
Explorer.EXE - Application Error


This topic is locked. 19 replies to this topic.

#1 willchas


Posted 10 September 2011 - 05:20 PM

On Windows Startup: Explorer.EXE - Application Error

I have been working on a relative's desktop, and when Windows XP
starts up the following error comes up:
Explorer.exe Application Error.
The instruction at "0x7c9345fa" referenced memory at "0X0000000007".
The memory could not be read.

If I click OK the desktop
goes blank and I have to use task manager to log back in.

I have installed the following applications, which have found and
removed some viruses, but the problem still persists.
MalwareBytes
Avast
ComboFix
Smitfraudfix
VundoFix
SuperAntiSpyware


I am posting the HijackThis log to see if anybody can find out what the issue may be.
Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:23:05, on 9/10/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\logitech\quickcam\lu\lulnchr.exe
c:\program files\logitech\quickcam\lu\LogitechUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {67C79BFD-1F19-DE02-922C-AA589BFDD35D} - c:\windows\system32\evsuklor.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: TBSB05974 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - (no file)
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMABLAE0AQwAtAEUAOQBWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA"&"inst=NwA3AC0ANAA1ADQANQA1ADgANQAzADkALQBGAFAAOQArADYALQBCAEEAUgA5AEcAKwAxAC0ARgBMACsAOQAtAFgATwAzADYAKwAxAC0ARgA5AE0ANwBDACsANQAtAEYAOQBNADEAMABCACsAMgA"&"prod=90"&"ver=9.0.872
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263816827218
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

--
End of file - 7312 bytes
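Added example, not part of the thread or of HijackThis/ComboFix: a small Python triage script that applies the reading rules a malware-response helper uses on logs like the one above. The HJT log's standout entry is the O2 BHO with "(no name)" pointing at c:\windows\system32\evsuklor.dll; on Windows XP the shell (Explorer.exe) loads BHOs as well as Internet Explorer, so an unnamed BHO is the first place to look for an Explorer crash at startup. The two "(no file)" BHOs are orphaned registrations from earlier cleanup. The script also parses ComboFix-style service lines (the "R0 name;display;path" form that appears later in this thread) and flags randomly named drivers and services, especially a made-up service name hosted in the "netsvcs" svchost group. Sample lines are copied from this thread's logs; the `Finding` type, the rule thresholds and the random-name heuristic are my own assumptions, and a hit means "examine this file", not "this is malware".

```python
"""Heuristic triage of HijackThis (O2/O4/O23) and ComboFix service lines.
Added example; rules are reading aids, not verdicts."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "low"
    reason: str
    line: str


VOWELS = set("aeiou")
# A Windows path ending in a loadable/executable extension, possibly quoted.
PATH_RE = re.compile(r'([a-z]:\\[^"]*?\.(?:exe|dll|sys|bat|cpl))\b', re.I)
HJT_RE = re.compile(r"^(O\d+)\s*-\s*(.*)$")
# ComboFix service/driver line: "S2 name;display name;image path [date size]"
CF_SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)(?:\s+\[.*\])?$")


def looks_random(name: str) -> bool:
    """Crude check for machine-generated file or service names.

    Flags all-digit stems (56546349.sys) and letter stems with almost no
    vowels or a long consonant run (yzhghvqv). Thresholds are assumptions;
    pronounceable junk such as evsuklor slips through, and terse vendor
    names (LVPrcSrv) can trip it, so treat a hit as a pointer only.
    """
    stem = re.sub(r"\.[a-z0-9]+$", "", name.lower())
    if stem.isdigit():
        return len(stem) >= 6
    letters = "".join(c for c in stem if c.isalpha())
    if len(letters) < 7:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 6


def _basename(path: str) -> str:
    return path.rstrip("\\").split("\\")[-1]


def _hjt_rules(kind: str, body: str, line: str) -> list:
    if "(no file)" in body:
        # Orphaned registration: nothing loads, but it records past cleanup.
        return [Finding("low", "orphaned entry, target file missing", line)]
    out = []
    if kind == "O2" and body.startswith("BHO: (no name)"):
        # Legitimate BHOs carry a name; on XP Explorer.exe loads BHOs too.
        out.append(Finding("high", "BHO registered without a name", line))
    m = PATH_RE.search(body)
    if m:
        path = m.group(1)
        if re.search(r"\\temp\\", path, re.I):
            out.append(Finding("high", "binary launched from a temp directory", line))
        if looks_random(_basename(path)):
            out.append(Finding("high", "randomly named binary", line))
    return out


def _combofix_rules(kind: str, name: str, path: str, line: str) -> list:
    if not looks_random(name):
        return []
    if re.search(r"svchost\.exe\s+-k\s+netsvcs", path, re.I):
        # A made-up service name in the netsvcs group is the classic way
        # malware gets its DLL loaded by a trusted svchost.exe process.
        return [Finding("high", "randomly named service hosted in the netsvcs svchost group", line)]
    if kind == "R0":
        return [Finding("high", "randomly named boot-start driver", line)]
    return [Finding("high", "randomly named service", line)]


def triage(lines) -> list:
    """Run every rule over an iterable of log lines; findings keep input order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = HJT_RE.match(line)
        if m:
            findings.extend(_hjt_rules(m.group(1), m.group(2), line))
            continue
        m = CF_SERVICE_RE.match(line)
        if m:
            kind, name, _display, path = m.groups()
            findings.extend(_combofix_rules(kind, name, path, line))
    return findings


# Sample input: lines copied from the HijackThis and ComboFix logs in this thread.
SAMPLE = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {67C79BFD-1F19-DE02-922C-AA589BFDD35D} - c:\windows\system32\evsuklor.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
R0 56546349;56546349;c:\windows\system32\drivers\56546349.sys [9/11/2011 1:58 PM 133208]
S2 yzhghvqv;USB Mass Storage Monitor;c:\windows\System32\svchost.exe -k netsvcs [4/14/2008 8:00 AM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/26/2011 9:57 PM 136176]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Running it on the sample yields four findings: the orphaned BHO (low), the unnamed BHO at evsuklor.dll (high), the all-digit boot-start driver (high) and the netsvcs-hosted service with a random name (high); the Avast entries produce nothing. The avast lines are the control: a rule set that flags the AV's own files is worse than no rule set.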



#2 etavares (Malware Response Team)

Posted 17 September 2011 - 05:45 AM

Welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.sys /90
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\*
    %USERPROFILE%\..|smtmp;true;true;true /FP
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT
  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 willchas (Topic Starter)

Posted 20 September 2011 - 11:03 PM

Thanks for the response. I attach the GMER log, OTL log and the OTL extras log. I hope this will help someone figure out what is wrong with this PC.

Attached Files



#4 etavares (Malware Response Team)

Posted 21 September 2011 - 05:31 PM

Thanks! You also said you ran Combofix. Can you please post C:\Combofix.txt? I really need to see what it removed.




#5 willchas (Topic Starter)

Posted 23 September 2011 - 08:32 PM

Here is the latest one I have on my machine.

#6 etavares (Malware Response Team)

Posted 24 September 2011 - 05:40 AM

It looks like it didn't attach. You can also copy/paste the contents of it.




#7 willchas (Topic Starter)

Posted 25 September 2011 - 09:24 AM

ComboFix 11-09-12.05 - Administrator 09/12/2011 22:49:32.4.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.470 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\virus\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-13 to 2011-09-13 )))))))))))))))))))))))))))))))
.
.
2011-09-13 02:35 . 2011-09-13 02:35 -------- d-----w- c:\windows\LastGood
2011-09-11 17:58 . 2011-09-11 23:04 133208 ----a-w- c:\windows\system32\drivers\56546349.sys
2011-09-11 14:03 . 2011-06-23 18:36 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-09-11 14:03 . 2011-06-23 18:36 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-09-11 14:03 . 2011-06-23 18:36 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-09-11 14:03 . 2011-06-23 18:36 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-09-11 14:03 . 2011-06-23 18:36 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-09-11 14:03 . 2011-06-23 18:36 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-09-11 14:03 . 2011-06-23 18:36 11081728 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-09-11 05:19 . 2011-09-11 05:19 -------- d-----w- c:\program files\ESET
2011-09-10 21:21 . 2011-09-10 21:21 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-10 21:21 . 2011-09-10 21:21 -------- d-----w- c:\program files\Trend Micro
2011-09-10 20:39 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-10 20:38 . 2011-09-10 20:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-10 20:38 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-10 18:48 . 2011-09-10 18:48 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-09-09 04:28 . 2008-04-14 09:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-09-09 04:28 . 2001-08-18 02:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-09-09 04:28 . 2008-04-14 09:42 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-09-09 04:28 . 2001-08-18 02:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-09-09 04:28 . 2001-08-18 02:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-09-09 04:27 . 2001-08-18 02:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2011-09-09 04:27 . 2001-08-17 16:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2011-09-09 04:27 . 2008-04-14 02:04 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-09-09 04:27 . 2008-04-14 02:04 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-09-09 04:27 . 2008-04-14 09:42 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2011-09-09 04:27 . 2008-04-14 04:06 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2011-09-09 04:27 . 2008-04-14 02:05 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2011-09-09 04:27 . 2001-08-17 16:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2011-09-09 04:25 . 2001-08-17 17:28 64605 -c--a-w- c:\windows\system32\dllcache\vvoice.sys
2011-09-09 04:25 . 2001-08-17 17:28 397502 -c--a-w- c:\windows\system32\dllcache\vpctcom.sys
2011-09-09 04:25 . 2001-08-17 17:28 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2011-09-09 04:25 . 2001-08-17 16:14 249402 -c--a-w- c:\windows\system32\dllcache\vinwm.sys
2011-09-09 04:25 . 2001-08-17 17:49 24576 -c--a-w- c:\windows\system32\dllcache\viairda.sys
2011-09-09 04:25 . 2008-04-14 04:10 5376 -c--a-w- c:\windows\system32\dllcache\viaide.sys
2011-09-09 04:25 . 2001-08-17 17:28 687999 -c--a-w- c:\windows\system32\dllcache\usrwdxjs.sys
2011-09-09 04:25 . 2001-08-17 17:28 765884 -c--a-w- c:\windows\system32\dllcache\usrti.sys
2011-09-09 04:25 . 2001-08-17 17:28 113762 -c--a-w- c:\windows\system32\dllcache\usrpda.sys
2011-09-09 04:25 . 2001-08-17 17:28 7556 -c--a-w- c:\windows\system32\dllcache\usroslba.sys
2011-09-09 04:25 . 2001-08-17 17:28 224802 -c--a-w- c:\windows\system32\dllcache\usr1807a.sys
2011-09-09 04:25 . 2001-08-17 17:28 794399 -c--a-w- c:\windows\system32\dllcache\usr1806v.sys
2011-09-09 04:25 . 2001-08-17 17:28 793598 -c--a-w- c:\windows\system32\dllcache\usr1806.sys
2011-09-09 04:23 . 2001-08-17 16:51 166784 -c--a-w- c:\windows\system32\dllcache\tridxpm.sys
2011-09-09 04:22 . 2001-08-17 16:51 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2011-09-09 04:22 . 2001-08-17 18:56 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2011-09-09 04:22 . 2008-04-14 04:10 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2011-09-09 04:22 . 2001-08-17 16:13 17129 -c--a-w- c:\windows\system32\dllcache\tdkcd31.sys
2011-09-09 04:22 . 2001-08-17 16:13 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2011-09-09 04:22 . 2001-08-17 17:49 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2011-09-09 04:22 . 2001-08-17 17:52 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys
2011-09-09 04:22 . 2001-08-17 16:50 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys
2011-09-09 04:22 . 2001-08-17 18:56 172768 -c--a-w- c:\windows\system32\dllcache\t2r4disp.dll
2011-09-09 04:22 . 2001-08-17 18:07 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2011-09-09 04:22 . 2001-08-17 18:07 16256 -c--a-w- c:\windows\system32\dllcache\symc810.sys
2011-09-09 04:22 . 2001-08-17 18:07 30688 -c--a-w- c:\windows\system32\dllcache\sym_u3.sys
2011-09-09 04:22 . 2001-08-17 18:07 28384 -c--a-w- c:\windows\system32\dllcache\sym_hi.sys
2011-09-09 04:20 . 2001-08-17 17:51 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2011-09-09 04:20 . 2001-08-18 02:36 106584 -c--a-w- c:\windows\system32\dllcache\spdports.dll
2011-09-09 04:20 . 2001-08-17 18:07 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2011-09-09 04:20 . 2001-08-17 17:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2011-09-09 04:20 . 2001-08-17 16:51 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2011-09-09 04:20 . 2001-08-18 02:36 114688 -c--a-w- c:\windows\system32\dllcache\sonypi.dll
2011-09-09 04:20 . 2001-08-17 16:51 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2011-09-09 04:20 . 2001-08-17 17:53 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2011-09-09 04:20 . 2008-04-14 04:10 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2011-09-09 04:20 . 2001-08-17 17:53 7040 -c--a-w- c:\windows\system32\dllcache\snyaitmc.sys
2011-09-09 04:20 . 2008-04-14 12:00 8704 -c--a-w- c:\windows\system32\dllcache\OLD92F.tmp
2011-09-09 04:20 . 2008-04-14 12:00 39936 -c--a-w- c:\windows\system32\dllcache\OLD92C.tmp
2011-09-09 04:20 . 2008-04-14 12:00 456192 -c--a-w- c:\windows\system32\dllcache\OLD917.tmp
2011-09-09 04:18 . 2001-08-17 16:12 91294 -c--a-w- c:\windows\system32\dllcache\skfpwin.sys
2011-09-09 04:18 . 2001-08-17 16:12 94698 -c--a-w- c:\windows\system32\dllcache\sk98xwin.sys
2011-09-09 04:18 . 2001-08-17 18:56 157696 -c--a-w- c:\windows\system32\dllcache\sisv256.dll
2011-09-09 04:18 . 2001-08-17 16:50 50432 -c--a-w- c:\windows\system32\dllcache\sisv.sys
2011-09-09 04:18 . 2008-04-14 02:05 32768 -c--a-w- c:\windows\system32\dllcache\sisnic.sys
2011-09-09 04:18 . 2001-08-18 02:36 238592 -c--a-w- c:\windows\system32\dllcache\sisgrv.dll
2011-09-09 04:18 . 2001-08-17 16:50 104064 -c--a-w- c:\windows\system32\dllcache\sisgrp.sys
2011-09-09 04:18 . 2001-08-17 18:56 150144 -c--a-w- c:\windows\system32\dllcache\sis6306v.dll
2011-09-09 04:18 . 2001-08-17 16:50 68608 -c--a-w- c:\windows\system32\dllcache\sis6306p.sys
2011-09-09 04:18 . 2001-08-17 18:56 252032 -c--a-w- c:\windows\system32\dllcache\sis300iv.dll
2011-09-09 04:18 . 2001-08-17 16:50 101760 -c--a-w- c:\windows\system32\dllcache\sis300ip.sys
2011-09-09 04:17 . 2001-07-21 18:29 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
2011-09-09 04:17 . 2001-07-21 18:29 18400 -c--a-w- c:\windows\system32\dllcache\sgsmld.sys
2011-09-09 04:17 . 2001-08-17 16:51 98080 -c--a-w- c:\windows\system32\dllcache\sgiulnt5.sys
2011-09-09 04:17 . 2001-08-18 02:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2011-09-09 04:17 . 2001-08-17 16:19 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2011-09-09 04:17 . 2001-08-17 17:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2011-09-09 04:17 . 2001-08-17 17:48 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2011-09-09 04:17 . 2001-08-17 17:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2011-09-09 04:17 . 2008-04-14 04:15 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2011-09-09 04:17 . 2001-08-17 17:52 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2011-09-09 04:16 . 2001-08-17 17:51 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2011-09-09 04:16 . 2001-08-17 17:51 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2011-09-09 04:16 . 2001-08-17 17:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys
2011-09-09 04:16 . 2001-08-17 17:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2011-09-09 04:16 . 2008-04-14 04:10 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2011-09-09 04:16 . 2001-08-18 02:36 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2011-09-09 04:16 . 2001-08-17 16:50 75392 -c--a-w- c:\windows\system32\dllcache\s3savmxm.sys
2011-09-09 04:16 . 2001-08-17 18:56 245632 -c--a-w- c:\windows\system32\dllcache\s3savmx.dll
2011-09-09 04:16 . 2001-08-17 16:50 77824 -c--a-w- c:\windows\system32\dllcache\s3sav4m.sys
2011-09-09 04:16 . 2001-08-17 18:56 198400 -c--a-w- c:\windows\system32\dllcache\s3sav4.dll
2011-09-09 04:16 . 2001-08-17 16:50 61504 -c--a-w- c:\windows\system32\dllcache\s3sav3dm.sys
2011-09-09 04:14 . 2001-08-18 02:36 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll
2011-09-09 04:14 . 2001-08-17 16:19 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys
2011-09-09 04:14 . 2008-04-14 04:10 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2011-09-09 04:14 . 2001-08-17 16:12 37563 -c--a-w- c:\windows\system32\dllcache\rlnet5.sys
2011-09-09 04:14 . 2001-08-18 02:36 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2011-09-09 04:14 . 2001-08-17 17:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2011-09-09 04:12 . 2001-08-17 17:28 128286 -c--a-w- c:\windows\system32\dllcache\ptserli.sys
2011-09-09 04:12 . 2008-04-14 09:42 159232 -c--a-w- c:\windows\system32\dllcache\ptpusd.dll
2011-09-09 04:12 . 2001-08-18 02:36 5632 -c--a-w- c:\windows\system32\dllcache\ptpusb.dll
2011-09-09 04:12 . 2001-08-18 02:36 35328 -c--a-w- c:\windows\system32\dllcache\psisload.dll
2011-09-09 04:12 . 2008-04-14 09:42 363520 -c--a-w- c:\windows\system32\dllcache\psisdecd.dll
2011-09-09 04:12 . 2001-08-17 17:51 16128 -c--a-w- c:\windows\system32\dllcache\pscr.sys
2011-09-09 04:12 . 2008-04-14 04:11 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2011-09-09 04:12 . 2001-08-17 17:53 17792 -c--a-w- c:\windows\system32\dllcache\ppa.sys
2011-09-09 04:12 . 2008-04-14 04:10 8832 -c--a-w- c:\windows\system32\dllcache\powerfil.sys
2011-09-09 04:12 . 2001-08-17 17:53 7168 -c--a-w- c:\windows\system32\dllcache\pnrmc.sys
2011-09-09 04:12 . 2001-08-18 02:36 121344 -c--a-w- c:\windows\system32\dllcache\phvfwext.dll
2011-09-09 04:10 . 2001-08-17 16:12 26153 -c--a-w- c:\windows\system32\dllcache\pcmlm56.sys
2011-09-09 04:09 . 2001-08-17 17:28 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2011-09-09 04:09 . 2001-08-17 16:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2011-09-09 04:09 . 2001-08-17 16:12 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2011-09-09 04:09 . 2001-08-17 16:20 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2011-09-09 04:09 . 2008-04-14 04:16 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2011-09-09 04:09 . 2001-08-17 16:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-03 17:38 . 2011-07-27 01:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-03 10:17 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-03 01:35 . 2011-08-03 01:35 707 ----a-w- c:\windows\.pif
2011-07-31 21:39 . 2011-07-31 21:39 0 ---ha-w- c:\windows\jjhmosyoso.tmp
2011-07-29 22:03 . 2011-07-29 22:03 818176 ----a-w- c:\windows\system32\evsuklor.dll
2011-07-15 13:29 . 2008-04-14 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-04-14 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2009-12-07 12:11 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-09-13_02.34.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-13 02:38 . 2010-07-05 13:15 17272 c:\windows\ie8updates\KB2559049-IE8\spmsg.dll
+ 2011-09-13 02:38 . 2010-07-05 13:15 26488 c:\windows\ie8updates\KB2559049-IE8\spcustom.dll
+ 2011-09-13 02:39 . 2010-07-05 13:15 17272 c:\windows\ie8updates\KB2544521-IE8\spmsg.dll
+ 2011-09-13 02:39 . 2010-07-05 13:15 26488 c:\windows\ie8updates\KB2544521-IE8\spcustom.dll
+ 2011-09-13 02:39 . 2010-07-05 13:15 17272 c:\windows\ie8updates\KB2510531-IE8\spmsg.dll
+ 2011-09-13 02:39 . 2010-07-05 13:15 26488 c:\windows\ie8updates\KB2510531-IE8\spcustom.dll
+ 2011-09-13 02:36 . 2011-09-13 02:45 2942 c:\windows\SoftwareDistribution\EventCache\{187AF8B7-9F77-42A0-8145-91DCB72D2D94}.bin
+ 2008-04-14 12:00 . 2011-03-04 06:37 420864 c:\windows\system32\vbscript.dll
+ 2008-04-14 12:00 . 2011-06-23 18:36 105984 c:\windows\system32\url.dll
- 2008-04-14 12:00 . 2009-03-08 08:34 105984 c:\windows\system32\url.dll
+ 2008-04-14 12:00 . 2011-03-04 06:37 726528 c:\windows\system32\jscript.dll
- 2008-04-14 12:00 . 2009-03-08 08:33 726528 c:\windows\system32\jscript.dll
+ 2009-12-07 12:12 . 2011-04-30 03:01 758784 c:\windows\system32\dllcache\vgx.dll
+ 2008-04-14 12:00 . 2011-03-04 06:37 420864 c:\windows\system32\dllcache\vbscript.dll
- 2008-04-14 12:00 . 2009-03-08 08:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2008-04-14 12:00 . 2011-03-04 06:37 726528 c:\windows\system32\dllcache\jscript.dll
+ 2008-04-14 12:00 . 2011-06-23 18:36 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2008-04-14 12:00 . 2011-06-23 18:36 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-04-14 12:00 . 2011-06-23 12:05 173568 c:\windows\system32\dllcache\ie4uinit.exe
+ 2011-09-13 02:38 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2559049-IE8\updspapi.dll
+ 2011-09-13 02:38 . 2010-07-05 13:15 755576 c:\windows\ie8updates\KB2559049-IE8\update.exe
+ 2011-09-13 02:38 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2559049-IE8\spuninst.exe
+ 2011-09-13 02:39 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2544521-IE8\updspapi.dll
+ 2011-09-13 02:39 . 2010-07-05 13:15 755576 c:\windows\ie8updates\KB2544521-IE8\update.exe
+ 2011-09-13 02:39 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2544521-IE8\spuninst.exe
+ 2011-09-13 02:39 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2510531-IE8\updspapi.dll
+ 2011-09-13 02:39 . 2010-07-05 13:15 755576 c:\windows\ie8updates\KB2510531-IE8\update.exe
+ 2011-09-13 02:39 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2510531-IE8\spuninst.exe
+ 2008-04-14 12:00 . 2011-06-23 18:36 1212416 c:\windows\system32\urlmon.dll
+ 2008-04-14 12:00 . 2011-07-25 15:17 5969920 c:\windows\system32\mshtml.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67C79BFD-1F19-DE02-922C-AA589BFDD35D}]
2011-07-29 22:03 818176 ----a-w- c:\windows\system32\evsuklor.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMABLAE0AQwAtAEUAOQBWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA&inst=NwA3AC0ANAA1ADQANQA1ADgANQAzADkALQBGAFAAOQArADYALQBCAEEAUgA5AEcAKwAxAC0ARgBMACsAOQAtAFgATwAzADYAKwAxAC0ARgA5AE0ANwBDACsANQAtAEYAOQBNADEAMABCACsAMgA&prod=90&ver=9.0.872" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
_uninst_56546349.lnk - c:\documents and settings\Administrator\Local Settings\temp\_uninst_56546349.bat [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstallIQUpdater]
c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MotoConnect Service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"37420:TCP"= 37420:TCP:@xpsp2res.dll,-22009
.
R0 56546349;56546349;c:\windows\system32\drivers\56546349.sys [9/11/2011 1:58 PM 133208]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/30/2011 7:39 AM 441176]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/30/2011 7:39 AM 309848]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/30/2011 7:39 AM 19544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/26/2011 9:57 PM 136176]
S2 yzhghvqv;USB Mass Storage Monitor;c:\windows\System32\svchost.exe -k netsvcs [4/14/2008 8:00 AM 14336]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [4/13/2010 10:05 AM 16512]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/26/2011 9:57 PM 136176]
S4 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [4/21/2011 10:11 PM 91456]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
yzhghvqv
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-27 01:57]
.
2011-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-27 01:57]
.
2011-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1645522239-839522115-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-04 15:07]
.
2011-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1645522239-839522115-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-04 15:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{EA6FA74D-235E-4C80-B57B-5C6C80828C3C}: DhcpNameServer = 10.0.0.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-12 22:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1708537768-1645522239-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f4,2b,2d,95,3e,3a,ca,4f,85,47,97,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f4,2b,2d,95,3e,3a,ca,4f,85,47,97,\
.
Completion time: 2011-09-12 22:58:18
ComboFix-quarantined-files.txt 2011-09-13 02:58
ComboFix2.txt 2011-09-13 02:42
ComboFix3.txt 2011-08-30 02:58
ComboFix4.txt 2011-08-23 02:07
.
Pre-Run: 20,435,996,672 bytes free
Post-Run: 20,429,434,880 bytes free
.
- - End Of File - - BEE4B4D38C42C0841E3E91B931258723

Attached Files
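Two entries in the Reg Loading Points section above stand out to a responder: a driver whose name is only digits (56546349.sys) and a service with a random-looking name (yzhghvqv) that runs inside svchost -k netsvcs and has been added to the netsvcs group. The following Python script is an added example, not part of this thread or of ComboFix; it parses service lines and the NetSvcs block in that log format and applies those checks mechanically. The XP netsvcs baseline list is a partial one assumed for the example, and the sample lines are copied from the log above.

```python
import re

# Matches a service/driver line in ComboFix's "Reg Loading Points" section:
#   <R|S><start type> <name>;<display name>;<image path> [<date> <time> <size>]
SERVICE_RE = re.compile(
    r"^(?P<type>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
NETSVCS_HOST_RE = re.compile(r"svchost\.exe\s+-k\s+netsvcs\b", re.IGNORECASE)

# Partial list of services that legitimately live in the netsvcs group on a
# stock Windows XP SP3 install. This baseline is an assumption of the example;
# in practice, take it from HKLM\...\Svchost\netsvcs on a known-clean machine.
XP_NETSVCS_BASELINE = {name.lower() for name in (
    "AppMgmt", "AudioSrv", "BITS", "Browser", "CryptSvc", "EventSystem",
    "helpsvc", "LanmanServer", "LanmanWorkstation", "Netman", "Nla",
    "RasAuto", "RasMan", "Schedule", "seclogon", "SENS", "SharedAccess",
    "ShellHWDetection", "Themes", "TrkWks", "W32Time", "winmgmt",
    "wscsvc", "wuauserv", "WZCSVC", "xmlprov",
)}


def looks_random(name):
    """Crude name heuristic: all digits, or eight or more letters without a single vowel."""
    if name.isdigit():
        return True
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 8 and not any(c in "aeiou" for c in letters)


def triage_loading_points(log_text):
    """Return {entry name: [reasons]} for service/driver entries worth a closer look."""
    findings = {}

    def flag(name, reason):
        findings.setdefault(name, []).append(reason)

    in_netsvcs_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        # The "Svchost - NetSvcs" block lists the group's members one per line,
        # terminated by ComboFix's "." separator.
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs_block = True
            continue
        if in_netsvcs_block:
            if line in ("", "."):
                in_netsvcs_block = False
            elif line.lower() not in XP_NETSVCS_BASELINE:
                flag(line, "added to the netsvcs group but not in the XP baseline")
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, path = m.group("name"), m.group("path")
        if looks_random(name):
            flag(name, "random-looking service/driver name")
        if NETSVCS_HOST_RE.search(path) and name.lower() not in XP_NETSVCS_BASELINE:
            flag(name, "hosted by svchost -k netsvcs but not a stock XP netsvcs member")
        if re.search(r"\\temp\\", path, re.IGNORECASE):
            flag(name, "image path is under a temp directory")
    return findings


# Service lines and the NetSvcs block copied from the ComboFix log above.
SAMPLE_LOG = r"""
R0 56546349;56546349;c:\windows\system32\drivers\56546349.sys [9/11/2011 1:58 PM 133208]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/30/2011 7:39 AM 441176]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/26/2011 9:57 PM 136176]
S2 yzhghvqv;USB Mass Storage Monitor;c:\windows\System32\svchost.exe -k netsvcs [4/14/2008 8:00 AM 14336]
S4 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [4/21/2011 10:11 PM 91456]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
yzhghvqv
.
"""

if __name__ == "__main__":
    for name, reasons in triage_loading_points(SAMPLE_LOG).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

The name heuristic is deliberately narrow (digits only, or long and vowel-free) so that legitimate short vendor names such as aswSnx or gupdate are not flagged; the netsvcs membership check is the stronger signal, because a service that asks svchost to host it under a name Windows never ships is exactly how the yzhghvqv entry above hides.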



#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:21 PM

Posted 26 September 2011 - 07:50 PM

Hello, willchas.

OK, great... I do see many other runs of Combofix... the last one didn't do anything. Instead of digging through all of those, let's look at explorer.exe.

Download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

If you have a 64-bit system, please download the 64 bit version from here:
SystemLook (64-bit)

  • Double-click SystemLook.exe to run it.
  • A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :filefind
    explorer.*
    winlogon.*
    userinit.*
    
  • Please Confirm everything is copied and Pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.


Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task


etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#9 willchas

willchas
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:21 PM

Posted 27 September 2011 - 10:20 PM

Here you go.

SystemLook 30.07.11 by jpshortstuff
Log created at 23:16 on 27/09/2011 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.*"
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [12:00 14/04/2008] [12:00 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.scf --a---- 80 bytes [12:00 14/04/2008] [12:00 14/04/2008] A3975A7D2C98B30A2AE010754FFB9392
C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1033728 bytes [02:05 23/08/2011] [12:00 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf --a---- 59120 bytes [19:33 11/09/2011] [01:07 24/09/2011] 80E82D1D9E54FFFBE4538C2A3C94EE92
C:\WINDOWS\SDold\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe --a---- 1033728 bytes [12:41 31/12/2009] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\system32\dllcache\explorer.exe --a--c- 1033728 bytes [12:00 14/04/2008] [12:00 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "winlogon.*"
C:\WINDOWS\ERDNT\cache\winlogon.exe --a---- 507904 bytes [02:05 23/08/2011] [12:00 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\SDold\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe --a---- 507904 bytes [12:43 31/12/2009] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [12:00 14/04/2008] [12:00 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\dllcache\winlogon.exe --a--c- 507904 bytes [12:00 14/04/2008] [12:00 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

Searching for "userinit.*"
C:\WINDOWS\ERDNT\cache\userinit.exe --a---- 26112 bytes [02:05 23/08/2011] [12:00 14/04/2008] A93AEE1928A9D7CE3E16D24EC7380F89
C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf --a---- 27912 bytes [03:27 09/09/2011] [01:07 24/09/2011] 9C88BEDE7B891BF13CAC28A0D0C7B81B
C:\WINDOWS\SDold\Download\9866fb57abdc0ea2f5d4e132d055ba4e\userinit.exe --a---- 26112 bytes [12:43 31/12/2009] [00:12 14/04/2008] A93AEE1928A9D7CE3E16D24EC7380F89
C:\WINDOWS\system32\userinit.exe --a---- 26112 bytes [12:00 14/04/2008] [12:00 14/04/2008] A93AEE1928A9D7CE3E16D24EC7380F89
C:\WINDOWS\system32\dllcache\userinit.exe --a--c- 26112 bytes [12:00 14/04/2008] [12:00 14/04/2008] A93AEE1928A9D7CE3E16D24EC7380F89

-= EOF =-
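The point of the SystemLook request above is to compare the live explorer.exe, winlogon.exe and userinit.exe against the copies Windows keeps in dllcache and the ERDNT backups: if the live binary has been patched or replaced, its size or MD5 will differ from the reference copies. The script below is an added example, not part of this thread or of SystemLook; it parses that log format and produces a verdict per binary. The lists of reference and ignored directories are assumptions of the example, the explorer.* and winlogon.* lines are copied from the log above, and the userinit.* block is constructed with a placeholder hash to show what a mismatch looks like.

```python
import re
from collections import defaultdict

# One result line of a SystemLook :filefind scan:
#   <path> <attributes> <size> bytes [<modified>] [<created>] <MD5>
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<term>[^"]+)"$')

# Directories whose copies serve as references (Windows File Protection cache,
# ERUNT/ComboFix backups, old installer downloads) rather than the live binary.
# Assumed for this example.
REFERENCE_DIRS = ("\\system32\\dllcache\\", "\\erdnt\\", "\\sdold\\", "\\servicepackfiles\\")
# Prefetch traces are not copies of the binary at all.
IGNORE_DIRS = ("\\prefetch\\",)


def parse_systemlook(text):
    """Return {search term: [entry dict, ...]} parsed from SystemLook output."""
    results = defaultdict(list)
    term = None
    for line in text.splitlines():
        line = line.rstrip()
        m = SEARCH_RE.match(line)
        if m:
            term = m.group("term")
            continue
        m = ENTRY_RE.match(line)
        if m and term is not None:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            results[term].append(entry)
    return dict(results)


def classify(path):
    """Label a reported path as the live binary, a reference copy, or noise."""
    low = path.lower()
    if any(d in low for d in IGNORE_DIRS):
        return "ignore"
    if any(d in low for d in REFERENCE_DIRS):
        return "reference"
    return "live"


def compare_live_to_reference(results):
    """Per .exe basename: 'match' if every live copy has the size and MD5 of some
    reference copy, 'mismatch' otherwise; 'no-reference'/'no-live' if a side is absent."""
    verdicts = {}
    for entries in results.values():
        groups = defaultdict(lambda: {"live": [], "reference": []})
        for e in entries:
            name = e["path"].rsplit("\\", 1)[-1].lower()
            kind = classify(e["path"])
            if not name.endswith(".exe") or kind == "ignore":
                continue
            groups[name][kind].append((e["size"], e["md5"]))
        for name, g in groups.items():
            if not g["reference"]:
                verdicts[name] = "no-reference"
            elif not g["live"]:
                verdicts[name] = "no-live"
            elif set(g["live"]) <= set(g["reference"]):
                verdicts[name] = "match"
            else:
                verdicts[name] = "mismatch"
    return verdicts


# explorer.* and winlogon.* copied from the log above; userinit.* is constructed,
# with a placeholder MD5 on the live copy to exercise the mismatch path.
SAMPLE_LOG = r"""
Searching for "explorer.*"
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [12:00 14/04/2008] [12:00 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.scf --a---- 80 bytes [12:00 14/04/2008] [12:00 14/04/2008] A3975A7D2C98B30A2AE010754FFB9392
C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1033728 bytes [02:05 23/08/2011] [12:00 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf --a---- 59120 bytes [19:33 11/09/2011] [01:07 24/09/2011] 80E82D1D9E54FFFBE4538C2A3C94EE92
C:\WINDOWS\SDold\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe --a---- 1033728 bytes [12:41 31/12/2009] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\system32\dllcache\explorer.exe --a--c- 1033728 bytes [12:00 14/04/2008] [12:00 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "winlogon.*"
C:\WINDOWS\ERDNT\cache\winlogon.exe --a---- 507904 bytes [02:05 23/08/2011] [12:00 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [12:00 14/04/2008] [12:00 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\dllcache\winlogon.exe --a--c- 507904 bytes [12:00 14/04/2008] [12:00 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

Searching for "userinit.*"
C:\WINDOWS\system32\userinit.exe --a---- 26112 bytes [12:00 14/04/2008] [12:00 14/04/2008] DEADBEEFDEADBEEFDEADBEEFDEADBEEF
C:\WINDOWS\system32\dllcache\userinit.exe --a--c- 26112 bytes [12:00 14/04/2008] [12:00 14/04/2008] A93AEE1928A9D7CE3E16D24EC7380F89
"""

if __name__ == "__main__":
    for name, verdict in sorted(compare_live_to_reference(parse_systemlook(SAMPLE_LOG)).items()):
        print(f"{name:14s} {verdict}")
```

A "match" only shows that the live file and the cached copies agree with each other; malware that replaces the dllcache copy as well would pass this check, so the final word is a comparison against a hash taken from installation media or a known-clean machine of the same service pack.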

#10 willchas

willchas
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:21 PM

Posted 27 September 2011 - 11:09 PM

Another reply. I reran ComboFix and it removed some files. I will attach the file.

Attached Files

  • Attached File  log.txt   23.88KB   2 downloads


#11 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:21 PM

Posted 30 September 2011 - 05:22 AM

Hello, willchas.

Those files look clean. Combofix didn't remove anything of significance. Please only run the tools I ask for, otherwise we'll work against each other. Let's get a quick scan.



Step 1

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

etavares




#12 willchas

willchas
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:21 PM

Posted 30 September 2011 - 09:39 PM

Thanks for all the help. I cannot explain it, but the explorer.exe error is not showing up anymore. I do not know what I can do if this issue comes back in the future. I will post the Malwarebytes log file, but it could not find any malicious items.

Attached Files



#13 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:21 PM

Posted 01 October 2011 - 05:25 AM

Hello, willchas.

OK, let's update a few programs with known security holes and get one final ESET scan.



Step 1

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 26 32-bit version. Note that if you have 64-bit Windows, the default is to use a 32-bit browser. If you modified your IE to use the 64-bit version, make sure to also download the 64-bit version.
  • Save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version(s) shown below:
    Java 6 Update 17
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u26-windows-i586-s.exe to install the newest version. If you downloaded the 64-bit version, make sure to install that as well.




Step 2

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It gives you the option to add the latest Avast definitions and recommends you do so. Ignore it and click No as it may crash your system or hang up and we don't need that info.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Note: aswMBR will save MBR.dat to your desktop. Do NOT delete it until I tell you your computer is clean. It is a backup of your MBR that we may need later.



Step 3

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

etavares




#14 willchas

willchas
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:21 PM

Posted 01 October 2011 - 09:32 AM

Did the scan; ESET found some infected files.
I attached both log files.

Attached Files



#15 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:21 PM

Posted 02 October 2011 - 07:06 AM

Hello, willchas.
Some other leftovers as well.




Step 1

We need to run an OTL script.
  • Please download OTL from one of the following mirrors if you do not still have it.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom.
    :files
    C:\Documents and Settings\All Users\Application Data\b513h2vulke4
    C:\Documents and Settings\Administrator\Local Settings\Application Data\b513h2vulke4
    C:\Documents and Settings\Administrator\Local Settings\Application Data\1wq31I7
    C:\Documents and Settings\Administrator\Local Settings\Application Data\OWSaTbG
    :OTL
    MsConfig - StartUpReg: InstallIQUpdater - hkey= - key= -  File not found
    MsConfig - StartUpReg: swg - hkey= - key= -  File not found
    O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\_uninst_56546349.lnk =  File not found
    O2 - BHO: (no name) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - No CLSID value found.
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    
  • Click the Run Fix button at the top.
  • Let the program run unhindered and reboot when it is done.
  • You will get a log when it is done, please post that in your reply.
  • Please then create a new OTL report....
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • A report will open, copy and paste it in a reply here.

etavares






