Hello folks, first-time poster.

Sure got a mess to work out; I've been studying all night, so here goes. I run two browsers: an old Internet Explorer 6 in which I keep all the internet options closed (Java, script, cookies, etc.), and a new version of Firefox for surfing and downloading, in which I toggle JavaScript on and off. I delete newly created files a couple of times a day and am usually very careful with cookies and allowing permissions. A couple of months ago I downloaded MBAM when my search pages were being misdirected, and MBAM worked like a charm to correct the problems; since then I've run the program three times, never to be reinfected.

Two days ago, when I had JavaScript enabled, I got one of those "Infected" warnings on my task bar. Not to worry, I thought: I could search for and delete the files, or click out of the warning, or if things got that bad run Malwarebytes from my desktop, or if I really had to, restore to an earlier time, since I knew I had 12 restore points.

Well, the files wouldn't delete like they usually do, MBAM wouldn't open :) and when I went to open System Restore it was all gone. Whew!

A Google search brought me to your forum, where I followed instructions to download Avatar and scan my Puker. I did that, quarantined the results and tried opening MBAM. It just isn't working. OK, next I figured it was a good time to upgrade Windows to dotnetfix, so I did that; nothing working there either.

But I couldn't stop, no sir; I went and downloaded Spybot, and that began to load till I hit that preserve feature and found out about TeaTimer :) That caused me to lose my Google search features. Long story short:

My Task Manager isn't running anything funny.

I ran HijackThis:

Logfile of HijackThis v1.99.1

Scan saved at 7:09:15 AM, on 4/6/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe

C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe

C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Browser MOUSE\mouse32a.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\Webshots\Webshots.scr

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\msdtc.exe

c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Compaq User\My Documents\Downloaded Utilities\RootRepeal.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Documents and Settings\Compaq User\My Documents\Downloaded Utilities\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,

O1 - Hosts: ::1 localhost

O1 - Hosts: 91.212.65.122 browser-security.microsoft.com

O1 - Hosts: 91.212.65.122 spyware-protector-2009.com

O1 - Hosts: 91.212.65.122 www.spyware-protector-2009.com

O1 - Hosts: 91.212.65.122 secure.spyware-protector-2009.com

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: BHO - {ABD42510-9B22-41cd-9DCD-8182A2D07C63} - C:\WINDOWS\system32\iehelper.dll (file missing)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll

O2 - BHO: (no name) - {E89B01F9-F30B-4944-84F2-5FAC73ABA0E4} - c:\windows\system32\aawluyx.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"

O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s

O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [CamCheck] C:\Program Files\NuCam\CamCheck\CamCheck.exe

O4 - HKLM\..\Run: [Veoh Helper] "C:\Program Files\Veoh Helper\veohTray.exe"

O4 - HKLM\..\Run: [index.dat Suite] "C:\idsuite_run.bat"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: officejet 6100.lnk = ?

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O20 - Winlogon Notify: tomjmzip - C:\WINDOWS\SYSTEM32\aawluyx.dll

O23 - Service: Blink2PnP - Unknown owner - C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Referring to forum topic http://www.malwarebytes.org/forums/index.php?showtopic=12709

Fatdcuk recommends (thank you very much):

Download the following tool and only use as directed!

http://rootrepeal.googlepages.com/

I did, and here are the results from two scans:

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/04/06 07:28

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP2

==================================================

Hidden Services

-------------------

Service Name: msqpdxserv.sys

Image Path: C:\WINDOWS\system32\drivers\msqpdxxjlhbaky.sys

Service Name: UACd.sys

Image Path: C:\WINDOWS\system32\drivers\UACkdulkawq.sys

&

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/04/06 07:30

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP2

==================================================

Drivers

-------------------

Name: ACPI.sys

Image Path: ACPI.sys

Address: 0xF7DBE000 Size: 187776 File Visible: -

Status: -

Name: ACPI_HAL

Image Path: \Driver\ACPI_HAL

Address: 0x804D7000 Size: 2179328 File Visible: -

Status: -

Name: afd.sys

Image Path: C:\WINDOWS\System32\drivers\afd.sys

Address: 0xF3F68000 Size: 138496 File Visible: -

Status: -

Name: atapi.sys

Image Path: atapi.sys

Address: 0xF7D50000 Size: 95360 File Visible: -

Status: -

Name: ATMFD.DLL

Image Path: C:\WINDOWS\System32\ATMFD.DLL

Address: 0xBFFA0000 Size: 286720 File Visible: -

Status: -

Name: audstub.sys

Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys

Address: 0xF848C000 Size: 3072 File Visible: -

Status: -

Name: Beep.SYS

Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS

Address: 0xF834F000 Size: 4224 File Visible: -

Status: -

Name: BOOTVID.dll

Image Path: C:\WINDOWS\system32\BOOTVID.dll

Address: 0xF823D000 Size: 12288 File Visible: -

Status: -

Name: Cdfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS

Address: 0xF801D000 Size: 63744 File Visible: -

Status: -

Name: cdrom.sys

Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys

Address: 0xF7EFD000 Size: 49536 File Visible: -

Status: -

Name: CLASSPNP.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Address: 0xF7E6D000 Size: 53248 File Visible: -

Status: -

Name: disk.sys

Image Path: disk.sys

Address: 0xF7E5D000 Size: 36352 File Visible: -

Status: -

Name: dmio.sys

Image Path: dmio.sys

Address: 0xF7D68000 Size: 153344 File Visible: -

Status: -

Name: dmload.sys

Image Path: dmload.sys

Address: 0xF8333000 Size: 5888 File Visible: -

Status: -

Name: drmk.sys

Image Path: C:\WINDOWS\system32\drivers\drmk.sys

Address: 0xF7F2D000 Size: 61440 File Visible: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF3DEE000 Size: 98304 File Visible: No

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF835D000 Size: 8192 File Visible: No

Status: -

Name: Dxapi.sys

Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys

Address: 0xF70BE000 Size: 12288 File Visible: -

Status: -

Name: dxg.sys

Image Path: C:\WINDOWS\System32\drivers\dxg.sys

Address: 0xBF000000 Size: 73728 File Visible: -

Status: -

Name: dxgthk.sys

Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys

Address: 0xF8572000 Size: 4096 File Visible: -

Status: -

Name: Fastfat.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS

Address: 0xF2946000 Size: 143360 File Visible: -

Status: -

Name: fdc.sys

Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys

Address: 0xF811D000 Size: 27392 File Visible: -

Status: -

Name: Fips.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS

Address: 0xF7FFD000 Size: 34944 File Visible: -

Status: -

Name: flpydisk.sys

Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys

Address: 0xF818D000 Size: 20480 File Visible: -

Status: -

Name: fltMgr.sys

Image Path: fltMgr.sys

Address: 0xF7D18000 Size: 128896 File Visible: -

Status: -

Name: Fs_Rec.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS

Address: 0xF834B000 Size: 7936 File Visible: -

Status: -

Name: ftdisk.sys

Image Path: ftdisk.sys

Address: 0xF7D8E000 Size: 125056 File Visible: -

Status: -

Name: hal.dll

Image Path: C:\WINDOWS\system32\hal.dll

Address: 0x806EC000 Size: 81280 File Visible: -

Status: -

Name: HIDCLASS.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS

Address: 0xF7FCD000 Size: 36864 File Visible: -

Status: -

Name: HIDPARSE.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS

Address: 0xF81D5000 Size: 28672 File Visible: -

Status: -

Name: hidusb.sys

Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys

Address: 0xF7ACE000 Size: 9600 File Visible: -

Status: -

Name: HTTP.sys

Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys

Address: 0xF2D1C000 Size: 262784 File Visible: -

Status: -

Name: i8042prt.sys

Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys

Address: 0xF7EDD000 Size: 52736 File Visible: -

Status: -

Name: imagedrv.sys

Image Path: imagedrv.sys

Address: 0xF8335000 Size: 5888 File Visible: -

Status: -

Name: imagesrv.sys

Image Path: imagesrv.sys

Address: 0xF7DEC000 Size: 127488 File Visible: -

Status: -

Name: imapi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys

Address: 0xF7F1D000 Size: 41856 File Visible: -

Status: -

Name: ipnat.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys

Address: 0xF3F8A000 Size: 134912 File Visible: -

Status: -

Name: ipsec.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys

Address: 0xF402B000 Size: 74752 File Visible: -

Status: -

Name: isapnp.sys

Image Path: isapnp.sys

Address: 0xF7E2D000 Size: 35840 File Visible: -

Status: -

Name: kbdclass.sys

Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys

Address: 0xF8105000 Size: 24576 File Visible: -

Status: -

Name: KDCOM.DLL

Image Path: C:\WINDOWS\system32\KDCOM.DLL

Address: 0xF832D000 Size: 8192 File Visible: -

Status: -

Name: kmixer.sys

Image Path: C:\WINDOWS\system32\drivers\kmixer.sys

Address: 0xF259D000 Size: 172416 File Visible: -

Status: -

Name: ks.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys

Address: 0xF788F000 Size: 143360 File Visible: -

Status: -

Name: KSecDD.sys

Image Path: KSecDD.sys

Address: 0xF7D01000 Size: 92032 File Visible: -

Status: -

Name: mnmdd.SYS

Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS

Address: 0xF8353000 Size: 4224 File Visible: -

Status: -

Name: Modem.SYS

Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS

Address: 0xF80E5000 Size: 30080 File Visible: -

Status: -

Name: mouclass.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys

Address: 0xF80FD000 Size: 23040 File Visible: -

Status: -

Name: mouhid.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys

Address: 0xF82E9000 Size: 12160 File Visible: -

Status: -

Name: MountMgr.sys

Image Path: MountMgr.sys

Address: 0xF7E3D000 Size: 42240 File Visible: -

Status: -

Name: mrxsmb.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

Address: 0xF3ECE000 Size: 453120 File Visible: -

Status: -

Name: Msfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS

Address: 0xF81B5000 Size: 19072 File Visible: -

Status: -

Name: msgpc.sys

Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys

Address: 0xF7F6D000 Size: 35072 File Visible: -

Status: -

Name: mssmbios.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys

Address: 0xF7B06000 Size: 15488 File Visible: -

Status: -

Name: Mup.sys

Image Path: Mup.sys

Address: 0xF7B36000 Size: 107904 File Visible: -

Status: -

Name: NDIS.sys

Image Path: NDIS.sys

Address: 0xF7C47000 Size: 182912 File Visible: -

Status: -

Name: ndistapi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys

Address: 0xF8315000 Size: 9600 File Visible: -

Status: -

Name: ndisuio.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys

Address: 0xF3C8A000 Size: 12928 File Visible: -

Status: -

Name: ndiswan.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys

Address: 0xF71C4000 Size: 91776 File Visible: -

Status: -

Name: NDProxy.SYS

Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS

Address: 0xF7F8D000 Size: 38016 File Visible: -

Status: -

Name: netbios.sys

Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys

Address: 0xF7FED000 Size: 34560 File Visible: -

Status: -

Name: netbt.sys

Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys

Address: 0xF3FAB000 Size: 162816 File Visible: -

Status: -

Name: Npfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS

Address: 0xF81C5000 Size: 30848 File Visible: -

Status: -

Name: Ntfs.sys

Image Path: Ntfs.sys

Address: 0xF7C74000 Size: 574592 File Visible: -

Status: -

Name: ntoskrnl.exe

Image Path: C:\WINDOWS\system32\ntoskrnl.exe

Address: 0x804D7000 Size: 2179328 File Visible: -

Status: -

Name: Null.SYS

Image Path: C:\WINDOWS\System32\Drivers\Null.SYS

Address: 0xF84C4000 Size: 2944 File Visible: -

Status: -

Name: nv4_disp.dll

Image Path: C:\WINDOWS\System32\nv4_disp.dll

Address: 0xBF012000 Size: 4276224 File Visible: -

Status: -

Name: nv4_mini.sys

Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

Address: 0xF78F6000 Size: 1897408 File Visible: -

Status: -

Name: parport.sys

Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys

Address: 0xF78B2000 Size: 80128 File Visible: -

Status: -

Name: PartMgr.sys

Image Path: PartMgr.sys

Address: 0xF80B5000 Size: 18688 File Visible: -

Status: -

Name: ParVdm.SYS

Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS

Address: 0xF8349000 Size: 6784 File Visible: -

Status: -

Name: pci.sys

Image Path: pci.sys

Address: 0xF7DAD000 Size: 68224 File Visible: -

Status: -

Name: PCIIDEX.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Address: 0xF80AD000 Size: 28672 File Visible: -

Status: -

Name: PnpManager

Image Path: \Driver\PnpManager

Address: 0x804D7000 Size: 2179328 File Visible: -

Status: -

Name: portcls.sys

Image Path: C:\WINDOWS\system32\drivers\portcls.sys

Address: 0xF77DB000 Size: 147456 File Visible: -

Status: -

Name: processr.sys

Image Path: C:\WINDOWS\system32\DRIVERS\processr.sys

Address: 0xF7ECD000 Size: 35328 File Visible: -

Status: -

Name: PROCEXP113.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

Address: 0xF839F000 Size: 7872 File Visible: No

Status: -

Name: psched.sys

Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys

Address: 0xF71B3000 Size: 69120 File Visible: -

Status: -

Name: ptilink.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys

Address: 0xF816D000 Size: 17792 File Visible: -

Status: -

Name: ptserlp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ptserlp.sys

Address: 0xF78C6000 Size: 112544 File Visible: -

Status: -

Name: PxHelp20.sys

Image Path: PxHelp20.sys

Address: 0xF7E7D000 Size: 35648 File Visible: -

Status: -

Name: rasacd.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys

Address: 0xF7AC6000 Size: 8832 File Visible: -

Status: -

Name: rasl2tp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

Address: 0xF7F3D000 Size: 51328 File Visible: -

Status: -

Name: raspppoe.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys

Address: 0xF7F4D000 Size: 41472 File Visible: -

Status: -

Name: raspptp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys

Address: 0xF7F5D000 Size: 48384 File Visible: -

Status: -

Name: raspti.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys

Address: 0xF817D000 Size: 16512 File Visible: -

Status: -

Name: RAW

Image Path: \FileSystem\RAW

Address: 0x804D7000 Size: 2179328 File Visible: -

Status: -

Name: rdbss.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys

Address: 0xF3F3D000 Size: 174592 File Visible: -

Status: -

Name: RDPCDD.sys

Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys

Address: 0xF8357000 Size: 4224 File Visible: -

Status: -

Name: rdpdr.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys

Address: 0xF70E2000 Size: 196864 File Visible: -

Status: -

Name: redbook.sys

Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys

Address: 0xF7F0D000 Size: 57472 File Visible: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xF2DAD000 Size: 45056 File Visible: No

Status: -

Name: SCSIPORT.SYS

Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS

Address: 0xF7D38000 Size: 98304 File Visible: -

Status: -

Name: SENSUPGD.SYS

Image Path: C:\WINDOWS\system32\drivers\SENSUPGD.SYS

Address: 0xF8488000 Size: 4096 File Visible: -

Status: -

Name: serenum.sys

Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys

Address: 0xF82F5000 Size: 15488 File Visible: -

Status: -

Name: serial.sys

Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys

Address: 0xF7EED000 Size: 64896 File Visible: -

Status: -

Name: SMC1211.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\SMC1211.SYS

Address: 0xF80F5000 Size: 21504 File Visible: -

Status: -

Name: smwdm.sys

Image Path: C:\WINDOWS\system32\drivers\smwdm.sys

Address: 0xF77FF000 Size: 443584 File Visible: -

Status: -

Name: sr.sys

Image Path: C:\WINDOWS\System32\DRIVERS\sr.sys

Address: 0xF2CE2000 Size: 73472 File Visible: -

Status: -

Name: srv.sys

Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys

Address: 0xF35FF000 Size: 332928 File Visible: -

Status: -

Name: swenum.sys

Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys

Address: 0xF833D000 Size: 4352 File Visible: -

Status: -

Name: sysaudio.sys

Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys

Address: 0xF3B7E000 Size: 60800 File Visible: -

Status: -

Name: tcpip.sys

Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys

Address: 0xF3FD3000 Size: 359808 File Visible: -

Status: -

Name: TDI.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS

Address: 0xF815D000 Size: 20480 File Visible: -

Status: -

Name: termdd.sys

Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys

Address: 0xF7F7D000 Size: 40704 File Visible: -

Status: -

Name: tmcomm.sys

Image Path: C:\WINDOWS\system32\drivers\tmcomm.sys

Address: 0xF3651000 Size: 70912 File Visible: -

Status: -

Name: UACkdulkawq.sys

Image Path: C:\WINDOWS\system32\drivers\UACkdulkawq.sys

Address: 0xF7FBD000 Size: 61440 File Visible: -

Status: Hidden from Windows API!

Name: update.sys

Image Path: C:\WINDOWS\system32\DRIVERS\update.sys

Address: 0xF7086000 Size: 209408 File Visible: -

Status: -

Name: usbccgp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys

Address: 0xF81F5000 Size: 31616 File Visible: -

Status: -

Name: USBD.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS

Address: 0xF8347000 Size: 8192 File Visible: -

Status: -

Name: usbhub.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys

Address: 0xF7F9D000 Size: 57600 File Visible: -

Status: -

Name: USBPORT.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS

Address: 0xF786C000 Size: 143360 File Visible: -

Status: -

Name: usbprint.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbprint.sys

Address: 0xF8205000 Size: 25856 File Visible: -

Status: -

Name: usbscan.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbscan.sys

Address: 0xF70D6000 Size: 15104 File Visible: -

Status: -

Name: usbuhci.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys

Address: 0xF8135000 Size: 20480 File Visible: -

Status: -

Name: vga.sys

Image Path: C:\WINDOWS\System32\drivers\vga.sys

Address: 0xF81A5000 Size: 20992 File Visible: -

Status: -

Name: viaagp.sys

Image Path: viaagp.sys

Address: 0xF7E9D000 Size: 42240 File Visible: -

Status: -

Name: viaide.sys

Image Path: viaide.sys

Address: 0xF8331000 Size: 5376 File Visible: -

Status: -

Name: VIDEOPRT.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS

Address: 0xF78E2000 Size: 81920 File Visible: -

Status: -

Name: vmodem.sys

Image Path: vmodem.sys

Address: 0xF7B51000 Size: 604224 File Visible: -

Status: -

Name: VolSnap.sys

Image Path: VolSnap.sys

Address: 0xF7E4D000 Size: 52352 File Visible: -

Status: -

Name: vpctcom.sys

Image Path: vpctcom.sys

Address: 0xF7BE5000 Size: 397472 File Visible: -

Status: -

Name: vvoice.sys

Image Path: vvoice.sys

Address: 0xF7E8D000 Size: 64576 File Visible: -

Status: -

Name: wanarp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys

Address: 0xF7FDD000 Size: 34560 File Visible: -

Status: -

Name: watchdog.sys

Image Path: C:\WINDOWS\System32\watchdog.sys

Address: 0xF822D000 Size: 20480 File Visible: -

Status: -

Name: wdmaud.sys

Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys

Address: 0xF3939000 Size: 82944 File Visible: -

Status: -

Name: Win32k

Image Path: \Driver\Win32k

Address: 0xBF800000 Size: 1843200 File Visible: -

Status: -

Name: win32k.sys

Image Path: C:\WINDOWS\System32\win32k.sys

Address: 0xBF800000 Size: 1843200 File Visible: -

Status: -

Name: WMILIB.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS

Address: 0xF832F000 Size: 8192 File Visible: -

Status: -

Name: WMIxWDM

Image Path: \Driver\WMIxWDM

Address: 0x804D7000 Size: 2179328 File Visible: -

Status: -

Thank you in advance for all the help and knowledge you can lend. Sorry if this seems lengthy, but I wanted to get it posted before I take a break.

Be Well

Bronks

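The HijackThis log in the post above carries several classic XP-era hijack indicators: the F2 UserInit chain with a second executable appended, O1 hosts entries that pin security-vendor names to a non-loopback address, a nameless BHO whose DLL also shows up as an O20 Winlogon Notify handler, and an HKCU Run entry pointing at a binary sitting directly in C:\WINDOWS. The Python script below is an added example, not part of the original post and not HijackThis code; it parses those line types from a constructed sample copied from the log and reports the entries a forum helper would look at first. The flagging rules (for instance treating a Run target that lives directly in the Windows directory or a drive root as worth a look) are heuristics chosen for this example and produce review hints, not verdicts.

```python
"""Triage a HijackThis log for classic persistence hijacks (added example)."""
import ntpath
import re
from collections import namedtuple
from ipaddress import ip_address
from typing import List

Finding = namedtuple("Finding", "section item reason")

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 spyware-protector-2009.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: BHO - {ABD42510-9B22-41cd-9DCD-8182A2D07C63} - C:\WINDOWS\system32\iehelper.dll (file missing)
O2 - BHO: (no name) - {E89B01F9-F30B-4944-84F2-5FAC73ABA0E4} - c:\windows\system32\aawluyx.dll
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O20 - Winlogon Notify: tomjmzip - C:\WINDOWS\SYSTEM32\aawluyx.dll
"""

RE_F2 = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
RE_O1 = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
RE_O2 = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
RE_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
# Heuristic (assumption of this example): an autorun binary directly in the
# Windows directory or a drive root is unusual for legitimate software.
RE_ODD_DIR = re.compile(r"^[A-Za-z]:\\(?:windows)?$", re.IGNORECASE)


def userinit_extras(value: str) -> List[str]:
    """Return every UserInit component other than userinit.exe itself."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if ntpath.basename(p).lower() != "userinit.exe"]


def run_target(value: str) -> str:
    """Extract the executable path from an O4 value, quoted or bare."""
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    return value.split(" ", 1)[0]


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    bho_dlls, notify_dlls = set(), set()
    for line in log_text.splitlines():
        line = line.strip()
        if m := RE_F2.match(line):
            for extra in userinit_extras(m.group(1)):
                findings.append(Finding("F2", extra, "extra executable chained into UserInit, runs at every logon"))
        elif m := RE_O1.match(line):
            ip, host = m.groups()
            try:
                loopback = ip_address(ip).is_loopback
            except ValueError:
                loopback = False
            if not loopback:
                findings.append(Finding("O1", f"{host} -> {ip}", "hosts entry pins the name to a non-loopback address"))
        elif m := RE_O2.match(line):
            name, path = m.groups()
            bho_dlls.add(ntpath.basename(path.replace(" (file missing)", "")).lower())
            if name == "(no name)" or path.endswith("(file missing)"):
                findings.append(Finding("O2", path, "BHO with no name or missing file"))
        elif m := RE_O4.match(line):
            hive, name, value = m.groups()
            target = run_target(value)
            if RE_ODD_DIR.match(ntpath.dirname(target)):
                findings.append(Finding("O4", f"{hive} [{name}] {target}", "autorun binary directly in Windows dir or drive root"))
        elif m := RE_O20.match(line):
            name, path = m.groups()
            notify_dlls.add(ntpath.basename(path).lower())
            findings.append(Finding("O20", f"{name} {path}", "Winlogon Notify DLL loads inside winlogon.exe, review"))
    # Cross-reference: one DLL registered in two persistence points is a strong signal.
    for dll in sorted(bho_dlls & notify_dlls):
        findings.append(Finding("XREF", dll, "same DLL registered as BHO and Winlogon Notify handler"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.item}: {f.reason}")
```

Run it as-is to see the six findings from the sample, or feed it a whole saved HijackThis log via `triage(open("hijackthis.log").read())`. The point of the cross-reference step is that aawluyx.dll appears both as a BHO and as a Winlogon Notify DLL, which is exactly the pairing MBAM later identified as Trojan.Vundo.H in this thread.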

  • Staff

Hi,

Please read the following tutorial and perform the steps:

http://www.malwarebytes.org/forums/index.php?showtopic=12709

In your case, you should select to wipe the file C:\WINDOWS\system32\drivers\UACkdulkawq.sys

Then you should be able to run MBAM afterwards. Also, make sure you update MBAM (Update tab > check for updates), before you run the scan.

Then, once the scan has finished, reboot!

After reboot,

Post the log from MBAM in your next reply.

By the way, is there any reason why you don't have an antivirus installed?


miekiemoes, hi there.

I did as you said; I thought that's what I had to do. I wiped C:\WINDOWS\system32\drivers\UACkdulkawq.sys, just needed to check in first. Then I went to load MBAM. It didn't work. NO GO! What else do you see?

To answer your question about antivirus, I guess I never had much luck or faith in them; I've been surfing and downloading for a lot of years and was always able to handle it. But now this infection could only have come from three sites I was on, and I thought they were trusted sites. Things are a-changin', getting nasty out there. Time to address the antivirus issue. What do you recommend, please, sir?

And thank you for your help.

P.S. Do you see anything more?

How about this scan I just did after wiping the above driver:

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/04/06 12:21

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP2

==================================================

Hidden Services

-------------------

Service Name: msqpdxserv.sys

Image Path: C:\WINDOWS\system32\drivers\msqpdxxjlhbaky.sys

Service Name: UACd.sys

Image Path: C:\WINDOWS\system32\drivers\UACkdulkawq.sys

I see C:\WINDOWS\system32\drivers\UACkdulkawq.sys still there, as well as the other (with the Hidden Services option chosen).

Before I wipe or delete anything further, I await your command.

Thanks

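The two RootRepeal reports posted above (07:28 before the wipe, 12:21 after it) list the same two hidden services, which is how the poster noticed the wipe had not taken. The Python below is an added example, not part of the original post and not RootRepeal code; it parses the report format as shown in this thread (section title over a dashed line, blank-line-separated "Key: Value" entries, the combined "Address / Size / File Visible" line) and diffs the hidden-service image paths between two scans. The samples are condensed from the posted reports: the "before" sample merges the hidden-services and drivers scans from the first post into one report for brevity, and the driver subset is limited to three entries.

```python
"""Parse RootRepeal text reports and diff hidden services between scans (added example)."""
import re
from typing import Dict, List, Set, Tuple

Entry = Dict[str, str]

# Constructed samples, condensed from the RootRepeal reports posted in this thread.
SCAN_BEFORE = r"""ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/04/06 07:28
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Hidden Services
-------------------
Service Name: msqpdxserv.sys
Image Path: C:\WINDOWS\system32\drivers\msqpdxxjlhbaky.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACkdulkawq.sys

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF2DAD000 Size: 45056 File Visible: No
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xF3FD3000 Size: 359808 File Visible: -
Status: -

Name: UACkdulkawq.sys
Image Path: C:\WINDOWS\system32\drivers\UACkdulkawq.sys
Address: 0xF7FBD000 Size: 61440 File Visible: -
Status: Hidden from Windows API!
"""

SCAN_AFTER = r"""ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/04/06 12:21
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Hidden Services
-------------------
Service Name: msqpdxserv.sys
Image Path: C:\WINDOWS\system32\drivers\msqpdxxjlhbaky.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACkdulkawq.sys
"""

RE_ADDR = re.compile(r"^Address: (\S+) Size: (\d+) File Visible: (\S+)$")
RE_TIME = re.compile(r"^Scan Time: (.+)$", re.MULTILINE)


def scan_time(text: str) -> str:
    m = RE_TIME.search(text)
    return m.group(1).strip() if m else "unknown"


def parse_report(text: str) -> Dict[str, List[Entry]]:
    """Split a report into sections, each a list of key/value entries."""
    sections: Dict[str, List[Entry]] = {}
    lines = text.splitlines()
    current = None
    entry: Entry = {}
    for i, raw in enumerate(lines):
        line = raw.strip()
        # A section title is a bare line directly followed by a dashed underline.
        if line and not line.startswith("=") and i + 1 < len(lines) and lines[i + 1].strip().startswith("---"):
            if entry and current is not None:
                sections[current].append(entry)
            current, entry = line, {}
            sections[current] = []
            continue
        if current is None or line.startswith("---"):
            continue
        if not line:
            if entry:
                sections[current].append(entry)
                entry = {}
            continue
        if m := RE_ADDR.match(line):  # three fields share one line in this format
            entry["Address"], entry["Size"], entry["File Visible"] = m.groups()
        elif ": " in line:
            key, value = line.split(": ", 1)
            entry[key] = value.strip()
    if entry and current is not None:
        sections[current].append(entry)
    return sections


def hidden_services(report: Dict[str, List[Entry]]) -> Dict[str, str]:
    """Map hidden service name -> image path."""
    return {e["Service Name"]: e["Image Path"] for e in report.get("Hidden Services", [])}


def suspicious_drivers(report: Dict[str, List[Entry]]) -> List[Tuple[str, str]]:
    """Drivers flagged by status, plus file-less ones that still deserve a look."""
    out = []
    for e in report.get("Drivers", []):
        if e.get("Status", "-") != "-":
            out.append((e["Name"], e["Status"]))
        elif e.get("File Visible") == "No":
            # Tool drivers and dump_* drivers legitimately land here; review, do not wipe blindly.
            out.append((e["Name"], "no visible file on disk, review"))
    return out


def compare_hidden_services(before: str, after: str) -> Dict[str, Set[str]]:
    """Diff hidden-service image paths: what survived the cleanup attempt, what went, what is new."""
    b = set(hidden_services(parse_report(before)).values())
    a = set(hidden_services(parse_report(after)).values())
    return {"persisted": b & a, "removed": b - a, "new": a - b}


if __name__ == "__main__":
    print("before:", scan_time(SCAN_BEFORE), "after:", scan_time(SCAN_AFTER))
    for kind, paths in compare_hidden_services(SCAN_BEFORE, SCAN_AFTER).items():
        print(kind, sorted(paths))
    print("drivers to review:", suspicious_drivers(parse_report(SCAN_BEFORE)))
```

With the two posted scans every hidden service lands in "persisted", which is the signal that the driver was being recreated (the poster's later reply says it "reappeared quickly" until the forced delete). The driver check deliberately separates "Hidden from Windows API!" from a mere "File Visible: No", because rootrepeal.sys itself and the dump_* drivers have no visible file and are not malicious.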

Check both above ones again and select to wipe.

Then run mbam again as well. It may also be a good idea to rename mbam.exe to bronks.exe or so :)

OK, better. miekiemoes, I tried again to wipe with RootRepeal, but it reappeared quickly. I thought of running RootRepeal like a twin carb, but you can't run more than one at a time. So I decided to use the forced delete option. That worked!! And as soon as I loaded MBAM, my computer crashed. No problem though; I ran a full MBAM scan, and here are the results:

Malwarebytes' Anti-Malware 1.35

Database version: 1945

Windows 5.1.2600 Service Pack 2

4/6/2009 1:37:40 PM

mbam-log-2009-04-06 (13-37-40).txt

Scan type: Full Scan (C:\|)

Objects scanned: 95157

Time elapsed: 27 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 13

Registry Values Infected: 2

Registry Data Items Infected: 6

Folders Infected: 2

Files Infected: 16

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e89b01f9-f30b-4944-84f2-5fac73aba0e4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tomjmzip (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e89b01f9-f30b-4944-84f2-5fac73aba0e4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{abd42510-9b22-41cd-9dcd-8182a2d07c63} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{abd42510-9b22-41cd-9dcd-8182a2d07c63} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wqrkyxvz (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wqrkyxvz (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wqrkyxvz (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e89b01f9-f30b-4944-84f2-5fac73aba0e4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Bind (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\Compaq User\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lowsec (Spyware.StolenData) -> Delete on reboot.

Files Infected:

c:\WINDOWS\system32\aawluyx.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\UACjbabotvy.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UAClyxbxtcd.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACpjbgnhvm.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACpsmrvhfh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\Compaq User\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.

C:\Documents and Settings\Compaq User\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lowsec\local.ds (Spyware.StolenData) -> Delete on reboot.

C:\WINDOWS\system32\lowsec\user.ds (Spyware.StolenData) -> Delete on reboot.

C:\WINDOWS\system32\lowsec\user.ds.lll (Spyware.StolenData) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\Fonts\error.exe (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACjajpgfqs.log (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACmppjnmde.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACyyxmupcc.dll (Trojan.Agent) -> Quarantined and deleted successfully.

My Disk Defragmenter started working again.

I hope you will explain what you mean by renaming mbam.exe to somethingelse.exe. I've read others suggest the same, but I didn't understand how to do that. Do you mean mbam-setup.exe? I'd sure like to know, if there should be a next time. Anything else you want me to do? I sure do appreciate this service.

Stay Well

Bronks


Hi,

If the mbam scan works - then there's no need anymore to rename it. :)

I assume you have rebooted after the malwarebytes scan?

Can you also post a new HijackThis log please?

Sure, here it is (you'll notice it's an older version, not a problem is it?)

Logfile of HijackThis v1.99.1

Scan saved at 2:45:23 PM, on 4/6/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe

C:\Program Files\Browser MOUSE\mouse32a.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\Webshots\Webshots.scr

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Compaq User\My Documents\Downloaded Utilities\HijackThis.exe

O1 - Hosts: ::1 localhost

O1 - Hosts: 91.212.65.122 browser-security.microsoft.com

O1 - Hosts: 91.212.65.122 spyware-protector-2009.com

O1 - Hosts: 91.212.65.122 www.spyware-protector-2009.com

O1 - Hosts: 91.212.65.122 secure.spyware-protector-2009.com

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"

O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s

O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [CamCheck] C:\Program Files\NuCam\CamCheck\CamCheck.exe

O4 - HKLM\..\Run: [Veoh Helper] "C:\Program Files\Veoh Helper\veohTray.exe"

O4 - HKLM\..\Run: [index.dat Suite] "C:\idsuite_run.bat"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [Tracker] C:\Program Files\MySoftware\MyInvoices\tracker.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: officejet 6100.lnk = ?

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O23 - Service: Blink2PnP - Unknown owner - C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

I'm not sure what 91.212.65.122 spyware-protector-2009.com is. Anything of concern?

thanks


  • Staff

Hi,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O1 - Hosts: ::1 localhost

O1 - Hosts: 91.212.65.122 browser-security.microsoft.com

O1 - Hosts: 91.212.65.122 spyware-protector-2009.com

O1 - Hosts: 91.212.65.122 www.spyware-protector-2009.com

O1 - Hosts: 91.212.65.122 secure.spyware-protector-2009.com

O4 - HKLM\..\Run: [index.dat Suite] "C:\idsuite_run.bat" <== check this if you don't know it. If it's a batch file to delete the index.dat, then it's useless anyway, because the index.dat is already in use when that startup runs.

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

* Then, you really need an antivirus, so please install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.
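The O1 entries listed above are a hosts-file hijack: several rogue-AV names and a spoofed Microsoft subdomain all sent to one remote address. As an added example that is not part of the thread and not HijackThis code, here is a small Python checker that reads such O1 lines and says why each redirected name looks suspicious; the regex, keyword list, sample log and function names are my own constructed choices, and it also accepts the loopback and 0.0.0.0 sink entries that ad-blocking hosts files use, which the thread does not cover.

```python
"""Checker for HijackThis 'O1 - Hosts:' lines (added example, not from the thread)."""
import ipaddress
import re
from collections import defaultdict

# HijackThis prints one line per non-default hosts-file entry: "O1 - Hosts: <addr> <name>".
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")

# Substrings that, in a name redirected off the machine, suggest a rogue-AV
# or vendor-impersonation redirect. Constructed list for this example.
SUSPECT_KEYWORDS = ("microsoft", "spyware", "antivirus", "security", "protector")

# Constructed sample: the ::1 line and the four rogue entries from the thread,
# plus two ad-blocking style entries and one unrelated HijackThis line.
SAMPLE_LOG = """\
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 spyware-protector-2009.com
O1 - Hosts: 91.212.65.122 www.spyware-protector-2009.com
O1 - Hosts: 91.212.65.122 secure.spyware-protector-2009.com
O1 - Hosts: 127.0.0.1 ads.example
O1 - Hosts: 0.0.0.0 tracker.example
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - c:\\example.dll
"""


def parse_o1_lines(lines):
    """Return (address, hostname) pairs from O1 lines; other lines are ignored."""
    entries = []
    for line in lines:
        match = O1_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2).lower()))
    return entries


def is_local_sink(address):
    """True for loopback (127.x, ::1) and unspecified (0.0.0.0, ::) targets,
    which keep traffic on the machine the way ad-blocking hosts files do."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # not an IP literal at all; treat as remote
    return ip.is_loopback or ip.is_unspecified


def assess(entries):
    """Map each hostname to a list of reasons it looks hijacked (empty = benign)."""
    names_per_address = defaultdict(list)
    for address, host in entries:
        names_per_address[address].append(host)

    verdict = {}
    for address, host in entries:
        reasons = []
        if not is_local_sink(address):
            # Any entry sending a name to a remote host overrides DNS for that name.
            reasons.append(f"resolves to remote address {address}")
            shared = len(names_per_address[address])
            if shared > 1:
                reasons.append(f"{shared} names point at {address}")
            if any(word in host for word in SUSPECT_KEYWORDS):
                reasons.append("name mimics a security vendor or product")
        verdict[host] = reasons
    return verdict


def flagged_hosts(log_text):
    """Sorted hostnames from a log that have at least one reason."""
    verdict = assess(parse_o1_lines(log_text.splitlines()))
    return sorted(host for host, reasons in verdict.items() if reasons)


if __name__ == "__main__":
    for host, reasons in assess(parse_o1_lines(SAMPLE_LOG.splitlines())).items():
        status = "SUSPECT" if reasons else "ok"
        print(f"{status:7} {host}" + ("" if not reasons else ": " + "; ".join(reasons)))
```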



Howdy

Got Avira loaded, did a full scan, and have the report ready for your viewing:

Avira AntiVir Personal

Report file date: Monday, April 06, 2009 15:19

Scanning for 1342193 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 2) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : COMPAQ5000

Version information:

BUILD.DAT : 9.0.0.387 17962 Bytes 3/24/2009 11:04:00

AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 16:13:26

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 14:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 15:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 14:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 16:30:36

ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 00:33:26

ANTIVIR2.VDF : 7.1.3.0 1330176 Bytes 4/1/2009 19:17:58

ANTIVIR3.VDF : 7.1.3.21 99328 Bytes 4/6/2009 19:17:58

Engineversion : 8.2.0.138

AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 21:36:42

AESCRIPT.DLL : 8.1.1.73 373114 Bytes 4/6/2009 19:18:01

AESCN.DLL : 8.1.1.10 127348 Bytes 4/6/2009 19:18:01

AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 22:24:41

AEPACK.DLL : 8.1.3.12 397687 Bytes 4/6/2009 19:18:01

AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 00:01:56

AEHEUR.DLL : 8.1.0.114 1700214 Bytes 4/6/2009 19:18:00

AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 00:01:56

AEGEN.DLL : 8.1.1.33 340340 Bytes 4/6/2009 19:17:59

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 18:32:40

AECORE.DLL : 8.1.6.7 176502 Bytes 4/6/2009 19:17:58

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 18:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 12:47:59

AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 14:32:15

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 18:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 14:32:09

AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 11:52:24

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 14:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 19:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 12:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 14:32:10

RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 15:45:45

RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 19:55:12

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Monday, April 06, 2009 15:19

Starting search for hidden objects.

HKEY_LOCAL_MACHINE\System\ControlSet004\Services\msqpdxserv.sys\modules

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet004\Services\msqpdxserv.sys\start

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet004\Services\msqpdxserv.sys\type

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet004\Services\msqpdxserv.sys\imagepath

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet004\Services\msqpdxserv.sys\group

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet004\Services\UACd.sys\modules

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet004\Services\UACd.sys\start

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet004\Services\UACd.sys\type

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet004\Services\UACd.sys\imagepath

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet004\Services\UACd.sys\group

[INFO] The registry entry is invisible.

'31192' objects were checked, '10' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'Webshots.scr' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'srvany.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'lxbmbmon.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'mouse32a.exe' - '1' Module(s) have been scanned

Scan process 'lxbmbmgr.exe' - '1' Module(s) have been scanned

Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

27 processes with 27 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).

The registry was scanned ( '56' files ).

Starting the file scan:

Begin scan in 'C:\' <Hard Drive>

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

End of the scan: Monday, April 06, 2009 16:04

Used time: 45:10 Minute(s)

The scan has been done completely.

3484 Scanned directories

159016 Files were scanned

0 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

0 Files were moved to quarantine

0 Files were renamed

1 Files cannot be scanned

159015 Files not concerned

1122 Archives were scanned

1 Warnings

1 Notes

31192 Objects were scanned with rootkit scan

10 Hidden objects were found

Thanks once again. Good timing too, the Yankees just started their 1st official game of the year.

Go Bombers

Stay Well

Bronks_ball


Funny that the ControlSet004 is still hidden... Did you check the hidden objects in Avira for removal?

Anyway, please reboot.

Then,

Can you rescan with malwarebytes and post a new log in your next reply?

Hi Mieke

Did as you asked, some strange things happened though:

1. When I went to restart the puter it froze.

2. I did not end items in Task Manager like I usually do.

3. It took a long time to scan.

4. Reboot before last, I took 31 Microsoft updates (I really have not taken any in a long time).

5. After I finished this scan and restarted Firefox, "Restore previous session" was not there.

Anyway, here's the scan, and to answer your previous question w/ the antivirus scan, I'm really not sure.

thanks

Malwarebytes' Anti-Malware 1.35

Database version: 1945

Windows 5.1.2600 Service Pack 2

4/6/2009 5:35:53 PM

mbam-log-2009-04-06 (17-35-53).txt

Scan type: Full Scan (C:\|)

Objects scanned: 96065

Time elapsed: 36 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Staff

Hi,

Let's have a final check, so * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.



OK Mieke, did as you asked.

By the way, my puter froze up again, that's one problem I've never had! Anyways,

here's the scan log:

ComboFix 09-04-04.01 - Compaq User 2009-04-06 18:49:50.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.704.484 [GMT -4:00]

Running from: c:\documents and settings\Compaq User\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated)

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Common Files\{54F33~1

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_COM+_MESSAGES

-------\Service_COM+ Messages

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))

.

2009-04-06 15:12 . 2009-04-06 15:12 <DIR> d-------- c:\program files\Avira

2009-04-06 15:12 . 2009-04-06 15:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2009-04-06 13:06 . 2009-04-06 13:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-04-06 13:06 . 2009-04-06 13:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-06 13:06 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 13:06 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-04-06 02:52 . 2009-04-06 03:31 <DIR> d-------- c:\windows\system32\CatRoot_bak

2009-04-06 02:50 . 2008-06-13 09:10 272,128 --------- c:\windows\system32\drivers\bthport.sys

2009-04-06 02:50 . 2008-06-13 09:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys

2009-04-06 02:49 . 2008-08-14 06:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe

2009-04-06 02:49 . 2008-08-14 05:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-04-06 02:49 . 2008-08-14 05:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-04-06 02:49 . 2008-08-14 05:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

2009-04-06 02:40 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui

2009-04-06 02:40 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui

2009-04-06 02:40 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui

2009-04-06 02:40 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui

2009-04-05 23:44 . 2009-04-05 23:49 <DIR> d-------- c:\windows\SxsCaPendDel

2009-04-05 16:19 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys

2009-04-05 16:05 . 2009-04-05 16:05 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\glgqpbwt

2009-04-05 14:57 . 2008-07-06 08:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll

2009-04-05 14:57 . 2008-07-06 08:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll

2009-04-05 14:57 . 2008-07-06 06:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-04-05 14:57 . 2008-07-06 08:06 575,488 --------- c:\windows\system32\xpsshhdr.dll

2009-04-05 14:57 . 2008-07-06 08:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll

2009-04-05 14:57 . 2008-07-06 08:06 117,760 --------- c:\windows\system32\prntvpt.dll

2009-04-05 14:57 . 2008-07-06 08:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-04-02 14:34 . 2009-04-06 02:57 <DIR> d-------- c:\windows\system32\XPSViewer

2009-04-02 14:34 . 2009-04-02 14:34 <DIR> d-------- c:\program files\Reference Assemblies

2009-04-02 14:34 . 2009-04-02 14:34 <DIR> d-------- c:\program files\MSXML 6.0

2009-04-02 14:34 . 2009-04-02 14:34 <DIR> d-------- c:\program files\MSBuild

2009-03-27 13:07 . 2009-04-06 00:00 69 --a------ c:\windows\NeroDigital.ini

2009-03-25 13:28 . 2009-03-25 13:28 <DIR> d-------- c:\program files\Common Files\Ahead

2009-03-25 13:28 . 2001-07-09 10:50 155,648 --a------ c:\windows\system32\NeroCheck.exe

2009-03-25 13:28 . 2005-09-01 11:03 127,488 --------- c:\windows\system32\drivers\imagesrv.sys

2009-03-25 13:28 . 2005-09-01 11:03 5,888 --------- c:\windows\system32\drivers\imagedrv.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-06 03:58 --------- d-----w c:\program files\SolSuite

2009-04-06 03:57 --------- d-----w c:\program files\RGS-CardMaster

2009-04-06 02:55 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-04-05 18:14 --------- d-----w c:\program files\ReadIris

2009-04-05 18:14 --------- d-----w c:\program files\DocPad

2009-04-05 18:14 --------- d-----w c:\program files\Dictionary

2009-04-05 18:14 --------- d-----w c:\program files\Browser MOUSE

2009-03-25 17:28 --------- d-----w c:\program files\Ahead

2009-03-17 22:28 --------- d-----w c:\program files\Windows Media Connect

2009-03-17 22:28 --------- d-----w c:\program files\Common Files\MySoftware

2009-03-17 22:28 --------- d-----w c:\program files\ABBYY FineReader 5.0 Sprint

2009-03-03 23:38 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-03-02 15:23 --------- d--h--w c:\program files\InstallShield Installation Information

2009-03-01 03:19 --------- d-----w c:\program files\Index.dat Suite

2009-03-01 02:48 --------- d-----w c:\documents and settings\Compaq User\Application Data\Malwarebytes

2009-02-18 16:15 --------- d-----w c:\program files\Lexmark 4200 Series

2009-02-15 01:40 --------- d-----w c:\program files\Duplicate File Eraser

2009-02-14 19:08 --------- d-----w c:\program files\Free Download Manager

2009-02-08 01:53 --------- d-----w c:\documents and settings\Compaq User\Application Data\SharpReader

2009-02-07 19:23 --------- d-----w c:\program files\SharpReader

2009-01-18 13:12 61,440 ----a-w c:\windows\wnUninstall.exe

2009-01-10 21:35 7,518,240 ----a-w c:\program files\Firefox Setup 3.0.5.exe

2008-11-13 18:41 1,618 ----a-w c:\program files\Calendar.ini

2008-11-13 18:15 325,947 ----a-w c:\program files\Calendars 2.01ZIP.zip

2008-05-09 02:22 2,060,592 ----a-w c:\program files\fdminst-lite.exe

2008-05-09 01:49 304,957 ----a-w c:\program files\hjsplit.zip

2008-03-20 00:23 9,730,800 -c--a-w c:\program files\vlc-0.8.6e-win32.exe

2007-08-03 05:15 675,840 ----a-w c:\program files\Calendar.exe

2007-07-02 15:05 1,764 -c--a-w c:\program files\README.TXT

2007-04-18 22:57 1,163,592 -c--a-w c:\program files\install_flash_player.exe

2007-03-15 15:37 491,768 -c--a-w c:\program files\ie6setup.exe

2007-03-09 23:17 1,145,896 -c--a-w c:\program files\GoogleToolbarInstaller.exe

2007-02-22 01:23 48,640 -c--a-w c:\program files\Weather-Install.exe

2007-02-09 16:18 824,901 -c--a-w c:\program files\oggcodecs_0.71.0946.exe

2007-01-27 13:31 70,487 ----a-w c:\program files\KillBox.zip

2006-04-11 00:29 305,416 -c--a-w c:\program files\office2003-KB907417-FullFile-ENU.exe

2006-04-11 00:21 393,416 -c--a-w c:\program files\LISTool.exe

2006-03-29 04:04 3,217,896 -c--a-w c:\program files\wbsamp.exe

2006-03-25 14:58 800,136 -c--a-w c:\program files\regclean.exe

2006-03-22 23:03 3,321,048 -c--a-w c:\program files\rminstall.exe

2006-03-06 02:35 72,294 -c--a-w c:\program files\shared.js

2006-02-20 16:48 299,288 -c--a-w c:\program files\GmailInstaller.exe

2006-02-20 16:24 89,600 -c--a-w c:\program files\ebay.msi

2006-02-20 16:12 1,623,608 -c--a-w c:\program files\GoogleDesktopSetup.exe

2006-02-19 15:22 811,146 -c--a-w c:\program files\idsuite_basic.exe

2006-02-15 05:25 3,528,344 ----a-w c:\program files\rgscards410uk.zip

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2006-01-29 200747]

"NVIEW"="nview.dll" [2003-07-28 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]

"FaxCenterServer4_in_1"="c:\program files\Lexmark 4200 Series\Fax\fm3032.exe" [2004-01-22 151552]

"FLMOFFICE4DMOUSE"="c:\program files\Browser MOUSE\mouse32a.exe" [2006-12-24 360448]

"CamCheck"="c:\program files\NuCam\CamCheck\CamCheck.exe" [2003-02-06 90112]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]

"Tracker"="c:\program files\MySoftware\MyInvoices\tracker.exe" [2001-12-03 94208]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]

c:\documents and settings\Compaq User\Start Menu\Programs\Startup\

Webshots.lnk - c:\program files\Webshots\Launcher.exe [2007-02-05 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=

"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"45706:TCP"= 45706:TCP:@xpsp2res.dll,-22009

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-06 108289]

R2 Blink2PnP;Blink2PnP;c:\windows\twain_32\SiPix\SCBLINK2\srvany.exe [2006-12-23 13312]

R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-07-11 23153]

S3 DCamUSBBVI;SiPix StyleCam CAMeleon Dual Mode Camera;c:\windows\system32\drivers\biomini.sys [2006-12-23 397440]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

wqrkyxvz

.

Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\At1.job

- c:\windows\system32\aawluyx.dll []

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

HKCU-Run-MSMSGS - c:\program files\Messenger\msmsgs.exe

HKLM-Run-Share-to-Web Namespace Daemon - c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

HKLM-Run-Veoh Helper - c:\program files\Veoh Helper\veohTray.exe

HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

Trusted Zone: microsoft.com\office

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Compaq User\Application Data\Mozilla\Firefox\Profiles\0ucx831e.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-06 18:54:57

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows\twain_32\SiPix\SCBLINK2\USBPNP.exe

c:\windows\system32\pctspk.exe

c:\program files\Lexmark 4200 Series\lxbmbmon.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\wdfmgr.exe

c:\program files\WinZip\WZQKPICK.EXE

c:\program files\IncrediMail\bin\IMApp.exe

c:\program files\Webshots\Webshots.scr

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-04-06 18:58:57 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-06 22:58:51

Pre-Run: 2,564,276,224 bytes free

Post-Run: 3,446,042,624 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5

210 --- E O F --- 2009-04-06 20:26:43

Waiting for your reply. PS: cute looking dog.. Black Lab??


  • Staff

Hi,

Just a few leftovers to delete here. MBAM already dealt with the main infection.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

c:\windows\Tasks\At1.job

Dirlook::

c:\documents and settings\NetworkService\Application Data\glgqpbwt

NetSvc::

wqrkyxvz

Save this as a txt file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

PS cute lookin dog.. Black Lab??

No, an American Staffordshire :)


OK, got this from the ComboFix scan report:

ComboFix 09-04-04.01 - Compaq User 2009-04-06 19:23:57.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.704.454 [GMT -4:00]

Running from: c:\documents and settings\Compaq User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Compaq User\My Documents\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

c:\windows\Tasks\At1.job

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Tasks\At1.job

.

((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))

.

2009-04-06 15:12 . 2009-04-06 15:12 <DIR> d-------- c:\program files\Avira

2009-04-06 15:12 . 2009-04-06 15:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2009-04-06 13:06 . 2009-04-06 13:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-04-06 13:06 . 2009-04-06 13:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-06 13:06 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 13:06 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-04-06 02:52 . 2009-04-06 03:31 <DIR> d-------- c:\windows\system32\CatRoot_bak

2009-04-06 02:50 . 2008-06-13 09:10 272,128 --------- c:\windows\system32\drivers\bthport.sys

2009-04-06 02:50 . 2008-06-13 09:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys

2009-04-06 02:49 . 2008-08-14 06:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe

2009-04-06 02:49 . 2008-08-14 05:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-04-06 02:49 . 2008-08-14 05:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-04-06 02:49 . 2008-08-14 05:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

2009-04-06 02:40 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui

2009-04-06 02:40 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui

2009-04-06 02:40 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui

2009-04-06 02:40 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui

2009-04-05 23:44 . 2009-04-05 23:49 <DIR> d-------- c:\windows\SxsCaPendDel

2009-04-05 16:19 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys

2009-04-05 16:05 . 2009-04-05 16:05 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\glgqpbwt

2009-04-05 14:57 . 2008-07-06 08:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll

2009-04-05 14:57 . 2008-07-06 08:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll

2009-04-05 14:57 . 2008-07-06 06:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-04-05 14:57 . 2008-07-06 08:06 575,488 --------- c:\windows\system32\xpsshhdr.dll

2009-04-05 14:57 . 2008-07-06 08:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll

2009-04-05 14:57 . 2008-07-06 08:06 117,760 --------- c:\windows\system32\prntvpt.dll

2009-04-05 14:57 . 2008-07-06 08:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-04-02 14:34 . 2009-04-06 02:57 <DIR> d-------- c:\windows\system32\XPSViewer

2009-04-02 14:34 . 2009-04-02 14:34 <DIR> d-------- c:\program files\Reference Assemblies

2009-04-02 14:34 . 2009-04-02 14:34 <DIR> d-------- c:\program files\MSXML 6.0

2009-04-02 14:34 . 2009-04-02 14:34 <DIR> d-------- c:\program files\MSBuild

2009-03-27 13:07 . 2009-04-06 00:00 69 --a------ c:\windows\NeroDigital.ini

2009-03-25 13:28 . 2009-03-25 13:28 <DIR> d-------- c:\program files\Common Files\Ahead

2009-03-25 13:28 . 2001-07-09 10:50 155,648 --a------ c:\windows\system32\NeroCheck.exe

2009-03-25 13:28 . 2005-09-01 11:03 127,488 --------- c:\windows\system32\drivers\imagesrv.sys

2009-03-25 13:28 . 2005-09-01 11:03 5,888 --------- c:\windows\system32\drivers\imagedrv.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-06 03:58 --------- d-----w c:\program files\SolSuite

2009-04-06 03:57 --------- d-----w c:\program files\RGS-CardMaster

2009-04-06 02:55 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-04-05 18:14 --------- d-----w c:\program files\ReadIris

2009-04-05 18:14 --------- d-----w c:\program files\DocPad

2009-04-05 18:14 --------- d-----w c:\program files\Dictionary

2009-04-05 18:14 --------- d-----w c:\program files\Browser MOUSE

2009-03-25 17:28 --------- d-----w c:\program files\Ahead

2009-03-17 22:28 --------- d-----w c:\program files\Windows Media Connect

2009-03-17 22:28 --------- d-----w c:\program files\Common Files\MySoftware

2009-03-17 22:28 --------- d-----w c:\program files\ABBYY FineReader 5.0 Sprint

2009-03-03 23:38 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-03-02 15:23 --------- d--h--w c:\program files\InstallShield Installation Information

2009-03-01 03:19 --------- d-----w c:\program files\Index.dat Suite

2009-03-01 02:48 --------- d-----w c:\documents and settings\Compaq User\Application Data\Malwarebytes

2009-02-18 16:15 --------- d-----w c:\program files\Lexmark 4200 Series

2009-02-15 01:40 --------- d-----w c:\program files\Duplicate File Eraser

2009-02-14 19:08 --------- d-----w c:\program files\Free Download Manager

2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys

2009-02-08 01:53 --------- d-----w c:\documents and settings\Compaq User\Application Data\SharpReader

2009-02-07 19:23 --------- d-----w c:\program files\SharpReader

2009-01-18 13:12 61,440 ----a-w c:\windows\wnUninstall.exe

2009-01-10 21:35 7,518,240 ----a-w c:\program files\Firefox Setup 3.0.5.exe

2008-11-13 18:41 1,618 ----a-w c:\program files\Calendar.ini

2008-11-13 18:15 325,947 ----a-w c:\program files\Calendars 2.01ZIP.zip

2008-05-09 02:22 2,060,592 ----a-w c:\program files\fdminst-lite.exe

2008-05-09 01:49 304,957 ----a-w c:\program files\hjsplit.zip

2008-03-20 00:23 9,730,800 -c--a-w c:\program files\vlc-0.8.6e-win32.exe

2007-08-03 05:15 675,840 ----a-w c:\program files\Calendar.exe

2007-07-02 15:05 1,764 -c--a-w c:\program files\README.TXT

2007-04-18 22:57 1,163,592 -c--a-w c:\program files\install_flash_player.exe

2007-03-15 15:37 491,768 -c--a-w c:\program files\ie6setup.exe

2007-03-09 23:17 1,145,896 -c--a-w c:\program files\GoogleToolbarInstaller.exe

2007-02-22 01:23 48,640 -c--a-w c:\program files\Weather-Install.exe

2007-02-09 16:18 824,901 -c--a-w c:\program files\oggcodecs_0.71.0946.exe

2007-01-27 13:31 70,487 ----a-w c:\program files\KillBox.zip

2006-04-11 00:29 305,416 -c--a-w c:\program files\office2003-KB907417-FullFile-ENU.exe

2006-04-11 00:21 393,416 -c--a-w c:\program files\LISTool.exe

2006-03-29 04:04 3,217,896 -c--a-w c:\program files\wbsamp.exe

2006-03-25 14:58 800,136 -c--a-w c:\program files\regclean.exe

2006-03-22 23:03 3,321,048 -c--a-w c:\program files\rminstall.exe

2006-03-06 02:35 72,294 -c--a-w c:\program files\shared.js

2006-02-20 16:48 299,288 -c--a-w c:\program files\GmailInstaller.exe

2006-02-20 16:24 89,600 -c--a-w c:\program files\ebay.msi

2006-02-20 16:12 1,623,608 -c--a-w c:\program files\GoogleDesktopSetup.exe

2006-02-19 15:22 811,146 -c--a-w c:\program files\idsuite_basic.exe

2006-02-15 05:25 3,528,344 ----a-w c:\program files\rgscards410uk.zip

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\NetworkService\Application Data\glgqpbwt ----

2009-04-05 17:30 2048 --a------ c:\documents and settings\NetworkService\Application Data\glgqpbwt\Profiles\zjohnzvn.default\cookies.sqlite

2009-04-05 17:10 96173 --a------ c:\documents and settings\NetworkService\Application Data\glgqpbwt\Profiles\zjohnzvn.default\xpti.dat

2009-04-05 17:10 367 --a------ c:\documents and settings\NetworkService\Application Data\glgqpbwt\Profiles\zjohnzvn.default\prefs.js

2009-04-05 17:10 207 --a------ c:\documents and settings\NetworkService\Application Data\glgqpbwt\Profiles\zjohnzvn.default\compatibility.ini

2009-04-05 17:10 2048 --a------ c:\documents and settings\NetworkService\Application Data\glgqpbwt\Profiles\zjohnzvn.default\webappsstore.sqlite

2009-04-05 17:10 131072 --a------ c:\documents and settings\NetworkService\Application Data\glgqpbwt\Profiles\zjohnzvn.default\places.sqlite

2009-04-05 17:10 127885 --a------ c:\documents and settings\NetworkService\Application Data\glgqpbwt\Profiles\zjohnzvn.default\compreg.dat

2009-04-05 17:10 0 --a------ c:\documents and settings\NetworkService\Application Data\glgqpbwt\Profiles\zjohnzvn.default\places.sqlite-journal

2009-04-05 16:05 65536 --a------ c:\documents and settings\NetworkService\Application Data\glgqpbwt\Profiles\zjohnzvn.default\cert8.db

2009-04-05 16:05 510 --a------ c:\documents and settings\NetworkService\Application Data\glgqpbwt\Profiles\zjohnzvn.default\localstore.rdf

2009-04-05 16:05 4096 --a------ c:\documents and settings\NetworkService\Application Data\glgqpbwt\Profiles\zjohnzvn.default\formhistory.sqlite

2009-04-05 16:05 2048 --a------ c:\documents and settings\NetworkService\Application Data\glgqpbwt\Profiles\zjohnzvn.default\permissions.sqlite

2009-04-05 16:05 16384 --a------ c:\documents and settings\NetworkService\Application Data\glgqpbwt\Profiles\zjohnzvn.default\secmod.db

2009-04-05 16:05 16384 --a------ c:\documents and settings\NetworkService\Application Data\glgqpbwt\Profiles\zjohnzvn.default\key3.db

2009-04-05 16:05 1442 --a------ c:\documents and settings\NetworkService\Application Data\glgqpbwt\Profiles\zjohnzvn.default\pluginreg.dat

2009-04-05 16:05 111 --a------ c:\documents and settings\NetworkService\Application Data\glgqpbwt\profiles.ini

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2006-01-29 200747]

"NVIEW"="nview.dll" [2003-07-28 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]

"FaxCenterServer4_in_1"="c:\program files\Lexmark 4200 Series\Fax\fm3032.exe" [2004-01-22 151552]

"FLMOFFICE4DMOUSE"="c:\program files\Browser MOUSE\mouse32a.exe" [2006-12-24 360448]

"CamCheck"="c:\program files\NuCam\CamCheck\CamCheck.exe" [2003-02-06 90112]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]

"Tracker"="c:\program files\MySoftware\MyInvoices\tracker.exe" [2001-12-03 94208]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]

c:\documents and settings\Compaq User\Start Menu\Programs\Startup\

Webshots.lnk - c:\program files\Webshots\Launcher.exe [2007-02-05 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=

"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"45706:TCP"= 45706:TCP:@xpsp2res.dll,-22009

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-06 108289]

R2 Blink2PnP;Blink2PnP;c:\windows\twain_32\SiPix\SCBLINK2\srvany.exe [2006-12-23 13312]

R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [2001-07-11 23153]

S3 DCamUSBBVI;SiPix StyleCam CAMeleon Dual Mode Camera;c:\windows\system32\drivers\biomini.sys [2006-12-23 397440]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

Trusted Zone: microsoft.com\office

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Compaq User\Application Data\Mozilla\Firefox\Profiles\0ucx831e.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-06 19:26:10

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-04-06 19:28:43

ComboFix-quarantined-files.txt 2009-04-06 23:28:38

ComboFix2.txt 2009-04-06 22:59:02

Pre-Run: 3,441,438,720 bytes free

Post-Run: 3,425,591,296 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5

192 --- E O F --- 2009-04-06 20:26:43

How we lookin boss?

Bronks 4 Hire


  • Staff

Hi,

This looks OK again :)

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


Hi

Been using the puter for 1 day now, got a new set of problems

1. When I click to run MBAM I get error Code: 797 (2)

2. My task mngr has got wscntfy.exe running, I can't get rid of it. From the research I've done it seems to correlate w/ the problems I'm having, like clicks on pages aren't working well, system slowed down off & on.

3. Although this computer hasn't frozen up in the last hour, it has frozen at least 10 times since yesterday

4. This Microsoft Recovery has been a pain in the ass, I'd like to shut it off or better, just remove it

Help Please

Bronks


OK, I was able to reload MBAM, update & scan; the scan detected 2 problems, here's the scan results

Malwarebytes' Anti-Malware 1.36

Database version: 1949

Windows 5.1.2600 Service Pack 2

4/7/2009 8:35:10 PM

mbam-log-2009-04-07 (20-35-10).txt

Scan type: Full Scan (C:\|)

Objects scanned: 94968

Time elapsed: 31 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Bronks


  • Staff

Hi,

1. When I click to run MBAM I get error Code: 797 (2)

Since you got it to run now, I assume that issue is resolved now?

2. My task mngr has got wscntfy.exe running, I can't get rid of it. From the research I've done it seems to correlate w/ the problems I'm having, like clicks on pages aren't working well, system slowed down off & on.

That's the Windows Security Center notification (red shield you should see below). It's alerting you that your Antivirus or Firewall is disabled, or your Antivirus is outdated. So open Avira, select update and make sure you have the latest updates.

Also look in your Windows Security Center and enable the Windows Firewall if disabled. Then this should go away.

This shouldn't cause the slowdown problems though...

3. Although this computer hasn't frozen up in the last hour, it has frozen at least 10 times since yesterday

Is it still doing this now?

4. This Microsoft Recovery has been a pain in the ass, I'd like to shut it off or better, just remove it

What Microsoft Recovery are you talking about?
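The Security Center warning Mieke describes is driven by a handful of registry values, and both logs in this thread show them: ComboFix lists "AntiVirusOverride"=dword:00000001 and "EnableFirewall"= 0 under Reg Loading Points, and MBAM later quarantines FirewallDisableNotify as Disabled.SecurityCenter. The following Python checker is an added example (not code from the forum, ComboFix or Malwarebytes): it parses the REGEDIT4-style section of a ComboFix log and lists the settings that suppress the red shield or leave the firewall off. The sample log is constructed from the values shown above; the section and value names are the standard Windows XP ones, and the function names are my own.

```python
"""Flag Security Center / firewall tampering in a ComboFix "Reg Loading Points" dump.

Added example for this thread; not code from ComboFix, Malwarebytes or the
forum. The registry section below is constructed from the values the
thread's ComboFix log shows.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the REGEDIT4-style section of the log, trimmed to the
# entries relevant to the Security Center warning discussed in the thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"45706:TCP"= 45706:TCP:@xpsp2res.dll,-22009
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Key suffixes compared case-insensitively against each [section] header.
SECURITY_CENTER = "security center"
FIREWALL_PROFILE = "firewallpolicy\\standardprofile"
OPEN_PORTS = "globallyopenports\\list"

# Security Center values that, when non-zero, silence its warnings. MBAM
# reports these as "Disabled.SecurityCenter" (FirewallDisableNotify in the
# thread); ComboFix shows them under the "security center" key.
OVERRIDE_VALUES = {
    "antivirusoverride", "firewalloverride",
    "antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify",
}


def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section header (lower-cased): {value name: raw value string}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, {})
            continue
        entry = VALUE_RE.match(line)
        if entry and current is not None:
            sections[current][entry.group(1)] = entry.group(2).strip()
    return sections


def to_int(value: str) -> Optional[int]:
    """Decode 'dword:00000001' or '0 (0x0)' style values; None if not numeric."""
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    digits = re.match(r"^(\d+)", value)
    return int(digits.group(1)) if digits else None


def find_security_center_tampering(text: str) -> List[str]:
    """List the settings that would make wscntfy.exe raise the red shield."""
    findings: List[str] = []
    for section, values in parse_reg_dump(text).items():
        if section.endswith(SECURITY_CENTER):
            for name, value in values.items():
                if name.lower() in OVERRIDE_VALUES and (to_int(value) or 0) != 0:
                    findings.append(f"Security Center warning suppressed: {name}={value}")
        elif section.endswith(FIREWALL_PROFILE):
            for name, value in values.items():
                if name.lower() == "enablefirewall" and to_int(value) == 0:
                    findings.append("Windows Firewall disabled in standard profile")
        elif section.endswith(OPEN_PORTS):
            for name in values:
                findings.append(f"Globally open firewall port: {name}")
    return findings


if __name__ == "__main__":
    for finding in find_security_center_tampering(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports the suppressed antivirus warning, the disabled firewall and the globally open TCP port, which is exactly the combination that keeps the notification icon on. The parser also accepts the Run-key entries in the same log section (they are kept as raw strings), so the same pass can be extended to list autostart entries from a log a user has posted.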

Good Morning (here) Mieke

MBAM issue resolved, Yes indeed

Yes, I finally did more reading and decided to enable the firewall (though in the past I've been advised not to); we'll see what lies ahead in the future

I don't fully understand why that ComboFix seems to report or recommend "Windows Recovery Console" be activated for all the people you send there, me included. I don't know if you are aware or caught somewhere in my replies that I chose to allow 31 Microsoft updates the other day? But I finally gave in; my system was working good before I did, & to me it's like building some of the world's tallest buildings, not that it's "inviting" attacks but it becomes a target for attack, if you know what I mean. Anyway I stopped short w/ 3.0 netfix installed, not installing the 3.5 version. I am also dealing w/ a lack of memory issue, I'm at 18.4 GB & have only 8GB for download space. $$$ is the issue there, just gotta deal w/ it till $$ comes in. All these updates are eating into my memory.

Yes the red shield is still on because I won't turn on the auto updates

No, The puter hasn't frozen yet today

& yes the slowdown problem is still there, although the cursor clicking issue has cleared up & my download speed hasn't been affected.

Thank you for all the advice & your efforts so far

I'll await your reply, Bronks


  • Staff
I don't fully understand why that combo fix seems to report or recommends "Windows Recovery Console" be activated for all the people you send there

Trust me, having the Recovery Console installed is a great extra feature. It can be used in case you cannot boot anymore.

I don't understand why you see it as a pain in the ass since it's only showing that option for 2 seconds during boot.

If you really want to remove it, then it's your responsibility and your choice. Instructions on how to do it are here: http://support.microsoft.com/kb/555032

Just make sure you do it correctly and don't break it instead.

But if I were you, I would really leave it - this Recovery Console is really useful!

You really need all updates though. They are actually more important than anything else.

I am also dealing w/ lack of memory issue, I'm at 18.4 GB & have only 8GB for download space

You mean lack of space instead? I suggest you delete/uninstall everything you don't use anymore - burn to CD/whatever.

For example, all these installers can be removed because you've installed them already anyway and most of them are already updated:

2009-01-10 21:35 7,518,240 ----a-w c:\program files\Firefox Setup 3.0.5.exe

2008-11-13 18:41 1,618 ----a-w c:\program files\Calendar.ini

2008-11-13 18:15 325,947 ----a-w c:\program files\Calendars 2.01ZIP.zip

2008-05-09 02:22 2,060,592 ----a-w c:\program files\fdminst-lite.exe

2008-05-09 01:49 304,957 ----a-w c:\program files\hjsplit.zip

2008-03-20 00:23 9,730,800 -c--a-w c:\program files\vlc-0.8.6e-win32.exe

2007-08-03 05:15 675,840 ----a-w c:\program files\Calendar.exe

2007-04-18 22:57 1,163,592 -c--a-w c:\program files\install_flash_player.exe

2007-03-15 15:37 491,768 -c--a-w c:\program files\ie6setup.exe

2007-03-09 23:17 1,145,896 -c--a-w c:\program files\GoogleToolbarInstaller.exe

2007-02-22 01:23 48,640 -c--a-w c:\program files\Weather-Install.exe

2007-02-09 16:18 824,901 -c--a-w c:\program files\oggcodecs_0.71.0946.exe

2007-01-27 13:31 70,487 ----a-w c:\program files\KillBox.zip

2006-04-11 00:29 305,416 -c--a-w c:\program files\office2003-KB907417-FullFile-ENU.exe

2006-04-11 00:21 393,416 -c--a-w c:\program files\LISTool.exe

2006-03-29 04:04 3,217,896 -c--a-w c:\program files\wbsamp.exe

2006-03-25 14:58 800,136 -c--a-w c:\program files\regclean.exe

2006-03-22 23:03 3,321,048 -c--a-w c:\program files\rminstall.exe

2006-02-20 16:48 299,288 -c--a-w c:\program files\GmailInstaller.exe

2006-02-20 16:24 89,600 -c--a-w c:\program files\ebay.msi

2006-02-20 16:12 1,623,608 -c--a-w c:\program files\GoogleDesktopSetup.exe

2006-02-19 15:22 811,146 -c--a-w c:\program files\idsuite_basic.exe

2006-02-15 05:25 3,528,344 ----a-w c:\program files\rgscards410uk.zip

Not sure why you download the installers to your ProgramFiles folder though.

The fact that you don't have much space left also explains why your computer is a lot slower.

Anyway, please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

