
Files that can not be deleted


  • This topic is locked
41 replies to this topic

#1 ThePreacher_sr

ThePreacher_sr

  • Members
  • 35 posts
  • OFFLINE
  • Local time:03:29 AM

Posted 06 October 2011 - 03:56 PM

After several postings and logs from system look, Broni said that maybe I should start a new topic here, that maybe you all can help me with this problem.

Here is a link to my first post to Bleeping Computer and some of the logs that I posted for Broni: http://www.bleepingcomputer.com/forums/topic421488.html

And here is the link to the last set of logs that Broni asked me to run and then post: http://www.bleepingcomputer.com/forums/topic421488.html/page__pid__2431949__st__15#entry2431949

If you need more info please let me know, I have been watching this thread every day.

One other thing that I've been noticing is that when I am on a "secure" page, like when I was trying to take a test at my online college, the computer kept trying to log me out. It is a timed quiz and if I cancel my browser I lose all my answers and get a zero for the test... not a good thing. The other thing that happened is that I was trying to buy tickets online to a show and the browser bar kept trying to change the page. It looked like someone was typing gibberish in the URL window and it kept trying to change the page on me.

I've helped my dad on his computer using a program that allows me to see and work on his computer from my house. That is what it reminded me of, like he was trying to type something at the same time I was and the computer was getting confused as to whose key typing to allow. I do not have wireless on this computer, but my wife's computer upstairs has a D-Link wireless card hooked up to it, but we are not networked together other than sharing the same Comcast Cable Internet. I don't have the D-Link router hooked up at this time either.

Thanks for any and all help you could provide.


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,660 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:29 AM

Posted 11 October 2011 - 04:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/422214 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 ThePreacher_sr

ThePreacher_sr
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:03:29 AM

Posted 12 October 2011 - 06:08 PM

How long does this GMER program take to run? I ran the DDS one and got both of those logs. I started this GMER program around 12 noon today and it is still running as I type. It's now 7:06 PM... that's over 7 hours so far.

I'm heading off to work in a couple hours, so I hope it's done when I get home tomorrow around 8 am.

Is this normal run time or did I do something wrong? I followed your directions and unclicked those boxes. So, I don't know if this is normal or not.

Thanks

#4 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:04:29 AM

Posted 14 October 2011 - 09:23 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Since GMER seemed to be giving you some trouble, try this one instead:

RKUnhooker anti-rootkit scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run RKUnhooker and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Scan With RKUnHooker
  • Please download Rootkit Unhooker. Save it to your desktop.
  • Extract RKUnhooker to your desktop
    Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file
    you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers, Stealth. Uncheck the rest. Then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
    Copy the entire contents of the report and paste it in a reply here.
Note** You may get this warning:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Just ignore it, click Cancel, then Accept. :thumbup2:

Please copy and paste the logs from DDS & RKUnhooker in your next reply.

Best Regards,
oneof4.


#5 ThePreacher_sr

ThePreacher_sr
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:03:29 AM

Posted 14 October 2011 - 10:46 AM

I finally got the GMER to work. I tried to copy and paste the logs like you requested, but an error message came up saying: "Your post was too long. Please go back and shorten it a little." So, I tried to attach all three files. The 2 DDS files (as you can see) attached, but when I tried to attach the GMER log I got another error message that said: "Error This file was too big to upload."

The only other way I know to share it with you is to go to this site and see it there. The GMER file that I tried to paste here and that I uploaded to that site is over 3.2 MB. Maybe that is why it wouldn't paste here.

http://www.mediafire.com/?35a20gdddgk8m72

ONCE AGAIN THANK YOU FOR ANY ASSISTANCE

Stan

Attached Files



#6 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:04:29 AM

Posted 14 October 2011 - 11:53 AM

Give me some time to research your logs, and I'll get back with you.

Best Regards,
oneof4.


#7 ThePreacher_sr

ThePreacher_sr
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:03:29 AM

Posted 14 October 2011 - 02:03 PM

Ok, thanks. Just let me know. The files with the zz.zzzz.zzz. etc are the ones I can't delete and the reason I think the GMER log was so huge.

Stan

#8 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:04:29 AM

Posted 15 October 2011 - 04:14 PM

Hi ThePreacher_sr :)

I notice from your scan log that you have installed on your machine one or more peer-to-peer file sharing programs. Please follow these instructions to remove it: Click on Start > Control Panel > Add/Remove Programs, then go down the list and choose the following:

  • uTorrent
Then choose Remove.
We do not ask you to do this without reason.

P2P programs form a direct conduit into your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further, if your P2P program is not configured correctly you may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

We may possibly be wasting our time in cleaning your machine if you continue to use P2P programs, as it is pretty much certain that if you continue to use them then you will get infected again.

==========

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.

I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight Viewpoint Media Player, click Remove.
  • Do the same for each Viewpoint component.

==========

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

==========

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close/disable your PC Tools Firewall, as it could prevent ComboFix and other tools we may use from running properly.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click ComboFix's window while it's running... that may cause the scan to stall.

Best Regards,
oneof4.


#9 ThePreacher_sr

ThePreacher_sr
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:03:29 AM

Posted 15 October 2011 - 08:19 PM

Well, that was a wasted couple of hours. Not your fault, mine for forgetting to ask you how I get my PC Tools firewall and ThreatFire to not load on restart of my computer.

The Combo Fix worked as it was described on that page I went to. Then when it rebooted my computer I had a bunch of warnings from my firewall and ThreatFire. I tried closing all of them, but Combo Fix just had that blue screen up saying that it was generating a log. I let it go for about a half hour with no change. Then I thought maybe the firewall and antivirus were prohibiting it from displaying, so I suspended or turned those off and waited another half hour with no change to the Combo Fix screen.

So, what should I do now? Should I rerun the Combo Fix and if I should, how do I keep from repeating this same scenario?

Thanks again for your help. With your expertise :busy: and my blundering :whistle: , maybe we'll get this thing fixed. :thumbsup:

Stan

#10 ThePreacher_sr

ThePreacher_sr
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:03:29 AM

Posted 16 October 2011 - 11:32 AM

Ok, disregard my last post. I went under Services and disabled and stopped all the services for my PC Tools and then ran the Combo Fix again. Here it is, copied and pasted:

I can't really do too much on my computer the way it is, so I'm just gonna leave the PC Tools stuff disabled and the computer off till I hear back from you. I'll check for your reply on one of my other computers.

Thanks again, for any and all help.

Stan

Edited by ThePreacher_sr, 16 October 2011 - 11:36 AM.


#11 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:04:29 AM

Posted 16 October 2011 - 01:08 PM

How is the computer running, now that ComboFix has been run?

Best Regards,
oneof4.


#12 ThePreacher_sr

ThePreacher_sr
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:03:29 AM

Posted 16 October 2011 - 03:26 PM

Well, my programs are not nearly as sluggish when I try to bring up multiple programs at one time. The internet connection in Mozilla is a lot less laggy.

I haven't tried to buy anything or take any test to see if it tries to redirect me elsewhere.

The only thing that is still not working right is the fact that I can't delete those 2 files in my C drive. I just tried using a program called "Active Eraser" and as soon as I check the boxes for those files and hit delete, it doesn't delete them, in fact it shuts down the Active Eraser program.

Other than that, it seems to be working pretty good.

Do you think it would be ok to bring up my PC tools stuff now?

Edited by ThePreacher_sr, 16 October 2011 - 03:26 PM.


#13 ThePreacher_sr

ThePreacher_sr
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:03:29 AM

Posted 16 October 2011 - 07:14 PM

Well, I've run it for a couple more hours, trying to get it to act up, and other than not being able to delete those files, all seems pretty good.

THANKS!!!

As for those files, what do you think they are, and why won't they delete, and why does my eraser program shut down when I try to delete them? I see they were created at the end of September this year. That's when most of these problems started, especially the one that tried to end my college tests.

Stan

#14 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:04:29 AM

Posted 17 October 2011 - 07:00 AM

Hey :)

As for those files, what do you think they are and why won't they delete and why does my eraser program shut down when I try to delete them?

If research proves to be correct, the files apparently are related to CCleaner. See this link for a similar situation.

I am inclined to go ahead and have you uninstall CCleaner, and see if that resolves the issue. If CC is a program that you use often, then you can reinstall it later.

Go ahead and give it a try, then report back with the results.

Best Regards,
oneof4.


#15 ThePreacher_sr

ThePreacher_sr
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:03:29 AM

Posted 19 October 2011 - 04:50 PM

I deleted CCleaner and the files were still there, even after a reboot. The computer seemed to work fine for that one day, but now, since I've rebooted, it seems to be laggier than usual. When I turn my computer off for the night and start it up the next day, it takes about 5 minutes for it to be fully functional. The first time I rebooted after Combo Fix, I actually had to wait 7 minutes for my icons to appear. That had happened regularly about a year ago and I repaired it, but I can't remember how, or what someone told me to do to fix it. They are back on now after a reboot; it only happened that one time.

One thing that I've noticed is that when I do reboot or restart, the first screen to come up is my vid card screen and computer info. Then I get a total black screen (not even a blinking cursor) for about 45 seconds. Then a screen comes up that has 3 entries: 1. Microsoft Windows Recovery Console 2. do not select this (debugger enabled) 3. Microsoft XP Professional. The capitalization is how I see it on the screen. #2 does not have any capital letters; that's what caught my eye the first time. This first came up when I first installed Combo Fix.

Before I installed Combo Fix, that window would come up but it did not have #2 on it, and it would stay up until I clicked on #3. Then it would proceed as normal. Now that screen comes up, lasts for about 3 seconds, and then goes into the Windows XP screen with the moving bar, then to my desktop.

Another thing: I can't boot up into safe mode. When I press F8 it will go to that screen that shows all those Multipartition things, and then it says Windows is starting up and then goes right to the desktop.

As for the files that I couldn't delete before, which you thought CCleaner was at fault for: I used a software program called Tuneup Utilities, which has a file deletion program, and I went into each of those zero-byte files' properties and unchecked the 'hidden' box. Then I renamed them and was able to delete them that way. It took me almost 2 hours to get all of them, but I did. The thing I find strange is that even though it said zero bytes for each file folder, when I went to empty the recycle bin, it would take 3 minutes to delete, just like it would when I download my family pictures to my computer and then erase the flash drive for reuse. I didn't erase all of them at one time. I would do one subfolder (which sometimes had hundreds of other files in it) at a time. Like I said, it took me almost 2 hours to get them all. Some wouldn't delete until I rebooted and tried again.

Last thing (I think): the computer is actually worse now than before Combo Fix. I can't run more than one program off my desktop at a time, like say my Excel spreadsheets and Word; it's just way too slow to start, for one thing, and then when I try to move back and forth between each program it takes forever to come up, even after I have them opened. I've gotten to a point that I read a book while I wait for it to load.

The Internet is the same. I can't use multiple tabs, which makes it extremely hard to do my college research on any given topic. I have business class Comcast cable because of the speed of 11mb/5mb, but sometimes it's like I'm back on DSL; not as bad as dial-up, but still pretty slow.

Oh yeah. Any idea why my Minesweeper scores got erased? I play that game regularly and I had high scores since 2007 of 6 beginner, 58 intermediate, 135 expert. I was kinda proud of those scores and would screenshot them to friends online who thought they were good :) Now those times are gone, and even when I set a new record, as soon as I reboot those are gone as well.

I don't like keeping my system on while I'm at work, but I've been leaving it running since rebooting seems to cause so many problems.

Any help or ideas would be greatly appreciated. I know this computer is old, but I don't have the funds right now to buy a new system. And I'm also a little afraid that when I transfer my saved files to a new system, the problems may go along with them. Also, I really like XP; I use Windows 7 at work and I really don't care for that OS.

Thanks.

Stan



