TechSpot

Computer shutting down when trying to run Avast!, MWB, and SAS

By Autumgurl
Sep 4, 2011
  1. Okay, I've scanned your posts and see similar problems, but with one difference.
     2 years ago I got an email that I thought was from my daughter, on a friend's computer, who happened to have the same name as the virus, Stephanie Adams. I saved the email because it said, "I love you mom" or "I miss you mom".
     Recently my son told my other daughter she had sent him spam. Assuming it must have gone to my email as well, I checked and there was this same email again. My youngest daughter then informed me this was one of her email accounts that her older sister did not have access to. I deleted both, but have been having real issues with this computer.
     I inserted the disc and restored the computer to its original state, then downloaded Avast!, MWB, and SAS. I followed the instructions and ran the scans in the order suggested. One took out 88 threats, the other 53, and the other 3. I still had problems so I tried to do it in safe mode (which I'm not comfortable with), but every time I try to run the scan the computer shuts down.
     I ran them again in normal mode and Avast! took out 3 threats, SAS 33. Tried running Avast! in safe mode and got a warning. It shows a large red X and says "Warning Unsecured, your system is not protected. Please use the fix button to start protecting your system." The one below says, "Urgent Avast! Service stopped. AV program has been stopped or is in an inconsistent state, please restart the program to resume protecting your system." I tried hitting the fix button and it wouldn't do anything, and the same happened when I hit the restart program button. So I tried scanning and this time, this particular program got 3/4 of the way through and shut down.
    I saw one of your posts that had a program to download, but you had to disable the other three first.
    In comes the big problem....I do not have administrator rights on this computer, therefore cannot disable the programs in order to download the program you recommended. I have tried contacting tech support but it's been two weeks, 4 phone calls and no reply.
    I'm not a computer guru but can get around okay. Is there anything I can do to get this, annoying, virus out of my computer? I had thought about using the disc again and starting over but am afraid of making a mistake.
    Oh, and when I used the disc and restored the computer, Spyware Blaster was still installed in the computer? My previous programs were SB, Spybot and AVG.
    Oh and where do I find my system specs? I always forget this.
    Thank you in advance.
     
  2. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Welcome aboard

    Why?
     
  3. Autumgurl

    Autumgurl TS Rookie Topic Starter Posts: 30

    Administrator rights

    I'm sorry, I meant to put that in there. My daughter uses this for online school. The last time we actually managed to talk to their tech support we were told to insert the disc they sent us to restore the computer. We've tried 4 times or so in the last two weeks to get a hold of someone but all I get is an answering machine and no return phone calls.
    We've run into this before with their tech support, but we never had a problem like this and were able to figure the other stuff out on our own. They were usually simple, like where to find things she needed to submit work, or the mail they had set up to send the work in wasn't working and they didn't want the work sent through email. I was able to get most things from her teachers. But this is a tough one and I just can't seem to get a hold of a person.
    My daughter is still able to do her work on our desktop, it just conflicts with work we need to get done. If it can't be done I may just mail the thing back to them with a letter, that might get a response.
    Anyway, thanks for your response, even if there is nothing you can do. It was worth a try. Tired of beating my head against the wall.
     
  4. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    I still don't understand.
    Is it your computer, or school's computer?
     
  5. Autumgurl

    Autumgurl TS Rookie Topic Starter Posts: 30

    Administrator rights

    The computer belongs to the school. That's why I've been trying to contact them. Posting this is just a last ditch effort. I've decided that if I don't hear from them by the end of the week, I am just sending a letter with the computer back to them. I don't know what else to do.
    I was feeling bad about sending it back with a virus, but if they would just call me I know we could fix this.
    The first year she was with this school, we had a similar problem, but not as bad. It took them a week to get back to us and we didn't have a second computer at that time, but at least they finally replied. So we'll see. I really didn't think you could do much since I don't actually own the computer, but I thought I'd at least give it a shot.
    I did run SAS in safe mode this morning and it ran all the way through, but found nothing. The minute I clicked on MWB, the computer shut down.
    I've made an effort, it's on them now.
     
  6. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please, observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  7. Autumgurl

    Autumgurl TS Rookie Topic Starter Posts: 30

    A few questions before I start

    Okay, before I get started: I'm thinking the anti-virus I downloaded was disabled at some point, as it will run like normal in normal mode, but when I try to run it in safe mode it tells me something is wrong with it and nothing happens when I click the buttons it tells me to. This computer also has Office Scan from Trend Micro; could that be causing conflicts?
    I had already downloaded MWB, but am not sure if I checked the two boxes for update and launch.
    Would it be better to put in the disc to restore the computer to its original state or not?
    Thank you.
     
  8. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    That must be your decision.
    Let me know.
     
  9. Autumgurl

    Autumgurl TS Rookie Topic Starter Posts: 30

    Logs

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Student at 18:17:05 on 2011-09-07
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2813.2250 [GMT -4:00]
    .
    AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {19369770-8059-4EC3-8084-1A3F64128496}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    svchost.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\TEMP\GY499A.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
    C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://schools.connectionsacademy.com/
    uDefault_Page_URL = hxxp://schools.connectionsacademy.com
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
    mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
    mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
    mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Name] c:\windows\system32\cas\msname.vbs
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
    mRun: [CARPService] carpserv.exe
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
    mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    uPolicies-explorer: NoNetConnectDisconnect = 1 (0x1)
    uPolicies-explorer: NoManageMyComputerVerb = 1 (0x1)
    uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
    uPolicies-explorer: NoStartMenuNetworkPlaces = 1 (0x1)
    uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
    uPolicies-explorer: NoCloseDragDropBands = 1 (0x1)
    uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
    uPolicies-explorer: NoLogoff = 1 (0x1)
    uPolicies-explorer: NoThemesTab = 1 (0x1)
    uPolicies-explorer: NoPropertiesMyDocuments = 1 (0x1)
    uPolicies-explorer: NoSetTaskbar = 1 (0x1)
    uPolicies-explorer: NoPropertiesRecycleBin = 1 (0x1)
    uPolicies-explorer: RestrictCpl = 1 (0x1)
    uPolicies-system: DisableChangePassword = 1 (0x1)
    uPolicies-system: DisableLockWorkstation = 1 (0x1)
    mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Trusted Zone: aim.com\www
    Trusted Zone: aol.com\iknowthat.school
    Trusted Zone: aolatschool.com\www
    Trusted Zone: atwola.com\ar
    Trusted Zone: atwola.com\www.ar
    Trusted Zone: brainpop.com\www
    Trusted Zone: connectionsacademy.com
    Trusted Zone: connectionsacademy.com\schools
    Trusted Zone: D
    Trusted Zone: edgate.com\www
    Trusted Zone: letsgolearn.com\www
    Trusted Zone: msnbc.com
    Trusted Zone: passport.net\login
    Trusted Zone: schoolnotes.com
    Trusted Zone: teacherweb.com
    Trusted Zone: worldbookonline.com\www
    Trusted Zone: connectionsacademy.com\schools
    DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxp://10.1.0.17:8180/officescan/ClientInstall/WinNTChk.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
    DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxp://10.1.0.65:8080/officescan/console/html/ClientInstall/setup.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxp://10.1.0.65:8080/officescan/console/html/root/AtxEnc.cab
    DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxp://10.1.0.17:8180/officescan/clientinstall/RemoveCtrl.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226096417281
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    TCP: DhcpNameServer = 192.168.2.1 204.186.110.76 216.144.187.37 216.144.187.199
    TCP: Interfaces\{6D304090-4CEA-4F39-9825-61439B592402} : DhcpNameServer = 10.1.5.101 10.1.5.102
    TCP: Interfaces\{B3093FAB-0A84-4C76-849D-C6CC479D0E3D} : DhcpNameServer = 192.168.2.1 204.186.110.76 216.144.187.37 216.144.187.199
    TCP: Interfaces\{B4AB9F22-46C9-4326-B049-87C9B783EB56} : DhcpNameServer = 192.168.254.1
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 69.7.71.11 www.limewire.com
    Hosts: 69.7.71.11 www.zango.com
    Hosts: 69.7.71.11 www.myspace.com
    .
    ============= SERVICES / DRIVERS =.
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/7/2007 10:01:23 PM
    System Uptime: 9/7/2011 6:05:13 PM (0 hours ago)
    .
    Motherboard: Hewlett-Packard | | 30E3
    Processor: AMD Turion(tm)X2 Ultra DualCore Mobile ZM-82 | Unknown | 2200/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 39 GiB total, 24.184 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP94: 9/7/2011 4:43:46 PM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    .
    Acrobat.com
    Adobe Acrobat Connect Add-in
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Presenter 6.2
    Adobe Reader 9.1
    Adobe Shockwave Player 11
    Agere Systems HDA Modem
    AMD Driver Support for HP 3D DriverGuard
    Application Installer 4.00.B6
    ATI Catalyst Control Center
    ATI Display Driver
    Broadcom 802.11 Wireless LAN Adapter
    Broadcom NetXtreme Ethernet Controller
    BufferChm
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization Czech
    Catalyst Control Center Localization Danish
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization Finnish
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Greek
    Catalyst Control Center Localization Hungarian
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Norwegian
    Catalyst Control Center Localization Polish
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Russian
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    Catalyst Control Center Localization Thai
    Catalyst Control Center Localization Turkish
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Compatibility Pack for the 2007 Office system
    Critical Update for Windows Media Player 11 (KB959772)
    CYBERsitter 10
    DeviceManagementQFolder
    Embedded Security for HP ProtectTools Driver
    HDAUDIO Soft Data Fax Modem with SmartCP
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    HP Help and Support
    HP Imaging Device Functions 7.0
    HP Integrated Module with Bluetooth wireless technology
    HP Notebook Accessories Product Tour
    HP PCMCIA Smart Card Reader
    HP Photosmart and Deskjet 7.0 Software
    HP Quick Launch Buttons 6.00 G2
    HP Update
    HP User Guides 0022
    HP Wireless Assistant 2.00 F1
    hph_software_req
    HpSdpAppCoreApp
    InterVideo DVD Check
    InterVideo Register Manager
    InterVideo WinDVD
    Java(TM) 6 Update 14
    Java(TM) 6 Update 5
     
  10. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Go on.....
     
  11. Autumgurl

    Autumgurl TS Rookie Topic Starter Posts: 30

    Logs

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7673

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    9/7/2011 6:04:08 PM
    mbam-log-2011-09-07 (18-04-08).txt

    Scan type: Quick scan
    Objects scanned: 187795
    Time elapsed: 5 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Value: NoFolderOptions -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer (PUM.Disable.MCProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-09-07 18:13:56
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9160411AS rev.HP15
    Running: kmp4cn56.exe; Driver: C:\DOCUME~1\Student\LOCALS~1\Temp\kflyakoc.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
    AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
    AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
    AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

    ---- EOF - GMER 1.0.15 ----
     
  12. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    I still need Attach.txt part of DDS.
     
  13. Autumgurl

    Autumgurl TS Rookie Topic Starter Posts: 30

    log

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/7/2007 10:01:23 PM
    System Uptime: 9/7/2011 7:13:39 PM (3 hours ago)
    .
    Motherboard: Hewlett-Packard | | 30E3
    Processor: AMD Turion(tm)X2 Ultra DualCore Mobile ZM-82 | Unknown | 2200/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 39 GiB total, 23.885 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP94: 9/7/2011 4:43:46 PM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    .
    Acrobat.com
    Adobe Acrobat Connect Add-in
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Presenter 6.2
    Adobe Reader 9.1
    Adobe Shockwave Player 11
    Agere Systems HDA Modem
    AMD Driver Support for HP 3D DriverGuard
    Application Installer 4.00.B6
    ATI Catalyst Control Center
    ATI Display Driver
    Broadcom 802.11 Wireless LAN Adapter
    Broadcom NetXtreme Ethernet Controller
    BufferChm
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization Czech
    Catalyst Control Center Localization Danish
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization Finnish
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Greek
    Catalyst Control Center Localization Hungarian
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Norwegian
    Catalyst Control Center Localization Polish
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Russian
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    Catalyst Control Center Localization Thai
    Catalyst Control Center Localization Turkish
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Compatibility Pack for the 2007 Office system
    Critical Update for Windows Media Player 11 (KB959772)
    CYBERsitter 10
    DeviceManagementQFolder
    Embedded Security for HP ProtectTools Driver
    HDAUDIO Soft Data Fax Modem with SmartCP
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    HP Help and Support
    HP Imaging Device Functions 7.0
    HP Integrated Module with Bluetooth wireless technology
    HP Notebook Accessories Product Tour
    HP PCMCIA Smart Card Reader
    HP Photosmart and Deskjet 7.0 Software
    HP Quick Launch Buttons 6.00 G2
    HP Update
    HP User Guides 0022
    HP Wireless Assistant 2.00 F1
    hph_software_req
    HpSdpAppCoreApp
    InterVideo DVD Check
    InterVideo Register Manager
    InterVideo WinDVD
    Java(TM) 6 Update 14
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1
    LightScribe 1.4.84.1
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 6.0 Parser (KB925673)
    SCR3xxx Smart Card Reader
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB969679)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Office Excel 2007 (KB969682)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office Word 2007 (KB969604)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Sonic Audio Module
    Sonic Copy Module
    Sonic Data Module
    Sonic DLA
    Sonic Express Labeler
    Sonic Update Manager
    SoundMAX
    Spelling Dictionaries Support For Adobe Reader 8
    SpywareBlaster 4.2
    Swiff Player 1.1
    Synaptics Pointing Device Driver
    Texas Instruments PCIxx21/x515/xx12 drivers.
    TIPCI
    Toolbox
    Trend Micro OfficeScan Client
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office Outlook 2007 (KB969907)
    Update for Outlook 2007 Junk Email Filter (kb970012)
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    WebFldrs XP
    Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    Windows XP Service Pack 3
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    9/7/2011 4:45:56 PM, error: Service Control Manager [7000] - The Communication Services service failed to start due to the following error: The system cannot find the file specified.
    .
    ==== End Of File ===========================
     
  14. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan:

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  15. Autumgurl

    Autumgurl TS Rookie Topic Starter Posts: 30

    slight problem

    I couldn't get anything done yesterday as I was under the weather. I completed the first step with no problem, but am trying to disable Micro. Not easy since I don't know the password, and again could not get anyone by phone. Just wanted to let you know I am working on it.
     
  16. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    OK....................
     
  17. Autumgurl

    Autumgurl TS Rookie Topic Starter Posts: 30

    Trend

    Looks like my only option is to run Combofix with Trend open. I don't want to delete a password, I only wanted to temporarily disable it but cannot safely figure that out.
     
  18. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    I still need aswMBR log.

    Run Combofix from safe mode.
     
  19. Autumgurl

    Autumgurl TS Rookie Topic Starter Posts: 30

    aswMBR log

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-09-08 16:32:33
    -----------------------------
    16:32:33.656 OS Version: Windows 5.1.2600 Service Pack 3
    16:32:33.656 Number of processors: 2 586 0x301
    16:32:33.656 ComputerName: CA-CNU9193LH1 UserName: Student
    16:32:34.140 Initialize success
    16:38:50.250 AVAST engine defs: 11090802
    16:39:31.000 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    16:39:31.062 Disk 0 Vendor: ST9160411AS HP15 Size: 152627MB BusType: 3
    16:39:33.187 Disk 0 MBR read successfully
    16:39:33.250 Disk 0 MBR scan
    16:39:33.328 Disk 0 unknown MBR code
    16:39:33.484 Disk 0 scanning sectors +117917100
    16:39:33.609 Disk 0 scanning C:\WINDOWS\system32\drivers
    16:40:10.218 Service scanning
    16:40:11.921 Modules scanning
    16:40:31.218 Disk 0 trace - called modules:
    16:40:31.515 KERNL1.EXE CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll Amddfltr.sys ACPI.sys atapi.sys pciide.sys PCIIDEX.SYS
    16:40:31.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8acb6ab8]
    16:40:31.750 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> [0x8ad23d58]
    16:40:31.890 5 hpdskflt.sys[f7508fe1] -> nt!IofCallDriver -> [0x8acb7a48]
    16:40:32.031 7 Amddfltr.sys[f77200b6] -> nt!IofCallDriver -> \Device\00000094[0x8acbd3b8]
    16:40:32.203 9 ACPI.sys[f743e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ad29940]
    16:40:35.937 AVAST engine scan C:\WINDOWS
    16:41:03.906 AVAST engine scan C:\WINDOWS\system32
    16:41:16.437 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Student\Desktop\MBR.dat"
    16:41:16.609 The log file has been saved successfully to "C:\Documents and Settings\Student\Desktop\aswMBR.txt"


    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-09-08 16:32:33
    -----------------------------
    16:32:33.656 OS Version: Windows 5.1.2600 Service Pack 3
    16:32:33.656 Number of processors: 2 586 0x301
    16:32:33.656 ComputerName: CA-CNU9193LH1 UserName: Student
    16:32:34.140 Initialize success
    16:38:50.250 AVAST engine defs: 11090802
    16:39:31.000 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    16:39:31.062 Disk 0 Vendor: ST9160411AS HP15 Size: 152627MB BusType: 3
    16:39:33.187 Disk 0 MBR read successfully
    16:39:33.250 Disk 0 MBR scan
    16:39:33.328 Disk 0 unknown MBR code
    16:39:33.484 Disk 0 scanning sectors +117917100
    16:39:33.609 Disk 0 scanning C:\WINDOWS\system32\drivers
    16:40:10.218 Service scanning
    16:40:11.921 Modules scanning
    16:40:31.218 Disk 0 trace - called modules:
    16:40:31.515 KERNL1.EXE CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll Amddfltr.sys ACPI.sys atapi.sys pciide.sys PCIIDEX.SYS
    16:40:31.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8acb6ab8]
    16:40:31.750 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> [0x8ad23d58]
    16:40:31.890 5 hpdskflt.sys[f7508fe1] -> nt!IofCallDriver -> [0x8acb7a48]
    16:40:32.031 7 Amddfltr.sys[f77200b6] -> nt!IofCallDriver -> \Device\00000094[0x8acbd3b8]
    16:40:32.203 9 ACPI.sys[f743e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ad29940]
    16:40:35.937 AVAST engine scan C:\WINDOWS
    16:41:03.906 AVAST engine scan C:\WINDOWS\system32
    16:41:16.437 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Student\Desktop\MBR.dat"
    16:46:27.437 AVAST engine scan C:\WINDOWS\system32\drivers
    16:47:23.906 AVAST engine scan C:\Documents and Settings\Student
    16:50:19.093 AVAST engine scan C:\Documents and Settings\All Users
    16:50:27.437 Scan finished successfully
    16:51:01.656 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Student\Desktop\MBR.dat"
    16:51:01.828 The log file has been saved successfully to "C:\Documents and Settings\Student\Desktop\aswMBR.txt"
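The aswMBR log above reads the boot sector, hashes and scans it, and keeps MBR.dat on the desktop as a copy; the earlier instruction not to delete that file is because a saved copy is what lets a later boot sector be compared against a known state. As an added example (not part of this thread and not aswMBR's own code), here is a small Python parser that shows what such a 512-byte copy contains and how a saved copy is used: it validates the 0x55AA boot signature, decodes the four partition-table entries, hashes the 440-byte boot-code area separately from the partition table, and reports when the boot code differs from a saved copy. The sample image and its tampered variant are constructed here and are not real disk images.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439: boot code, the region a bootkit would patch
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
BOOT_SIG_OFF = 510         # bytes 510..511 must be 0x55 0xAA
PART_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Return the non-empty entries of the partition table."""
    parts = []
    for i in range(4):
        status, type_id, lba, count = struct.unpack_from(PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if type_id != 0:
            parts.append(Partition(i, status == 0x80, type_id, lba, count))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 over the boot-code area only, so partition-table edits do not change it."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, known_good: Optional[bytes] = None) -> Dict[str, object]:
    """Sanity-check a 512-byte MBR image and, if a saved copy is given, compare boot code."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    findings: List[str] = []
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if sum(p.bootable for p in parts) != 1:
        findings.append("expected exactly one active partition")
    for p in parts:
        if p.lba_start == 0 or p.sectors == 0:
            findings.append(f"partition {p.index} has a zero start or length")
    if known_good is not None and boot_code_hash(mbr) != boot_code_hash(known_good):
        findings.append("boot code differs from saved copy")
    return {"partitions": parts, "boot_code_sha256": boot_code_hash(mbr), "findings": findings}


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code plus one active NTFS partition (not a real disk)."""
    mbr = bytearray(SECTOR)
    mbr[0:2] = b"\xeb\xfe"              # placeholder boot code ('jmp $'), not real loader code
    struct.pack_into(PART_FMT, mbr, PART_TABLE_OFF, 0x80, 0x07, 2048, 312_000_000)
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(mbr)


def tamper_boot_code(mbr: bytes) -> bytes:
    """Constructed 'after' image: same partition table, first bytes of boot code overwritten."""
    t = bytearray(mbr)
    t[0:4] = b"\x90\x90\x90\x90"
    return bytes(t)


SAMPLE_MBR = build_sample_mbr()
TAMPERED_MBR = tamper_boot_code(SAMPLE_MBR)

if __name__ == "__main__":
    print(check_mbr(SAMPLE_MBR))
    print(check_mbr(TAMPERED_MBR, known_good=SAMPLE_MBR)["findings"])
```

Run against a real MBR.dat the call would be `check_mbr(open("MBR.dat", "rb").read(), known_good=earlier_copy)`; note that the tampered image passes every structural check on its own and is only caught by the comparison, which is the point of keeping the copy.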
     
  20. Autumgurl

    Autumgurl TS Rookie Topic Starter Posts: 30

    ComboFix

    When I tried to run ComboFix the computer shut down part way through just as MWB did before I contacted you. Question...when I download a fresh one and rename it, still run it in safe mode after Rkill?
     
  21. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Yes...........
     
  22. Autumgurl

    Autumgurl TS Rookie Topic Starter Posts: 30

    Rkill

    Rkill failed, all 3 times
     
  23. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Just run Combofix.
     
  24. Autumgurl

    Autumgurl TS Rookie Topic Starter Posts: 30

    ComboFix Log

    This is the best I could get...


    ComboFix 11-09-09.04 - Student 09/10/2011 9:11.1.2 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2813.2550 [GMT -4:00]
    Running from: c:\documents and settings\Student\Desktop\Judy.exe
    AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {19369770-8059-4EC3-8084-1A3F64128496}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\admin\Local Settings\Application Data\ApplicationHistory
    c:\documents and settings\admin\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini
    c:\documents and settings\admin\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse
    c:\documents and settings\admin\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse
    c:\documents and settings\admin\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
    c:\documents and settings\admin\Local Settings\Application Data\ApplicationHistory\SL200.tmp.fea0b243.ini
    c:\documents and settings\admin\Local Settings\Application Data\ApplicationHistory\SLCD.tmp.985c2cc2.ini
    c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
    c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini
    c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse
    c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse
    c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
    c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL200.tmp.fea0b243.ini
    c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SLCD.tmp.985c2cc2.ini
    c:\documents and settings\Default User\Local Settings\Application Data\ApplicationHistory
    c:\documents and settings\Default User\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse
    c:\documents and settings\Default User\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse
    c:\documents and settings\Default User\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
    c:\documents and settings\Default User\Local Settings\Application Data\ApplicationHistory\SL200.tmp.fea0b243.ini
    c:\documents and settings\Default User\Local Settings\Application Data\ApplicationHistory\SLCD.tmp.985c2cc2.ini
    c:\documents and settings\Student\Local Settings\Application Data\ApplicationHistory
    c:\documents and settings\Student\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini
    c:\documents and settings\Student\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse
    c:\documents and settings\Student\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
    c:\documents and settings\Student\Local Settings\Application Data\ApplicationHistory\SL200.tmp.fea0b243.ini
    c:\documents and settings\Student\Local Settings\Application Data\ApplicationHistory\SLCD.tmp.985c2cc2.ini
    c:\documents and settings\Student\Local Settings\Application Data\ApplicationHistory\uccc.exe.8ab524e5.ini
    c:\windows\IMAGE.EXE.LOG
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-10 to 2011-09-10 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-10 03:28 . 2011-09-10 03:31 -------- d-----w- C:\Judy
    2011-09-08 12:36 . 2011-09-08 12:36 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
    2011-09-07 22:26 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2011-09-07 22:25 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2011-09-07 22:25 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2011-09-07 22:24 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2011-09-07 22:24 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2011-09-07 22:23 . 2010-08-27 08:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
    2011-09-07 22:23 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
    2011-09-07 22:22 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2011-09-07 22:18 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2011-09-07 22:18 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
    2011-09-07 22:09 . 2010-06-18 13:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2011-09-07 21:58 . 2011-06-23 18:36 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2011-09-07 21:56 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
    2011-09-07 21:55 . 2011-09-07 21:55 -------- d-----w- c:\documents and settings\Student\Application Data\Malwarebytes
    2011-09-07 21:55 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2011-09-07 21:55 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-09-07 21:55 . 2011-09-07 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-09-07 21:55 . 2011-09-07 21:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-07 21:55 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-03 10:17 . 2011-09-03 10:17 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-03 10:17 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-07-15 13:29 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02 . 2006-02-28 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-06-24 14:10 . 2004-08-04 08:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44 . 2006-02-28 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-31 122940]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]
    "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-03-28 454656]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 131072]
    "Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-04-21 40960]
    "WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
    "Name"="c:\windows\system32\cas\msname.vbs" [2003-03-24 603]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-12-11 710000]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-12-11 1044480]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword"= 1 (0x1)
    "DisableLockWorkstation"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood"= 1 (0x1)
    "NoNetConnectDisconnect"= 1 (0x1)
    "NoManageMyComputerVerb"= 1 (0x1)
    "NoSMBalloonTip"= 1 (0x1)
    "NoStartMenuNetworkPlaces"= 1 (0x1)
    "DisablePersonalDirChange"= 1 (0x1)
    "NoCloseDragDropBands"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)
    "NoLogoff"= 1 (0x1)
    "NoPropertiesMyDocuments"= 1 (0x1)
    "NoSetTaskbar"= 1 (0x1)
    "NoPropertiesRecycleBin"= 1 (0x1)
    "RestrictCpl"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    .
    R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [3/19/2009 7:27 PM 15416]
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/28/2008 10:14 AM 24064]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/21/2005 7:19 AM 44800]
    S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\caschools\Software\VCD\VCdRom.sys --> c:\caschools\Software\VCD\VCdRom.sys [?]
    S2 CCOMSVC;Communication Services;c:\windows\CComSvc.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc --> c:\windows\CComSvc.exe [?]
    S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [8/16/2008 3:00 AM 249424]
    S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [8/16/2008 3:00 AM 36432]
    S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [5/22/2008 2:33 PM 33024]
    S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [4/27/2007 9:35 PM 575064]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://schools.connectionsacademy.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: aim.com\www
    Trusted Zone: aol.com\iknowthat.school
    Trusted Zone: aolatschool.com\www
    Trusted Zone: atwola.com\ar
    Trusted Zone: atwola.com\www.ar
    Trusted Zone: brainpop.com\www
    Trusted Zone: connectionsacademy.com
    Trusted Zone: connectionsacademy.com\schools
    Trusted Zone: D
    Trusted Zone: edgate.com\www
    Trusted Zone: letsgolearn.com\www
    Trusted Zone: msnbc.com
    Trusted Zone: passport.net\login
    Trusted Zone: schoolnotes.com
    Trusted Zone: teacherweb.com
    Trusted Zone: worldbookonline.com\www
    Trusted Zone: connectionsacademy.com\schools
    TCP: DhcpNameServer = 192.168.2.1 204.186.110.76 216.144.187.37 216.144.187.199
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-DrvLsnr - c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe
    HKLM-Run-IgfxTray - c:\windows\System32\igfxtray.exe
    HKLM-Run-HotKeysCmds - c:\windows\System32\hkcmd.exe
    HKLM-Run-HPDJ Taskbar Utility - c:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe
    HKLM-Run-CARPService - carpserv.exe
    AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-10 09:26
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????,?@? ????\??????R?@?????,?@
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CCOMSVC]
    "ImagePath"="c:\windows\CComSvc.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(260)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2011-09-10 09:30:50
    ComboFix-quarantined-files.txt 2011-09-10 13:30
    .
    Pre-Run: 26,409,934,848 bytes free
    Post-Run: 26,999,697,408 bytes free
    .
    - - End Of File - - 10F2B048DAFE201265FDD1D0AEEB2294
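Two parts of the logs in this thread fit together: the ComboFix service section lists CCOMSVC with its image path marked `--> c:\windows\CComSvc.exe [?]`, and the Event Viewer line in the earlier log shows Service Control Manager event 7000 for the same "Communication Services" service failing to start because the file cannot be found. As an added example (not from this thread and not ComboFix's own code), here is a Python triage script that parses service lines in the format ComboFix prints, marks entries whose image file was not found (reading `[?]` as "file missing" is our interpretation of the log, not a documented ComboFix contract), and correlates them with SCM 7000 events. The sample lines are copied from the logs above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set

# Service line as ComboFix prints it: "<R|S><start type> <name>;<display name>;<image> [<date> <size>]"
# or, when the path was resolved, "... <image> --> <resolved path> [?]".  R/S = running/stopped,
# digit = start type.  Treating "[?]" as "file not found" is our reading of the log.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)(?:\s+-->\s+(?P<resolved>.*?))?\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# Event Viewer line as DDS prints it: SCM event 7000 names the service that failed to start.
EVENT_7000_RE = re.compile(r"Service Control Manager \[7000\] - The (?P<display>.+?) service failed to start")

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}


@dataclass
class Service:
    name: str
    display: str
    running: bool
    start_type: str
    image: str
    file_found: bool
    notes: List[str] = field(default_factory=list)


def parse_services(lines: List[str]) -> List[Service]:
    """Parse ComboFix service lines; lines that do not match the format are skipped."""
    services = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state = m["state"]
        services.append(Service(
            name=m["name"], display=m["display"],
            running=state[0] == "R", start_type=START_TYPES[state[1]],
            image=(m["resolved"] or m["image"]).strip(),
            file_found=m["meta"] != "?",
        ))
    return services


def failed_services_from_events(lines: List[str]) -> Set[str]:
    """Display names of services that SCM reported as failing to start."""
    failed = set()
    for line in lines:
        m = EVENT_7000_RE.search(line)
        if m:
            failed.add(m["display"])
    return failed


def triage(service_lines: List[str], event_lines: List[str]) -> List[Service]:
    """Return only the services with at least one note worth a helper's attention."""
    failed = failed_services_from_events(event_lines)
    flagged = []
    for svc in parse_services(service_lines):
        if not svc.file_found:
            svc.notes.append("image file not found on disk")
        if svc.display in failed:
            svc.notes.append("SCM event 7000: failed to start")
        if svc.start_type in ("boot", "system", "auto") and not svc.file_found:
            svc.notes.append("auto-start entry left pointing at a removed binary")
        if svc.notes:
            flagged.append(svc)
    return flagged


# Sample input: service lines and the Event Viewer line copied from the logs in this thread.
SAMPLE_SERVICE_LINES = [
    r"R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [3/19/2009 7:27 PM 15416]",
    r"R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/21/2005 7:19 AM 44800]",
    r"S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\caschools\Software\VCD\VCdRom.sys --> c:\caschools\Software\VCD\VCdRom.sys [?]",
    r"S2 CCOMSVC;Communication Services;c:\windows\CComSvc.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc --> c:\windows\CComSvc.exe [?]",
    r"S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [8/16/2008 3:00 AM 249424]",
]
SAMPLE_EVENT_LINES = [
    "9/7/2011 4:45:56 PM, error: Service Control Manager [7000] - The Communication Services service failed to start "
    "due to the following error: The system cannot find the file specified.",
]

if __name__ == "__main__":
    for svc in triage(SAMPLE_SERVICE_LINES, SAMPLE_EVENT_LINES):
        print(f"{svc.name} ({svc.start_type}, {'running' if svc.running else 'stopped'}): {svc.image}")
        for note in svc.notes:
            print("   -", note)
```

A service registration whose binary is gone but whose auto-start entry remains is exactly the leftover a helper wants to see after a cleanup, which is why ComboFix's later section prints the CCOMSVC ImagePath again.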
     
  25. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Looks good :)

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
Topic Status:
Not open for further replies.
