
No Audio, No Taskbar, No Windows Start Button, Can't Download Files


This topic is locked
22 replies to this topic

#1 syao-chan
  • Members
  • 11 posts

Posted 11 April 2011 - 12:24 AM

Hello,

As the Subject says, my issues are:


  • No Audio
  • No Taskbar
  • No Windows Start Button
  • Can't Download Files
  • Malwarebytes won't run (Error 372, though I was able to use it just last week during my routine PC maintenance tasks)


Many thanks in advance!

~ Syao

--------------------------
DDS Logs
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 13:20:01.68 on Mon 04/11/2011
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_24
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\handyCafe\Client\hndclient.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Skillbrains\lightshot\1.3.0.15\LightShot.exe
C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\handyCafe\Client\_hndguard.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
F:\Cleaning toolkit\7koo717i.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
F:\Cleaning toolkit\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uSearch Bar =
uStart Page = hxxp://search.handycafe.com/start?ph
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant =
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [LightShot] c:\documents and settings\administrator\local settings\application data\skillbrains\lightshot\LightShot.exe Flags: uninsdeletevalue
uRun: [\\SYAO-SERVER\EPSON TX110 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifbp.exe /fu "c:\docume~1\admini~1\locals~1\temp\E_S1A.tmp" /EF "HKCU"
uRun: [\\PC-1E3C23A0CD85\EPSON T13 T22E Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatigei.exe /fu "c:\docume~1\admini~1\locals~1\temp\E_S12.tmp" /EF "HKCU"
uRun: [\\SERVERKAYE\EPSON T13 T22E Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatigei.exe /fu "c:\docume~1\admini~1\locals~1\temp\E_S1B2.tmp" /EF "HKCU"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [hndclient] c:\program files\handycafe\client\hndclient.exe
dRun: [TaskSwitchXP] c:\program files\taskswitchxp\TaskSwitchXP.exe
dRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
dRunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: c:\program files\frostwire\FrostWire.exe = FrostWire.exe
uPolicies-disallowrun: c:\program files\mozilla firefox\firefox.exe = firefox.exe
uPolicies-system: DisableCAD = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
mPolicies-explorer: DisableCAD = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
IE: &Search - http://tbedits.webfetti.com/one-toolbaredits/menusearch.jhtml?s=100000418&p=ZKxdm648YYph&si=xPH&a=7AA4F2EA-2368-484C-8CD3-928CD44F7234&n=2011011123
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: Translate this web page with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Action.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
LSP: c:\progra~1\handyc~1\filter~1\plugin\_hfilter.dll
Trusted Zone: kuaiche.com\software
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D84EB4B0-BFA9-4B0C-B75A-17ABAD45ABB7} - hxxp://images.friendster.com/201009A-013/js/aurigma/FriendsterImageUploader.cab
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - d:\program files\stardock\fences\FencesMenu.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\c0xsq3ai.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://search.handycafe.com/start?ph
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\c0xsq3ai.default\extensions\{038cb5c7-48ea-4af9-94e0-a1646542e62b}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\c0xsq3ai.default\extensions\{038cb5c7-48ea-4af9-94e0-a1646542e62b}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\c0xsq3ai.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\c0xsq3ai.default\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\c0xsq3ai.default\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\c0xsq3ai.default\extensions\{c9b68337-e93a-44ea-94dc-cb300ec06444}\components\Engine.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\c0xsq3ai.default\extensions\engine@conduit.com\components\FFExternalAlert.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\c0xsq3ai.default\extensions\engine@conduit.com\components\RadioWMPCore.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\c0xsq3ai.default\extensions\ffxtlbr@babylon.com\components\FFHst.dll
FF - plugin: c:\documents and settings\administrator\application data\kalydo\kalydoplayer\npkalydo.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - %profile%\extensions\{038cb5c7-48ea-4af9-94e0-a1646542e62b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: IMinent Toolbar: {C9B68337-E93A-44EA-94DC-CB300EC06444} - %profile%\extensions\{C9B68337-E93A-44EA-94DC-CB300EC06444}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: Softonic-Eng7 Community Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - %profile%\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}
FF - Ext: Babylon: ffxtlbr@babylon.com - %profile%\extensions\ffxtlbr@babylon.com
FF - Ext: Winamp Toolbar: {0b38152b-1b20-484d-a11f-5e04a9b0661f} - %profile%\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\alwil software\avast5\webrep\FF
.
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.handycafe.firewall.client - handyCafeCFW/3.3.33 en
FF - user.js: browser.startup.homepage - hxxp://search.handycafe.com/start?ph
FF - user.js: browser.startup.page - 1
FF - user.js: general.useragent.extra.handycafe.client - handyCafeCln/3.3.21
.
============= SERVICES / DRIVERS ===============
.
R? Ambfilt;Ambfilt
R? avast! Antivirus;avast! Antivirus
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? GGSAFERDriver;GGSAFER Driver
R? gupdate;Google Update Service (gupdate)
R? LLRING0;LLRING0
R? npggsvc;nProtect GameGuard Service
R? npkycryp;npkycryp
R? OAO17Afx;OAO17Afx
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
R? XDva296;XDva296
R? XDva332;XDva332
R? XDva352;XDva352
R? XDva360;XDva360
R? XDva370;XDva370
R? XDva372;XDva372
R? XDva375;XDva375
R? XDva377;XDva377
R? XDva379;XDva379
R? XDva382;XDva382
R? XDva383;XDva383
R? XDva384;XDva384
S? aswFsBlk;aswFsBlk
S? aswSnx;aswSnx
S? aswSP;aswSP
S? BIOS;BIOS
.
=============== File Associations ===============
.
inffile=c:\windows\system32\NOTEPAD2.EXE %1
inifile=c:\windows\system32\NOTEPAD2.EXE %1
txtfile=c:\windows\system32\NOTEPAD2.EXE %1
.
=============== Created Last 30 ================
.
2011-03-20 10:35:53 -------- d-----w- c:\program files\SystemRequirementsLab
2011-03-20 10:35:07 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Winamp Toolbar
2011-03-20 09:42:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2011-03-20 09:41:55 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-03-20 09:41:54 252080 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-03-20 09:41:54 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-03-20 09:41:46 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-03-20 09:41:46 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-03-20 09:41:46 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-03-20 09:41:46 4980736 ----a-w- c:\windows\system32\nvcuda.dll
2011-03-20 09:41:46 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
2011-03-20 09:41:46 2292678 ----a-w- c:\windows\system32\nvdata.bin
2011-03-20 09:41:46 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-03-20 09:41:46 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
2011-03-20 09:41:28 -------- d-----w- c:\program files\NVIDIA Corporation
2011-03-20 09:25:51 -------- d-----w- c:\program files\Freemake
2011-03-20 09:18:50 -------- d-----w- c:\program files\TweakNow PowerPack 2011
2011-03-20 09:18:50 -------- d-----w- c:\docume~1\admini~1\applic~1\TweakNow PowerPack 2011
2011-03-14 20:37:57 -------- d-----w- c:\program files\Incomplete
2011-03-14 20:37:04 -------- d-----w- c:\program files\FrostWire
.
==================== Find3M ====================
.
2011-03-06 12:35:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-06 12:35:35 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-23 15:04:21 40648 ----a-w- c:\windows\avastSS.scr
.
============= FINISH: 13:20:19.96 ===============



Edited by Budapest, 11 April 2011 - 12:25 AM.
Moved from XP ~Budapest
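The DDS log above is a fixed-format report, so a first pass over it can be scripted. The Python below is an added example, not code from the thread, from the DDS tool or from BleepingComputer: it splits a DDS log into its `=== name ===` sections, lists running processes whose image lives outside `C:\WINDOWS` and `C:\Program Files` (per-user Application Data folders and other drives, as several entries above do), and lists the `Policies` entries that restrict the user (DisallowRun, DisableCAD and similar) together with the programs a DisallowRun policy blocks. Such policies are not necessarily malware; the topic starter explains in a later post that the FrostWire restriction was set deliberately, so the output is a review list, not a removal list. The sample log is a constructed excerpt modelled on the posted one; the trusted roots, the watched policy names and the scope-letter mapping (u = current user hive, m = machine hive, d = default user hive) are this example's own assumptions.

```python
"""First-pass triage of a DDS log (added example, not part of the thread or of DDS)."""
import re

# Constructed excerpt modelled on the DDS log posted in the thread.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
F:\Cleaning toolkit\7koo717i.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.handycafe.com/start?ph
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: c:\program files\mozilla firefox\firefox.exe = firefox.exe
uPolicies-system: DisableCAD = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
.
============= FINISH: 13:20:19.96 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Image path up to the first .exe/.scr, leaving any command-line arguments behind.
PROCESS_RE = re.compile(r"^([A-Za-z]:\\.*?\.(?:exe|scr))(?:\s|$)", re.IGNORECASE)
POLICY_RE = re.compile(r"^([umd])Policies-(\w+):\s*(.+?)\s*=\s*(.*)$")

# Assumptions of this example: where a process image is ordinarily expected on
# this XP box, which policy values restrict the user, and what the DDS scope
# letters mean (u = current user hive, m = machine hive, d = default user hive).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
LOCKDOWN_VALUES = {"disallowrun", "disablecad", "disabletaskmgr",
                   "disableregistrytools", "norun"}
SCOPE = {"u": "HKCU", "m": "HKLM", "d": "default user"}


def split_sections(text):
    """Map each '=== name ===' header to the non-empty lines under it ('.' spacers dropped)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def flag_processes(lines, trusted_roots=TRUSTED_ROOTS):
    """Image paths of running processes that live outside the trusted roots."""
    flagged = []
    for line in lines:
        m = PROCESS_RE.match(line)
        if m and not m.group(1).lower().startswith(trusted_roots):
            flagged.append(m.group(1))
    return flagged


def flag_policies(lines):
    """(hive, key, name, value) for lockdown policies and every DisallowRun entry."""
    flagged = []
    for line in lines:
        m = POLICY_RE.match(line)
        if not m:
            continue
        scope, key, name, value = m.groups()
        if key.lower() == "disallowrun" or name.lower() in LOCKDOWN_VALUES:
            flagged.append((SCOPE[scope], key, name, value))
    return flagged


def triage(text):
    """Run both checks over the two DDS sections they apply to."""
    sections = split_sections(text)
    return {
        "processes": flag_processes(sections.get("Running Processes", [])),
        "policies": flag_policies(sections.get("Pseudo HJT Report", [])),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DDS)
    for path in report["processes"]:
        print("process outside trusted roots:", path)
    for hive, key, name, value in report["policies"]:
        print(f"policy to review: [{hive}] {key}: {name} = {value}")
```

Running it on a full DDS log gives the same two lists; every hit still needs a human decision, which is exactly what the helper does by hand in the replies that follow.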




#2 Blade81
    Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 15 April 2011 - 02:58 PM

Hi,

  • Frostwire

The above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and others if present) P2P file sharing programs.



Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (link).
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 syao-chan
  • Topic Starter
  • Members
  • 11 posts

Posted 16 April 2011 - 02:37 AM

Hi Blade,

Thank you for your response. Attached are the requested logs. In addition, I have uninstalled Frostwire completely (previously, I had just added it to Restricted Programs via registry tweaks, since folks keep on reinstalling it on the PC >.>)


Thanks,

Syao



Edited by syao-chan, 16 April 2011 - 02:39 AM.


#4 Blade81
    Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 16 April 2011 - 04:48 AM

Hi again,

Look for ComboFix2.txt file in c:\qoobox or c:\combofix folder and post it back.


Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    wscntfy.exe
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Click Start -> Run, type services.msc and press Enter.
Check status & startup type of the following services:
Background Intelligent Transfer Service (BITS)
Remote Procedure Call (RPC)


Report back.


Adobe Reader 7.0.5 is not supported anymore and should be removed.

Uninstall this old Java:
J2SE Runtime Environment 5.0 Update 5


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked.
  • Click Scan
  • Wait for the scan to finish. Copy-paste back the findings.



#5 syao-chan
  • Topic Starter
  • Members
  • 11 posts

Posted 16 April 2011 - 07:29 PM

Hi Blade,

Thanks for your swift response! I've attached the requested logs.

SystemLook//
SystemLook 04.09.10 by jpshortstuff
Log created at 07:35 on 17/04/2011 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "wscntfy.exe"
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\wscntfy.exe --a---- 13824 bytes [02:05 04/09/2010] [00:12 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5

-= EOF =-

//Services.msc//
BITS - Status: none, Startup type: automatic
RPC - I have two: RPC 1 (provides the endpoint mapper) has no status and is on Automatic. RPC 2 (manages the RPC name service database) has no status and is on Manual.

//Uninstalling programs//
I can't uninstall any software today, I get an error that the Windows Installer Service cannot be accessed.

//ESET//
C:\Documents and Settings\Administrator\Application Data\OpenCandy\OpenCandy_7AE1F9EFB3B3424FB643C0EDE8BCA1AA\p1v1_AFIRegistryReviver_w.exe a variant of Win32/SlowPCfighter application
C:\Documents and Settings\Administrator\My Documents\NBA LIVE 08\CabalMain.exe a variant of Win32/Packed.VMProtect.AAH trojan
D:\C40R.bin a variant of Win32/Packed.VMProtect.AAH trojan
D:\CabalMain.exe a variant of Win32/Packed.VMProtect.AAH trojan
D:\caor.exe Win32/Packed.Themida.AAE trojan
D:\x.dll a variant of Win32/Packed.VMProtect.AAH trojan
D:\download new\CabalMain.exe a variant of Win32/Packed.VMProtect.AAH trojan
D:\zhypermu muguard 2010\vcorp.dll probably a variant of Win32/Agent.EOFXVKB trojan



Edited by syao-chan, 16 April 2011 - 07:30 PM.


#6 Blade81
    Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 17 April 2011 - 02:45 PM

Hi,

Delete those ESET findings. Try to start those BITS and RPCSS (RPC1) services. If starting the services was successful run ComboFix again.



#7 syao-chan
  • Topic Starter
  • Members
  • 11 posts

Posted 19 April 2011 - 01:53 PM

Hi Blade,

I deleted the files found, but I still couldn't restart BITS or RPC. The latter brought up an Error 5 Access is Denied.

I did get my taskbar back, though the minimized windows appear above the taskbar, not on the taskbar. >.>


- Syao

#8 Blade81
    Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 19 April 2011 - 02:13 PM

Hi,

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@ECHO OFF
DIR /a/s c:\svchost* >Log.txt
START Log.txt
DEL %0

Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.



#9 syao-chan
  • Topic Starter
  • Members
  • 11 posts

Posted 20 April 2011 - 03:27 AM

Hi Blade,

Here you go:


Volume in drive C has no label.
Volume Serial Number is 0894-EA93

Directory of c:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e

04/13/2008 05:12 PM 14,336 svchost.exe
1 File(s) 14,336 bytes

Directory of c:\WINDOWS\system32

08/03/2004 06:26 PM 14,336 svchost.exe
1 File(s) 14,336 bytes

Total Files Listed:
2 File(s) 28,672 bytes
0 Dir(s) 1,116,483,584 bytes free


Thanks for continuously working with me on this. :)

#10 Blade81
    Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 20 April 2011 - 05:08 AM

Hi,

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@ECHO OFF
cacls c:\windows\system32\rpcss.dll >>Log.txt
cacls c:\windows\system32\svchost.exe >>Log.txt
ECHO.>>Log.txt
ECHO --------------->>Log.txt
SWREG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RpcSs" /s >>Log.txt
START Log.txt
DEL %0


Double-click on fixes.bat file to execute it. Again, Log.txt should open. Attach it to your post.



#11 syao-chan
  • Topic Starter
  • Members
  • 11 posts

Posted 20 April 2011 - 01:48 PM

Hi Blade,

Attached the requested log. :)

- Syao

Attached Files

  • Attached File  Log.txt   2.25KB   3 downloads


#12 Blade81
    Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 21 April 2011 - 02:17 AM

Hi,

Open notepad and copy/paste (if you can't copy-paste then you need to type it - in that case, be careful with the syntax) the text in the quotebox below into it:

FCopy::
c:\windows\system32\svchost.exe|c:\windows\system32\svchost.bak
c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe|c:\windows\system32\svchost.exe
c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe|c:\windows\system32\dllcache\svchost.exe


Save this as CFScript.txt to your desktop.

Make sure that the ComboFix.exe and CFScript.txt files are on your desktop. Then run the following command with the same syntax as shown below (don't forget the quotes) in a command prompt:
ComboFix "%userprofile%\Desktop\CFScript.txt"

ComboFix will run. Post back the resultant log & fresh dds.txt log.

Edited by Blade81, 21 April 2011 - 02:18 AM.



#13 syao-chan
  • Topic Starter
  • Members
  • 11 posts

Posted 21 April 2011 - 03:04 AM

Hi Blade,

I get this error instead: http://prntscr.com/1rr6f :(


- Syao

#14 Blade81
    Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 21 April 2011 - 03:18 AM

Please try this command instead:
"%userprofile%\desktop\ComboFix.exe" "%userprofile%\Desktop\CFScript.txt"



#15 syao-chan
  • Topic Starter
  • Members
  • 11 posts

Posted 21 April 2011 - 04:00 AM

Thanks, that worked! :) I've attached the logs.






