Jump to content

Malwarebytes and Hijackthis will not run


Recommended Posts

I have a HP notebook with MS Win XP SP2 Media Center Edition and need help in removing malware.

My problems started with unknown sounds playing by themselves on the notebook.

I tried upgrading my existing AVG but no response from PC.

Downloaded and installed Malwarebytes but will not run, not even in safe mode.

Downloaded Hijackthis but PC does not respond and it is not installed.

Tried to install VArestorepolicies but not sure if it is installed.

Downloaded FixPolicies.exe but will not install or run.

Silentrunners.vbs provided the log:

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

"ERMINE" = "C:\Documents and Settings\ERMINE\ERMINE.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"Symantec PIF AlertEng" = ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"]

"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."]

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"

\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" [file not found]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Windows Live Sign-in Helper"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"

-> {HKLM...CLSID} = "Display Panning CPL Extension"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"

-> {HKLM...CLSID} = "IE Microsoft AutoComplete"

\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"

-> {HKLM...CLSID} = "History Band"

\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]

"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "ShellViewRTF"

-> {HKLM...CLSID} = "ShellViewRTF"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Outlook File Icon Extension"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"

-> {HKLM...CLSID} = "AVG7 Find Extension Class"

\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

-> {HKLM...CLSID} = "My Sharing Folders"

\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {HKLM...CLSID} = "AVG7 Shell Extension Class"

\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"

-> {HKLM...CLSID} = "MBAMShlExt Class"

\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

FAExt\(Default) = "{05672D66-9736-42F5-8BEB-FA1DD3CA51C4}"

-> {HKLM...CLSID} = "FAExt Class"

\InProcServer32\(Default) = "C:\PROGRA~1\FILEAS~1\FILEAS~1.DLL" ["Malwarebytes"]

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"

-> {HKLM...CLSID} = "MBAMShlExt Class"

\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

{unrecognized setting}

"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme

{unrecognized setting}

Active Desktop and Wallpaper:

-----------------------------

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\Wave.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\Wave.bmp"

Enabled Screen Saver:

---------------------

HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\Berlitz.SCR" [empty string]

Windows Portable Device AutoPlay Handlers

-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

EHomeMusicDropTarget\

"Provider" = "Media Center"

"InvokeProgID" = "EHomeDropTarget.EHomeMusicDropTarget"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeMusicDropTarget\shell\play\DropTarget\CLSID = "{ED87EFF3-FF22-404E-B2BD-BC3841BDCB2C}"

-> {HKLM...CLSID} = "EHomeMusicDropTarget Class"

\InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

EHomePhotosHandler\

"Provider" = "Media Center"

"InvokeProgID" = "EHomeDropTarget.EHomePhotosHandler"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomePhotosHandler\shell\play\DropTarget\CLSID = "{4b7601c1-d292-4902-89f4-583a5ce0c535}"

-> {HKLM...CLSID} = "EHomePhotosHandler Class"

\InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

EHomeVideoDropTarget\

"Provider" = "Media Center"

"InvokeProgID" = "EHomeDropTarget.EHomeVideoDropTarget"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeVideoDropTarget\shell\play\DropTarget\CLSID = "{A48E70A4-8E15-4465-9D85-CCE9E63F8AAB}"

-> {HKLM...CLSID} = "EHomeVideoDropTarget Class"

\InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

EHomeVideosHandler\

"Provider" = "Media Center"

"InvokeProgID" = "EHomeDropTarget.EHomeVideosHandler"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeVideosHandler\shell\play\DropTarget\CLSID = "{4f61ec50-acef-4ae7-b4c6-b19bddc0f745}"

-> {HKLM...CLSID} = "EHomeVideosHandler Class"

\InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

HPAutoplayExpress\

"Provider" = "HP Photosmart Express Software"

"InvokeProgID" = "HpqUnApl.Autoplay"

"InvokeVerb" = "Express"

HKLM\SOFTWARE\Classes\HpqUnApl.Autoplay\shell\Express\DropTarget\CLSID = "{57FA3F08-E36E-4820-9CC4-122D46114993}"

-> {HKLM...CLSID} = (no title provided)

\LocalServer32\(Default) = "C:\Program Files\HP\Digital Imaging\Unload\HpqUnApl.exe" ["Hewlett-Packard"]

HPUnloadAutoplay\

"Provider" = "HP Photosmart Transfer Software"

"InvokeProgID" = "HpqUnApl.Autoplay"

"InvokeVerb" = "Play"

HKLM\SOFTWARE\Classes\HpqUnApl.Autoplay\shell\Play\DropTarget\CLSID = "{E1A1C814-FD09-4c9d-BB4A-0394B836A1F0}"

-> {HKLM...CLSID} = (no title provided)

\LocalServer32\(Default) = "C:\Program Files\HP\Digital Imaging\Unload\HpqUnApl.exe" ["Hewlett-Packard"]

muveeVideoCameraArrival\

"Provider" = "muvee autoProducer 5.0"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = ""C:\Program Files\muvee Technologies\muvee autoProducer 5.0 - SE\muveeapp.exe" /RECORD"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

-> {HKLM...CLSID} = "ShellExecute HW Event Handler"

\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

QuickPlayDCameraArrival\

"Provider" = "HP QuickPlay"

"InvokeProgID" = "Picture"

"InvokeVerb" = "PlayWithQuickPlay"

HKLM\SOFTWARE\Classes\Picture\shell\PlayWithQuickPlay\Command\(Default) = ""C:\Program Files\HP\QuickPlay\QP.exe" AUTOPLAY DSC "%L"" ["CyberLink Corp."]

QuickPlayDVArrival\

"Provider" = "HP QuickPlay"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = ""C:\Program Files\HP\QuickPlay\QP.exe" DV "%L""

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

-> {HKLM...CLSID} = "ShellExecute HW Event Handler"

\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

QuickPlayMusicFilesArrival\

"Provider" = "HP QuickPlay"

"InvokeProgID" = "MusicFiles"

"InvokeVerb" = "PlayWithQuickPlay"

HKLM\SOFTWARE\Classes\MusicFiles\shell\PlayWithQuickPlay\Command\(Default) = ""C:\Program Files\HP\QuickPlay\QP.exe" AUTOPLAY MUSIC "%L"" ["CyberLink Corp."]

QuickPlayPlayCDAudioOnArrival\

"Provider" = "HP QuickPlay"

"InvokeProgID" = "AudioCD"

"InvokeVerb" = "PlayWithQuickPlay"

HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithQuickPlay\Command\(Default) = ""C:\Program Files\HP\QuickPlay\QP.exe" AUTOPLAY CD "%L"" ["CyberLink Corp."]

QuickPlayPlayDVDMovieOnArrival\

"Provider" = "HP QuickPlay"

"InvokeProgID" = "DVD"

"InvokeVerb" = "PlayWithQuickPlay"

HKLM\SOFTWARE\Classes\DVD\shell\PlayWithQuickPlay\Command\(Default) = ""C:\Program Files\HP\QuickPlay\QP.exe" AUTOPLAY MOVIE "%L"" ["CyberLink Corp."]

QuickPlayVideoFilesArrival\

"Provider" = "HP QuickPlay"

"InvokeProgID" = "VideoFiles"

"InvokeVerb" = "PlayWithQuickPlay"

HKLM\SOFTWARE\Classes\VideoFiles\shell\PlayWithQuickPlay\Command\(Default) = ""C:\Program Files\HP\QuickPlay\QP.exe" AUTOPLAY VIDEO "%L"" ["CyberLink Corp."]

RhapsodyCDBurningOnArrival\

"Provider" = "Rhapsody"

"InvokeProgID" = "Rhapsody.CDBurn.3"

"InvokeVerb" = "open"

HKLM\SOFTWARE\Classes\Rhapsody.CDBurn.3\shell\open\command\(Default) = ""C:\Program Files\HP Rhapsody\rhapsody.exe" /burn "%1"" ["RealNetworks, Inc."]

RhapsodyDeviceOnArrival\

"Provider" = "Rhapsody"

"ProgID" = "Rhapsody.HWEventHandler"

HKLM\SOFTWARE\Classes\Rhapsody.HWEventHandler\CLSID\(Default) = "{5717E2AC-8A5C-47b7-BFE5-50BAD65AB904}"

-> {HKLM...CLSID} = "Rhapsody Helper"

\LocalServer32\(Default) = ""C:\PROGRA~1\HPRHAP~1\rhaphlpr.exe"" ["RealNetworks, Inc."]

RhapsodyMusicDevice\

"Provider" = "Rhapsody"

"InvokeProgID" = "Rhapsody.MusicDevice.3"

"InvokeVerb" = "open"

HKLM\SOFTWARE\Classes\Rhapsody.MusicDevice.3\shell\open\command\(Default) = ""C:\Program Files\HP Rhapsody\rhapsody.exe" /device: "%1"" ["RealNetworks, Inc."]

RhapsodyPlayCDAudioOnArrival\

"Provider" = "Rhapsody"

"InvokeProgID" = "Rhapsody.AudioCD.3"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\Rhapsody.AudioCD.3\shell\play\command\(Default) = ""C:\Program Files\HP Rhapsody\rhapsody.exe" /play "%1"" ["RealNetworks, Inc."]

SonicSCAudioCDTask\

"Provider" = "Sonic Audio Module"

"InvokeProgID" = "Sonic.SonicCentral"

"InvokeVerb" = "AudioCDTask"

HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\AudioCDTask\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {EBD22732-1CC3-4CD7-9A45-B8D98DA0E784}" [null data]

SonicSCCopyCD\

"Provider" = "Sonic Copy Module"

"InvokeProgID" = "Sonic.SonicCentral"

"InvokeVerb" = "ExactCopyJob"

HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {49B235A3-1C3E-4802-9B5C-BAFBE69A3C85}" [null data]

SonicSCCopyDisc\

"Provider" = "Sonic Copy Module"

"InvokeProgID" = "Sonic.SonicCentral"

"InvokeVerb" = "ExactCopyJob"

HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {49B235A3-1C3E-4802-9B5C-BAFBE69A3C85}" [null data]

SonicSCDataProject\

"Provider" = "Sonic Data Module"

"InvokeProgID" = "Sonic.SonicCentral"

"InvokeVerb" = "DataGuide"

HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\DataGuide\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch Data" [null data]

SonicSCDataTask\

"Provider" = "Sonic Data Module"

"InvokeProgID" = "Sonic.SonicCentral"

"InvokeVerb" = "DataTask"

HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\DataTask\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {0BAC5C34-DF45-4C0F-8D64-8E92DCCF007D}" [null data]

SonicVideoCameraArrival\

"Provider" = "Sonic Solutions"

"ProgID" = "MyDVD.MyDVDAPHandler"

"InitCmdLine" = "new"

HKLM\SOFTWARE\Classes\MyDVD.MyDVDAPHandler\CLSID\(Default) = "{3D5EF619-F606-4FAA-97C0-222B7DCA05EC}"

-> {HKLM...CLSID} = "MyDVDAPHandler Class"

\LocalServer32\(Default) = "C:\PROGRA~1\Sonic\DIGITA~1\MYDVDP~1\MyDVD.EXE -autoplay" ["Sonic Solutions"]

SonicVideoCameraArrivalDirect\

"Provider" = "Sonic Solutions"

"ProgID" = "MyDVD.MyDVDAPHandler"

"InitCmdLine" = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {3563B7B4-E6D4-4360-8E38-64E008F52C5C}"

HKLM\SOFTWARE\Classes\MyDVD.MyDVDAPHandler\CLSID\(Default) = "{3D5EF619-F606-4FAA-97C0-222B7DCA05EC}"

-> {HKLM...CLSID} = "MyDVDAPHandler Class"

\LocalServer32\(Default) = "C:\PROGRA~1\Sonic\DIGITA~1\MYDVDP~1\MyDVD.EXE -autoplay" ["Sonic Solutions"]

Startup items in "ERMINE" & "All Users" startup folders:

--------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Clean Access Agent" -> shortcut to: "C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe" ["Cisco Systems, Inc"]

"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Development Company, L.P."]

Winsock2 Service Provider DLLs:

-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"

-> {HKLM...CLSID} = "Yahoo! Toolbar"

\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

-> {HKLM...CLSID} = "Yahoo! Toolbar"

\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points

------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):

[strings]: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop

Missing lines (compared with English-language version):

[strings]: 1 line

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "*l" (unwritable string)

-> {HKLM...CLSID} = "Yahoo! Toolbar"

\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]

AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]

hpqwmiex, hpqwmiex, "C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe" ["Hewlett-Packard Development Company, L.P."]

LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]

LiveUpdate Notice Service, LiveUpdate Notice Service, ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll"" ["Symantec Corporation"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]

Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]

Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]

Message Queuing, MSMQ, "C:\WINDOWS\system32\mqsvc.exe" [MS]

Message Queuing Triggers, MSMQTriggers, "C:\WINDOWS\system32\mqtgsvc.exe" [MS]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]

Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:

---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

LIDIL hpzll4pi\Driver = "hpzll4pi.dll" ["Hewlett-Packard Company"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

---------- (launch time: 2009-08-16 22:11:22)

<<!>>: Suspicious data at a malware launch point.

<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 50 seconds, including 22 seconds for message boxes)

Link to post
Share on other sites

Hi orb0554, Welcome to Malwarebytes :(

Step #1

We Need to check for Rootkits with RootRepeal

  1. Download RootRepeal from the following location and save it to your desktop.

[*]Rar Mirrors - Only if you know what a RAR is and can extract it.

[*]Extract RootRepeal.exe from the archive.

[*]Open rootRepealDesktopIcon.png on your desktop.

[*]Click the reportTab.png tab.

[*]Click the btnScan.png button.

[*]Check all seven boxes: checkBoxes2.png

[*]Push Ok

[*]Check the box for your main system drive (Usually C:), and press Ok.

[*]Allow RootRepeal to run a scan of your system. This may take some time.

[*]Once the scan completes, push the saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Step #2

Please download Win32kDiag.exe by AD to the desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply:

Link to post
Share on other sites

I am having problem with RootRepeal. I am getting an error message that it is not able to read boot sector and sugest using options to adjust Disk Access Level. I tried different setting and I am still getting the same error message.

I have tried running RootRepeal and system crashes after about 10 minutes. I have started Windows in safe mode with networking enabled but RootRepeal is taking too long, about 36 hours so far.

Also, while RootRepeal was running; IE opened up with Google's page without user intervention. IE had been started/opened.

Link to post
Share on other sites

i got this Starting up...

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZA

P15CB.tmp\ZAP15CB.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZA

P25E.tmp\ZAP25E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZA

P7B.tmp\ZAP7B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\000021095110

90400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\000021099100

90400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109A100

90400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B100

90400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100

A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100

C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F2

31838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C6

48A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3

D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary

ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporar

y ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoi

nt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKU

s

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\setup.pss\setup.pss

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Do

wnloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867

bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb

4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\154fcf8f21f41

37d09271267cc1c5727\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33

978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b026489924040

8ce315fe572c84c0e59\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b212

11a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf0471ca1f3f1

2affe6c8fea1ffc6ddb\cf0471ca1f3f12affe6c8fea1ffc6ddb

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba57

09df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system\New Folder\New Folder

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2799858091-249677

3224-320642624-1006\S-1-5-21-2799858091-2496773224-320642624-1006

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2799858091-249677

3224-320642624-1007\S-1-5-21-2799858091-2496773224-320642624-1007

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2799858091-249677

3224-320642624-1008\S-1-5-21-2799858091-2496773224-320642624-1008

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2799858091-249677

3224-320642624-1009\S-1-5-21-2799858091-2496773224-320642624-1009

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2799858091-249677

3224-320642624-1011\S-1-5-21-2799858091-2496773224-320642624-1011

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application D

ata\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\{31391EF3-B3AC-4F12-94D8-D

C2DA45E9526}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application D

ata\Microsoft\Credentials\S-1-5-21-2799858091-2496773224-320642624-500\S-1-5-21-

2799858091-2496773224-320642624-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application D

ata\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-8

61567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application D

ata\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application D

ata\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application D

ata\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application D

ata\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application D

ata\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Deskt

op

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Setting

s\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Setting

s\Application Data\Google\Google Desktop\bdb073a547dc\bdb073a547dc

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Setting

s\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Setting

s\Application Data\Microsoft\Credentials\S-1-5-21-2799858091-2496773224-32064262

4-500\S-1-5-21-2799858091-2496773224-320642624-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Setting

s\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543

-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Setting

s\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Setting

s\Application Data\Musicmatch\Jukebox\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHo

od

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\Pri

ntHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Start Menu\Pr

ograms\Windows Antivirus Pro\Windows Antivirus Pro

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (

Microsoft Corporation)

Link to post
Share on other sites

  • Staff

Hi,

Please delete your copy of Win32kDiag.

Please save this file to your Desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

See if you can run MBAM now.

-screen317

Link to post
Share on other sites

-screen317

Not having much luck. This is what I have so far in safe mode:

Log file is located at: C:\Documents and Settings\ERMINE\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

=====================================================

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/26 09:12

Program Version: Version 1.3.5.0

Windows Version: Windows XP Media Center Edition SP2

==================================================

Drivers

-------------------

Name: dump_nvata.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_nvata.sys

Address: 0xEB0DD000 Size: 102400 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF79B5000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB9355000 Size: 49152 File Visible: No Signed: -

Status: -

Stealth Objects

-------------------

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: winlogon.exe (PID: 836) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: services.exe (PID: 880) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: lsass.exe (PID: 892) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvrgixgotkq.dll]

Process: svchost.exe (PID: 1040) Address: 0x00820000 Size: 77824

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: svchost.exe (PID: 1040) Address: 0x009d0000 Size: 49152

Object: Hidden Module [Name: UACdlmlohlvrq.dll]

Process: svchost.exe (PID: 1040) Address: 0x00a80000 Size: 73728

Object: Hidden Module [Name: UACypylcpaibh.dll]

Process: svchost.exe (PID: 1040) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACypylcpaibh.dll]

Process: svchost.exe (PID: 1136) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACypylcpaibh.dll]

Process: svchost.exe (PID: 1180) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACypylcpaibh.dll]

Process: svchost.exe (PID: 1300) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACypylcpaibh.dll]

Process: svchost.exe (PID: 1388) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: spoolsv.exe (PID: 1664) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACvrgixgotkq.dll]

Process: Explorer.EXE (PID: 1868) Address: 0x10000000 Size: 77824

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: PIFSvc.exe (PID: 260) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: avgcc.exe (PID: 268) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: HPWuSchd2.exe (PID: 276) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: ctfmon.exe (PID: 300) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: MsnMsgr.Exe (PID: 320) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: ERMINE.exe (PID: 396) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: CCAAgent.exe (PID: 516) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: hpqtra08.exe (PID: 524) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: hpqSTE08.exe (PID: 1464) Address: 0x00aa0000 Size: 49152

Object: Hidden Module [Name: UACypylcpaibh.dll]

Process: svchost.exe (PID: 1440) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: msdtc.exe (PID: 1796) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: avgamsvr.exe (PID: 1960) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: avgupsvc.exe (PID: 2004) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: avgemc.exe (PID: 1144) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: ehRecvr.exe (PID: 2032) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: ehSched.exe (PID: 192) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: LSSrvc.exe (PID: 336) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: PIFSvc.exe (PID: 480) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: MDM.EXE (PID: 564) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: nvsvc32.exe (PID: 232) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: HPZipm12.exe (PID: 800) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACypylcpaibh.dll]

Process: svchost.exe (PID: 1220) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACypylcpaibh.dll]

Process: svchost.exe (PID: 1340) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: symlcsvc.exe (PID: 1128) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: wdfmgr.exe (PID: 1532) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: mcrdsvc.exe (PID: 1684) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: mqsvc.exe (PID: 2072) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: hpqwmiex.exe (PID: 2128) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: mqtgsvc.exe (PID: 2388) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: dllhost.exe (PID: 2680) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: alg.exe (PID: 2872) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: wuauclt.exe (PID: 3664) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: RootRepeal.exe (PID: 2992) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACypylcpaibh.dll]

Process: Iexplore.exe (PID: 2792) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAConevjkvotk.dll]

Process: WLLoginProxy.exe (PID: 1924) Address: 0x10000000 Size: 49152

==EOF==

Please let me know how to find and remove UCA....

Thanks, Oscar

Link to post
Share on other sites

Hi screen317,

I downloaded ComboFix using another computer and copied ComboFix to the infected computer's desktop. I double clicked on ComboFix and nothing happened. I rebooted in safe mode, double clicked on ComboFix and nothing happens.

Any suggestions on how to get these tools to start?

- Oscar

Link to post
Share on other sites

Hi Chris,

I renamed ComboFix to OscarFix and was able to start the program. ComboFix started as described and successfully downloaded the Microsoft Recovery Console. The problem begins when ComboFix starts the scanning of the computer files and XP crashes causing a reboot. I tried starting XP in safe mode and received the same results.

Any suggestions is greatly appreciated.

Thanks, Oscar

Link to post
Share on other sites

  • Staff

Hi Oscar,

We need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll | C:\WINDOWS\system32\eventlog.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Next, try running ComboFix.

-screen317

Link to post
Share on other sites

Chris,

Here is the log from Avenger:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Error: could not open file "C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll" for move operation

File move operation "C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Completed script processing.

*******************

Finished! Terminate.

I did a search and eventlog.dll was found in the following locations:

C:\WINDOWS\system32\

C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\

ComboFix started fine but during the scan I got the blue screen.

- Oscar

Link to post
Share on other sites

  • Staff

Thanks for letting me know.

Let's try that again.

We need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll | C:\WINDOWS\system32\eventlog.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Next, try running ComboFix.

-screen317

Link to post
Share on other sites

Chris,

This is the log from Avenger2, Combofix still crashes the PC with blue screen dump.

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Link to post
Share on other sites

  • Staff

Hi Oscar,

ComboFix was just updated. Could you grab a fresh copy for me and try again please?

As a side note, would this virus somehow dissable my wireless connection? I no longer have wireless and can not see it in device manager. The LAN hardwired connection works fine. The notebook is a HP Pavillion DV6000.
Are you in Safe Mode with Networking or in Normal Mode?

-screen317

Link to post
Share on other sites

Hi Oscar,

ComboFix was just updated. Could you grab a fresh copy for me and try again please?

Are you in Safe Mode with Networking or in Normal Mode?

-screen317

Normal Mode, I think it may be a HP issue. I found posts about others having the same wireless problems with the HP DV6000.

New version of ComboFix worked after renameming the file.

See uploaded file for results.

I just started MalwareBytes and will post log when completed.

Thank you, Oscar

ComboFix.txt

Link to post
Share on other sites

Here is the HJthis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:18:16 AM, on 9/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')

O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop

O15 - Trusted Zone: http://www.adobe.com

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 6166 bytes

Link to post
Share on other sites

  • Staff

Hi Oscar,

Normal Mode, I think it may be a HP issue. I found posts about others having the same wireless problems with the HP DV6000.
You may wish to contact HP regarding that issue then (sort of funny, I have the same laptop >_< ).
What is the best way to check/clean the removable drives like memory sticks?
With an antivirus, which I do not see installed.

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

avast!

AntiVir

AVG

When you have it installed, plug in all removable media and run a full scan with the antivirus you selected.

After that, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

Hi Chris,

I had AVG installed but would not update, hence the issues with access to any of the security sites. I removed AVG during one of the tools we were trying to run. All seems to be normal except for the wireless card. I will try to get an external card that I can plug into the notebook.

Thanks for all you help and have a great weekend, Oscar

------------------------------------------------------------------------------------------------------

These are the reports you requested.

Scanning Report

Friday, September 4, 2009 09:13:08 - 10:03:43

Computer name: EBRUTUS

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\

--------------------------------------------------------------------------------

18 malware found

TrackingCookie.Questionmarket (spyware)

System (Disinfected)

TrackingCookie.Adinterax (spyware)

System (Disinfected)

TrackingCookie.2o7 (spyware)

System (Disinfected)

TrackingCookie.Advertising (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

TrackingCookie.Adtech (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.Specificclick (spyware)

System (Disinfected)

TrackingCookie.Adrevolver (spyware)

System (Disinfected)

TrackingCookie.Adbrite (spyware)

System (Disinfected)

TrackingCookie.Xiti (spyware)

System (Disinfected)

TrackingCookie.Mediaplex (spyware)

System (Disinfected)

TrackingCookie.Tradedoubler (spyware)

System (Disinfected)

TrackingCookie.Statcounter (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

TrackingCookie.Imrworldwide (spyware)

System (Disinfected)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 45570

System: 3477

Not scanned: 6

Actions:

Disinfected: 18

Renamed: 0

Deleted: 0

Not cleaned: 0

Submitted: 0

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------

Results of screen317's Security Check version 0.98.9

Windows XP Service Pack 2

Out of date service pack!!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

Antivirus up to date!

``````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Adobe Flash Player 10

Adobe Reader 7.1.0

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Link to post
Share on other sites

  • Staff

Hi Oscar,

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Adobe Reader 7.1.0

Restart your computer.

Get the latest version of Adobe Reader.

Next, it is absolutely essential that you upgrade to Windows XP Service Pack 3. Service Pack 2, which is what you currently have, has vulnerabilities that leave you wide open for re-infection. To upgrade, please visit Windows Update and download all critical updates.

Let me know if the update was successful.

-screen317

Link to post
Share on other sites

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.