Suspected virus. Critical drive C errors, can't see files. Start menu gone.

By JesusIsmylife · 20 replies
Feb 13, 2012
  1. Hi,

    Any help would be extremely welcome.

    My laptop suddenly started complaining I may have a virus (I have Sophos Antivirus installed, and I think it is pretty up to date)

    Then I get loads of errors starting with pop up window (titled delayed write failed) saying "Failed to save all the components for the file \\System32\\0003101. The file is corrupted or unreadable. This may be caused by a PC hardware problem "

    This windows keeps popping up with a different file name each time. I then got another popup window which I thought was the genuine Windows Error fixing program, and I stupidly clicked on the button to repair and fix my computer. I think this installed a program on the laptop as it listed a new program on the start menu.

    However, after a while (and a re-boot or two) I have no programs on the start menu, and I cannot see any of the C drive. The cdrive is there,as I can see it from another machine on my LAN, but I cannot access all the files as it sayd "Access Denied" to a lot of them.

    Where do I start please?!!


  2. JesusIsmylife

    JesusIsmylife TS Rookie Topic Starter


    Ok, after looking around this great site, I think I have got the "System Check" virus. My symptoms match those of other who have experienced this.

    So, I have downloaded the "unhide" utility, and ran this. I can now see all my desktop icons again and I can see my files correctly.

    I have downloaded Malwarebytes anti malware, and installed this. I made sure Update and Launch were checked and clicked Finish.

    A window has now popped up with a window title of vbAccelerator SGrid II Control and it say Run-time error '0'

    I only have the option to click OK, which when I do I get another popup with the title "Malwarebytes Anti-Malware and in the window is says Run-time error '440': Automation error" Again I can only click OK.

    I click OK and I get another pop up identical to the first. I click OK and I get the second pop up again. I click OK and I dont seem to get any more pop ups.

    I'm now going to download and run aswMBR and I will post the log shortly.

    Am I doing the right things?!!

  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    STOP! running random programs! You have rogue malware and every time click on one of the fake warnings, you run the malware again!!!!

    Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    Note 1: This does not remove the malware- only the attribute causing the 'missing' problem.So it is important for you to continue.
    Note 2: If you are infected with System Check it is important that you do not delete any files from your Temp folder or use any temp file cleaners
    Please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.

    If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
    Threads are closed after 5 days if there is no reply.
  4. JesusIsmylife

    JesusIsmylife TS Rookie Topic Starter



    Sorry for getting impatient. I will follow your instructions to the letter from now on !

    Firstly, I had already downloaded unhide.exe from your site and run it. It has removed the hidden attribute and I can now see all my files and desktop icons. As this only removes the attribute, and it has done so correctly I am assuming you do not need me to run it again?

    Next I have previously installed Malwarebytes Anti-Malware and it appears on my list of programs. I have therefore selected to uninstall this (using the Uninstall option on the programs list) as per your instructions. However, the uninstall status window is showing no progress, and looks like it is frozen. It has been like this for about 10 minutes. There is little, if any, disk activity.

    Should I just let it run or do I need to do anything else?

    (For information, I also keep getting an alert displayed in a balloon from the system tray. It claims to be from Sophos (I have Sophos Antivirus installed and running on my system) and it reports "suspicious behaviour HIPS/RegMod-009 has been detected and moved to quarantine. No Action Taken. ")

    Thanks very much for your help.
  5. JesusIsmylife

    JesusIsmylife TS Rookie Topic Starter


    Just to let you know the Maware Anti-Malware uninstall program is still just sitting there, with no progress showing on the progress bar. Also, I am unable to get focus on the window.

    Its been like this for one hour and 30 minutes.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    You don't need to run Unhide again.

    See if you can back off the Malwarebytes uninstall.. See if it will update, then run the scan.
    IF Mbam seems to be 'stuck' in the uninstall mode, shut it down and run the following:
    SuperAntiSpyware Home Edition Free Version
    • Please download SuperAntiSpyware from HERE
    • Launch SuperAntiSpyware and click on 'Check for updates'.
    • Wait for the updates to be installed
    • On the main screen click on 'Scan your computer'.
    • Check: 'Perform Complete Scan then Click 'Next' to start the scan.
    • Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
    • Make sure everything found has a checkmark next to it,then press 'Next'.
    • Click on 'Finish' when you've done.
    It's possible that the program will ask you to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    • Click on 'Preferences'.
    • Click on the 'Statistics/Logs' tab.
    • Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
    It will then open in your default text editor,such as Notepad. Paste the notepad file here on your reply
    You can then go ahead and run the following:
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Expect these- they are normal:
    1. If asked to install or or update the Recovery Console, allow. (you will need internet connection for this)
    2. Before you run the Combofix scan, please disable any security software you have running.
    3. Combofix may need to reboot your computer more than once to do its job this is normal.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe [​IMG]& follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.[/b]
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
      • Note: No query will be made if the Recovery Console is already on the system.
    • .Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • .Close any open browsers.
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Please leave the logs in your next reply. When I review them I will determine what we do next.
    Regarding the Sophos 'balloon: HIPS/RegMod-009
    Category: Suspicious Behavior and Files
    Type: Suspicious behavior
    Sophos advises as follows:
    • To reduce the chance of unwanted detections, Sophos HIPS should be set to 'Alert only' mode for the duration of any software installations.
    • You have 2 options if you've received an alert:
      [o]Authorize the file if it's from a trusted source.
      [o] Send for analysis if you do not trust the file or think it may be compromised.

    Since we are aware that there is rogue malware on the system it is possible that the malware has generated this fake alert. Make sure Sophos is set in the 'Alert' only mode, then ignore the message for now. It is important that you do not click on the 'alerts' or 'warnings' as that can activate the malware to run again.
  7. JesusIsmylife

    JesusIsmylife TS Rookie Topic Starter

    I am trying to downoad Super Anti Spyware, but my PC is almost unuseable now. It is running incredbily slowly, and the System Check screen is on top of my desktop and connot be moved. (I cannot get focus.)
    I have managed to click on the download link, but it is sitting there at 0%.

    What is most worrying is that I have Teamviewer installed and I can see (partially behind the system check screen) a Teamviewer pop up window which is inviting me to choose a partner (i.e. one of my PC's on my LAN) to present this application with Teamviewer. The "Allow Partner to interact" check box is not checked.

    I suspect someone is trying to use Teamviewer to get on to other PCs on my LAN.

    Can I disconnect the internet and download any progams I need from a known clean PC and put them on a USB stick and run them on the infected PC like this?

    I am very worried about my PC being on the internet like this.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Yes, you can use a flash drive.

    Have to tried to run Malwarebytes? I need something to see what we're working with. I can give you some 'cosmetic' help for the system, but it doesn't remove the malware itself and may not be successful with the malware still on the system.

    Correct Display Changes if needed:
    If the desktop background is black or if the theme has been removed:
    • Click on Start> Control Panel> Appearance & Personalization
    • Select Change Theme or Change Desktop Background
    Some items may not show on the Start menu. To add them back:
    • Right click on Start> Properties
    • Taskbar and Start Menu Properties screen appears
    • choose Start Menu tab> Click on Customize
    • For Windows XP> Choose Advanced tab
    • Check the items you want back on the Start Menu
    • When finished> click on OK> Apply and close.
  9. JesusIsmylife

    JesusIsmylife TS Rookie Topic Starter

    Thanks for this. I appreciate you have no logs from me yet but I will get them posted as soon as I can.

    I rebooted with no network connection and the PC came up ok and allowed me to tidy up the desktop, and re-enable the stuff from the Start Bar.

    I have copied Superantispyware on to the desktop and have intstalled it. I re-connected the LAN and ran the software. It downloaded an update successfully. The PC also launched a new IE browser, with a picture of a scantily clad young woman, who was claiming they wanted to chat with me.

    The virus/malware/whatever it is is still there I guess.

    Anyway, I have disconnected the network again and am running superantispyware which is going well. So far we have 86 threats detected, and once it is finished I'll post the logs so you know where we are.

    Once I've posted the logs I will await your further instructions before running combofix.

    Thanks for your help. It really is greatly appreciated.
  10. JesusIsmylife

    JesusIsmylife TS Rookie Topic Starter


    Superantispyware completed and found 860 odd threats. The log file is to big to post in one reply. The first half is :-

    SUPERAntiSpyware Scan Log

    Generated 02/15/2012 at 00:52 AM

    Application Version : 5.0.1144

    Core Rules Database Version : 8173
    Trace Rules Database Version: 5985

    Scan type : Complete Scan
    Total Scan Time : 02:19:25

    Operating System Information
    Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)

    Memory items scanned : 778
    Memory threats detected : 0
    Registry items scanned : 24090
    Registry threats detected : 0
    File items scanned : 72719
    File threats detected : 530

    Edit: Tracking Cookies reviewed and deleted by Bobbye
  11. JesusIsmylife

    JesusIsmylife TS Rookie Topic Starter

    ... and the second half is :-

    Edit: Tracking Cookies reviewed and deleted by Bobbye


    Do you want me to now run combofix?
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Yes, please go ahead and run Combofix.

    Note: I have reviewed the Tracking Cookies in the SAS log. I am going to edit the post and delete them. Hopefully you check the line in SAS to remove the entries it found. If you did not, please run it again and do so.

    The following will prevent the Tracking Cookies:

    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

    I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    Please post the Combofix log when ready.
  13. JesusIsmylife

    JesusIsmylife TS Rookie Topic Starter


    ComboFix Logs as follows: -

    ComboFix 12-02-13.01 - Cllr Edwards 15/02/2012 15:28:24.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.894.465 [GMT 0:00]
    Running from: F:\ComboFix.exe
    AV: Sophos Anti-Virus *Enabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
    ((((((((((((((((((((((((( Files Created from 2012-01-15 to 2012-02-15 )))))))))))))))))))))))))))))))
    2012-02-14 22:28 . 2012-02-15 07:34 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-02-14 21:39 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-14 21:39 . 2012-02-14 21:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-14 18:22 . 2012-02-14 18:22 -------- dc----w- c:\documents and settings\cllr edwards\Application Data\
    2012-02-14 18:21 . 2012-02-14 18:21 -------- dc----w- c:\documents and settings\All Users\Application Data\
    2012-02-13 13:36 . 2012-02-13 23:13 -------- dc----w- c:\documents and settings\cllr edwards\Application Data\Myke
    2012-02-13 13:36 . 2012-02-13 23:12 -------- dc----w- c:\documents and settings\cllr edwards\Application Data\Vuvy
    2012-02-13 13:06 . 2012-02-13 13:06 -------- dc----w- c:\documents and settings\cllr edwards\Application Data\Malwarebytes
    2012-02-13 13:06 . 2012-02-13 13:06 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-02-12 12:52 . 2012-02-15 08:04 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2012-01-02 17:28 . 2011-10-22 08:13 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-26 18:23 . 2008-03-09 21:51 164880 ----a-w- c:\documents and settings\cllr edwards\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
    2011-12-17 19:46 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-12-17 19:46 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-12-16 12:22 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-12-05 14:00 . 2011-12-05 14:00 229224 ----a-w- c:\windows\system32\drivers\VMM.sys
    2011-11-25 21:57 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 12:35 . 2004-08-04 12:00 60416 ----a-w- c:\windows\system32\packager.exe
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    *Note* empty entries & legit default entries are not shown
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-07-17 16:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-02-14 4617600]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
    "IntelAPMClient"="c:\program files\LANDesk\LDClient\amclient.exe" [2005-12-09 311296]
    "LANDeskInventoryClient"="c:\program files\LANDesk\LDClient\LDIScn32.exe" [2006-07-10 839680]
    "SDClientMonitor"="c:\program files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2005-12-09 258048]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-15 198160]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
    "VX1000"="c:\windows\vVX1000.exe" [2009-07-24 762208]
    "DVD or CD Sharing"="c:\program files\DVD or CD Sharing\ODSAgent.exe" [2008-02-20 619832]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
    "Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2010-09-21 439536]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-05-31 63048]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    kafiy.exe [2012-2-13 161792]
    c:\documents and settings\SCDCICTA\Start Menu\Programs\Startup\
    wuqo.exe [2012-2-13 161792]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-9-23 1462104]
    hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-6 323646]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
    SSH Accession.lnk - c:\program files\SSH Communications Security\SSH Sentinel\Accession\ssh_accession.exe [2007-11-25 1691648]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2010-05-26 14:27 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2011-04-28 15:04 87424 ----a-w- c:\windows\system32\LMIinit.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    2003-10-31 11:01 8704 ----a-w- c:\windows\system32\PCANotify.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
    "EnableFirewall"= 0 (0x0)
    "c:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
    "c:\\Program Files\\SSH Communications Security\\SSH Sentinel\\Accession\\ssh_accession.exe"=
    "c:\\Program Files\\Common Files\\Sonic Shared\\Sonic Central\\Main\\Mediahub.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
    "85:TCP"= 85:TCP:BroadWave Web Server
    "86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
    "1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
    "4100:UDP"= 4100:UDP:uPNP Router Control Port
    R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [x]
    R2 gupdate1caa329fb6e5dc2;Google Update Service (gupdate1caa329fb6e5dc2);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 133104]
    R2 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\DRIVERS\HidCom.sys [2005-04-04 69575]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 133104]
    R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-15 2794234]
    R3 sshvnic;SSH Virtual Network Adapter (sshvnic);c:\windows\system32\DRIVERS\sshvnic5.sys [x]
    R3 TEUSBMU;Panasonic Analog PBX USB Main Unit driver;c:\windows\system32\Drivers\TEUSBMU.sys [2005-01-14 20992]
    R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2010-03-02 14976]
    S0 atiide;atiide;c:\windows\system32\DRIVERS\atiide.sys [2006-09-13 3456]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-05-20 717296]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
    S1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys [2010-10-08 153344]
    S1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys [2010-10-08 24064]
    S1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\DRIVERS\StarPortLite.sys [2008-01-23 85760]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
    S2 CBA8;LANDesk(R) Management Agent;c:\program files\LANDesk\Shared Files\residentagent.exe [2006-01-11 122880]
    S2 DLPortIO;DriverLINX Port I/O Driver; [x]
    S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2011-04-28 374152]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-05-31 12856]
    S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
    S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2010-10-08 163056]
    S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2010-06-14 97520]
    S2 Softmon;LANDesk(R) Software Monitoring Service;c:\program files\LANDesk\LDClient\softmon.exe [2006-06-29 245760]
    S2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2010-10-08 1541360]
    S3 iTurns;iTurns;c:\windows\system32\DRIVERS\iTurnsDriver.sys [2008-11-28 10704]
    S3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\DRIVERS\ldblank.sys [2005-07-01 11904]
    S3 ldmirror;ldmirror;c:\windows\system32\DRIVERS\ldmirror.sys [2005-07-01 3328]
    S3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\DRIVERS\mirrorflt.sys [2005-07-01 3712]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Contents of the 'Scheduled Tasks' folder
    2012-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
    2008-08-12 c:\windows\Tasks\Calculator.job
    - c:\windows\system32\calc.exe [2007-06-12 12:00]
    2012-02-14 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8195135653.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]
    2012-02-13 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8195144289.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]
    2012-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore1caceb92e6a6044.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 10:33]
    2012-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 10:33]
    2012-02-15 c:\windows\Tasks\SDMsgUpdate (TE).job
    - c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2011-07-29 17:29]
    ------- Supplementary Scan -------
    uStart Page = hxxp://
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    LSP: c:\documents and settings\All Users\Application Data\Sophos Web Intelligence\swi_lsp.dll
    LSP: mswsock.dll
    TCP: Interfaces\{2B30221D-39B4-439D-9B06-D3D5AF6680E7}: NameServer =
    DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://
    - - - - ORPHANS REMOVED - - - -
    HKCU-Run-dplaysvr - c:\documents and settings\cllr edwards\Application Data\dplaysvr.exe
    HKLM-Run-btbb_McciTrayApp - c:\program files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier.exe
    HKLM-Run-dplaysvr - c:\documents and settings\cllr edwards\Application Data\dplaysvr.exe
    HKLM-Run-XAyrXMNieLwFUhF.exe - c:\documents and settings\All Users\Application Data\XAyrXMNieLwFUhF.exe
    AddRemove-DVD Burner v1.30 Trial (ActiveX) - c:\windows\UNWISE.EXE
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
    Rootkit scan 2012-02-15 16:01
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    --------------------- LOCKED REGISTRY KEYS ---------------------
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(1828)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
    - - - - - - - > 'lsass.exe'(1892)
    c:\documents and settings\All Users\Application Data\Sophos Web Intelligence\swi_lsp.dll
    - - - - - - - > 'explorer.exe'(4024)
    c:\program files\Microsoft Virtual PC\VPCShExH.DLL
    ------------------------ Other Running Processes ------------------------
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\LANDesk\LDClient\LocalSch.EXE
    c:\program files\LANDesk\LDClient\tmcsvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft LifeCam\MSCamS32.exe
    c:\program files\Sophos\AutoUpdate\ALsvc.exe
    c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
    c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\ATI Technologies\ATI.ACE\cli.exe
    Completion time: 2012-02-15 16:12:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-02-15 16:12
    Pre-Run: 3,441,438,720 bytes free
    Post-Run: 4,334,768,128 bytes free
    - - End Of File - - C15C668E74C4ED3532E171CAF89791ED

    Thanks for editting the previous post. I genuinely have no idea how some of those entries got there. Questions will be asked at home as you can imagine.

    The Combfix program ran several times, in that it automatically rebooted the PC I think at least 3 times, and when it re-started, and I had logged on, it continued doing its stuff.

    I noticed in the blue window the line Access Denied a number of times. I dont know if this is significant or not?

    Anyway, over to you again......
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Do you know what these are?

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    kafiy.exe [2012-2-13 161792]
    c:\documents and settings\SCDCICTA\Start Menu\Programs\Startup\
    wuqo.exe [2012-2-13 161792]
    Please download sUBs' SvcQuery.exe and save to your desktop.
    • Double click the file to Open
    • A window will open. When prompted to provide a service name, type in the following:
    • Press Enter
    • The tool will create a log. Please leave that in your next reply.
    If you cannot run the following in Normal Mode:

    Boot into Safe Mode with Networking
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.

    I am concerned about the finding of the This is frequently associated with the Ramnit malware. Let's check the following please:
    • Make sure to use Internet Explorer for this
    • Please go to free on-line scan service
    • Copy and paste each of the following file paths into the "Suspicious files to scan" box on the top of the page, one at a time:




    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    And another:
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives/
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
  15. JesusIsmylife

    JesusIsmylife TS Rookie Topic Starter

  16. JesusIsmylife

    JesusIsmylife TS Rookie Topic Starter

    Here is the result of Eset

    C:\Documents and Settings\cllr edwards\Application Data\Sun\Java\Deployment\cache\6.0\21\3cd12b15-3c6ed10f Win32/TrojanDownloader.Vespula.AH trojan cleaned by deleting - quarantined
    C:\Documents and Settings\Default User\Start Menu\Programs\Startup\kafiy.exe a variant of Win32/Injector.OCP trojan cleaned by deleting - quarantined
    C:\Documents and Settings\SCDCICTA\Start Menu\Programs\Startup\wuqo.exe a variant of Win32/Injector.OCP trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP592\A0201231.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP592\A0201770.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP592\A0201786.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP592\A0201897.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP593\A0202168.exe a variant of Win32/Kryptik.AANP trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP593\A0202169.dll a variant of Win32/Kryptik.AANP trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP593\A0202170.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP594\A0203167.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP595\A0203475.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP595\A0203483.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP599\A0204414.exe a variant of Win32/Injector.OCP trojan cleaned by deleting - quarantined
    C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP599\A0204415.exe a variant of Win32/Injector.OCP trojan cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\VMM.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined

    Over to you again......
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    There are some entries for the Symantec pcAnywhere: this is Remote Desktop & Remote Access Software.There are also entries for Citrix GoToAssist & LogMeIn. Unless you are actively using these processes now, they should be stopped/disabled.
    There is a Scheduled Tasks set in 2007 ad/or 2008 for the Calculator:
    2008-08-12 c:\windows\Tasks\Calculator.job
    - c:\windows\system32\calc.exe [2007-06-12 12:00]
    What kind of Tasks do you have a calculator doing?
    Advise delete task as follows:
    Opening scheduled tasks to modify or delete them:
    Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.

    • To delete the task: right-click the Task> click Delete.
      Did you miss my direction in the Eset scan to [*] Uncheck 'Remove found threats'

      Run the following please: It will give me more information. There are 4 new malware entries. Those from System Volume are Restore Points. They are no longer active in the system and will be removed when we are finished. You are instructed no to do a System Restore while cleaning, so they shouldn't be a problem.

      Please download OTMovit by Old Timer and save to your desktop.
      • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
      • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
        C:\Documents and Settings\cllr edwards\Application Data\Sun\Java\Deployment\cache\6.0\21\3cd12b15-3c6ed10f 
        C:\Documents and Settings\Default User\Start Menu\Programs\Startup\kafiy.exe 
        C:\Documents and Settings\SCDCICTA\Start Menu\Programs\Startup\wuqo.exe 
        [start explorer]
      • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
      • Click the red Moveit! button.
      • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
      • Close OTMoveIt3
        The two entries I asked about were malware, as I suspected. So we need to find how they are getting in:
        Download Security Check by screen317 and save to the desktop
        • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
        • A Notepad document should open automatically called checkup.txt please
        • Post the contents of that document.
      If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
      You also need to find and remove these from Startup:
      C:\Documents and Settings\Default User\Start Menu\Programs\Startup\kafiy.exe
      C:\Documents and Settings\SCDCICTA\Start Menu\Programs\Startup\wuqo.exe
      Use the msconfig utility to access the Startup Menu. Expand the Command section if needed by holding the lfet mouse button down on the line in th frame above between process and Command and move to the right to expand.
      Please run this Custom CFScript:

      • [1]. Close any open browsers.
        [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
        [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
      c:\documents and settings\Default User\Start Menu\Programs\Startup\kafiy.exe 
      c:\documents and settings\SCDCICTA\Start Menu\Programs\Startup\wuqo.exe 
      c:\documents and settings\cllr edwards\Application Data\Myke
      c:\documents and settings\cllr edwards\Application Data\Vuvy
      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
      Save this as CFScript.txt, in the same location as ComboFix.exe

      Referring to the picture above, drag CFScript into ComboFix.exe

      When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
      Please describe remaining problems after you are finished with the above.
  18. JesusIsmylife

    JesusIsmylife TS Rookie Topic Starter

    Sorry, I did miss your instructions in the Eset scan to [*] Uncheck 'Remove found threats'

    Apologies - my bad.

    Anyway, I tried to run OTM but it wouldn't run on my laptop. I tried downloading direct from the web site to the laptop desktop, and also I downloaded it to a clean pc and copied it over using a usb stick.

    When I try to run it I get a window saying OTM has encountered a problem and needs to close. We are sorry for the inconvenience. I can then either click to send microsoft an error report or click dont send. I chose dont send.

    I ran security check and here is the log:

    Results of screen317's Security Check version 0.99.31
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    ESET Online Scanner v3
    Sophos Anti-Virus
    Antivirus up to date!
    Anti-malware/Other Utilities Check:

    Java(TM) 6 Update 22
    Java version out of date!
    Adobe Flash Player Flash Player out of Date!
    Adobe Reader 8 Adobe Reader out of date!
    Process Check:
    objlist.exe by Laurent

    Sophos Sophos Anti-Virus SAVAdminService.exe
    ``````````End of Log````````````

    I ran the msconfig untility and looked in the Startup tab, but neither

    C:\Documents and Settings\Default User\Start Menu\Programs\Startup\kafiy.exe
    C:\Documents and Settings\SCDCICTA\Start Menu\Programs\Startup\wuqo.exe

    were listed there.

    I then tried dragging the txt file to combofix, and that wouldn't run either.

    I get a window come up with a title bar NSIS Error. In the box it says "Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installers author to obtain a new copy."

    I have downloaded a new combofix.exe to my clean PC and it runs fine. I copied this over to the infected laptop using a USB stick and I get the same error.

    I dont seem to be winning this battle !!

    any further ideas?
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Are you working on your computer or are you doing remote help on someone else's system? You also run LaunchAnywhere. There is very little security on the system and several outdated programs that are vulnerabilities.

    As far as I can tell by your description, the installer error began after you ran Malwarebytes, then got stuck trying to uninstall it. I don't have much to go on missing the logs. You aren't able to remove the malware entries we find. You mention an infected laptop and using a flash drive.

    Please see if you can run this very basic program, HijackThis:
    First, set up a Directory for HijackThis as follows:
    Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
    Exit Explorer
    You now have a folder C:\HijackThis
    Download HijackThis and save to your desktop.
    • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
    • Extract it to the directory on your hard drive you created C:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    When you finish with the above, I'd like you to use the Windows Installer Cleanup Utility to remove all entries related to the following:

    Do not click on any error messages! Not even with just OK. Ignore them and try to continue.

    Please connect long enough if you can and run the Eset scan again. Please remember to Uncheck the box for removal of the entries.

    I am still concerned about the Backdoor.IRC bot and the possibility of a file infector.
    Let's check the system:
    Please run the MGA Diagnostics tool
    • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
    • You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool>
    • You must choose to Run this tool when prompted.
    • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
    • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
    • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
    • Please return to this thread and Paste the results here for review.
    This tool will is to look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

    1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
    2. Does it read "OEM Software" or "OEM Product" in black lettering?
    3. Or, does it have the computer manufacturer's name in black lettering?
    4. DO NOT post the Product Key.

    NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
  20. JesusIsmylife

    JesusIsmylife TS Rookie Topic Starter

    I am working on my Laptop which is infected, and which I have disconnetced from the internet.

    I have a clean PC here as well which I use to download all the apps you instruct me to, and I copy these onto a ZIP drive, which I then plug into the Laptop and copy from the ZIP onto the laptop.

    I use the Laptop for remote access to other systems, and my laptop also has software on so I can access this from remote locations.

    the HijackThis log is :-

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:48:41, on 26/02/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\LANDesk\Shared Files\residentagent.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    C:\Program Files\LANDesk\LDClient\softmon.exe
    C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Sophos\AutoUpdate\almon.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\SSH Communications Security\SSH Sentinel\Accession\ssh_accession.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro /Retry=2 /Tspan=60 /Rstart
    O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=SCDCLANDESK:5007 /S=SCDCLANDESK /I=HTTP://SCDCLANDESK/ldlogon/ldappl3.ldz /NOUI /rstart=60
    O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
    O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
    O4 - HKLM\..\Run: [DVD or CD Sharing] "C:\Program Files\DVD or CD Sharing\ODSAgent.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: SSH Accession.lnk = ?
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\documents and settings\all users\application data\sophos web intelligence\swi_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\documents and settings\all users\application data\sophos web intelligence\swi_lsp.dll
    O10 - Unknown file in Winsock LSP: c:\documents and settings\all users\application data\sophos web intelligence\swi_lsp.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
    O16 - DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} (20-20 3D Viewer for IKEA) -
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B30221D-39B4-439D-9B06-D3D5AF6680E7}: NameServer =
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2B30221D-39B4-439D-9B06-D3D5AF6680E7}: NameServer =
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe
    O23 - Service: Google Update Service (gupdate1caa329fb6e5dc2) (gupdate1caa329fb6e5dc2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
    O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
    O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
    O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    O23 - Service: Sophos Web Intelligence Service (swi_service) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    End of file - 14266 bytes

    The MGA Log is :-

    Diagnostic Report (1.9.0027.0):
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****
    Windows Product Key Hash: 871+b8eemJZ0IlPs98De/x8U9e0=
    Windows Product ID: 76487-641-3620845-23234
    Windows Product ID Type: 1
    Windows License Type: Volume
    Windows OS version:
    ID: {45C0BDDB-C9D5-48B3-89D1-E9E5CEF94964}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered,
    Signed By: Microsoft
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A

    Windows XP Notifications Data-->
    Cached Result: 0
    File Exists: Yes
    WgaTray.exe Signed By: Microsoft
    WgaLogon.dll Signed By: Microsoft

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    OGAExec.exe Signed By: Microsoft
    OGAAddin.dll Signed By: Microsoft

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: Registered,
    Signed By: Microsoft
    Office Diagnostics: 025D1FF3-230-1

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{45C0BDDB-C9D5-48B3-89D1-E9E5CEF94964}</UGUID><Version>1.9.0027.0</Version><OS></OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-2FV7Y</PKey><PID>76487-641-3620845-23234</PID><PIDType>1</PIDType><SID>S-1-5-21-776561741-1336601894-839522115</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Latitude 131L </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>2.1.0 </Version><SMBIOSVersion major="2" minor="4"/><Date>20061218000000.000000+000</Date></BIOS><HWID>117834E701842E6C</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version=""/><File Name="WgaLogon.dll" Version=""/><File Name="OGAAddin.dll" Version=""/></GANotification></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

    Licensing Data-->

    Windows Activation Technologies-->

    HWID Data-->

    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 1E832:Dell Inc|10BBC:Dell Inc|F2BA:HITACHI, Ltd|F2BA:HITACHI, Ltd|F2BA:HITACHI, Ltd|10BBC:Microsoft Corporation
    Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

    OEM Activation 2.0 Data-->

    Over to you again.....
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    It appears that you are on your work computer, operating under a volume license. You are running LANDesk® Management Suite software including the Targeted Multicast Client Service Executable. This file is not digitally signed. This also includes the Intel Ping Discovery Service (PDS). Part of Intel's LANDesk Management Suite 6 and the Common Base Agent (CBA) - used for communicating between the core server and managed clients.

    There is IT Management software running, processes for remote connections. There is a keylogger on the system which most likely is from the company you are working for. A volume license is being used and no key numbers are given.

    In the absence of some of the logs, I am not able to determine what the update status. I asked and repeated the following in my Replies 17 & 19: It was never addressed:

    Please contact the IT person at your work for help with this system.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...