Possible infection - Unable to install antivirus or Windows updates


This topic is locked. 20 replies to this topic.

#1 Lamb1 (Members, 17 posts, New Zealand)

Posted 15 May 2011 - 03:04 PM

Laptop was infected with something, not sure what because I inherited it from my sister-in-law. The only details I have are that she clicked on something in her browser; it ran a fake virus scan, which she clicked on, and it got as far as asking for her credit card details to remove the threats. Several anti-malware programs were run on it before it came to me.

I have run Malwarebytes on it and found nothing. I have also followed other instructions as per the Bleeping Computer member who is helping me:

http://www.bleepingcomputer.com/forums/topic396293.html/page__p__2239713__fromsearch__1#entry2239713

The main problem is that it hangs every time I try to install an antivirus program, or any updates to Windows Defender, or any Windows updates. When it hangs the mouse cursor still moves but nothing else responds. Ctrl+Alt+Del gives a black screen, which reverts to the frozen desktop after a few minutes.

Several errors have been noted around the time of the system freezing:

WerFault.exe Bad Image: C:\Windows\System32\dbgeng.dll

Explorer.exe Application Error: The instruction at 0x00a4d98b referenced memory at 0x00000016. The memory could not be written.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Critter at 14:11:16.83 on Sun 15/05/2011
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.64.1033.18.2038.1239 [GMT 12:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\locator.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\PC Tools Security\BDT\FGuard.exe
C:\Windows\Explorer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Critter\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.nz/ig?hl=en
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
mRun: [PCTools FGuard] c:\program files\pc tools security\bdt\FGuard.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\critter\appdata\roaming\mozilla\firefox\profiles\wj8rv3qz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.nz/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&q=
FF - component: c:\program files\pc tools security\bdt\firefox\platform\winnt_x86-msvc\components\libheuristic.dll
FF - component: c:\users\critter\appdata\roaming\mozilla\firefox\profiles\wj8rv3qz.default\extensions\{c2db4fe6-8409-45ce-8010-189a7b5cce86}\components\RadioWMPCoreGecko19.dll
FF - component: c:\users\critter\appdata\roaming\mozilla\firefox\profiles\wj8rv3qz.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Browser Defender Toolbar: {cb84136f-9c44-433a-9048-c5cd9df1dc16} - c:\program files\pc tools security\bdt\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: NCH Community Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - %profile%\extensions\{c2db4fe6-8409-45ce-8010-189a7b5cce86}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools security\bdt\BDTUpdateService.exe [2011-5-8 247760]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-25 21504]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-3-26 47640]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-4-19 7168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-11-8 1153368]
.
=============== File Associations ===============
.
.txt=
.
=============== Created Last 30 ================
.
2011-05-15 00:23:58 -------- d-----w- C:\71dc5d1d0c2e5d3af6c1
2011-05-15 00:23:52 40112 ----a-w- c:\windows\avastSS.scr
2011-05-14 21:22:24 -------- d-----w- c:\program files\ESET
2011-05-14 05:24:33 -------- d-----w- c:\users\critter\appdata\roaming\SUPERAntiSpyware.com
2011-05-14 05:24:33 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-05-14 05:24:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-08 02:11:42 -------- d-sh--w- C:\found.005
2011-05-08 02:03:47 -------- d-----w- C:\ae70375a96f81abda10fbe877bd927
2011-05-07 23:30:52 -------- d-----w- c:\progra~2\Kaspersky Lab
2011-05-07 23:08:56 -------- d-----w- c:\program files\VS Revo Group
2011-05-07 23:00:45 -------- d-----w- c:\users\critter\appdata\local\Threat Expert
2011-05-07 22:41:22 767952 ----a-w- c:\windows\BDTSupport.dll
2011-05-07 22:41:22 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-05-07 22:41:22 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-05-07 22:41:22 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-05-07 22:40:14 -------- d-----w- c:\program files\PC Tools Security
2011-05-07 22:37:29 -------- d-----w- c:\progra~2\PC Tools
2011-05-07 22:00:43 6144 ------w- c:\windows\system32\7A00.tmp
2011-05-07 22:00:35 6144 ------w- c:\windows\system32\5A5F.tmp
2011-05-07 22:00:29 -------- d-----w- c:\program files\Sophos
2011-05-07 21:59:56 -------- d-----w- c:\users\critter\Pavark
2011-05-07 21:44:14 -------- d-----w- C:\0299d70cc85a38b5798d12
2011-05-07 12:14:13 -------- d-----w- c:\users\critter\appdata\local\temp
2011-05-07 12:13:01 -------- d-sh--w- C:\$RECYCLE.BIN
2011-05-07 11:43:35 -------- d-----w- C:\32788R22FWJFW.1.tmp
2011-05-07 11:13:18 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{a205e171-1ecf-4952-b810-3798e299fa3e}\mpengine.dll
2011-05-07 10:43:15 -------- d-----w- c:\windows\system32\catroot2
2011-05-07 04:43:52 -------- d-----w- C:\found.004
2011-05-07 03:38:59 408480426 ----a-w- C:\Registery backup may 2011.reg
2011-05-07 02:50:56 -------- d-----w- C:\e579f8cfddc0ddafbc3a1e504285
2011-05-06 22:20:03 -------- d-----w- c:\program files\AVAST Software
2011-05-06 22:20:03 -------- d-----w- c:\progra~2\AVAST Software
2011-05-06 21:11:24 -------- d-----w- C:\found.003
2011-05-05 11:28:52 -------- d-----w- c:\program files\CCleaner
2011-05-04 10:55:55 -------- d-----w- c:\windows\pss
2011-05-04 10:07:56 -------- d-----w- C:\found.002
2011-05-04 07:46:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-04 07:46:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-20 09:27:57 -------- d-----w- C:\found.001
2011-04-20 02:05:32 -------- d-----w- C:\found.000
2011-04-18 05:20:16 -------- d-----w- C:\b3be7b7be4b240cf979370d4
2011-04-15 22:36:23 -------- d-----w- c:\users\critter\appdata\roaming\Malwarebytes
2011-04-15 22:36:16 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-15 22:36:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-02-27 02:08:25 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-02-22 14:13:01 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33:12 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33:09 797696 ----a-w- c:\windows\system32\FntCache.dll
.
============= FINISH: 14:11:49.45 ===============

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-16 02:41:07
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.BBCO
Running: l93kxeoc.exe; Driver: C:\Users\Critter\AppData\Local\Temp\kxriafow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x88757000, 0x4036D, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x887A0000, 0x510, 0x40000040]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


#2 Casey_boy (Malware Response Team, 7,765 posts, UK)

Posted 27 May 2011 - 12:41 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.




#3 Lamb1 (Topic Starter, Members, 17 posts, New Zealand)

Posted 27 May 2011 - 10:35 PM

Hi Casey_boy, thanks for your reply.

New DDS log below and attached as requested. New GMER log below also.

I don't have access to the original Windows CD/DVD, the laptop did not come with one when purchased new. Vista was pre-installed.


DDS (Ver_11-03-05.01) - NTFSx86
Run by Critter at 14:48:13.89 on Sat 28/05/2011
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.64.1033.18.2038.1263 [GMT 12:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\locator.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\PC Tools Security\BDT\FGuard.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10o_ActiveX.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Critter\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.nz/ig?hl=en
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
mRun: [PCTools FGuard] c:\program files\pc tools security\bdt\FGuard.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\critter\appdata\roaming\mozilla\firefox\profiles\wj8rv3qz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.nz/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&q=
FF - component: c:\program files\pc tools security\bdt\firefox\platform\winnt_x86-msvc\components\libheuristic.dll
FF - component: c:\users\critter\appdata\roaming\mozilla\firefox\profiles\wj8rv3qz.default\extensions\{c2db4fe6-8409-45ce-8010-189a7b5cce86}\components\RadioWMPCoreGecko19.dll
FF - component: c:\users\critter\appdata\roaming\mozilla\firefox\profiles\wj8rv3qz.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Browser Defender Toolbar: {cb84136f-9c44-433a-9048-c5cd9df1dc16} - c:\program files\pc tools security\bdt\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: NCH Community Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - %profile%\extensions\{c2db4fe6-8409-45ce-8010-189a7b5cce86}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools security\bdt\BDTUpdateService.exe [2011-5-8 247760]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-25 21504]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-3-26 47640]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-4-19 7168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-11-8 1153368]
.
=============== File Associations ===============
.
.txt=
.
=============== Created Last 30 ================
.
2011-05-15 00:23:58 -------- d-----w- C:\71dc5d1d0c2e5d3af6c1
2011-05-15 00:23:52 40112 ----a-w- c:\windows\avastSS.scr
2011-05-14 21:22:24 -------- d-----w- c:\program files\ESET
2011-05-14 05:24:33 -------- d-----w- c:\users\critter\appdata\roaming\SUPERAntiSpyware.com
2011-05-14 05:24:33 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-05-14 05:24:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-08 02:11:42 -------- d-sh--w- C:\found.005
2011-05-08 02:03:47 -------- d-----w- C:\ae70375a96f81abda10fbe877bd927
2011-05-07 23:30:52 -------- d-----w- c:\progra~2\Kaspersky Lab
2011-05-07 23:08:56 -------- d-----w- c:\program files\VS Revo Group
2011-05-07 23:00:45 -------- d-----w- c:\users\critter\appdata\local\Threat Expert
2011-05-07 22:41:22 767952 ----a-w- c:\windows\BDTSupport.dll
2011-05-07 22:41:22 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-05-07 22:41:22 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-05-07 22:41:22 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-05-07 22:40:14 -------- d-----w- c:\program files\PC Tools Security
2011-05-07 22:37:29 -------- d-----w- c:\progra~2\PC Tools
2011-05-07 22:00:43 6144 ------w- c:\windows\system32\7A00.tmp
2011-05-07 22:00:35 6144 ------w- c:\windows\system32\5A5F.tmp
2011-05-07 22:00:29 -------- d-----w- c:\program files\Sophos
2011-05-07 21:59:56 -------- d-----w- c:\users\critter\Pavark
2011-05-07 21:44:14 -------- d-----w- C:\0299d70cc85a38b5798d12
2011-05-07 12:14:13 -------- d-----w- c:\users\critter\appdata\local\temp
2011-05-07 12:13:01 -------- d-sh--w- C:\$RECYCLE.BIN
2011-05-07 11:43:35 -------- d-----w- C:\32788R22FWJFW.1.tmp
2011-05-07 11:13:18 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{a205e171-1ecf-4952-b810-3798e299fa3e}\mpengine.dll
2011-05-07 10:43:15 -------- d-----w- c:\windows\system32\catroot2
2011-05-07 04:43:52 -------- d-----w- C:\found.004
2011-05-07 03:38:59 408480426 ----a-w- C:\Registery backup may 2011.reg
2011-05-07 02:50:56 -------- d-----w- C:\e579f8cfddc0ddafbc3a1e504285
2011-05-06 22:20:03 -------- d-----w- c:\program files\AVAST Software
2011-05-06 22:20:03 -------- d-----w- c:\progra~2\AVAST Software
2011-05-06 21:11:24 -------- d-----w- C:\found.003
2011-05-05 11:28:52 -------- d-----w- c:\program files\CCleaner
2011-05-04 10:55:55 -------- d-----w- c:\windows\pss
2011-05-04 10:07:56 -------- d-----w- C:\found.002
2011-05-04 07:46:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-04 07:46:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
==================== Find3M ====================
.
.
============= FINISH: 14:49:39.88 ===============

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-28 15:35:11
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.BBCO
Running: l93kxeoc.exe; Driver: C:\Users\Critter\AppData\Local\Temp\kxriafow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x88751000, 0x4036D, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8879A000, 0x510, 0x40000040]
? C:\Users\Critter\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3412] USER32.dll!DialogBoxParamW 757D10B0 5 Bytes JMP 6C42BFE7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] USER32.dll!DialogBoxIndirectParamW 757D2EF5 5 Bytes JMP 6C56BBB2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] USER32.dll!DialogBoxParamA 757E8152 5 Bytes JMP 6C56BB77 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] USER32.dll!DialogBoxIndirectParamA 757E847D 5 Bytes JMP 6C56BBED C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] USER32.dll!MessageBoxIndirectA 757FD4D9 5 Bytes JMP 6C56BB33 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] USER32.dll!MessageBoxIndirectW 757FD5D3 5 Bytes JMP 6C56BAEF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] USER32.dll!MessageBoxExA 757FD639 5 Bytes JMP 6C56BAB5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] USER32.dll!MessageBoxExW 757FD65D 5 Bytes JMP 6C56BA7B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] SHELL32.dll!SHAppBarMessage + 22B 7624BA5C 4 Bytes [99, 0B, CF, 6B]
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] SHELL32.dll!SHAppBarMessage + 233 7624BA64 4 Bytes [A7, 0A, CF, 6B]
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] SHELL32.dll!SHAppBarMessage + 25B 7624BA8C 4 Bytes [99, 0B, CF, 6B]
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] SHELL32.dll!SHAppBarMessage + 263 7624BA94 4 Bytes [A7, 0A, CF, 6B]
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] SHELL32.dll!SHAppBarMessage + 3B7 7624BBE8 4 Bytes [99, 0B, CF, 6B]
.text ...
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] SHELL32.dll!SHRestricted + BC5 762687D8 4 Bytes [99, 0B, CF, 6B]
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] SHELL32.dll!SHRestricted + BCD 762687E0 4 Bytes [A7, 0A, CF, 6B]
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] SHELL32.dll!SHRestricted + D1D 76268930 4 Bytes [99, 0B, CF, 6B]
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] SHELL32.dll!SHRestricted + D25 76268938 4 Bytes [A7, 0A, CF, 6B]
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] SHELL32.dll!SHRestricted + D95 762689A8 4 Bytes [99, 0B, CF, 6B]
.text ...
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] ole32.dll!OleLoadFromStream 759F1E80 5 Bytes JMP 6C56BDAF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
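As an added example (not code from the thread, from GMER or from the helper), here is a small parser for the user-mode hook lines GMER prints, of the kind shown in the log above. It groups hooks by the module that owns the jump target and lists the ones a reviewer would check first; the explorer.exe line in the sample is constructed, the other sample lines are copied from the log.

```python
"""Triage of GMER user-mode hook lines (added example; not GMER's or the thread's code).

GMER reports inline hooks inside a process as lines like:
  .text <process>[pid] <dll>!<export>[ + off] <addr> <n> Bytes JMP <target> <module path> (<publisher>)
  .text <process>[pid] <dll>!<export> + off <addr> <n> Bytes [<patched bytes>]
The first form resolves where the hook jumps to; the second only shows the bytes
written. A reviewer groups the hooks by the module that owns the target and looks
closely at hooks that are unresolved or land outside a Microsoft-attributed module.
Hooks from iexplore.exe into IEFRAME.dll that GMER attributes to Microsoft, as in
this thread's log, are Internet Explorer's own.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?\[\d+\])\s+"
    r"(?P<api>\S+!\S+(?: \+ [0-9A-Fa-f]+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+) Bytes\s+"
    r"(?:JMP (?P<target>[0-9A-Fa-f]{8}) (?P<module>.+?) \((?P<publisher>[^)]*)\)"
    r"|\[(?P<bytes>[^\]]*)\])\s*$"
)


def parse_hook(line):
    """Parse one GMER .text line; return None for separators such as '.text ...'."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "process": d["process"],
        "api": d["api"],
        "module": d["module"],        # None when GMER shows only the patched bytes
        "publisher": d["publisher"],  # None when unresolved
    }


def triage(lines):
    """Return (hooks per owning module, hooks that need a closer look)."""
    per_module = defaultdict(int)
    review = []
    for line in lines:
        h = parse_hook(line)
        if h is None:
            continue
        owner = h["module"] or "<unresolved>"
        per_module[owner] += 1
        publisher = (h["publisher"] or "").lower()
        # Unresolved targets and non-Microsoft modules are not verdicts, only the
        # entries a reviewer checks against what is actually installed.
        if h["module"] is None or "microsoft" not in publisher:
            review.append(h)
    return dict(per_module), review


# Sample input: four lines copied from the thread's GMER log plus one constructed
# line (explorer.exe hooked into a DLL under Temp) to exercise the publisher check.
SAMPLE = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] USER32.dll!MessageBoxExA 757FD639 5 Bytes JMP 6C56BAB5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] USER32.dll!MessageBoxExW 757FD65D 5 Bytes JMP 6C56BA7B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] SHELL32.dll!SHAppBarMessage + 22B 7624BA5C 4 Bytes [99, 0B, CF, 6B]
.text ...
.text C:\Program Files\Internet Explorer\iexplore.exe[3412] ole32.dll!OleLoadFromStream 759F1E80 5 Bytes JMP 6C56BDAF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Windows\explorer.exe[1234] kernel32.dll!CreateFileW 76A1AB00 5 Bytes JMP 10001234 C:\Users\Critter\AppData\Local\Temp\unknown.dll (unknown)
""".strip().splitlines()

if __name__ == "__main__":
    per_module, review = triage(SAMPLE)
    for module, n in sorted(per_module.items()):
        print(f"{n:3d} hook(s) -> {module}")
    for h in review:
        print("REVIEW:", h["process"], h["api"], "->", h["module"] or "unresolved bytes")
```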

#4 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle Washington
  • Local time:04:01 AM

Posted 29 May 2011 - 02:00 PM

Hi Lamb1
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up.

Please do this.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • Vista/Windows7 users right click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the Combofix log.
  • The log can be located here if it was closed: C:\Combofix.txt
Note: Do not mouse click combofix's window while it's running. That may cause it to stall.

If you are prompted to install the Recovery Console, Please do so.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!


unite_mo.jpg


My help is always free, But I do accept donations.
Donate Here


#5 Lamb1

Lamb1
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Zealand
  • Local time:11:01 PM

Posted 30 May 2011 - 02:35 AM

Hi Maranatha, thanks for your help.

ComboFix 11-05-29.01 - Critter 30/05/2011 19:19:56.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.64.1033.18.2038.1277 [GMT 12:00]
Running from: c:\users\Critter\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-30 )))))))))))))))))))))))))))))))
.
.
2011-05-15 00:23 . 2011-05-15 00:23 -------- d-----w- C:\71dc5d1d0c2e5d3af6c1
2011-05-15 00:23 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-05-15 00:23 . 2011-04-18 17:25 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-14 21:22 . 2011-05-14 21:22 -------- d-----w- c:\program files\ESET
2011-05-14 05:24 . 2011-05-14 05:24 -------- d-----w- c:\users\Critter\AppData\Roaming\SUPERAntiSpyware.com
2011-05-14 05:24 . 2011-05-14 05:24 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-05-14 05:24 . 2011-05-14 05:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-08 02:11 . 2011-05-08 02:11 -------- d-----w- C:\found.005
2011-05-08 02:03 . 2011-05-08 02:03 -------- d-----w- C:\ae70375a96f81abda10fbe877bd927
2011-05-07 23:30 . 2011-05-07 23:30 -------- d-----w- c:\programdata\Kaspersky Lab
2011-05-07 23:08 . 2011-05-07 23:23 -------- d-----w- c:\program files\VS Revo Group
2011-05-07 23:00 . 2011-05-07 23:00 -------- d-----w- c:\users\Critter\AppData\Local\Threat Expert
2011-05-07 22:41 . 2011-01-07 02:54 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-05-07 22:41 . 2011-01-07 02:54 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-05-07 22:41 . 2011-01-07 02:54 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-05-07 22:41 . 2011-01-07 02:54 767952 ----a-w- c:\windows\BDTSupport.dll
2011-05-07 22:40 . 2011-05-07 23:03 -------- d-----w- c:\program files\PC Tools Security
2011-05-07 22:37 . 2011-05-07 23:01 -------- d-----w- c:\programdata\PC Tools
2011-05-07 22:00 . 2010-05-25 22:39 6144 ------w- c:\windows\system32\7A00.tmp
2011-05-07 22:00 . 2010-05-25 22:39 6144 ------w- c:\windows\system32\5A5F.tmp
2011-05-07 22:00 . 2011-05-07 22:16 -------- d-----w- c:\program files\Sophos
2011-05-07 21:59 . 2011-05-07 21:59 -------- d-----w- c:\users\Critter\Pavark
2011-05-07 21:44 . 2011-05-07 21:44 -------- d-----w- C:\0299d70cc85a38b5798d12
2011-05-07 11:43 . 2011-05-07 11:45 -------- d-----w- C:\32788R22FWJFW.1.tmp
2011-05-07 11:13 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A205E171-1ECF-4952-B810-3798E299FA3E}\mpengine.dll
2011-05-07 10:43 . 2011-05-07 23:18 -------- d-----w- c:\windows\system32\catroot2
2011-05-07 04:43 . 2011-05-07 04:43 -------- d-----w- C:\found.004
2011-05-07 03:38 . 2011-05-07 03:39 408480426 ----a-w- C:\Registery backup may 2011.reg
2011-05-07 02:50 . 2011-05-07 02:50 -------- d-----w- C:\e579f8cfddc0ddafbc3a1e504285
2011-05-06 22:20 . 2011-05-15 00:23 -------- d-----w- c:\programdata\AVAST Software
2011-05-06 22:20 . 2011-05-06 22:20 -------- d-----w- c:\program files\AVAST Software
2011-05-06 21:11 . 2011-05-06 21:11 -------- d-----w- C:\found.003
2011-05-05 11:28 . 2011-05-05 11:28 -------- d-----w- c:\program files\CCleaner
2011-05-04 10:07 . 2011-05-04 10:07 -------- d-----w- C:\found.002
2011-05-04 07:46 . 2010-12-20 06:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-04 07:46 . 2010-12-20 06:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2011-01-07 108496]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
2007-03-23 01:41 538744 ----a-w- c:\program files\Toshiba\FlashCards\TCrdMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 10:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-03-21 04:23 413696 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-24 22:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-03-29 05:32 154392 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
2006-12-07 03:49 55416 ----a-w- c:\program files\Toshiba\TBS\HSON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-03-29 05:32 138008 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 02:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-09-17 02:40 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-03-29 05:32 133912 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 04:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-03-14 07:50 4399104 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2007-03-21 22:46 448632 ----a-w- c:\program files\Toshiba\SmoothView\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 02:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-02-02 05:36 835584 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPwrMain]
2006-12-19 10:16 411768 ----a-w- c:\program files\Toshiba\Power Saver\TPwrMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 musbehco;musbehco;c:\users\Critter\AppData\Local\Temp\musbehco.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-12-08 374152]
R4 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [2011-01-07 247760]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-09-17 12856]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.nz/ig?hl=en
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Critter\AppData\Roaming\Mozilla\Firefox\Profiles\wj8rv3qz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.nz/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Browser Defender Toolbar: {cb84136f-9c44-433a-9048-c5cd9df1dc16} - c:\program files\PC Tools Security\BDT\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: NCH Community Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - %profile%\extensions\{c2db4fe6-8409-45ce-8010-189a7b5cce86}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
.
.
------- File Associations -------
.
.txt=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-30 19:27
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1594674826-2521325839-4178469667-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:cc,a8,33,16,44,3c,19,62,22,81,cd,0c,f4,de,18,2a,f7,18,59,40,79,
98,10,20,69,24,d0,1a,61,73,b4,aa,38,e1,02,10,b6,a3,c0,90,35,4c,64,fd,8d,c8,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-05-30 19:30:27
ComboFix-quarantined-files.txt 2011-05-30 07:30
.
Pre-Run: 46,514,671,616 bytes free
Post-Run: 46,741,983,232 bytes free
.
- - End Of File - - CFED9FD3A906C0F18FA91A9975112891
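As an added example (not code from the thread or from ComboFix), here is a parser for the service and driver lines in the ComboFix log above, flagging the two things a reviewer checks first: an image file that no longer exists ([x]) and an image loading from a temp directory. The sample lines are copied from the posted log; the reading of R/S as running/stopped and the digit as the start value is the usual way these lines are read.

```python
"""Triage of service/driver lines in a ComboFix log (added example; not ComboFix's code).

In the "Reg Loading Points" section ComboFix prints one line per service or
driver it shows, in this shape:
  <R|S><start> <name>;<display name>;<image path> [<file date> <size>]
  <R|S><start> <name>;<display name>;<image path> [x]   <- image file not found
R/S is read as running/stopped and the digit is the service start value
(0 boot, 1 system, 2 auto, 3 manual, 4 disabled). Worth a look before anything
else: a service whose image file is gone, and a driver whose image lives in a
temp directory (in this thread: R3 musbehco under ...\Local\Temp with [x]).
Such an entry is often left behind by a scanner that ran earlier, but that has
to be confirmed, not assumed.
"""
import re

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<info>x|\d{4}-\d{2}-\d{2} \d+)\]\s*$"
)

START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}


def parse_service(line):
    """Parse one R?/S? line; return None for anything else in the log."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    image = d["image"]
    return {
        "running": d["state"] == "R",
        "start": START_NAMES[int(d["start"])],
        "name": d["name"],
        "display": d["display"],
        "image": image,
        "missing": d["info"] == "x",
        "in_temp": "\\temp\\" in image.lower(),
    }


def triage_services(lines):
    """Return [(name, image, [reasons])] for entries that need a closer look."""
    findings = []
    for line in lines:
        svc = parse_service(line)
        if svc is None:
            continue
        reasons = []
        if svc["missing"]:
            reasons.append("image file not found")
        if svc["in_temp"]:
            reasons.append("image path is in a temp directory")
        if reasons:
            findings.append((svc["name"], svc["image"], reasons))
    return findings


# Sample input: service lines copied from the ComboFix log posted in this thread.
SAMPLE = r"""
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 musbehco;musbehco;c:\users\Critter\AppData\Local\Temp\musbehco.sys [x]
R4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2010-12-08 374152]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
""".strip().splitlines()

if __name__ == "__main__":
    for name, image, reasons in triage_services(SAMPLE):
        print(f"{name}: {image} -> {'; '.join(reasons)}")
```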

#6 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle Washington
  • Local time:04:01 AM

Posted 30 May 2011 - 12:58 PM

Hi
The log you posted was the 2nd run of Combofix. I need to see the first log.
It should be located here...
C:\qoobox - ComboFix2.txt

Please go to C:\ open the qoobox and open ComboFix2.txt and copy and paste that log here.

I see AVAST Software in the log, did you get AVAST to download?
I also see PC Tools Security and leftovers from Symantec AntiVirus. Which antivirus did you want to run? You can only have 1 AV.
Are you still having the problems that you were being helped with earlier?


Please answer my questions and post the Combofix log.

Thanks
maranatha

Edited by maranatha, 30 May 2011 - 01:17 PM.



#7 Lamb1

Lamb1
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Zealand
  • Local time:11:01 PM

Posted 31 May 2011 - 01:03 AM

Went to C:\qoobox and there is no ComboFix2.txt file in there; there is Snapshot@2011-05-30_07.27.41.dat, Combofix-quarantined-files.txt, Add-Remove Programs.txt and two folders - Quarantine and BackEnv.

There is a ComboFix2.txt file in C: but it is the one I posted yesterday for you. No sign of any others.

Avast - I was able to get the setup.exe to download, and it starts to install, but then stalls on vcredist_x86_sp1.exe before it completes and I have to do a hard restart. So no, Avast is not installed.

PC Tools - thought this had been uninstalled, it is not showing on the start menu or in control panel - add remove programs. I did notice there is a PC Tools link to get you to upgrade on the IE browser though, so I guess it wasn't completely uninstalled.

Symantec Antivirus was also uninstalled a long time ago according to the old laptop owner, it was a one year trial when laptop was purchased new and was never used after that. Again, not showing in start menu or in control panel - add remove programs.


Yes still having the same problems as earlier, boots up fine, and is stable until I try to update windows or install antivirus software. Once it stalls ctrl alt del is either unresponsive or I get a black screen. The mouse cursor is the only thing that still responds. At this point I have to power down and restart.

Thanks

#8 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle Washington
  • Local time:04:01 AM

Posted 31 May 2011 - 07:13 AM

Hi

OK Please do this.

Create a restore Point
How to manually create a restore point.

Open System by clicking the Start button, click Control Panel, click System and Maintenance, and then click System.

In the left pane, click System Protection. Administrator permission required: if you are prompted for an administrator password or confirmation, type the password or provide confirmation.
Click the System Protection tab, and then click Create.

In the System Protection dialog box, type a description, and then click Create.


Now go to this Microsoft web site: vcredist_x86.exe. Click on the Download button, then click on "RUN" in the download window. If it asks to overwrite an existing file, select Yes.

Reboot the computer.

See if Avast will install, and check windows update.
Let me know.



#9 Lamb1

Lamb1
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Zealand
  • Local time:11:01 PM

Posted 31 May 2011 - 03:26 PM

Hi,

Created restore point as instructed. Downloaded vcredist_x86.exe and tried to install, install stalled on FT_VC_Redist_OpenMP_x86 and had to do hard power down to restart. Rebooted and tried running again, asked if I wanted to repair or uninstall, tried to uninstall thinking I would try install again after that, system stalled again and then BSOD.

#10 Lamb1

Lamb1
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Zealand
  • Local time:11:01 PM

Posted 31 May 2011 - 04:14 PM

Further developments...

On the reboot after the BSOD, computer went into startup repair which has not happened before (on reboot it has automatically gone into a system check and run chkdsk before). On completion of the startup repair I got this message:

Startup Repair cannot repair this computer automatically

Problem details

Problem event name: Startup RepairV2
Problem Signature 01: Auto fallover
Problem Signature 02: 6.0.6000.16386.6.0.6001.18000
Problem Signature 03: 0
Problem Signature 04: 65537
Problem Signature 05: Unknown
Problem Signature 06: NoRootCause
Problem Signature 07: 0
Problem Signature 08: 2
Problem Signature 09: WrpRepair
Problem Signature 10: 2

OS version 6.06.6000.2.0.0.2561
Locale ID: 1033

Now on reboot I get no GUI, just a black screen with the mouse cursor, that is in normal and safe mode.

#11 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle Washington
  • Local time:04:01 AM

Posted 31 May 2011 - 07:57 PM

Hi
OK, let's see if we can get you back.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given options. Please select "Last Known Good Configuration" and hit enter.

Let me know if that gets you back to the GUI.

Thanks
maranatha



#12 Lamb1

Lamb1
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Zealand
  • Local time:11:01 PM

Posted 31 May 2011 - 10:04 PM

OK tried that and it booted with no GUI again unfortunately.

#13 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle Washington
  • Local time:04:01 AM

Posted 31 May 2011 - 10:37 PM

Hi
OK do you have access to a USB thumb drive? Also I'm guessing you are posting from a clean computer. Correct?

If so try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer

Download http://noahdfear.net/downloads/rst.sh to the USB drive
  • Insert the USB drive in the Sick computer and boot the computer from the usb drive.
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it
Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review

Edited by maranatha, 31 May 2011 - 11:28 PM.



#14 Lamb1

Lamb1
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Zealand
  • Local time:11:01 PM

Posted 01 June 2011 - 02:28 AM

Hi,

Followed all steps and log is below.

And yes, I'm posting from a clean computer. Normally from my home desktop, but sometimes from my work desktop.

53.0M Jun 1 03:04 /mnt/sda2/Windows/System32/config/software
23.5M Jun 1 03:03 /mnt/sda2/Windows/System32/config/system

Edited by Lamb1, 01 June 2011 - 05:56 AM.


#15 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Seattle Washington
  • Local time:04:01 AM

Posted 01 June 2011 - 09:34 PM

Hi Lamb1
Was that the whole log?
It's not showing any restore points, It should at least have the one you manually created.

When you reboot the computer, does it give you the option to boot into the Microsoft Recovery Console? It would be right under Windows Vista.
