Virus/worm keeps forcing my computer to reboot


This topic is locked
10 replies to this topic

#1 Falneth

  • Members
  • 132 posts

Posted 30 October 2011 - 02:21 PM

Previous post in Security Forum. Link to previous post is: Previous Post with Information.

Ran DDS today. Log is as follows:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Samual at 14:06:38 on 2011-10-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.807 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: ActiveArmor Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Freecorder\FLVSrvc.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\TVersity\Media Server\web\admin\TVersity.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = hxxp://toolbar.google.com/tbredir?r=uin&l=en&v=7.1&tbbrand=PRFB
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Freecorder Toolbar: {70dd86e8-b5bc-4e4a-9d5c-b6234c24323c} - c:\program files\freecordertoolbar\vmntemplateX.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
TB: Freecorder Toolbar: {70dd86e8-b5bc-4e4a-9d5c-b6234c24323c} - c:\program files\freecordertoolbar\vmntemplateX.dll
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nTrayFw] c:\progra~1\nvidia~1\networ~1\bin\nTrayFw.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{881BE2C8-A8A1-497B-9767-BFEEFECC2DEE} : NameServer = 8.8.8.8,8.8.4.4
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\samual\application data\mozilla\firefox\profiles\ts80nxyk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R1 MpKsl28e7413f;MpKsl28e7413f;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a3b3392b-a916-44a3-b107-dc66be41dc6d}\MpKsl28e7413f.sys [2011-10-30 28752]
R1 SASDIFSV;SASDIFSV;c:\docume~1\samual\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\docume~1\samual\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2011-7-12 67664]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-26 366152]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-1-21 110592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-26 22216]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-10-26 11520]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
.
=============== Created Last 30 ================
.
2011-10-30 14:55:48 -------- d-----w- c:\documents and settings\samual\application data\SUPERAntiSpyware.com
2011-10-30 14:55:48 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-10-30 08:28:26 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a3b3392b-a916-44a3-b107-dc66be41dc6d}\MpKsl28e7413f.sys
2011-10-30 08:28:23 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a3b3392b-a916-44a3-b107-dc66be41dc6d}\offreg.dll
2011-10-30 06:37:33 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a3b3392b-a916-44a3-b107-dc66be41dc6d}\mpengine.dll
2011-10-29 20:32:16 -------- d-----w- c:\documents and settings\samual\local settings\application data\Western_Digital
2011-10-29 20:31:57 -------- d-----w- c:\documents and settings\samual\application data\Western Digital
2011-10-29 20:31:46 -------- d-----w- c:\documents and settings\all users\application data\Western Digital
2011-10-29 20:30:40 -------- d-----w- c:\program files\Western Digital
2011-10-29 20:29:50 -------- d-----w- c:\documents and settings\samual\local settings\application data\Western Digital
2011-10-29 20:00:34 -------- d-----w- c:\documents and settings\samual\application data\vmntemplate
2011-10-29 20:00:23 -------- d-----w- c:\documents and settings\samual\application data\freecordertoolbar
2011-10-29 20:00:18 -------- d-----w- c:\program files\freecordertoolbar
2011-10-29 20:00:07 -------- d-----w- c:\documents and settings\samual\local settings\application data\FLVService
2011-10-29 20:00:00 -------- d-----w- c:\program files\Freecorder
2011-10-29 19:38:18 -------- d---a-w- C:\Plants Vs Zombies
2011-10-29 19:33:07 -------- d-----w- c:\program files\Windows Media Connect 2
2011-10-29 19:32:10 -------- d-----w- c:\windows\system32\LogFiles
2011-10-29 02:19:52 -------- d---a-w- C:\English Anime
2011-10-28 21:11:21 -------- d-----w- c:\windows\system32\XPSViewer
2011-10-28 21:11:08 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-10-28 21:11:02 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-10-28 21:11:02 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-10-28 21:11:02 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-10-28 21:11:02 117760 ------w- c:\windows\system32\prntvpt.dll
2011-10-28 21:11:01 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-10-28 21:11:01 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-10-28 21:11:01 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-10-28 21:11:01 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-10-28 04:14:56 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-10-27 23:24:37 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-10-27 23:24:21 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-10-27 23:24:09 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-10-27 23:23:08 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-10-27 23:23:01 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2011-10-27 23:22:48 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-10-27 23:22:37 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2011-10-27 23:22:37 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2011-10-27 23:22:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-10-27 23:20:35 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2011-10-27 23:20:35 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2011-10-27 23:20:34 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2011-10-27 23:20:34 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2011-10-27 23:20:34 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2011-10-27 23:20:34 110592 -c----w- c:\windows\system32\dllcache\services.exe
2011-10-27 23:20:33 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2011-10-27 23:19:48 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2011-10-27 23:19:41 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2011-10-27 23:19:13 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2011-10-27 23:19:09 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-27 23:16:52 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-10-27 23:15:42 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2011-10-27 23:14:34 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2011-10-27 23:14:14 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2011-10-27 23:14:10 692736 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2011-10-27 23:13:41 766464 -c--a-w- c:\windows\system32\dllcache\vgx.dll
2011-10-27 23:13:35 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll
2011-10-27 23:13:34 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-10-27 23:13:34 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-10-27 23:13:33 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-10-27 23:13:32 2069376 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2011-10-27 23:13:20 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
2011-10-27 23:13:13 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-10-27 23:12:53 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-10-27 23:12:45 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2011-10-27 23:12:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-10-27 23:11:44 -------- d-----w- c:\windows\system32\PreInstall
2011-10-27 23:11:43 -------- d--h--w- c:\windows\$hf_mig$
2011-10-27 22:51:58 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-10-27 22:51:58 215920 ----a-w- c:\windows\system32\muweb.dll
2011-10-27 22:51:58 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-10-27 22:47:03 -------- d-----w- c:\documents and settings\samual\application data\AnvSoft
2011-10-27 22:45:25 -------- d-----w- c:\program files\AnvSoft
2011-10-27 20:32:39 -------- d-----w- c:\program files\Xiph.Org
2011-10-27 20:32:37 -------- d-----w- c:\program files\TVersity Codec Pack
2011-10-27 20:32:26 -------- d-----w- c:\program files\TVersity
2011-10-27 19:16:59 -------- d-----w- c:\documents and settings\samual\local settings\application data\Temp
2011-10-27 19:16:59 -------- d-----w- c:\documents and settings\samual\local settings\application data\Adobe
2011-10-27 18:57:06 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-10-27 15:22:05 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2011-10-27 15:22:05 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2011-10-27 15:21:59 -------- d-----w- c:\documents and settings\samual\local settings\application data\ATI
2011-10-27 04:47:37 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2011-10-27 04:38:16 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-10-27 04:35:27 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-10-27 04:27:09 168576 ----a-w- c:\windows\system32\drivers\atinavt2.sys
2011-10-27 04:27:09 106496 ----a-w- c:\windows\system32\atinppt2.ax
2011-10-27 04:26:54 520192 ------w- c:\windows\system32\ati2sgag.exe
2011-10-27 04:26:52 307200 ----a-r- c:\windows\system32\atiiiexx.dll
2011-10-27 04:26:33 -------- d-----w- c:\program files\ATI Technologies
2011-10-27 04:25:51 77824 ------w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-10-27 04:25:51 32768 ------w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-10-27 04:25:51 221184 ------w- c:\program files\common files\installshield\iscript\IScript.dll
2011-10-27 04:25:51 221184 ------w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-10-27 04:25:51 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2011-10-27 04:25:07 -------- d-----r- c:\program files\Skype
2011-10-27 04:22:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-27 04:20:27 -------- d-----w- c:\program files\Yahoo!
2011-10-27 04:18:04 -------- d-----w- C:\Downloads
2011-10-27 04:06:20 -------- d-----w- c:\program files\Microsoft Security Client
2011-10-27 03:56:57 -------- d-----w- c:\windows\ServicePackFiles
2011-10-27 03:52:01 -------- d-----w- c:\program files\CCleaner
2011-10-27 03:51:55 -------- d-----w- c:\documents and settings\samual\local settings\application data\Google
2011-10-27 03:51:41 -------- d-----w- c:\documents and settings\samual\application data\Malwarebytes
2011-10-27 03:51:39 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-27 03:51:36 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-27 03:51:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-27 03:46:44 -------- d-----w- c:\program files\NVIDIA Corporation
2011-10-27 03:46:41 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-10-26 22:43:38 99584 ----a-w- c:\windows\system32\drivers\nvata.sys
2011-10-26 15:03:33 -------- d-s---w- c:\windows\system32\Microsoft
.
==================== Find3M ====================
.
2011-09-26 16:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-17 21:32:17 832512 ----a-w- c:\windows\system32\wininet.dll
2011-08-17 21:32:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-08-17 21:32:16 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-08-17 21:32:15 17408 ----a-w- c:\windows\system32\corpol.dll
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-17 12:22:23 389120 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 14:07:16.98 ===============



I tried to run GMER, but the scan caused a blue screen error with the message: Kernel Stack Inpage Error. I understand that GMER won't run on a 64-bit OS, but if I'm running a 32-bit OS on a 64-bit processor, will that cause it to fail?

Also, when I try to boot my computer up, I usually have to reboot it again just to get the desktop to load correctly. The reason is that once I reach the desktop, the items that are supposed to load with Windows do not load like they should. The entire computer will lock up and just sit there while trying to finish the boot sequence.

Edited by Falneth, 30 October 2011 - 02:25 PM.

A.A.S in Computer and Network Support from Crowder College


#2 nasdaq

  • Malware Response Team
  • 39,214 posts

Posted 04 November 2011 - 01:13 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know if the problem persists.

#3 Falneth

  • Topic Starter

  • Members
  • 132 posts

Posted 05 November 2011 - 03:53 PM

I've attached both logs. I hope that this fixes this issue. HOWEVER, I would like to know what could be causing the OS to ask for a password when I switch user (not log off) and there are no passwords set. Could it be related to the problem of my OS freezing up when it reaches the desktop during boot-up? One last thing: I've noticed that in my "C:\Documents and Settings" folder, I have Administrator, All Users, Samual, Sonda (my gf who is barely ever on the computer), and Administrator.OFFICE.000. I've seen a folder called Administrator.OFFICE. in the Documents and Settings before. Any idea what is causing the "Administrator.OFFICE" folder to be created?

The contents of checkup.txt are as follows:

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Adobe Flash Player 11.0.1.152
Adobe Reader X (10.1.1)
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````



Combofix.txt log is as follows:

ComboFix 11-11-05.03 - Samual 11/05/2011 15:42:23.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1064 [GMT -5:00]
Running from: c:\documents and settings\Samual\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: ActiveArmor Firewall *Enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-05 to 2011-11-05 )))))))))))))))))))))))))))))))
.
.
2011-11-03 19:57 . 2011-11-03 19:57 -------- d-----w- C:\NeverwinterNights
2011-10-31 02:02 . 2011-10-31 02:02 -------- d-----r- C:\MSOCache
2011-10-30 20:28 . 2011-10-30 20:49 -------- d-----w- C:\Copied folders
2011-10-29 19:38 . 2011-10-29 19:38 -------- d---a-w- C:\Plants Vs Zombies
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 16:41 . 2011-09-26 16:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2006-02-28 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2006-02-28 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2006-02-28 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-17 21:32 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-08-17 21:32 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-08-17 21:32 . 2006-02-28 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-08-17 21:32 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-08-17 13:49 . 2006-02-28 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-17 12:22 . 2006-02-28 12:00 389120 ----a-w- c:\windows\system32\html.iec
2011-09-29 06:53 . 2011-10-27 04:09 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70dd86e8-b5bc-4e4a-9d5c-b6234c24323c}]
2011-06-24 15:04 81920 ----a-w- c:\program files\freecordertoolbar\vmntemplateX.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{70dd86e8-b5bc-4e4a-9d5c-b6234c24323c}"= "c:\program files\freecordertoolbar\vmntemplateX.dll" [2011-06-24 81920]
.
[HKEY_CLASSES_ROOT\clsid\{70dd86e8-b5bc-4e4a-9d5c-b6234c24323c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 19550344]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2011-03-24 167936]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-08-23 211296]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-1-21 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-1-21 9136960]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-05-10 16:12 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
2006-02-17 15:40 270336 ----a-w- c:\progra~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2006-07-13 12:12 729088 ------w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-12-19 07:34 868352 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"odserv"=3 (0x3)
"idsvc"=3 (0x3)
"ForcewareWebInterface"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
.
R1 MpKslcadf7c21;MpKslcadf7c21;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{35E03140-7DE5-44F6-B03C-973EA3AAC3DC}\MpKslcadf7c21.sys [11/5/2011 9:55 AM 28752]
R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Samual\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Samual\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
R1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Samual\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Samual\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/26/2011 10:51 PM 366152]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/26/2011 10:51 PM 22216]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [10/26/2011 11:47 PM 11520]
S1 MpKsl840beaf5;MpKsl840beaf5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1282A224-48CB-4D6E-B01D-96BD4BD9299E}\MpKsl840beaf5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1282A224-48CB-4D6E-B01D-96BD4BD9299E}\MpKsl840beaf5.sys [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [11/2/2011 8:44 AM 18560]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLCADF7C21
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://toolbar.google.com/tbredir?r=uin&l=en&v=7.1&tbbrand=PRFB
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
TCP: Interfaces\{881BE2C8-A8A1-497B-9767-BFEEFECC2DEE}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\Samual\Application Data\Mozilla\Firefox\Profiles\ts80nxyk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-05 15:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\nvappfilter.dll
.
- - - - - - - > 'explorer.exe'(2520)
c:\windows\system32\WININET.dll
c:\documents and settings\Samual\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-11-05 15:44:58
ComboFix-quarantined-files.txt 2011-11-05 20:44
.
Pre-Run: 204,810,162,176 bytes free
Post-Run: 204,800,692,224 bytes free
.
- - End Of File - - 355C9D8B5A3AB2E864E04EDD1617DBC4

Edited by Falneth, 05 November 2011 - 03:59 PM.


#4 nasdaq
  • Malware Response Team
  • 39,214 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 November 2011 - 08:48 AM

I would like to know what could be causing the OS to ask for a password when I switch user (not log off) and there are no passwords set. Could it be related to the problem of my OS freezing up when it reaches the desktop during boot-up? One last thing: I've noticed that in my "C:\Documents and Settings" folder, I have Administrator, All Users, Samual, Sonda (my gf who is barely ever on the computer), and Administrator.OFFICE.000. I've seen a folder called Administrator.OFFICE. in the Documents and Settings before. Any idea what is causing the "Administrator.OFFICE" folder to be created?


I searched Google for the string Administrator.OFFICE.000; you will find the results here.
http://www.google.com/search?q=Administrator.OFFICE.000&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

What I suspect is that somehow your Office profile was damaged and a new one was created.
How it happened I do not know.

Microsoft has a forum for the Office program.
It may be helpful to peruse it or start a new topic and get qualified help.

==

Your logs are clean. Any other issues pending with computer?

#5 Falneth
  • Topic Starter
  • Members
  • 132 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 06 November 2011 - 10:41 AM

I don't think it's my MS Office profile. My computer's name is OFFICE. Could my Administrator account have been compromised? Also, what about the issue with Windows requesting a password when I switch users when there's no password set?



#6 nasdaq
  • Malware Response Team
  • 39,214 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 November 2011 - 01:35 PM

My computer's name is OFFICE.


Then OFFICE.000 is a folder.

What files are located in that .000 folder?
Look at the properties: when was it created?

Windows requesting a password when I switch users when there's no password set


Find out if a password was set.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/usercpl_change_password.mspx?mfr=true

#7 Falneth
  • Topic Starter
  • Members
  • 132 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 09 November 2011 - 10:36 AM

The OFFICE.000 folder is 1.57 MB in size. It contains desktop, favorites, my documents, start menu folders (the normal view ones). The hidden folders are: Application data, Local Settings, Nethood, Printhood, Recent, Sendto, and Templates. It also has two files at the root of the office folder: NTUSER.dat and NTUSER.vcd.

There is no password set for either of the user accounts (except for the Administrator account). I have checked this several times and have not found any passwords set at all.

The Office.000 account was created on Nov. 5 at 6:47 am. My user account was created on Oct. 26 at 9:04 am.

Edited by Falneth, 09 November 2011 - 10:39 AM.

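An added example, not from the thread, of the check behind nasdaq's questions about the .000 folder and the properties Falneth reports above: it lists every profile folder under the XP profile root with its creation time, the last write time of its NTUSER.DAT hive, and the SID that the ProfileList registry key maps to it (or a marker when no entry references the folder). It assumes PowerShell is installed (it is not part of XP by default) and the default XP profile root C:\Documents and Settings.

```powershell
# Added example (not the thread's own procedure): cross-check profile folders
# on disk against HKLM\...\ProfileList so a stray ".COMPUTERNAME.000" folder
# can be dated and tied to the account that loads it, or flagged as orphaned.
# Assumption: XP default profile root; Vista and later use C:\Users instead.
$profileRoot = 'C:\Documents and Settings'
$listKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Map each registered profile path (lower-cased, %vars% expanded) to its SID.
$registered = @{}
foreach ($sub in Get-ChildItem $listKey) {
    $path = (Get-ItemProperty $sub.PSPath).ProfileImagePath
    if ($path) {
        $expanded = [Environment]::ExpandEnvironmentVariables($path)
        $registered[$expanded.ToLowerInvariant()] = $sub.PSChildName
    }
}

# -Force includes hidden/system folders such as Default User and LocalService.
$rows = foreach ($dir in Get-ChildItem $profileRoot -Force | Where-Object { $_.PSIsContainer }) {
    $key = $dir.FullName.ToLowerInvariant()
    $sid = '(not in ProfileList)'
    if ($registered.ContainsKey($key)) { $sid = $registered[$key] }

    # NTUSER.DAT is hidden, so read it by explicit path with -Force.
    $hive = Join-Path $dir.FullName 'NTUSER.DAT'
    $hiveTime = $null
    if (Test-Path $hive) { $hiveTime = (Get-Item $hive -Force).LastWriteTime }

    New-Object PSObject -Property @{
        Folder       = $dir.Name
        Created      = $dir.CreationTime
        HiveModified = $hiveTime
        SID          = $sid
    }
}

$rows | Sort-Object Created | Format-Table Folder, Created, HiveModified, SID -AutoSize
```

Windows creates a new profile folder with a .COMPUTERNAME or .000 suffix when it cannot use the existing one for an account, so the SID column shows which folder each account actually loads and which folders nothing references any more.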


#8 nasdaq
  • Malware Response Team
  • 39,214 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 November 2011 - 02:24 PM

Whatever created that folder on Nov. 5 at 6:47 am (unless someone was on the computer at that time) is unknown to me.

The ComboFix log was created at - Samual 11/05/2011 15:42:23.2.2 PM.

Is System Restore available to you?

Can you restore your computer to a date/time prior to Nov. 5 at 6:47 am?


Before you proceed I would advise that you start a new topic in the Windows XP forum and find out if an XP expert has another solution.

http://www.bleepingcomputer.com/forums/forum56.html

Please keep me posted.

#9 Falneth
  • Topic Starter
  • Members
  • 132 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 09 November 2011 - 02:31 PM

System Restore has been failing ever since I did a fresh install, so I turned it off since it constantly fails whenever I try to run a restore.



#10 nasdaq
  • Malware Response Team
  • 39,214 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 November 2011 - 08:48 AM

Then I suggest you start a new topic in the XP forum.

#11 nasdaq
  • Malware Response Team
  • 39,214 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 November 2011 - 11:22 AM

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

