Jump to content

ligerjack

Members
 View Profile  See their activity

  • Posts

    12

  • Joined

  • Last visited

Reputation

0 Neutral
  1. ligerjack
    I've got a lot of documents and pdfs on the system and instead of saving them all I was justing going to look at them to see if I still needed them. Problem is the little "no program associated with it....." error prevents me from loading word or acrobat to even give them a look-see. I saw a reference to this utility which fixes the exe file associations in the registry automatically on bleepingcomputer. http://windowsxp.mvps.org/exefile.htm. Sounded like the same problem I have, but didn't know if it would work given my backdoor trojan problem.
  2. ligerjack
    Chris - is there a way to re-enable my ability to load .exe files just by left clicking. For some reason some of the programs do not have the "run as" option when I right click. I'm trying to determine what to save off the infected computer.
  3. ligerjack
    Thanks Chris. I take it from your response that assuming imgburn is operable, I can go ahead and start evacuating the files even with the trojan still present (as long as I'm not connected to the internet). Or should I attempt to kill it before burning? Also do you have a link for a site that describes the walk through for a reformatting/reinstallation of XP? Finally - more of a general question - as time goes on MBAM and the other software get better at better at detecting and removing viruses/trojans. Of course the virus and trojan authors are making better and better malware. Is it possible that in a few months MBAM or other program will be able to spot and remove the backdoor trojan I have or will the backdoor trojan I have always elude these programs. (or always leave potential remnants behind that eludes these programs). In other words if I didn't touch the computer for several months and then downloaded the latest version of MBAM, would MBAM spot my trojan and be able to fix it and whatever it had messed with on my system? Thanks again for your help.
  4. ligerjack
    Oyyy - and I thought we were making progress. I guess I'll do the clean wipe - but I need to evacuate some files from the computer. Not sure whether imgburn works using the run as trick, but I'm also worried about whether this trojan could be transferred to the DVD or CDs that I burn and then infect the computer all over again when I load them back on. Another question - I have an old pre-SP2 XP cd. Am I going to be able to install with firewall protection? Is there a way to slipstream the XP and SP2 (or SP3 for that matter)? I've reinstalled windows 98 before, but never xp. Thanks for your help.
  5. ligerjack
    The following is the Hijack This log. I should also note regarding the NAV - I even tried to uninstall it, but the add/remove item on the control panel, like all the other programs, gave me the "this file does not have a program associated with it for performing this action. Create an association in the folder options control panel" error.. Here is the Hijack This log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:27:42 PM, on 9/1/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\\IC Card Reader Driver v1.8e4\Disk_Monitor.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Versato.lnk = C:\Program Files\MediaKey\Versato.exe O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file) O9 - Extra 'Tools' menuitem: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://citrix.ecave.net/cab/8.1/wficat.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- End of file - 7002 bytes
  6. ligerjack
    The following is the combofix log. At some point this virus knocked NAV out of the system tray, but Combofix detected NAV running. Of course when I tried to load NAV with the "run as" method in order to disable auto protect it was stuck on "refreshing". Long story short, I tried to disable autoprotect, but not sure I was successful. All program icons are still giving me the "this file does not have a program associated with it for performing this action....." business. Anyway here is the log. I will run hijack this next and post that. ComboFix 09-09-01.04 - Owner 09/01/2009 22:56.1.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.204 [GMT -5:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe AV: Norton AntiVirus 2006 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\Shared c:\program files\Shared\lib.sig c:\recycler\NPROTECT c:\windows\Installer\1cfe1c.msi c:\windows\patch.exe c:\windows\system32\_000006_.tmp.dll c:\windows\system32\resdll.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED} -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE} ((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 ))))))))))))))))))))))))))))))) . 2009-08-30 05:30 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-08-30 05:30 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-08-27 04:39 . 2009-08-27 04:59 46640 ----a-w- c:\windows\system32\msln.exe 2009-08-24 03:27 . 2009-08-24 03:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2009-08-15 23:43 . 2009-08-15 23:57 -------- d-----w- c:\program files\fvpubo 2009-08-15 14:18 . 2009-08-15 14:41 -------- d-----w- c:\documents and settings\Owner\Application Data\ImgBurn 2009-08-15 13:40 . 2009-08-15 13:40 -------- d-----w- c:\program files\ImgBurn 2009-08-12 03:55 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll 2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-08-30 05:30 . 2009-04-01 03:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-08-27 04:27 . 2004-02-21 05:15 -------- d-----w- c:\program files\Common Files\Symantec Shared 2009-08-05 09:11 . 2003-11-14 11:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-07-26 05:53 . 2009-07-26 05:52 -------- d-----w- c:\program files\iTunes 2009-07-26 05:53 . 2009-07-26 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-07-26 05:52 . 2009-07-26 05:52 -------- d-----w- c:\program files\iPod 2009-07-26 05:51 . 2009-07-26 05:51 -------- d-----w- c:\program files\Bonjour 2009-07-26 05:50 . 2009-07-26 05:49 -------- d-----w- c:\program files\QuickTime 2009-07-26 05:41 . 2009-07-26 05:41 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe 2009-07-26 03:14 . 2008-01-28 05:45 -------- d-----w- c:\program files\Apple Software Update 2009-07-17 18:55 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll 2009-07-14 04:43 . 2004-08-07 14:41 286208 ----a-w- c:\windows\system32\wmpdxm.dll 2009-07-14 03:40 . 2004-08-29 18:30 19312 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-07-09 17:16 . 2009-07-26 05:46 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll 2009-07-09 17:16 . 2008-01-28 05:45 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys 2009-07-05 14:16 . 2009-07-05 14:17 410984 ----a-w- c:\windows\system32\deploytk.dll 2009-07-05 14:16 . 2003-12-09 04:23 -------- d-----w- c:\program files\Java 2009-07-05 14:15 . 2009-07-05 14:15 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll 2009-07-03 17:09 . 2004-02-06 23:05 915456 ----a-w- c:\windows\system32\wininet.dll 2009-06-16 14:55 . 2003-03-31 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll 2009-06-16 14:55 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll 2009-06-12 11:50 . 2003-03-31 12:00 76288 ----a-w- c:\windows\system32\telnet.exe 2009-06-10 14:21 . 2003-03-31 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll 2009-06-10 06:32 . 2003-03-31 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll 2009-06-05 07:42 . 2003-11-14 08:16 655872 ----a-w- c:\windows\system32\mstscax.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Disk Monitor"="c:\program files\\IC Card Reader Driver v1.8e4\Disk_Monitor.exe" [2003-03-28 469504] "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-03-24 3309568] "NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-03-24 46080] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-05 148888] "PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-03-29 36864] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 52848] "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648] "dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2007-11-20 731136] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-03-24 782336] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] Versato.lnk - c:\program files\MediaKey\Versato.exe [2004-5-22 565248] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [5/22/2004 3:54 PM 14624] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [3/6/2009 11:56 PM 101936] S3 UNDPX1K;UNDPX1K;\??\c:\windows\system32\drivers\UNDPX1K.SYS --> c:\windows\system32\drivers\UNDPX1K.SYS [?] S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;c:\windows\system32\DRIVERS\WebSTAR.sys --> c:\windows\system32\DRIVERS\WebSTAR.sys [?] S3 WebSTARXP;Scientific Atlanta WebSTAR 100 & 200 series Cable Modem;c:\windows\system32\DRIVERS\SACMXP1.sys --> c:\windows\system32\DRIVERS\SACMXP1.sys [?] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-07-26 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34] 2009-08-22 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job - c:\progra~1\NORTON~1\Navw32.exe [2005-09-24 17:13] . - - - - ORPHANS REMOVED - - - - HKLM-Run-Cmaudio - cmicnfg.cpl . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com mStart Page = hxxp://www.google.com uSearchURL,(Default) = hxxp://www.locators.com/search.php?que=%s IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-01 23:08 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3964) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Symantec Shared\ccSetMgr.exe c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe c:\program files\Common Files\Symantec Shared\SNDSrvc.exe c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe c:\windows\system32\LEXBCES.EXE c:\windows\system32\LEXPPS.EXE c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Norton AntiVirus\IWP\NPFMNTOR.EXE c:\windows\system32\nvsvc32.exe . ************************************************************************** . Completion time: 2009-09-02 23:14 - machine was rebooted ComboFix-quarantined-files.txt 2009-09-02 04:14 Pre-Run: 32,748,728,320 bytes free Post-Run: 34,347,659,264 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn 170 --- E O F --- 2009-08-12 12:07
  7. ligerjack
    Good news: I uninstalled MBAM and was able to download it again and install. I was able to run it using the "run as" trick and unchecking the "protect my computer" box. I ran a complete quick scan with log report below. It ran to completion and reported being able to successfully address all of the listed infections. It then stated it had to reboot. The antivirus pro and pc spyware 2010 icons are gone from the desktop upon reboot. Bad news: upon rebooting and before the desktop came up, I received the old error dialog box - "Windows cannot open this file: mbamgui.exe. To open this file windows needs to know what program created it ........". It also gave me another one after I clicked cancel regarding mbam.exe, so I don't know if the quarantining process was complete. Also, when I try regular left clicking of programs (e.g. opera) I still get the "This file does not have a program associated with it..." error. As noted I can apparent open things by right clicking run as and then unchecking the "protect my computer". I did another MBAM quick scan and no infections came up. I'll try a regular scan next. What's next - combofix or hijack this? Or both? Here's the MBAM log Malwarebytes' Anti-Malware 1.40 Database version: 2715 Windows 5.1.2600 Service Pack 2 8/30/2009 12:50:17 AM mbam-log-2009-08-30 (00-50-17).txt Scan type: Quick Scan Objects scanned: 100114 Time elapsed: 15 minute(s), 9 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 13 Registry Values Infected: 5 Registry Data Items Infected: 5 Folders Infected: 6 Files Infected: 61 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Dropper) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pc_antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: C:\Program Files\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\Program Files\PC_Antispyware2010\data (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\Program Files\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Start Menu\Programs\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Start Menu\Programs\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully. Files Infected: C:\Program Files\Shared\lib.dll (Trojan.BHO) -> Quarantined and deleted successfully. C:\WINDOWS\system32\dddesot.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\RECYCLER\S-1-5-21-73586283-706699826-839522115-1003\Dc6.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\UACeewdpayxoo.dll (Trojan.TDSS) -> Quarantined and deleted successfully. C:\WINDOWS\system32\UACxjkaxlqgoo.dll (Rogue.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\mdm.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\smss.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\1895136240.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\1909031596.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\199.tmp (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\winamp.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\winlogon.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\install.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\services.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\system.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\784387694.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\notepad.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\ueja73hkjd.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Program Files\PC_Antispyware2010\AVEngn.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\Program Files\PC_Antispyware2010\htmlayout.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\Program Files\PC_Antispyware2010\pthreadVC2.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\Program Files\PC_Antispyware2010\Uninstall.exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\Program Files\PC_Antispyware2010\wscui.cpl (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\Program Files\PC_Antispyware2010\data\daily.cvd (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\Program Files\Windows AntiVirus Pro\msvcm80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully. C:\Program Files\Windows AntiVirus Pro\msvcp80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully. C:\Program Files\Windows AntiVirus Pro\msvcr80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully. C:\Program Files\Windows AntiVirus Pro\Windows Antivirus Pro.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Start Menu\Programs\Windows AntiVirus Pro\Windows Antivirus Pro.lnk (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Desktop\PC_Antispyware2010.lnk (Rogue.PCAntispy) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Desktop\Windows Antivirus Pro.lnk (Rogue.WindowsAntiVirus2008) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully. C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\tmpwr2 (Rogue.Install) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\tmpwr3 (Rogue.Install) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\tmpwr4 (Rogue.Install) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\tmpwr5 (Rogue.Install) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\tmpwr6 (Rogue.Install) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\tmpwr7 (Rogue.Install) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\tmpwr8 (Rogue.Install) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Local Settings\Temp\tmpwr9 (Rogue.Install) -> Quarantined and deleted successfully. C:\WINDOWS\system32\UACpjyidomppy.dll (Trojan.TDSS) -> Quarantined and deleted successfully. C:\WINDOWS\system32\UACtuhalttddc.dll (Trojan.TDSS) -> Quarantined and deleted successfully. C:\WINDOWS\system32\UACvkkksxobnl.dat (Trojan.TDSS) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\UACruodtvrqcb.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
  8. ligerjack
    I was actually just able to run avenger without errors and it rebooted, when it got back to the desktop a message popped up that said "cannot fined cleanup.exe....." (I avoided the above referenced errors by unchecking the box next to the "protect my computer and data from unauthorized program activity in the "run as" dialog box). I also did not get a command prompt screen. I found an avenger text log which follows on the c drive main directory. I also found a cleanup.bat file which I clicked on and it disappeared. Tried run MBAM - still get the "windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item." Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! File move operation "C:\WINDOWS\ServicePackFiles\i386\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully. Completed script processing. ******************* Finished! Terminate.
  9. ligerjack
    No dice. I can get avenger open by right clicking and then clicking on "run as". However, when I try to execute that code, I get the first prompt, but then a series of error messages like -- error: can't open file 'c:\zip.exe' (error 5:access denied) followed by error: could not open zipfile aborting execution! (error 6: the handle is invalid), and then Error: can't open file 'c:\avenger.txt' (error 5:access denied) and then perhaps another error.
  10. ligerjack
    When I try to run the bolded text - I get a message saying "Windows cannot open this file: Win32kDiag.exe. To open this file, Windows needs to know what program created it. Windows can go online to look it up automatically, or you can manually select from a list ....."
  11. ligerjack
    I downloaded and ran Win32Kdiag and will post the log below. I will also mention that I updated Norton Antivirus - which appeared to update fine. However, when I attempted to launch it to run a scan -- nothing. While I was running the Win32Kdiag, however, Norton alert popped up and indicated it had nabbed 6 viruses or trojans and that I should restart. I let win32kdiag finish and then rebooted. Now instead of the three or four little icons in the system tray, I just have two new installed programs - the so-called Windows Antivirus Pro and the PC_Antispyware. Additionally the virus has appeared to have knocked out norton from the system tray but the pop-ups appear to have stopped. Worse - every program I click on says "This file does not have a program associated with it....." I get this not just from clicking on shortcuts but the actual program .exe files. I then attempted to manually delete some files with a modified date of 3/23/09 (when the virus struck), but it wouldn't delete in normal mode. Those files did delete in safe mode. The only way I was able to get on the internet is that we had some website shortcuts saved to the desktop that appear to be working now. Anyway here is the win32kdiag log. Let me know if you want to run it again since the thing with Norton happened right in the middle of its running. Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt WARNING: Could not get backup privileges! Searching 'C:\WINDOWS'... Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\addins\addins Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP210.tmp\ZAP210.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP26F.tmp\ZAP26F.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP40D.tmp\ZAP40D.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP428.tmp\ZAP428.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP448.tmp\ZAP448.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\temp\temp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\tmp\tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Config\Config Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Debug\UserMode\UserMode Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\chsime\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imejp\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imejp98\imejp98 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\shared\res\res Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\java\classes\classes Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\java\trustlib\trustlib Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\mui\mui Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QHEADLES\QHEADLES Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QSIGNOFF\QSIGNOFF Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\PCHealth\ErrorRep\UserDumps\UserDumps Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH Mount point destination : \Device\__max++>\^ Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe [1] 2003-03-31 07:00:00 703488 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation) [1] 2004-08-04 02:56:50 743936 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe () [1] 2004-08-04 02:56:50 743936 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation) [1] 2008-04-13 19:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\helpsvc.exe (Microsoft Corporation) Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\PIF\PIF Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\10 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1025\1025 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1028\1028 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1031\1031 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1037\1037 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1041\1041 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1042\1042 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1054\1054 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\2052\2052 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\3076\3076 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\Adobe\update\update Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\dhcp\dhcp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn Mount point destination : \Device\__max++>\^ Cannot access: C:\WINDOWS\system32\eventlog.dll [1] 2003-03-31 07:00:00 49152 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation) [1] 2004-08-04 02:56:42 55808 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation) [1] 2008-04-13 19:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation) [1] 2004-08-04 02:56:42 62464 C:\WINDOWS\system32\eventlog.dll () [2] 2004-08-04 02:56:42 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation) Found mount point : C:\WINDOWS\system32\export\export Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\Futuremark\MSC\MSC Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\Macromed\update\update Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\sample\sample Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS Mount point destination : \Device\__max++>\^ Cannot access: C:\WINDOWS\system32\wbem\Logs\FrameWork.log [1] 2009-08-26 23:24:21 1040 C:\WINDOWS\system32\wbem\Logs\FrameWork.log () Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\wins\wins Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\xircom\xircom Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Temp\slu4412.tmp\slu4412.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp Mount point destination : \Device\__max++>\^ Finished!
  12. ligerjack
    Got a virus last night just surfing the Net (no downloads/risky sites). Running XP home with SP2 and I believe all the most recent XP updates. It appears to be one of the fake antivirus programs (maybe called antivirus pro or something like that). (little white cross in red background in the system tray at the lower right corner - with the popup about having spotted an infection on my computer). Norton Antivirus with relatively recent definitions (updated about two or three weeks ago) spotted the thing breaking in but could not do anything about it. A Norton scan doesn't get very far but does say trojan metajuan is present (but can't be removed). Anywho this monster won't let me run MBAM (I had it already installed and was updated as of 8/15/09). It also gives me popups saying that I don't have permission to edit the registry. When I tried a restore point it said something similar - that I don't have permission. It has even prevented imgburn from accessing my CD writer and DVD writer to prevent me from evacuating files (insidious). I tried the trick of renaming MBAM and it loaded. I did not update, but just started the quick scan. The quick scan lasted about 10 seconds and then the program closed. Now when I try to load or even rename it says something about the disk being write-protected (this is true in both safe and regular mode). The most recent time I tried to access the internet there now appears to be 4 or 5 of these fake programs running (I have 3 or 4 different little icons in the system tray). Sorry I don't know what the specific infection is, but given that it seems to be rapidly shutting down access to the computer I thought I'd see if anyone had seen this before. I really don't want to reformat (and by the way this thing has taken over, I'm not sure it will let me anyway). Any help is greatly appreciated.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.