
I may be infected part 2.


  • This topic is locked
56 replies to this topic

#1 Fade2black22


Posted 04 November 2011 - 01:55 PM

The last person who was trying to help me ended up quitting on me because he said he ran out of ideas. I still need help. The last thing he sent me was to run scannow. I did that and I got an error saying files that are required for Windows to run properly must be copied to the DLL cache; insert your Windows XP Home Edition Service Pack 3 CD now. I don't have any CDs. I still can't run Malwarebytes.


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,581 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:21 AM

Posted 04 November 2011 - 04:03 PM

Hello, first of all, let's start with a log, so I can get some updated information about your system.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#3 Fade2black22

Fade2black22
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 AM

Posted 06 November 2011 - 12:01 PM

here they are. I hope you will be able to help me and not give up like the last person.

Attached Files



#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,581 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:21 AM

Posted 06 November 2011 - 12:08 PM

That is attach.txt twice. :) I need to see DDS.txt as well. Could you copy/paste it into your next reply?

Also, press Windows key + R, type cmd and press enter.

Type sc query rpcss and press enter. Let me know what comes back.

regards, Elise




#5 Fade2black22

Fade2black22
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 AM

Posted 07 November 2011 - 11:03 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by Justo at 21:54:56 on 2011-11-07
.
============== Running Processes ===============
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Justo\My Documents\Downloads\dds(1).scr
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{822D09E3-594D-405F-8AF2-B4D9B6A04CF1} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxsrvc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\justo\application data\mozilla\firefox\profiles\u9nu512p.default\
.
============= SERVICES / DRIVERS ===============
.
R? rkhdrv40;Rootkit Unhooker Driver
.
=============== Created Last 30 ================
.
2011-10-26 04:01:00 366152 ----a-w- c:\windows\mbamservice.exe
2011-10-26 04:00:59 563784 ----a-w- c:\windows\mbamcore.dll
2011-10-26 04:00:59 496976 ----a-w- c:\windows\vbalsgrid6.ocx
2011-10-26 04:00:59 46416 ----a-w- c:\windows\ssubtmr6.dll
2011-10-26 04:00:59 2223176 ----a-w- c:\windows\mbamnet.dll
2011-10-26 04:00:59 173640 ----a-w- c:\windows\mbam.dll
2011-10-26 04:00:59 -------- d-----w- c:\windows\Languages
2011-10-26 04:00:58 449608 ----a-w- c:\windows\mbamgui.exe
2011-10-26 04:00:57 1047208 ----a-w- c:\windows\mbam.exe
2011-10-26 04:00:56 78920 ----a-w- c:\windows\mbamext.dll
2011-10-26 04:00:56 709968 ----a-w- c:\windows\unins000.exe
2011-10-26 04:00:56 20552 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-20 22:51:34 -------- d-----w- C:\RkUnhooker
2011-10-11 17:19:13 -------- d-----w- C:\explorer.exe
2011-10-11 05:12:29 -------- d-----w- c:\program files\rksupport
2011-10-11 05:08:01 -------- d-----w- C:\TEMP
2011-10-11 04:21:12 -------- d-----w- C:\1 NTFS_001
2011-10-11 02:20:04 -------- d-----w- C:\1 NTFS_000
2011-10-11 01:15:36 -------- d-----w- C:\1 NTFS
.
==================== Find3M ====================
.
2011-08-11 22:08:59 1409 ----a-w- c:\windows\QTFont.for
.
============= FINISH: 21:55:42.96 ===============


.
==== Installed Programs ======================
.
Adobe Reader 6.0
CCleaner
CompuServe
eMachines Bay Reader
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Java 2 Runtime Environment, SE v1.4.2
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft Windows NT Resource Kit 4.0 Support Tools
Microsoft Works 7.0
Mozilla Firefox 7.0.1 (x86 en-US)
Multimedia Keyboard Driver
Netscape 6 (6.2.1)
NirSoft WinUpdatesList
PowerDVD
QuickTime
RealPlayer Basic
Realtek AC'97 Audio
Rootkit Unhooker Uninstall
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB914798)
Soft Data Fax Modem with SmartCP
Spybot - Search & Destroy
WebFldrs XP
Winamp (remove only)
Windows Backup Utility
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See Q828026 for more information]
Windows Movie Maker 2.0
.
==== End Of File ===========================


Service name: rpcss
type: 20 win32 share process
state: 4 running
(not stoppable not pausable ignores shutdown)
win32 exit code: 0 (0x0)
service exit code: 0 (0x0)
checkpoint: 0x0
wait hint: 0x0
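The DDS "Created Last 30" section above is the part a helper reads first, and two things in it stand out on inspection: a directory called C:\explorer.exe (a folder carrying an executable's name) and a set of .exe/.dll/.ocx files written directly into c:\windows rather than into system32 or Program Files. The following Python is an added example, not part of the original post or of DDS itself: it parses lines in the DDS file-list format and applies those two triage heuristics. The sample lines are copied from the log above; the heuristics flag locations for a human to look at, not malice (the c:\windows files here correspond to the Malwarebytes install listed under Installed Programs, just in an unusual place). The extension list and the "c:\windows" root constant are the example's own assumptions.

```python
import re

# Constructed sample: "Created Last 30" lines copied from the DDS log above.
DDS_SAMPLE = r"""
2011-10-26 04:01:00 366152 ----a-w- c:\windows\mbamservice.exe
2011-10-26 04:00:59 563784 ----a-w- c:\windows\mbamcore.dll
2011-10-26 04:00:59 496976 ----a-w- c:\windows\vbalsgrid6.ocx
2011-10-26 04:00:59 46416 ----a-w- c:\windows\ssubtmr6.dll
2011-10-26 04:00:59 2223176 ----a-w- c:\windows\mbamnet.dll
2011-10-26 04:00:59 173640 ----a-w- c:\windows\mbam.dll
2011-10-26 04:00:59 -------- d-----w- c:\windows\Languages
2011-10-26 04:00:58 449608 ----a-w- c:\windows\mbamgui.exe
2011-10-26 04:00:57 1047208 ----a-w- c:\windows\mbam.exe
2011-10-26 04:00:56 78920 ----a-w- c:\windows\mbamext.dll
2011-10-26 04:00:56 709968 ----a-w- c:\windows\unins000.exe
2011-10-26 04:00:56 20552 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-20 22:51:34 -------- d-----w- C:\RkUnhooker
2011-10-11 17:19:13 -------- d-----w- C:\explorer.exe
2011-10-11 05:12:29 -------- d-----w- c:\program files\rksupport
2011-10-11 05:08:01 -------- d-----w- C:\TEMP
"""

# One DDS file-list line: date, time, size (or dashes for a directory),
# an 8-character attribute field ('d' in the first position = directory), path.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)

# Assumptions of this example: extensions treated as "executable-like",
# and the Windows root that executables normally should not sit in directly.
PE_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr", ".drv", ".cpl")
WINDOWS_ROOT = r"c:\windows"


def parse_dds_entries(text):
    """Parse DDS 'Created Last 30' style lines into dicts; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["is_dir"] = d["attrs"][0] == "d"
        d["size"] = None if d["is_dir"] else int(d["size"])
        d["path"] = d["path"].lower()  # NTFS paths are case-insensitive
        entries.append(d)
    return entries


def triage(entries):
    """Return (path, reason) pairs worth a human look. Heuristics only."""
    findings = []
    for e in entries:
        path = e["path"]
        parent, _, name = path.rpartition("\\")
        looks_pe = name.endswith(PE_EXT)
        if e["is_dir"] and looks_pe:
            # A folder named explorer.exe can shadow or confuse the real binary.
            findings.append((path, "directory named like an executable"))
        elif looks_pe and parent == WINDOWS_ROOT:
            # Binaries belong in system32 / Program Files, not the root of %SystemRoot%.
            findings.append((path, "executable directly in %SystemRoot%"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_dds_entries(DDS_SAMPLE)):
        print(f"{reason:40s} {path}")
```

Run it against a full DDS.txt by reading the file instead of DDS_SAMPLE; anything the parser does not recognise (section headers, the "." spacer lines) is ignored, so the whole log can be fed in unchanged.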

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,581 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:21 AM

Posted 08 November 2011 - 02:15 AM

Hi again,

Please download GrantPerms.zip and save it to your desktop.
Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe
Copy and paste the following in the edit box:

c:\WINDOWS\$NtUninstallQ828026$
Click Unlock. When it is done click "OK".
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.


Now please delete any copy of combofix you might still have and download a new one. Run it as instructed below.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message. Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise




#7 Fade2black22

Fade2black22
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 AM

Posted 10 November 2011 - 12:56 AM

GrantPerms by Farbar
Ran by Justo (administrator) at 2011-11-09 23:55:09

===============================================
\\?\c:\WINDOWS\$NtUninstallQ828026$

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
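The Perms.txt listing above is a folder DACL, and the check a practitioner makes on it is a least-privilege one: does any principal other than Administrators, SYSTEM or the object owner hold write-class rights, and do those rights propagate to children via the CI/OI inheritance flags? The Python below is an added example, not part of the original post or of GrantPerms: it parses ACE lines in the format GrantPerms prints and reports write-capable ACEs held by non-privileged principals. The sample is the listing above, with one deliberately weak ACE (Everyone FULL) appended so a finding is visible; the set of "privileged" principals and the rights classified as write access are the example's own assumptions.

```python
import re

# Constructed sample: the ACE lines from the Perms.txt posted above.
PERMS_SAMPLE = r"""
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
"""
# Constructed weak ACE, NOT from the page, used to show what a finding looks like.
WEAK_ACE = r"Everyone FULL ALLOW (CI)(OI)"

# principal, rights keyword, ALLOW/DENY, then zero or more (FLAG) groups.
# READ/EXECUTE must be tried before READ so the alternation does not stop early.
ACE_RE = re.compile(
    r"^(?P<principal>.+?)\s+(?P<rights>FULL|MODIFY|WRITE|READ/EXECUTE|READ|SPECIAL)"
    r"\s+(?P<kind>ALLOW|DENY)\s*(?P<flags>(?:\([A-Z]+\))*)\s*$"
)

# Assumption of this example: principals expected to hold write access under %SystemRoot%.
PRIVILEGED = {
    r"BUILTIN\Administrators",
    r"NT AUTHORITY\SYSTEM",
    "CREATOR OWNER",
    r"NT SERVICE\TrustedInstaller",
}
# Assumption: rights keywords treated as "can write".
WRITE_RIGHTS = {"FULL", "MODIFY", "WRITE"}


def parse_aces(text):
    """Parse GrantPerms-style ACE lines; non-matching lines are ignored."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        aces.append({
            "principal": m.group("principal"),
            "rights": m.group("rights"),
            "kind": m.group("kind"),
            "flags": set(re.findall(r"\(([A-Z]+)\)", m.group("flags"))),
        })
    return aces


def weak_write_aces(aces):
    """ALLOW ACEs that grant write-class rights to a principal outside PRIVILEGED."""
    return [a for a in aces
            if a["kind"] == "ALLOW"
            and a["rights"] in WRITE_RIGHTS
            and a["principal"] not in PRIVILEGED]


def inherits_to_children(ace):
    """True if the ACE propagates to sub-folders (CI) or files (OI) below the object."""
    return bool(ace["flags"] & {"CI", "OI"})


if __name__ == "__main__":
    for a in weak_write_aces(parse_aces(PERMS_SAMPLE + WEAK_ACE)):
        scope = "inherited by children" if inherits_to_children(a) else "this object only"
        print(f"{a['principal']} has {a['rights']} ({scope})")
```

On the listing as posted, the check returns nothing: BUILTIN\Users holds READ/EXECUTE only, so ordinary users cannot modify the folder, and every write-capable ACE belongs to Administrators, SYSTEM or CREATOR OWNER. The appended Everyone FULL ACE is what a finding would look like, including that it would propagate to children.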

#8 Fade2black22

Fade2black22
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 AM

Posted 10 November 2011 - 01:26 AM

ComboFix 11-11-09.02 - Justo 11/10/2011 0:02.5.1 - x86
Running from: c:\documents and settings\Justo\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\explorer.exe
c:\explorer.exe\Catchlog
c:\explorer.exe\Catchme.tmp
c:\explorer.exe\CF29853.3XE
.
Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\atapi.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-10-10 to 2011-11-10 )))))))))))))))))))))))))))))))
.
.
2011-10-26 04:01 . 2011-08-31 22:00 366152 ----a-w- c:\windows\mbamservice.exe
2011-10-26 04:00 . 2011-10-26 04:00 -------- d-----w- c:\windows\Languages
2011-10-26 04:00 . 2011-08-31 22:00 2223176 ----a-w- c:\windows\mbamnet.dll
2011-10-26 04:00 . 2011-08-31 22:00 563784 ----a-w- c:\windows\mbamcore.dll
2011-10-26 04:00 . 2011-08-31 22:00 173640 ----a-w- c:\windows\mbam.dll
2011-10-26 04:00 . 2011-06-01 15:16 496976 ----a-w- c:\windows\vbalsgrid6.ocx
2011-10-26 04:00 . 2011-06-01 15:16 46416 ----a-w- c:\windows\ssubtmr6.dll
2011-10-26 04:00 . 2011-08-31 22:00 449608 ----a-w- c:\windows\mbamgui.exe
2011-10-26 04:00 . 2011-08-31 22:00 1047208 ----a-w- c:\windows\mbam.exe
2011-10-26 04:00 . 2011-10-26 04:00 709968 ----a-w- c:\windows\unins000.exe
2011-10-26 04:00 . 2011-08-31 22:00 20552 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-26 04:00 . 2011-08-31 22:00 78920 ----a-w- c:\windows\mbamext.dll
2011-10-20 22:51 . 2011-10-20 22:53 -------- d-----w- C:\RkUnhooker
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-24 08:00 . 2011-09-08 01:42 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\netman.dll
[-] 2005-08-22 . 838B1DF317D55BFFF67F99F1AE7ECEB7 . 154624 . . [5.1.2600.1733] . . c:\windows\system32\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\$hf_mig$\KB905414\SP2GDR\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\$NtServicePackUninstall$\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\netman.dll
[-] 2005-08-22 . 3516D8A18B36784B1005B950B84232E1 . 197632 . . [5.1.2600.2743] . . c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll
.
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\6038b71530de3a2425b2782c515c9660\backup\sp3gdr\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\6038b71530de3a2425b2782c515c9660\backup\sp3qfe\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . 6B4BF97957A0B8795811975D4BF1ACFE . 53248 . . [5.1.2600.1699] . . c:\windows\system32\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2GDR\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\spoolsv.exe
.
[7] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\linkinfo.dll
[-] 2005-09-01 . 71E9F9E000221536047E059CBE2FE211 . 16384 . . [5.1.2600.1740] . . c:\windows\system32\linkinfo.dll
[-] 2005-09-01 . 648BF0B4DDE4F7A1156DAE7174D36EFA . 19968 . . [5.1.2600.2751] . . c:\windows\$hf_mig$\KB900725\SP2QFE\linkinfo.dll
[-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\$hf_mig$\KB900725\SP2GDR\linkinfo.dll
[-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\$NtServicePackUninstall$\linkinfo.dll
[-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\linkinfo.dll
.
[7] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tapisrv.dll
[-] 2005-07-08 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2GDR\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\$NtServicePackUninstall$\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\tapisrv.dll
[-] 2005-07-08 . 5F0469FF26B19790B5A0D7C77871B6CD . 238592 . . [5.1.2600.1715] . . c:\windows\system32\tapisrv.dll
.
[7] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2006-08-16 . 7B6A08441A4F11320421599D7ECF8D41 . 70656 . . [5.1.2600.1886] . . c:\windows\system32\ws2_32.dll
[7] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2_32.dll
[7] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\ws2_32.dll
.
[7] 2008-04-14 . ECCE74BC6168375016450A86A164D976 . 1287168 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ole32.dll
[7] 2008-04-14 . ECCE74BC6168375016450A86A164D976 . 1287168 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\c96035cca2ff8149829aeece9eaea737\backup\sp3gdr\ole32.dll
[7] 2008-04-14 . ECCE74BC6168375016450A86A164D976 . 1287168 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\c96035cca2ff8149829aeece9eaea737\backup\sp3qfe\ole32.dll
[-] 2005-07-26 . AB8231D13692AC5088EB9C226B0C0576 . 1285120 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2GDR\ole32.dll
[-] 2005-07-26 . AB8231D13692AC5088EB9C226B0C0576 . 1285120 . . [5.1.2600.2726] . . c:\windows\$NtServicePackUninstall$\ole32.dll
[-] 2005-07-26 . F07397DBDBD249D379CFDEEE6D9BF545 . 1190400 . . [5.1.2600.1720] . . c:\windows\system32\ole32.dll
[-] 2005-07-26 . A2F755E237FA2CDD748A80BFBE6657F3 . 1285632 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\ole32.dll
[-] 2005-07-26 . A2F755E237FA2CDD748A80BFBE6657F3 . 1285632 . . [5.1.2600.2726] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\ole32.dll
.
[7] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\shsvcs.dll
[7] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\32f618476f4bd04251d02b8c6ff3cc67\backup\sp3gdr\shsvcs.dll
[7] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\32f618476f4bd04251d02b8c6ff3cc67\backup\sp3qfe\shsvcs.dll
[-] 2004-10-28 . AD324E21EF7E668C9910EB5ADF6495C0 . 116736 . . [6.00.2800.1605] . . c:\windows\system32\shsvcs.dll
[7] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\shsvcs.dll
[7] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\shsvcs.dll
.
[-] 2009-11-18 . 08D72F6490CD85AA1C12EF3B56299936 . 172544 . . [5.1.2600.1564] . . c:\windows\system32\schedsvc.dll
[7] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\schedsvc.dll
[7] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\schedsvc.dll
[7] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\schedsvc.dll
.
[7] 2008-04-14 . 6F9BEF24C578D5D6740E080BEDD6A448 . 7680 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rasadhlp.dll
[-] 2006-06-26 . 087552302D5AAB20FC37314576BC106C . 6144 . . [5.1.2600.1863] . . c:\windows\system32\rasadhlp.dll
[-] 2006-06-26 . B5D08C96B2DADAF5171FB69E341B272B . 7680 . . [5.1.2600.2938] . . c:\windows\$hf_mig$\KB920683\SP2QFE\rasadhlp.dll
[-] 2006-06-26 . 5F098BD2AE6B03044B085DECFFDF91EC . 8192 . . [5.1.2600.2938] . . c:\windows\$hf_mig$\KB920683\SP2GDR\rasadhlp.dll
[-] 2006-06-26 . 5F098BD2AE6B03044B085DECFFDF91EC . 8192 . . [5.1.2600.2938] . . c:\windows\$NtServicePackUninstall$\rasadhlp.dll
[-] 2006-06-26 . 5F098BD2AE6B03044B085DECFFDF91EC . 8192 . . [5.1.2600.2938] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\rasadhlp.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-09-08_20.42.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-05-27 23:32 . 2008-04-14 11:42 37888 c:\windows\system32\url.dll
+ 2004-05-27 23:32 . 2008-04-14 11:42 39424 c:\windows\system32\pngfilt.dll
+ 2004-05-27 23:32 . 2011-10-11 04:36 72854 c:\windows\system32\perfc009.dat
+ 2004-05-27 23:31 . 2008-04-14 11:42 96256 c:\windows\system32\occache.dll
+ 2004-05-27 23:31 . 2008-04-14 03:56 56832 c:\windows\system32\mshtmler.dll
+ 2004-05-27 23:31 . 2008-04-14 11:42 29184 c:\windows\system32\mshta.exe
+ 2004-05-27 23:31 . 2008-04-14 11:41 22016 c:\windows\system32\licmgr10.dll
+ 2004-05-27 23:31 . 2008-04-14 11:41 15872 c:\windows\system32\jsproxy.dll
+ 2004-05-27 23:31 . 2008-04-14 11:41 96256 c:\windows\system32\inseng.dll
+ 2004-05-27 23:31 . 2008-04-14 11:41 35840 c:\windows\system32\imgutil.dll
+ 2004-05-27 23:31 . 2008-04-14 11:41 62976 c:\windows\system32\iesetup.dll
+ 2004-05-27 23:31 . 2008-04-14 11:41 48640 c:\windows\system32\iernonce.dll
- 2009-09-25 05:37 . 2009-09-25 05:37 81920 c:\windows\system32\ieencode.dll
+ 2009-09-25 05:37 . 2008-04-14 11:41 81920 c:\windows\system32\ieencode.dll
+ 2004-05-27 23:31 . 2008-04-14 11:42 34304 c:\windows\system32\ie4uinit.exe
+ 1997-11-18 00:31 . 1997-11-18 00:31 27648 c:\windows\system32\hh.exe
+ 2004-05-27 23:32 . 2008-04-14 11:42 37888 c:\windows\system32\dllcache\url.dll
+ 2004-05-27 23:32 . 2008-04-14 11:42 39424 c:\windows\system32\dllcache\pngfilt.dll
+ 2004-05-27 23:31 . 2008-04-14 11:42 96256 c:\windows\system32\dllcache\occache.dll
+ 2004-05-27 23:31 . 2008-04-14 03:56 56832 c:\windows\system32\dllcache\mshtmler.dll
+ 2004-05-27 23:31 . 2008-04-14 11:42 29184 c:\windows\system32\dllcache\mshta.exe
+ 2004-05-27 23:31 . 2008-04-14 11:41 22016 c:\windows\system32\dllcache\licmgr10.dll
+ 2004-05-27 23:31 . 2008-04-14 11:41 15872 c:\windows\system32\dllcache\jsproxy.dll
+ 2004-05-27 23:31 . 2008-04-14 11:41 96256 c:\windows\system32\dllcache\inseng.dll
+ 2004-05-27 23:31 . 2008-04-14 11:41 35840 c:\windows\system32\dllcache\imgutil.dll
+ 2004-05-27 23:47 . 2008-04-14 11:42 93184 c:\windows\system32\dllcache\iexplore.exe
+ 2004-05-27 23:31 . 2008-04-14 11:41 62976 c:\windows\system32\dllcache\iesetup.dll
+ 2004-05-27 23:31 . 2008-04-14 11:41 48640 c:\windows\system32\dllcache\iernonce.dll
- 2009-09-25 05:37 . 2009-09-25 05:37 81920 c:\windows\system32\dllcache\ieencode.dll
+ 2009-09-25 05:37 . 2008-04-14 11:41 81920 c:\windows\system32\dllcache\ieencode.dll
+ 2004-05-27 23:31 . 2008-04-14 11:42 34304 c:\windows\system32\dllcache\ie4uinit.exe
+ 2004-05-27 23:47 . 2008-04-14 11:41 38912 c:\windows\system32\dllcache\hmmapi.dll
+ 2004-05-27 23:30 . 2008-04-14 11:41 35328 c:\windows\system32\dllcache\corpol.dll
+ 2004-05-27 23:30 . 2008-04-14 11:41 99840 c:\windows\system32\dllcache\advpack.dll
+ 2004-05-27 23:30 . 2008-04-14 11:41 61440 c:\windows\system32\dllcache\admparse.dll
+ 2004-05-27 23:30 . 2008-04-14 11:41 35328 c:\windows\system32\corpol.dll
+ 2004-05-27 23:30 . 2008-04-14 11:41 99840 c:\windows\system32\advpack.dll
+ 2004-05-27 23:30 . 2008-04-14 11:41 61440 c:\windows\system32\admparse.dll
+ 2011-10-26 04:00 . 2011-10-26 04:01 8686 c:\windows\unins000.dat
+ 2004-08-02 19:20 . 2004-08-02 19:20 4569 c:\windows\system32\dllcache\secupd.dat
- 2009-11-18 19:07 . 2004-08-02 20:20 4569 c:\windows\system32\dllcache\secupd.dat
+ 2006-06-23 17:33 . 2008-04-14 11:42 666112 c:\windows\system32\wininet.dll
+ 2004-05-27 23:32 . 2008-04-14 11:42 276480 c:\windows\system32\webcheck.dll
+ 2002-02-26 21:58 . 2008-05-09 10:53 430080 c:\windows\system32\vbscript.dll
+ 2006-08-31 02:42 . 2008-04-14 11:42 619520 c:\windows\system32\urlmon.dll
+ 2004-05-27 23:32 . 2011-10-11 04:36 444602 c:\windows\system32\perfh009.dat
+ 2004-05-27 23:31 . 2008-04-14 11:42 532480 c:\windows\system32\mstime.dll
+ 2004-05-27 23:31 . 2008-04-14 11:42 146432 c:\windows\system32\msrating.dll
+ 2004-05-27 23:31 . 2003-03-31 12:00 146432 c:\windows\system32\msls31.dll
+ 2004-05-27 23:31 . 2008-04-14 11:42 449024 c:\windows\system32\mshtmled.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 512000 c:\windows\system32\jscript.dll
+ 2009-03-08 10:31 . 2008-04-14 11:41 251904 c:\windows\system32\iepeers.dll
+ 2004-05-27 23:31 . 2008-04-14 11:41 323584 c:\windows\system32\iedkcs32.dll
+ 2004-05-27 23:31 . 2003-03-31 12:00 221184 c:\windows\system32\ieakui.dll
+ 2004-05-27 23:31 . 2008-04-14 11:41 216576 c:\windows\system32\ieaksie.dll
+ 2004-05-27 23:31 . 2008-04-14 11:41 143360 c:\windows\system32\ieakeng.dll
+ 2011-09-23 03:07 . 2011-09-23 03:07 125320 c:\windows\system32\FNTCACHE.DAT
- 2004-05-27 16:39 . 2011-08-24 05:05 125320 c:\windows\system32\FNTCACHE.DAT
+ 2009-03-08 10:31 . 2008-04-14 11:41 205312 c:\windows\system32\dxtrans.dll
+ 2009-03-08 10:31 . 2008-04-14 11:41 357888 c:\windows\system32\dxtmsft.dll
+ 2006-06-23 17:33 . 2008-04-14 11:42 666112 c:\windows\system32\dllcache\wininet.dll
+ 2004-05-27 23:32 . 2008-04-14 11:42 276480 c:\windows\system32\dllcache\webcheck.dll
+ 2004-05-27 23:47 . 2008-04-14 11:42 851968 c:\windows\system32\dllcache\vgx.dll
+ 2002-02-26 21:58 . 2008-05-09 10:53 430080 c:\windows\system32\dllcache\vbscript.dll
+ 2006-08-31 02:42 . 2008-04-14 11:42 619520 c:\windows\system32\dllcache\urlmon.dll
+ 2004-05-27 23:31 . 2008-04-14 11:42 532480 c:\windows\system32\dllcache\mstime.dll
+ 2004-05-27 23:31 . 2008-04-14 11:42 146432 c:\windows\system32\dllcache\msrating.dll
+ 2004-05-27 23:31 . 2003-03-31 12:00 146432 c:\windows\system32\dllcache\msls31.dll
+ 2004-05-27 23:31 . 2008-04-14 11:42 449024 c:\windows\system32\dllcache\mshtmled.dll
+ 2008-05-09 10:53 . 2008-05-09 10:53 512000 c:\windows\system32\dllcache\jscript.dll
+ 2009-03-08 10:31 . 2008-04-14 11:41 251904 c:\windows\system32\dllcache\iepeers.dll
+ 2004-05-27 23:31 . 2008-04-14 11:41 323584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-05-27 23:31 . 2003-03-31 12:00 221184 c:\windows\system32\dllcache\ieakui.dll
+ 2004-05-27 23:31 . 2008-04-14 11:41 216576 c:\windows\system32\dllcache\ieaksie.dll
+ 2004-05-27 23:31 . 2008-04-14 11:41 143360 c:\windows\system32\dllcache\ieakeng.dll
+ 2009-03-08 10:31 . 2008-04-14 11:41 205312 c:\windows\system32\dllcache\dxtrans.dll
+ 2009-03-08 10:31 . 2008-04-14 11:41 357888 c:\windows\system32\dllcache\dxtmsft.dll
+ 2010-09-07 20:39 . 2010-09-07 20:39 150392 c:\windows\junction.exe
+ 2009-03-08 10:41 . 2008-04-14 11:42 3066880 c:\windows\system32\mshtml.dll
+ 2009-03-08 10:41 . 2008-04-14 11:42 3066880 c:\windows\system32\dllcache\mshtml.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2003-06-03 18:01 496640 ----a-w- c:\windows\zHotkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 02:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
2004-03-11 22:18 135168 ----a-w- c:\program files\eMachines Bay Reader\shwiconEM.exe
.
R3 rkhdrv40;Rootkit Unhooker Driver; [x]
.
.
.
------- Supplementary Scan -------
.
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Justo\Application Data\Mozilla\Firefox\Profiles\u9nu512p.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-10 00:12
Windows 5.1.2600 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\CLBCATQ.DLL
.
- - - - - - - > 'explorer.exe'(920)
c:\windows\system32\CLBCATQ.DLL
.
Completion time: 2011-11-10 00:14:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-10 06:14
ComboFix2.txt 2011-10-11 17:30
ComboFix3.txt 2011-09-10 21:10
ComboFix4.txt 2011-09-08 21:33
ComboFix5.txt 2011-11-10 06:01
.
Pre-Run: 32,146,649,088 bytes free
Post-Run: 32,126,701,568 bytes free
.
- - End Of File - - E70CAEDCF8EEA7AD81A8278FBFAE3935
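The Sigcheck section of the ComboFix log above lists, for each system file, the copies found in several locations with their MD5, size and file version. Reading the rows side by side shows that the copies actually loaded from system32 (netman.dll 5.1.2600.1733, spoolsv.exe 5.1.2600.1699, ole32.dll 5.1.2600.1720, and so on) carry a lower build number than the 5.1.2600.5512 copies kept under ServicePackFiles\i386. The Python below is an added example, not part of the original post or of ComboFix: it parses rows in that Sigcheck format, groups them by file name, and reports every live system32 copy whose version is lower than the best ServicePackFiles reference, with the hashes alongside so a mismatch is visible at a glance rather than buried in the list. The sample rows are copied from the log above; the leading bracketed marker is kept as an opaque field rather than interpreted, and the choice of system32 as "live" and ServicePackFiles as "reference" is the example's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample: Sigcheck rows copied from the ComboFix log above.
SIGCHECK_SAMPLE = r"""
[7] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\netman.dll
[-] 2005-08-22 . 838B1DF317D55BFFF67F99F1AE7ECEB7 . 154624 . . [5.1.2600.1733] . . c:\windows\system32\netman.dll
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2005-06-10 . 6B4BF97957A0B8795811975D4BF1ACFE . 53248 . . [5.1.2600.1699] . . c:\windows\system32\spoolsv.exe
[7] 2008-04-14 . ECCE74BC6168375016450A86A164D976 . 1287168 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ole32.dll
[-] 2005-07-26 . F07397DBDBD249D379CFDEEE6D9BF545 . 1190400 . . [5.1.2600.1720] . . c:\windows\system32\ole32.dll
"""

# One Sigcheck row: [marker] date . MD5 . size . . [version] . . path
ROW_RE = re.compile(
    r"^\[(?P<mark>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<ver>[\d.]+)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


def parse_sigcheck(text):
    """Parse Sigcheck rows; the version becomes an int tuple so it compares correctly."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["ver"] = tuple(int(p) for p in d["ver"].split("."))
        d["path"] = d["path"].lower()
        rows.append(d)
    return rows


def fmt_version(ver):
    return ".".join(str(p) for p in ver)


def compare_live_vs_reference(rows):
    """For each file name, flag live system32 copies older than the ServicePackFiles copy.

    Assumption of this example: "\\system32\\" holds the copy Windows actually loads,
    "\\servicepackfiles\\" holds the service-pack reference copy.
    """
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["path"].rsplit("\\", 1)[-1]].append(r)

    findings = []
    for name, entries in sorted(by_name.items()):
        live = [e for e in entries if "\\system32\\" in e["path"]]
        ref = [e for e in entries if "\\servicepackfiles\\" in e["path"]]
        if not live or not ref:
            continue  # nothing to compare against
        ref_best = max(ref, key=lambda e: e["ver"])
        for l in live:
            if l["ver"] < ref_best["ver"]:
                findings.append({
                    "name": name,
                    "live_path": l["path"],
                    "live_version": fmt_version(l["ver"]),
                    "reference_version": fmt_version(ref_best["ver"]),
                    "hash_differs": l["md5"] != ref_best["md5"],
                })
    return findings


if __name__ == "__main__":
    for f in compare_live_vs_reference(parse_sigcheck(SIGCHECK_SAMPLE)):
        print(f"{f['name']}: live {f['live_version']} < reference {f['reference_version']}"
              f" (md5 differs: {f['hash_differs']})")
```

Feed a whole ComboFix.txt in and only the Sigcheck rows match the pattern; every other section is skipped. A version that is merely different, not lower, is not reported, which keeps hotfix (QFE/GDR) variants of the same build from producing noise.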

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,581 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:21 AM

Posted 10 November 2011 - 02:06 AM

Hi, please run the following tool, then rerun ComboFix. Dial-a-Fix is a very old tool and can throw quite a few errors; just ignore them and continue.

  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program. Note - you might see an error message regarding Internet Explorer. Just ignore this and continue.
  • Press the green double checkmark box.
  • UNcheck Empty Temp Folders, as well as Adjust Time/Date in the prep section.
  • Click on Go.
  • Exit/Close Dial-A-Fix.

regards, Elise




#10 Fade2black22

Fade2black22
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 AM

Posted 13 November 2011 - 12:16 PM

ComboFix 11-11-09.02 - Justo 11/13/2011 1:46.6.1 - x86
Running from: c:\documents and settings\Justo\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-13 to 2011-11-13 )))))))))))))))))))))))))))))))
.
.
2011-11-13 07:35 . 2011-11-13 07:37 -------- d-----w- c:\windows\system32\CatRoot2
2011-10-26 04:01 . 2011-08-31 22:00 366152 ----a-w- c:\windows\mbamservice.exe
2011-10-26 04:00 . 2011-10-26 04:00 -------- d-----w- c:\windows\Languages
2011-10-26 04:00 . 2011-08-31 22:00 2223176 ----a-w- c:\windows\mbamnet.dll
2011-10-26 04:00 . 2011-08-31 22:00 563784 ----a-w- c:\windows\mbamcore.dll
2011-10-26 04:00 . 2011-08-31 22:00 173640 ----a-w- c:\windows\mbam.dll
2011-10-26 04:00 . 2011-06-01 15:16 496976 ----a-w- c:\windows\vbalsgrid6.ocx
2011-10-26 04:00 . 2011-06-01 15:16 46416 ----a-w- c:\windows\ssubtmr6.dll
2011-10-26 04:00 . 2011-08-31 22:00 449608 ----a-w- c:\windows\mbamgui.exe
2011-10-26 04:00 . 2011-08-31 22:00 1047208 ----a-w- c:\windows\mbam.exe
2011-10-26 04:00 . 2011-10-26 04:00 709968 ----a-w- c:\windows\unins000.exe
2011-10-26 04:00 . 2011-08-31 22:00 20552 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-26 04:00 . 2011-08-31 22:00 78920 ----a-w- c:\windows\mbamext.dll
2011-10-20 22:51 . 2011-10-20 22:53 -------- d-----w- C:\RkUnhooker
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-24 08:00 . 2011-09-08 01:42 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\netman.dll
[-] 2005-08-22 . 838B1DF317D55BFFF67F99F1AE7ECEB7 . 154624 . . [5.1.2600.1733] . . c:\windows\system32\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\$hf_mig$\KB905414\SP2GDR\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\$NtServicePackUninstall$\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\netman.dll
[-] 2005-08-22 . 3516D8A18B36784B1005B950B84232E1 . 197632 . . [5.1.2600.2743] . . c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll
.
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\6038b71530de3a2425b2782c515c9660\backup\sp3gdr\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\6038b71530de3a2425b2782c515c9660\backup\sp3qfe\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . 6B4BF97957A0B8795811975D4BF1ACFE . 53248 . . [5.1.2600.1699] . . c:\windows\system32\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2GDR\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\spoolsv.exe
.
[7] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\linkinfo.dll
[-] 2005-09-01 . 71E9F9E000221536047E059CBE2FE211 . 16384 . . [5.1.2600.1740] . . c:\windows\system32\linkinfo.dll
[-] 2005-09-01 . 648BF0B4DDE4F7A1156DAE7174D36EFA . 19968 . . [5.1.2600.2751] . . c:\windows\$hf_mig$\KB900725\SP2QFE\linkinfo.dll
[-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\$hf_mig$\KB900725\SP2GDR\linkinfo.dll
[-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\$NtServicePackUninstall$\linkinfo.dll
[-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\linkinfo.dll
.
[7] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tapisrv.dll
[-] 2005-07-08 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2GDR\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\$NtServicePackUninstall$\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\tapisrv.dll
[-] 2005-07-08 . 5F0469FF26B19790B5A0D7C77871B6CD . 238592 . . [5.1.2600.1715] . . c:\windows\system32\tapisrv.dll
.
[7] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2006-08-16 . 7B6A08441A4F11320421599D7ECF8D41 . 70656 . . [5.1.2600.1886] . . c:\windows\system32\ws2_32.dll
[7] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2_32.dll
[7] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\ws2_32.dll
.
[7] 2008-04-14 . ECCE74BC6168375016450A86A164D976 . 1287168 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ole32.dll
[7] 2008-04-14 . ECCE74BC6168375016450A86A164D976 . 1287168 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\c96035cca2ff8149829aeece9eaea737\backup\sp3gdr\ole32.dll
[7] 2008-04-14 . ECCE74BC6168375016450A86A164D976 . 1287168 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\c96035cca2ff8149829aeece9eaea737\backup\sp3qfe\ole32.dll
[-] 2005-07-26 . AB8231D13692AC5088EB9C226B0C0576 . 1285120 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2GDR\ole32.dll
[-] 2005-07-26 . AB8231D13692AC5088EB9C226B0C0576 . 1285120 . . [5.1.2600.2726] . . c:\windows\$NtServicePackUninstall$\ole32.dll
[-] 2005-07-26 . F07397DBDBD249D379CFDEEE6D9BF545 . 1190400 . . [5.1.2600.1720] . . c:\windows\system32\ole32.dll
[-] 2005-07-26 . A2F755E237FA2CDD748A80BFBE6657F3 . 1285632 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\ole32.dll
[-] 2005-07-26 . A2F755E237FA2CDD748A80BFBE6657F3 . 1285632 . . [5.1.2600.2726] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\ole32.dll
.
[7] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\shsvcs.dll
[7] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\32f618476f4bd04251d02b8c6ff3cc67\backup\sp3gdr\shsvcs.dll
[7] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\32f618476f4bd04251d02b8c6ff3cc67\backup\sp3qfe\shsvcs.dll
[-] 2004-10-28 . AD324E21EF7E668C9910EB5ADF6495C0 . 116736 . . [6.00.2800.1605] . . c:\windows\system32\shsvcs.dll
[7] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\shsvcs.dll
[7] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\shsvcs.dll
.
[-] 2009-11-18 . 08D72F6490CD85AA1C12EF3B56299936 . 172544 . . [5.1.2600.1564] . . c:\windows\system32\schedsvc.dll
[7] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\schedsvc.dll
[7] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\schedsvc.dll
[7] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\schedsvc.dll
.
[7] 2008-04-14 . 6F9BEF24C578D5D6740E080BEDD6A448 . 7680 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rasadhlp.dll
[-] 2006-06-26 . 087552302D5AAB20FC37314576BC106C . 6144 . . [5.1.2600.1863] . . c:\windows\system32\rasadhlp.dll
[-] 2006-06-26 . B5D08C96B2DADAF5171FB69E341B272B . 7680 . . [5.1.2600.2938] . . c:\windows\$hf_mig$\KB920683\SP2QFE\rasadhlp.dll
[-] 2006-06-26 . 5F098BD2AE6B03044B085DECFFDF91EC . 8192 . . [5.1.2600.2938] . . c:\windows\$hf_mig$\KB920683\SP2GDR\rasadhlp.dll
[-] 2006-06-26 . 5F098BD2AE6B03044B085DECFFDF91EC . 8192 . . [5.1.2600.2938] . . c:\windows\$NtServicePackUninstall$\rasadhlp.dll
[-] 2006-06-26 . 5F098BD2AE6B03044B085DECFFDF91EC . 8192 . . [5.1.2600.2938] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\rasadhlp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2003-06-03 18:01 496640 ----a-w- c:\windows\zHotkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 02:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
2004-03-11 22:18 135168 ----a-w- c:\program files\eMachines Bay Reader\shwiconEM.exe
.
R3 rkhdrv40;Rootkit Unhooker Driver; [x]
.
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Justo\Application Data\Mozilla\Firefox\Profiles\u9nu512p.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-13 02:38
Windows 5.1.2600 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\CLBCATQ.DLL
.
- - - - - - - > 'explorer.exe'(316)
c:\windows\system32\CLBCATQ.DLL
.
Completion time: 2011-11-13 02:42:09 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-13 08:42
ComboFix2.txt 2011-11-10 06:14
ComboFix3.txt 2011-10-11 17:30
ComboFix4.txt 2011-09-10 21:10
ComboFix5.txt 2011-11-13 07:45
.
Pre-Run: 32,174,043,136 bytes free
Post-Run: 32,107,474,944 bytes free
.
- - End Of File - - A8AAFA00DD311FC7EAF103F04993CAFE
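The Sigcheck section of the ComboFix log above lists, for each checked system binary, every copy found on disk with its date, MD5, size, version and path, tagged [7] when the copy matched ComboFix's known-good set and [-] when it did not (and, as the log itself notes, [-] does not by itself mean malware). What a practitioner looks for in that block is whether the live copy in system32 is the same version as the newest copy in ServicePackFiles; in the log above netman.dll, spoolsv.exe and ws2_32.dll in system32 are at 5.1.2600.1733, .1699 and .1886 while the SP3 copies (.5512) only exist under ServicePackFiles, which agrees with the catchme line in the same log reporting "Windows 5.1.2600 Service Pack 1". The following Python parser is an added example, not ComboFix's code and not anything posted in this thread; it assumes the line layout shown in the log, the sample lines are copied from the log above, and the two example.dll lines are constructed to show the non-lagging case.

```python
"""Parse the Sigcheck block of a ComboFix log and flag live system files whose
version lags behind the newest service-pack copy on the same machine.

Added example (not ComboFix's own code). Assumed line layout, taken from the
log above:
    [7] 2008-04-14 . <MD5> . <size> . . [<version>] . . <path>
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SIGCHECK_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[\d.]+)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)

# Sample input: lines copied from the log above, plus two constructed
# example.dll lines (hash/size are placeholders) where live == service pack.
SAMPLE_LOG = r"""
[7] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\netman.dll
[-] 2005-08-22 . 838B1DF317D55BFFF67F99F1AE7ECEB7 . 154624 . . [5.1.2600.1733] . . c:\windows\system32\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\$NtServicePackUninstall$\netman.dll
.
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2005-06-10 . 6B4BF97957A0B8795811975D4BF1ACFE . 53248 . . [5.1.2600.1699] . . c:\windows\system32\spoolsv.exe
.
[7] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2006-08-16 . 7B6A08441A4F11320421599D7ECF8D41 . 70656 . . [5.1.2600.1886] . . c:\windows\system32\ws2_32.dll
[7] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2_32.dll
.
[7] 2008-04-14 . 00000000000000000000000000000000 . 12345 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\example.dll
[7] 2008-04-14 . 00000000000000000000000000000000 . 12345 . . [5.1.2600.5512] . . c:\windows\system32\example.dll
"""


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; separator lines ('.') are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        # Compare versions numerically, not as strings (.1733 vs .5512).
        d["version_tuple"] = tuple(int(x) for x in d["version"].split("."))
        d["name"] = PureWindowsPath(d["path"]).name.lower()
        entries.append(d)
    return entries


def _in_system32(entry):
    return PureWindowsPath(entry["path"]).parent.name.lower() == "system32"


def find_lagging_system_files(entries):
    """Map file name -> (live version, newest ServicePackFiles version, live MD5)
    for every binary whose system32 copy is older than the service-pack copy."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    lagging = {}
    for name, items in by_name.items():
        live = [e for e in items if _in_system32(e)]
        sp = [e for e in items if "servicepackfiles" in e["path"].lower()]
        if not live or not sp:
            continue
        best = max(sp, key=lambda e: e["version_tuple"])
        if live[0]["version_tuple"] < best["version_tuple"]:
            lagging[name] = (live[0]["version"], best["version"], live[0]["md5"])
    return lagging


def unmatched_live_files(entries):
    """Sorted names of system32 copies tagged [-] (no known-good match)."""
    return sorted({e["name"] for e in entries if _in_system32(e) and e["tag"] == "-"})


if __name__ == "__main__":
    parsed = parse_sigcheck(SAMPLE_LOG)
    for name, (live, best, md5) in sorted(find_lagging_system_files(parsed).items()):
        print(f"{name}: live {live} < service pack {best} (live MD5 {md5})")
    print("unmatched live files:", unmatched_live_files(parsed))
```

A lagging result alone says only that the live copy is older than the service-pack copy sitting beside it; the next step in this thread (trying to reinstall the service pack) is the sensible remediation, and the MD5 in the result is what you would compare against a known-good reference for the version shown before treating the file as tampered.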

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,581 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:21 AM

Posted 13 November 2011 - 12:24 PM

From your other topic I understood you had trouble installing Service Pack 3 for XP, right?
Could you please try to install it again and let me know if you were successful?

If not, try installing Service pack 2 instead.

regards, Elise




#12 Fade2black22

Fade2black22
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 AM

Posted 14 November 2011 - 12:49 PM

I don't have Service Pack 2, so I tried installing that first, but I get an error saying the system cannot find the file specified.

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,581 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:21 AM

Posted 14 November 2011 - 12:56 PM

Which file and when exactly did you get this error message?

regards, Elise




#14 Fade2black22

Fade2black22
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 AM

Posted 16 November 2011 - 11:08 PM

It downloaded and extracted OK, but during the install it stopped. I tried it a couple of times; the first time it stopped when it was "preparing inventory" and the second time it stopped when it was "inspecting".

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,581 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:21 AM

Posted 17 November 2011 - 02:22 AM

Please click Start > Run, type chkdsk /r and press Enter.
When asked to schedule the scan for the next reboot, type Y to confirm.

Restart your computer and let the disk check run unhindered. Note, this may take a long time.

When done, try to install the service pack again.

regards, Elise

