Data\\pwy.exe\" -a \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe\shell\runas]

[HKEY_CLASSES_ROOT\.exe\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"


Look1.txt
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"Content Type"="application/x-msdownload"
"EditFlags"=hex:38,07,00,00
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"
"TileInfo"="prop:FileDescription;Company;FileVersion"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\Oem Student\\Local Settings\\Application Data\\pwy.exe\" -a \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\CmdLineExt]
@="{F0407C3D-349C-42B9-B83E-821E31623DF9}"

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}]
@=""



