TechSpot

Infected by rootkit zeroaccess

Solved
By nbabe
Apr 7, 2012
  1. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    I disabled avast. then uplugged the internet cable as mentionned in 5 steps. Then I opened Gmer and at the beginning it runs for a few seconds. I got a dozen hits regarding avast. (I never saw anything there, before it would run then after that mini scan I clicked scan but in the opening scan I got those avast links) should I procedd nonetheless with gmer even though it still sees avast?
  2. Broni

    Broni Malware Annihilator Posts: 46,694   +254

    You posted GMER log already.
    It looks fine.
    Go ahead with DDS.
  3. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Owner at 19:07:07 on 2012-04-10
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1509.1144 [GMT -4:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Bar = hxxp://www.google.com/ie
    uStart Page = hxxp://www.metacrawler.com/
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [Gestionnaire Antidote.exe] c:\program files\druide\antidote\Gestionnaire Antidote.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [AlcWzrd] ALCWZRD.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
    mRun: [<NO NAME>]
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1334078451687
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    TCP: DhcpNameServer = 24.200.241.37 24.202.72.13 24.200.0.1
    TCP: Interfaces\{826423B9-6621-48B0-801F-26BC0A96DEAF} : DhcpNameServer = 24.200.241.37 24.202.72.13 24.200.0.1
    Notify: igfxcui - igfxsrvc.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-4-10 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-4-10 337880]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-4-10 20696]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-4-10 44768]
    R2 FastPara;FastPara;c:\windows\system32\drivers\fastpara.sys [2012-4-10 33696]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-4-10 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-4-10 136176]
    .
    =============== Created Last 30 ================
    .
    2012-04-10 20:53:25 -------- d-----w- c:\program files\home plan software
    2012-04-10 19:05:00 -------- d-----w- c:\documents and settings\owner\local settings\application data\Google
    2012-04-10 19:04:55 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-04-10 19:04:31 41184 ----a-w- c:\windows\avastSS.scr
    2012-04-10 19:04:14 -------- d-----w- c:\program files\AVAST Software
    2012-04-10 19:04:14 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
    2012-04-10 18:51:52 -------- d-sh--w- c:\documents and settings\owner\PrivacIE
    2012-04-10 18:50:59 -------- d-sh--w- c:\documents and settings\owner\IETldCache
    2012-04-10 18:45:44 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2012-04-10 18:45:25 -------- d-----w- c:\windows\ie8updates
    2012-04-10 18:45:19 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2012-04-10 18:45:19 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2012-04-10 18:45:19 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2012-04-10 18:45:19 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2012-04-10 18:45:19 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2012-04-10 18:45:19 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2012-04-10 18:45:19 11082752 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2012-04-10 18:44:19 -------- dc-h--w- c:\windows\ie8
    2012-04-10 18:35:40 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
    2012-04-10 18:35:40 3072 ------w- c:\windows\system32\iacenc.dll
    2012-04-10 18:33:14 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
    2012-04-10 18:33:04 758784 -c--a-w- c:\windows\system32\dllcache\vgx.dll
    2012-04-10 18:32:53 105472 -c----w- c:\windows\system32\dllcache\mup.sys
    2012-04-10 18:31:01 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2012-04-10 18:30:51 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2012-04-10 18:30:29 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2012-04-10 18:30:29 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2012-04-10 18:30:04 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2012-04-10 18:28:01 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2012-04-10 18:24:38 274288 ----a-w- c:\windows\system32\mucltui.dll
    2012-04-10 18:24:38 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
    2012-04-10 18:17:39 -------- d-----w- c:\program files\Messenger
    2012-04-10 18:17:24 -------- d-----w- c:\windows\system32\scripting
    2012-04-10 18:17:24 -------- d-----w- c:\windows\l2schemas
    2012-04-10 18:17:23 -------- d-----w- c:\windows\system32\en
    2012-04-10 18:17:23 -------- d-----w- c:\windows\system32\bits
    2012-04-10 18:14:39 -------- d-----w- c:\windows\network diagnostic
    2012-04-10 18:11:45 -------- d-----w- c:\windows\EHome
    2012-04-10 17:53:47 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
    2012-04-10 17:42:49 -------- d-----w- c:\program files\MSXML 4.0
    2012-04-10 17:38:07 -------- d-----w- c:\documents and settings\owner\local settings\application data\ApplicationHistory
    2012-04-10 17:35:38 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2012-04-10 17:34:06 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2012-04-10 17:33:48 357888 -c----w- c:\windows\system32\dllcache\srv.sys
    2012-04-10 17:32:59 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
    2012-04-10 17:32:59 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
    2012-04-10 17:32:52 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2012-04-10 17:28:57 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
    2012-04-10 17:28:20 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2012-04-10 17:28:20 272128 ------w- c:\windows\system32\drivers\bthport.sys
    2012-04-10 17:28:17 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
    2012-04-10 17:23:13 -------- d-----w- c:\windows\system32\PreInstall
    2012-04-10 17:23:12 26144 ----a-w- c:\windows\system32\spupdsvc.exe
    2012-04-10 17:23:11 -------- d--h--w- c:\windows\$hf_mig$
    2012-04-10 17:20:35 -------- d-sh--w- c:\documents and settings\owner\UserData
    2012-04-10 14:10:53 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
    2012-04-10 14:10:49 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-04-10 14:10:48 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-10 14:10:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-10 13:29:54 33696 ----a-w- c:\windows\system32\drivers\fastpara.sys
    2012-04-10 02:58:59 61500 ----a-w- c:\windows\system32\usrcntra.dll
    2012-04-10 02:57:59 12288 ----a-w- c:\windows\system32\drivers\tunmp.sys
    2012-04-10 02:56:34 47104 ----a-w- c:\windows\system32\cnbjmon.dll
    2012-04-10 02:54:59 9216 -c--a-w- c:\windows\system32\dllcache\subst.exe
    2012-04-10 02:53:59 76800 ----a-w- c:\windows\system32\nslookup.exe
    2012-04-10 02:52:03 9728 -c--a-w- c:\windows\system32\dllcache\label.exe
    2012-04-10 02:51:59 81920 ----a-w- c:\windows\system32\isign32.dll
    2012-04-10 02:50:37 83456 ----a-w- c:\windows\system32\dpvsetup.exe
    2012-04-10 02:49:54 8192 -c--a-w- c:\windows\system32\dllcache\asferror.dll
    2012-04-10 02:07:25 -------- d-----r- C:\Program Files
    2012-04-10 02:06:32 -------- d-----r- c:\documents and settings\all users\Documents
    2012-04-10 01:59:19 -------- d-----r- c:\windows\Offline Web Pages
    2012-04-10 01:58:02 -------- dcsh--r- c:\windows\system32\dllcache
    2012-04-10 01:56:27 -------- d-----w- C:\My Backup -- 12-04-09 0656PM
    2012-04-10 00:48:59 -------- d-----w- c:\program files\Big Hammer
    2012-04-10 00:45:17 -------- d-----w- c:\program files\Druide
    2012-04-10 00:44:54 -------- d-----w- c:\program files\PDF-Convert
    2012-04-10 00:44:43 913408 ----a-w- c:\program files\windows media player\wmpnetwk.exe
    2012-04-10 00:44:43 493568 ----a-w- c:\program files\windows media player\wmdbexport.exe
    2012-04-10 00:44:43 36864 ----a-w- c:\program files\windows media player\wmpshare.exe
    2012-04-10 00:44:43 25600 ----a-w- c:\program files\windows media player\wmpenc.exe
    2012-04-10 00:44:43 241664 ----a-w- c:\program files\windows media player\wmlaunch.exe
    2012-04-10 00:44:43 204288 ----a-w- c:\program files\windows media player\wmpnscfg.exe
    2012-04-10 00:44:43 198144 ----a-w- c:\program files\windows media player\wmpnssci.dll
    2012-04-10 00:44:43 1669120 ----a-w- c:\program files\windows media player\wmsetsdk.exe
    2012-04-10 00:44:42 410928 ----a-w- c:\program files\windows media player\LegitLibM.dll
    2012-04-10 00:43:59 -------- d-----w- c:\program files\twain_32
    2012-04-10 00:43:35 -------- d-----w- c:\program files\Samsung
    2012-04-10 00:43:06 -------- d-----w- c:\program files\maxxscan61
    2012-04-10 00:41:18 -------- d-----w- c:\program files\compeyescan300600
    2012-04-10 00:32:23 -------- d-----w- c:\documents and settings\owner\application data\Symantec
    2012-04-10 00:17:36 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2012-04-10 00:15:20 -------- d-----w- C:\SYSPREP
    2012-04-10 00:13:01 -------- d-----w- c:\windows\system32\SoftwareDistribution
    .
    ==================== Find3M ====================
    .
    2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01:32 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
    2012-02-28 18:50:29 81920 ------w- c:\windows\system32\ieencode.dll
    2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 19:08:22.45 ===============
    .
  4. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/9/2012 8:14:07 PM
    System Uptime: 4/10/2012 7:05:20 PM (0 hours ago)
    .
    Motherboard: Intel Corporation | | D915GSE
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | | 3200/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 233 GiB total, 176.389 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: USB Device
    Device ID: USB\VID_05CB&PID_1483\5&1AEC3740&0&1
    Manufacturer:
    Name: USB Device
    PNP Device ID: USB\VID_05CB&PID_1483\5&1AEC3740&0&1
    Service:
    .
    ==== System Restore Points ===================
    .
    RP6: 4/10/2012 11:28:18 AM - System Checkpoint
    RP7: 4/10/2012 1:22:35 PM - Software Distribution Service 3.0
    RP8: 4/10/2012 1:36:31 PM - Software Distribution Service 3.0
    RP9: 4/10/2012 1:55:17 PM - Software Distribution Service 3.0
    RP10: 4/10/2012 2:36:15 PM - Software Distribution Service 3.0
    RP11: 4/10/2012 2:53:25 PM - Software Distribution Service 3.0
    RP12: 4/10/2012 3:04:14 PM - avast! Free Antivirus Setup
    .
    ==== Installed Programs ======================
    .
    America Online (Choose which version to remove)
    avast! Free Antivirus
    BigFix
    Compeye 300/600 Driver
    Digital Media Reader
    Google Update Helper
    High Definition Audio Driver Package - KB835221
    Home Plan Pro version 5.2.12.20
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB981793)
    hp deskjet 3320 series
    Intel(R) Graphics Media Accelerator Driver
    Java 2 Runtime Environment, SE v1.4.2
    Malwarebytes Anti-Malware version 1.61.0.1400
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB2656370)
    Microsoft Picture It! Photo Premium 9
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    oobeFlagNetscape0
    PowerDVD
    QuickTime
    RealPlayer Basic
    Realtek High Definition Audio Driver
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2544521)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB2675157)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    SoftV92 Data Fax Modem with SmartCP
    Update for Windows Internet Explorer 8 (KB2598845)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Viewpoint Media Player
    WebFldrs XP
    Windows Backup Utility
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/9/2012 8:44:49 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\wmplayer.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 11.0.5721.5145, the version of the system file is 9.0.0.3250.
    4/9/2012 8:44:49 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\wmpband.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 11.0.5721.5145, the version of the system file is 9.0.0.3250.
    4/9/2012 8:44:49 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\setup_wm.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 11.0.5721.5146, the version of the system file is 9.0.0.3250.
    4/9/2012 8:44:49 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\npwmsdrm.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 9.0.0.4503, the version of the system file is 9.0.0.3250.
    4/9/2012 8:44:49 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\npdsplay.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 3.0.2.629, the version of the system file is 3.0.2.628.
    4/9/2012 8:44:49 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\npdrmv2.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 9.0.0.4503, the version of the system file is 9.0.0.3250.
    4/9/2012 8:44:49 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\mpvis.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 11.0.5721.5145, the version of the system file is 9.0.0.3250.
    4/9/2012 8:44:48 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\windows media player\mplayer2.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.4.9.1126, the version of the system file is 6.4.9.1125.
    4/9/2012 8:42:28 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\inetwiz.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5512, the version of the system file is 6.0.2900.2180.
    4/9/2012 8:42:28 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwutil.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5512, the version of the system file is 6.0.2900.2180.
    4/9/2012 8:42:28 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwrmind.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5512, the version of the system file is 6.0.2900.2180.
    4/9/2012 8:42:27 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\iexplore.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 8.0.6001.18702, the version of the system file is 6.0.2900.2180.
    4/9/2012 8:42:27 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\iedw.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.5512, the version of the system file is 5.1.2600.2180.
    4/9/2012 8:42:27 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\hmmapi.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 8.0.6001.18702, the version of the system file is 6.0.2900.2180.
    4/9/2012 8:42:27 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwhelp.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5512, the version of the system file is 6.0.2900.2180.
    4/9/2012 8:42:27 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwdl.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5512, the version of the system file is 6.0.2900.2180.
    4/9/2012 8:42:27 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwconn2.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5512, the version of the system file is 6.0.2900.2180.
    4/9/2012 8:42:27 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwconn1.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5512, the version of the system file is 6.0.2900.2180.
    4/9/2012 8:42:27 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\connection wizard\icwconn.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.0.2900.5512, the version of the system file is 6.0.2900.2180.
    4/9/2012 8:37:06 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    4/10/2012 9:31:50 AM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{826423B9-6621-48B0-801F-26BC0A96DEAF} because another computer on the network has the same name. The server could not start.
    4/10/2012 9:31:50 AM, error: NetBT [4321] - The name "NP :20" could not be registered on the Interface with IP address 169.254.97.224. The machine with the IP address 169.254.0.60 did not allow the name to be claimed by this machine.
    4/10/2012 9:31:50 AM, error: NetBT [4321] - The name "NP :0" could not be registered on the Interface with IP address 169.254.97.224. The machine with the IP address 169.254.0.60 did not allow the name to be claimed by this machine.
    4/10/2012 11:55:19 AM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
    4/10/2012 10:39:53 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
    .
    ==== End Of File ===========================
  5. Broni

    Broni Malware Annihilator Posts: 46,694   +254

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =================================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  6. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-04-11 15:32:01
    -----------------------------
    15:32:01.531 OS Version: Windows 5.1.2600 Service Pack 3
    15:32:01.531 Number of processors: 2 586 0x304
    15:32:01.531 ComputerName: NP UserName:
    15:32:02.984 Initialize success
    15:32:03.171 AVAST engine defs: 12041101
    15:32:18.390 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
    15:32:18.390 Disk 0 Vendor: WDC_WD2500JD-22HBB0 08.02D08 Size: 238475MB BusType: 3
    15:32:18.406 Disk 0 MBR read successfully
    15:32:18.406 Disk 0 MBR scan
    15:32:18.406 Disk 0 unknown MBR code
    15:32:18.406 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238472 MB offset 63
    15:32:18.406 Disk 0 scanning sectors +488392065
    15:32:18.500 Disk 0 scanning C:\WINDOWS\system32\drivers
    15:32:25.156 Service scanning
    15:32:32.656 Modules scanning
    15:32:36.125 Disk 0 trace - called modules:
    15:32:36.140 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    15:32:36.140 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a394030]
    15:32:36.140 3 CLASSPNP.SYS[f76b7fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8a3aad98]
    15:32:36.593 AVAST engine scan C:\WINDOWS
    15:32:49.437 AVAST engine scan C:\WINDOWS\system32
    15:34:20.000 AVAST engine scan C:\WINDOWS\system32\drivers
    15:34:34.671 AVAST engine scan C:\Documents and Settings\Owner
    15:39:11.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
    15:39:11.687 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"


    thne it said it had an error and stopped. tried it twice

    botkit now

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-04-11 15:32:01
    -----------------------------
    15:32:01.531 OS Version: Windows 5.1.2600 Service Pack 3
    15:32:01.531 Number of processors: 2 586 0x304
    15:32:01.531 ComputerName: NP UserName:
    15:32:02.984 Initialize success
    15:32:03.171 AVAST engine defs: 12041101
    15:32:18.390 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
    15:32:18.390 Disk 0 Vendor: WDC_WD2500JD-22HBB0 08.02D08 Size: 238475MB BusType: 3
    15:32:18.406 Disk 0 MBR read successfully
    15:32:18.406 Disk 0 MBR scan
    15:32:18.406 Disk 0 unknown MBR code
    15:32:18.406 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238472 MB offset 63
    15:32:18.406 Disk 0 scanning sectors +488392065
    15:32:18.500 Disk 0 scanning C:\WINDOWS\system32\drivers
    15:32:25.156 Service scanning
    15:32:32.656 Modules scanning
    15:32:36.125 Disk 0 trace - called modules:
    15:32:36.140 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    15:32:36.140 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a394030]
    15:32:36.140 3 CLASSPNP.SYS[f76b7fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8a3aad98]
    15:32:36.593 AVAST engine scan C:\WINDOWS
    15:32:49.437 AVAST engine scan C:\WINDOWS\system32
    15:34:20.000 AVAST engine scan C:\WINDOWS\system32\drivers
    15:34:34.671 AVAST engine scan C:\Documents and Settings\Owner
    15:39:11.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
    15:39:11.687 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"


    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 869670d31e461535ecca5b3e97963d9c

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
  7. Broni

    Broni Malware Annihilator Posts: 46,694   +254

    Looks good :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  8. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    ComboFix 12-04-11.03 - Owner 04/11/2012 17:44:36.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1509.1116 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Default User\WINDOWS
    c:\documents and settings\Owner\WINDOWS
    c:\program files\keygen.exe
    c:\windows\system32\config\systemprofile\WINDOWS
    c:\windows\system32\dllcache\dlimport.exe
    c:\windows\wallpg.exe
    K:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-11 to 2012-04-11 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-11 20:56 . 2012-02-10 18:33 42152 ----a-w- c:\windows\system32\drivers\oahlp32.sys
    2012-04-11 20:56 . 2012-02-10 18:33 29464 ----a-w- c:\windows\system32\drivers\OAnet.sys
    2012-04-11 20:56 . 2012-02-10 18:33 25192 ----a-w- c:\windows\system32\drivers\OAmon.sys
    2012-04-11 20:56 . 2012-02-10 18:33 205864 ----a-w- c:\windows\system32\drivers\OADriver.sys
    2012-04-11 00:38 . 2012-04-11 00:38 -------- d-----w- C:\Downloads
    2012-04-10 23:45 . 2012-04-11 21:34 -------- d-----w- c:\documents and settings\Owner\Tracing
    2012-04-10 23:44 . 2012-04-10 23:44 -------- dc----w- c:\windows\system32\DRVSTORE
    2012-04-10 23:44 . 2010-04-28 11:44 54760 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
    2012-04-10 23:39 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
    2012-04-10 19:06 . 2012-04-10 19:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2012-04-10 19:05 . 2012-04-10 23:04 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Google
    2012-04-10 19:04 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-04-10 19:04 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-04-10 19:04 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-04-10 19:04 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-04-10 19:04 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-04-10 19:04 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2012-04-10 19:04 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2012-04-10 19:04 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2012-04-10 19:04 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
    2012-04-10 19:04 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-04-10 18:51 . 2012-04-10 18:51 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
    2012-04-10 18:50 . 2012-04-10 18:50 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
    2012-04-10 18:44 . 2012-04-10 18:44 -------- dc-h--w- c:\windows\ie8
    2012-04-10 18:35 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
    2012-04-10 18:24 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2012-04-10 18:17 . 2012-04-10 18:17 -------- d-----w- c:\windows\system32\scripting
    2012-04-10 18:17 . 2012-04-10 18:17 -------- d-----w- c:\windows\l2schemas
    2012-04-10 18:17 . 2012-04-10 18:17 -------- d-----w- c:\windows\system32\en
    2012-04-10 18:17 . 2012-04-10 18:17 -------- d-----w- c:\windows\system32\bits
    2012-04-10 18:11 . 2012-04-10 18:11 -------- d-----w- c:\windows\EHome
    2012-04-10 17:53 . 2004-08-04 02:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
    2012-04-10 17:39 . 2012-04-10 18:16 -------- d-----w- c:\windows\ServicePackFiles
    2012-04-10 17:38 . 2012-04-10 18:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory
    2012-04-10 17:29 . 2011-02-17 12:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2012-04-10 17:28 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
    2012-04-10 17:23 . 2009-01-07 22:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
    2012-04-10 17:23 . 2012-04-10 18:54 -------- d--h--w- c:\windows\$hf_mig$
    2012-04-10 17:20 . 2012-04-10 17:20 -------- d-sh--w- c:\documents and settings\Owner\UserData
    2012-04-10 14:10 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-10 13:29 . 1998-10-10 00:53 33696 ----a-w- c:\windows\system32\drivers\fastpara.sys
    2012-04-10 02:58 . 2001-08-17 22:36 61500 ----a-w- c:\windows\system32\usrcntra.dll
    2012-04-10 02:57 . 2008-04-13 18:56 12288 ----a-w- c:\windows\system32\drivers\tunmp.sys
    2012-04-10 02:56 . 2008-04-14 00:11 47104 ----a-w- c:\windows\system32\cnbjmon.dll
    2012-04-10 02:54 . 2009-10-21 05:38 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2012-04-10 02:53 . 2008-04-14 00:12 76800 ----a-w- c:\windows\system32\nslookup.exe
    2012-04-10 02:52 . 2010-06-15 16:17 143422 ----a-w- c:\windows\system32\l3codecx.ax
    2012-04-10 02:50 . 2008-04-14 00:12 83456 ----a-w- c:\windows\system32\dpvsetup.exe
    2012-04-10 02:49 . 2008-04-14 00:08 114688 ----a-w- c:\windows\system32\asctrls.ocx
    2012-04-10 02:07 . 2012-04-11 21:47 -------- d-----r- C:\Program Files
    2012-04-10 01:58 . 2012-04-11 21:47 -------- dcsh--r- c:\windows\system32\dllcache
    2012-04-10 01:56 . 2012-04-10 15:09 -------- d-----w- C:\My Backup -- 12-04-09 0656PM
    2012-04-10 00:17 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2012-04-10 00:15 . 2012-04-10 00:15 -------- d-----w- C:\SYSPREP
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-10 23:42 . 2004-10-16 06:45 73728 ----a-w- c:\windows\ALCFDRTM.VER
    2012-02-28 18:50 . 2012-02-28 18:50 81920 ------w- c:\windows\system32\ieencode.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Gestionnaire Antidote.exe"="c:\program files\Druide\Antidote\Gestionnaire Antidote.exe" [2007-04-16 534200]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-07-02 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-07-01 118784]
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-18 61952]
    "SoundMan"="SOUNDMAN.EXE" [2004-08-25 77824]
    "AlcWzrd"="ALCWZRD.EXE" [2004-08-25 2552320]
    "SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-03-12 135168]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    "@OnlineArmor GUI"="c:\program files\Online Armor\OAui.exe" [2012-02-10 2645440]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    BigFix.lnk - c:\program files\BigFix\BigFix.exe [2004-10-14 1742384]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2012-02-10 359352]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/10/2012 3:04 PM 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/10/2012 3:04 PM 337880]
    R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [4/11/2012 4:56 PM 205864]
    R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [4/11/2012 4:56 PM 25192]
    R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [4/11/2012 4:56 PM 29464]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2012 3:04 PM 20696]
    R2 FastPara;FastPara;c:\windows\system32\drivers\fastpara.sys [4/10/2012 9:29 AM 33696]
    R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [4/11/2012 4:56 PM 208472]
    S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [4/11/2012 4:56 PM 42152]
    S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [4/11/2012 4:56 PM 4369208]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-10 c:\windows\Tasks\ISP signup reminder 2.job
    - c:\windows\system32\OOBE\oobebaln.exe [2012-04-10 00:12]
    .
    2012-04-10 c:\windows\Tasks\ISP signup reminder 3.job
    - c:\windows\system32\OOBE\oobebaln.exe [2012-04-10 00:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.metacrawler.com/
    TCP: DhcpNameServer = 24.200.241.37 24.202.72.13 24.200.0.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-America Online us - c:\program files\Common Files\aolshare\Aolunins_us.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-11 17:49
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2012-04-11 17:51:38
    ComboFix-quarantined-files.txt 2012-04-11 21:51
    .
    Pre-Run: 187,644,379,136 bytes free
    Post-Run: 187,771,375,616 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect
    .
    - - End Of File - - 7E1AD0D9655F971648D5DC6AC0150CE9



    do have question how can i get rid of whats left of the c:backup (2-3 files that wont delete)

    and is it true I should use the admin account cause thats the one I always use (kida ahve limited account)

    also can i delet the log an dbak file?thanks!
  9. Broni

    Broni Malware Annihilator Posts: 46,694   +254

    Combofix log looks good.

    What do you have that folder for?

    Yes.

    Say again?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  10. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    i dont have internet access anymore

    EDIT
    Ihave sometimes internet access and sometimes not. it just reworked no idea why or why it stops
    and looks like my laptop and desktop now share the same internet line(we have a router so I dont understand why this is happening.
  11. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    otl downloaded but it wont run I get the error message that i dont have access. and again im the admin!

    ---------------------------
    C:\Documents and Settings\Owner\Desktop\OTL.exe
    ---------------------------
    Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.
    ---------------------------
    OK
    ---------------------------


    c:backup was created when I did recovery.the files have long digits info and seems tobe empty
    ecample of one:

    7abaffad1a563007e0b2fd
     
  12. Broni

    Broni Malware Annihilator Posts: 46,694   +254

    I suggest you call your ISP so they can check things out.
  13. Broni

    Broni Malware Annihilator Posts: 46,694   +254

    Lets run the following tool. This will help determine which files need permissions restored.

    Please download and save Junction.zip

    Unzip it and place Junction.exe in the Windows directory (C:\Windows).
    Go to Start>Run (Vista and Windows 7 users use "Start search" box).
    Copy and paste the following command in the Run box and click OK (Vista and Windows 7 users press "Enter"):

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system.
    Wait until a log file opens.
    Copy and paste the log in your next reply.
  14. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    Junction v1.06 - Windows junction creator and reparse point viewer
    Copyright (C) 2000-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com


    Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



    Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


    ...

    ...

    ...

    ...

    ..
    Failed to open \\?\c:\\Documents and Settings\Owner\Desktop\96dcea1\update: Access is denied.


    .

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ..
    Failed to open \\?\c:\\My Backup -- 12-04-09\7abaffad1a563007e0b2fd\amd64: Access is denied.



    Failed to open \\?\c:\\My Backup -- 12-04-09\7abaffad1a563007e0b2fd\i386: Access is denied.



    Failed to open \\?\c:\\My Backup -- 12-04-09\ac7d152522fead729386a5e252\update: Access is denied.



    Failed to open \\?\c:\\My Backup -- 12-04-09\Qoobox\BackEnv: Access is denied.


    .

    ...

    ...

    ...

    ...

    ...

    ...


    Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.


    ...

    ...

    ...

    ...

    ...

    ...

    ...\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
    Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
    Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790



    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...
  15. Broni

    Broni Malware Annihilator Posts: 46,694   +254

    For 32-bit systems please download GrantPerms.zip and save it to your desktop.
    For 64-bit systems please download GrantPerms64.zip and save it to your desktop.
    Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe
    Copy and paste the following in the edit box:

    Code:
    c:\\Documents and Settings\Owner\Desktop\96dcea1\update
    c:\\My Backup -- 12-04-09\7abaffad1a563007e0b2fd\amd64
    c:\\My Backup -- 12-04-09\7abaffad1a563007e0b2fd\i386
    c:\\My Backup -- 12-04-09\ac7d152522fead729386a5e252\update
    c:\\My Backup -- 12-04-09\Qoobox\BackEnv
    c:\\My Backup -- 12-04-09
    c:\\Qoobox\BackEnv
    
    Click Unlock. When it is done click "OK".
    Click List Permissions and post the result of Perms.txt file that pops up.
    A copy of Perms.txt will be saved in the same directory the tool is run.

    You should be able to delete those stubborn files now.

    ===================================================================

    Skip OTL.

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
  16. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    ok I figured out I have a 32 bit system. I donwload the right one. extracted it but still receives thsi error message that I dont have access to open it. arhg so ...whats next...

    bon i restartted and tried it now it uns Grant perms sorry
    GrantPerms by Farbar
    Ran by Owner (administrator) at 2012-04-11 20:45:17

    ===============================================
    \\?\c:\\Documents and Settings\Owner\Desktop\96dcea1\update

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\My Backup -- 12-04-09\7abaffad1a563007e0b2fd\amd64

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


    \\?\c:\\My Backup -- 12-04-09\7abaffad1a563007e0b2fd\i386

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


    \\?\c:\\My Backup -- 12-04-09\ac7d152522fead729386a5e252\update

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


    \\?\c:\\My Backup -- 12-04-09\Qoobox\BackEnv

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\My Backup -- 12-04-09

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)
  17. Broni

    Broni Malware Annihilator Posts: 46,694   +254

    Why would you run GMER?
  18. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    sorry I ,meant grantperms...oups so many software heremy mistakes getting confused by the names

    . sorry the log is above but I still cannot remove those files except the c:\\Qoobox\BackEnv that one I oculd delete. heres

    Results of screen317's Security Check version 0.99.24
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    avast! Free Antivirus
    Online Armor 5.5
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Java 2 Runtime Environment, SE v1.4.2
    Adobe Reader X (10.1.3)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Tall Emu Online Armor OAcat.exe
    Tall Emu Online Armor oasrv.exe
    Tall Emu Online Armor oaui.exe
    Tall Emu Online Armor OAhlp.exe
    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast avastUI.exe
    ``````````End of Log````````````
  19. Broni

    Broni Malware Annihilator Posts: 46,694   +254

    Is this the folder in question?
    c:\\My Backup -- 12-04-09
  20. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    yes that s the one and one file on desktop which came from there when I was trying today to get rid of all info from backup in case virus was there.

    fss now

    Farbar Service Scanner Version: 01-03-2012
    Ran by Owner (administrator) on 11-04-2012 at 20:57:33
    Running from "C:\Documents and Settings\Owner\Desktop"
    Microsoft Windows XP Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============
    BITS Service is not running. Checking service configuration:
    The start type of BITS service is set to Demand. The default start type is Auto.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.

    RpcSs Service is not running. Checking service configuration:
    The start type of RpcSs service is OK.
    The ImagePath of RpcSs: "%SystemRoot%\system32\svchost.exe -k rpcss".


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    aswTdi(8) fssfltr(9) Gpc(6) IPSec(4) NetBT(5) OAmon(10) Tcpip(3)
    0x0800000004000000030000000A0000000800000005000000060000000700000009000000
    IpSec Tag value is correct.

    **** End of log ****
  21. Broni

    Broni Malware Annihilator Posts: 46,694   +254

    Regarding that folder....

    Download BlitzBlank and save it to your desktop.
    Double click on Blitzblank.exe

    • Click OK at the warning.
    • Click the Script tab and copy/paste the following text there:
    Code:
    DeleteFolder: 
    "c:\My Backup -- 12-04-09"
    
    • Click Execute Now. Your computer will need to reboot in order to replace the files.
    • When done, post the report created by Blitzblank.
      You can find it in the root of the drive, normally C:\
  22. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    some inside that folder got deleted...now it seems to be empty but if I click on it it says 154mb...and it wont delete

    Also to run blitcblank I had to restart the computer I had again an administrator error(cannot access files u might not have permission bla bla.


    BlitzBlank 1.0.0.32

    File/Registry Modification Engine native application
    MoveDirectoryOnReboot: sourceDirectory = "\??\c:\my backup -- 12-04-09", destinationDirectory = "(null)", replaceWithDummy = 0
    MoveDirectoryOnReboot: sourceDirectory = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd", destinationDirectory = "(null)", replaceWithDummy = 0
    MoveDirectoryOnReboot: sourceDirectory = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\amd64", destinationDirectory = "(null)", replaceWithDummy = 0
    MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\amd64\msxpsinc.gpd", destinationFile = "(null)", replaceWithDummy = 0
    MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\amd64\msxpsinc.ppd", destinationFile = "(null)", replaceWithDummy = 0
    MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\amd64\mxdwdrv.dll", destinationFile = "(null)", replaceWithDummy = 0
    MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\amd64\xpssvcs.dll", destinationFile = "(null)", replaceWithDummy = 0
    MoveDirectoryOnReboot: sourceDirectory = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\i386", destinationDirectory = "(null)", replaceWithDummy = 0
    MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\i386\filterpipelineprintproc.dll", destinationFile = "(null)", replaceWithDummy = 0
    MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\i386\msxpsdrv.cat", destinationFile = "(null)", replaceWithDummy = 0
    MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\i386\msxpsdrv.inf", destinationFile = "(null)", replaceWithDummy = 0
    MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\i386\msxpsinc.gpd", destinationFile = "(null)", replaceWithDummy = 0
    MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\i386\msxpsinc.ppd", destinationFile = "(null)", replaceWithDummy = 0
    MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\i386\mxdwdrv.dll", destinationFile = "(null)", replaceWithDummy = 0
    MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\7abaffad1a563007e0b2fd\i386\xpssvcs.dll", destinationFile = "(null)", replaceWithDummy = 0
    MoveDirectoryOnReboot: sourceDirectory = "\??\c:\my backup -- 12-04-09\96dcea1", destinationDirectory = "(null)", replaceWithDummy = 0
    MoveDirectoryOnReboot: sourceDirectory = "\??\c:\my backup -- 12-04-09\96dcea1\update", destinationDirectory = "(null)", replaceWithDummy = 0
    MoveDirectoryOnReboot: sourceDirectory = "\??\c:\my backup -- 12-04-09\ac7d152522fead729386a5e252", destinationDirectory = "(null)", replaceWithDummy = 0
    MoveDirectoryOnReboot: sourceDirectory = "\??\c:\my backup -- 12-04-09\ac7d152522fead729386a5e252\update", destinationDirectory = "(null)", replaceWithDummy = 0
    MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\ac7d152522fead729386a5e252\update\updspapi.dll", destinationFile = "(null)", replaceWithDummy = 0
    MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\ac7d152522fead729386a5e252\update\wpdinstallutil.dll", destinationFile = "(null)", replaceWithDummy = 0
    MoveFileOnReboot: sourceFile = "\??\c:\my backup -- 12-04-09\boot.ini", destinationFile = "(null)", replaceWithDummy = 0
    RemoveFile: ZwDeleteFile failed: status = c0000121
    MoveDirectoryOnReboot: ProcessElement failed: status = c0000121
  23. Broni

    Broni Malware Annihilator Posts: 46,694   +254

    Restart computer and re-run Blitzblank with the same code.
  24. nbabe

    nbabe TechSpot Member Topic Starter Posts: 58

    (redid this blitzbank)
    when the computer logs I get error messages in blue at the booting time. I went to see it was still there
    So I tried to get rid of it manually.
    here is the error message I get on it if I tryto get rid of it manually

    ---------------------------
    Error Deleting File or Folder
    ---------------------------
    Cannot delete 1394BUS.SY_: Access is denied.

    Make sure the disk is not full or write-protected
    and that the file is not currently in use.
    ---------------------------
    OK
    ---------------------------
  25. Broni

    Broni Malware Annihilator Posts: 46,694   +254

    Read my previous reply.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.