Solved Fraudpack, antivirussuite, bad.proxy, and normal can't run explorer properly

Status
Not open for further replies.
1. Go Start>Run ("Start search" in Vista and Win 7), type in:
cmd
Click OK (hit Enter in Vista and Win 7).

2. At Command Prompt type in (or copy and paste):

cmd /c ping google.com>%temp%\$.$&notepad %temp%\$.$

and press Enter.

3. Notepad will open.

4. Copy all text in Notepad ([Ctrl-A], then [Ctrl-C]), and then post it (paste = [Ctrl-V]) in your next reply.

=========================================================================

1. Go Start>Run ("Start search" in Vista and Win 7), type in:
cmd
Click OK (hit Enter in Vista and Win 7).

2. At Command Prompt, paste this:
ipconfig /all>c:\ipconfig_all.txt&notepad c:\ipconfig_all.txt&exit
Hit Enter.

3. Copy and paste what you see in Notepad into a Reply here.
 
Here's my first try, in Safe Mode with Networking, which may or may not be useful (I'll do it in normal mode next).

ping:
Pinging google.com [74.125.224.52] with 32 bytes of data:

Reply from 74.125.224.52: bytes=32 time=66ms TTL=53
Reply from 74.125.224.52: bytes=32 time=65ms TTL=53
Reply from 74.125.224.52: bytes=32 time=65ms TTL=53
Reply from 74.125.224.52: bytes=32 time=66ms TTL=53

Ping statistics for 74.125.224.52:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 65ms, Maximum = 66ms, Average = 65ms

ipconfig:
Windows IP Configuration

        Host Name . . . . . . . . . . . . : black-knight
        Primary Dns Suffix . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 7:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : NVIDIA nForce 10/100/1000 Mbps Ethernet #2
        Physical Address. . . . . . . . . : 00-04-4B-05-42-17

Ethernet adapter Local Area Connection 6:

        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : NVIDIA nForce 10/100/1000 Mbps Ethernet
        Physical Address. . . . . . . . . : 00-04-4B-05-42-16
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.102
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        IP Address. . . . . . . . . . . . : fe80::204:4bff:fe05:4216%5
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 24.116.2.50
                                            24.116.2.34
                                            fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1
        Lease Obtained. . . . . . . . . . : Thursday, February 03, 2011 12:18:33 PM
        Lease Expires . . . . . . . . . . : Friday, February 04, 2011 12:18:33 PM

Tunnel adapter Teredo Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
        Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%6
        Default Gateway . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Disabled
 
And here you go for normal Windows mode:

ping:
Ping request could not find host google.com. Please check the name and try again.

ipconfig:
Windows IP Configuration

        Host Name . . . . . . . . . . . . : black-knight
        Primary Dns Suffix . . . . . . . :
        Node Type . . . . . . . . . . . . : Broadcast
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 6:

        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : NVIDIA nForce Networking Controller - Packet Scheduler Miniport
        Physical Address. . . . . . . . . : 00-04-4B-05-42-16
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        IP Address. . . . . . . . . . . . : fe80::204:4bff:fe05:4216%4
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 24.116.2.50
                                            24.116.2.34
                                            fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1

Ethernet adapter Local Area Connection 7:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : NVIDIA nForce Networking Controller #2 - Packet Scheduler Miniport
        Physical Address. . . . . . . . . : 00-04-4B-05-42-17

Tunnel adapter Teredo Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
        Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%6
        Default Gateway . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Disabled
 
Yeah, it looks like there is no connection in normal mode because, for some reason, the IP configuration gets messed up in normal mode.
It looks fine in Safe Mode with Networking.

Please reinstall the network adapter driver.
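The comparison made in the reply above (a working DHCP lease in Safe Mode with Networking, 0.0.0.0 in normal mode) is easy to automate. The script below is an added example, not code from the thread: it parses `ipconfig /all` text of the kind pasted above, flags DHCP-enabled adapters that never obtained an address, and diffs the two captures adapter by adapter. The two samples are constructed from the thread's output, trimmed to the adapters that matter; the function names and the "lease failure" rules are my own.

```python
"""Parse `ipconfig /all` output and flag adapters whose DHCP lease failed.

Added example, not code from the thread. The two samples are constructed
from the safe-mode and normal-mode output posted above, trimmed to the
adapters that matter; the check reproduces the comparison made by eye.
"""
import re

SAFE_MODE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : black-knight
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection 6:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.102
        IP Address. . . . . . . . . . . . : fe80::204:4bff:fe05:4216%5
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 24.116.2.50
                                            24.116.2.34
        Lease Obtained. . . . . . . . . . : Thursday, February 03, 2011 12:18:33 PM
"""

NORMAL_MODE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : black-knight
        Node Type . . . . . . . . . . . . : Broadcast

Ethernet adapter Local Area Connection 6:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 0.0.0.0
        IP Address. . . . . . . . . . . . : fe80::204:4bff:fe05:4216%4
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 24.116.2.50
                                            24.116.2.34

Ethernet adapter Local Area Connection 7:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : NVIDIA nForce Networking Controller #2
"""

# "Key . . . : value". IPv6 addresses and continuation lines never contain
# " :" (space before the colon), so they do not match this pattern.
KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 \-]*?)[. ]*? :\s*(?P<val>.*)$")
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_ipconfig(text):
    """Return {adapter_name: {key: [values]}}; host-level keys go under '_global'."""
    adapters = {"_global": {}}
    current, last_key = "_global", None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = KV_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            adapters[current].setdefault(last_key, [])
            if m.group("val"):
                adapters[current][last_key].append(m.group("val").strip())
        elif line.endswith(":"):
            # Section header such as "Ethernet adapter Local Area Connection 6:"
            current, last_key = line[:-1].strip(), None
            adapters[current] = {}
        elif last_key is not None:
            # Continuation line: a second DNS server or address under the same key
            adapters[current][last_key].append(line.strip())
    return adapters


def ipv4_addresses(props):
    """IPv4 addresses of one adapter (XP prints 'IP Address', later Windows 'IPv4 Address')."""
    values = props.get("IP Address", []) + props.get("IPv4 Address", [])
    return [m.group(1) for m in (IPV4_RE.match(v) for v in values) if m]


def dhcp_failures(adapters):
    """Adapters that should hold a DHCP lease but have no usable IPv4 address."""
    failures = {}
    for name, props in adapters.items():
        if name == "_global" or "disconnected" in " ".join(props.get("Media State", [])).lower():
            continue
        if props.get("Dhcp Enabled", props.get("DHCP Enabled", [])) != ["Yes"]:
            continue
        v4 = ipv4_addresses(props)
        if not v4:
            failures[name] = "no IPv4 address"
        elif v4[0] == "0.0.0.0":
            failures[name] = "address 0.0.0.0 (lease never obtained)"
        elif v4[0].startswith("169.254."):
            failures[name] = "APIPA address (DHCP server unreachable)"
        elif not props.get("Default Gateway"):
            failures[name] = "lease present but no default gateway"
    return failures


def diff_adapter(good, bad, name):
    """Keys whose values differ between two captures of the same adapter."""
    g, b = good.get(name, {}), bad.get(name, {})
    return {k: (g.get(k, []), b.get(k, [])) for k in sorted(set(g) | set(b))
            if g.get(k, []) != b.get(k, [])}


if __name__ == "__main__":
    safe, normal = parse_ipconfig(SAFE_MODE), parse_ipconfig(NORMAL_MODE)
    for mode, cfg in (("safe mode", safe), ("normal mode", normal)):
        print(mode + ":", dhcp_failures(cfg) or "no DHCP problems")
    for k, (g, b) in diff_adapter(safe, normal, "Ethernet adapter Local Area Connection 6").items():
        print(f"  {k}: {g} -> {b}")
```

Run as-is it flags the normal-mode adapter; to check a live machine, feed it the text saved by the `ipconfig /all>c:\ipconfig_all.txt` step earlier in the thread. The rules are deliberately narrow (DHCP on, media connected, yet no address) so that a disconnected or statically configured adapter is not reported as a failure.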
 
I gave that a try. Didn't seem to do anything. When I boot into normal mode it still takes an inordinate amount of time to get to the point I can interact with things. The taskbar doesn't show, MSConfig can't apply changes, the Windows Installer service doesn't work, Windows Firewall can't start, Avast can't load up. Firefox and IE can't connect to anything. I can't properly shut down without a hard restart (choosing any shutdown-type option in Windows results in a hang at 'Saving settings'). This is the same state that the computer was in back before I ran ComboFix for the first time, after which it was able to load and restart normally a few times.

I was able to install the network driver in safe mode w/networking, but normal mode wouldn't allow it due to windows installer issues.
 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Ran it in safe mode w/ networking. Would it be safe to run again in normal if I'm able to now?

ComboFix 11-01-31.02 - Ryan 02/04/2011 14:44:55.3.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1743 [GMT -7:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2011-01-04 to 2011-02-04 )))))))))))))))))))))))))))))))
.

2072-04-03 19:13 . 2008-03-21 20:46 607296 ------w- c:\program files\Microsoft Games\Age of Empires III\deformerdllyD.dll
2011-02-04 20:42 . 2011-02-04 20:42 -------- d-----w- c:\windows\LastGood.Tmp
2011-02-04 20:42 . 2004-06-25 18:05 57344 ------w- c:\windows\system32\BCMWLD2K.EXE
2011-02-04 20:42 . 2004-06-25 18:05 139264 ------w- c:\windows\system32\BCMWLU00.EXE
2011-02-04 20:42 . 2004-06-25 18:05 341760 ------w- c:\windows\system32\drivers\BCMWL5.SYS
2011-02-02 07:31 . 2011-02-02 07:31 -------- d-----w- c:\program files\ESET
2011-02-02 07:04 . 2011-02-02 07:04 -------- d-----w- C:\_OTL
2011-01-31 17:23 . 2011-01-31 17:23 -------- d-sh--w- c:\documents and settings\Ryan\IECompatCache
2011-01-31 03:19 . 2011-01-31 03:19 -------- d-----w- c:\documents and settings\Ryan\Application Data\Malwarebytes
2011-01-31 03:19 . 2011-01-31 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-31 03:19 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-31 03:19 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-31 03:13 . 2011-01-31 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Tenebril
2011-01-31 02:54 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
2011-01-29 17:29 . 2011-01-29 17:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-01-29 16:52 . 2011-01-29 17:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2011-01-29 16:52 . 2011-01-29 16:52 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-01-29 08:17 . 2011-01-31 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2011-01-21 15:20 . 2011-01-21 15:20 -------- d-----w- c:\documents and settings\Ryan\Application Data\Amazon
2011-01-21 15:20 . 2011-01-21 15:20 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Amazon
2011-01-15 23:56 . 2011-01-15 23:56 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\2DBoy
2011-01-15 23:56 . 2011-01-15 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2011-01-15 23:44 . 2011-01-15 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Amazon
2011-01-15 23:44 . 2011-01-21 15:20 -------- d-----w- c:\program files\Amazon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2007-06-07 12:27 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-13 01:53 . 2010-08-01 20:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 23:34 . 2008-01-01 15:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52 . 2004-08-04 10:00 249856 ----a-w- c:\windows\system32\odbc32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ImpulseFastStart"="c:\program files\Stardock\Impulse\Impulse.exe" [2011-01-13 2340208]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]
"Creative Software Update"="c:\program files\Creative\Shared Files\Software Update\AutoUpdate.exe" [2009-01-15 430968]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-24 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16264192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-03-16 110696]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2006-09-13 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-16 13670504]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"CTxfiHlp"="CTXFIHLP.EXE" [2009-06-04 25600]
"CTHelper"="CTHELPER.EXE" [2008-02-21 19456]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
IconPackager.lnk - c:\program files\Stardock\MyColors\IconPackager.exe [2009-3-30 1389944]

c:\documents and settings\Ryan\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Impulse Now.lnk - c:\program files\Stardock\Impulse\Now\ImpulseNow.exe [2009-6-7 476464]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-6-14 479232]
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks\swScheduler\swBOEngine.exe [2008-9-9 841000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2008-12-15 22:07 30000 ----a-w- c:\program files\Stardock\MyColors\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\SecuLoad.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\FlashFXP\\flashfxp.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2VoipServer.exe"=
"c:\\Program Files\\THQ\\Titan Quest\\Titan Quest.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III - The WarChiefs Trial\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Electronic Arts\\Dragon Age Origins\\bin_ship\\EACoreServer.exe"=
"c:\\Program Files\\Electronic Arts\\Dragon Age Origins\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\USMLE\\2010FredV2Step1\\FredV2Orient.exe"=
"c:\\Program Files\\USMLE\\2010FredV2Step1\\NED.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire Diplomacy.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"e:\\Games\\Mass Effect 2\\Binaries\\EACoreServer.exe"=
"e:\\Games\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"e:\\Games\\Mount and Blade Warband\\mb_warband.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"e:\\Games\\The Settlers 7\\Data\\Base\\_Dbg\\Bin\\Release\\Settlers7R.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire Entrenchment.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\magic the gathering - duels of the planeswalkers\\DotP.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\amnesia the dark descent\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [1/15/2011 4:44 PM 401920]
S2 DAUpdaterSvc;Dragon Age: Origins Updater;c:\program files\Electronic Arts\Dragon Age Origins\bin_ship\daupdatersvc.service.exe [11/6/2009 3:59 AM 25832]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/26/2009 12:51 PM 135664]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/11/2009 7:10 AM 88176]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks\swScheduler\DTSCoordinatorService.exe [9/9/2008 6:01 AM 79144]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [11/1/2008 4:56 AM 79360]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [6/4/2009 1:46 AM 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [6/4/2009 1:46 AM 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [6/4/2009 1:46 AM 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [6/4/2009 1:46 AM 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [6/4/2009 1:46 AM 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [6/4/2009 1:46 AM 72728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-01-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2011-02-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-31 12:16]

2011-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 19:51]

2011-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 19:51]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll
FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\27esdt63.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-04 14:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-839522115-861567501-2147252035-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-839522115-861567501-2147252035-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e4,3d,9b,e0,96,8b,36,2f,df,39,8d,68,c8,f4,38,d2,49,2d,de,e9,7b,3d,56,
93,c7,e6,00,0f,fd,42,97,9c,d0,a5,c9,5d,b9,fb,5c,7d,e5,6d,2e,84,85,20,bd,5b,\
"??"=hex:03,cf,fe,29,34,65,07,ea,97,84,14,ca,23,98,ed,3f

[HKEY_USERS\S-1-5-21-839522115-861567501-2147252035-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,98,c0,78,c9,b0,a5,30,be,3c,22,7a,73,83,77,89,6d,7a,97,62,da,
15,45,73,f0,3e,01,c8,91,ca,cc,f6,b6,31,b8,ab,2f,f6,ab,e9,ba,61,82,9f,29,94,\
"rkeysecu"=hex:8a,56,07,63,f6,7d,97,ea,ff,c8,c1,87,16,f7,1a,0d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\program files\Stardock\MyColors\fastload.dll

- - - - - - - > 'explorer.exe'(184)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2011-02-04 14:54:59
ComboFix-quarantined-files.txt 2011-02-04 21:54
ComboFix2.txt 2011-02-02 05:15
ComboFix3.txt 2011-02-02 03:28

Pre-Run: 34,283,409,408 bytes free
Post-Run: 34,258,751,488 bytes free

- - End Of File - - C29918EC282A234211AEAFD3623158B9
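A first triage pass over the "Reg Loading Points" section of a ComboFix log like the one above can be scripted. The parser and checks below are an added example, not part of the thread or of ComboFix: SAMPLE is constructed in the log's REGEDIT4-style layout from entries that appear in the log above plus one made-up entry (`ConstructedUpdater`) that exercises the user-writable-path rule, and the three rules (non-empty AppInit_DLLs, bare file name, user-writable location) only rank entries for a human to read; they are my own choices and are not a malware verdict.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log.

Added example, not part of the thread or of ComboFix. SAMPLE is constructed
in the log's REGEDIT4-style format: most entries are copied from the log
above, "ConstructedUpdater" is made up to exercise the user-writable-path rule.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ImpulseFastStart"="c:\program files\Stardock\Impulse\Impulse.exe" [2011-01-13 2340208]
"ConstructedUpdater"="c:\documents and settings\user\Local Settings\Temp\constructed_example.exe" [2011-02-01 4096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\SecuLoad.dll
"""


@dataclass
class LoadingPoint:
    key: str             # registry key the value lives under
    value_name: str      # value name, e.g. "SkyTel" or "AppInit_DLLs"
    path: str            # image path exactly as ComboFix printed it
    date: Optional[str]  # file date ComboFix recorded, if any
    size: Optional[int]  # file size ComboFix recorded, if any


KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "Name"="path" [YYYY-MM-DD size]  or  "Name"=path  (unquoted, as for AppInit_DLLs)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="?(?P<path>[^"\[]*?)"?'
    r'(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?\s*$'
)

# Locations a standard user can write to; anything auto-starting from here
# deserves a look (hypothetical marker list, not from the page).
USER_WRITABLE_MARKERS = (
    "\\local settings\\temp\\", "\\application data\\", "\\appdata\\",
    "\\users\\", "\\temp\\",
)


def parse_loading_points(text: str) -> list:
    """Turn the REGEDIT4-style section into LoadingPoint records (values with a path only)."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and key and vm.group("path").strip():
            entries.append(LoadingPoint(
                key=key,
                value_name=vm.group("name"),
                path=vm.group("path").strip(),
                date=vm.group("date"),
                size=int(vm.group("size")) if vm.group("size") else None,
            ))
    return entries


def triage(entries) -> list:
    """Return (entry, reason) pairs worth a human look. Ranking only, never a verdict."""
    findings = []
    for e in entries:
        p = e.path.lower()
        if e.value_name.lower() == "appinit_dlls":
            findings.append((e, "AppInit_DLLs is non-empty; the DLL is loaded into every process that loads user32.dll"))
        elif not re.match(r"^[a-z]:\\", p):
            findings.append((e, "bare file name; image is resolved through the search path, not a fixed location"))
        elif any(marker in p for marker in USER_WRITABLE_MARKERS):
            findings.append((e, "runs from a user-writable profile or temp directory"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_loading_points(SAMPLE)):
        print(f"[{entry.value_name}] {entry.path}\n    -> {reason}")
```

The entries it flags here (the AppInit_DLLs value and a Run value with no path) are the kind a helper reads first; the absence of a flag means nothing on its own. The date and size ComboFix records are kept on each record so they can be compared with what is actually on disk.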
 
I don't see anything malicious there.
I don't think we're dealing with any infection anymore.

Do you have a Windows XP CD?
 
You're very welcome


Let me know....
 
I repaired my Windows install, got all the service packs and security updates installed, and everything appears to be working fine.

MBAM isn't finding anything and neither is Avast. Thanks for all your help, Broni.
 