
Trouble with removing "System Check"


This topic is locked
34 replies to this topic

#1 hungry-boy

hungry-boy

  • Members
  • 26 posts

Posted 03 February 2012 - 10:19 AM

I've been infected with 'System Check' for nearly a week, and failed to remove it by following online guides.

I've entered the false key-code to have it return access to my files, ran tdss killer (finds nothing), Trojan Killer (found things I tried to manually remove, as removal was not part of the free trial), Malwarebytes Anti-Malware (keeps finding and removing two files which seem to regenerate), Spyware Doctor (now finds nothing) and Windows defender (now finds nothing).

I cannot enter safe mode.

I've renamed a few files (on advice from an on-line guide) from e.g. 'xx1' to 'renamexx1'.

Symptoms seem intermittent, and I've tried to avoid being connected to the internet since the problem began. Sometimes Internet Explorer starts at start up, and the wrong pages load on browsing.

Not being able to enter safe mode is the most consistent problem.

Any advice would be greatly appreciated, as I've clearly not been able to sort this out on my own. Thanks.




.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by Compaq_Owner at 12:22:58 on 2012-02-03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.381 [GMT 0:00]
.
AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Immunet Protect *Enabled/Updated* {F1220F1F-7E2E-48CD-846D-B98C6F85CD37}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Tablet\Pen\Pen_TouchService.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Immunet Protect\2.0.17\agent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools Security\pctsAuxs.exe
C:\Program Files\PC Tools Security\pctsSvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\PC Tools Security\pctsGui.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Program Files\Immunet Protect\2.0.17\iptray.exe
C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Radio Downloader\Radio Downloader.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=presario&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=presario&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\compaq_owner\local settings\application data\oyabjgdi\wfncrigj.exe,
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Radio Downloader] "c:\program files\radio downloader\Radio Downloader.exe" /hidemainwindow
uRun: [0lK3vthPZh7qWO] c:\documents and settings\all users\application data\0lK3vthPZh7qWO.exe
uRun: [WfnCrigj] c:\documents and settings\compaq_owner\local settings\application data\oyabjgdi\wfncrigj.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [VTTimer] VTTimer.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [Immunet Protect] "c:\program files\immunet protect\2.0.17\iptray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [BambooCore] c:\program files\bamboo dock\BambooCore.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [WfnCrigj] c:\windows\system32\config\systemprofile\local settings\application data\oyabjgdi\wfncrigj.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\documents and settings\compaq_owner\start menu\programs\startup\renamedesktop.ini
StartupFolder: c:\documents and settings\compaq_owner\start menu\programs\startup\wfncrigj.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\compaq_owner\application data\mozilla\firefox\profiles\aoa6aqfk.default\
FF - component: c:\documents and settings\compaq_owner\application data\mozilla\firefox\profiles\aoa6aqfk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\compaq_owner\application data\mozilla\firefox\profiles\aoa6aqfk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-3-9 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-3-9 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-3-9 656320]
R1 ImmunetProtectDriver;ImmunetProtectDriver;c:\windows\system32\drivers\ImmunetProtect.sys [2011-3-9 41424]
R1 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver;c:\windows\system32\drivers\ImmunetSelfProtect.sys [2011-3-9 31184]
R2 ImmunetProtect;Immunet Protect;c:\program files\immunet protect\2.0.17\agent.exe [2011-3-9 756680]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-3-9 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-3-9 1150936]
R2 TabletServicePen;TabletServicePen;c:\program files\tablet\pen\Pen_Tablet.exe [2011-5-5 4869488]
R2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\tablet\pen\Pen_TouchService.exe [2011-5-5 416112]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 PRISM_A00;Intersil PRISM 802.11a/g Driver;c:\windows\system32\drivers\PCTELSAP.SYS [2004-1-2 350282]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\compaq~1\locals~1\temp\eqpuwdfi.sys --> c:\docume~1\compaq~1\locals~1\temp\eqpuwdfi.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-9 136176]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2012-1-21 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2012-1-21 8456]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2011-3-9 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-9 136176]
S3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\drivers\gtkdrv.sys [2012-1-4 16128]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2011-5-5 16240]
.
=============== Created Last 30 ================
.
2012-02-02 22:31:16 -------- d-----w- c:\documents and settings\compaq_owner\local settings\application data\oyabjgdi
2012-02-02 13:02:27 6557240 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{ecb25127-469a-4164-868d-98e8dc6214fd}\mpengine.dll
2012-02-01 22:18:52 -------- d-----w- c:\documents and settings\compaq_owner\application data\Malwarebytes
2012-02-01 22:07:25 840 ----a-w- c:\documents and settings\all users\application data\renameqgvmaaa.tmp
2012-02-01 22:02:10 836 ----a-w- c:\documents and settings\all users\application data\renamergvmaaa.tmp
2012-02-01 21:19:05 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-02-01 21:19:01 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-01 21:19:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-01 19:09:58 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-01-21 17:33:07 2469760 ----a-w- c:\windows\system32\BootMan.exe
2012-01-21 17:33:07 19840 ----a-w- c:\windows\system32\EuEpmGdi.dll
2012-01-21 17:33:05 13192 ----a-w- c:\windows\system32\epmntdrv.sys
2012-01-21 17:32:08 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2012-01-21 17:32:08 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2012-01-21 17:31:29 -------- d-----w- c:\program files\EASEUS
2012-01-21 15:39:59 -------- d-----w- c:\program files\SDA
2012-01-21 15:38:49 -------- d-----w- c:\documents and settings\compaq_owner\local settings\application data\Downloaded Installations
2012-01-07 13:01:50 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-07 13:01:50 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-07 13:01:50 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-07 13:01:49 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-04 14:28:36 16128 ----a-w- c:\windows\system32\drivers\gtkdrv.sys
.
==================== Find3M ====================
.
2011-12-13 10:33:27 255352 ----a-w- c:\windows\system32\awrdscdc.ax
2011-12-07 10:08:58 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-20 09:35:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
.
============= FINISH: 12:24:44.88 ===============




Attached File  ark.txt   63.27KB   1 downloads
Attached File  attach.txt   13.07KB   1 downloads
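The DDS autostart entries above are what a responder reads first. As an added example (not part of this post, and not code from DDS or ComboFix), the following Python triage applies the checks a malware responder makes by eye: a Winlogon Userinit value listing more than userinit.exe, Run-key and Startup-folder targets living in user-writable profile or Temp directories under random-looking names, and a service whose binary sits in Temp with a misspelled "Microsoft" display name. The sample lines are copied from the log in this post; the heuristics and the vowel-ratio threshold are my own assumptions, not DDS rules.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: autostart/service lines copied from the DDS log in post #1,
# plus the benign WinDefend service line for contrast.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\compaq_owner\local settings\application data\oyabjgdi\wfncrigj.exe,
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [0lK3vthPZh7qWO] c:\documents and settings\all users\application data\0lK3vthPZh7qWO.exe
uRun: [WfnCrigj] c:\documents and settings\compaq_owner\local settings\application data\oyabjgdi\wfncrigj.exe
dRun: [WfnCrigj] c:\windows\system32\config\systemprofile\local settings\application data\oyabjgdi\wfncrigj.exe
StartupFolder: c:\documents and settings\compaq_owner\start menu\programs\startup\wfncrigj.exe
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\compaq~1\locals~1\temp\eqpuwdfi.sys --> c:\docume~1\compaq~1\locals~1\temp\eqpuwdfi.sys [?]
"""

# Directories the infected user account (and so the malware) can write to;
# legitimate autostarts normally live under Program Files or the Windows tree.
USER_WRITABLE_DIRS = ("\\local settings\\application data\\", "\\application data\\", "\\temp\\")


@dataclass
class Finding:
    kind: str                 # "Userinit", "uRun", "dRun", "StartupFolder", "R4", ...
    name: str                 # registry value name, service name or file name
    path: str
    reasons: list[str] = field(default_factory=list)


def extract_path(command: str) -> str:
    """Return the executable path from a Run value, dropping quotes and switches."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return re.split(r"\s+[-/]", command, maxsplit=1)[0]


def looks_random(filename: str) -> bool:
    """Generated dropper names are vowel-poor or mix digits with both letter cases (assumed heuristic)."""
    stem = re.sub(r"\.\w+$", "", filename)
    if len(stem) < 6:
        return False
    vowel_ratio = sum(c in "aeiou" for c in stem.lower()) / len(stem)
    mixed = bool(re.search(r"\d", stem)) and stem not in (stem.lower(), stem.upper())
    return vowel_ratio < 0.2 or mixed


def autostart_reasons(path: str) -> list[str]:
    """Heuristics for a Run-key target; an empty list means the entry is unremarkable."""
    reasons = []
    if any(d in path.lower() for d in USER_WRITABLE_DIRS):
        reasons.append("runs from a user-writable directory")
    if looks_random(path.rsplit("\\", 1)[-1]):
        reasons.append("random-looking file name")
    return reasons


def extra_userinit_entries(value: str) -> list[str]:
    """Winlogon\\Userinit should list only userinit.exe; anything else runs at every logon."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\system32\\userinit.exe")]


def triage_dds(log: str) -> list[Finding]:
    """Walk DDS autostart and service lines and collect the ones a responder should question."""
    findings: list[Finding] = []
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        if m := re.match(r"mWinlogon:\s*Userinit=(.*)", line, re.I):
            for extra in extra_userinit_entries(m.group(1)):
                findings.append(Finding("Userinit", "Userinit", extra,
                                        ["extra executable chained after userinit.exe"]))
        elif m := re.match(r"([umd]Run):\s*\[([^\]]+)\]\s*(.+)", line):
            kind, name, command = m.groups()
            path = extract_path(command)
            if reasons := autostart_reasons(path):
                findings.append(Finding(kind, name, path, reasons))
        elif m := re.match(r"StartupFolder:\s*(.+)", line):
            path = m.group(1).strip()
            if path.lower().endswith(".exe"):
                reasons = ["executable in Startup folder"]
                if looks_random(path.rsplit("\\", 1)[-1]):
                    reasons.append("random-looking file name")
                findings.append(Finding("StartupFolder", path.rsplit("\\", 1)[-1], path, reasons))
        elif m := re.match(r"([RS]\d)\s+([^;]+);([^;]*);(.+)", line):
            kind, name, display, rest = m.groups()
            path = rest.split(" --> ")[0].strip()
            reasons = []
            if "\\temp\\" in path.lower():
                reasons.append("service binary lives in a Temp directory")
            if rest.rstrip().endswith("[?]"):          # DDS prints [?] when it cannot stat the file
                reasons.append("DDS could not read the file's size or date")
            if re.search(r"mic\w*soft", display, re.I) and "microsoft" not in display.lower():
                reasons.append("display name imitates Microsoft with a misspelling")
            if reasons:
                findings.append(Finding(kind, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"{f.kind:<14}{f.name:<28}{'; '.join(f.reasons)}")
```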



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Location:Puerto Rico

Posted 04 February 2012 - 01:36 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 hungry-boy

hungry-boy
  • Topic Starter

  • Members
  • 26 posts

Posted 04 February 2012 - 06:18 AM

Hi Gringo.

The PC now cannot access this website or the download links for ComboFix.

I got it from CNET though, and will run it now unless anyone says not to in the next hour or so. I may struggle to post the log.

(Excuse typing - using a Wii.)
Thanks.

#4 hungry-boy

hungry-boy
  • Topic Starter

  • Members
  • 26 posts

Posted 04 February 2012 - 07:35 AM

It said:

10 08 09.03

ComboFix has expired, so must run in reduced functionality mode.

I clicked 'yes' but ComboFix then disappeared. I have not touched the PC since, in case ComboFix is doing something I cannot see.

Update - I went to restart ComboFix, and it has gone. It is still listed as a recent download, but not available.

Not sure if I got something wrong, but will wait for advice now.

PS - when turning off the anti-spyware I noticed a 'renamestartup' folder I had renamed due to its association with System Check listed as a programme to be launched on start-up, so I unchecked it.

Thanks

#5 hungry-boy

hungry-boy
  • Topic Starter

  • Members
  • 26 posts

Posted 04 February 2012 - 10:00 AM

Now had a family emergency, which means I may not be able to reply for a while. Sorry.

Will just turn the PC off.

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Location:Puerto Rico

Posted 04 February 2012 - 12:20 PM

Hello

I would like you to download an updated version of combofix.

update combofix

download a new one from here

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.
"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#7 hungry-boy

hungry-boy
  • Topic Starter

  • Members
  • 26 posts

Posted 06 February 2012 - 06:42 PM

Thanks gringo.

I'm away from my PC right now, but as I have had trouble accessing certain sites/files on my infected PC, I thought that I could d/l ComboFix here, burn it to CD, and move it on to the infected PC that way.

Would that be okay?

Are there any other files you would suggest I d/l now, to move on to cd prior to returning home?

Ta.

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Location:Puerto Rico

Posted 06 February 2012 - 08:18 PM

We will start with that for now.


gringo

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Location:Puerto Rico

Posted 09 February 2012 - 12:10 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#10 hungry-boy

hungry-boy
  • Topic Starter

  • Members
  • 26 posts

Posted 10 February 2012 - 02:14 PM

Hi there. I'm afraid that I'm away from my PC, so cannot move forward with this. We've had a family emergency, but hopefully it will be over by next week. Ta.

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:35 PM

Posted 10 February 2012 - 03:07 PM

If this gets closed then just send me a pm when you are ready and I will open it up


gringo

#12 hungry-boy

hungry-boy
  • Topic Starter

  • Members
  • 26 posts

Posted 14 February 2012 - 06:04 AM

Thanks Gringo.

I got ComboFix to run fine this time. (I've just noticed that my Explorer bookmarks are now missing, but that's a little thing.)

Here is the log:



ComboFix 12-02-10.03 - Compaq_Owner 14/02/2012 10:38:32.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.577 [GMT 0:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: Immunet Protect *Disabled/Updated* {F1220F1F-7E2E-48CD-846D-B98C6F85CD37}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\renameqgvmaaa.tmp
c:\documents and settings\All Users\Application Data\renamergvmaaa.tmp
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\atolomcl.log
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\dpmawbip.log
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\kvsjoudi.log
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\mrjdbwho.log
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\oyabjgdi\wfncrigj.exe
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\qdcsgdem.log
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\vuebgbei.log
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\xgrfufru.log
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\ywysqfyr.log
c:\documents and settings\Compaq_Owner\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\windows\expl.dat
c:\windows\system32\config\systemprofile\Local Settings\Application Data\xgrfufru.log
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\ps2.bat
c:\windows\system32\SETBF.tmp
c:\windows\system32\SETC4.tmp
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
D:\Autorun.inf
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2012-01-14 to 2012-02-14 )))))))))))))))))))))))))))))))
.
.
2012-02-03 15:17 . 2012-01-06 04:19 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{228BC623-D100-40B7-B81B-54C13B8C5084}\mpengine.dll
2012-02-02 22:31 . 2012-02-14 10:52 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\oyabjgdi
2012-02-02 12:54 . 2012-02-02 12:54 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\oyabjgdi
2012-02-01 22:18 . 2012-02-01 22:18 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2012-02-01 21:19 . 2012-02-01 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-01 21:19 . 2012-02-01 21:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-01 21:19 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-01 20:45 . 2012-02-01 20:45 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Identities
2012-02-01 19:11 . 2012-02-01 19:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-02-01 19:11 . 2012-02-01 19:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-02-01 19:09 . 2012-02-01 19:32 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-02-01 16:49 . 2012-02-14 10:46 -------- d-----w- c:\documents and settings\Administrator
2012-01-21 17:33 . 2011-09-09 18:23 2469760 ----a-w- c:\windows\system32\BootMan.exe
2012-01-21 17:33 . 2011-07-29 13:54 19840 ----a-w- c:\windows\system32\EuEpmGdi.dll
2012-01-21 17:33 . 2011-07-29 13:54 13192 ----a-w- c:\windows\system32\epmntdrv.sys
2012-01-21 17:32 . 2011-07-29 13:54 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2012-01-21 17:32 . 2011-07-29 13:54 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2012-01-21 17:31 . 2012-01-21 17:31 -------- d-----w- c:\program files\EASEUS
2012-01-21 15:39 . 2012-01-21 15:39 -------- d-----w- c:\program files\SDA
2012-01-21 15:38 . 2012-01-21 15:38 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Downloaded Installations
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-27 00:21 . 2011-03-09 00:42 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-06 04:19 . 2011-03-09 00:42 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-01-04 14:28 . 2012-01-04 14:28 16128 ----a-w- c:\windows\system32\drivers\gtkdrv.sys
2011-12-13 10:33 . 2011-12-13 10:33 255352 ----a-w- c:\windows\system32\awrdscdc.ax
2011-11-25 21:57 . 2005-01-01 21:27 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2005-01-01 21:27 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-20 09:35 . 2011-05-29 10:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-18 12:35 . 2005-01-01 21:26 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2005-01-01 21:27 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2005-01-01 21:26 152064 ----a-w- c:\windows\system32\schannel.dll
2012-01-07 13:01 . 2011-05-07 14:45 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-09 00:09 . 2011-03-09 11:44 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . BC8840F2D09BCDF8F6914D6592E30CFD . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
.
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 . BB4F48CC2920A1BC7DA7F2BA3977D2A3 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[7] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe
.
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 . AC7D8BCD4279A25765E099885E792CDD . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-09 39408]
"Radio Downloader"="c:\program files\Radio Downloader\Radio Downloader.exe" [2011-11-19 517032]
"WfnCrigj"="c:\documents and settings\Compaq_Owner\Local Settings\Application Data\oyabjgdi\wfncrigj.exe" [2012-02-14 98240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-09-29 4603904]
"nwiz"="nwiz.exe" [2004-09-29 921600]
"SiSPower"="SiSPower.dll" [2004-09-24 49152]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"SoundMan"="SOUNDMAN.EXE" [2004-07-29 77824]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-29 2551808]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"Immunet Protect"="c:\program files\Immunet Protect\2.0.17\iptray.exe" [2011-03-09 2615624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
wfncrigj.exe [2012-2-1 98240]
.
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
wfncrigj.exe [2012-2-1 98240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Compaq_Owner\Local Settings\Application Data\oyabjgdi\wfncrigj.exe"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^renamedesktop.ini]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\renamedesktop.ini
backup=c:\windows\pss\renamedesktop.iniStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2011-03-09 00:10 126976 ----a-w- c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Compaq_Owner\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R1 ImmunetProtectDriver;ImmunetProtectDriver;c:\windows\system32\drivers\ImmunetProtect.sys [09/03/2011 00:10 41424]
R1 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver;c:\windows\system32\drivers\ImmunetSelfProtect.sys [09/03/2011 00:11 31184]
R2 ImmunetProtect;Immunet Protect;c:\program files\Immunet Protect\2.0.17\agent.exe [09/03/2011 00:10 756680]
R2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [05/05/2011 16:31 4869488]
R2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [05/05/2011 16:32 416112]
R3 PRISM_A00;Intersil PRISM 802.11a/g Driver;c:\windows\system32\drivers\PCTELSAP.SYS [02/01/2004 00:04 350282]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [09/03/2011 00:10 136176]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [21/01/2012 17:33 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [21/01/2012 17:32 8456]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [09/03/2011 00:09 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [09/03/2011 00:10 136176]
S3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\drivers\gtkdrv.sys [04/01/2012 14:28 16128]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [05/05/2011 16:31 16240]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan sysagent
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:57]
.
2012-02-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-03-09 13:10]
.
2012-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 00:10]
.
2012-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-09 00:10]
.
2004-01-01 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-01-01 00:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\aoa6aqfk.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-0lK3vthPZh7qWO - c:\documents and settings\All Users\Application Data\0lK3vthPZh7qWO.exe
HKLM-Run-VTTimer - VTTimer.exe
HKLM-Run-BambooCore - c:\program files\Bamboo Dock\BambooCore.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-14 10:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,14,15,3b,81,ed,8b,48,b2,af,07,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,14,15,3b,81,ed,8b,48,b2,af,07,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"="c:\\PROGRA~1\\Google\\GOOGLE~3\\GOEC62~1.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2116)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSENG.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Tablet\Pen\Pen_TouchUser.exe
c:\program files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Tablet\Pen\Pen_TabletUser.exe
c:\windows\system32\rundll32.exe
c:\windows\AGRSMMSG.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-02-14 10:58:42 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-14 10:58
.
Pre-Run: 37,234,671,616 bytes free
Post-Run: 40,196,939,776 bytes free
.
- - End Of File - - FC5E79A5EF32AED110FFACF419364B33

#13 gringo_pr
Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:35 PM

Posted 14 February 2012 - 10:45 AM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
explorer.*
svchost.* 
winlogon.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
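The three names gringo asks SystemLook to find (explorer.*, svchost.*, winlogon.*) are exactly the binaries whose in-place copies ComboFix's Sigcheck block above reports with a different MD5 and size from the ServicePackFiles copy of the same version. As an added illustration (not SystemLook, not ComboFix, and not part of this thread), the Python script below parses that Sigcheck block and flags each in-place copy whose MD5 or size differs from its reference copy; it also includes a fingerprint helper so the same comparison can be repeated against files on a live disk. The nine log lines are copied from the log above; the regex, the function names and the reference/in-place classification by path are this example's own assumptions, and the meaning of the leading bracket field is left uninterpreted.

```python
import hashlib
import re

# The Sigcheck block as ComboFix printed it in the log above (copied from the
# page). Reference copies live under ServicePackFiles; the copies actually
# loaded at boot live under system32 or the Windows directory.
SIGCHECK_LOG = r"""
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . BC8840F2D09BCDF8F6914D6592E30CFD . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 . BB4F48CC2920A1BC7DA7F2BA3977D2A3 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[7] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 . AC7D8BCD4279A25765E099885E792CDD . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
"""

# Assumed line layout: [flag] date . MD5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["path"] = e["path"].lower()
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        entries.append(e)
    return entries


def is_reference(entry):
    """Service Pack cache copy: the pristine version to compare against."""
    return "\\servicepackfiles\\" in entry["path"]


def is_in_place(entry):
    """Copy that Windows actually loads (not the SP cache, not the SP uninstall backup)."""
    return not is_reference(entry) and "$ntservicepackuninstall$" not in entry["path"]


def find_mismatches(entries):
    """Pair each in-place binary with the reference copy of the same name and
    version string; report every pair whose MD5 or size differs."""
    refs = {(e["name"], e["ver"]): e for e in entries if is_reference(e)}
    findings = []
    for e in entries:
        if not is_in_place(e):
            continue
        ref = refs.get((e["name"], e["ver"]))
        if ref is None:
            continue  # no same-version reference copy to compare against
        if e["md5"] != ref["md5"] or e["size"] != ref["size"]:
            findings.append({
                "name": e["name"], "path": e["path"], "md5": e["md5"], "size": e["size"],
                "ref_path": ref["path"], "ref_md5": ref["md5"], "ref_size": ref["size"],
            })
    return findings


def file_fingerprint(path):
    """MD5 and byte size of a file on disk, in the form Sigcheck reports them,
    so the same comparison can be run against a live system."""
    h = hashlib.md5()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest().upper(), size


if __name__ == "__main__":
    for f in find_mismatches(parse_sigcheck(SIGCHECK_LOG)):
        print(f"{f['name']}: {f['path']} is {f['size']} bytes / {f['md5']}, "
              f"reference {f['ref_path']} is {f['ref_size']} bytes / {f['ref_md5']}")
```

Run against the log above it reports all three files. A size difference between the loaded copy and the same-version cache copy is the detail worth acting on: the usual remediation is to replace the loaded copy from a clean source, which is what SystemLook's listing of every explorer.*, svchost.* and winlogon.* on the disk is meant to prepare for.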

#14 hungry-boy
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:04:35 PM

Posted 14 February 2012 - 01:00 PM

Hi gringo. I was able to access the site to d/l the programme. Now I cannot access BleepingComputer, and must use the Wii to post. I have the log but cannot post it.

Got a warning that the firewall was off, although it was supposed to be on.

I could hand-type bits of the log, but typing on the Wii is very slow. I already have some progs like TDSS Killer on the PC.

#15 gringo_pr
Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:35 PM

Posted 14 February 2012 - 05:54 PM

Is it only Bleeping that you cannot access? If that is the case, upload the file to mediafire.com and send me the link.