XP3 cannot run: Add Remove Programs and Event Viewer


27 replies to this topic

#1 gjbnc

  • Members
  • 67 posts
  • Gender:Male
  • Location:North Carolina

Posted 06 January 2012 - 05:38 PM

I do not know how to fix my XP system.

Microsoft offers a Fix It option online. It downloads but fails to run.

XP3 "Add or Remove Programs" does not appear in Control Panel listing. It does appear in icon view but clicking it has NO effect. It does not appear and there are no messages.

Using Administrative Tools, ALL of the applets (Event Viewer, Services, Performance, etc.) report the following error message:
The application failed to initialize properly (0xc000007b).

Avast anti-virus app reports it cannot run

I have used msconfig to disable several autorun apps and have rebooted into safe mode but no change.

I am turning the computer off now and will leave it off for a week as I will be out of town. I will connect back to BleepingComputer.com when I return. Hopefully someone will relate to the problem which I hope is captured in the attached log info.

Thanks.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Jerry at 12:50:20 on 2012-01-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1216 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\MediaMall\MediaMallServer.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Logitech\SetPointP\LU\LULnchr.exe
c:\program files\logitech\lws\lu\lulnchr.exe
c:\program files\logitech\lws\lu\LogitechUpdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Quixley Toolbar: {b494d4bb-ec87-4361-8587-10da6a83edfc} - c:\program files\quixley\prxtbQui0.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Quixley Toolbar: {b494d4bb-ec87-4361-8587-10da6a83edfc} - c:\program files\quixley\prxtbQui0.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Support.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - c:\program files\microsoft visual studio 10.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: RebateRobot BHO: {fa3fedf6-1a34-4076-9f25-a26a2de6a401} - c:\program files\rebaterobot\RebateRobot.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: Quixley Toolbar: {b494d4bb-ec87-4361-8587-10da6a83edfc} - c:\program files\quixley\prxtbQui0.dll
TB: Support.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_ActiveX.exe -update activex
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {070DC617-E3B7-468B-A29C-D4E84FAE938C} - hxxp://utilities.pcpitstop.com/pctuneup2/controls/pctuneup.cab
DPF: {115B1886-2AE0-4259-9FE4-E32A5DEE5451} - hxxp://www.wowweesupport.com/download/rovio/WebSee_4.0.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280660640796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://camera.thruhere.net:1024/activex/AxisCamControl.ocx
DPF: {A4150320-98EC-4DB6-9BFB-EBF4B6FBEB16} - hxxp://74.242.212.198/codebase/DVM_IPCam2.ocx
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://datafirstcorp.webex.com/client/T27L/webex/ieatgpc.cab
DPF: {F5131C24-E56D-11CF-B78A-444553540000} - hxxps://wc.wachovia.com/common/cab/ikcntrls.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: Interfaces\{756A596A-A32E-4493-BB4F-B69B287A4BC4} : NameServer = 192.168.254.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: LMIinit - LMIinit.dll
Notify: PCANotify - PCANotify.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\progra~1\dvdidl~1\DVDShell.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 psecbdr;psecbdr;c:\windows\system32\drivers\psecbdr.sys [2008-12-5 16896]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-10-6 165584]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2009-1-27 7040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-10-6 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-6 40384]
R2 CVPNDRV;Cisco Systems IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [2007-3-9 263751]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-9-17 10448]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-1-12 47640]
R2 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2011-3-16 4077424]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-6 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-6 40384]
S1 SBRE;SBRE;c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9d98562c3f23a;Google Update Service (gupdate1c9d98562c3f23a);c:\program files\google\update\GoogleUpdate.exe [2009-5-20 133104]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]
S3 cpuz130;cpuz130;\??\c:\docume~1\jerry\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\jerry\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2009-1-27 17792]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-5-20 133104]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2010-3-18 40912]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2010-3-18 10448]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 usbkey;USB Dongle;c:\windows\system32\drivers\USBkey.sys [2008-3-22 30168]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-3-9 141752]
S3 VSPerfDrv;Performance Tools Driver;c:\program files\microsoft visual studio 8\team tools\performance tools\VSPerfDrv.sys [2006-12-2 48128]
S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\microsoft visual studio 10.0\team tools\performance tools\VSPerfDrv100.sys [2009-12-8 48128]
S3 vusbser;Rovio ARM-Based MCU driver;c:\windows\system32\drivers\vusbser.sys [2009-1-26 30208]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-5-5 24365]
S4 DFSV;DFSV;c:\fl\bin\DFSV.exe [2007-3-16 1482824]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]
.
=============== Created Last 30 ================
.
2012-01-06 16:36:52 -------- d-----w- c:\documents and settings\jerry\application data\ElevatedDiagnostics
2012-01-06 16:35:57 -------- d-----w- C:\MATS
2012-01-06 15:52:48 -------- d-----w- c:\documents and settings\jerry\application data\Systweak
2012-01-06 15:52:44 17280 ----a-w- c:\windows\system32\roboot.exe
2012-01-06 15:52:42 811 ----a-w- C:\compile.bat
2012-01-06 15:52:42 -------- d-----w- C:\skin
2012-01-06 15:52:42 -------- d-----w- C:\defaults
2012-01-06 15:52:42 -------- d-----w- C:\content
2012-01-06 15:52:41 -------- d-----w- c:\program files\RebateRobot
2012-01-06 15:52:40 -------- d-----w- c:\program files\RegClean Pro
.
==================== Find3M ====================
.
2011-12-21 11:09:12 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-12-21 11:09:12 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-12-21 11:09:12 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-12-21 11:09:12 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 10:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-19 15:46:46 3350 --sha-w- c:\documents and settings\all users\application data\KGyGaAvL.sys
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 12:51:38.20 ===============
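As an added example (my own code, not part of this thread and not from the DDS tool), here is a small Python triage script over the SERVICES / DRIVERS section of a DDS log like the one above. It parses each entry, keeps the resolved path when DDS prints a `configured --> resolved` pair, and flags the entries a responder reads first: those where DDS printed `[?]` or `[x]` instead of a date and size (it could not read the file), and those that load from a temporary directory. The sample lines are constructed in the format of the log above; reading the prefix as R = running / S = stopped followed by the Windows start-type digit is the usual interpretation of DDS output and is an assumption here.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of a DDS "SERVICES / DRIVERS" section
# (a shortened copy of the format in the log above).
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
.
R0 psecbdr;psecbdr;c:\windows\system32\drivers\psecbdr.sys [2008-12-5 16896]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-6 40384]
S1 SBRE;SBRE;c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\jerry\locals~1\temp\cpuz130\cpuz_x32.sys --> \??\c:\docume~1\jerry\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
"""

# Assumed reading of the DDS prefix: R = running, S = stopped; the digit is the
# Windows start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled).
ENTRY_RE = re.compile(r'^([RS])(\d)\s+([^;]*);([^;]*);(.*)$')
TAIL_RE = re.compile(r'\s*\[([^\]]*)\]\s*$')          # trailing "[date size]", "[?]" or "[x]"
TEMP_RE = re.compile(r'[\\/](temp|tmp)[\\/]', re.IGNORECASE)


@dataclass
class DriverEntry:
    state: str            # "R" or "S"
    start_type: int
    name: str
    display: str
    path: str             # normalized (lower-case, \??\ prefix removed), "" if none
    file_seen: bool       # False when DDS printed [?] or [x] instead of a date and size
    flags: List[str] = field(default_factory=list)


def parse_driver_line(line: str) -> Optional[DriverEntry]:
    """Parse one DDS service/driver line; return None for anything else."""
    m = ENTRY_RE.match(line.rstrip())
    if not m:
        return None
    state, start, name, display, rest = m.groups()
    tail = TAIL_RE.search(rest)
    bracket = tail.group(1) if tail else ""
    if tail:
        rest = rest[:tail.start()]
    # DDS prints "configured --> resolved" when the two differ; keep the resolved side.
    if "-->" in rest:
        rest = rest.split("-->")[-1]
    path = rest.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    path = path.lower()
    entry = DriverEntry(state, int(start), name.strip(), display.strip(),
                        path, bracket not in ("?", "x"))
    if not entry.file_seen:
        entry.flags.append("file-not-found")
    if not path:
        entry.flags.append("no-path")
    elif TEMP_RE.search(path):
        entry.flags.append("temp-path")
    return entry


def parse_dds_drivers(text: str) -> List[DriverEntry]:
    """Return the entries of the SERVICES / DRIVERS section of a DDS log."""
    entries, in_section = [], False
    for line in text.splitlines():
        if "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if in_section and line.startswith("===="):
            break                     # next section header ends the section
        if in_section:
            e = parse_driver_line(line)
            if e:
                entries.append(e)
    return entries


def flagged(entries: List[DriverEntry]) -> List[DriverEntry]:
    """Entries worth a closer look: missing files or loads from a temp directory."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_dds_drivers(SAMPLE_DDS)):
        print(f"{e.state}{e.start_type} {e.name:<16} {', '.join(e.flags):<26} {e.path}")
```

A missing driver file is not by itself proof of infection (an uninstaller that left its service behind looks the same), but a driver registered from a user's temp directory, or a service whose binary no longer exists, is exactly the kind of entry a helper asks about before moving on to the MBR and rootkit scans.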



#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,600 posts
  • Gender:Male

Posted 12 January 2012 - 05:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/436671 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 17 January 2012 - 11:16 AM

Hello gjbnc and sorry about the delay.

Please post the requested logs as posted by helpbot so we can begin the cleaning process. Thank you.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#4 gjbnc

  • Topic Starter
  • Members
  • 67 posts
  • Gender:Male
  • Location:North Carolina

Posted 17 January 2012 - 06:55 PM

Sempai,

I researched how to use the BleepingComputer system before I posted my request. I found there that the DDS and GMER logs were a critical part of the analysis process so I included them with my original posting. After I posted, I turned off the XP box as I was on my way out of town. I have now returned but purposely left the problematic XP box turned off so the logs would still be relevant.

To restate, here are some of the problems:
1. The system does start and stop and I can enter safe mode.
2. Certain (many) standard applications do not run, such as:
   - Add / Remove programs - starts but never populates the list
   - Administrative Tools - All apps start and close, reporting an error [The application failed to initialize properly (0xc000007b).]
3. Web sites are dynamically masked so I cannot use certain resources (Microsoft Fix It app)
4. Task Manager shows very busy system.

You probably know what it feels like when you know something is not right on your computer. I know that box and have used it for over 3 years - it is in real trouble.

I hope this helps.

#5 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 17 January 2012 - 10:26 PM

Please do the following.


Step 1: Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Note: Do not install Avast anti-virus when offered.


Step 2: Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" is Cure (Please click on it and change it to skip).
  • Click on Report to generate a log.
  • Please post that log when you reply.


Step 3: Please download Listparts
Run the tool, click Scan and post the log (Result.txt) it makes.

~Semp


#6 gjbnc

  • Topic Starter
  • Members
  • 67 posts
  • Gender:Male
  • Location:North Carolina

Posted 18 January 2012 - 01:59 PM

sempai,

I started up the XP3 box in safe mode, downloaded the 3 apps, ran them, copied their respective reports to a usb stick and turned the box off.

If I need to run the apps while in normal mode, please advise.

The 3 reports are attached.

#7 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 18 January 2012 - 07:52 PM

Hi gjbnc,

Please do not attach logs unless instructed so that I can read them more easily.

Kindly repeat step #1 (aswMBR) in Normal mode and post the new report please.

~Semp


#8 gjbnc

  • Topic Starter
  • Members
  • 67 posts
  • Gender:Male
  • Location:North Carolina

Posted 19 January 2012 - 09:23 AM

sempai,

I started the XP box in normal mode, enabled all of the apps in msconfig/startup, rebooted and ran the aswMBR app. The report is posted below. Another app started running a registry scan which located hundreds of issues but I stopped it shortly after it started.

aswMBR.txt, today

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-19 08:54:45
-----------------------------
08:54:45.984 OS Version: Windows 5.1.2600 Service Pack 3
08:54:45.984 Number of processors: 2 586 0xF06
08:54:45.984 ComputerName: GJBH UserName:
08:54:52.375 Initialize success
08:54:52.796 AVAST engine defs: 12010601
08:54:56.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
08:54:56.234 Disk 0 Vendor: Intel___ 1.0. Size: 238416MB BusType: 3
08:54:56.250 Disk 0 MBR read successfully
08:54:56.250 Disk 0 MBR scan
08:54:56.250 Disk 0 Windows XP default MBR code
08:54:56.265 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 51199 MB offset 63
08:54:56.265 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 166729 MB offset 104856255
08:54:56.312 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 20481 MB offset 446317830
08:54:56.343 Disk 0 scanning sectors +488263545
08:54:56.484 Disk 0 scanning C:\WINDOWS\system32\drivers
08:55:50.312 Service scanning
08:56:05.156 Modules scanning
08:56:37.984 Disk 0 trace - called modules:
08:56:38.484 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
08:56:38.484 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a92aab8]
08:56:38.484 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a92b030]
08:56:40.312 AVAST engine scan C:\WINDOWS
08:57:19.078 AVAST engine scan C:\WINDOWS\system32
09:00:15.875 AVAST engine scan C:\WINDOWS\system32\drivers
09:00:28.234 AVAST engine scan C:\Documents and Settings\Jerry
09:08:12.203 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jerry\Desktop\MBR.dat"
09:08:12.203 The log file has been saved successfully to "C:\Documents and Settings\Jerry\Desktop\aswMBR.txt"


aswMBR.txt, original which I did not correctly post yesterday

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-18 13:45:20
-----------------------------
13:45:20.656 OS Version: Windows 5.1.2600 Service Pack 3
13:45:20.656 Number of processors: 2 586 0xF06
13:45:20.656 ComputerName: GJBH UserName:
13:45:20.984 Initialize success
13:45:21.875 AVAST engine defs: 12010601
13:45:27.218 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
13:45:27.234 Disk 0 Vendor: Intel___ 1.0. Size: 238416MB BusType: 3
13:45:27.250 Disk 0 MBR read successfully
13:45:27.265 Disk 0 MBR scan
13:45:28.046 Disk 0 Windows XP default MBR code
13:45:28.078 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 51199 MB offset 63
13:45:28.703 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 166729 MB offset 104856255
13:45:28.765 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 20481 MB offset 446317830
13:45:28.796 Disk 0 scanning sectors +488263545
13:45:29.296 Disk 0 scanning C:\WINDOWS\system32\drivers
13:45:48.328 Service scanning
13:45:50.703 Modules scanning
13:45:55.859 Disk 0 trace - called modules:
13:45:58.234
13:45:58.578 AVAST engine scan C:\WINDOWS
13:46:15.140 AVAST engine scan C:\WINDOWS\system32
13:47:55.406 AVAST engine scan C:\WINDOWS\system32\drivers
13:48:06.328 AVAST engine scan C:\Documents and Settings\Jerry
13:48:21.781 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jerry\Desktop\MBR.dat"
13:48:21.796 The log file has been saved successfully to "C:\Documents and Settings\Jerry\Desktop\aswMBR.txt"
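As an added example (my own code, not from this thread and not from aswMBR), here is a Python check over the partition-table lines of an aswMBR log such as the two above. It converts each entry's MB size to sectors (assuming 512-byte sectors, so 2048 sectors per MB), then verifies what a helper eyeballs in such a report: that aswMBR identified the MBR code, that exactly one partition carries the active flag (0x80), that consecutive partitions do not overlap, and that nothing extends past the reported disk size. The sample is built from the lines posted above; because aswMBR rounds sizes down to whole MB, small gaps between partitions are expected and only a real overlap is reported.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SECTORS_PER_MB = 2048   # assumes 512-byte sectors; aswMBR gives sizes in MB and offsets in sectors

# Constructed sample: the disk/partition lines of an aswMBR log, in the shape
# of the report posted above.
SAMPLE_ASWMBR = r"""
08:54:56.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
08:54:56.234 Disk 0 Vendor: Intel___ 1.0. Size: 238416MB BusType: 3
08:54:56.250 Disk 0 MBR read successfully
08:54:56.250 Disk 0 MBR scan
08:54:56.250 Disk 0 Windows XP default MBR code
08:54:56.265 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 51199 MB offset 63
08:54:56.265 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 166729 MB offset 104856255
08:54:56.312 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 20481 MB offset 446317830
"""

SIZE_RE = re.compile(r"Disk \d+ Vendor: .*?Size: (\d+)MB")
MBR_RE = re.compile(r"Disk \d+ (.+?) MBR code")
PART_RE = re.compile(
    r"Disk \d+ Partition (\d+) ([0-9A-Fa-f]{2})(?: \(A\))? ([0-9A-Fa-f]{2}) "
    r"(\S+) (\S+) (\d+) MB offset (\d+)"
)


@dataclass
class Partition:
    index: int
    boot: int        # boot indicator byte: 0x80 active, 0x00 inactive
    ptype: int       # partition type byte (0x07 = NTFS/HPFS)
    fs: str
    size_mb: int
    offset: int      # first sector (LBA)

    @property
    def end(self) -> int:
        """First sector after the partition (exclusive)."""
        return self.offset + self.size_mb * SECTORS_PER_MB


def check_layout(text: str) -> Dict:
    """Parse aswMBR disk/partition lines and return the layout plus a list of findings."""
    disk_sectors: Optional[int] = None
    mbr_code: Optional[str] = None
    parts: List[Partition] = []
    for line in text.splitlines():
        m = SIZE_RE.search(line)
        if m:
            disk_sectors = int(m.group(1)) * SECTORS_PER_MB
            continue
        m = MBR_RE.search(line)
        if m:
            mbr_code = m.group(1)
            continue
        m = PART_RE.search(line)
        if m:
            idx, boot, ptype, _desc, fs, size, off = m.groups()
            parts.append(Partition(int(idx), int(boot, 16), int(ptype, 16), fs, int(size), int(off)))

    findings: List[str] = []
    if mbr_code is None:
        findings.append("MBR code not identified by aswMBR")
    if not parts:
        findings.append("no partition entries found")
    active = [p for p in parts if p.boot == 0x80]
    if parts and len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for p in parts:
        if p.boot not in (0x00, 0x80):
            findings.append(f"partition {p.index}: invalid boot indicator 0x{p.boot:02x}")
    ordered = sorted(parts, key=lambda p: p.offset)
    if ordered and ordered[0].offset < 1:
        findings.append(f"partition {ordered[0].index} overlaps the MBR sector")
    for a, b in zip(ordered, ordered[1:]):
        if a.end > b.offset:           # MB rounding leaves small gaps, never overlaps
            findings.append(f"partition {a.index} (ends {a.end}) overlaps partition {b.index} (starts {b.offset})")
    if ordered and disk_sectors is not None and ordered[-1].end > disk_sectors:
        findings.append(f"partition {ordered[-1].index} extends past the disk ({ordered[-1].end} > {disk_sectors})")
    return {"mbr_code": mbr_code, "disk_sectors": disk_sectors,
            "partitions": ordered, "findings": findings}


if __name__ == "__main__":
    result = check_layout(SAMPLE_ASWMBR)
    print("MBR code:", result["mbr_code"])
    for p in result["partitions"]:
        print(f"  partition {p.index}: boot=0x{p.boot:02x} type=0x{p.ptype:02x} "
              f"{p.fs} sectors {p.offset}-{p.end}")
    print("findings:", result["findings"] or "none")
```

For the log above the check comes back clean: one active NTFS partition at sector 63, two more behind it with no overlap, and the last one ending inside the 238416 MB disk. The "scanning sectors +488263545" line in the log is aswMBR looking at the unallocated space after that last partition, which is where a bootkit would keep its payload; a layout that fails these consistency checks, or an MBR code that aswMBR cannot identify, is what would turn this from a corrupted-OS question into a rootkit question.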

#9 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 19 January 2012 - 10:06 AM

Please click Start > Run > copy-paste the bolded text below then press Enter.

SFC.EXE /SCANNOW

  • The program may (or it may not) ask you for your Windows XP installation CD, please insert it at the prompt.
  • If it doesn't ask you for the CD this means that it wasn't necessary to replace any files.

Edited by sempai, 19 January 2012 - 10:11 AM.

~Semp


#10 gjbnc

  • Topic Starter
  • Members
  • 67 posts
  • Gender:Male
  • Location:North Carolina

Posted 19 January 2012 - 10:39 AM

sempai,

Good news / bad news.

The scan runs for a short time and then prompts for the Windows XP Professional disk. I have XP SP3 installed from an Internet upgrade. The scan does not accept the XP SP2 disk which I have here. I do not have an XP SP3 disk. I can probably find an XP disk before the Service Packs were released but I don't know if that would work. I will start searching through some of my old technology piles.

Any advice?

#11 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:49 AM

Posted 19 January 2012 - 10:58 AM

Hi gjbnc,

I am thinking that the culprit of the problem is more a corrupted OS than malware related; currently the only thing that I can see in your logs is adware, but let's make sure.


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


Edited by sempai, 19 January 2012 - 10:59 AM.

~Semp



#12 gjbnc

gjbnc
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:02:49 PM

Posted 19 January 2012 - 12:17 PM

sempai,

Combofix log:

ComboFix 12-01-19.01 - Jerry 01/19/2012 11:52:42.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1249 [GMT -5:00]
Running from: c:\documents and settings\Jerry\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\autorun.ico
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Jerry\Local Settings\Application Data\assembly\tmp
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
C:\test.txt
C:\Thumbs.db
c:\windows\EventSystem.log
c:\windows\system32\ccrpTmr6.dll
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\roboot.exe
c:\windows\system32\SET14E.tmp
c:\windows\system32\SET14F.tmp
c:\windows\system32\SET155.tmp
c:\windows\system32\SET1F3.tmp
c:\windows\system32\SET1F5.tmp
c:\windows\system32\SET203.tmp
c:\windows\system32\SET949.tmp
c:\windows\system32\SET94E.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-12-19 to 2012-01-19 )))))))))))))))))))))))))))))))
.
.
2012-01-19 16:45 . 2001-08-17 16:12 16998 -c--a-w- c:\windows\system32\dllcache\OLD6DD.tmp
2012-01-19 16:43 . 2001-08-17 16:11 70174 -c--a-w- c:\windows\system32\dllcache\OLD65F.tmp
2012-01-19 16:42 . 2001-08-18 02:36 131156 -c--a-w- c:\windows\system32\dllcache\OLD5AA.tmp
2012-01-19 16:40 . 2008-04-14 09:41 24064 -c--a-w- c:\windows\system32\dllcache\OLD4E0.tmp
2012-01-19 16:39 . 2001-08-18 02:37 73216 -c--a-w- c:\windows\system32\dllcache\OLD434.tmp
2012-01-19 16:38 . 2001-08-18 02:36 32256 -c--a-w- c:\windows\system32\dllcache\OLD342.tmp
2012-01-19 16:37 . 2001-08-17 16:49 23552 -c--a-w- c:\windows\system32\dllcache\OLD2C8.tmp
2012-01-19 16:36 . 2001-08-17 16:12 97354 -c--a-w- c:\windows\system32\dllcache\OLD1F2.tmp
2012-01-19 16:35 . 2008-04-14 09:40 76800 -c--a-w- c:\windows\system32\dllcache\OLD115.tmp
2012-01-19 16:26 . 2008-04-14 09:41 68608 -c--a-w- c:\windows\system32\dllcache\OLDC0.tmp
2012-01-19 16:26 . 2008-04-14 09:41 13312 -c--a-w- c:\windows\system32\dllcache\OLDBD.tmp
2012-01-19 16:26 . 2008-04-14 09:41 829440 -c--a-w- c:\windows\system32\dllcache\OLDBA.tmp
2012-01-19 16:26 . 2008-04-14 09:42 30720 -c--a-w- c:\windows\system32\dllcache\OLDB4.tmp
2012-01-19 16:26 . 2008-04-14 09:41 133632 -c--a-w- c:\windows\system32\dllcache\OLDB7.tmp
2012-01-19 16:26 . 2008-04-14 09:41 68608 -c--a-w- c:\windows\system32\dllcache\OLDAF.tmp
2012-01-19 16:26 . 2008-04-14 09:41 64512 -c--a-w- c:\windows\system32\dllcache\OLDB1.tmp
2012-01-19 15:34 . 2004-08-04 10:00 14336 -c--a-w- c:\windows\system32\dllcache\OLD97FC.tmp
2012-01-19 15:33 . 2008-04-14 09:41 68608 -c--a-w- c:\windows\system32\dllcache\OLD2C1B.tmp
2012-01-19 15:33 . 2008-04-14 09:41 64512 -c--a-w- c:\windows\system32\dllcache\OLD2C4A.tmp
2012-01-19 15:33 . 2004-08-04 10:00 6144 -c--a-w- c:\windows\system32\dllcache\OLD2B3F.tmp
2012-01-19 15:31 . 2008-04-14 09:42 16439 -c--a-w- c:\windows\system32\dllcache\OLD16.tmp
2012-01-19 15:31 . 2008-04-14 09:41 20540 -c--a-w- c:\windows\system32\dllcache\OLD13.tmp
2012-01-19 15:30 . 2008-04-14 09:41 290816 -c--a-w- c:\windows\system32\dllcache\OLD10.tmp
2012-01-19 15:30 . 2012-01-19 16:45 -------- d-----w- c:\windows\LastGood
2012-01-19 15:30 . 2008-04-14 09:42 16439 -c--a-w- c:\windows\system32\dllcache\OLDD.tmp
2012-01-19 15:30 . 2008-04-14 09:41 20540 -c--a-w- c:\windows\system32\dllcache\OLDA.tmp
2012-01-06 17:00 . 2012-01-06 17:00 -------- d-----w- c:\program files\Windows Defender
2012-01-06 16:36 . 2012-01-06 16:59 -------- d-----w- c:\documents and settings\Jerry\Application Data\ElevatedDiagnostics
2012-01-06 16:35 . 2012-01-06 16:35 -------- d-----w- C:\MATS
2012-01-06 15:52 . 2012-01-06 15:52 -------- d-----w- c:\documents and settings\Jerry\Application Data\Systweak
2012-01-06 15:52 . 2012-01-06 15:52 -------- d-----w- C:\skin
2012-01-06 15:52 . 2012-01-06 15:52 -------- d-----w- C:\defaults
2012-01-06 15:52 . 2012-01-06 15:52 -------- d-----w- C:\content
2012-01-06 15:52 . 2011-12-03 22:49 811 ----a-w- C:\compile.bat
2012-01-06 15:52 . 2012-01-06 15:52 -------- d-----w- c:\program files\RebateRobot
2012-01-06 15:52 . 2012-01-06 15:52 -------- d-----w- c:\program files\RegClean Pro
2012-01-06 01:53 . 2012-01-06 01:53 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-21 11:09 . 2011-01-13 02:50 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2011-12-21 11:09 . 2011-01-13 02:50 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-12-21 11:09 . 2011-01-13 02:50 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-12-21 11:09 . 2011-01-13 02:49 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-12-10 20:24 . 2009-11-13 18:12 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25 . 2004-08-04 10:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 10:54 . 2010-10-01 12:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27 . 2010-10-01 12:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 19:20 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 10:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2005-03-30 01:21 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2005-03-30 01:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-02-28 18:30 . 2006-12-30 21:11 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2008-02-28 18:33 . 2006-12-30 21:11 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{b494d4bb-ec87-4361-8587-10da6a83edfc}"= "c:\program files\Quixley\prxtbQui0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{b494d4bb-ec87-4361-8587-10da6a83edfc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b494d4bb-ec87-4361-8587-10da6a83edfc}]
2011-05-09 09:49 176936 ----a-w- c:\program files\Quixley\prxtbQui0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-24 01:20 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA3FEDF6-1A34-4076-9F25-A26A2DE6A401}]
2011-12-04 05:05 88576 ----a-w- c:\program files\RebateRobot\RebateRobot.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{b494d4bb-ec87-4361-8587-10da6a83edfc}"= "c:\program files\Quixley\prxtbQui0.dll" [2011-05-09 176936]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{b494d4bb-ec87-4361-8587-10da6a83edfc}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B494D4BB-EC87-4361-8587-10DA6A83EDFC}"= "c:\program files\Quixley\prxtbQui0.dll" [2011-05-09 176936]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{b494d4bb-ec87-4361-8587-10da6a83edfc}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RDReminder"="c:\program files\RegClean Pro\RegCleanPro.exe" [2011-07-07 7734656]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-03 16943496]
"BIBLauncher"="c:\program files\Business-in-a-Box\BIBLauncher.exe" [2011-03-15 901600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-03-18 13879912]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-02-24 1753192]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-03-18 111208]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-02 421160]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-07-30 497000]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-08-24 887976]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe" [2010-11-25 233936]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMAsst.exe [2008-12-5 167936]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDIDL~1\DVDShell.dll" [2004-10-09 49152]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-12-21 11:09 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-05-29 16:00 8704 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
2010-09-07 15:12 2838912 ----a-w- c:\program files\Alwil Software\Avast5\AvastUI.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Visual Studio\\VB98\\VB6.EXE"=
"d:\\DFNet\\Products\\DFAutoRoute\\DFDS\\bin\\Debug\\DFAutoRoute.vshost.exe"=
"d:\\DF2008\\Tools\\HL7Router\\ExampleVB.Net.Applications\\Listener Proxy Toolkit\\TestListenerProxy\\bin\\Release\\TestListenerProxy.vshost.exe"=
"d:\\DFNet\\Migration\\QRSpoolers\\QRMigration\\QR_ReadSpooler.vshost.exe"=
"d:\\DF2010\\Products\\DFDS20SqlServer\\DFDS\\bin\\Debug\\DFDS.vshost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MediaMall\\MediaMallServer.exe"=
"d:\\DFNet\\Products\\DFAutoRoute\\DFDS\\bin\\Debug\\DFAutoRoute.exe"=
"d:\\_Sites\\Swedish\\DFSpooler.exe"=
"c:\\Program Files\\DFSpooler\\DFSpooler.exe"=
"d:\\DFNet\\Migration\\QRSpoolers\\QRMigration\\QR_ReadSpooler.exe"=
"c:\\Program Files\\WowWee\\Rovio\\Rovio finder.exe"=
"c:\\Program Files\\WowWee\\Rovio2\\Rovio Finder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\HermeTech\\UltraPort Listener\\UltraHL7_ListenerConfig.exe"=
"c:\\Program Files\\HermeTech\\UltraPort Router\\UltraHL7_RouterConfig.exe"=
"c:\\Program Files\\Western Digital\\WD Discovery Software\\WD Discovery.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"4500:UDP"= 4500:UDP:IPsec (IKE NAT-T)
"500:UDP"= 500:UDP:IPsec (IKE)
"135:TCP"= 135:TCP:RPC Endpoint Mapper and DCOM infrastructure
"15716:TCP"= 15716:TCP:*:Disabled:spport
"13226:TCP"= 13226:TCP:*:Disabled:spport
"16534:TCP"= 16534:TCP:*:Disabled:spport
"24058:TCP"= 24058:TCP:*:Disabled:spport
"20871:TCP"= 20871:TCP:*:Disabled:spport
"11809:TCP"= 11809:TCP:*:Disabled:spport
"5985:TCP"= 5985:TCP:Windows Remote Management
.
R0 psecbdr;psecbdr;c:\windows\system32\drivers\psecbdr.sys [12/5/2008 10:27 AM 16896]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/6/2010 9:02 AM 165584]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [1/27/2009 12:05 PM 7040]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/6/2010 9:02 AM 17744]
R2 CVPNDRV;Cisco Systems IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [3/9/2007 6:46 PM 263751]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [9/17/2010 8:50 AM 10448]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 1:11 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 3:40 PM 12856]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate1c9d98562c3f23a;Google Update Service (gupdate1c9d98562c3f23a);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2009 2:58 PM 133104]
S2 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [3/16/2011 4:32 PM 4077424]
S3 cpuz130;cpuz130;\??\c:\docume~1\Jerry\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Jerry\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [1/27/2009 12:05 PM 17792]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2009 2:58 PM 133104]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [3/18/2010 4:01 AM 40912]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [3/18/2010 4:01 AM 10448]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 10:15 AM 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 usbkey;USB Dongle;c:\windows\system32\drivers\USBkey.sys [3/22/2008 4:20 PM 30168]
S3 VSPerfDrv;Performance Tools Driver;c:\program files\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys [12/2/2006 2:10 AM 48128]
S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [12/8/2009 8:24 PM 48128]
S3 vusbser;Rovio ARM-Based MCU driver;c:\windows\system32\drivers\vusbser.sys [1/26/2009 8:34 PM 30208]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 5:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 DFSV;DFSV;c:\fl\Bin\DFSV.exe [3/16/2007 7:38 PM 1482824]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 5:17 AM 2805000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 21:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-20 19:58]
.
2011-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-20 19:58]
.
2011-11-19 c:\windows\Tasks\jucheck.job
- c:\program files\Common Files\Java\Java Update\jucheck.exe [2011-06-09 18:06]
.
2012-01-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
2012-01-06 c:\windows\Tasks\RegClean Pro_DEFAULT.job
- c:\program files\RegClean Pro\RegCleanPro.exe [2012-01-06 18:26]
.
2012-01-06 c:\windows\Tasks\RegClean Pro_UPDATES.job
- c:\program files\RegClean Pro\RegCleanPro.exe [2012-01-06 18:26]
.
2012-01-19 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-08-24 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: Interfaces\{756A596A-A32E-4493-BB4F-B69B287A4BC4}: NameServer = 192.168.254.254
DPF: {070DC617-E3B7-468B-A29C-D4E84FAE938C} - hxxp://utilities.pcpitstop.com/pctuneup2/controls/pctuneup.cab
DPF: {115B1886-2AE0-4259-9FE4-E32A5DEE5451} - hxxp://www.wowweesupport.com/download/rovio/WebSee_4.0.cab
DPF: {A4150320-98EC-4DB6-9BFB-EBF4B6FBEB16} - hxxp://74.242.212.198/codebase/DVM_IPCam2.ocx
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SBAMTray - c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe
Notify-TPSvc - TPSvc.dll
AddRemove-avast5 - c:\program files\Alwil Software\Avast5\aswRunDll.exe
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-19 12:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(576)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\LMIinit.dll
.
Completion time: 2012-01-19 12:10:57
ComboFix-quarantined-files.txt 2012-01-19 17:10
.
Pre-Run: 1,941,561,344 bytes free
Post-Run: 4,309,102,592 bytes free
.
- - End Of File - - 01768763CDDE67A9F9379B5895E7533A

#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:49 AM

Posted 19 January 2012 - 09:32 PM

Hi,

Do you know who or why these ports are opened? Do you use Windows Remote Management?

"15716:TCP"= 15716:TCP:*:Disabled:spport
"13226:TCP"= 13226:TCP:*:Disabled:spport
"16534:TCP"= 16534:TCP:*:Disabled:spport
"24058:TCP"= 24058:TCP:*:Disabled:spport
"20871:TCP"= 20871:TCP:*:Disabled:spport
"11809:TCP"= 11809:TCP:*:Disabled:spport
"5985:TCP"= 5985:TCP:Windows Remote Management

Edited by sempai, 19 January 2012 - 09:32 PM.

~Semp

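The question above is the right triage step: every entry in the firewall's GloballyOpenPorts list is a hole the owner should be able to account for. The following script is an added example (not ComboFix's code and not part of the original thread) that parses that section of a ComboFix-style log and reports any port exception that is not in a small baseline of exceptions Windows XP registers itself. The log excerpt is constructed from the entries posted above, and the baseline set is an assumption for this example; ComboFix appears to omit the "*:Enabled" scope and mode fields for enabled rules, so the parser treats missing fields as "*" and "Enabled" (also an assumption).

```python
"""Triage the GloballyOpenPorts section of a ComboFix-style log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"4500:UDP"= 4500:UDP:IPsec (IKE NAT-T)
"500:UDP"= 500:UDP:IPsec (IKE)
"135:TCP"= 135:TCP:RPC Endpoint Mapper and DCOM infrastructure
"15716:TCP"= 15716:TCP:*:Disabled:spport
"13226:TCP"= 13226:TCP:*:Disabled:spport
"5985:TCP"= 5985:TCP:Windows Remote Management
.
"""

# Section header suffix ComboFix prints for the XP firewall port exceptions.
SECTION_MARK = "GloballyOpenPorts\\List]"
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"=\s*(?P<value>.+?)\s*$')

# Assumed baseline: exceptions Windows XP SP2/SP3 registers on its own
# (RPC/DCOM, IPsec IKE, Remote Desktop, WinRM). Anything else is reported.
BASELINE = {("135", "TCP"), ("500", "UDP"), ("4500", "UDP"),
            ("3389", "TCP"), ("5985", "TCP")}


@dataclass
class PortException:
    port: str
    proto: str
    scope: str   # "*" means any remote address
    mode: str    # "Enabled" or "Disabled"
    name: str    # display name, or a resource string like @xpsp2res.dll,-22009

    @property
    def key(self) -> Tuple[str, str]:
        return (self.port, self.proto)


def parse_port_exceptions(log_text: str) -> List[PortException]:
    """Return the port exceptions listed under the GloballyOpenPorts header."""
    found: List[PortException] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.endswith(SECTION_MARK)
            continue
        if not in_section:
            continue
        if line in ("", "."):          # ComboFix closes each section with a lone "."
            in_section = False
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        fields = m.group("value").split(":")
        if len(fields) < 3:
            continue
        port, proto = fields[0], fields[1].upper()
        if len(fields) >= 5 and fields[3] in ("Enabled", "Disabled"):
            scope, mode, name = fields[2], fields[3], ":".join(fields[4:])
        else:
            # Assumption: ComboFix drops "*:Enabled" for ordinary enabled rules.
            scope, mode, name = "*", "Enabled", ":".join(fields[2:])
        found.append(PortException(port, proto, scope, mode, name))
    return found


def triage(entries: List[PortException]) -> List[PortException]:
    """Port exceptions that are not part of the assumed Windows baseline."""
    return [e for e in entries if e.key not in BASELINE]


def report(log_text: str) -> List[str]:
    """One human-readable line per non-baseline exception, for the reply to the user."""
    return [f"{e.port}/{e.proto} scope={e.scope} {e.mode} name={e.name!r}: ask who added this"
            for e in triage(parse_port_exceptions(log_text))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Disabled exceptions are inert, but the script reports them anyway: a leftover rule named after software no longer on the machine is exactly the kind of entry the helper asks the user to explain, and the enabled ones (3389 for Remote Desktop, 5985 for WinRM) are worth confirming against what the owner actually uses, as happens in the next reply.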


#14 gjbnc

gjbnc
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:02:49 PM

Posted 20 January 2012 - 11:46 AM

sempai,

It was my primary box until I bought a Windows 7 box a year ago. Now, I use Remote Desktop to access this box so I do not need to keep a monitor/kbd/mouse on it. It also was used to access the VPN network at my office but I do not need that any more.

#15 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:49 AM

Posted 20 January 2012 - 09:30 PM

Thanks, we can leave them alone then.


We need to execute a ComboFix script.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy-paste the text in the code box below into it:

File::
c:\windows\system32\dllcache\OLD6DD.tmp
c:\windows\system32\dllcache\OLD65F.tmp
c:\windows\system32\dllcache\OLD5AA.tmp
c:\windows\system32\dllcache\OLD4E0.tmp
c:\windows\system32\dllcache\OLD434.tmp
c:\windows\system32\dllcache\OLD342.tmp
c:\windows\system32\dllcache\OLD2C8.tmp
c:\windows\system32\dllcache\OLD1F2.tmp
c:\windows\system32\dllcache\OLD115.tmp
c:\windows\system32\dllcache\OLDC0.tmp
c:\windows\system32\dllcache\OLDBD.tmp
c:\windows\system32\dllcache\OLDBA.tmp
c:\windows\system32\dllcache\OLDB4.tmp
c:\windows\system32\dllcache\OLDB7.tmp
c:\windows\system32\dllcache\OLDAF.tmp
c:\windows\system32\dllcache\OLDB1.tmp
c:\windows\system32\dllcache\OLD97FC.tmp
c:\windows\system32\dllcache\OLD2C1B.tmp
c:\windows\system32\dllcache\OLD2C4A.tmp
c:\windows\system32\dllcache\OLD2B3F.tmp
c:\windows\system32\dllcache\OLD16.tmp
c:\windows\system32\dllcache\OLD13.tmp
c:\windows\system32\dllcache\OLD10.tmp
c:\windows\system32\dllcache\OLDD.tmp
c:\windows\system32\dllcache\OLDA.tmp
c:\docume~1\jerry\locals~1\temp\cpuz130\cpuz_x32.sys

Driver::
cpuz130

4. Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp


