system restore virus


This topic is locked
33 replies to this topic

#16 erroll

erroll
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:02:09 AM

Posted 14 November 2011 - 09:07 AM

I ran it again

Search results for i8042prt.sys

4a0b06aa8943c1e332520f7440c0aa30 /mnt/sda2/WINDOWS/system32/dllcache/i8042prt.sys
51.3K Apr 14 2008

e7452197ad03f90b1b622cc1c20d9df8 /mnt/sda2/WINDOWS/system32/drivers/i8042prt.sys
51.3K Apr 14 2008

4a0b06aa8943c1e332520f7440c0aa30 /mnt/sda2/WINDOWS/system32/ReinstallBackups/0012/DriverFiles/i386/i8042prt.sys
51.3K Aug 21 2008

4a0b06aa8943c1e332520f7440c0aa30 /mnt/sda2/WINDOWS/system32/ReinstallBackups/0013/DriverFiles/i386/i8042prt.sys
51.3K Apr 14 2008

68e8ff9eeaf8b37a66cac2c57835ffbd /mnt/sda1/Minint/system32/drivers/i8042prt.sys
54.5K Feb 18 2007

4a0b06aa8943c1e332520f7440c0aa30 /mnt/sda1/restore/WINDOWS/system32/dllcache/i8042prt.sys
51.3K Apr 14 2008

4a0b06aa8943c1e332520f7440c0aa30 /mnt/sda1/restore/WINDOWS/system32/drivers/i8042prt.sys
51.3K Apr 14 2008

4a0b06aa8943c1e332520f7440c0aa30 /mnt/sda1/restore/WINDOWS/system32/ReinstallBackups/0012/DriverFiles/i386/i8042prt.sys
51.3K Aug 21 2008

4a0b06aa8943c1e332520f7440c0aa30 /mnt/sda1/restore/WINDOWS/system32/ReinstallBackups/0013/DriverFiles/i386/i8042prt.sys
51.3K Apr 14 2008
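As an added example (not code from the thread or from BleepingComputer), the following Python script parses a hash listing in the format posted above, groups the copies of the driver by size and date, and flags any copy whose MD5 disagrees with the other copies of the same version. The hashes in the sample are constructed placeholders that mirror the listing's pattern, not the real values; the paths follow the thread's layout.

```python
"""Flag a tampered copy of a Windows system file among its on-disk copies.

Added example, not code from the thread. It parses a listing in the format
posted above (one line "md5 path", one line "size date", entries separated
by a blank line), groups the copies by (size, date) and reports any copy
whose MD5 disagrees with the other copies that share its size and timestamp.
A patched driver that keeps the original size and timestamp shows up exactly
that way; a copy with a different size/date is simply a different build and
is listed separately rather than treated as tampered.
"""
from collections import Counter, defaultdict
import re

# Constructed sample modelled on the listing's pattern; the hashes are
# placeholders, not the real values from the thread.
GOOD_MD5 = "0f" * 16         # hash shared by the dllcache/restore copies
PATCHED_MD5 = "e7" * 16      # hash of the copy in the live drivers folder
OTHER_BUILD_MD5 = "68" * 16  # older build shipped in a WinPE (Minint) tree

SAMPLE_LISTING = f"""Search results for i8042prt.sys

{GOOD_MD5} /mnt/sda2/WINDOWS/system32/dllcache/i8042prt.sys
51.3K Apr 14 2008

{PATCHED_MD5} /mnt/sda2/WINDOWS/system32/drivers/i8042prt.sys
51.3K Apr 14 2008

{OTHER_BUILD_MD5} /mnt/sda1/Minint/system32/drivers/i8042prt.sys
54.5K Feb 18 2007

{GOOD_MD5} /mnt/sda1/restore/WINDOWS/system32/dllcache/i8042prt.sys
51.3K Apr 14 2008

{GOOD_MD5} /mnt/sda1/restore/WINDOWS/system32/drivers/i8042prt.sys
51.3K Apr 14 2008
"""

# One entry is two consecutive lines: "<md5> <path>" then "<size> <Mon DD YYYY>".
ENTRY_RE = re.compile(
    r"^(?P<md5>[0-9a-f]{32}) (?P<path>\S.*)\n"
    r"(?P<size>\S+) (?P<date>[A-Za-z]{3} \d{1,2} \d{4})$",
    re.MULTILINE,
)


def parse_listing(text):
    """Return a list of dicts with keys md5, path, size, date."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def find_tampered(entries):
    """Split copies into (suspects, other_builds).

    suspects:     paths whose md5 differs from the majority md5 among copies
                  with the same size and date (same version, different bytes).
    other_builds: paths whose size/date differ from the most common version;
                  they still need checking against a known-good source, but a
                  hash mismatch alone does not prove tampering.
    """
    by_version = defaultdict(list)
    for entry in entries:
        by_version[(entry["size"], entry["date"])].append(entry)
    if not by_version:
        return [], []
    # The version with the most copies (dllcache, restore, ReinstallBackups
    # in the thread) serves as the reference.
    ref_version = max(by_version, key=lambda k: len(by_version[k]))
    suspects, other_builds = [], []
    for version, copies in by_version.items():
        if version != ref_version:
            other_builds.extend(c["path"] for c in copies)
            continue
        majority_md5, _ = Counter(c["md5"] for c in copies).most_common(1)[0]
        suspects.extend(c["path"] for c in copies if c["md5"] != majority_md5)
    return suspects, other_builds


def known_good_source(entries, exclude):
    """Pick a dllcache copy that was not flagged, as the repair source
    (the fix in the thread copies dllcache over the live driver)."""
    good = [e for e in entries
            if e["path"] not in exclude and "/dllcache/" in e["path"]]
    return good[0]["path"] if good else None


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    bad, odd = find_tampered(parsed)
    for p in bad:
        print("HASH MISMATCH within same version:", p)
    for p in odd:
        print("different build, verify separately:", p)
    print("repair source:", known_good_source(parsed, bad + odd))
```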


#17 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,410 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:09 AM

Posted 14 November 2011 - 10:09 AM

Hi, please navigate to the following file:
/mnt/sda2/WINDOWS/system32/dllcache/i8042prt.sys <-- right click this file and select Copy.

Now navigate to /mnt/sda2/windows/system32/drivers/i8042prt.sys <-- right click this file and select Rename. Rename the file to i8042prt.vir
Right click in an empty space in the Drivers folder and select Paste. This will paste the copied i8042prt.sys file in the correct location.

When done, try to restart your computer and let me know if you can now successfully enter Windows.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 



#18 erroll

erroll
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:02:09 AM

Posted 14 November 2011 - 06:42 PM

I get to the Windows screen where it reads "to begin, click your user name", and the cursor will not move.
I copied the file you asked for, then renamed it, found the blank space and pasted it. It read successful. I do see the i8042prt.vir but not the renamed one in the drivers folder.
Thanks
E

#19 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,410 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:09 AM

Posted 15 November 2011 - 03:30 AM

After you rename the original file, you need to copy/paste the one from DllCache in the Drivers folder. Please make sure the file (i8042prt.sys) is in place, then try to boot normally again.

regards, Elise




#20 erroll

erroll
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:02:09 AM

Posted 15 November 2011 - 10:36 AM

Elise

Everything seems to be working. It booted right up, started the autoscan from ComboFix, then restarted and created this log:

ComboFix 11-11-06.02 - Errol Dad 11/15/2011 9:59.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1604 [GMT -5:00]
Running from: D:\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Errol Dad\Start Menu\Programs\System Restore
c:\documents and settings\Errol Dad\Start Menu\Programs\System Restore\System Restore.lnk
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\$NtUninstallKB16552$
c:\windows\$NtUninstallKB16552$\2694001098
c:\windows\$NtUninstallKB16552$\3614742492\@
c:\windows\$NtUninstallKB16552$\3614742492\bckfg.tmp
c:\windows\$NtUninstallKB16552$\3614742492\cfg.ini
c:\windows\$NtUninstallKB16552$\3614742492\Desktop.ini
c:\windows\$NtUninstallKB16552$\3614742492\keywords
c:\windows\$NtUninstallKB16552$\3614742492\kwrd.dll
c:\windows\$NtUninstallKB16552$\3614742492\L\ebkirwrz
c:\windows\$NtUninstallKB16552$\3614742492\lsflt7.ver
c:\windows\$NtUninstallKB16552$\3614742492\U\00000001.@
c:\windows\$NtUninstallKB16552$\3614742492\U\00000002.@
c:\windows\$NtUninstallKB16552$\3614742492\U\00000004.@
c:\windows\$NtUninstallKB16552$\3614742492\U\80000000.@
c:\windows\$NtUninstallKB16552$\3614742492\U\80000004.@
c:\windows\$NtUninstallKB16552$\3614742492\U\80000032.@
.
.
((((((((((((((((((((((((( Files Created from 2011-10-15 to 2011-11-15 )))))))))))))))))))))))))))))))
.
.
2011-11-15 15:15 . 2011-11-15 15:15 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B48BB0FC-A60D-461C-823C-B84FF6D83732}\offreg.dll
2011-11-15 15:02 . 2011-11-15 15:02 -------- d-----w- c:\windows\LastGood.Tmp
2011-11-15 09:52 . 2008-04-14 07:48 52480 ------w- c:\windows\system32\drivers\i8042prt.sys
2011-11-06 20:11 . 2011-11-06 20:11 -------- d-----w- c:\program files\ESET
2011-11-06 07:24 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B48BB0FC-A60D-461C-823C-B84FF6D83732}\mpengine.dll
2011-11-06 07:04 . 2011-11-06 07:04 -------- d-----w- c:\documents and settings\Errol Dad\Application Data\Malwarebytes
2011-11-06 07:04 . 2011-11-06 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-06 07:04 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-06 07:04 . 2011-11-06 07:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-06 06:20 . 2011-11-06 06:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-11-06 05:25 . 2011-11-06 05:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-10-24 18:45 . 2011-10-24 18:45 -------- d-----w- c:\program files\Safari
2011-10-24 17:40 . 2011-10-24 17:40 -------- d-----w- c:\documents and settings\Errol Dad\Application Data\DriverCure
2011-10-24 17:40 . 2011-10-24 17:40 -------- d-----w- c:\documents and settings\Errol Dad\Application Data\ParetoLogic
2011-10-24 17:40 . 2011-10-24 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-13 19:24 . 2011-07-07 11:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2010-04-26 19:11 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 03:48 . 2011-08-01 15:06 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-09-28 07:06 . 2010-04-26 18:57 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2010-04-26 18:57 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2010-04-26 18:57 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-18 17:28 . 2011-09-18 17:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-18 17:28 . 2011-07-28 15:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-06 13:20 . 2010-04-26 18:57 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2010-04-26 18:57 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2010-04-26 18:57 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2010-04-26 18:57 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2010-04-26 18:57 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-06 872448]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 177456]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2006-01-17 53248]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2008-01-26 677144]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Conime"="c:\windows\system32\conime.exe" [2008-08-21 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2011-03-03 2510848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-14 1527128]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
.
c:\documents and settings\Errol Dad\Start Menu\Programs\Startup\
PdaNet Desktop.lnk - c:\program files\PdaNet for BlackBerry\PdaNetPC.exe [2011-3-17 371216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-27 581693]
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2011-6-30 5889880]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-7-6 1156968]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2011\QBW32.EXE [2011-7-6 1178984]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Errol Dad\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\FreeFileViewer\\FFVCheckForUpdates.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2011\\QBDBMgrN.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery
"5353:UDP"= 5353:UDP:Bonjour Port 5353
.
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [7/24/2007 10:21 AM 38816]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [3/9/2011 12:29 PM 366000]
R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [6/30/2011 12:25 PM 1248256]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [4/27/2010 5:32 AM 97280]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/24/2007 10:21 AM 41216]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [3/17/2011 2:19 PM 9472]
S1 MpKsl8b8900a7;MpKsl8b8900a7;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B48BB0FC-A60D-461C-823C-B84FF6D83732}\MpKsl8b8900a7.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B48BB0FC-A60D-461C-823C-B84FF6D83732}\MpKsl8b8900a7.sys [?]
S3 swmx02;HP ev2200 USB MUX Driver (#02);c:\windows\system32\drivers\swmx02.sys [11/18/2005 5:21 PM 57600]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-11-15 c:\windows\Tasks\FreeFileViewerUpdateChecker.job
- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2011-07-28 19:24]
.
2011-11-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
2011-11-15 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-15 10:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2628)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\IfxPsdSv.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-11-15 10:22:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-15 15:22
.
Pre-Run: 48,189,865,984 bytes free
Post-Run: 51,956,330,496 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 0D6081C79251927694F9AFB3884DB3B3

#21 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,410 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:09 AM

Posted 15 November 2011 - 11:03 AM

Glad to hear that! :) How are things running at this point?

We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.

regards, Elise




#22 erroll

erroll
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:02:09 AM

Posted 15 November 2011 - 03:47 PM

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\rpkdriverinst.log
: The filename, directory name, or volume label syntax is incorrect.


..
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\CacheManager\MpScanCache-1.bin: Access is denied.


...
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.




...

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

...

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

\\?\c:\\WINDOWS\assembly\GAC_MSIL\Intuit.QuickBooks.FCS\1.3.0.0__5b3f47ba29970ccb: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_Intuit.QuickBooks.FCS_5b3f47ba29970ccb_1.3.0.0_x-ww_d936dcb9
Substitute Name: C:\WINDOWS\WinSxS\MSIL_Intuit.QuickBooks.FCS_5b3f47ba29970ccb_1.3.0.0_x-ww_d936dcb9

...

#23 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,410 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:09 AM

Posted 15 November 2011 - 04:03 PM

That looks good.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise




#24 erroll

erroll
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:02:09 AM

Posted 15 November 2011 - 07:42 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Errol Dad at 21:21:13 on 2011-11-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1370 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ifxspmgt.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\IfxPsdSv.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Intuit\QuickBooks 2011\QBW32.EXE
C:\Program Files\PdaNet for BlackBerry\PdaNetPC.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Kodak\AiO\Center\AiOHostDirector.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\errold~1\startm~1\programs\startup\pdanet~1.lnk - c:\program files\pdanet for blackberry\PdaNetPC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\intuit\quickbooks 2011\QBW32.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://unisourceworldwide.webex.com/client/T27L10NSP21/webex/ieatgpc.cab
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{E89246E1-542B-43DA-AC9D-CB38141BE3F1} : DhcpNameServer = 65.32.5.111 65.32.5.112
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: AtiExtEvent - Ati2evxx.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKslc188d779;MpKslc188d779;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f92120cd-20a8-4042-b325-0fd4426b8e68}\MpKslc188d779.sys [2011-11-15 28752]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-7-24 38816]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2011-3-9 366000]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-6-30 1248256]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2010-4-27 97280]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-7-24 41216]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2011-3-17 9472]
S1 MpKsl8b8900a7;MpKsl8b8900a7;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b48bb0fc-a60d-461c-823c-b84ff6d83732}\mpksl8b8900a7.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b48bb0fc-a60d-461c-823c-b84ff6d83732}\MpKsl8b8900a7.sys [?]
S3 swmx02;HP ev2200 USB MUX Driver (#02);c:\windows\system32\drivers\swmx02.sys [2005-11-18 57600]
.
=============== Created Last 30 ================
.
2011-11-16 00:34:13 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f92120cd-20a8-4042-b325-0fd4426b8e68}\MpKslc188d779.sys
2011-11-16 00:34:04 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f92120cd-20a8-4042-b325-0fd4426b8e68}\offreg.dll
2011-11-15 15:31:34 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f92120cd-20a8-4042-b325-0fd4426b8e68}\mpengine.dll
2011-11-15 09:52:40 52480 ------w- c:\windows\system32\drivers\i8042prt.sys
2011-11-07 00:10:10 -------- d-sha-r- C:\cmdcons
2011-11-06 23:58:00 98816 ----a-w- c:\windows\sed.exe
2011-11-06 23:58:00 518144 ----a-w- c:\windows\SWREG.exe
2011-11-06 23:58:00 256000 ----a-w- c:\windows\PEV.exe
2011-11-06 23:58:00 208896 ----a-w- c:\windows\MBR.exe
2011-11-06 20:11:18 -------- d-----w- c:\program files\ESET
2011-11-06 07:04:49 -------- d-----w- c:\documents and settings\errol dad\application data\Malwarebytes
2011-11-06 07:04:41 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-06 07:04:37 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-06 07:04:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-24 17:40:35 -------- d-----w- c:\documents and settings\errol dad\application data\DriverCure
2011-10-24 17:40:34 -------- d-----w- c:\documents and settings\errol dad\application data\ParetoLogic
2011-10-24 17:40:21 -------- d-----w- c:\documents and settings\all users\application data\ParetoLogic
.
==================== Find3M ====================
.
2011-10-13 19:24:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-18 17:28:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-18 17:28:11 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 21:21:23.37 ===============

Edited by erroll, 15 November 2011 - 09:22 PM.


#25 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,410 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:09 AM

Posted 16 November 2011 - 02:57 AM

That is looking good, but can you please also post me the attach.txt file created by DDS?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#26 erroll

erroll
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:02:09 AM

Posted 16 November 2011 - 08:42 AM

Elise
After turning my A/V MSE back on it detected and removed TrojanDropper:Win32/Sirefef.B
Thanks
E

#27 erroll

erroll
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:02:09 AM

Posted 16 November 2011 - 09:37 AM

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/17/2010 8:16:31 PM
System Uptime: 11/16/2011 7:08:20 AM (2 hours ago)
.
Motherboard: Hewlett-Packard | | 30AC
Processor: Intel® Core™2 CPU T5600 @ 1.83GHz | U10 | 1828/166mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 67 GiB total, 48.737 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP101: 8/24/2011 3:28:17 PM - Software Distribution Service 3.0
RP102: 8/26/2011 12:14:12 PM - Software Distribution Service 3.0
RP103: 8/26/2011 5:17:41 PM - Software Distribution Service 3.0
RP104: 8/29/2011 10:24:49 AM - Software Distribution Service 3.0
RP105: 9/2/2011 10:27:48 PM - Software Distribution Service 3.0
RP106: 9/5/2011 11:37:23 AM - Software Distribution Service 3.0
RP107: 9/7/2011 10:09:25 AM - Software Distribution Service 3.0
RP108: 9/7/2011 3:01:13 PM - Software Distribution Service 3.0
RP109: 9/8/2011 7:25:46 PM - Software Distribution Service 3.0
RP110: 9/13/2011 6:01:44 PM - Software Distribution Service 3.0
RP111: 9/16/2011 4:15:36 PM - Software Distribution Service 3.0
RP112: 9/16/2011 4:25:16 PM - Software Distribution Service 3.0
RP113: 9/18/2011 10:05:49 AM - Software Distribution Service 3.0
RP114: 9/18/2011 1:28:00 PM - Installed Java™ 6 Update 27
RP115: 9/19/2011 10:47:42 AM - Software Distribution Service 3.0
RP116: 9/22/2011 10:35:50 PM - Software Distribution Service 3.0
RP117: 9/24/2011 1:00:37 AM - Software Distribution Service 3.0
RP118: 9/28/2011 1:28:58 PM - System Checkpoint
RP119: 9/29/2011 10:06:25 AM - Software Distribution Service 3.0
RP120: 9/29/2011 1:27:26 PM - Software Distribution Service 3.0
RP121: 10/4/2011 9:59:22 AM - Software Distribution Service 3.0
RP122: 10/8/2011 8:23:30 PM - Software Distribution Service 3.0
RP123: 10/10/2011 7:54:02 AM - Software Distribution Service 3.0
RP124: 10/13/2011 3:32:46 PM - Software Distribution Service 3.0
RP125: 10/15/2011 9:24:27 PM - Software Distribution Service 3.0
RP126: 10/15/2011 10:10:08 PM - Software Distribution Service 3.0
RP127: 10/20/2011 8:39:24 AM - Software Distribution Service 3.0
RP128: 10/21/2011 3:53:41 PM - Software Distribution Service 3.0
RP129: 10/22/2011 7:17:31 PM - Software Distribution Service 3.0
RP130: 10/24/2011 7:01:45 AM - Software Distribution Service 3.0
RP131: 10/24/2011 2:45:41 PM - Installed Safari
RP132: 10/24/2011 7:35:21 PM - Removed Microsoft Office Live Meeting 2007
RP133: 10/24/2011 7:35:41 PM - Installed Microsoft Office Live Meeting 2007
RP134: 10/25/2011 10:14:38 AM - Software Distribution Service 3.0
RP135: 10/26/2011 7:30:21 PM - Software Distribution Service 3.0
RP136: 10/28/2011 10:05:04 AM - Software Distribution Service 3.0
RP137: 10/30/2011 1:05:40 AM - Software Distribution Service 3.0
RP138: 10/31/2011 11:30:23 PM - Software Distribution Service 3.0
RP139: 11/2/2011 2:26:32 PM - Software Distribution Service 3.0
RP140: 11/3/2011 7:44:20 PM - Software Distribution Service 3.0
RP141: 11/5/2011 8:03:58 PM - Software Distribution Service 3.0
RP142: 11/6/2011 2:24:17 AM - Software Distribution Service 3.0
RP143: 11/15/2011 10:00:41 AM - Software Distribution Service 3.0
RP144: 11/15/2011 10:26:01 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader 9.4.5
Agere Systems HDA Modem
aioprnt
aioscnnr
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
AuthenTec Fingerprint Sensor Minimum Install
BlackBerry Desktop Software 4.5
Bonjour
Broadcom NetXtreme Ethernet Controller
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
center
Compatibility Pack for the 2007 Office system
Embedded Security for HP ProtectTools
ESET Online Scanner v3
essentials
File Type Assistant
Free File Viewer 2011
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP ev2200 Driver Package
HP Integrated Module with Bluetooth wireless technology
HP Mobile Data Protection System
HP ProtectTools Security Manager
HP Quick Launch Buttons 6.30 J1
InterActual Player
iTunes
Java Auto Updater
Java™ 6 Update 27
Kodak AIO Printer
KODAK AiO Software
magicJack
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office File Validation Add-In
Microsoft Office Live Meeting 2007
Microsoft Office Professional Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Windows XP Video Decoder Checkup Utility
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
ocr
OGA Notifier 2.0.0048.0
PdaNet for BlackBerry 2.01
PreReq
QuickBooks
QuickBooks Pro 2011
QuickTime
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Skins
SoundMAX
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VideoLAN VLC media player 0.8.6f
VZAccess Manager for HP
WebEx
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
.
==== Event Viewer Messages From Past Week ========
.
11/15/2011 3:36:50 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the QBCFMonitorService service to connect.
11/15/2011 10:07:40 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.115.1350.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.7801.0&avdelta=1.115.1350.0&asdelta=1.115.1350.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.7801.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
11/15/2011 10:07:40 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.115.1350.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.7801.0&avdelta=1.115.1350.0&asdelta=1.115.1350.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.7801.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
11/15/2011 10:07:40 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.115.1350.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.7801.0&avdelta=1.115.1350.0&asdelta=1.115.1350.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.7801.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
11/15/2011 10:07:40 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.115.1350.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.7801.0&avdelta=1.115.1350.0&asdelta=1.115.1350.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.7801.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
11/15/2011 10:07:34 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.115.1350.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7801.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
11/14/2011 6:38:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
.
==== End Of File ===========================
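
The event-log entry in this attach.txt (Service Control Manager 7026, boot-start driver i8042prt failed to load) lines up with the Created Last 30 entry in the earlier DDS log, where c:\windows\system32\drivers\i8042prt.sys was written on 2011-11-15 although the rest of the driver set dates from 2008. The standard way to check a driver like that is to compare its digest against the copy Windows keeps in system32\dllcache (and any ReinstallBackups copies) and flag the live file when it is the odd one out. The script below is an added example, not code posted by anyone in this thread. SAMPLE_LISTING is a constructed md5/path listing with placeholder digests and illustrative mount paths, and demo_compare_dirs builds its own temporary drivers/dllcache pair instead of touching a real system.

```python
# Added example for this thread, not code posted in it: cross-check each copy of a Windows
# driver against the copy in dllcache, over a constructed listing and a real directory pair.
import hashlib
import os
import re
import tempfile
from collections import Counter, defaultdict

HASH_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+(\S+)$")

# Constructed sample: paths are illustrative and the a/b/c digests are placeholders, not
# real file hashes. Note the tampered drivers\ copy keeps the original size and date.
SAMPLE_LISTING = """\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa /mnt/sysdisk/WINDOWS/system32/dllcache/i8042prt.sys
51.3K Apr 14 2008
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb /mnt/sysdisk/WINDOWS/system32/drivers/i8042prt.sys
51.3K Apr 14 2008
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa /mnt/sysdisk/WINDOWS/system32/ReinstallBackups/0001/DriverFiles/i386/i8042prt.sys
51.3K Apr 14 2008
cccccccccccccccccccccccccccccccc /mnt/bootcd/Minint/system32/drivers/i8042prt.sys
54.5K Feb 18 2007
"""

def parse_listing(text):
    """Return (md5, path) pairs; header and size/date lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs

def install_key(path):
    """Group copies by the system32 tree they sit in, so a WinPE (Minint) or a second
    Windows install is never judged against another build's dllcache."""
    parts = path.replace("\\", "/").split("/")
    lowered = [p.lower() for p in parts]
    cut = lowered.index("system32") + 1 if "system32" in lowered else len(parts) - 1
    return "/".join(parts[:cut]), lowered[-1]

def reference_hash(entries):
    """Trusted digest for one driver: the dllcache copy when the cache is unambiguous,
    else a strict majority over all copies; None when no reference exists."""
    cache = {h for h, p in entries if "/dllcache/" in p.replace("\\", "/").lower()}
    if len(cache) == 1:
        return cache.pop()
    counts = Counter(h for h, _ in entries)
    if not counts:
        return None
    digest, n = counts.most_common(1)[0]
    return digest if n * 2 > len(entries) else None

def flag_mismatches(text):
    """Return {path: (found, expected)} for each live drivers\\ copy whose digest differs
    from the reference copy of the same install."""
    groups = defaultdict(list)
    for digest, path in parse_listing(text):
        groups[install_key(path)].append((digest, path))
    flagged = {}
    for entries in groups.values():
        ref = reference_hash(entries)
        for digest, path in entries:
            if ref and digest != ref and "/drivers/" in path.replace("\\", "/").lower():
                flagged[path] = (digest, ref)
    return flagged

def md5_file(path):
    """MD5 of a file, read in chunks so a large driver need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_dirs(drivers_dir, dllcache_dir):
    """Names of *.sys files present in both directories whose digests differ."""
    return sorted(
        name for name in os.listdir(dllcache_dir)
        if name.lower().endswith(".sys") and os.path.isfile(os.path.join(drivers_dir, name))
        and md5_file(os.path.join(drivers_dir, name)) != md5_file(os.path.join(dllcache_dir, name))
    )

def demo_compare_dirs():
    """Build a throwaway drivers/dllcache pair with one tampered driver and compare them."""
    with tempfile.TemporaryDirectory() as root:
        drv, cache = os.path.join(root, "drivers"), os.path.join(root, "dllcache")
        os.makedirs(drv)
        os.makedirs(cache)
        for name, cached, live in [("i8042prt.sys", b"clean", b"patched"), ("kbdclass.sys", b"same", b"same")]:
            for folder, data in ((cache, cached), (drv, live)):
                with open(os.path.join(folder, name), "wb") as f:
                    f.write(data)
        return compare_dirs(drv, cache)

if __name__ == "__main__":
    for path, (found, expected) in flag_mismatches(SAMPLE_LISTING).items():
        print(f"MISMATCH {path}: {found} (reference {expected})")
    print("live-directory demo:", demo_compare_dirs())
```

Two caveats apply to any check of this kind. A match against dllcache proves nothing if the infection rewrote both copies, and a kernel-mode rootkit can present a clean image to user-mode readers on the running system, so the comparison belongs on a boot CD or a mounted offline disk rather than on the live machine. A mismatch is not proof of infection by itself either: a hotfix can legitimately replace a driver without refreshing every backup copy, so check the file's version resource and a known-good Microsoft hash before deleting or replacing it.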

#28 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,410 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:09 AM

Posted 16 November 2011 - 10:03 AM

I suspect it detected a quarantined component of the infection.

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Adobe components and update:
  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security Scan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/Remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Your Adobe Reader is now up to date!


Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 7u1.
  • Look for "JDK 7u1 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.


Please launch Malwarebytes Antimalware, update it and run a full scan. Post me the resulting log.

regards, Elise




#29 erroll

erroll
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:02:09 AM

Posted 16 November 2011 - 02:43 PM

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8176

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/16/2011 11:33:20 AM
mbam-log-2011-11-16 (11-33-20).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 239950
Time elapsed: 45 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#30 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,410 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:09 AM

Posted 16 November 2011 - 03:20 PM

That looks good, do you have any problem left?

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

regards, Elise






