
Struggling with Virtumonde (I think): MBAM won't install or run correctly



For the past couple of weeks my computer has basically been locked up by some malware. It keeps the most popular programs like IE and Windows Media Player, and most games, from working; it has affected the correct operation of DLLs and prevented most installs from happening, and when I try to run programs that are installed, like Word, it just brings up a frozen installer.

Now I have scanned with Spybot and F-Prot, and they either didn't get anything or "fixed it", but nothing changed. Trend Micro HouseCall picked up a bunch of stuff and said it fixed it, but nothing really changed. Less popular or non-Microsoft programs like Firefox (what I'm using now), QuickTime, iTunes, etc. work, however.

So at least a couple of times I have thought I deleted the Virtumonde files, but nothing changed after their deletion. I tried to install MBAM (changed the exe name multiple times, to no avail), but I kept getting the "Runtime error 0 Acceleration Grid, etc." and "MBAM Runtime 404" errors, and a "CoCreateInstance failed; code 0x80040154. Class not registered." error when the .lnk files tried to install. So MBAM installs, but these errors come up both during install and when I try to run it. I have seen other people's topics where MBAM eliminated their problems, so I hope to get it installed and let it have a crack.

I have found some suspicious files, like one related to a malware I got last year:

C:\WINDOWS\SysWOW64\Drivers\ylcgcuoq.dat

and also wsil32.dll, which I'm not sure about.

In addition, an attempted install of SUPERAntiSpyware gives the same CoCreateInstance error, and I have already tried a number of specific Virtumonde fix programs.

PLEASE HELP! I have tried all I can by myself before bugging y'all with this problem, but I need some more experienced help with this now, so I'll roll out the logs.

Gmer log

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-03-01 00:19:34

Windows 5.2.3790 Service Pack 2

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

---- EOF - GMER 1.0.14 ----

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:23 AM, on 03/01/2009

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

C:\Program Files (x86)\Java\jre6\bin\jqs.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\SysWOW64\PnkBstrA.exe

C:\WINDOWS\SysWOW64\wwSecure.exe

C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe

C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\SysWOW64\ctfmon.exe

C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe

C:\Program Files (x86)\Java\jre6\bin\jusched.exe

C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe

C:\Program Files (x86)\iPod\bin\iPodService.exe

C:\Documents and Settings\Administrator\Desktop\system health tools\gmer.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

O1 - Hosts: be placed in the first column followed by the corresponding host name.

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)

O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')

O4 - HKUS\S-1-5-21-2712546392-667894355-3133765092-500\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User '?')

O4 - HKUS\S-1-5-21-2712546392-667894355-3133765092-500\..\Run: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (User '?')

O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User '?')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')

O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)

O15 - ESC Trusted Zone: http://runonce.msn.com

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - http://upload.facebook.com/controls/2008.1...kPhotoUploader5.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2004061...icro.com/housecall/xscan53.cab

O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} - http://www.livemetallica.com/nugster/dlControl.CAB

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.com/files/driveragent.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - (no file)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)

O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files (x86)\Java\jre6\bin\jqs.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)

O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)

O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe (file missing)

O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--

End of file - 8121 bytes

Deckard's System Scanner

Deckard's System Scanner v20071014.68

Run by Administrator on 2009-03-01 00:25:21

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:25 AM, on 03/01/2009

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

C:\Program Files (x86)\Java\jre6\bin\jqs.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\SysWOW64\PnkBstrA.exe

C:\WINDOWS\SysWOW64\wwSecure.exe

C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe

C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\SysWOW64\ctfmon.exe

C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe

C:\Program Files (x86)\Java\jre6\bin\jusched.exe

C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe

C:\Program Files (x86)\iPod\bin\iPodService.exe

C:\Documents and Settings\Administrator\Desktop\system health tools\gmer.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Administrator\Desktop\system health tools\dss.exe

C:\PROGRA~2\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

O1 - Hosts: be placed in the first column followed by the corresponding host name.

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)

O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')

O4 - HKUS\S-1-5-21-2712546392-667894355-3133765092-500\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User '?')

O4 - HKUS\S-1-5-21-2712546392-667894355-3133765092-500\..\Run: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (User '?')

O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User '?')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')

O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)

O15 - ESC Trusted Zone: http://runonce.msn.com

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} - http://www.livemetallica.com/nugster/dlControl.CAB

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.com/files/driveragent.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - (no file)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)

O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files (x86)\Java\jre6\bin\jqs.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)

O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)

O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe (file missing)

O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--

End of file - 8180 bytes

-- Files created between 2009-02-01 and 2009-03-01 -----------------------------

2009-02-28 22:19:43 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2009-02-28 21:08:27 0 d-------- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2009-02-16 20:16:38 0 d-------- C:\VundoFix Backups

2009-02-16 02:51:29 0 d-------- C:\Documents and Settings\Administrator\.housecall6.6

2009-02-15 01:07:42 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI

2009-02-15 00:34:09 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI(4)

2009-02-02 22:57:09 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI(3)

2009-02-02 22:40:32 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI(2)

-- Find3M Report ---------------------------------------------------------------

2009-02-28 22:18:59 0 d-------- C:\Program Files (x86)\Common Files\Wise Installation Wizard

2009-02-16 21:43:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla

2009-02-16 20:16:37 0 d-------- C:\Program Files (x86)\zips of games

2009-02-15 11:46:19 0 d-------- C:\Program Files (x86)\GameSpy Arcade

2009-02-15 01:07:14 0 d-------- C:\Program Files (x86)\ATI Technologies

2009-02-10 21:41:16 0 d-------- C:\Program Files (x86)\botf

2009-02-08 23:00:45 0 d--h----- C:\Program Files (x86)\InstallShield Installation Information

2009-02-02 23:12:27 0 d-------- C:\Program Files (x86)\CyberLink

2009-01-18 00:32:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Bioshock

2009-01-08 21:35:04 0 d-------- C:\Program Files (x86)\ubernesv3rev2

2008-12-07 22:39:06 8812 --ah----- C:\WINDOWS\system32\repefeji

-- Registry Dump ---------------------------------------------------------------

-- End of Deckard's System Scanner: finished at 2009-03-01 00:25:41 ------------


Also, just a heads-up: I run the XP Professional x64 OS, so some things like ComboFix won't work with my x64 operating system because they are 32-bit only.

One other thing I want to mention is that my installer seems to be really messed up: nothing will install; it always gives error 1719 (problem with Windows Installer), or it gives me something about the permission settings not being right (though I am the sole administrator).


I ran Ad-Aware in the meantime while waiting for some help, so I'll post that log too.

Ad-Aware 2007 Build

Log File Created on: 2009-03-01 23:11:40

Using Definitions File: C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\core.aawdef

Computer name: DREWS-SGAMER

Name of user performing scan: SYSTEM

System information

===========================

Number of processors: 1

Processor type: AMD Athlon 64 Processor 3200+

Memory Available: 25%

Total Physical Memory: 1073094656 Bytes

Available Physical Memory: 257556480 Bytes

Total Page File Size: 3148898304 Bytes

Available On Page File: 2420752384 Bytes

Total Virtual Memory: 2147352576 Bytes

Available Virtual Memory: 1772601344 Bytes

OS: Microsoft Windows Server 2003 family Service Pack 2 (Build 3790)

Ad-Aware 2007 Settings

===========================

Skipping files larger than 1048576 kB

Ignoring infections with lower TAI than: 3

Extended Ad-Aware 2007 Settings

===========================

Unloading known modules during scan

Ignoring spanned files when scanning cab archives

Reanalyzing results after scanning before displaying results

Trying to unload modules prior to removal

Unloading Explorer if necessary during removal

Let Windows remove files currently in use at next reboot

Removing quarantined objects after restore

Deactivating Ad-Watch during scans

Writeprotecting system files after repairs

Include info about ignored objects in log file

Including basic settings in log file

Including advanced settings in log file

Including user and computer name in log file

Create and save WebUpdate log file

Databaseinfo

===========================

Version number: 146

Build Number: 0

Build Date and Time: 2009/01/22 14:54:48

Scan Statistics

===========================

Method: Smart

Scan tracking cookies.............................: On

Scan ADS filestreams..............................: On

Item Scanned: 189436

Infections Detected: 7

Infections Ignored: 0

Scan detailed statistics

===========================

Type Critical Total

Process Scan....: 0 0

Registry Scan...: 0 0

Registry PE Scan: 0 0

Hosts File Scan.: 0 0

File Scan.......: 0 0

Folder Scan.....: 0 0

LSP Scan........: 0 0

ADS Scan........: 0 0

Cookie Scan.....: 4 4

File Hash Scan..: 0 0

Infections Found

===========================

Family Id: 725 Name: Tracking Cookie Category: DataMiner TAI:3

Item Id: 409170 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat adlegend.com PrefID /

Item Id: 409170 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat adlegend.com CSList /

Item Id: 409363 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat kontera.com cluid /

Item Id: 409363 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat kontera.com imprs /

Family Id: 9999 Name: MRU Object Category: MRU Object TAI:0

Item Id: 1 Value: MRU Path: C:\Documents and Settings\Administrator\Recent Count: 149

Item Id: 2 Value: MRU Registry Key: S-1-5-21-2712546392-667894355-3133765092-500\Software\Microsoft\Search Assistant\ACMru\5603 Count: 9

Item Id: 3 Value: MRU Registry Key: S-1-5-21-2712546392-667894355-3133765092-500\Software\Microsoft\Internet Explorer\TypedURLs Count: 10

Items Ignored During Scan

===========================

Listing of running processes

===========================

C:\PROGRAM FILES (X86)\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE

c:\program files (x86)\lavasoft\ad-aware 2007\aawservice.exe

c:\windows\system32\ntdll.dll

c:\windows\syswow64\kernel32.dll

c:\program files (x86)\lavasoft\ad-aware 2007\ceapi.dll

c:\windows\syswow64\advapi32.dll

c:\windows\syswow64\rpcrt4.dll

c:\windows\syswow64\secur32.dll

c:\program files (x86)\lavasoft\ad-aware 2007\pkarchive84cb.dll

c:\windows\syswow64\shell32.dll

c:\windows\syswow64\msvcrt.dll

c:\windows\syswow64\gdi32.dll

c:\windows\syswow64\user32.dll

c:\windows\syswow64\shlwapi.dll

c:\windows\syswow64\ole32.dll

c:\windows\syswow64\crypt32.dll

c:\windows\syswow64\msasn1.dll

c:\windows\syswow64\wldap32.dll

c:\windows\system32\psapi.dll

c:\windows\syswow64\version.dll

c:\windows\syswow64\wininet.dll

c:\windows\syswow64\normaliz.dll

c:\windows\syswow64\iertutil.dll

c:\program files (x86)\lavasoft\ad-aware 2007\update.dll

c:\windows\system32\wsock32.dll

c:\windows\system32\ws2_32.dll

c:\windows\system32\ws2help.dll

c:\windows\system32\userenv.dll

c:\windows\system32\imm32.dll

c:\windows\winsxs\wow64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.3790.3959_x-ww_5fa17f4e\comctl32.dll

c:\windows\system32\rsaenh.dll

c:\windows\system32\mswsock.dll

c:\windows\system32\dnsapi.dll

c:\windows\system32\winrnr.dll

c:\windows\system32\hnetcfg.dll

c:\windows\system32\wshtcpip.dll

c:\windows\system32\rasadhlp.dll

C:\PROGRAM FILES (X86)\FSI\F-PROT\FPAVUPDM.EXE

c:\program files (x86)\fsi\f-prot\fpavupdm.exe

c:\windows\system32\ntdll.dll

c:\windows\syswow64\kernel32.dll

c:\windows\system32\wsock32.dll

c:\windows\system32\ws2_32.dll

c:\windows\syswow64\msvcrt.dll

c:\windows\system32\ws2help.dll

c:\windows\syswow64\advapi32.dll

c:\windows\syswow64\rpcrt4.dll

c:\windows\syswow64\secur32.dll

c:\windows\syswow64\wininet.dll

c:\windows\syswow64\shlwapi.dll

c:\windows\syswow64\gdi32.dll

c:\windows\syswow64\user32.dll

c:\windows\syswow64\normaliz.dll

c:\windows\syswow64\iertutil.dll

c:\windows\syswow64\ole32.dll

c:\windows\syswow64\oleaut32.dll

c:\windows\system32\imm32.dll

c:\windows\winsxs\wow64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.3790.3959_x-ww_5fa17f4e\comctl32.dll

c:\windows\syswow64\shell32.dll

c:\windows\system32\rasapi32.dll

c:\windows\system32\rasman.dll

c:\windows\syswow64\netapi32.dll

c:\windows\system32\tapi32.dll

c:\windows\system32\rtutils.dll

c:\windows\system32\winmm.dll

c:\windows\syswow64\crypt32.dll

c:\windows\syswow64\msasn1.dll

c:\windows\system32\userenv.dll

c:\windows\system32\msapsspc.dll

c:\windows\system32\msvcrt40.dll

c:\windows\system32\msnsspc.dll

c:\windows\syswow64\msv1_0.dll

c:\windows\system32\iphlpapi.dll

c:\windows\system32\psapi.dll

c:\windows\system32\sensapi.dll

c:\windows\system32\uxtheme.dll

c:\windows\system32\mswsock.dll

c:\windows\system32\rasadhlp.dll

c:\windows\syswow64\urlmon.dll

c:\windows\system32\dnsapi.dll

c:\windows\system32\winrnr.dll

c:\windows\syswow64\wldap32.dll

c:\windows\system32\rsaenh.dll

c:\windows\system32\hnetcfg.dll

c:\windows\system32\wshtcpip.dll

C:\PROGRAM FILES (X86)\JAVA\JRE6\BIN\JQS.EXE

c:\program files (x86)\java\jre6\bin\jqs.exe

c:\windows\system32\ntdll.dll

c:\windows\syswow64\kernel32.dll

c:\windows\system32\ws2_32.dll

c:\windows\syswow64\msvcrt.dll

c:\windows\system32\ws2help.dll

c:\windows\syswow64\advapi32.dll

c:\windows\syswow64\rpcrt4.dll

c:\windows\syswow64\secur32.dll

c:\windows\syswow64\ole32.dll

c:\windows\syswow64\gdi32.dll

c:\windows\syswow64\user32.dll

c:\program files (x86)\java\jre6\bin\msvcr71.dll

c:\windows\system32\imm32.dll

c:\windows\system32\psapi.dll

c:\windows\system32\pdh.dll

c:\windows\syswow64\shlwapi.dll

c:\windows\syswow64\comdlg32.dll

c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.3790.3959_x-ww_78fcf8d0\comctl32.dll

c:\windows\syswow64\shell32.dll

c:\windows\syswow64\oleaut32.dll

c:\windows\system32\odbc32.dll

c:\windows\system32\odbcbcp.dll

c:\windows\syswow64\version.dll

c:\windows\syswow64\crypt32.dll

c:\windows\syswow64\msasn1.dll

c:\windows\winsxs\wow64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.3790.3959_x-ww_5fa17f4e\comctl32.dll

c:\windows\system32\odbcint.dll

c:\windows\system32\mswsock.dll

c:\windows\system32\hnetcfg.dll

c:\windows\system32\wshtcpip.dll

c:\windows\system32\perfos.dll

c:\windows\system32\perfdisk.dll

C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE

c:\program files (x86)\common files\microsoft shared\vs7debug\mdm.exe

c:\windows\system32\ntdll.dll

c:\windows\syswow64\kernel32.dll

c:\windows\syswow64\ole32.dll

c:\windows\syswow64\msvcrt.dll

c:\windows\syswow64\gdi32.dll

c:\windows\syswow64\user32.dll

c:\windows\syswow64\advapi32.dll

c:\windows\syswow64\rpcrt4.dll

c:\windows\syswow64\secur32.dll

c:\windows\syswow64\oleaut32.dll

c:\windows\syswow64\version.dll

c:\windows\syswow64\shlwapi.dll

c:\windows\system32\shimeng.dll

c:\windows\system32\apphelp.dll

c:\windows\apppatch\acwow64.dll

c:\windows\system32\imm32.dll

c:\windows\system32\psapi.dll

c:\windows\system32\xpsp2res.dll

c:\windows\system32\clbcatq.dll

c:\windows\system32\comres.dll

c:\program files (x86)\common files\microsoft shared\vs7debug\msdbg2.dll

c:\windows\syswow64\netapi32.dll

End of Scan Section

===========================

Quarantined Infections

===========================

Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat adlegend.com PrefID /, Belonging to Tracking Cookie

Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat adlegend.com CSList /, Belonging to Tracking Cookie

Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat kontera.com cluid /, Belonging to Tracking Cookie

Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat kontera.com imprs /, Belonging to Tracking Cookie

MRU Path: C:\Documents and Settings\Administrator\Recent Count: 149, Belonging to MRU Object

MRU Registry Key: S-1-5-21-2712546392-667894355-3133765092-500\Software\Microsoft\Search Assistant\ACMru\5603 Count: 9, Belonging to MRU Object

MRU Registry Key: S-1-5-21-2712546392-667894355-3133765092-500\Software\Microsoft\Internet Explorer\TypedURLs Count: 10, Belonging to MRU Object

End of Quarantined Infections

===========================


  • Root Admin

Please run the following scanner.

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet.
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language.
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though).
  • On the File types tab ensure you select All files.
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave Prompt on Action checked
  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High.
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr.Web Anti-Virus logo you will see 3 little buttons. Click the left VCR-style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives.
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (In this case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your Desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new HijackThis log.


Dr.Web log found a lot of stuff but wasn't able to delete it all. Excel won't open due to the virus so this is the only way to put the drweb log in, since it won't let me upload .csv files.

c.bat;C:\32788R22FWJFW;Probably BATCH.Virus;Moved.;

psexec.cfexe;C:\32788R22FWJFW;Program.PsExec.171;Moved.;

A0042298.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Siggen.568;Deleted.;

A0042299.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Virtumod.1459;Deleted.;

A0042301.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Virtumod.1534;Deleted.;

A0042302.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Virtumod.1534;Deleted.;

A0042303.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Virtumod.1534;Deleted.;

A0045631.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Siggen.568;Deleted.;

A0045632.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Virtumod.1459;Deleted.;

A0045633.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Virtumod.1534;Deleted.;

A0045634.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Virtumod.1534;Deleted.;

A0045635.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Virtumod.1534;Deleted.;

BACKUP-20071207-233006-457.0LL.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Click.4871;Deleted.;

BACKUP-20071207-233103-479.0LL.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Click.4871;Deleted.;

BACKUP-20071207-233123-734.0LL.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Click.4871;Deleted.;

BACKUP-20071207-233141-958.0LL.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Click.4871;Deleted.;

BACKUP-20071207-235336-312.0LL.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Click.4871;Deleted.;

BACKUP-20071208-000717-169.0LL.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Click.4871;Deleted.;

sch20ddshlp.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Probably Trojan.Packed.196;Moved.;

wnl32.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.DownLoader.61955;Deleted.;

VirtumundoBeGone.exe\data005;C:\Documents and Settings\Administrator\Desktop\system health tools\VirtumundoBeGone.exe;Tool.Prockill;;

VirtumundoBeGone.exe;C:\Documents and Settings\Administrator\Desktop\system health tools;Archive contains infected objects;Moved.;

nsh2F.tmp;C:\Documents and Settings\Administrator\Local Settings\Temp;Tool.Prockill;Moved.;

nsuA.tmp;C:\Documents and Settings\Administrator\Local Settings\Temp;Tool.Prockill;Moved.;

nsv5.tmp;C:\Documents and Settings\Administrator\Local Settings\Temp;Tool.Prockill;Moved.;

nswD.tmp;C:\Documents and Settings\Administrator\Local Settings\Temp;Tool.Prockill;Moved.;

inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;Incurable.Moved.;

ocpinst.exe\data529;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\ocpinst.exe;Probably BACKDOOR.Trojan;;

ocpinst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Archive contains infected objects;Moved.;

regLocal.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups;Probably SCRIPT.Virus;Incurable.Moved.;

RegUBP2b-Administrator.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;

ylcgcuoq.dat;C:\WINDOWS\system32\Drivers;Trojan.NtRootKit.511;Deleted.;

new hijackthis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:05 PM, on 03/02/2009

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

C:\Program Files (x86)\Java\jre6\bin\jqs.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\SysWOW64\ctfmon.exe

C:\WINDOWS\SysWOW64\PnkBstrA.exe

C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\WINDOWS\SysWOW64\wwSecure.exe

C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe

C:\Program Files (x86)\Java\jre6\bin\jusched.exe

C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe

C:\Program Files (x86)\iPod\bin\iPodService.exe

C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

O1 - Hosts: be placed in the first column followed by the corresponding host name.

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)

O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')

O4 - HKUS\S-1-5-21-2712546392-667894355-3133765092-500\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User '?')

O4 - HKUS\S-1-5-21-2712546392-667894355-3133765092-500\..\Run: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (User '?')

O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User '?')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')

O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)

O15 - ESC Trusted Zone: http://runonce.msn.com

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - http://upload.facebook.com/controls/2008.1...kPhotoUploader5.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2004061...icro.com/housecall/xscan53.cab

O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} - http://www.livemetallica.com/nugster/dlControl.CAB

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.com/files/driveragent.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - (no file)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)

O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files (x86)\Java\jre6\bin\jqs.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)

O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)

O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe (file missing)

O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--

End of file - 7986 bytes
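The Dr.Web report pasted in this post is a plain semicolon-separated list (object;directory;threat;action;), so it can be read without Excel. The parser and summary below are an added example, not from the thread and not Dr.Web's own tooling; the format is inferred from the posted lines, six of which are embedded as sample input.

```python
"""Summarise a Dr.Web CureIt report (DrWeb.csv) without opening it in Excel.

Added example for this thread; it is not part of the original post and not
Dr.Web's own tooling. The format is inferred from the lines pasted above:

    object;directory;threat name;action;

An object found inside an archive is written as "archive.exe\\member" with
the archive's full path in the directory field and no action of its own; the
archive then gets its own line ("Archive contains infected objects"). A threat
name starting with "Probably " is a heuristic detection, not a signature match.
"""
from collections import Counter
from dataclasses import dataclass

# Six lines copied from the report posted in the thread; they cover every case
# the parser distinguishes (signature, heuristic, archive member, container).
SAMPLE_REPORT = r"""
c.bat;C:\32788R22FWJFW;Probably BATCH.Virus;Moved.;
A0042299.dll.bac_a02020;C:\Documents and Settings\Administrator\.housecall6.6\Quarantine;Trojan.Virtumod.1459;Deleted.;
VirtumundoBeGone.exe\data005;C:\Documents and Settings\Administrator\Desktop\system health tools\VirtumundoBeGone.exe;Tool.Prockill;;
VirtumundoBeGone.exe;C:\Documents and Settings\Administrator\Desktop\system health tools;Archive contains infected objects;Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;Incurable.Moved.;
ylcgcuoq.dat;C:\WINDOWS\system32\Drivers;Trojan.NtRootKit.511;Deleted.;
"""


@dataclass(frozen=True)
class Detection:
    obj: str       # file name, or "archive\member" for an object inside an archive
    location: str  # directory, or the archive's full path for an archive member
    threat: str
    action: str    # "Moved.", "Deleted.", "Incurable.Moved." or "" (no action)

    @property
    def heuristic(self) -> bool:
        return self.threat.startswith("Probably ")

    @property
    def in_archive(self) -> bool:
        return "\\" in self.obj

    @property
    def full_path(self) -> str:
        name = self.obj.split("\\", 1)[1] if self.in_archive else self.obj
        return self.location + "\\" + name


def family(threat: str) -> str:
    """Strip the 'Probably ' prefix and a trailing variant number."""
    name = threat[len("Probably "):] if threat.startswith("Probably ") else threat
    head, dot, tail = name.rpartition(".")
    return head if dot and tail.isdigit() else name


def parse_report(text: str) -> list:
    """Parse DrWeb.csv text into Detection records, skipping non-report lines."""
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.split(";")
        if not line or len(fields) < 4:
            continue
        obj, location, threat, action = (f.strip() for f in fields[:4])
        detections.append(Detection(obj, location, threat, action))
    return detections


def summarise(detections: list) -> dict:
    """Counts per action and per family, plus the heuristic-only hits.

    The heuristic list is the set worth re-checking with a second opinion
    (as the poster did with Jotti) before treating them as confirmed malware.
    """
    return {
        "by_action": Counter(d.action or "(none)" for d in detections),
        "by_family": Counter(family(d.threat) for d in detections),
        "heuristic": [d.full_path for d in detections if d.heuristic],
        "archive_members": [d.full_path for d in detections if d.in_archive],
    }


if __name__ == "__main__":
    report = summarise(parse_report(SAMPLE_REPORT))
    for key, value in report.items():
        print(key)
        for item in (value.items() if isinstance(value, Counter) else value):
            print("   ", item)
```

Point `parse_report` at the contents of `%USERPROFILE%\DoctorWeb\CureIt.log` or the saved DrWeb.csv to summarise a full report.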


Nothing will install, all programs that were messed up before still are. There are a lot of files in the quarantine bins for Trend Micro HouseCall and Dr.Web, but I don't think it moved any more in there after my restart. I attached pictures of the two quarantine folders so you can see the files in there.


Also I consulted Jotti online malware scan and I'm pretty sure that the Dr.Web folder's AOL files, VirtumundoBeGone, and the batch file, possibly the reg entries, are false positives from the heuristics, but the other files in that folder showed up as infections.


  • Root Admin

RootRepeal - Rootkit Detector

  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report.
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name.
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.


Just attempted to run that program and I get this error

"Mismatch between the kernel reported by windows and the one reported by a hardware scan.

Do you want to use the kernel reported by windows?"

Yes No

If I click Yes it says Could not load driver (0xc000036b)!

Same error no matter which option I pick. Apparently it does not work with my 64-bit OS from what a Google search dug up: Windows XP Professional x64.


Kaspersky won't start either. I know that some of those files in the Quarantine folder are viruses, and I hate it when none of these programs seems to work. You got anything else up your sleeve that might do the trick? You think if I delete those quarantined files it might make a difference?


  • Root Admin

No, probably not. The issue is that it's 64 Bit and very few tools actually work well on 64 Bit, including Malware.

Please try the following BOOT CD AV Scanner.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here
  • Place a blank CD in your burner and double-click on the downloaded file.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Screen resolution problems

Please see the post here if you're unable to view the entire screen of Avira.

It starts to boot up (I can see the files loading up for it, but it never loads up), but then the monitor goes into the powersave mode as it would if the computer is turned off, like it's not even connected. I can't even see the GUI to use the commandline because it's like the computer isn't even connected to the monitor, though I know it is b/c it was showing just seconds before. What to do?


  • Root Admin

Well, does the computer allow you to log on and still download and run programs, or is Internet access down, or can't you log on?

Do you have access to another computer to burn CD or do you have the Windows XP CD?

Can you run CHKDSK on it?

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


  • Root Admin

Post re-opened at user request.

Note. My current available time is very limited right now and I've asked other helpers to take over my current logs if possible. I will try to get back to you if no one has taken over, but please keep in mind that it could take a while so please post an update to ask that someone review your post.


Hi :(

AdvancedSetup is currently unavailable and I will now be assisting your good self.

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.
