TechSpot

Get to step 4 start scan, blue screen, and shut down

Solved
By blairman
May 23, 2010
  1. Hello, and thanks to anybody willing to help. I have a Gateway VTX400 running XP.
    I have successfully installed Avira and scanned, and successfully run Temp File Cleaner.
    Updated Java and Adobe; the link to Microsoft did not work, so I pushed on.
    Downloaded Malwarebytes' Anti-Malware, selected Quick Scan, pushed Start, and
    25 or so seconds in I get the blue screen of death. It only stays for a second, not long enough to read, and the laptop reboots.
    Any ideas?
    blairman
     
  2. Bobbye

    Try running this first:

    Please download randmbam.exe

    It will try to create random names and shortcuts for Malwarebytes Anti Malware(MBAM) if you have it installed already.

    Once done, try running a scan again.

    Then continue with the other scans.
     
  3. blairman

    I got my camera out and took a picture of the blue screen of death.
    It says:
    "A problem has been detected and Windows has been shut down to protect your computer
    PAGE_FAULT_IN_NONPAGED_AREA"
    then the rest of the blah blah blah blue screen stuff.
    I hope this helps.
     
  4. Bobbye

    Did you run the program I asked you to? Did you still get the BSOD when trying to run MBAM?

    BTW, there's a nifty way to 'take a picture' of what's on the screen. Press the 'Print Screen' key and paste it into Notepad.
     
  5. LookinAround

    PrintScreen is nifty, but it only works when Windows is running (so it can't be used to capture a blue screen when Windows has crashed) :)

    And I think you meant to say "paste it into Paint" ;)
     
  6. blairman

    Bobbye, thanks so much for your help. I will try your suggestion, hopefully this afternoon; I ran out of time for messing with this yesterday. I will try it and report back. Also thanks for the Print Screen key idea, I will remember that. I do not know if it would have worked here: I got the BSOD for literally less than one second, and then the power shut off and rebooting started. Maybe it would have delayed that.
    Anyhow, will report back later today after some appointments get handled.
    blair
     
  7. Bobbye

    blair, of course LookinAround is right: you can't do a Print Screen if the system is down. Excuse me for that. But I don't use Paint; I should have said WordPad instead of Notepad. Messed that one up, didn't I!
     
  8. LookinAround

    No worries.... I have a long list of my own personal bloopers :p
     
  9. blairman

    Bobbye and LookinAround,
    Downloaded and ran randmbam. That appears to just be a sneaky way to open the Malwarebytes' Anti-Malware program. I was always able to open Malwarebytes. I would select Quick Scan and select Run Scan. The process window tells me that it is enumerating registry items. This time I got a minute and 20 seconds into it before the BSOD ended my forward progress.
    Some notes: the 'Security Essentials 2010' pop-ups have stopped, and I was able to delete the shortcut from the desktop and the file from Program Files, which I was not able to do at the height of my infestation.
    I am able to start System Restore now; however, I can only go back 5 days, not back to January or February before all this crap started.
    When I try to go to windowsupdate.microsoft.com, I get an 'Internet Explorer cannot display the webpage' with a button to diagnose connection problems; however, if I open another Internet Explorer page, my connection to msn.com is just fine.
    I tried to backdoor the update by going to Microsoft's home page and selecting Updates; then I get a red X saying 'the website has encountered a problem and cannot display the page you are trying to view'.
    Then I tried the Firefox browser and the Safari browser to get to Microsoft Update. All get blocked, yet I can go any other place on the net.
    I hate to be putting this kind of effort into a laptop that would fetch $60 max on eBay, but I am letting my brother-in-law use it because he has limited mobility and it helps him retrieve email and surf the net without changing floors at his house.
    I really appreciate your help, but let's not kill ourselves over this either.
    Thanks again,
    blairman
     
  10. Bobbye

    Once the restore points have been removed, they're gone. Think about it: how could you restore to the way your system was 3 months ago? It's like tearing a page out of a book; it's gone!

    Had you stuck with us, I could have removed any remains of Security Essentials for you. Users don't understand that malware cleaning has to be an orderly process.

    You must use IE to get the updates. People frequently complain about not being able to access the update page. I just tell them to try at another time.

    I have no intention of 'killing myself' over this. We help clean malware off systems here; it's not our job to troubleshoot system problems unless they are directly related to the malware.

    It's a nice thing you want to do for your brother. Why not get over your impatience and do it right? Identify the problem, determine if it's fixable and if it is, fix it!

    Please download VEW and save it to your Desktop:

    Setting up the program

    Double-click VEW.exe to run.

    • Select log to query, select
    • Application
    • System

      Under Select type to list, select:
    • Critical (Vista only)
    • Error

      Click the radio button for Number of events
    • Type 20 in the 1 to 20 box
    • Then click the Run button.
    • Notepad will open with the output log.

      Load the log
    • In Notepad, click Edit> Select all
    • Then press Edit > Copy
    • Press Ctrl+V on your keyboard to paste the log to your next reply.

    (Courtesy rev-Olie)

    After checking this, if I can't offer a solution, I will refer you to the correct forum.
     
  11. blairman

    Bobbye, thanks for your help. I have not quite given up on this; I just sometimes question the time-money factor, and right now I have more time than money, at least for the next couple of weeks.
    I did not mean to sound like I was giving up; I just feel bad about saints like you that spend time helping those of us with limited skills.
    So, having said that, I gather that you think it is just an issue with Microsoft's update page not being able to handle the traffic, rather than my thought that something, part of a virus or malware, is keeping the computer from accessing that page.
    Recap: I run Malwarebytes and select Quick Scan, and after 25 to 75 seconds I get the BSOD.

    I will move forward and download VEW, follow the instructions you left and post the log in my next reply.
    Thanks again,
    blairman
     
     
  12. Bobbye

    If you can find the Error that corresponds to the time of the BSOD, there may be something to work on. Here is a shorter, more direct version of the Event Viewer. Errors are time-coded, so if you check the time on the computer clock when it happens, then do the following, you should be able to find the corresponding error event:

    Start> Run> type in eventvwr

    Do this on each of the System and Application logs:
    [1]. Click to open the log>
    [2]. Look for the Error>
    [3]. Right click on the Error> Properties>
    [4]. Click on Copy button, top right, below the down arrow>
    [5]. Paste here (Ctrl V)
    [6]. NOTES
    • You can ignore Warnings and Information Events.
    • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
    • You don't need to include the lines of code in the box below the Description, if any.
    • Please do not copy the entire Event log.

    This is the same procedure as what I gave you previously, but this path allows you to look for errors at specific times. See if that works better for you.
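
The VEW procedure and the Event Viewer walk-through above both come down to one thing: find the Error records written around the clock time noted at the blue screen. The script below is an added example, not part of this thread and not a TechSpot, VEW or Microsoft tool. It takes records pasted from an event's Properties > Copy button (the "Event Type: / Event Source: / ... / Description:" layout XP produces), keeps the Error entries within a few minutes of the noted time, and decodes the Save Dump record (Event ID 1001) that XP writes on the next boot, which is where the stop code, 0x50 for PAGE_FAULT_IN_NONPAGED_AREA, actually gets recorded. The sample records, computer name, service name, timestamps and bugcheck parameters are constructed for the example, and the stop-code table is a small subset.

```python
"""Correlate Windows XP Event Viewer Error records with a noted BSOD time.
Added example, not from the thread.  Input: text pasted from an event's
Properties > Copy button; each record starts with "Event Type:".
"""
import re
from datetime import datetime, timedelta

BUGCHECK_NAMES = {  # small subset; 0x50 is the code on the photographed screen
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}
FIELD = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
BUGCHECK = re.compile(r"bugcheck was: 0x([0-9A-Fa-f]{8}) \(([^)]*)\)")

# Constructed sample in the XP "Copy" layout (User/Category lines omitted);
# computer name, times, service name and bugcheck parameters are made up.
SAMPLE_EVENTS = """\
Event Type:\tWarning
Event Source:\tW32Time
Event ID:\t36
Date:\t\t5/26/2010
Time:\t\t8:02:11 AM
Computer:\tGATEWAY-XP
Description:
The time service has not been able to synchronize the system time.

Event Type:\tError
Event Source:\tService Control Manager
Event ID:\t7000
Date:\t\t5/26/2010
Time:\t\t10:48:55 AM
Computer:\tGATEWAY-XP
Description:
The ExampleSvc service failed to start due to the following error:
The system cannot find the file specified.

Event Type:\tError
Event Source:\tSave Dump
Event ID:\t1001
Date:\t\t5/26/2010
Time:\t\t10:49:12 AM
Computer:\tGATEWAY-XP
Description:
The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000050
(0xf7a8c000, 0x00000000, 0x804e3d1c, 0x00000000). A dump was saved in:
C:\\WINNT\\Minidump\\Mini052610-01.dmp.
Data:
0000: 53 79 73 74 65 6d 20 45
"""


def parse_events(text):
    """Split pasted records; Description runs until 'Data:' or the next record."""
    events, cur, in_desc = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:"):
            cur, in_desc = {"Description": []}, False
            events.append(cur)
        if cur is None:
            continue
        if line.startswith("Description:") or line.startswith("Data:"):
            in_desc = line.startswith("Description:")   # hex dump is not needed
            continue
        if in_desc:
            cur["Description"].append(line)
            continue
        m = FIELD.match(line)
        if m:
            cur[m.group(1)] = m.group(2).strip()
    for e in events:
        e["Description"] = " ".join(p for p in e["Description"] if p)
        e["when"] = datetime.strptime(e["Date"] + " " + e["Time"], "%m/%d/%Y %I:%M:%S %p")
    return events


def errors_near(events, bsod_time, window=timedelta(minutes=5)):
    """Error records within `window` of the clock time noted at the crash.
    XP writes the Save Dump record on the *next* boot, so the record that
    names the stop code lands a minute or two after the crash itself."""
    hits = [e for e in events if e.get("Event Type") == "Error"
            and abs(e["when"] - bsod_time) <= window]
    return sorted(hits, key=lambda e: e["when"])


def decode_bugcheck(event):
    """Stop code and its four parameters from a Save Dump (Event ID 1001) record."""
    m = BUGCHECK.search(event["Description"]) if event.get("Event Source") == "Save Dump" else None
    if not m:
        return None
    code = int(m.group(1), 16)
    return {"code": code, "name": BUGCHECK_NAMES.get(code, "unknown"),
            "params": [p.strip() for p in m.group(2).split(",")]}


def crash_report(text, noted_clock_time):
    """End to end: (source, id, decoded bugcheck) for errors near the noted time."""
    noted = datetime.strptime(noted_clock_time, "%m/%d/%Y %I:%M:%S %p")
    return [(e["Event Source"], e["Event ID"], decode_bugcheck(e))
            for e in errors_near(parse_events(text), noted)]
```

Run `crash_report(pasted_text, "5/26/2010 10:47:00 AM")` with the time read off the clock at the crash; the Warning is dropped, the two Errors in the window come back oldest first, and only the Save Dump record yields a decoded stop code. The first parameter of a 0x50 bugcheck is the faulting address, which is what you would take to the minidump next.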
     
  13. blairman

    Bobbye, I fired up the laptop today, decided to run Malwarebytes one more time for grins, and it worked. Below is the log; I am rebooting.
    Do you still want me to run VEW and eventvwr? I will wait to hear from you.
    Thanks,
    blairman
    Log:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4132

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    5/26/2010 10:47:02 AM
    mbam-log-2010-05-26 (10-47-02).txt

    Scan type: Quick scan
    Objects scanned: 125530
    Time elapsed: 12 minute(s), 20 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 14
    Folders Infected: 0
    Files Infected: 37

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\SE2010 (Rogue.Securityessentials2010) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-soft-package.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-software-package.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINNT\system32\drivers\4DW4R3PrNJaTBasp.sys (Malware.Packer) -> Delete on reboot.
    C:\WINNT\system32\drivers\4DW4R3.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\WINNT\system32\drivers\4DW4R3gHyXVxxPcF.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\WINNT\system32\drivers\4DW4R3ilCduxtHFR.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\WINNT\system32\drivers\4DW4R3InTFXMlEPw.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\WINNT\system32\drivers\4DW4R3ISpUVoQaHx.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\WINNT\system32\drivers\4DW4R3jjyluCbrTr.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\WINNT\system32\drivers\4DW4R3msnBJyccQO.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\WINNT\system32\drivers\4DW4R3PwEYPOtWFU.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\WINNT\system32\drivers\4DW4R3rEppbYTsDu.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\WINNT\system32\drivers\4DW4R3ryNHVoPTHi.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\WINNT\system32\drivers\4DW4R3spBvwRpwsR.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\WINNT\system32\drivers\4DW4R3tDEYQrnHsb.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\WINNT\system32\drivers\4DW4R3tImBKgwmHL.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\WINNT\system32\drivers\4DW4R3tqxQSQabKD.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\WINNT\system32\drivers\4DW4R3vOtavkSgxX.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\WINNT\system32\drivers\4DW4R3vyjofaRIDW.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\WINNT\system32\drivers\4DW4R3whAWmEODvx.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Security essentials 2010.lnk (Rogue.SecurityEssentials2010) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3BeGrUWCCFm.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3beISbctLBl.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3buhOWxWwIy.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3BvhXislwwQ.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3c.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3FElMrrkOlm.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3ICSrydMdTP.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3igWAYEbERm.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3KEXBHlisuY.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3ktPpjRMOME.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3NbiGarwbat.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3pxlDYrXkSf.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3pxNXgKqAsM.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3sBRLKXunJs.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3sSoDixRlql.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3TSmOLnLnnj.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3VkGKLIYxjM.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINNT\system32\4DW4R3WvSMyqVHNW.dll (Rootkit.Agent) -> Delete on reboot.
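
The log above is the standard MBAM 1.x text report. What follows is an added example, not part of this thread and not a Malwarebytes tool: a Python triage script for that format. It parses the "... Infected:" blocks, checks the declared counts against the entries it actually parsed (a truncated paste shows up here), and pulls out what a responder acts on: the domains the rogue pushed into an Internet Explorer zone (in the ZoneMap, value 2 is the Trusted sites zone and 4 is Restricted sites, which is where MBAM moved them), the Security Center notifications it switched off, the dropped files that share one random-looking prefix, and anything MBAM could only schedule for "Delete on reboot", which was still locked at scan time, so the machine needs a reboot and a rescan before the log is believed. The embedded sample is a constructed, abridged log in the same layout using a few of the entries shown above; the six-character prefix used for grouping is a choice of this example.

```python
"""Triage of a Malwarebytes' Anti-Malware 1.x text log.
Added example: not from the thread and not a Malwarebytes tool.
"""
import re
from collections import defaultdict

# Constructed, abridged sample in the MBAM 1.x log layout (a few of the kinds
# of entries that appear in the posted log, not the full log).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Data Items Infected: 4
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\SE2010 (Rogue.Securityessentials2010) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINNT\system32\drivers\4DW4R3PrNJaTBasp.sys (Malware.Packer) -> Delete on reboot.
C:\WINNT\system32\drivers\4DW4R3.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\4DW4R3gHyXVxxPcF.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINNT\system32\4DW4R3c.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Security essentials 2010.lnk (Rogue.SecurityEssentials2010) -> Quarantined and deleted successfully.
"""

HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
ENTRY = re.compile(
    r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>[^>]+?)\.?$")
ZONEMAP = re.compile(r"\\ZoneMap\\Domains\\(?P<domain>[^\\]+)\\", re.IGNORECASE)
IE_ZONES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
            "3": "Internet", "4": "Restricted sites"}
PREFIX_LEN = 6   # assumption of this example: how much of a file name to group on


def parse(log_text):
    """Return (declared counts from the summary, list of entry dicts)."""
    declared, entries, section = {}, [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            section = None                      # a blank line closes a block
            continue
        h = HEADER.match(line)
        if h:
            if h.group("count") is not None:
                declared[h.group("section")] = int(h.group("count"))
            else:
                section = h.group("section")
            continue
        m = ENTRY.match(line) if section else None
        if m:
            entries.append(dict(m.groupdict(), section=section))
    return declared, entries


def triage(log_text):
    """Summarise the findings a responder acts on."""
    declared, entries = parse(log_text)
    found = defaultdict(int)
    for e in entries:
        found[e["section"]] += 1
    zone_pushes, families = [], defaultdict(list)
    for e in entries:
        z = ZONEMAP.search(e["item"])
        if z and e["detection"].startswith("Hijack.TrustedZone"):
            zone_pushes.append((z.group("domain"), IE_ZONES.get(e["bad"], e["bad"])))
        if e["section"] == "Files Infected":
            name = e["item"].rsplit("\\", 1)[-1]
            families[name[:PREFIX_LEN].upper()].append(e["item"])
    return {
        # summary counts that do not match the parsed entries (truncated paste?)
        "count_mismatch": {s: (n, found[s]) for s, n in declared.items() if n != found[s]},
        "zone_pushes": zone_pushes,            # domains forced into an IE zone
        "notify_off": [e["item"].rsplit("\\", 1)[-1] for e in entries
                       if e["detection"].startswith("Disabled.SecurityCenter") and e["bad"] == "1"],
        "families": {k: v for k, v in families.items() if len(v) >= 3},
        "pending_reboot": [e["item"] for e in entries if e["action"].lower() == "delete on reboot"],
    }
```

`triage(open("mbam-log.txt").read())` on a saved log returns the same dictionary. On the sample it reports two purchase domains that had been put in the Trusted sites zone, two Security Center warnings switched off, one file family of four sharing the "4DW4R3" prefix across system32 and system32\drivers, and one driver still pending deletion at reboot; an empty "count_mismatch" means the summary header agrees with the entries, so the paste is complete.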
     
  14. blairman

    Or should I continue with step 5, GMER?
    blairman
     
  15. blairman

    Well, I pushed on with GMER. Kind of interesting: when I started the program it would scan automatically. I then brought up all of the tabs and selected rootkit\malware and selected Scan.
    Did this 3 times; it would only go so far and lock up on .....drivers/atapi.
    So I went back to TFC, ran Malwarebytes again and ran GMER. It did its auto scan, and below is the log. What next, please?
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-05-27 07:28:13
    Windows 5.1.2600 Service Pack 3
    Running: vll7j8my.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwrcrkod.sys


    ---- Devices - GMER 1.0.15 ----

    Device -> \Driver\atapi \Device\Harddisk0\DR0 81A55A9A

    ---- Files - GMER 1.0.15 ----

    File C:\WINNT\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
     
  16. blairman

    Through step 7

    I pushed on and ran DDS, so all the logs are now posted. Thanks again.
    DDS notepad

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Owner at 7:39:05.13 on Thu 05/27/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.246.40 [GMT -5:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINNT\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINNT\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINNT\System32\svchost.exe -k imgsvc
    C:\WINNT\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    uInternet Settings,ProxyOverride = 127.0.0.1
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\winnt\system32\Shdocvw.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
    uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
    mRun: [GWMDMMSG] GWMDMMSG.exe
    mRun: [GWMDMpi] c:\winnt\GWMDMpi.exe
    mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
    mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
    mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
    mRun: [POINTER] point32.exe
    mRun: [ViewMgr] c:\program files\viewpoint\viewpoint manager\ViewMgr.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRunOnce: [OOBEDDDemise] cmd /x /c erase c:\winnt\system32\oobe\msoobe.exe
    dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ma521c~1.lnk - c:\program files\netgear\ma521 configuration utility\wlancfg5.exe
    uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\winnt\system32\Shdocvw.dll
    DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
    DPF: {0F04992B-E661-4DB9-B223-903AB628225D} - file://c:\program files\gateway\do more\DoMoreRunExe.CAB
    DPF: {511073AD-BE56-4D43-AE68-93390514385E} - hcp://system/TechTools.CAB
    DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} - hcp://system/RunExeActiveX.CAB
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: igfxcui - igfxsrvc.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\n6lflqy7.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-5-22 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-22 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-22 267432]
    R2 avgntflt;avgntflt;c:\winnt\system32\drivers\avgntflt.sys [2010-5-22 60936]
    R3 FLASHREADER;USB Reader;c:\winnt\system32\drivers\camusb.sys [1980-1-1 24192]
    S3 BWNDIS5;BWNDIS5 NDIS Protocol Driver;\??\c:\winnt\system32\bwndis5.sys --> c:\winnt\system32\BWNDIS5.SYS [?]
    S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\qctest\pcdoc\pcdrdrv.sys --> c:\atf\qctest\pcdoc\PCDRDRV.sys [?]
    S3 rtl8180;NETGEAR MA521 802.11b Wireless PC Card;c:\winnt\system32\drivers\MA521nd5.sys [2006-7-17 158848]

    =============== Created Last 30 ================

    2010-05-27 11:44:53 1602 ----a-w- c:\winnt\OEM.tmp
    2010-05-23 11:59:23 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
    2010-05-23 11:58:59 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
    2010-05-23 11:58:55 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
    2010-05-23 11:58:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-05-23 11:58:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-23 11:39:25 73728 ----a-w- c:\winnt\system32\javacpl.cpl
    2010-05-23 11:39:24 411368 ----a-w- c:\winnt\system32\deployJava1.dll
    2010-05-23 07:56:09 0 ----a-w- c:\winnt\system32\14604.exe
    2010-05-23 07:35:46 0 ----a-w- c:\winnt\system32\32391.exe
    2010-05-23 07:15:18 0 ----a-w- c:\winnt\system32\5436.exe
    2010-05-23 06:13:08 0 ----a-w- c:\winnt\system32\2995.exe
    2010-05-23 02:05:27 0 d-----w- c:\winnt\system32\NtmsData
    2010-05-23 01:58:08 0 d-----w- c:\docume~1\owner\applic~1\Avira
    2010-05-23 01:30:57 60936 ----a-w- c:\winnt\system32\drivers\avgntflt.sys
    2010-05-23 01:30:48 0 d-----w- c:\program files\Avira
    2010-05-23 01:30:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-05-22 17:23:21 21504 ----a-w- c:\winnt\system32\hidserv.dll
    2010-05-22 17:23:21 21504 ----a-w- c:\winnt\system32\dllcache\hidserv.dll

    ==================== Find3M ====================

    2010-05-27 12:19:38 96512 ----a-w- c:\winnt\system32\drivers\atapi.sys
    2010-05-27 12:19:38 96512 ----a-w- c:\winnt\system32\dllcache\atapi.sys
    2006-08-21 14:35:42 34164437 ----a-w- c:\program files\NAV061220.exe
    2006-03-15 19:47:14 780 ----a-w- c:\program files\Spyware Doctor.lnk
    2009-11-20 02:15:04 32768 --sha-w- c:\winnt\system32\config\systemprofile\local settings\history\history.ie5\mshist012009111920091120\index.dat

    ============= FINISH: 7:41:37.27 ===============

    DDS attach notes

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/22/2003 4:38:44 PM
    System Uptime: 5/27/2010 7:22:38 AM (0 hours ago)

    Motherboard: Gateway | | Gateway 400VTX
    Processor: Mobile Intel(R) Celeron(R) CPU 2.20GHz | uFCPGA2 | 2191/400mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 28 GiB total, 20.301 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
    Description: Communications Port
    Device ID: ROOT\PORTS\0000
    Manufacturer: (Standard port types)
    Name: Communications Port (COM4)
    PNP Device ID: ROOT\PORTS\0000
    Service: Serial

    ==== System Restore Points ===================

    RP499: 5/22/2010 12:28:56 PM - Removed Microsoft Silverlight
    RP500: 5/22/2010 12:30:43 PM - Removed Microsoft .NET Framework (English)
    RP501: 5/22/2010 12:32:27 PM - Configured iTunes
    RP502: 5/22/2010 12:59:42 PM - Software Distribution Service 3.0
    RP503: 5/23/2010 6:38:07 AM - Installed Java(TM) 6 Update 20
    RP504: 5/25/2010 7:48:28 AM - Installed Safari
    RP505: 5/26/2010 5:40:55 PM - System Checkpoint

    ==== Installed Programs ======================

    Adobe Acrobat 5.0
    Adobe Flash Player 10 ActiveX
    Apple Application Support
    Apple Software Update
    Avira AntiVir Personal - Free Antivirus
    Do More 7.0
    DVD
    Easy CD Creator 5 Basic
    FreeCEO(www.freeceo.com) 802.11 Wireless LAN Adapter
    Gateway Rhapsody
    GTW V.92 Voicemodem
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hoyle Casino 2004
    Intel(R) Extreme Graphics Driver
    Intel(R) PRO Ethernet Adapter and Software
    Java Auto Updater
    Java(TM) 6 Update 20
    Junk Mail filter update
    Lexmark Z25-Z35
    MA521 Configuration Utility
    Malwarebytes' Anti-Malware
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft IntelliPoint 4.1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Learning and Research Plus Support Files
    Microsoft National Language Support Downlevel APIs
    Microsoft Picture It! Photo 7.0
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Word 2002
    Microsoft Works 2003 Setup Launcher
    Microsoft Works 7.0
    Microsoft Works Suite Add-in for Microsoft Word
    Mozilla Firefox (1.5)
    MSN Internet Software
    MSVCRT
    PC-Doctor for Windows
    pressplay
    QuickTime
    RealPlayer Basic
    Safari
    Security Update for CAPICOM (KB931906)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB913433)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Segoe UI
    Shockwave
    upapp
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows XP Service Pack 3
    WinPhlash
    Works Suite OS Pack

    ==== Event Viewer Messages From Past Week ========

    5/27/2010 6:41:44 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    5/26/2010 11:01:37 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: adpu160m agp440 iaStor IntelIde ultra ViaIde
    5/26/2010 10:58:11 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    5/25/2010 6:16:22 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    5/25/2010 6:16:22 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    5/23/2010 8:31:40 AM, error: Service Control Manager [7022] - The Avira AntiVir Guard service hung on starting.
    5/23/2010 7:21:34 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.0.101 with the system having network hardware address 00:24:2C:24:1E:56. Network operations on this system may be disrupted as a result.
    5/23/2010 5:54:33 AM, error: Service Control Manager [7031] - The Avira AntiVir Guard service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    5/23/2010 5:54:32 AM, error: Service Control Manager [7031] - The Avira AntiVir Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    5/23/2010 5:54:20 AM, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
    5/22/2010 9:33:36 PM, error: VolSnap [25] - The shadow copy of volume C: was aborted because the diff area file could not grow in time. Consider reducing the IO load on this system to avoid this problem in the future.
    5/22/2010 9:13:04 PM, error: VolSnap [12] - The shadow copy of volume C: became low on diff area space before it was properly installed.
    5/22/2010 8:27:30 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    5/22/2010 8:27:30 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    5/22/2010 8:27:30 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    5/22/2010 7:40:35 PM, error: Microsoft Antimalware [2001] -
    5/22/2010 7:37:35 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    5/22/2010 7:37:35 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    5/22/2010 12:29:19 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    5/22/2010 12:18:27 PM, error: Dhcp [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 0014A5C493A9 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    It's easy to see why you're having the problems! Mbam found and removed a significant number of malware entries. But I suspect there will be more. Skip the Event Viewer for now and follow with this:

    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    =====================================
    After you've installed and run Combofix, follow with:

    Custom CFScript


    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:

    Code:
    File::
    
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
    
    Folder::
    Registry::
    Driver::
    
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Then Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Leave these logs in your next reply.
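Added example, not code from the thread, from ComboFix or from any tool it names: the integrity check behind the FCopy:: line above, hashing the live atapi.sys against the reference copies Windows File Protection keeps and reporting a mismatch. The paths in XP_CHECKS are an assumed XP layout and the demo input is constructed.

```python
r"""Driver integrity check against Windows File Protection reference copies.

Added example; not code from the thread, from ComboFix or from any tool named
in it. The FCopy:: step above repairs atapi.sys by copying the pristine copy
from ServicePackFiles\i386 over the live driver. This script is the check a
defender runs before and after such a repair: hash the live driver and compare
it with the untouched copies Windows keeps. XP_CHECKS is an assumed XP layout.
"""
import hashlib
import os
import tempfile

# Assumed Windows XP layout (live driver, [reference copies]). ServicePackFiles
# and system32\dllcache are where Windows File Protection keeps clean copies.
XP_CHECKS = [
    (r"C:\WINDOWS\system32\drivers\atapi.sys",
     [r"C:\WINDOWS\ServicePackFiles\i386\atapi.sys",
      r"C:\WINDOWS\system32\dllcache\atapi.sys"]),
]


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256. Compare content, not size or timestamp:
    a patched driver can keep both unchanged."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def compare_driver(live, references):
    """Compare one live driver with its reference copies.

    The returned dict's 'status' is one of:
      ok            live file is byte-identical to at least one reference
      mismatch      live file differs from every readable reference
      missing       live file does not exist
      no_reference  no reference copy could be read, so nothing to compare
    A kernel-mode rootkit can present a clean view of a file it patched, so a
    result that matters should come from a clean boot or an offline mount;
    the catchme rootkit scan that ComboFix runs is the in-OS fallback.
    """
    report = {"live": live, "status": None, "live_sha256": None,
              "matches": [], "differs": []}
    if not os.path.isfile(live):
        report["status"] = "missing"
        return report
    report["live_sha256"] = sha256_of(live)
    for ref in references:
        if not os.path.isfile(ref):
            continue                       # unreadable reference: skip it
        same = sha256_of(ref) == report["live_sha256"]
        report["matches" if same else "differs"].append(ref)
    if report["matches"]:
        report["status"] = "ok"
    elif report["differs"]:
        report["status"] = "mismatch"
    else:
        report["status"] = "no_reference"
    return report


def run_checks(checks=XP_CHECKS):
    """Run every (live, references) pair and return the list of reports."""
    return [compare_driver(live, refs) for live, refs in checks]


def build_demo():
    """Constructed offline demonstration: a fake reference driver, a live copy
    identical to it, and a live copy with one byte flipped at the same size.
    Returns {case: status} so the outcome can be checked without Windows."""
    base = tempfile.mkdtemp(prefix="drvcheck_")
    clean = b"MZ" + b"\x00" * 94 + b"ATAPI"       # constructed bytes, not a real driver
    patched = bytearray(clean)
    patched[40] ^= 0xFF                           # same length, one byte changed
    ref = os.path.join(base, "ServicePackFiles_atapi.sys")
    live_ok = os.path.join(base, "live_ok_atapi.sys")
    live_bad = os.path.join(base, "live_patched_atapi.sys")
    absent = os.path.join(base, "does_not_exist.sys")
    for path, data in ((ref, clean), (live_ok, clean), (live_bad, bytes(patched))):
        with open(path, "wb") as fh:
            fh.write(data)
    return {
        "identical": compare_driver(live_ok, [ref])["status"],
        "patched": compare_driver(live_bad, [ref])["status"],
        "absent": compare_driver(absent, [ref])["status"],
        "no_reference": compare_driver(live_ok, [absent])["status"],
    }


if __name__ == "__main__":
    for case, status in build_demo().items():
        print(f"{case:13s} -> {status}")
    # On a real XP machine: for r in run_checks(): print(r["status"], r["live"])
```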
     
  18. blairman

    blairman TS Rookie Topic Starter Posts: 52

    combofix results more coming

    ComboFix 10-05-27.01 - Owner 05/27/2010 17:30:02.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.246.47 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\winnt\system32\14604.exe
    c:\winnt\system32\2995.exe
    c:\winnt\system32\32391.exe
    c:\winnt\system32\5436.exe

    Infected copy of c:\winnt\system32\drivers\atapi.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-04-27 to 2010-05-27 )))))))))))))))))))))))))))))))
    .

    2010-05-25 12:48 . 2010-05-25 12:49 -------- d-----w- c:\program files\Safari
    2010-05-25 12:47 . 2010-05-25 12:47 -------- d-----w- c:\program files\Common Files\Apple
    2010-05-25 12:46 . 2010-05-25 12:46 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple
    2010-05-25 12:46 . 2010-05-25 12:46 -------- d-----w- c:\program files\Apple Software Update
    2010-05-25 12:46 . 2010-05-25 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2010-05-23 11:59 . 2010-05-23 11:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-05-23 11:58 . 2010-04-29 20:39 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
    2010-05-23 11:58 . 2010-05-23 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-05-23 11:58 . 2010-04-29 20:39 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
    2010-05-23 11:58 . 2010-05-25 11:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-23 11:42 . 2010-05-23 11:42 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5f224b7b-n\msvcp71.dll
    2010-05-23 11:42 . 2010-05-23 11:42 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5f224b7b-n\jmc.dll
    2010-05-23 11:42 . 2010-05-23 11:42 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5f224b7b-n\msvcr71.dll
    2010-05-23 11:41 . 2010-05-23 11:41 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-73b12b92-n\decora-sse.dll
    2010-05-23 11:41 . 2010-05-23 11:41 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-73b12b92-n\decora-d3d.dll
    2010-05-23 11:41 . 2010-05-23 11:41 -------- d-----w- c:\program files\Common Files\Java
    2010-05-23 11:39 . 2010-05-23 11:38 411368 ----a-w- c:\winnt\system32\deployJava1.dll
    2010-05-23 11:38 . 2010-05-23 11:38 -------- d-----w- c:\program files\Java
    2010-05-23 11:04 . 2010-05-23 11:04 78 ---ha-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows\Network\mspdb80.dll
    2010-05-23 02:05 . 2010-05-27 12:11 -------- d-----w- c:\winnt\system32\NtmsData
    2010-05-23 01:58 . 2010-05-23 01:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
    2010-05-23 01:30 . 2010-03-01 15:05 124784 ----a-w- c:\winnt\system32\drivers\avipbb.sys
    2010-05-23 01:30 . 2010-02-16 19:24 60936 ----a-w- c:\winnt\system32\drivers\avgntflt.sys
    2010-05-23 01:30 . 2009-05-11 17:49 45416 ----a-w- c:\winnt\system32\drivers\avgntdd.sys
    2010-05-23 01:30 . 2009-05-11 17:49 22360 ----a-w- c:\winnt\system32\drivers\avgntmgr.sys
    2010-05-23 01:30 . 2010-05-23 01:30 -------- d-----w- c:\program files\Avira
    2010-05-23 01:30 . 2010-05-23 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-05-22 17:23 . 2008-04-14 00:11 21504 ----a-w- c:\winnt\system32\hidserv.dll
    2010-05-22 17:23 . 2008-04-14 00:11 21504 ----a-w- c:\winnt\system32\dllcache\hidserv.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-27 12:19 . 2003-06-06 08:37 96512 ----a-w- c:\winnt\system32\drivers\atapi.sys
    2010-05-27 11:44 . 2010-05-27 11:44 1602 ----a-w- c:\winnt\OEM.tmp
    2010-05-25 12:49 . 2006-10-29 22:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
    2010-05-25 12:48 . 2006-10-29 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-05-22 17:34 . 2003-06-06 08:38 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-04 09:00 . 2010-03-04 09:00 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
    2006-08-21 14:35 . 2006-08-21 14:35 34164437 ----a-w- c:\program files\NAV061220.exe
    2006-03-15 19:47 . 2006-07-21 22:47 780 ----a-w- c:\program files\Spyware Doctor.lnk
    2006-07-21 22:15 . 2006-07-21 22:15 60526 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
    2006-07-21 22:15 . 2006-07-21 22:15 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
    2006-07-21 22:15 . 2006-07-21 22:15 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GWMDMMSG"="GWMDMMSG.exe" [2002-08-06 90112]
    "GWMDMpi"="c:\winnt\GWMDMpi.exe" [2002-08-06 53248]
    "IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-01-24 155648]
    "HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-01-24 114688]
    "AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-03 684032]
    "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
    "ViewMgr"="c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2004-11-11 111816]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-29 98304]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "OOBEDDDemise"="erase" [X]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    MA521 Configuration Utility.lnk - c:\program files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe [2006-7-17 380928]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINNT\\system32\\LEXPPS.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/22/2010 8:31 PM 135336]
    R3 FLASHREADER;USB Reader;c:\winnt\system32\drivers\camusb.sys [1/1/1980 24192]
    S3 BWNDIS5;BWNDIS5 NDIS Protocol Driver;\??\c:\winnt\System32\BWNDIS5.SYS --> c:\winnt\System32\BWNDIS5.SYS [?]
    S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
    S3 rtl8180;NETGEAR MA521 802.11b Wireless PC Card;c:\winnt\system32\drivers\MA521nd5.sys [7/17/2006 8:02 PM 158848]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-25 c:\winnt\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    uInternet Settings,ProxyOverride = 127.0.0.1
    DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
    DPF: {0F04992B-E661-4DB9-B223-903AB628225D} - file://c:\program files\gateway\Do More\DoMoreRunExe.CAB
    DPF: {511073AD-BE56-4D43-AE68-93390514385E} - hcp://system/TechTools.CAB
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n6lflqy7.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe
    HKLM-Run-POINTER - point32.exe
    HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-27 17:41
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    OOBEDDDemise = cmd /x /c erase c:\winnt\System32\oobe\msoobe.exe????????????c?t?1f???d??????????? ??????????E?v?i??????????????????????????????????????????????????????P/??????????|??? ??????w???w|????????????i??|??????p?????????i???????1f??1f??????????????????????????????[?w???????????w???w?[?w????????????C

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-05-27 17:47:48
    ComboFix-quarantined-files.txt 2010-05-27 22:47

    Pre-Run: 21,719,203,840 bytes free
    Post-Run: 21,697,175,552 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    - - End Of File - - 9E1882456769399BB6153A1D5C042320
     
  19. blairman

    blairman TS Rookie Topic Starter Posts: 52

    combofix results and with custom script eset coming

    ComboFix 10-05-27.01 - Owner 05/27/2010 18:04:44.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.246.120 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((( Files Created from 2010-04-27 to 2010-05-27 )))))))))))))))))))))))))))))))
    .

    2010-05-25 12:48 . 2010-05-25 12:49 -------- d-----w- c:\program files\Safari
    2010-05-25 12:47 . 2010-05-25 12:47 -------- d-----w- c:\program files\Common Files\Apple
    2010-05-25 12:46 . 2010-05-25 12:46 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple
    2010-05-25 12:46 . 2010-05-25 12:46 -------- d-----w- c:\program files\Apple Software Update
    2010-05-25 12:46 . 2010-05-25 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2010-05-23 11:59 . 2010-05-23 11:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-05-23 11:58 . 2010-04-29 20:39 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
    2010-05-23 11:58 . 2010-05-23 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-05-23 11:58 . 2010-04-29 20:39 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
    2010-05-23 11:58 . 2010-05-25 11:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-23 11:42 . 2010-05-23 11:42 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5f224b7b-n\msvcp71.dll
    2010-05-23 11:42 . 2010-05-23 11:42 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5f224b7b-n\jmc.dll
    2010-05-23 11:42 . 2010-05-23 11:42 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5f224b7b-n\msvcr71.dll
    2010-05-23 11:41 . 2010-05-23 11:41 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-73b12b92-n\decora-sse.dll
    2010-05-23 11:41 . 2010-05-23 11:41 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-73b12b92-n\decora-d3d.dll
    2010-05-23 11:41 . 2010-05-23 11:41 -------- d-----w- c:\program files\Common Files\Java
    2010-05-23 11:39 . 2010-05-23 11:38 411368 ----a-w- c:\winnt\system32\deployJava1.dll
    2010-05-23 11:38 . 2010-05-23 11:38 -------- d-----w- c:\program files\Java
    2010-05-23 11:04 . 2010-05-23 11:04 78 ---ha-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows\Network\mspdb80.dll
    2010-05-23 02:05 . 2010-05-27 12:11 -------- d-----w- c:\winnt\system32\NtmsData
    2010-05-23 01:58 . 2010-05-23 01:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
    2010-05-23 01:30 . 2010-03-01 15:05 124784 ----a-w- c:\winnt\system32\drivers\avipbb.sys
    2010-05-23 01:30 . 2010-02-16 19:24 60936 ----a-w- c:\winnt\system32\drivers\avgntflt.sys
    2010-05-23 01:30 . 2009-05-11 17:49 45416 ----a-w- c:\winnt\system32\drivers\avgntdd.sys
    2010-05-23 01:30 . 2009-05-11 17:49 22360 ----a-w- c:\winnt\system32\drivers\avgntmgr.sys
    2010-05-23 01:30 . 2010-05-23 01:30 -------- d-----w- c:\program files\Avira
    2010-05-23 01:30 . 2010-05-23 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-05-22 17:23 . 2008-04-14 00:11 21504 ----a-w- c:\winnt\system32\hidserv.dll
    2010-05-22 17:23 . 2008-04-14 00:11 21504 ----a-w- c:\winnt\system32\dllcache\hidserv.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-27 12:19 . 2003-06-06 08:37 96512 ----a-w- c:\winnt\system32\drivers\atapi.sys
    2010-05-27 11:44 . 2010-05-27 11:44 1602 ----a-w- c:\winnt\OEM.tmp
    2010-05-25 12:49 . 2006-10-29 22:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
    2010-05-25 12:48 . 2006-10-29 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-05-22 17:34 . 2003-06-06 08:38 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-04 09:00 . 2010-03-04 09:00 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
    2006-08-21 14:35 . 2006-08-21 14:35 34164437 ----a-w- c:\program files\NAV061220.exe
    2006-03-15 19:47 . 2006-07-21 22:47 780 ----a-w- c:\program files\Spyware Doctor.lnk
    2006-07-21 22:15 . 2006-07-21 22:15 60526 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
    2006-07-21 22:15 . 2006-07-21 22:15 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
    2006-07-21 22:15 . 2006-07-21 22:15 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GWMDMMSG"="GWMDMMSG.exe" [2002-08-06 90112]
    "GWMDMpi"="c:\winnt\GWMDMpi.exe" [2002-08-06 53248]
    "IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-01-24 155648]
    "HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-01-24 114688]
    "AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-03 684032]
    "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
    "ViewMgr"="c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2004-11-11 111816]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-29 98304]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "OOBEDDDemise"="erase" [X]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    MA521 Configuration Utility.lnk - c:\program files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe [2006-7-17 380928]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINNT\\system32\\LEXPPS.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/22/2010 8:31 PM 135336]
    R3 FLASHREADER;USB Reader;c:\winnt\system32\drivers\camusb.sys [1/1/1980 24192]
    S3 BWNDIS5;BWNDIS5 NDIS Protocol Driver;\??\c:\winnt\System32\BWNDIS5.SYS --> c:\winnt\System32\BWNDIS5.SYS [?]
    S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
    S3 rtl8180;NETGEAR MA521 802.11b Wireless PC Card;c:\winnt\system32\drivers\MA521nd5.sys [7/17/2006 8:02 PM 158848]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-25 c:\winnt\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    uInternet Settings,ProxyOverride = 127.0.0.1
    DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
    DPF: {0F04992B-E661-4DB9-B223-903AB628225D} - file://c:\program files\gateway\Do More\DoMoreRunExe.CAB
    DPF: {511073AD-BE56-4D43-AE68-93390514385E} - hcp://system/TechTools.CAB
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n6lflqy7.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-27 18:14
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    OOBEDDDemise = cmd /x /c erase c:\winnt\System32\oobe\msoobe.exe????????????c?t?1f???d??????????? ??????????E?v?i??????????????????????????????????????????????????????P/??????????|??? ??????w???w|????????????i??|??????p?????????i???????1f??1f??????????????????????????????[?w???????????w???w?[?w????????????C

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3648)
    c:\winnt\system32\WININET.dll
    c:\winnt\system32\ieframe.dll
    c:\winnt\system32\webcheck.dll
    .
    Completion time: 2010-05-27 18:19:12
    ComboFix-quarantined-files.txt 2010-05-27 23:19
    ComboFix2.txt 2010-05-27 22:47

    Pre-Run: 21,699,637,248 bytes free
    Post-Run: 21,690,773,504 bytes free

    - - End Of File - - DC7EA49808CCD00B534A046C59CEFF1D
     
  20. blairman

    blairman TS Rookie Topic Starter Posts: 52

    eset scan results

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=d8a0a3c43fa70649bdd573f3902bc44a
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-05-28 12:54:52
    # local_time=2010-05-27 07:54:52 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1797 16775141 100 93 0 33150616 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=42039
    # found=2
    # cleaned=0
    # scan_time=3777
    C:\Qoobox\Quarantine\C\WINNT\system32\Drivers\atapi.sys.vir Win32/Olmarik.UI trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{14BCBB80-A370-4CAB-AD2A-E58B6914B467}\RP505\A0087214.sys Win32/Olmarik.UI trojan 00000000000000000000000000000000 I
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, you need to clear this up for me!
    1. It says Windows XP, but it doesn't look like Windows XP.
    2. There are processes from 2006 for Apple Computer.
    3. You have something named "AMBIT WinDis32 Protocol Driver for Windows" running which comes from the AMBIT Microsystems Corporation which mainly develops & distributes OEM/ODM intelligent power & connectivity solution to the computer & communications industries out of Taiwan.
    4. You're running the OOBE Patch which removes the 'Activate Windows' link from the start menu and makes the Activating Windows Dialog say 'Already Activated'.

    So- I'm not sure what we're looking at or why you did multiple Combofix scans. I'd like you to run HijackThis and see what entries are found:

    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    I'll check this log then decide what to do. There is nothing in GMER and the 2 entries in Eset are not active in the system.
     
  22. blairman

    blairman TS Rookie Topic Starter Posts: 52

    i'll try to answer bobbye

    i got this laptop from a coworker that upgraded. he was having trouble with the power switch. that i handled. i pulled the circuit board with the on off switch and cleaned the sludge out of the switch, works great now.
    runs on win xp. the safari (apple) i put on to try to get to microsoft update. if i do not need ambit, or oobe patch tell me how to send them packing.
    i ran combo fix twice, which is what i thought your instructions told me to do. run it, then run it again with the custom script. maybe i misread your instructions.

    i will run hijack and post the results first thing sat am. thanks for hanging in there with me on this. there is no love for any programs on this thing. i just want an operating system, and the ability for my brother in law to get his email, which is msn, and he checks nhra drag race results. big race fan. so something that is not paying rent, gets evicted!!!
    hijack with morning coffee sat morning.
    blairman
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    If you open the DDS log that has the Attach.txt, you will see a list of the installed programs. There will also be a listing in the HijackThis log but it might not show as complete. Look up any you don't know. Let me know what you want to keep and what you want to send packing and I'll help you get them off.

    Do you know what all those Apple entries are from 2006?
     
  24. blairman

    blairman TS Rookie Topic Starter Posts: 52

    saturday morning

    bobbye, i ran hijack before i saw your last post,
    i have no idea what the apple stuff was from 2006, i could only guess the prev owner was into music, or tried to sync with a cell phone or something. so not important.

    i will post hijack log below, then go into dds and see if anything makes sense to me.;)

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 6:53:35 AM, on 5/29/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - Global Startup: MA521 Configuration Utility.lnk = ?
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE

    --
    End of file - 5710 bytes
     
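Added example, not from the thread and not HijackThis's own logic: a small Python triage pass over entry lines in the log format above. It flags the kinds of entries a helper looks at first (a RunOnce that runs a shell command, a BHO whose file is gone, a startup shortcut HijackThis could not resolve). The heuristics are the editor's assumptions, and the sample lines are copied from the log above.

```python
import re

# Constructed sample: a handful of entry lines in the format of the log above.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O4 - Global Startup: MA521 Configuration Utility.lnk = ?
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
"""

# Every HijackThis entry line starts with a section tag (R0, R1, O2, O4, O23, ...)
# followed by " - "; process-list and header lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section, body) pairs for each entry line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Return (section, reason, body) for entries worth a second look.

    Heuristics are assumptions for this example, not verdicts: a flagged
    entry is something to look up, not something to have HijackThis fix.
    """
    findings = []
    for section, body in parse_hjt(text):
        if section == "O4" and "RunOnce" in body and re.search(r"\bcmd\b", body, re.I):
            findings.append((section, "RunOnce executes a shell command at next logon", body))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append((section, "BHO CLSID registered but its DLL is missing", body))
        elif section == "O4" and body.endswith("= ?"):
            findings.append((section, "startup shortcut target not resolved; check it by hand", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```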
  25. blairman

    blairman TS Rookie Topic Starter Posts: 52

    bobbye, i looked at dds running programs. now i do not know what actually needs to be running, i think it would be smart to retain the antivirus, and java is important, i think, but some things like roxio and quicktime can be started, don't need to run all of the time, svchost? lexpps? common files? netgear? and the rest? like i said "if they don't pay rent, kick 'em out!"
    blairman
     