Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Critical Error! Failed to save components ..... file \System32\0006784


  • This topic is locked This topic is locked
20 replies to this topic

#1 LCW

LCW

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 17 October 2011 - 03:12 PM

Hello.

I'm not sure what nasty I have. In normal mode, I get three critical error messages like below with different file numbers.

---------------
Critical Error!
Windows was unable to save all the components for the file \System32\496A8300. The file is corrupted or unreadable. The error may be caused by a PC hardware problem.
-------------

I have a black screen, can run nothing, cannot access files, cannot connect to the internet.

In safe mode, I can get the files to display and can access a CD and external hard drive, but still cannot access the internet.

I used a laptop to transfer DeFogger, DDS, and GMER. I ran Defogger, obtained DDS logs, but twice GMER caused a stop screen error: RQL_NOT_LESS_OR_EQUAL and dumped the memory - had to reboot.

Previously, I had run rkill, TDSS, and MBAM. Once, the TDSS log indicated it had stopped C:\WINDOWS\system32\grpcon.exe - I believe it was the third time I ran it. Otherwise I get zero files terminated. I cannot run MBAM. I get run-time error '53' mbamnet. I tried using randmbam.exe, but was still unsuccessful after 10 attempts.

I get locked up in safe mode and have to turn off the computer and restart the whole process. This morning, I missed the safe mode tap and when starting up in normal, Spybot popped up and stated it had terminated a file called win32.zbot.

Thank you for any help you can give me. I'm stumped on this one. I've been working with it for two days now and can't seem to move forward. I am running Windows XP - service pack 3.

I have attached the dds.txt file. I see conflicting instructions regarding the DDS attact.txt file. One says post it, one says zip and post it, and another says do not post it until instructed to do so. So I have not posted it.

Please help. I will not try to fix again until I hear from you.

Thank you.

Attached File  dds.txt   7.1KB   5 downloads

BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:22 PM

Posted 18 October 2011 - 01:04 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 LCW

LCW
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 18 October 2011 - 03:20 PM

Hello,

I ran ComboFix in Safe Mode - no problems. I did not have access to the internet at that time, so I could not install the Recovery Console.

It rebooted in normal mode and I can see and access my files and folders now. All programs, files and folders, EXCEPT those downloaded and created after the infection, are ghosted.

I can connect to the internet now. My bookmarks are gone.

Eudora pulls in email, but displays the error message below and I can't close the program.

----------
Could not open file c\program Files\Eudora\In.toc for writing.

Cause: Access permission denied. File many be marked as read only or locked (13)
--------------

ComboFix log

ComboFix 11-10-18.03 - Laura 10/18/2011 14:17:49.3.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2175.1748 [GMT -5:00]
Running from: C:\Documents and Settings\Laura\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Administrator\WINDOWS
C:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt
C:\Documents and Settings\All Users\Application Data\hUtkqvriAukQ.exe
C:\Documents and Settings\All Users\Application Data\KYoSsQ7sHeKcNB.exe
C:\Documents and Settings\Default User\WINDOWS
C:\Documents and Settings\Laura\acickl.exe
C:\Documents and Settings\Laura\Application Data\volmgr.dll
C:\Documents and Settings\Laura\Application Data\volmgr.exe
C:\Documents and Settings\Laura\WINDOWS
C:\Program Files\Internet Explorer\SET596.tmp
C:\Program Files\Internet Explorer\SET66F.tmp
C:\Program Files\messenger\msmsgsin.exe
C:\Recycle.Bin
C:\Recycle.Bin\45DAD9FAE3C14E0
C:\Recycle.Bin\B6232F3A5A4.exe
C:\WINDOWS\isRS-000.tmp
C:\WINDOWS\patch.exe
C:\WINDOWS\system32\config\systemprofile\WINDOWS
C:\WINDOWS\system32\ie.ico
C:\WINDOWS\system32\open.ico
C:\WINDOWS\system32\rnaph.dll
C:\WINDOWS\system32\Thumbs.db
C:\WINDOWS\wc98pp.dll
F:\autorun.inf
F:\setup.exe


((((((((((((((((((((((((( Files Created from 2011-09-18 to 2011-10-18 )))))))))))))))))))))))))))))))


2011-10-16 23:05:37 . 2011-10-16 23:05:37 709968 ----a-w- C:\WINDOWS\is-8PTLP.exe
2011-10-16 21:05:06 . 2011-08-31 22:00:50 22216 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2011-10-13 21:15:49 . 2011-10-13 21:15:49 1409 ---ha-w- C:\WINDOWS\QTFont.for
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-10-16 21:01:32 . 2008-07-08 23:37:18 52352 ----a-w- C:\WINDOWS\system32\drivers\volsnap.sys
2011-09-13 22:56:27 . 2011-05-18 23:02:44 404640 ---ha-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2011-09-13 22:45:32 . 2011-08-21 19:30:40 134104 ---ha-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 01:05:26 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 20:01:00 13529088]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 17:47:32 73728]
"nwiz"="nwiz.exe" [2008-05-16 20:01:00 1630208]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 20:01:00 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 10:24:52 286720]
"AdobeCS4ServiceManager"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 12:58:34 611712]
"Adobe Acrobat Speed Launcher"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 07:25:18 37232]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 03:43:26 640376]
"TkBellExe"="C:\program files\real\realplayer\update\realsched.exe" [2011-01-09 20:45:55 274608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-29 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "C:\Program Files\Eudora\EuShlExt.dll" [2001-04-12 22:05:18 77824]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
2002-04-03 06:01:00 135264 ---ha-w- C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 10:24:52 286720 ---ha-w- C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"sysmonnt"=C:\WINDOWS\System32\sysmonnt
"Z00nROK9P"=mobacm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"98D0CE0C16B1"=rundll32.exe D0CE0C16B1,D0CE0C16B1
"A70F6A1D-0195-42a2-934C-D8AC0F7C08EB"=rundll32.exe E6F1873B.DLL,D9EBC318C
"snvrqytdw"=C:\WINDOWS\System32\biwtju.exe
"RSync"=C:\WINDOWS\System32\netsync.exe
"biwtju"=c:\windows\system32\biwtju.exe
"SoloSentry"=C:\PROGRA~1\SRNMIC~1\SOLOSENT.EXE
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"tgcmd"=C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
"antiware"=C:\windows\system32\eliteeju32.exe
"App32dll"=C:\windows\system32\msnavc32.exe lee0105
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\FTP_Explorer\\ftpx.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Home\\ftpte.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7746:TCP"= 7746:TCP:*:Disabled:BitComet 7746 TCP
"7746:UDP"= 7746:UDP:*:Disabled:BitComet 7746 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4

S3 62748353;62748353; [x]
S3 Pcouffin;Low level access layer for CD devices;C:\WINDOWS\system32\Drivers\Pcouffin.sys --> C:\WINDOWS\system32\Drivers\Pcouffin.sys [?]

Contents of the 'Scheduled Tasks' folder

2011-10-18 C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-99197640-230531164-3170788598-1006.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33:50 . 2010-11-05 17:33:50]

2011-10-16 C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-99197640-230531164-3170788598-1006.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33:50 . 2010-11-05 17:33:50]


------- Supplementary Scan -------

uStart Page = hxxp://google.com/
mWindow Title = Microsoft Internet Explorer presented by Comcast
IE: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Easy-WebPrint Add To Print List
IE: Easy-WebPrint High Speed Print
IE: Easy-WebPrint Preview
IE: Easy-WebPrint Print
TCP: DhcpNameServer = 192.168.1.254
DPF: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
FF - ProfilePath - C:\Documents and Settings\Laura\Application Data\Mozilla\Firefox\Profiles\q14jjmjk.default\

- - - - ORPHANS REMOVED - - - -

HKCU-Run-4Y3Y0C3AWF7XWHWEEYZF - C:\Recycle.Bin\B6232F3A5A4.exe
HKCU-Run-volmgr - C:\Documents and Settings\Laura\Application Data\volmgr.exe
HKLM-Run-volmgr - C:\Documents and Settings\Laura\Application Data\volmgr.exe
HKLM-Run-hUtkqvriAukQ.exe - C:\Documents and Settings\All Users\Application Data\hUtkqvriAukQ.exe
SafeBoot-03367508.sys
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
AddRemove-HijackThis - C:\Program Files\HiJack This\HijackThis.exe
AddRemove-ViewpointMediaPlayer - C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:22 PM

Posted 18 October 2011 - 06:47 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 LCW

LCW
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 18 October 2011 - 08:17 PM

Hello.

Ran CFScript.txt in normal mode. ComboFix wanted to update to newer version, I said no - could be an imposter...
Since I can connect to internet, updated/installed Recovery Console. No problems.

I can't find the program "notepad" or any other accessories, so I used a .txt file I already had to create the script.

Eudora wanted to create a new table of contents, but was unsuccessful - same error:

----------
Could not open file c\program Files\Eudora\In.toc for writing.

Cause: Access permission denied. File many be marked as read only or locked (13)
--------------

ComboFix log

ComboFix 11-10-18.03 - Laura 10/18/2011 19:44:51.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2175.1550 [GMT -5:00]
Running from: C:\Documents and Settings\Laura\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Laura\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Recycle.Bin\B6232F3A5A4.exe

---- Previous Run -------

C:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt
C:\Documents and Settings\All Users\Application Data\hUtkqvriAukQ.exe
C:\Documents and Settings\All Users\Application Data\KYoSsQ7sHeKcNB.exe
C:\Documents and Settings\Laura\acickl.exe
C:\Documents and Settings\Laura\Application Data\volmgr.dll
C:\Documents and Settings\Laura\Application Data\volmgr.exe
C:\Program Files\Internet Explorer\SET596.tmp
C:\Program Files\Internet Explorer\SET66F.tmp
C:\Program Files\messenger\msmsgsin.exe
C:\Recycle.Bin\45DAD9FAE3C14E0
C:\Recycle.Bin\B6232F3A5A4.exe
C:\WINDOWS\isRS-000.tmp
C:\WINDOWS\patch.exe
C:\WINDOWS\system32\ie.ico
C:\WINDOWS\system32\open.ico
C:\WINDOWS\system32\rnaph.dll
C:\WINDOWS\system32\Thumbs.db
C:\WINDOWS\wc98pp.dll
F:\autorun.inf
F:\setup.exe


((((((((((((((((((((((((( Files Created from 2011-09-19 to 2011-10-19 )))))))))))))))))))))))))))))))


2011-10-16 23:05:37 . 2011-10-16 23:05:37 709968 ----a-w- C:\WINDOWS\is-8PTLP.exe
2011-10-16 21:05:06 . 2011-08-31 22:00:50 22216 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2011-10-13 21:15:49 . 2011-10-13 21:15:49 1409 ---ha-w- C:\WINDOWS\QTFont.for
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-10-16 21:01:32 . 2008-07-08 23:37:18 52352 ----a-w- C:\WINDOWS\system32\drivers\volsnap.sys
2011-09-13 22:56:27 . 2011-05-18 23:02:44 404640 ---ha-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2011-09-13 22:45:32 . 2011-08-21 19:30:40 134104 ---ha-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((( SnapShot@2011-10-18_19.42.09 )))))))))))))))))))))))))))))))))))))))))

+ 2002-08-29 10:00:00 . 2002-08-29 10:00:00 112128 C:\WINDOWS\SYSTEM32\MAPI32.DLL
+ 1998-10-01 17:00:38 . 1998-10-01 17:00:38 520128 C:\WINDOWS\SYSTEM32\MAPI.DLL

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 01:05:26 204288]
"4Y3Y0C3AWF7XWHWEEYZF"="C:\Recycle.Bin\B6232F3A5A4.exe" [BU]
"volmgr"="C:\Documents and Settings\Laura\Application Data\volmgr.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 20:01:00 13529088]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 17:47:32 73728]
"nwiz"="nwiz.exe" [2008-05-16 20:01:00 1630208]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 20:01:00 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 10:24:52 286720]
"AdobeCS4ServiceManager"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 12:58:34 611712]
"Adobe Acrobat Speed Launcher"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 07:25:18 37232]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 03:43:26 640376]
"TkBellExe"="C:\program files\real\realplayer\update\realsched.exe" [2011-01-09 20:45:55 274608]
"volmgr"="C:\Documents and Settings\Laura\Application Data\volmgr.exe" [BU]
"hUtkqvriAukQ.exe"="C:\Documents and Settings\All Users\Application Data\hUtkqvriAukQ.exe" [BU]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-29 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "C:\Program Files\Eudora\EuShlExt.dll" [2001-04-12 22:05:18 77824]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
2002-04-03 06:01:00 135264 ---ha-w- C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 10:24:52 286720 ---ha-w- C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"sysmonnt"=C:\WINDOWS\System32\sysmonnt
"Z00nROK9P"=mobacm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"98D0CE0C16B1"=rundll32.exe D0CE0C16B1,D0CE0C16B1
"A70F6A1D-0195-42a2-934C-D8AC0F7C08EB"=rundll32.exe E6F1873B.DLL,D9EBC318C
"snvrqytdw"=C:\WINDOWS\System32\biwtju.exe
"RSync"=C:\WINDOWS\System32\netsync.exe
"biwtju"=c:\windows\system32\biwtju.exe
"SoloSentry"=C:\PROGRA~1\SRNMIC~1\SOLOSENT.EXE
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"tgcmd"=C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
"antiware"=C:\windows\system32\eliteeju32.exe
"App32dll"=C:\windows\system32\msnavc32.exe lee0105
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\FTP_Explorer\\ftpx.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Home\\ftpte.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7746:TCP"= 7746:TCP:*:Disabled:BitComet 7746 TCP
"7746:UDP"= 7746:UDP:*:Disabled:BitComet 7746 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4

S3 62748353;62748353; [x]
S3 Pcouffin;Low level access layer for CD devices;C:\WINDOWS\system32\Drivers\Pcouffin.sys --> C:\WINDOWS\system32\Drivers\Pcouffin.sys [?]

Contents of the 'Scheduled Tasks' folder

2011-10-19 C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-99197640-230531164-3170788598-1006.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33:50 . 2010-11-05 17:33:50]

2011-10-19 C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-99197640-230531164-3170788598-1006.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-11-05 17:33:50 . 2010-11-05 17:33:50]


------- Supplementary Scan -------

uStart Page = hxxp://google.com/
mWindow Title = Microsoft Internet Explorer presented by Comcast
IE: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Easy-WebPrint Add To Print List
IE: Easy-WebPrint High Speed Print
IE: Easy-WebPrint Preview
IE: Easy-WebPrint Print
TCP: DhcpNameServer = 192.168.1.254
DPF: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
FF - ProfilePath - C:\Documents and Settings\Laura\Application Data\Mozilla\Firefox\Profiles\q14jjmjk.default\

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:22 PM

Posted 18 October 2011 - 08:34 PM

Hello

Please do the following:

Step One
Please download Junction.zip and save it to your desktop.
Unzip it and extract junction.exe to your C:\ drive.

Step Two
Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.

@ECHO OFF
cd c:\
junction -s c:\>log.txt
start log.txt
del %0
Save it to your desktop as File name: junc.bat
Save as type: All Files

Step Three
Double click junc.bat to run it. A log will be presented. Copy and paste or attach the content of the log in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 LCW

LCW
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 18 October 2011 - 09:06 PM

Hi,

Results from Junction.zip:


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

..
Failed to open \\?\c:\\Program Files\Winamp\winampa.exe: Access is denied.


.

...

...

...

...

...

...

...

...

...

..\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

.

...

...

...

...

.
Failed to open \\?\c:\\WINDOWS\PCHealth\ErrorRep\UserDumps\CWShredder.exe.20050810-210432-00.hdmp: Access is denied.



Failed to open \\?\c:\\WINDOWS\PCHealth\ErrorRep\UserDumps\CWShredder.exe.20050810-210432-00.mdmp: Access is denied.


..

...

...

...

...

...

..

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:22 PM

Posted 18 October 2011 - 09:21 PM

You can restore the defaults for the Start Menu, Accessories and Administrative Tools as follows:
Posted Image
  • Then click on the Restore button.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 LCW

LCW
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 18 October 2011 - 09:37 PM

Hello,

I ran the Restore Accessories Group tool. Still no accessories.

I tried rebooting and then ran again. Same results.

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:22 PM

Posted 18 October 2011 - 09:44 PM

Hello


uninstall and reinstall Eudora and see if it wakes up


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 LCW

LCW
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 18 October 2011 - 09:57 PM

Can't. Too much information there to grind away. I will try this later, though, after I back up the .mbx files. Should be a nice weekend project...

Is there a way to restore my Favorites in Internet Explorer?

: )

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:22 PM

Posted 18 October 2011 - 10:27 PM

Hello

I would ike to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 LCW

LCW
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 18 October 2011 - 10:43 PM

Hello,

Also, programs, folders and files created before infection are ghosted. I can access/run them, though.



Add-Remove Programs report:


7-Zip 4.44 beta
Acrobat.com
Active Disk
Ad-Aware SE Personal
Adobe Acrobat 9 Pro - English, Français, Deutsch
Adobe After Effects CS4
Adobe After Effects CS4 Presets
Adobe After Effects CS4 Template Projects & Footage
Adobe After Effects CS4 Third Party Content
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles AE CS4
Adobe Color Video Profiles CS CS4
Adobe Contribute CS4
Adobe Creative Suite 4 Master Collection
Adobe CS4 American English Speech Analysis Models
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe Dynamiclink Support
Adobe Encore CS4 Codecs
Adobe Encore CS4 Library
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Fireworks CS4
Adobe Flash CS4
Adobe Flash CS4 Extension - Flash Lite STI en
Adobe Flash CS4 STI-en
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Illustrator 7.0.1
Adobe Illustrator CS4
Adobe InDesign CS4
Adobe InDesign CS4 Application Feature Set Files (Roman)
Adobe InDesign CS4 Common Base Files
Adobe InDesign CS4 Icon Handler
Adobe Linguistics CS4
Adobe Media Encoder CS4
Adobe Media Encoder CS4 Additional Exporter
Adobe Media Encoder CS4 Dolby
Adobe Media Encoder CS4 Exporter
Adobe Media Encoder CS4 Importer
Adobe Media Player
Adobe MotionPicture Color Files CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop 5.5
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Premiere Pro CS4
Adobe Premiere Pro CS4 Functional Content
Adobe Premiere Pro CS4 Third Party Content
Adobe Reader 7.0.8
Adobe Reader Japanese Fonts
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe SGM CS4
Adobe SING CS4
Adobe Soundbooth CS4
Adobe Soundbooth CS4 Codecs
Adobe SVG Viewer 3.0
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Aladdin Expander 5.0
AllWebMenus PRO v4.2
Apple Software Update
Banctec Service Agreement
BufferChm
CachePal Uninstall
Camera Support Core Library
Camera Window
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon i9900
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PhotoPrint Plus
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CaptureWiz
Comcast High-Speed Internet Install Wizard
Comcast Universal Installer v1.2
Conexant D850 56K V.9x DFVc Modem
Conexant SmartHSFi V92 56K DF PCI Modem
Connect
CuteFTP 8 Home
Dell Networking Guide
Dell Picture Studio - Dell Image Expert
Dell ResourceCD
Dell Solution Center
Dell Support
DeviceManagementQFolder
Digital Line Detect
DiMAGE Viewer
DVDSentry
Easy-WebPrint
Easy CD Creator 5 Basic
Gear Flash Downloader 1.0
Google Video Player
Help and Support Customization
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Imaging Device Functions 7.0
HP My Display
HP Photosmart and Deskjet 7.0 Software
hph_software_req
HTML-Kit
ImTOO 3GP Video Converter 6
Intel® PRO Network Connections Drivers
Intel® PROSet
IomegaWare 4.0.2
IsoBuster 1.9
J2SE Runtime Environment 5.0 Update 2
kuler
Lexmark 730 Series
Likno Web Button Maker
LS_HSI
Macromedia Flash 5
Macromedia Generator 2
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2000 Professional
Microsoft Silverlight
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft WinUsb 1.0
Miro Video Converter
Mozilla Firefox 6.0.2 (x86 en-US)
MP3 CD Converter 4.00
MUSICMATCH® Jukebox
MyDVD
NavStudio
Nero Suite
Netflix Movie Viewer
Netscape Browser (remove only)
Netscape Communicator 4.61
NetWaiting
NVIDIA Drivers
Opera 9.01
Opera Mobile Emulator
PCsync
PDF Settings CS4
Photoshop Camera Raw
PhotoStitch
Pixel Bender Toolkit
PowerDVD
Print Screen Deluxe
QuarkXPress 6.0
QuickTime
RAW Image Task
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
RemoteCapture Task
Sam Spade version 1.14
SDK
Secure Delivery
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Skype™ 3.8
Sound Blaster Live!
SoundTap Uninstall
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SpywareBlaster v3.3
SpywareGuard v2.2
Suite Shared Configuration CS4
System Requirements Lab
Toolbox
Universal Media Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
WavePad Uninstall
WebFldrs XP
Winamp (remove only)
Windows 7 Upgrade Advisor
Windows Easy Transfer
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3
WinZip
WNW Five Language Dictionary v1.9
WordPerfect Office 11
Yahoo! Install Manager

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:22 PM

Posted 18 October 2011 - 10:49 PM

Hello

Run this first - http://download.bleepingcomputer.com/grinler/unhide.exe


These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 7.0.8

and click on remove

Update Adobe Reader

Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.
[/list]
Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 LCW

LCW
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 19 October 2011 - 12:39 AM

Hello,

Ran unhide.exe. Everything is back, including Eudora and Favorites.

Uninstalled Adobe Reader 7.0.8. Installed FoxitReader - no AskBar.

Installed Java. Uninstalled 'J2SE Runtime Environment 5.0 Update 2'
per Java update website. Cleared Java Cache.

Ran TFC - rebooted.

Ran MBAM. Got run-time error '53' mbamnet, but was able to proceed with successful update and scan.

Installed lasted version of HijackThis (after removing old one). Ran scan.

The computer looks good - other than the extra junk in the HijackThis log.

MBAM and HiJackThis logs below.

---------------------

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7977

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/19/2011 12:18:06 AM
mbam-log-2011-10-19 (00-18-06).txt

Scan type: Quick scan
Objects scanned: 193523
Time elapsed: 5 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4Y3Y0C3AWF7XWHWEEYZF (Trojan.SpyEyes) -> Value: 4Y3Y0C3AWF7XWHWEEYZF -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\volmgr (Trojan.Agent) -> Value: volmgr -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-----------------------------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:30:28 AM, on 10/19/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (disabled by BHODemon)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [hUtkqvriAukQ.exe] C:\Documents and Settings\All Users\Application Data\hUtkqvriAukQ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [volmgr] C:\Documents and Settings\Laura\Application Data\volmgr.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1298248123260
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1298248110229
O16 - DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} (WebBrowserType Class) - https://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Unknown owner - C:\Program Files\Iomega\AutoDisk\ADService.exe (file missing)

--
End of file - 8320 bytes




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users