SystemSecure has my machine


Greetings,

Yes, I've got the dreaded SystemSecure on my machine. I've tried to run pretty much everything that's been listed on this site with no success. Either it shuts down, or reboots my machine. Any help would be welcome.

For info purposes, I'm running XP Pro SP3 on a RAID 5 array (three 500 GB drives), and have pretty much downloaded every tool that I've read posted on this site.

Tell me where to begin, what to post, and I'll get on it.

Thank you in advance!

Please help me, guys. I've got all the software loaded on my machine, and it appears that you all have a good grasp of what to remove based on the logs posted. If I can run an app and get you a log, can you please start me in the right direction for cleaning up my machine?

What should I run, and what should I post?

Please help in any way you can!

Here is the report I received when I ran this on the 22nd:

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-04 03:56:48 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 60928 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Cannot access: C:\WINDOWS\Temp\History\History.IE5\desktop.ini

Attempting to restore permissions of : C:\WINDOWS\Temp\History\History.IE5\desktop.ini

[1] 2007-04-16 15:39:37 227 C:\WINDOWS\assembly\Desktop.ini ()

[1] 2001-08-23 08:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2007-04-15 18:26:39 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2007-04-15 18:27:13 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2007-04-15 18:26:39 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2007-04-15 18:26:59 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2007-04-15 18:26:59 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6L8789SD\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IHE3KBKD\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ONCHO9CL\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UVSRWVC9\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2007-04-15 18:26:41 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2007-04-15 18:27:34 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2007-04-15 18:27:34 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2007-04-15 18:27:34 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2007-04-15 18:27:34 206 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2007-04-15 18:27:34 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2001-08-23 08:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2001-08-23 08:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()

[1] 2009-08-12 21:14:42 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini ()

[1] 2009-08-12 21:14:41 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\01234567\desktop.ini ()

[1] 2009-08-12 21:14:41 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G9EJG1M3\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WPA3KHY3\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Z9J23VNX\desktop.ini ()

Cannot access: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\01234567\desktop.ini

Attempting to restore permissions of : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\01234567\desktop.ini

[1] 2007-04-16 15:39:37 227 C:\WINDOWS\assembly\Desktop.ini ()

[1] 2001-08-23 08:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2007-04-15 18:26:39 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2007-04-15 18:27:13 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2007-04-15 18:26:39 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2007-04-15 18:26:59 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2007-04-15 18:26:59 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6L8789SD\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IHE3KBKD\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ONCHO9CL\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UVSRWVC9\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2007-04-15 18:26:41 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2007-04-15 18:27:34 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2007-04-15 18:27:34 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2007-04-15 18:27:34 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2007-04-15 18:27:34 206 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2007-04-15 18:27:34 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2001-08-23 08:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2001-08-23 08:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()

[1] 2009-08-12 21:14:42 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini ()

[1] 2009-08-12 21:14:41 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\01234567\desktop.ini ()

[1] 2009-08-12 21:14:41 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G9EJG1M3\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WPA3KHY3\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Z9J23VNX\desktop.ini ()

Cannot access: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini

Attempting to restore permissions of : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini

[1] 2007-04-16 15:39:37 227 C:\WINDOWS\assembly\Desktop.ini ()

[1] 2001-08-23 08:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2007-04-15 18:26:39 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2007-04-15 18:27:13 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2007-04-15 18:26:39 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2007-04-15 18:26:59 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2007-04-15 18:26:59 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6L8789SD\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IHE3KBKD\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ONCHO9CL\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UVSRWVC9\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2007-04-15 18:26:41 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2007-04-15 18:27:34 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2007-04-15 18:27:34 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2007-04-15 18:27:34 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2007-04-15 18:27:34 206 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2007-04-15 18:27:34 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2001-08-23 08:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2001-08-23 08:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()

[1] 2009-08-12 21:14:42 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini ()

[1] 2009-08-12 21:14:41 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\01234567\desktop.ini ()

[1] 2009-08-12 21:14:41 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G9EJG1M3\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WPA3KHY3\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Z9J23VNX\desktop.ini ()

Cannot access: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G9EJG1M3\desktop.ini

Attempting to restore permissions of : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G9EJG1M3\desktop.ini

[1] 2007-04-16 15:39:37 227 C:\WINDOWS\assembly\Desktop.ini ()

[1] 2001-08-23 08:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2007-04-15 18:26:39 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2007-04-15 18:27:13 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2007-04-15 18:26:39 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2007-04-15 18:26:59 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2007-04-15 18:26:59 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6L8789SD\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IHE3KBKD\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ONCHO9CL\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UVSRWVC9\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2007-04-15 18:26:41 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2007-04-15 18:27:34 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2007-04-15 18:27:34 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2007-04-15 18:27:34 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2007-04-15 18:27:34 206 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2007-04-15 18:27:34 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2001-08-23 08:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2001-08-23 08:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()

[1] 2009-08-12 21:14:42 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini ()

[1] 2009-08-12 21:14:41 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\01234567\desktop.ini ()

[1] 2009-08-12 21:14:41 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G9EJG1M3\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WPA3KHY3\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Z9J23VNX\desktop.ini ()

Cannot access: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WPA3KHY3\desktop.ini

Attempting to restore permissions of : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WPA3KHY3\desktop.ini

[1] 2007-04-16 15:39:37 227 C:\WINDOWS\assembly\Desktop.ini ()

[1] 2001-08-23 08:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2007-04-15 18:26:39 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2007-04-15 18:27:13 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2007-04-15 18:26:39 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2007-04-15 18:26:59 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2007-04-15 18:26:59 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6L8789SD\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IHE3KBKD\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ONCHO9CL\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UVSRWVC9\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2007-04-15 18:26:41 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2007-04-15 18:27:34 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2007-04-15 18:27:34 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2007-04-15 18:27:34 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2007-04-15 18:27:34 206 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2007-04-15 18:27:34 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2001-08-23 08:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2001-08-23 08:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()

[1] 2009-08-12 21:14:42 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini ()

[1] 2009-08-12 21:14:41 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\01234567\desktop.ini ()

[1] 2009-08-12 21:14:41 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G9EJG1M3\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WPA3KHY3\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Z9J23VNX\desktop.ini ()

Cannot access: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Z9J23VNX\desktop.ini

Attempting to restore permissions of : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Z9J23VNX\desktop.ini

[1] 2007-04-16 15:39:37 227 C:\WINDOWS\assembly\Desktop.ini ()

[1] 2001-08-23 08:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2007-04-15 18:26:39 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2007-04-15 18:27:13 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2007-04-15 18:26:39 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2007-04-15 18:26:59 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2007-04-15 18:26:59 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6L8789SD\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IHE3KBKD\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ONCHO9CL\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UVSRWVC9\desktop.ini ()

[1] 2007-04-15 18:26:59 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2007-04-15 18:26:41 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2007-04-15 09:25:22 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2007-04-15 18:27:34 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2007-04-15 18:27:34 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2007-04-15 18:27:34 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2007-04-15 18:27:34 206 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2007-04-15 18:27:34 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2001-08-23 08:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2001-08-23 08:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()

[1] 2009-08-12 21:14:42 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini ()

[1] 2009-08-12 21:14:41 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\01234567\desktop.ini ()

[1] 2009-08-12 21:14:41 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G9EJG1M3\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WPA3KHY3\desktop.ini ()

[1] 2009-08-12 21:14:42 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Z9J23VNX\desktop.ini ()

Finished!

And the report I got just now:

Log file is located at: C:\Documents and Settings\xXx\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\ERDNT\ERDNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ERDNT\ERDNT

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\security\logs\logs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\K5ETWMWU\K5ETWMWU

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\K5ETWMWU\K5ETWMWU

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\D65L77ET\D65L77ET

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\D65L77ET\D65L77ET

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\LogFiles\LogFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\LogFiles\LogFiles

Found mount point : C:\WINDOWS\Temp\IXP001.TMP\IXP001.TMP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\IXP001.TMP\IXP001.TMP

Finished!
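A small triage script, added here as an example (it is not part of the thread and not Win32kDiag's own code), that parses a log in the layout posted above and flags the three things the helpers read off it by eye: a reparse point whose target is not a volume, a system file with no company name whose size matches none of its service-pack reference copies, and a same-size neighbour under a different name (the renamed original). The excerpt it runs on is constructed from values in the log above.

```python
import re
import ntpath

# Constructed excerpt in the layout of the Win32kDiag output posted above
# (values copied from that log; this is not the tool's own output file).
SAMPLE_LOG = r"""
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\security\logs\logs
Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 62976 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Cannot access: C:\WINDOWS\Temp\HPSLPSVC0005.log
[1] 2009-08-28 22:00:00 2389 C:\WINDOWS\Temp\HPSLPSVC0005.log ()
Finished!
"""

# "[n] date time size path (company)" lines listed under a "Cannot access" entry.
CANDIDATE_RE = re.compile(
    r'^\[(?P<n>\d+)\] (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<size>\d+) (?P<path>.+?) \((?P<company>.*)\)$')
# Reparse targets that point at a real volume; anything else is suspect.
VOLUME_TARGET_RE = re.compile(r'^(\\\?\?\\|\\Device\\HarddiskVolume\d+)', re.IGNORECASE)


def parse_log(text):
    """Return (mount_points, groups): [(source, target)] and
    {inaccessible path: [candidate dicts listed under it]}."""
    mounts, groups, current, pending = [], {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('Found mount point : '):
            pending = line[len('Found mount point : '):]
        elif line.startswith('Mount point destination : ') and pending:
            mounts.append((pending, line[len('Mount point destination : '):]))
            pending = None
        elif line.startswith('Cannot access: '):
            current = line[len('Cannot access: '):]
            groups[current] = []
        else:
            m = CANDIDATE_RE.match(line)
            if m and current is not None:
                groups[current].append({'size': int(m['size']), 'path': m['path'],
                                        'company': m['company']})
    return mounts, groups


def triage(text):
    """Return [(kind, path, reason)] for the three patterns visible in the posted logs."""
    mounts, groups = parse_log(text)
    findings = []
    for src, dst in mounts:
        if not VOLUME_TARGET_RE.match(dst):
            findings.append(('mount-point', src, 'reparse target %r is not a volume' % dst))
    for target, cands in groups.items():
        mine = [c for c in cands if c['path'].lower() == target.lower()]
        name = ntpath.basename(target).lower()
        folder = ntpath.dirname(target).lower()
        # Other copies of the same file name (service-pack cache, uninstall backup).
        refs = [c for c in cands if c['path'].lower() != target.lower()
                and ntpath.basename(c['path']).lower() == name]
        if not mine or not refs:
            continue  # e.g. a lone log file: nothing to compare against
        me = mine[0]
        ref_sizes = {c['size'] for c in refs if c['company']}
        if not me['company'] and me['size'] not in ref_sizes:
            findings.append(('replaced-file', target,
                             'no company name and size %d matches no reference copy %s'
                             % (me['size'], sorted(ref_sizes))))
        # Same folder, different name, size equal to a reference copy: the
        # genuine file that was renamed out of the way.
        for c in cands:
            if (ntpath.dirname(c['path']).lower() == folder
                    and ntpath.basename(c['path']).lower() != name
                    and c['size'] in ref_sizes):
                findings.append(('displaced-original', c['path'],
                                 'same size as a reference copy of %s' % name))
    return findings


if __name__ == '__main__':
    for kind, path, why in triage(SAMPLE_LOG):
        print(kind, path, why)
```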

  • Staff

Hi,

We need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it and pressing (<Control> + C), or by right-clicking and selecting "Copy".
    Files to move:
    C:\WINDOWS\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

Thank you for your help so far. I finally got Avenger to post a report:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\WINDOWS\ServicePackFiles\i386\eventlog.dll" not found!

File move operation "C:\WINDOWS\ServicePackFiles\i386\eventlog.dll|c:\WINDOWS\system32\eventlog.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

I also ran another Win32kDiag:

Log file is located at: C:\Documents and Settings\xXx\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\ERDNT\ERDNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\K5ETWMWU\K5ETWMWU

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\D65L77ET\D65L77ET

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\LogFiles\LogFiles

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\Temp\HPSLPSVC0005.log

[1] 2009-08-28 22:00:00 2389 C:\WINDOWS\Temp\HPSLPSVC0005.log ()

Found mount point : C:\WINDOWS\Temp\IXP001.TMP\IXP001.TMP

Mount point destination : \Device\__max++>\^

Finished!

I could not get ComboFix to run; I tried more than three times, and each time it blue-screened my machine. This would happen within 25 seconds of the scan starting.

  • Staff

Let's run Avenger once more.

  1. Copy the text in the following codebox by selecting all of it and pressing (<Control> + C), or by right-clicking and selecting "Copy".
    Files to move:
    C:\WINDOWS\system32\logevent.dll| C:\WINDOWS\system32\eventlog.dll


  2. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  3. Read the prompt that appears, and press OK.
  4. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  5. Press the "Execute" button.
  6. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  7. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Completed:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

  • Staff

That is very good.

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

@Win32kDiag -F -R
del %0

Save this as fix.bat. Choose to "Save type as - All Files".

It should look like this: bat_icon.gif

## IMPORTANT ## Place fix.bat next to Win32kDiag.exe

Double click on fix.bat & allow it to run

Post back to tell me what it says

---------------

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

I did as you specified; it ran, deleting itself in the process, and the DOS box stated that everything ran successfully. I didn't get the exact words, but I can run it again if you'd like to get that.

I followed the steps to ensure that I had no antivirus running on my machine before downloading and running ComboFix. It crashed my machine again, and left me no report.

Oh! Yes it did:

Log file is located at: C:\Documents and Settings\xXx\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\K5ETWMWU\K5ETWMWU

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\K5ETWMWU\K5ETWMWU

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\D65L77ET\D65L77ET

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\D65L77ET\D65L77ET

Cannot access: C:\WINDOWS\Temp\HPSLPSVC0001.log

Attempting to restore permissions of : C:\WINDOWS\Temp\HPSLPSVC0001.log

[1] 2009-08-29 16:18:16 2503 C:\WINDOWS\Temp\HPSLPSVC0001.log ()

Found mount point : C:\WINDOWS\Temp\IXP001.TMP\IXP001.TMP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\IXP001.TMP\IXP001.TMP

Finished!

Yes, brand new copy, crashed while running the scan.

Also, I've been having to transfer everything by flash drive because the virus/malware has disabled my browser, or somehow is partially blocking my internet connection. I can ping sites (like google.com) but not browse. Any ideas?


Mbam runs, but will no longer update (luckily I updated recently).

It reports 2 registry items in quick scan, but never seems to remove them. Here's the report:

Malwarebytes' Anti-Malware 1.40

Database version: 2710

Windows 5.1.2600 Service Pack 3

8/29/2009 11:31:35 PM

mbam-log-2009-08-29 (23-31-35).txt

Scan type: Quick Scan

Objects scanned: 87697

Time elapsed: 4 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

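The two Hijack.WindowsUpdates lines above show the pattern worth recognising: the service's ImagePath was rewritten from `%SystemRoot%` to the look-alike `%fystemroot%`, an environment variable Windows never defines, so the path stays unexpanded and the Windows Update and BITS services can no longer start. The following is an added example (written for this page, not Malwarebytes' code and not something the poster ran) that flags ImagePath values referencing undefined variables, suggests the closest real variable name, and confirms that an `-k <group>` service really resolves to svchost.exe under system32. The environment-variable table and the sample service entries are constructed for the example; the two bad values are copied from the report above.

```python
import re
import difflib

# Baseline of variables the service control manager is expected to expand in an
# ImagePath value, with the expansions used on this machine. Constructed for the
# example; it is not an exhaustive list of Windows environment variables.
KNOWN_ENV_VARS = {
    "SystemRoot": r"C:\WINDOWS",
    "windir": r"C:\WINDOWS",
    "SystemDrive": "C:",
    "ProgramFiles": r"C:\Program Files",
}
_UPPER = {name.upper(): name for name in KNOWN_ENV_VARS}  # case-insensitive lookup

ENV_REF = re.compile(r"%([^%]+)%")

# Constructed sample: the two hijacked values from the MBAM report plus two clean
# controls, keyed by service name as they would appear under
# HKLM\System\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = {
    "wuauserv": r"%fystemroot%\system32\svchost.exe -k netsvcs",
    "BITS": r"%fystemRoot%\System32\svchost.exe -k netsvcs",
    "EventLog": r"%SystemRoot%\System32\svchost.exe -k LocalService",
    "Spooler": r"C:\WINDOWS\system32\spoolsv.exe",
}


def check_image_path(service, image_path):
    """Return one finding string per undefined %variable% in the ImagePath."""
    findings = []
    for var in ENV_REF.findall(image_path):
        if var.upper() in _UPPER:
            continue
        # An undefined variable is left unexpanded, so the binary path is invalid
        # and the service fails to start; a near-miss name points at tampering.
        guess = difflib.get_close_matches(var.upper(), list(_UPPER), n=1)
        hint = f" (looks like %{_UPPER[guess[0]]}%)" if guess else ""
        findings.append(f"{service}: undefined variable %{var}% in ImagePath{hint}")
    return findings


def expand(image_path):
    """Expand known variables the way the SCM would; unknown ones stay literal."""
    def repl(m):
        name = _UPPER.get(m.group(1).upper())
        return KNOWN_ENV_VARS[name] if name else m.group(0)
    return ENV_REF.sub(repl, image_path)


def repair_image_path(image_path):
    """Rewrite look-alike variable names to the closest real variable name."""
    def repl(m):
        var = m.group(1)
        if var.upper() in _UPPER:
            return f"%{_UPPER[var.upper()]}%"  # keep the canonical spelling
        guess = difflib.get_close_matches(var.upper(), list(_UPPER), n=1)
        return f"%{_UPPER[guess[0]]}%" if guess else m.group(0)
    return ENV_REF.sub(repl, image_path)


def hosted_by_real_svchost(image_path):
    """True when the launcher of a '-k <group>' service is system32\\svchost.exe."""
    exe = expand(image_path).split(" -k ")[0].strip().strip('"')
    return exe.lower() == r"c:\windows\system32\svchost.exe"


if __name__ == "__main__":
    for name, path in SAMPLE_SERVICES.items():
        for finding in check_image_path(name, path):
            print(finding)
            print(f"  suggested ImagePath: {repair_image_path(path)}")
        if " -k " in path and not hosted_by_real_svchost(path):
            print(f"{name}: -k service not launched from the real svchost.exe")
```

On a live system the same functions would be fed the REG_EXPAND_SZ values read from each service key; the suggested value is only a hint for the analyst, and the "Good:" value shown in a scanner's own report remains the reference to restore.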

  • Staff

MBAM's report looks pretty clean. You don't seem to have much malware in this machine. I'm a bit concerned about your being unable to update and ComboFix not running. I shall require some extra logs:

=================================

Downloads and Reports Required:

=================================

Before scanning, make sure all other running programs are closed

There shouldn't be any scheduled antivirus scans running while the scan is being performed.

Do not use your computer for anything else during the scan.

====

DDS:

====


Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

=====

GMER:

=====


Download GMER Rootkit Scanner from here or here.

  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...say NO.
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and uncheck the Show all box.
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

===========================

How the logs should be furnished:

===========================

Copy/Paste the contents of 'DDS.txt' to be posted as text to your post

The other two logs ...

* attach.txt

* gmer.txt

... should be zipped/archived before attaching to the post



As requested:

DDS:

DDS (Ver_09-07-30.01) - NTFSx86

Run by xXx at 13:08:55.50 on Sun 08/30/2009

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15

============== Running Processes ===============

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

uWinlogon: Shell=c:\recycler\s-1-5-21-9069486108-5653239274-086224103-4711\wnzip32.exe,explorer.exe,c:\recycler\s-1-5-21-2303105584-4757259529-846235293-3926\msimfo32.exe

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

uPolicies-system: disableregistrytools = 0

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

LSP: c:\windows\system32\winhelper.dll

DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176694849405

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} - file://e:\cdviewer\CdViewer.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\xxx\applic~1\mozilla\firefox\profiles\hb34jmmy.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.drjamez.com/genomex/forums/default.asp|http://gamingbungalow.com/forum/

FF - plugin: c:\program files\microsoft silverlight\npctrl.1.0.20926.0.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-08-30 00:58 <DIR> --ds---- C:\ComboFix

2009-08-30 00:58 389,120 a------- c:\windows\system32\CF7923.exe

2009-08-30 00:21 13,824 ac------ c:\windows\system32\dllcache\wscntfy.exe

2009-08-30 00:21 13,824 a------- c:\windows\system32\wscntfy.exe

2009-08-30 00:21 13,824 a------- c:\windows\system32\NEW_wscntfy.exe

2009-08-30 00:21 14,336 a------- c:\windows\system32\NEW_svchost.exe

2009-08-29 16:15 389,120 a------- c:\windows\system32\CF3648.exe

2009-08-28 22:39 389,120 a------- c:\windows\system32\CF26245.exe

2009-08-28 22:20 229,376 a------- c:\windows\PEV.exe

2009-08-28 22:20 161,792 a------- c:\windows\SWREG.exe

2009-08-28 22:20 98,816 a------- c:\windows\sed.exe

2009-08-28 22:20 389,120 a------- c:\windows\system32\CF22470.exe

2009-08-28 16:38 389,120 a------- c:\windows\system32\CF20989.exe

2009-08-28 16:33 389,120 a------- c:\windows\system32\CF20052.exe

2009-08-28 16:32 389,120 a------- c:\windows\system32\CF19650.exe

2009-08-27 19:40 <DIR> a-d----- c:\windows\system32\images

2009-08-22 19:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\F-Secure

2009-08-22 18:23 389,120 a------- c:\windows\system32\CF19884.exe

2009-08-22 18:19 <DIR> --d----- c:\program files\FileASSASSIN

2009-08-22 18:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware1

2009-08-22 16:51 389,120 a------- c:\windows\system32\CF1789.exe

2009-08-22 16:50 389,120 a------- c:\windows\system32\CF1515.exe

2009-08-22 16:40 <DIR> a-dshr-- C:\cmdcons

2009-08-22 16:38 389,120 a------- c:\windows\system32\CF31612.exe

2009-08-22 16:10 <DIR> --d----- C:\ProfileClone-Temp

2009-08-22 16:09 <DIR> --d----- c:\program files\EasySuite

2009-08-16 17:45 <DIR> --d----- c:\program files\CCleaner

2009-08-16 17:37 0 a------- c:\windows\system.ini

2009-08-16 17:36 215 a------- c:\windows\system.ini.ini

2009-08-16 17:12 <DIR> --d----- c:\program files\Trend Micro

2009-08-16 14:24 0 a------- c:\windows\~system.ini

2009-08-16 14:22 <DIR> --d----- c:\windows\pss

2009-08-16 12:28 55,656 a------- c:\windows\system32\drivers\avgntflt.sys

2009-08-16 12:27 <DIR> --dsh--- c:\windows\Installer

2009-08-12 21:32 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}

2009-08-12 21:24 <DIR> --d----- c:\docume~1\xxx\applic~1\Malwarebytes

2009-08-12 21:24 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-12 21:24 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-08-12 21:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-08-12 21:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll

2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll

2009-06-26 12:50 81,920 -------- c:\windows\system32\ieencode.dll

2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll

2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll

2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 13:10:26.78 ===============

Attach.rar

gmer.rar

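The most telling line in the DDS report above is `uWinlogon: Shell=`: Winlogon accepts a comma-separated list of programs as the shell, and here two executables living under `c:\recycler\` in folders named like SIDs are started alongside explorer.exe. Those folder names are not even valid SIDs (a sub-authority is an unsigned 32-bit value, so 9069486108 and 4757259529 are out of range, and 086224103 has a leading zero no real SID string carries). The following is an added example, not part of the post and not DDS code, that triages such report lines: it flags every shell entry other than explorer.exe, checks recycler folder names against the SID format, and lists LSP entries for manual verification. The sample lines are constructed from the report above; the assumption that the `u` prefix denotes a per-user (HKCU) Winlogon override, which a clean profile normally does not have, is the author's reading of DDS output.

```python
import re

# Constructed sample of DDS "Pseudo HJT Report" lines, taken from the post above
# (the mRun line is a benign control that should produce no finding).
SAMPLE_DDS = r"""
uWinlogon: Shell=c:\recycler\s-1-5-21-9069486108-5653239274-086224103-4711\wnzip32.exe,explorer.exe,c:\recycler\s-1-5-21-2303105584-4757259529-846235293-3926\msimfo32.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
LSP: c:\windows\system32\winhelper.dll
""".strip().splitlines()

# Domain/machine SID shape: S-1-5-21-<auth1>-<auth2>-<auth3>-<rid>
SID_RE = re.compile(r"^s-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$", re.IGNORECASE)
# Folder directly under a recycler directory, e.g. c:\recycler\<name>\file.exe
RECYCLER_RE = re.compile(r"\\recycler\\([^\\]+)\\", re.IGNORECASE)


def sid_is_plausible(sid):
    """True if the string is a well-formed machine/domain SID."""
    m = SID_RE.match(sid)
    if not m:
        return False
    # Every sub-authority fits in 32 bits and is written without leading zeros.
    return all(int(p) <= 0xFFFFFFFF and p == str(int(p)) for p in m.groups())


def triage_winlogon_shell(value):
    """Flag every shell entry that is not explorer.exe, plus bogus recycler SIDs."""
    findings = []
    for entry in (e.strip() for e in value.split(",")):
        if entry.lower() == "explorer.exe":
            continue
        findings.append(f"extra Winlogon shell entry: {entry}")
        m = RECYCLER_RE.search(entry)
        if m and not sid_is_plausible(m.group(1)):
            findings.append(f"recycler folder name is not a valid SID: {m.group(1)}")
    return findings


def triage(lines):
    """Run the checks over DDS pseudo-HJT lines and return finding strings."""
    findings = []
    for line in lines:
        if line.lower().startswith("uwinlogon: shell="):
            findings.extend(triage_winlogon_shell(line.split("=", 1)[1]))
        elif line.startswith("LSP:"):
            # A layered service provider sees all Winsock traffic; verify the DLL.
            findings.append(f"LSP entry present, verify the DLL: {line[4:].strip()}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding)
```

The SID format check is the part worth keeping in a toolbox: legitimate recycler subfolders are named after the owning account's SID, so a name that cannot be a SID is a strong signal on its own, independent of any signature for the files inside.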

  • Staff

Hi Blackadder,

Run GMER again.

Right click this entry:

Service C:\WINDOWS\system32\drivers\kbiwkmwruxoymq.sys (*** hidden *** )

Click Disable Service. Answer yes to any prompts. Click Delete Service and answer yes to any prompts. Click Kill File and press yes to any prompts.

Delete your copy of ComboFix, download it, save it to your Desktop, then try running it.

-screen317


I did as you asked, but it doesn't seem to be to any benefit. I ran GMER, but there was no ability to select kill file after I disabled the service. I ran it twice just to make sure, with a reboot in between.

I deleted my copy of ComboFix, downloaded a new one, ran it on the infected machine and it still blue-screened me during the scan.

The BSOD stated that it was there because something tried to write to read-only memory, just in case that helps.

Also just in case it helps, I am getting a lovely little shield symbol that is stating that my firewall is off and I should click it for help to resolve it. I didn't do this, and checked the firewall directly and it is, in fact, enabled. But it might help you to know what I'm seeing.

I'm still not being able to browse the internet.


  • Staff

Hi,

Restart your computer, except instead of selecting your Windows version, select the Windows Recovery Console.

You will be presented with a command line.

Enter this command exactly as shown.

DISABLE kbiwkmhyvbltob

Press Enter.

Enter this command:

Exit

Press Enter and your computer should restart. Attempt to run ComboFix and MBAM now.

-screen317


When I reboot and hit F8 and attempt to do that, I am given the choice between Windows XP, or the Recovery Console.

When I choose the Recovery Console, I am not met with a command prompt, just a blinking cursor and no typing ability.

I can ctrl-alt-del to restart, but that's it.

Should I use the XP install disk to get to the Recovery Console, or should this be a feature I should be able to use without it?


Hello! Thank you, I finally got ComboFix to run:

ComboFix 09-08-30.01 - xXx 09/02/2009 22:20.1.2 - NTFSx86

Running from: c:\documents and settings\xXx\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}

c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1077

c:\recycler\S-1-5-21-2303105584-4757259529-846235293-3926

c:\recycler\S-1-5-21-9069486108-5653239274-086224103-4711

c:\windows\Install.txt

c:\windows\system32\2222.exe

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk

c:\windows\system32\drivers\kbiwkmwruxoymq.sys

c:\windows\system32\drivers\kbiwkmwwbwhyen.sys

c:\windows\system32\drivers\Sonyhcp.dll

c:\windows\system32\images

c:\windows\system32\images\i1.gif

c:\windows\system32\images\i2.gif

c:\windows\system32\images\i3.gif

c:\windows\system32\images\j1.gif

c:\windows\system32\images\j2.gif

c:\windows\system32\images\j3.gif

c:\windows\system32\images\jj1.gif

c:\windows\system32\images\jj2.gif

c:\windows\system32\images\jj3.gif

c:\windows\system32\images\l1.gif

c:\windows\system32\images\l2.gif

c:\windows\system32\images\l3.gif

c:\windows\system32\images\pix.gif

c:\windows\system32\images\t1.gif

c:\windows\system32\images\t2.gif

c:\windows\system32\images\up1.gif

c:\windows\system32\images\up2.gif

c:\windows\system32\images\w1.gif

c:\windows\system32\images\w11.gif

c:\windows\system32\images\w2.gif

c:\windows\system32\images\w3.gif

c:\windows\system32\images\w3.jpg

c:\windows\system32\images\wt1.gif

c:\windows\system32\images\wt2.gif

c:\windows\system32\images\wt3.gif

c:\windows\system32\Install.txt

c:\windows\system32\kbiwkmadmxthor.dll

c:\windows\system32\kbiwkmdkmoydrm.dat

c:\windows\system32\kbiwkmentipuft.dll

c:\windows\system32\kbiwkmidxbjgoi.dat

c:\windows\system32\kbiwkmjvbwwxis.dat

c:\windows\system32\kbiwkmkrxmpfux.dll

c:\windows\system32\kbiwkmlrgskpma.dll

c:\windows\system32\kbiwkmmqxvmput.dll

c:\windows\system32\kbiwkmqpqjpbcw.dat

c:\windows\system32\kbiwkmswexvkbo.dll

c:\windows\system32\kbiwkmtnxgboib.dat

c:\windows\system32\kbiwkmvirdsvvt.dll

c:\windows\system32\kbiwkmvrtqibci.dll

c:\windows\system32\mdm.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6to4

-------\Legacy_kbiwkmhyvbltob

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0cdb-4405-9dbf-1257bb3226ee}

-------\Service_kbiwkmhyvbltob

((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))

.

2012-02-16 01:11 . 2009-09-01 02:23 -------- d-----w- C:\Movie

2009-08-31 23:29 . 2009-08-31 23:29 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll

2009-08-31 23:23 . 2009-08-31 23:23 -------- d-----w- c:\windows\ERUNT

2009-08-31 23:19 . 2009-09-01 01:40 -------- d-----w- C:\SDFix

2009-08-31 23:01 . 2009-08-31 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-30 04:21 . 2008-04-14 00:12 13824 ----a-w- c:\windows\system32\NEW_wscntfy.exe

2009-08-30 04:21 . 2008-04-14 00:12 13824 -c--a-w- c:\windows\system32\dllcache\wscntfy.exe

2009-08-30 04:21 . 2008-04-14 00:12 13824 ----a-w- c:\windows\system32\wscntfy.exe

2009-08-30 04:21 . 2008-04-14 00:12 14336 ----a-w- c:\windows\system32\NEW_svchost.exe

2009-08-22 23:21 . 2009-08-22 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2009-08-22 22:17 . 2009-08-30 04:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware1

2009-08-22 20:10 . 2009-08-22 20:10 -------- d-----w- C:\ProfileClone-Temp

2009-08-22 20:09 . 2009-08-22 20:09 -------- d-----w- c:\program files\EasySuite

2009-08-16 16:28 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-16 16:27 . 2009-08-29 02:38 -------- d-sh--w- c:\windows\Installer

2009-08-13 01:24 . 2009-08-13 01:24 -------- d-----w- c:\documents and settings\xXx\Application Data\Malwarebytes

2009-08-13 01:24 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-13 01:24 . 2009-08-22 20:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-13 01:24 . 2009-08-13 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-13 01:24 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-06 02:10 . 2009-08-06 02:10 152576 ----a-w- c:\documents and settings\xXx\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-16 21:49 . 2009-02-18 05:42 -------- d-----w- c:\program files\Essentials Codec Pack

2009-08-10 23:34 . 2007-04-16 20:36 -------- d-----w- c:\program files\City of Heroes

2009-08-06 02:13 . 2008-01-03 02:35 -------- d-----w- c:\program files\Java

2009-08-05 09:01 . 2001-08-23 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-27 12:59 . 2009-05-10 13:53 -------- d-----w- c:\documents and settings\xXx\Application Data\HPAppData

2009-07-25 09:23 . 2008-11-22 20:21 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-22 00:36 . 2009-01-24 14:26 -------- d-----w- c:\program files\iTunes

2009-07-22 00:35 . 2009-07-22 00:35 -------- d-----w- c:\program files\iPod

2009-07-22 00:35 . 2009-01-24 14:20 -------- d-----w- c:\program files\Common Files\Apple

2009-07-22 00:30 . 2009-07-22 00:30 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

2009-06-26 16:50 . 2004-01-08 19:23 666624 ----a-w- c:\windows\system32\wininet.dll

2009-06-26 16:50 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll

2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-13 02:54 . 2009-06-13 02:54 152576 ----a-w- c:\documents and settings\xXx\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source= c:\windows\Media\Desktops\Neuromancer.jpg

FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]

Source= c:\pics\T\DaCatTongue-desktop.jpg

FriendlyName=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\Stanza.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

.

------- Supplementary Scan -------

.

DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} - file://e:\cdviewer\CdViewer.cab

FF - ProfilePath - c:\documents and settings\xXx\Application Data\Mozilla\Firefox\Profiles\hb34jmmy.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.drjamez.com/genomex/forums/default.asp|http://gamingbungalow.com/forum/

FF - plugin: c:\program files\Microsoft Silverlight\npctrl.1.0.20926.0.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-02 22:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2352)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wscntfy.exe

c:\windows\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc\update\update.exe

.

**************************************************************************

.

Completion time: 2009-09-03 22:46 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-03 02:45

Pre-Run: 734,201,204,736 bytes free

Post-Run: 733,956,722,688 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

194 --- E O F --- 2009-07-30 04:17

So what do you think? And internet browsing has been restored.

