Computer Crippled, Need Assistance


keithbk

Well, it looks like the forum has recovered from a crash and the account I had previously was gone, so I re-signed up... Here we go...

A summary of my problems:

My son's laptop was infected with malware, which I believe I was able to detect and dispose of with Spybot Search and Destroy. However, the computer still has the following problems:

Microsoft Internet Explorer will not load ANY pages; all attempts end up with error *website url* unavailable at this time.

I cannot get any Microsoft Updates

I cannot get any "Microsoft FixIt" programs to work

I appear to be unable to install ANY new programs (including MalwareBytes) that populate the Start Menu>All Programs group.

Double-clicking on an Icon on the desktop does nothing. I have to right click everything and tell it to "Open."

We had started the process of running some reports; it looks like we will need to start over. I will attempt to reload new reports from the programs that were requested, including the ComboFix log.

ComboFix 12-11-02.02 - Keith 11/02/2012 17:49:07.5.2 - x86

Running from: c:\documents and settings\Keith\My Documents\Downloads\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2012-10-02 to 2012-11-02 )))))))))))))))))))))))))))))))

.

.

2012-10-30 23:31 . 2012-10-31 00:14 -------- d-----w- C:\43f790986d3033110246f071

2012-10-30 22:40 . 2012-10-30 22:44 -------- d-----w- c:\program files\Free Window Registry Repair

2012-10-30 22:33 . 2012-10-30 22:33 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ErrorEND

2012-10-30 22:20 . 2012-10-30 22:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee

2012-10-30 09:06 . 2012-10-30 11:26 -------- d-----w- C:\c72af988d5de3091d39ac34930f6a07f

2012-10-30 05:10 . 2012-10-30 05:10 -------- d-----w- c:\program files\Probit Software

2012-10-30 02:18 . 2012-10-30 05:36 -------- d-----w- C:\95f515fb5263b23bb52f18427036

2012-10-30 01:16 . 2012-10-30 23:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-10-30 01:16 . 2012-09-29 23:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-10-29 22:34 . 2012-10-29 22:34 -------- d-----w- c:\windows\tracing

2012-10-29 22:29 . 2012-10-29 22:34 -------- d-----w- c:\program files\Support Tools

2012-10-29 00:26 . 2012-10-29 00:26 -------- d-----w- C:\eeb21668ba4771c67303cffb2380bd

2012-10-28 23:03 . 2012-10-28 23:09 -------- d-----w- C:\96a35c32e70f6ca89501afd05475b7

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-24 19:32 . 2012-05-07 21:11 477168 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-09-24 19:32 . 2012-05-07 21:11 473072 ----a-w- c:\windows\system32\deployJava1.dll

2012-09-24 17:51 . 2008-05-15 22:59 73728 ----a-w- c:\windows\system32\javacpl.cpl

2007-11-10 00:09 . 2007-11-10 00:09 774144 ----a-w- c:\program files\RngInterstitial.dll

2007-09-16 06:35 . 2008-04-07 17:20 66408 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2007-09-16 06:35 . 2008-04-07 17:20 54112 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2007-09-16 06:35 . 2008-04-07 17:20 34688 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2007-09-16 06:35 . 2008-04-07 17:20 46456 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2007-09-16 06:35 . 2008-04-07 17:20 171880 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Easy Driver Pro"="c:\program files\Probit Software\Easy Driver Pro\DPLauncher.exe" [2012-09-23 147312]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]

"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-05-22 33280]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SynchronousMachineGroupPolicy"= 0 (0x0)

"SynchronousUserGroupPolicy"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoPopUpsOnBoot"= 1 (0x1)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRecentDocsNetHood"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2008-04-08 17:07 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@=""

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

.

R0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [x]

R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [x]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]

R3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\DRIVERS\swnc8u56.sys [x]

R3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\DRIVERS\swumx56.sys [x]

S2 gupdate1cad1f486b49ef4;Google Update Service (gupdate1cad1f486b49ef4);c:\program files\Google\Update\GoogleUpdate.exe [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-01 23:39]

.

2012-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-01 23:39]

.

2012-11-02 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2010-09-29 03:44]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.drudgereport.com/

IE: E&xport to Microsoft Excel

IE: Send To &Bluetooth

LSP: bmnet.dll

TCP: DhcpNameServer = 192.168.1.1

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-11-02 18:04

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,69,4c,78,83,1a,d3,bb,42,b6,dc,dd,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,69,4c,78,83,1a,d3,bb,42,b6,dc,dd,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@DACL=(02 0010)

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@DACL=(02 0010)

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(868)

c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll

.

- - - - - - - > 'lsass.exe'(928)

c:\windows\system32\bmnet.dll

.

- - - - - - - > 'explorer.exe'(3968)

c:\windows\system32\bmnet.dll

c:\windows\system32\WPDShServiceObj.dll

.

Completion time: 2012-11-02 18:08:15

ComboFix-quarantined-files.txt 2012-11-02 22:08

ComboFix2.txt 2012-10-31 21:16

ComboFix3.txt 2012-10-30 22:18

ComboFix4.txt 2012-10-29 12:23

.

Pre-Run: 25,157,193,728 bytes free

Post-Run: 25,140,211,712 bytes free

.

- - End Of File - - 11B01567C0865DF277778D2624F2E5D1

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 6:20:16 PM, on 11/2/2012

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Keith\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [Easy Driver Pro] C:\Program Files\Probit Software\Easy Driver Pro\DPLauncher.exe

O4 - HKUS\S-1-5-21-1844237615-1972579041-682003330-1003\..\Run: [Easy Driver Pro] C:\Program Files\Probit Software\Easy Driver Pro\DPLauncher.exe (User '?')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -

O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -

O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} (Java Plug-in 1.6.0_14) -

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Snowy%20-%20Lunch%20Rush/Images/armhelper.ocx

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} -

O18 - Filter hijack: application/octet-stream - (no CLSID) - (no file)

O18 - Filter hijack: application/x-complus - (no CLSID) - (no file)

O18 - Filter hijack: application/x-msdownload - (no CLSID) - (no file)

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe

O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe

O23 - Service: Google Update Service (gupdate1cad1f486b49ef4) (gupdate1cad1f486b49ef4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 5948 bytes
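A small triage parser for HijackThis-style log lines, added here as an example (it is not part of the thread and not HijackThis's own code). It embeds a constructed sample assembled from lines in the log above and flags the entry types a removal helper reads first: BHOs with no backing file, unknown Winsock LSP modules such as bmnet.dll, MIME filter hijacks with no CLSID, ActiveX objects loaded from local file:// paths, and services with no vendor information.

```python
"""Triage helper for HijackThis-style "Oxx - ..." log entries.

Added example, not code from the thread or from Trend Micro's HijackThis.
The heuristics only reproduce what the log itself already marks as
unusual; every flagged line still needs a human to decide what it is.
"""
import re
from collections import Counter

# Constructed sample built from lines that appear in the posted log.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\\..\\Run: [ehTray] C:\\WINDOWS\\ehome\\ehtray.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Snowy%20-%20Lunch%20Rush/Images/armhelper.ocx
O18 - Filter hijack: application/x-msdownload - (no CLSID) - (no file)
O23 - Service: DellAMBrokerService - Unknown owner - C:\\Program Files\\DellAutomatedPCTuneUp\\brkrsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\\Program Files\\Java\\jre6\\bin\\jqs.exe
"""

# Every HijackThis finding starts with a section code (R0, O4, O23, ...)
# followed by " - "; header and "Running processes" lines do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Split a log into (code, body) tuples, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def flag_entry(code, body):
    """Return a short reason if the entry deserves a closer look, else None."""
    if code == "O2" and body.endswith("(no file)"):
        return "BHO registered but its DLL is missing (orphaned entry)"
    if code == "O10":
        # An LSP module HijackThis cannot attribute to a known vendor.
        # Damaged LSP chains are a classic cause of 'no page loads' symptoms.
        module = body.split(":", 1)[1].strip()
        return f"unknown Winsock LSP module {module}"
    if code == "O16" and "file:///" in body:
        return "ActiveX control sourced from a local file:// path"
    if code == "O18" and "(no CLSID)" in body:
        mime = body.split(":", 1)[1].split(" - ")[0].strip()
        return f"MIME filter for {mime} hijacked with no handler"
    if code == "O23" and " - Unknown owner - " in body:
        return "service with no vendor information"
    return None


def triage(text):
    """Return (code, reason, body) for every flagged entry, in log order."""
    flagged = []
    for code, body in parse_entries(text):
        reason = flag_entry(code, body)
        if reason:
            flagged.append((code, reason, body))
    return flagged


def lsp_module_counts(text):
    """Count O10 references per module; repeats hint at a corrupted LSP chain."""
    modules = [b.split(":", 1)[1].strip() for c, b in parse_entries(text) if c == "O10"]
    return dict(Counter(modules))


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {body}")
    print("LSP module counts:", lsp_module_counts(SAMPLE_LOG))
```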


Hello keithbk. :)

The forum experienced a serious crash, and lost just over a week's worth of posts.

Please download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows, OTL.txt and Extras.txt. These are saved in the same location as OTL. Post the contents of both logs in this thread.
  • You may need to use two posts to get it all.


Hey keithbk,

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com).

  • There are 3 different versions. If one of them won't run then download and try to run the other one.
  • Vista and Win7 users need to right click and choose Run as Admin.
  • You only need to get one of them to run, not all of them.

rkill.exe

rkill.com

rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the Desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

===

Please do not reboot your computer.

Then, please reboot into Safe Mode (reboot and press F8 repeatedly to bring up the Advanced Boot Menu).

Before proceeding any further the processes that belong to Windows Recovery need to be terminated so that it does not interfere with the cleaning procedure.

Double-click on the RKill.exe icon in order to automatically attempt to stop any processes associated with Windows Recovery and other Rogue programs.

Once you have run Rkill, please try OTL and see if it runs now.


Okay, rebooted in Safe Mode, ran RKILL successfully; could not run OTL, however. Still "Encounters problem, has to close."

RKILL's Log Follows:

Rkill 2.4.3 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2012 BleepingComputer.com

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/03/2012 06:54:05 PM in x86 mode.

Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* AFD (AFD) is not Running.

Startup Type set to: System

* DHCP Client (Dhcp) is not Running.

Startup Type set to: Automatic

* DNS Client (Dnscache) is not Running.

Startup Type set to: Automatic

* COM+ Event System (EventSystem) is not Running.

Startup Type set to: Manual

* Network Connections (Netman) is not Running.

Startup Type set to: Manual

* Security Center (wscsvc) is not Running.

Startup Type set to: Automatic

* Automatic Updates (wuauserv) is not Running.

Startup Type set to: Automatic

* AFD (AFD) is not Running.

Startup Type set to: System

* IPSEC driver (IPSec) is not Running.

Startup Type set to: System

* NetBios over Tcpip (NetBT) is not Running.

Startup Type set to: System

* TCP/IP Protocol Driver (Tcpip) is not Running.

Startup Type set to: System

* RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [incorrect ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 11/03/2012 06:55:04 PM

Execution time: 0 hours(s), 0 minute(s), and 58 seconds(s)


Hey keithbk,

Please try this tool instead.

For x32 (x86) bit systems please download the Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.

For x64 bit systems please download the Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer, find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your reply.


I am not getting any of the System Recovery Options information during a reboot, either from F8'ing during reboot, nor from the Windows Installation Disk.

I am given the following choices when performing a reboot from the Windows Install Disc:

To Setup Windows XP now, press ENTER.

To repair a Windows XP installation using Recovery Console, press R.

To quit...press F3

I press "R" for Repair

Now, in a DOS environment, I am given the prompt:

1: C:\WINDOWS

Which Windows installation would you like to log onto (to cancel, press ENTER):

I select 1

I am now at:

C:\WINDOWS

From here, I can do little else, other than run typical DOS commands. I am never prompted on a Keyboard language setting (this is a laptop, however, so I do not know if that makes a difference), nor do I see a System Recovery Options menu.


It sounds like you are reaching a Command Prompt window. Please do the below once you get back to that window:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer, find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your reply.


Notepad will only open in a Windows environment. Windows has not loaded in the "R" Repair command prompt, therefore when I type "NOTEPAD," I receive an alert that it is an invalid command. Because FRST is not a recognized system command, it cannot be run, even though I can navigate to the flash drive through the command prompt through "CD E:\" and I can "DIR" and see the "FRST.EXE" in the list.


Hey keithbk. :)

Please try this tool instead.

Please download to the Desktop RogueKiller (by tigzy).

  • Please quit all programs.
  • Start RogueKiller.exe.
  • Wait until Prescan has finished.
  • Click on Scan.
  • Click on Report and copy/paste the contents of the report in your next reply.


RogueKiller V8.2.2 [11/03/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Keith [Admin rights]

Mode : Scan -- Date : 11/04/2012 19:17:48

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++

--- User ---

[MBR] a9bb472fb51553fabadeb1bfe4f4dfe2

[BSP] 0865dbc3033a5b0d1557ae0b87d99f0b : Windows XP MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 69845 Mo

2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 143123085 | Size: 4988 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: +++++

--- User ---

[MBR] 7eefe80158445dfa59d8801259b2bc1f

[BSP] 078a21b77873f5421b268438ba46d2c4 : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 38 | Size: 3827 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1]_S_11042012_02d1917.txt >>


Hey keithbk,

Nothing in your logs so far.

Please give these tools a go.

Please download HitmanPro.

  • For 32-bit Operating System: download link (a mirror is also available).
  • For 64-bit Operating System: download link (a mirror is also available).
  • Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users right click on the HitmanPro icon and select Run as administrator).
  • Click on the next button. You must agree with the terms of EULA.
  • Check the box beside "No, I only want to perform a one-time scan to check this computer".
  • Click on the next button.
  • The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.
  • When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!
  • Click on the next button.
  • Click on the "Export scan results to XML file".
  • Save that file to your Desktop and zip and attach it in your next reply.

=====

Also, please download the Kaspersky Virus Removal Tool from here to your Desktop.

Double-click the Removal Tool.

Click the cog in the upper right corner:

Select down to and including your main drive.

Once done please select the Automatic Scan tab and press Start Scan.

Allow AVP to delete all infections found.

Once it has finished select the Report tab.

Select the Detected threats report from the left and press the Save button.

Save it to your Desktop and post the contents in your next reply.

=====

In your reply please post the contents of the logs from HitmanPro and Kaspersky.



HitmanPro 3.6.2.173
www.hitmanpro.com

Computer name . . . . : LAPTOP
Windows . . . . . . . : 5.1.3.2600.X86/2
User name . . . . . . : LAPTOP\Keith
License . . . . . . . : Trial (31 days left)

Scan date . . . . . . : 2012-11-04 19:55:07
Scan mode . . . . . . : Normal
Scan duration . . . . : 5m 44s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 0
Traces . . . . . . . : 37

Objects scanned . . . : 1,233,537
Files scanned . . . . : 46,660
Remnants scanned . . : 408,313 files / 778,564 keys

Suspicious files ____________________________________________________________

C:\Documents and Settings\i011768\Start Menu\Programs\DragonStone\lntnwxn.exe
Size . . . . . . . : 988,488 bytes
Age . . . . . . . : 1675.0 days (2008-04-04 20:20:56)
Entropy . . . . . : 7.1
SHA-256 . . . . . : B284940C2E6D3575377C15FC4E0AED490409252E4F525249D8209AC2F69F1A65
Product . . . . . : DragonStone™
Publisher . . . . : pixelStorm entertainment studios Inc.
Description . . . : DragonStone™
Version . . . . . : 8.3.7.3650
Copyright . . . . : Copyright (C) 2008. pixelStorm Inc.
RSA Key Size . . . : 1024
Authenticode . . . : Blacklisted
Fuzzy . . . . . . : 104.0
Program is code signed with a known fraudulent certificate.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

C:\Documents and Settings\i011768\Start Menu\Programs\Jane`s Hotel - Family Hero\janeshotel.exe
Size . . . . . . . : 1,348,936 bytes
Age . . . . . . . : 1675.0 days (2008-04-04 20:19:23)
Entropy . . . . . : 7.7
SHA-256 . . . . . : 9E660DC77FE4E2D83FD95A9378783CD52F1FD4497F70B318476254C62947992E
RSA Key Size . . . : 1024
Authenticode . . . : Blacklisted
Fuzzy . . . . . . : 114.0
Program is code signed with a known fraudulent certificate.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.

C:\WINDOWS\system32\RGSS100J.dll
Size . . . . . . . : 771,584 bytes
Age . . . . . . . : 196.0 days (2012-04-22 19:12:44)
Entropy . . . . . : 7.7
SHA-256 . . . . . : F646E0B2DB58D8FA881DFDE3002B736DC374ECAAAB15852B91EC719DA7D3B90B
Fuzzy . . . . . . : 24.0
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
The .rsrc (resources) section in this program is set to executable. This is an indication of malware infection.
Program contains PE structure anomalies. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.

C:\WINDOWS\system32\RGSS102E.dll
Size . . . . . . . : 778,752 bytes
Age . . . . . . . : 196.0 days (2012-04-22 19:12:45)
Entropy . . . . . : 7.7
SHA-256 . . . . . : F079A18C0ABC9569429D402357E2DAA4FE2AF4CDBE3C002A5F05A70D33E7BFFB
Fuzzy . . . . . . : 24.0
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
The .rsrc (resources) section in this program is set to executable. This is an indication of malware infection.
Program contains PE structure anomalies. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.

C:\WINDOWS\system32\RGSS102J.dll
Size . . . . . . . : 781,312 bytes
Age . . . . . . . : 196.0 days (2012-04-22 19:12:44)
Entropy . . . . . : 7.7
SHA-256 . . . . . : AB4F7CCC49D56161B38E0DA0DEBB05B6F522B00B1C48356F776910934122278F
Fuzzy . . . . . . : 24.0
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
The .rsrc (resources) section in this program is set to executable. This is an indication of malware infection.
Program contains PE structure anomalies. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.

C:\WINDOWS\system32\RGSS103J.dll
Size . . . . . . . : 685,056 bytes
Age . . . . . . . : 196.0 days (2012-04-22 19:12:45)
Entropy . . . . . : 8.0
SHA-256 . . . . . : 899B0D3DF7829345223A1D4C29D1246C5EECEC8E6D84151791F8505F7DD3C039
Fuzzy . . . . . . : 23.0
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
The .rsrc (resources) section in this program is set to executable. This is an indication of malware infection.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.


Potential Unwanted Programs _________________________________________________

C:\Documents and Settings\Jonathan.DELLLAPTOP\Local Settings\Application Data\AskToolbar\ (AskBar)
C:\Documents and Settings\Jonathan.DELLLAPTOP\Local Settings\Application Data\AskToolbar\almost.xml (AskBar)
C:\Documents and Settings\Jonathan.DELLLAPTOP\Local Settings\Application Data\AskToolbar\cache.dat (AskBar)
C:\Documents and Settings\Jonathan.DELLLAPTOP\Local Settings\Application Data\AskToolbar\config.xml (AskBar)
C:\Documents and Settings\Jonathan.DELLLAPTOP\Local Settings\Application Data\AskToolbar\Downloaded Program Files\ (AskBar)
C:\Documents and Settings\Jonathan.DELLLAPTOP\Local Settings\Application Data\AskToolbar\Downloaded Program Files\xaddon.inf (AskBar)
C:\Documents and Settings\Jonathan.DELLLAPTOP\Local Settings\Application Data\AskToolbar\xaddon.cab (AskBar)
C:\Documents and Settings\Keith\Local Settings\Application Data\AskToolbar\ (AskBar)
C:\Documents and Settings\Keith\Local Settings\Application Data\AskToolbar\almost.xml (AskBar)
C:\Documents and Settings\Keith\Local Settings\Application Data\AskToolbar\cache.dat (AskBar)
C:\Documents and Settings\Keith\Local Settings\Application Data\AskToolbar\xaddon.cab (AskBar)
C:\Program Files\Ask.com\ (AskBar)
C:\Program Files\Ask.com\cobrand.ico (AskBar)
C:\Program Files\Ask.com\config.xml (AskBar)
C:\Program Files\Ask.com\favicon.ico (AskBar)
C:\Program Files\Ask.com\fv_aa.ico (AskBar)
C:\Program Files\Ask.com\mupcfg.xml (AskBar)
C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ (AskBar)
C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ARPPRODUCTICON.exe (AskBar)
Size . . . . . . . : 102,400 bytes
Age . . . . . . . : 714.3 days (2010-11-21 13:01:14)
Entropy . . . . . : 6.1
SHA-256 . . . . . : 092D64E5DB4FA21D6719B3A6A30AD06A2CB0E1F897357CD4935BECA52E921274
Product . . . . . : InstallShield
Publisher . . . . : Acresso Software Inc.
Description . . . : InstallShield
Version . . . . . : 16.0.328
Copyright . . . . : Copyright (C) 2009 Acresso Software Inc. and/or InstallShield Co. Inc. All Rights Reserved.
Fuzzy . . . . . . : 0.0

C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job (AskBar)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}\ (AskBar)
HKU\.DEFAULT\Software\AskToolbar\ (AskBar)
HKU\S-1-5-18\Software\AskToolbar\ (AskBar)
HKU\S-1-5-21-1844237615-1972579041-682003330-1003\Software\AskToolbar\ (AskBar)
HKU\S-1-5-21-1844237615-1972579041-682003330-1004\Software\AppDataLow\AskToolbarInfo\ (AskBar)
HKU\S-1-5-21-1844237615-1972579041-682003330-1004\Software\Ask.com\ (AskBar)
HKU\S-1-5-21-1844237615-1972579041-682003330-1004\Software\AskToolbar\ (AskBar)
HKU\S-1-5-21-1844237615-1972579041-682003330-1004\Software\Microsoft\Internet Explorer\Approved Extensions\{9D717F81-9148-4F12-8568-69135F087DB0} (SearchQU)
HKU\S-1-5-21-1844237615-1972579041-682003330-1004\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}\ (AskBar)
HKU\S-1-5-21-1844237615-1972579041-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9D717F81-9148-4f12-8568-69135F087DB0},\ (SearchQU)
HKU\S-1-5-21-1844237615-1972579041-682003330-1004\Software\Softonic\ (Softonic)


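The HitmanPro entries above spell out two of the tool's heuristics: entropy of 7.1 to 8.0 means the file is likely packed or encrypted, and a .rsrc section marked executable is unusual for legitimate binaries. The following is an added Python example, not HitmanPro's code or anything posted in this thread, showing how both checks are read from a PE file's section table with the standard library alone; the two PE images, the 7.0 threshold and the per-section scoring are constructed assumptions for illustration.

```python
import math
import struct

IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ = 0x20000000, 0x40000000
HIGH_ENTROPY = 7.0   # assumed threshold; the log above flags files of 7.1 to 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe: bytes) -> list:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size             # 20-byte COFF header, then the optional header
    sections = []
    for i in range(nsect):
        (name, vsize, _, raw_size, raw_ptr, _, _, _, _,
         flags) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + min(vsize, raw_size)]   # VirtualSize excludes padding
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "flags": flags, "entropy": shannon_entropy(data)})
    return sections

def assess(pe: bytes) -> list:
    """Findings phrased like the HitmanPro lines quoted in this thread."""
    findings = []
    for s in parse_sections(pe):
        if s["name"] == ".rsrc" and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(".rsrc section is executable")
        if s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"{s['name']} entropy {s['entropy']:.1f} (packed/encrypted?)")
    return findings

def build_pe(sections) -> bytes:  # minimal PE32 image from (name, flags, data); test input only
    align = lambda n: (n + 0x1FF) // 0x200 * 0x200    # 0x200 file alignment
    opt_size = 224                                      # standard PE32 optional header
    hdr_size = align(0x40 + 4 + 20 + opt_size + 40 * len(sections))
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")   # PE32 magic, rest zeroed
    table, body, raw_ptr = b"", b"", hdr_size
    for i, (name, flags, data) in enumerate(sections):
        raw = data.ljust(align(len(data)), b"\0")
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             0x1000 * (i + 1), len(raw), raw_ptr, 0, 0, 0, 0, flags)
        body, raw_ptr = body + raw, raw_ptr + len(raw)
    return (bytes(dos) + b"PE\0\0" + coff + opt + table).ljust(hdr_size, b"\0") + body

# Constructed samples: ordinary code and resources, versus packed code plus an executable .rsrc.
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
CLEAN_PE = build_pe([(".text", CODE, b"\x90" * 512 + b"\xc3"),
                     (".rsrc", DATA, b"STRINGTABLE " * 40)])
SUSPECT_PE = build_pe([(".text", CODE, bytes(range(256)) * 16),
                       (".rsrc", DATA | IMAGE_SCN_MEM_EXECUTE, b"\x00" * 256)])
```

Calling assess() on a real file read in binary mode gives the same two kinds of findings; the thresholds are a starting point, not a verdict, since legitimate installers and compressed resources also score high.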

11/4/2012 11:15:50 PM Not processed C:\pagefile.sys Object is locked

11/4/2012 8:10:37 PM Not processed C:\pagefile.sys Object is locked

11/4/2012 10:40:13 PM Detected: not-a-virus:AdWare.Win32.MegaSearch.o C:\System Volume Information\_restore{3AB79E91-EC9A-4FD7-88AB-B73BA54C3737}\RP522\A0301614.old

11/4/2012 8:37:36 PM Detected: not-a-virus:AdWare.Win32.MegaSearch.o C:\Documents and Settings\Jonathan.DELLLAPTOP\Application Data\IObit\Advanced SystemCare V6\Disk Cleaner\EGAMES~11.old

11/4/2012 9:00:39 PM Detected: not-a-virus:AdWare.Win32.Gamevance.s C:\Documents and Settings\Keith\.housecall6.6\Quarantine\gamevance32.exe.bac_a01308/CryptFF.b

11/4/2012 9:00:39 PM Detected: not-a-virus:AdWare.Win32.Gamevance.heur C:\Documents and Settings\Keith\.housecall6.6\Quarantine\gvutil.dll.bac_a01308/CryptFF.b

11/4/2012 10:40:25 PM Detected: UDS:DangerousObject.Multi.Generic C:\System Volume Information\_restore{3AB79E91-EC9A-4FD7-88AB-B73BA54C3737}\RP522\A0301615.exe KSN service

11/4/2012 9:15:19 PM Detected: UDS:DangerousObject.Multi.Generic C:\My Games\Bugix\BugixRA.exe KSN service

11/4/2012 10:42:58 PM Deleted: not-a-virus:AdWare.Win32.MegaSearch.o C:\System Volume Information\_restore{3AB79E91-EC9A-4FD7-88AB-B73BA54C3737}\RP522\A0301614.old

11/4/2012 8:42:36 PM Deleted: not-a-virus:AdWare.Win32.MegaSearch.o C:\Documents and Settings\Jonathan.DELLLAPTOP\Application Data\IObit\Advanced SystemCare V6\Disk Cleaner\EGAMES~11.old

11/4/2012 9:03:08 PM Deleted: not-a-virus:AdWare.Win32.Gamevance.s C:\Documents and Settings\Keith\.housecall6.6\Quarantine\gamevance32.exe.bac_a01308

11/4/2012 9:02:18 PM Deleted: not-a-virus:AdWare.Win32.Gamevance.heur C:\Documents and Settings\Keith\.housecall6.6\Quarantine\gvutil.dll.bac_a01308

11/4/2012 10:43:19 PM Deleted: UDS:DangerousObject.Multi.Generic C:\System Volume Information\_restore{3AB79E91-EC9A-4FD7-88AB-B73BA54C3737}\RP522\A0301615.exe

11/4/2012 9:17:19 PM Deleted: UDS:DangerousObject.Multi.Generic C:\My Games\Bugix\BugixRA.exe

11/4/2012 8:32:06 PM Corrupted C:\Documents and Settings\i011768\Local Settings\Application Data\Microsoft\Messenger\engdaniel@hotmail.com\SharingMetadata\willyling@hotmail.com\DFSR\Staging\CS{5ECECA5E-D5D0-3556-C28F-4664266B302C}\39\39-{D293A446-5CF2-4ADC-B0DA-88A6D3144652}-v39-{D293A446-5CF2-4ADC-B0DA-88A6D3144652}-v39-Downloaded.frx/stretching.MPG


All the original problems still exist.

Internet Explorer will not load ANY websites. Attempting to navigate results in "*website* is currently unavailable" error.

Icons do not appear properly on most programs, even when going to "Properties," selecting an Icon, and hitting "Apply."

Cannot install Malwarebytes; I receive an error message regarding "CoCreateInstance failed; code 0x80040154"

Any new programs I attempt to install do not populate the Programs list from the Start Menu (most just say "Empty" upon installation attempt)

Cannot run any Microsoft FixIts, cannot reach Microsoft Updates

All these problems exist whether using my account (which has Administrator capabilities), or whether logged into the Administrator account.

I think we got the traces of malware out; I think there is residual damage that needs to be repaired, but I have not had any success using the Windows XP operating system disc (it actually asks for a 2nd disc to be inserted partway through a repair, which simply does not exist--at least, I've never had a 2nd OS disc).


Hey keithbk,

Please download Windows Repair (all in one) from this site.

Install the program then run it.

Go to Step 2 and allow it to run CheckDisk by clicking on the Do It button:

Once that is done then go to Step 3 and allow it to run System File Check by clicking on the Do It button:

Go to Step 4 and under "System Restore" click on the Create button:

Go to Start Repairs tab and click the Start button.

Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

Click on box next to the Restart System when Finished. Then click on Start.

Do the issues still remain?


Hey keithbk,

OK. Let's address the issues with your programs first.

Please go to this site:

http://www.winhelponline.com/blog/restore-exe-file-asso-windows-7-vista-incorrectly-associated/

Download and use the exefix_cu.reg fix. Let me know if you still can't install any programs.


I am now caught in a loop...

I attempted to go back and run the Repair function from the Windows XP CD, hoping that the last procedure might have helped.

The system goes through a boot, copying files, ends up in Safe Mode, then tells me the repair cannot take place in Safe Mode, and forces a reboot. I try to break out of this cycle, but I cannot (even by selecting "Boot Windows Normally" or trying to do something through the Windows CD). The ONLY thing I can do is end up at the C:/Windows prompt outside of watching the computer trying to reboot over and over again.

