Ultrad321
-
Posts
11 -
Joined
-
Last visited
Content Type
Events
Profiles
Forums
Posts posted by Ultrad321
-
-
Sorry It took me so long I was waiting to get a blank cd. I have one now, and I will run the scan tonight and post it after I get back from work tomorrow. Bear with me please : /
-
Kaspersky won't start either--I know that some of those files in the Quarantine folder are viruses, and I hate it when none of these programs seems to work. You got anything else up your sleeve that might do the trick? You think if i delete those quarantined files it might make a difference?
-
Just attempted to run that program and I get this error
"Mismatch between the kernel reported by windows and the one reported by a hardware scan.
Do you want to use the kernel reported by windows?"
Yes No
If I click Yes it says Could not load driver (0xc000036b)!
same error no matter which option I pick. Apparently it does not work with my 64 bit OS from what a google search dug up--Windows XP Professional x64
-
Also I consulted Jotti online malware scan and Im pretty sure that the Dr.Web folder's AOL files, VirtumundobeGone, and the batch file, possibly the reg entries are false positives from the heuristics, but the other files in that folder showed up as infections.
-
Nothing will install, all programs taht were messed up before still are. There are a lot of files in the quarantine bins for trendmicro housecall and Dr. Web, but i dont think it moved anymore in there after my restart. I attached pictures of the two quarantine folders so you can see the files in there
-
I attached it with non word wrap. All the same problems still there, due to the 2 or 3 things taht could not be fixed I guess. No change that I can tell, everything is still messed up
-
Dr.Web log found a lot of stuff but wasnt able to delete it all. Excel won't open due to the virus so this is the only way to put the drweb log in, since it won't let me upload .csv files
c.bat;C:\32788R22FWJFW;Probably BATCH.Virus;Moved.;
psexec.cfexe;C:\32788R22FWJFW;Program.PsExec.171;Moved.;
A0042298.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Siggen.568;Deleted.;
A0042299.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Virtumod.1459;Deleted.;
A0042301.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Virtumod.1534;Deleted.;
A0042302.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Virtumod.1534;Deleted.;
A0042303.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Virtumod.1534;Deleted.;
A0045631.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Siggen.568;Deleted.;
A0045632.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Virtumod.1459;Deleted.;
A0045633.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Virtumod.1534;Deleted.;
A0045634.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Virtumod.1534;Deleted.;
A0045635.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Virtumod.1534;Deleted.;
BACKUP-20071207-233006-457.0LL.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Click.4871;Deleted.;
BACKUP-20071207-233103-479.0LL.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Click.4871;Deleted.;
BACKUP-20071207-233123-734.0LL.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Click.4871;Deleted.;
BACKUP-20071207-233141-958.0LL.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Click.4871;Deleted.;
BACKUP-20071207-235336-312.0LL.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Click.4871;Deleted.;
BACKUP-20071208-000717-169.0LL.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Click.4871;Deleted.;
sch20ddshlp.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Probably Trojan.Packed.196;Moved.;
wnl32.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.DownLoader.61955;Deleted.;
VirtumundoBeGone.exe\data005;C:\Documents and Settings\Administrator\Desktop\system health tools\VirtumundoBeGone.exe;Tool.Prockill;;
VirtumundoBeGone.exe;C:\Documents and Settings\Administrator\Desktop\system health tools;Archive contains infected objects;Moved.;
nsh2F.tmp;C:\Documents and Settings\Administrator\Local Settings\Temp;Tool.Prockill;Moved.;
nsuA.tmp;C:\Documents and Settings\Administrator\Local Settings\Temp;Tool.Prockill;Moved.;
nsv5.tmp;C:\Documents and Settings\Administrator\Local Settings\Temp;Tool.Prockill;Moved.;
nswD.tmp;C:\Documents and Settings\Administrator\Local Settings\Temp;Tool.Prockill;Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;Incurable.Moved.;
ocpinst.exe\data529;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\ocpinst.exe;Probably BACKDOOR.Trojan;;
ocpinst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Archive contains infected objects;Moved.;
regLocal.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups;Probably SCRIPT.Virus;Incurable.Moved.;
RegUBP2b-Administrator.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
ylcgcuoq.dat;C:\WINDOWS\system32\Drivers;Trojan.NtRootKit.511;Deleted.;
new hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05 PM, on 03/02/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
C:\Program Files (x86)\Java\jre6\bin\jqs.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\WINDOWS\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\SysWOW64\wwSecure.exe
C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page =
http://go.microsoft.com/fwlink/?LinkId=54843
O1 - Hosts: be placed in the first column followed by the corresponding host
name.
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -
(no file)
O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files
(x86)\FSI\F-Prot\F-Sched.exe" STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files
(x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files
(x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files
(x86)\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft
Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI
Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d
locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Window Washer] C:\Program Files
(x86)\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search
& Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall]
%systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall]
%systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\S-1-5-21-2712546392-667894355-3133765092-500\..\Run: [Aim6]
"C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User
'?')
O4 - HKUS\S-1-5-21-2712546392-667894355-3133765092-500\..\Run: [spybotSD
TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (User
'?')
O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User
'?')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall]
%systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User
'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall]
%systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files
(x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -
(no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote -
{2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no
file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no
file)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} -
http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} -
http://upload.facebook.com/controls/2008.1...kPhotoUploader5.
cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} -
http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
http://a840.g.akamai.net/7/840/537/2004061...icro.com/housec
all/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} -
http://www.livemetallica.com/nugster/dlControl.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -
http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - (no
file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program
Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) -
Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner -
C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program
Files (x86)\FSI\F-Prot\fpavupdm.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner -
C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files (x86)\Common
Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner -
C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files
(x86)\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun
Microsystems, Inc. - C:\Program Files (x86)\Java\jre6\bin\jqs.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner -
C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner -
C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner -
C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner -
C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner -
C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner -
C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown
owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner -
C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner -
C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files
(x86)\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner -
C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner -
C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. -
C:\WINDOWS\system32\wwSecure.exe
--
End of file - 7986 bytes
-
I ran Ad-Aware in the meantime while waiting for some help, so I'll post that log too
Ad-Aware 2007 Build
Log File Created on: 2009-03-01 23:11:40
Using Definitions File: C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\core.aawdef
Computer name: DREWS-SGAMER
Name of user performing scan: SYSTEM
System information
===========================
Number of processors: 1
Processor type: AMD Athlon 64 Processor 3200+
Memory Available: 25%
Total Physical Memory: 1073094656 Bytes
Available Physical Memory: 257556480 Bytes
Total Page File Size: 3148898304 Bytes
Available On Page File: 2420752384 Bytes
Total Virtual Memory: 2147352576 Bytes
Available Virtual Memory: 1772601344 Bytes
OS: Microsoft Windows Server 2003 family Service Pack 2 (Build 3790)
Ad-Aware 2007 Settings
===========================
Skipping files larger than 1048576 kB
Ignoring infections with lower TAI than: 3
Extended Ad-Aware 2007 Settings
===========================
Unloading known modules during scan
Ignoring spanned files when scanning cab archives
Reanalyzing results after scanning before displaying results
Trying to unload modules prior to removal
Unloading Explorer if necessary during removal
Let Windows remove files currently in use at next reboot
Removing quarantined objects after restore
Deactivating Ad-Watch during scans
Writeprotecting system files after repairs
Include info about ignored objects in log file
Including basic settings in log file
Including advanced settings in log file
Including user and computer name in log file
Create and save WebUpdate log file
Databaseinfo
===========================
Version number: 146
Build Number: 0
Build Date and Time: 2009/01/22 14:54:48
Scan Statistics
===========================
Method: Smart
Scan tracking cookies.............................: On
Scan ADS filestreams..............................: On
Item Scanned: 189436
Infections Detected: 7
Infections Ignored: 0
Scan detailed statistics
===========================
Type Critical Total
Process Scan....: 0 0
Registry Scan...: 0 0
Registry PE Scan: 0 0
Hosts File Scan.: 0 0
File Scan.......: 0 0
Folder Scan.....: 0 0
LSP Scan........: 0 0
ADS Scan........: 0 0
Cookie Scan.....: 4 4
File Hash Scan..: 0 0
Infections Found
===========================
Family Id: 725 Name: Tracking Cookie Category: DataMiner TAI:3
Item Id: 409170 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat adlegend.com PrefID /
Item Id: 409170 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat adlegend.com CSList /
Item Id: 409363 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat kontera.com cluid /
Item Id: 409363 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat kontera.com imprs /
Family Id: 9999 Name: MRU Object Category: MRU Object TAI:0
Item Id: 1 Value: MRU Path: C:\Documents and Settings\Administrator\Recent Count: 149
Item Id: 2 Value: MRU Registry Key: S-1-5-21-2712546392-667894355-3133765092-500\Software\Microsoft\Search Assistant\ACMru\5603 Count: 9
Item Id: 3 Value: MRU Registry Key: S-1-5-21-2712546392-667894355-3133765092-500\Software\Microsoft\Internet Explorer\TypedURLs Count: 10
Items Ignored During Scan
===========================
Listing of running processes
===========================
C:\PROGRAM FILES (X86)\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
c:\program files (x86)\lavasoft\ad-aware 2007\aawservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\program files (x86)\lavasoft\ad-aware 2007\ceapi.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\secur32.dll
c:\program files (x86)\lavasoft\ad-aware 2007\pkarchive84cb.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\wldap32.dll
c:\windows\system32\psapi.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\program files (x86)\lavasoft\ad-aware 2007\update.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\userenv.dll
c:\windows\system32\imm32.dll
c:\windows\winsxs\wow64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.3790.3959_x-ww_5fa17f4e\comctl32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
C:\PROGRAM FILES (X86)\FSI\F-PROT\FPAVUPDM.EXE
c:\program files (x86)\fsi\f-prot\fpavupdm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\system32\ws2help.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\winsxs\wow64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.3790.3959_x-ww_5fa17f4e\comctl32.dll
c:\windows\syswow64\shell32.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\syswow64\netapi32.dll
c:\windows\system32\tapi32.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\winmm.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msapsspc.dll
c:\windows\system32\msvcrt40.dll
c:\windows\system32\msnsspc.dll
c:\windows\syswow64\msv1_0.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\rasadhlp.dll
c:\windows\syswow64\urlmon.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\syswow64\wldap32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\wshtcpip.dll
C:\PROGRAM FILES (X86)\JAVA\JRE6\BIN\JQS.EXE
c:\program files (x86)\java\jre6\bin\jqs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\ws2_32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\system32\ws2help.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\program files (x86)\java\jre6\bin\msvcr71.dll
c:\windows\system32\imm32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\pdh.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.3790.3959_x-ww_78fcf8d0\comctl32.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\system32\odbc32.dll
c:\windows\system32\odbcbcp.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\winsxs\wow64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.3790.3959_x-ww_5fa17f4e\comctl32.dll
c:\windows\system32\odbcint.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\perfos.dll
c:\windows\system32\perfdisk.dll
C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
c:\program files (x86)\common files\microsoft shared\vs7debug\mdm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\system32\shimeng.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acwow64.dll
c:\windows\system32\imm32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\xpsp2res.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\comres.dll
c:\program files (x86)\common files\microsoft shared\vs7debug\msdbg2.dll
c:\windows\syswow64\netapi32.dll
c:\windows\winsxs\wow64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.3790.3959_x-ww_5fa17f4e\comctl32.dll
C:\WINDOWS\SYSWOW64\PNKBSTRA.EXE
c:\windows\syswow64\pnkbstra.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\wsock32.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ws2help.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\imagehlp.dll
c:\windows\system32\imm32.dll
c:\windows\winsxs\wow64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.3790.3959_x-ww_5fa17f4e\comctl32.dll
c:\windows\system32\mswsock.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\hnetcfg.dll
c:\windows\system32\wshtcpip.dll
C:\WINDOWS\SYSWOW64\WWSECURE.EXE
c:\windows\syswow64\wwsecure.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\version.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.3790.3959_x-ww_78fcf8d0\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\xpsp2res.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\comres.dll
C:\WINDOWS\SYSWOW64\CTFMON.EXE
c:\windows\syswow64\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\msutb.dll
c:\windows\system32\imm32.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\apphelp.dll
c:\windows\system32\msctfime.ime
c:\windows\system32\ole32.dll
C:\PROGRAM FILES (X86)\FSI\F-PROT\F-SCHED.EXE
c:\program files (x86)\fsi\f-prot\f-sched.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\mfc42.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\odbc32.dll
c:\windows\winsxs\wow64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.3790.3959_x-ww_5fa17f4e\comctl32.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\odbcint.dll
c:\program files (x86)\fsi\f-prot\schedeng.dll
c:\windows\system32\uxtheme.dll
c:\windows\syswow64\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msctfime.ime
C:\PROGRAM FILES (X86)\JAVA\JRE6\BIN\JUSCHED.EXE
c:\program files (x86)\java\jre6\bin\jusched.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\winsxs\wow64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.3790.3959_x-ww_5fa17f4e\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\syswow64\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\syswow64\netapi32.dll
c:\windows\system32\tapi32.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\winmm.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\system32\userenv.dll
c:\windows\syswow64\msapsspc.dll
c:\windows\system32\msvcrt40.dll
c:\windows\syswow64\msnsspc.dll
c:\windows\syswow64\msv1_0.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\syswow64\wldap32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\netman.dll
c:\windows\system32\netshell.dll
c:\windows\system32\credui.dll
c:\windows\system32\atl.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\activeds.dll
c:\windows\system32\adsldpc.dll
c:\windows\system32\samlib.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\wzcsvc.dll
c:\windows\system32\wmi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\esent.dll
c:\windows\system32\wzcsapi.dll
c:\windows\syswow64\urlmon.dll
C:\PROGRAM FILES (X86)\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
c:\program files (x86)\common files\real\update_ob\realsched.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\version.dll
c:\windows\system32\imm32.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\winsxs\wow64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.3790.3959_x-ww_5fa17f4e\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\syswow64\msctf.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msctfime.ime
c:\windows\system32\xpsp2res.dll
c:\windows\system32\clbcatq.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\system32\comres.dll
c:\windows\system32\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\system32\samlib.dll
C:\PROGRAM FILES (X86)\IPOD\BIN\IPODSERVICE.EXE
c:\program files (x86)\ipod\bin\ipodservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\system32\imm32.dll
c:\program files (x86)\ipod\bin\ipodservice.resources\en.lproj\ipodservicelocalized.dll
c:\program files (x86)\ipod\bin\ipodservice.resources\ipodservice.dll
c:\windows\system32\xpsp2res.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\comres.dll
c:\windows\system32\uxtheme.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\imagehlp.dll
C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE
c:\program files (x86)\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\program files (x86)\mozilla firefox\xul.dll
c:\program files (x86)\mozilla firefox\sqlite3.dll
c:\program files (x86)\mozilla firefox\mozcrt19.dll
c:\windows\syswow64\msvcrt.dll
c:\program files (x86)\mozilla firefox\js3250.dll
c:\program files (x86)\mozilla firefox\nspr4.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\secur32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\winmm.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\program files (x86)\mozilla firefox\smime3.dll
c:\program files (x86)\mozilla firefox\nss3.dll
c:\program files (x86)\mozilla firefox\nssutil3.dll
c:\program files (x86)\mozilla firefox\plc4.dll
c:\program files (x86)\mozilla firefox\plds4.dll
c:\program files (x86)\mozilla firefox\ssl3.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\version.dll
c:\windows\system32\winspool.drv
c:\windows\syswow64\comdlg32.dll
c:\windows\winsxs\wow64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.3790.3959_x-ww_5fa17f4e\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\usp10.dll
c:\windows\syswow64\oleaut32.dll
c:\program files (x86)\mozilla firefox\xpcom.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\uxtheme.dll
c:\windows\syswow64\msctf.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msctfime.ime
c:\windows\system32\clbcatq.dll
c:\windows\system32\comres.dll
c:\program files (x86)\mozilla firefox\components\browserdirprovider.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\syswow64\wldap32.dll
c:\windows\system32\xpsp2res.dll
c:\program files (x86)\mozilla firefox\components\brwsrcmp.dll
c:\windows\syswow64\netapi32.dll
c:\windows\system32\urlmon.dll
c:\windows\syswow64\iertutil.dll
c:\windows\system32\userenv.dll
c:\windows\system32\rsaenh.dll
c:\program files (x86)\mozilla firefox\softokn3.dll
c:\program files (x86)\mozilla firefox\nssdbm3.dll
c:\program files (x86)\mozilla firefox\freebl3.dll
c:\program files (x86)\mozilla firefox\nssckbi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\imagehlp.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\linkinfo.dll
C:\PROGRAM FILES (X86)\LAVASOFT\AD-AWARE 2007\AD-AWARE2007.EXE
c:\program files (x86)\lavasoft\ad-aware 2007\ad-aware2007.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\secur32.dll
c:\windows\system32\imm32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.3790.3959_x-ww_78fcf8d0\comctl32.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\shell32.dll
c:\windows\winsxs\wow64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.3790.3959_x-ww_5fa17f4e\comctl32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\ole32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\inetmib1.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\snmpapi.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\activeds.dll
c:\windows\system32\adsldpc.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\wldap32.dll
c:\windows\system32\credui.dll
c:\windows\system32\atl.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\samlib.dll
c:\windows\system32\setupapi.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\mpr.dll
c:\windows\system32\winmm.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\msvcp60.dll
c:\windows\system32\uxtheme.dll
c:\windows\syswow64\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msctfime.ime
c:\windows\system32\olepro32.dll
c:\windows\system32\drprov.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\netui0.dll
c:\windows\system32\netui1.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\userenv.dll
End of Scan Section
===========================
Quarantined Infections
===========================
Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat adlegend.com PrefID /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat adlegend.com CSList /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat kontera.com cluid /, Belonging to Tracking Cookie
Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat kontera.com imprs /, Belonging to Tracking Cookie
MRU Path: C:\Documents and Settings\Administrator\Recent Count: 149, Belonging to MRU Object
MRU Registry Key: S-1-5-21-2712546392-667894355-3133765092-500\Software\Microsoft\Search Assistant\ACMru\5603 Count: 9, Belonging to MRU Object
MRU Registry Key: S-1-5-21-2712546392-667894355-3133765092-500\Software\Microsoft\Internet Explorer\TypedURLs Count: 10, Belonging to MRU Object
End of Quarantined Infections
===========================
-
Also just a heads-up I run XP Professional x64 OS, so some things like ComboFix won't work with my x64 operating system b/c they are 32 only.
ONe other thing I want to mention is that My installer seems to be really messed up, nothing will install, always gives the error 1719 (problem with windows installer), or it gives me some thing about the permission settings not being right (though I am the sole administrator)
-
for the past couple weeks my computer has basically been locked up by some malware. it keeps the most popular programs like IE and Windows Media Player,a nd most games from working, and it has affected the correct operation of dll's and prevented most installs from happening, and when I try to run programs that are isntalled like Word it just brings up a frozen installer.
Now I have scanned with Spybot, F-Prot, and they either didn't get anything or "fixed it" but nothing changed. Trendmicro Housecall picked up a bunch of stuff and said it fixed it but nothing really changed. Less popular or non microsoft programs like Firefox (what I'm using now) and Quicktime, Itunes, etc. work however.
SO at least a couple times I have thought I deleted the virtumonde files, but nothing changed after their deletion. Tried to install MBAM (changed the exe name multiple times with no avail) but I kept getting the Runtime error 0 Acceleration Grid,etc. and MBAM Runtime 404 error, a
"CoCreateInstance failed; code 0x80040154. Class not registered." when the .ink files tried to install. So MBAM installs but these errors come up both during install and when I tryto run it. I have seen other people's topics where MBAM eliminated their problems so I hope to get it installed and let it have a crack.
I have found some suspicious files like one related to a malware I got last year
C:\WINDOWS\SysWOW64\Drivers\ylcgcuoq.dat
and also wsil32.dll which i'm not sure about
In addition, attempted install of Superantispyware gives the same cocreate instance error, and I have already tried a number of specific virtumonde fix programs.
PLEASE HELP! I have tried all I can by myself before bugging y'all with this problem, but I need some more experienced help with this now, so I'll roll out the logs.
Gmer log
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-01 00:19:34
Windows 5.2.3790 Service Pack 2
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
---- EOF - GMER 1.0.14 ----
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23 AM, on 03/01/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
C:\Program Files (x86)\Java\jre6\bin\jqs.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\SysWOW64\PnkBstrA.exe
C:\WINDOWS\SysWOW64\wwSecure.exe
C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\Desktop\system health tools\gmer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page =
http://go.microsoft.com/fwlink/?LinkId=54843
O1 - Hosts: be placed in the first column followed by the corresponding host
name.
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -
(no file)
O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files
(x86)\FSI\F-Prot\F-Sched.exe" STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files
(x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files
(x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files
(x86)\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft
Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI
Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d
locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Window Washer] C:\Program Files
(x86)\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search
& Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall]
%systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall]
%systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\S-1-5-21-2712546392-667894355-3133765092-500\..\Run: [Aim6]
"C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User
'?')
O4 - HKUS\S-1-5-21-2712546392-667894355-3133765092-500\..\Run: [spybotSD
TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (User
'?')
O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User
'?')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall]
%systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User
'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall]
%systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files
(x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -
(no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote -
{2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no
file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no
file)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} -
http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} -
http://upload.facebook.com/controls/2008.1...kPhotoUploader5.
cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} -
http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
http://a840.g.akamai.net/7/840/537/2004061...icro.com/housec
all/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} -
http://www.livemetallica.com/nugster/dlControl.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -
http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - (no
file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program
Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) -
Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner -
C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program
Files (x86)\FSI\F-Prot\fpavupdm.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner -
C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files (x86)\Common
Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner -
C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files
(x86)\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun
Microsystems, Inc. - C:\Program Files (x86)\Java\jre6\bin\jqs.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner -
C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner -
C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner -
C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner -
C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner -
C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner -
C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown
owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner -
C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner -
C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files
(x86)\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner -
C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner -
C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. -
C:\WINDOWS\system32\wwSecure.exe
--
End of file - 8121 bytes
Deckard's System Scanner
Deckard's System Scanner v20071014.68
Run by Administrator on 2009-03-01 00:25:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25 AM, on 03/01/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
C:\Program Files (x86)\Java\jre6\bin\jqs.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\SysWOW64\PnkBstrA.exe
C:\WINDOWS\SysWOW64\wwSecure.exe
C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\Desktop\system health tools\gmer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\system health tools\dss.exe
C:\PROGRA~2\TRENDM~1\HIJACK~1\ADMINI~1.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O1 - Hosts: be placed in the first column followed by the corresponding host name.
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\S-1-5-21-2712546392-667894355-3133765092-500\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User '?')
O4 - HKUS\S-1-5-21-2712546392-667894355-3133765092-500\..\Run: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} - http://www.livemetallica.com/nugster/dlControl.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files (x86)\Java\jre6\bin\jqs.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
--
End of file - 8180 bytes
-- Files created between 2009-02-01 and 2009-03-01 -----------------------------
2009-02-28 22:19:43 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-28 21:08:27 0 d-------- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2009-02-16 20:16:38 0 d-------- C:\VundoFix Backups
2009-02-16 02:51:29 0 d-------- C:\Documents and Settings\Administrator\.housecall6.6
2009-02-15 01:07:42 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI
2009-02-15 00:34:09 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI(4)
2009-02-02 22:57:09 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI(3)
2009-02-02 22:40:32 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI(2)
-- Find3M Report ---------------------------------------------------------------
2009-02-28 22:18:59 0 d-------- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2009-02-16 21:43:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2009-02-16 20:16:37 0 d-------- C:\Program Files (x86)\zips of games
2009-02-15 11:46:19 0 d-------- C:\Program Files (x86)\GameSpy Arcade
2009-02-15 01:07:14 0 d-------- C:\Program Files (x86)\ATI Technologies
2009-02-10 21:41:16 0 d-------- C:\Program Files (x86)\botf
2009-02-08 23:00:45 0 d--h----- C:\Program Files (x86)\InstallShield Installation Information
2009-02-02 23:12:27 0 d-------- C:\Program Files (x86)\CyberLink
2009-01-18 00:32:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Bioshock
2009-01-08 21:35:04 0 d-------- C:\Program Files (x86)\ubernesv3rev2
2008-12-07 22:39:06 8812 --ah----- C:\WINDOWS\system32\repefeji
-- Registry Dump ---------------------------------------------------------------
-- End of Deckard's System Scanner: finished at 2009-03-01 00:25:41 ------------
Struggling with Virtumonde (I think) MBAM won't install or run correct
in Resolved Malware Removal Logs
Posted
It starts to boot up (I can see the files loading up for it, but it never loads up), but then the monitor goes into the powersave mode as it would if the computer is turned off, like it's not even connected. I can't even see the GUI to use the commandline because it's like the computer isnt even connected to the monitor, though I know it is b/c it was showing just seconds before. What to do?