Malwarebytes

widly05

On September 19, 2009, my laptop got the Windows Police Pro. I've been reading through some websites but I can't fully remove police pro. Because of Police Pro, the startup menu and desktop don't appear (only the background picture is seen). The only way I can navigate my pc is through the task manager. I have deleted some of the components of Windows Police Pro, but I still need help.

From what I have found through websites, I saw that I should use Malwarebytes to remove Windows Police Pro. However, every time I open Malwarebytes, it only scans for a couple of seconds and then closes.

Please tell me how I can fix my computer.


Hello widly05,

You will have to see if you can start/run Windows Explorer from Task Manager. (new Task > Explorer.exe)

Otherwise, force a restart and tap F8 and select Safe Mode with Networking.

Most of the tools I ask you to get will need to be placed on Desktop. So you must get Explorer (Windows Explorer) to show.

Failing that, it will be an exceedingly tough task.

Do as much as possible of the following. But we must have some report to work with.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for member widly05 only. If you are a casual viewer, do NOT try this on your system!

If you are not widly05 and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Set Windows to show all files and all folders.

On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under the column Hidden files and folders, choose (select) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

=

Download Win32kDiag from any of the following locations and save it to your Desktop.

Click on Start button. Select Run, and copy-paste the following command (the bolded text) into the "Open" textbox, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

=

Next do this:

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

=

(With much thanks to Tetonbob at TSF, whose methods & verbiage I'm using here).

Download this tool and save it directly to your desktop - not a folder on the desktop - the commands are tailored for the desktop location.

Click Start>Run and

Copy then Paste the following bolded text into the Run box and click OK:

"%userprofile%\desktop\Inherit.exe" "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

Repeat for these files, or simply find the files and drag/drop them onto Inherit.exe. For any other files that give you an access denied message, you can do the same:

"%userprofile%\desktop\Inherit.exe" "c:\WINDOWS\system32\wbem\wmiprvse.exe"

=

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds, http://download.bleepingcomputer.com/sUBs/dds.scr or http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then RIGHT click dds.scr and select "Run as Administrator" to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.

Please include the following logs in your next reply:

the Win32kdiag.txt log

MBAM scan log

DDS.txt

Attach.txt


Because I have no desktop, I must run everything through Task Manager. I was able to place Win32kDiag, Inherit.exe, and DDS on my desktop. However, even after I added Malwarebytes and DDS to Inherit, both Malwarebytes and DDS would not open. So at this point, the only log I have now is the Win32kDiag one, and ERUNT has backed up my registry.

Win32Kdiag Log:

Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\explorer.exe

[1] 2004-08-04 08:00:00 1032192 C:\WINDOWS\explorer.exe ()

[1] 2004-08-04 08:00:00 1032192 C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\explorer.exe (Microsoft Corporation)

[1] 2004-08-04 08:00:00 1032192 C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\explorer.exe (Microsoft Corporation)

[1] 2004-08-04 08:00:00 1032192 C:\WINDOWS\system32\dllcache\explorer.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 08:00:00 55808 C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 08:00:00 55808 C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 08:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\Temp\IntelChip\IntelChip

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\WPDNSE\WPDNSE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!

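Added example, not part of this thread and not Win32kDiag's own code: a small Python triage script that reads Win32kDiag output in the format of the log above and pulls out the two things a helper reads from it. Every mount point in that log resolves to the same unusual \Device\__max++>\^ target instead of a normal \??\Volume{...} path, so the script flags any junction whose destination is not a volume; and for each file the tool could not open, it compares the live copy's size with the dllcache/backup copies listed after it, which is how eventlog.dll (61952 bytes live against 55808 in dllcache) stands out as altered while explorer.exe merely could not have its version information read. The embedded sample log is a constructed excerpt in the same format; the volume-path heuristic and the verdict wording are assumptions of this example, not behaviour of the tool.

```python
"""Triage of Win32kDiag output: added example, not Win32kDiag's own code.

Flags (1) NTFS mount points whose destination is not a normal volume
path, and (2) files the tool could not open, comparing the live copy's
size against the dllcache/backup copies Win32kDiag lists after it.
The sample log is a constructed excerpt in the tool's output format.
"""
import re

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[1] 2004-08-04 08:00:00 55808 C:\...\eventlog.dll (Microsoft Corporation)"
COPY_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")
# Heuristic (assumption): a legitimate volume mount point resolves to \??\Volume{GUID}\
VOLUME_DEST_RE = re.compile(r"^\\\?\?\\Volume\{", re.IGNORECASE)
# Copies Windows keeps for file protection / updates, used as the reference size.
REFERENCE_RE = re.compile(r"\\(dllcache|backup)\\", re.IGNORECASE)

# Constructed sample in Win32kDiag's format (modelled on the log in this thread).
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\explorer.exe
[1] 2004-08-04 08:00:00 1032192 C:\WINDOWS\explorer.exe ()
[1] 2004-08-04 08:00:00 1032192 C:\WINDOWS\system32\dllcache\explorer.exe (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 08:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def verdict(live, reference_sizes):
    """Describe the live copy of an inaccessible file against its backup copies."""
    if live is None:
        return "live copy not listed: file may be missing or fully hidden"
    size, company = live
    if reference_sizes and size not in reference_sizes:
        return (f"size {size} differs from backup copy {reference_sizes[0]}: "
                "restore from dllcache")
    if not company:
        return "size matches backups but version info unreadable: verify hash"
    return "consistent with backup copies"


def triage(log_text):
    suspicious_mounts = []   # (junction path, destination)
    reports = {}             # inaccessible path -> {"live": (size, company) | None, "refs": [sizes]}
    pending_mount = None
    current_file = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := MOUNT_RE.match(line):
            pending_mount = m.group(1)
        elif m := DEST_RE.match(line):
            if pending_mount and not VOLUME_DEST_RE.match(m.group(1)):
                suspicious_mounts.append((pending_mount, m.group(1)))
            pending_mount = None
        elif m := CANNOT_RE.match(line):
            current_file = m.group(1)
            reports[current_file] = {"live": None, "refs": []}
        elif current_file and (m := COPY_RE.match(line)):
            size, path, company = int(m.group(2)), m.group(3), m.group(4)
            if basename(path) != basename(current_file):
                continue  # e.g. logevent.dll listed under eventlog.dll is a different file
            if path.lower() == current_file.lower():
                reports[current_file]["live"] = (size, company)
            elif REFERENCE_RE.search(path):
                reports[current_file]["refs"].append(size)
    verdicts = {path: verdict(r["live"], r["refs"]) for path, r in reports.items()}
    return {"suspicious_mounts": suspicious_mounts, "verdicts": verdicts}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for junction, dest in result["suspicious_mounts"]:
        print(f"junction {junction} -> {dest}")
    for path, text in result["verdicts"].items():
        print(f"{path}: {text}")
```

Run it against a saved Win32kDiag.txt by passing the file's contents to triage(); a junction list that is non-empty, or a verdict recommending a restore, is the cue to hand the log to someone who can act on it rather than to start deleting files.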

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not widly05 and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

There is one Windows DLL to be restored and more work to do.

Do NOT do any websurfing at all, of any kind ! Only go to this forum and websites I guide you to.

Do as much as possible of the following.

=

Start NOTEPAD and then copy and paste the codebox lines below into it.

Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.

@echo off
rem copy the clean copy of eventlog.dll from dllcache to the root of C:; The Avenger moves it into place on reboot
copy C:\WINDOWS\system32\dllcache\eventlog.dll c:\

Double-click on fixes.bat file to run it.

Next, Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll


  • In the Avenger window, click the Paste Script from Clipboard button.
  • ! Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

=

Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Next, Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Avenger.txt

and C:\Combofix.txt

Following that, Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Now, reply with copy of the MBAM scan log.


When I tried to run fixes.bat, the screen came up then closed after a couple of seconds. I was able to complete Avenger, and was able to clean out some temp files with ATF-Cleaner. When I got to Combo-Fix, it started deleting some files; but when Combo-Fix tried to reboot my computer (because now the only way to shut down my PC is to hold the power button), no log could be created. However, I did find a new file called "bug.txt" in my C: drive after completing Combo-Fix. Moreover, MBAM still says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item".

Here is the avenger log:

Logfile of The Avenger Version 2.0,


Do this one time, to attempt to clear blockage of MBAM:

Click Start button > select Run and

Copy then Paste the following bolded text exactly into the Run box and click OK:

"%userprofile%\desktop\Inherit.exe" "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

Do not run MBAM just yet.

Now, when Combofix runs, as part of its phases, it will reboot the system by itself. You need NOT do anything.

Just leave it on its own.

Redo the Combofix procedure to run Combofix one time. Double-click the red-lion Combo-fix icon on your desktop.

Answer the initial prompts, then let it run.

Have infinite patience.

If and only if it is truly stuck and you have waited at least 30 minutes, then reboot/restart the system.

=

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

=

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2845.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Reply with logs that you have gotten:

C:\Combofix.txt

Gmer.txt

MBAM scan log


I couldn't get Malwarebytes to work even after using Inherit.exe. When I use Inherit.exe, I get a box entitled "Finish" and a message that says "OK". However, MWB doesn't work. Here is the Combofix log:

ComboFix 09-09-22.02 - Administrator 09/23/2009 3:34.4.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.332 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_AVAST!ANTIVIRUS

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

-------\Service_avast!Antivirus

((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))

.

2009-09-22 21:58 . 2004-08-04 12:00 55808 ----a-w- C:\eventlog.dll

2009-09-22 16:41 . 2009-09-22 16:41 -------- d-----w- c:\program files\ERUNT

2009-09-20 23:24 . 2009-09-22 21:39 0 ----a-w- c:\windows\win32k.sys

2009-09-19 18:00 . 2009-09-19 18:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-19 18:00 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-19 18:00 . 2009-09-22 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-19 18:00 . 2009-09-19 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-19 18:00 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-19 04:04 . 2009-09-19 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\MicrosoftProvisioning

2009-09-19 04:01 . 2009-09-19 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Provisioning

2009-09-18 00:27 . 2009-09-18 00:27 18658 --sha-w- c:\windows\system32\bovenage.exe

2009-09-18 00:24 . 2009-09-18 00:24 2685 --sha-w- c:\windows\system32\fezahoyu.exe

2009-08-24 22:54 . 2009-08-24 22:54 -------- d-----w- c:\windows\ServicePackFiles

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-22 22:04 . 2004-08-04 12:00 182912 ----a-w- c:\windows\system32\drivers\ndis.sys

2009-09-22 21:58 . 2009-06-05 02:40 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-22 21:58 . 2009-06-05 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-19 14:53 . 2009-06-19 14:52 88576 --sha-w- c:\windows\system32\dovamewo.dll

2009-09-18 00:21 . 2005-01-20 07:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer

2009-09-17 11:27 . 2009-06-11 18:50 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-16 22:27 . 2009-06-05 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-16 21:08 . 2009-09-16 21:07 51200 ----a-w- C:\E.tmp

2009-09-16 21:08 . 2009-09-16 21:07 38 ----a-w- C:\10.tmp

2009-09-15 23:28 . 2009-09-15 23:28 38 ----a-w- C:\D.tmp

2009-09-13 22:32 . 2009-09-13 22:32 38 ----a-w- C:\9.tmp

2009-09-12 19:29 . 2009-09-12 19:29 38 ----a-w- C:\7.tmp

2009-09-11 22:22 . 2009-09-11 22:22 38 ----a-w- C:\5.tmp

2009-09-01 22:43 . 2009-09-01 22:43 38 ----a-w- C:\C.tmp

2009-09-01 22:14 . 2009-09-01 22:14 38 ----a-w- C:\A.tmp

2009-08-07 01:09 . 2009-06-13 08:54 -------- d-----w- c:\program files\Windows Media Connect 2

2009-08-06 11:20 . 2009-08-01 01:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Azureus

2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-01 01:10 . 2005-01-20 07:08 -------- d-----w- c:\program files\iTunes

2009-08-01 01:06 . 2009-08-01 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus

2009-08-01 01:03 . 2009-08-01 01:01 -------- d-----w- c:\program files\Vuze

2009-08-01 01:01 . 2009-08-01 01:01 -------- d-----w- c:\program files\Common Files\i4j_jres

2009-08-01 00:43 . 2009-08-01 00:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX

2009-08-01 00:33 . 2009-08-01 00:33 -------- d-----w- c:\program files\DivX

2009-08-01 00:33 . 2009-08-01 00:32 -------- d-----w- c:\program files\Common Files\DivX Shared

2009-07-30 11:13 . 2009-06-13 11:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Leawo

2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-25 18:36 . 2004-08-04 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll

2009-06-25 18:36 . 2004-08-04 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll

2009-06-25 18:36 . 2004-08-04 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll

2009-06-25 18:36 . 2004-08-04 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll

2009-06-25 18:36 . 2004-08-04 12:00 471552 ----a-w- c:\windows\system32\mqutil.dll

2009-06-25 18:36 . 2004-08-04 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll

2009-06-25 18:36 . 2004-08-04 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll

2009-06-25 18:36 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll

2009-06-25 18:36 . 2004-08-04 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll

2009-06-25 18:36 . 2004-08-04 12:00 16896 ----a-w- c:\windows\system32\mqise.dll

2009-06-25 18:36 . 2004-08-04 12:00 138240 ----a-w- c:\windows\system32\mqad.dll

2009-06-25 18:36 . 2004-08-04 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll

2009-06-25 08:44 . 2004-08-04 12:00 724480 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:44 . 2004-08-04 12:00 59392 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:44 . 2004-08-04 12:00 56320 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:44 . 2004-08-04 12:00 298496 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:44 . 2004-08-04 12:00 168448 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:44 . 2004-08-04 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-19 14:52 . 2009-06-19 14:52 183296 --sha-w- c:\windows\system32\binosino.exe

2009-06-19 14:52 . 2009-06-19 14:52 50688 --sha-w- c:\windows\system32\gepibura.dll

2009-06-18 00:24 . 2009-06-18 00:24 5120 --sha-w- c:\windows\system32\mesafari.exe

2009-06-18 00:18 . 2009-06-18 00:18 49152 --sha-w- c:\windows\system32\nimuhoke.dll

2009-06-18 00:24 . 2009-06-18 00:24 102400 --sha-w- c:\windows\system32\wiwisoho.exe

.

------- Sigcheck -------

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe

[-] 2004-08-04 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 1032192 . . [------] . . c:\windows\explorer.exe

[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9fe3e1d1-7560-492b-9c0e-ba0c8a414163}]

2009-06-18 00:18 49152 --sha-w- c:\windows\system32\nimuhoke.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-25 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-25 118784]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"ZCfgSvc.exe"="c:\windows\system32\ZCfgSvc.exe" [2005-07-05 639040]

"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 135168]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"punenajun"="c:\windows\system32\dovamewo.dll" [2009-09-19 88576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{5233d6d6-33fa-4ae1-a429-8df22e14fe6e}"= "c:\windows\system32\dovamewo.dll" [2009-09-19 88576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"gogamotav"= {5233d6d6-33fa-4ae1-a429-8df22e14fe6e} - c:\windows\system32\dovamewo.dll [2009-09-19 88576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2005-07-05 06:33 188482 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\hkcmd.exe"=

"c:\\WINDOWS\\system32\\BCMWLTRY.EXE"=

R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [10/23/2003 6:04 PM 76160]

S2 AntipPolice_;AntiPol;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-09-22 c:\windows\Tasks\User_Feed_Synchronization-{0FE7FAD2-1B6E-4C54-B171-E9008D39FE3C}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3ah8gbv1.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKLM-Run-fidunojaho - nawowami.dll

AddRemove-{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1 - c:\program files\ConvertHelper\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-23 03:38

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,28,fe,e4,de,ef,b6,6c,43,9a,0e,92,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,28,fe,e4,de,ef,b6,6c,43,9a,0e,92,\

[HKEY_USERS\S-1-5-21-329068152-1202660629-1060284298-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,dd,1c,37,1e,c2,ec,6c,4c,9b,26,03,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,dd,1c,37,1e,c2,ec,6c,4c,9b,26,03,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)

c:\windows\System32\BCMLogon.dll

c:\windows\system32\LgNotify.dll

.

Completion time: 2009-09-23 3:41

ComboFix-quarantined-files.txt 2009-09-23 07:40

Pre-Run: 4,414,164,992 bytes free

Post-Run: 4,379,627,520 bytes free

182 --- E O F --- 2009-09-15 21:45


Gmer log:

GMER 1.0.15.15087 - http://www.gmer.net

Rootkit scan 2009-09-23 05:13:55

Windows 5.1.2600 Service Pack 2

Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\axtdrpod.sys

---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- EOF - GMER 1.0.15 ----


You will want to print out or copy these instructions to Notepad for offline reference!

I am going to have you do a special run of Combo-Fix.

There are still several stubborn pieces of malware lying about.

Make sure you run these tools in Normal mode of XP. I take it that Normal mode is usable!?


If you are a casual viewer, do NOT try this on your system!

If you are not widly05 and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

But it is important that you get going on these following steps. Run as many of the following tools as you possibly can.

=

1. Close any open browsers and any of your open programs/windows.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

If you do not know how, then see this -- How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT disable the firewall.

3. Open notepad and copy/paste ALL the text in the quotebox below (including blank lines) into it:

KILLALL::

Driver::

punenajun

gogamotav

AntipPolice_

AntiPol

File::

c:\windows\win32k.sys

c:\windows\svchast.exe

c:\windows\system32\bovenage.exe

c:\windows\system32\fezahoyu.exe

c:\windows\system32\dovamewo.dll

c:\windows\system32\binosino.exe

c:\windows\system32\gepibura.dll

c:\windows\system32\mesafari.exe

c:\windows\system32\nimuhoke.dll

c:\windows\system32\wiwisoho.exe

C:\E.tmp

C:\10.tmp

C:\D.tmp

C:\9.tmp

C:\7.tmp

C:\5.tmp

C:\C.tmp

C:\A.tmp

Registry::

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{9fe3e1d1-7560-492b-9c0e-ba0c8a414163}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"punenajun"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{5233d6d6-33fa-4ae1-a429-8df22e14fe6e}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"gogamotav"=-

Folder::

C:\recycler

D:\recycler

e:\recycler

f:\recycler

g:\recycler

h:\recycler

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript onto Combo-Fix.exe (the red lion icon on the desktop).

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

=

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

=

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2847 or later.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista

=

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.

Re-enable your antivirus and anti-spyware applications.

Please include the following logs in your next reply:

C:\Combofix.txt

the latest MBAM scan log

Sysclean.log

DDS.txt

Attach.txt

and tell me, how is your system now?

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.


GOOD NEWS

Although MWB didn't work at first, I reinstalled it and I got it to give me a report. I have both the Combofix and MWB logs. I will come back and give you the other logs after I run Trend Micro and dds.scr.

Combofix log:

ComboFix 09-09-22.02 - Administrator 09/23/2009 10:02.8.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.329 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

C:\recycler

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ANTIPPOLICE_

-------\Service_AntipPolice_

((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))

.

2009-09-23 07:33 . 2009-09-23 07:41 -------- d-----w- C:\Combo-Fix

2009-09-22 21:58 . 2004-08-04 12:00 55808 ----a-w- C:\eventlog.dll

2009-09-22 16:41 . 2009-09-22 16:41 -------- d-----w- c:\program files\ERUNT

2009-09-19 18:00 . 2009-09-19 18:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-19 18:00 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-19 18:00 . 2009-09-22 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-19 18:00 . 2009-09-19 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-19 18:00 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-19 04:04 . 2009-09-19 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\MicrosoftProvisioning

2009-09-19 04:01 . 2009-09-19 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Provisioning

2009-08-24 22:54 . 2009-08-24 22:54 -------- d-----w- c:\windows\ServicePackFiles

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-22 22:04 . 2004-08-04 12:00 182912 ------w- c:\windows\system32\drivers\ndis.sys

2009-09-22 21:58 . 2009-06-05 02:40 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-22 21:58 . 2009-06-05 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-18 00:21 . 2005-01-20 07:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer

2009-09-17 11:27 . 2009-06-11 18:50 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-16 22:27 . 2009-06-05 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-08-07 01:09 . 2009-06-13 08:54 -------- d-----w- c:\program files\Windows Media Connect 2

2009-08-06 11:20 . 2009-08-01 01:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Azureus

2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-01 01:10 . 2005-01-20 07:08 -------- d-----w- c:\program files\iTunes

2009-08-01 01:06 . 2009-08-01 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus

2009-08-01 01:03 . 2009-08-01 01:01 -------- d-----w- c:\program files\Vuze

2009-08-01 01:01 . 2009-08-01 01:01 -------- d-----w- c:\program files\Common Files\i4j_jres

2009-08-01 00:43 . 2009-08-01 00:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX

2009-08-01 00:33 . 2009-08-01 00:33 -------- d-----w- c:\program files\DivX

2009-08-01 00:33 . 2009-08-01 00:32 -------- d-----w- c:\program files\Common Files\DivX Shared

2009-07-30 11:13 . 2009-06-13 11:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Leawo

2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll

2009-06-25 18:36 . 2004-08-04 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll

2009-06-25 18:36 . 2004-08-04 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll

2009-06-25 18:36 . 2004-08-04 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll

2009-06-25 18:36 . 2004-08-04 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll

2009-06-25 18:36 . 2004-08-04 12:00 471552 ----a-w- c:\windows\system32\mqutil.dll

2009-06-25 18:36 . 2004-08-04 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll

2009-06-25 18:36 . 2004-08-04 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll

2009-06-25 18:36 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll

2009-06-25 18:36 . 2004-08-04 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll

2009-06-25 18:36 . 2004-08-04 12:00 16896 ----a-w- c:\windows\system32\mqise.dll

2009-06-25 18:36 . 2004-08-04 12:00 138240 ----a-w- c:\windows\system32\mqad.dll

2009-06-25 18:36 . 2004-08-04 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll

.

------- Sigcheck -------

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe

[-] 2004-08-04 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 1032192 . . [------] . . c:\windows\explorer.exe

[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-25 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-25 118784]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"ZCfgSvc.exe"="c:\windows\system32\ZCfgSvc.exe" [2005-07-05 639040]

"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 135168]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2005-07-05 06:33 188482 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\hkcmd.exe"=

"c:\\WINDOWS\\system32\\BCMWLTRY.EXE"=

R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [10/23/2003 6:04 PM 76160]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-09-23 c:\windows\Tasks\User_Feed_Synchronization-{0FE7FAD2-1B6E-4C54-B171-E9008D39FE3C}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3ah8gbv1.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=

.

- - - - ORPHANS REMOVED - - - -

BHO-{9fe3e1d1-7560-492b-9c0e-ba0c8a414163} - nimuhoke.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-23 10:06

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,28,fe,e4,de,ef,b6,6c,43,9a,0e,92,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,28,fe,e4,de,ef,b6,6c,43,9a,0e,92,\

[HKEY_USERS\S-1-5-21-329068152-1202660629-1060284298-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,dd,1c,37,1e,c2,ec,6c,4c,9b,26,03,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,dd,1c,37,1e,c2,ec,6c,4c,9b,26,03,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)

c:\windows\System32\BCMLogon.dll

c:\windows\system32\LgNotify.dll

.

Completion time: 2009-09-23 10:09

ComboFix-quarantined-files.txt 2009-09-23 14:09

ComboFix2.txt 2009-09-23 07:41

Pre-Run: 4,368,973,824 bytes free

Post-Run: 4,335,472,640 bytes free

153 --- E O F --- 2009-09-15 21:45


Mbam log:

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 2

9/23/2009 10:20:01 AM

mbam-log-2009-09-23 (10-20-01).txt

Scan type: Quick Scan

Objects scanned: 85020

Time elapsed: 3 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 2

Registry Data Items Infected: 1

Folders Infected: 1

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02ffac45-0b10-5633-4296-1801f1a36678} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\15988204 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\All Users\Application Data\15988204\15988204.glu (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\15988204\pc15988204cnf (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\15988204\pc15988204ins (Rogue.Multiple) -> Quarantined and deleted successfully.


Trend log:

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2009-2010, Trend Micro, Inc. |

| http://www.trendmicro.com |

\--------------------------------------------------------------/

2009-09-23, 10:43:42, Auto-clean mode specified.

2009-09-23, 10:43:43, Initialized Rootkit Driver version 2.2.0.1004.

2009-09-23, 10:43:43, Running scanner "C:\Documents and Settings\Administrator\Desktop\DCE\TSC.BIN"...

2009-09-23, 10:43:56, Scanner "C:\Documents and Settings\Administrator\Desktop\DCE\TSC.BIN" has finished running.

2009-09-23, 10:43:56, TSC Log:


Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 5/21/2009 11:37:14 PM

System Uptime: 9/23/2009 10:31:40 AM (1 hours ago)

Motherboard: Dell Computer Corporation | | 0G5842

Processor: Intel® Pentium® M processor 1.60GHz | Microprocessor | 1594/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 28 GiB total, 3.97 GiB free.

D: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 9/22/2009 6:41:30 PM - System Checkpoint

==== Installed Programs ======================

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.1

ALPS Touch Pad Driver

Apple Mobile Device Support

Apple Software Update

AutoUpdate

Bonjour

Broadcom Gigabit Integrated Controller

C-Major Audio

CardBus

Conexant D480 MDC V.92 Modem

Critical Update for Windows Media Player 11 (KB959772)

Dell Wireless WLAN Card

DivX Codec

DivX Version Checker

ERUNT 1.1j

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB926239)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB970653-v3)

Intel® Extreme Graphics 2 Driver

Intel® PROSet

iTunes

Malwarebytes' Anti-Malware

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ Run Time Lib Setup

Mozilla Firefox (3.0.12)

PCI 7510 CardBus Controller with SmartCard and Software

QuickTime

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958470)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB971032)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Update for Windows XP (KB898461)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB973815)

VC80CRTRedist - 8.0.50727.762

Vuze

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 11

WinRAR archiver

==== Event Viewer Messages From Past Week ========

9/23/2009 8:37:42 AM, error: Service Control Manager [7034] - The Spectrum24 Event Monitor service terminated unexpectedly. It has done this 1 time(s).

9/23/2009 8:37:42 AM, error: Service Control Manager [7034] - The Smart Card service terminated unexpectedly. It has done this 1 time(s).

9/23/2009 8:37:42 AM, error: Service Control Manager [7034] - The RegSrvc service terminated unexpectedly. It has done this 1 time(s).

9/23/2009 8:37:42 AM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).

9/23/2009 8:37:42 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).

9/23/2009 8:37:42 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

9/23/2009 8:37:42 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

9/22/2009 6:33:27 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.

9/22/2009 6:33:20 PM, error: SRService [104] - The System Restore initialization process failed.

9/22/2009 6:19:10 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.

9/22/2009 6:19:08 PM, error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).

9/22/2009 5:55:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde

9/21/2009 4:45:43 PM, error: Service Control Manager [7000] - The AntiPol service failed to start due to the following error: The system cannot find the file specified.

9/20/2009 7:59:48 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

9/20/2009 7:05:02 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

9/20/2009 7:05:02 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

9/20/2009 7:05:02 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

9/20/2009 7:05:02 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

9/20/2009 7:05:02 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

9/20/2009 7:05:02 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

9/20/2009 7:05:02 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

9/20/2009 7:04:07 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

9/20/2009 6:27:18 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm

9/19/2009 11:02:54 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 000CF152DE74. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

9/19/2009 1:42:38 PM, error: Service Control Manager [7034] - The AntiPol service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================


Despite these efforts, I still can't see my desktop.

Here is the DDS.txt:

DDS (Ver_09-07-30.01) - NTFSx86

Run by Administrator at 11:43:49.41 on Wed 09/23/2009

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.274 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\1XConfig.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

mStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

mURLSearchHooks: H - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [ZCfgSvc.exe] c:\windows\system32\ZCfgSvc.exe

mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

mRunOnce: [TSC] "c:\documents and settings\administrator\desktop\dce\tsc_temp\tsc.exe" /HD

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

Notify: igfxcui - igfxsrvc.dll

Notify: Sebring - c:\windows\system32\LgNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\3ah8gbv1.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=

============= SERVICES / DRIVERS ===============

R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-10-23 76160]

=============== Created Last 30 ================

2009-09-23 10:01 <DIR> --d----- C:\Combo-Fix6175C

2009-09-23 03:33 <DIR> --d----- C:\Combo-Fix

2009-09-22 18:18 <DIR> a-dshr-- C:\cmdcons

2009-09-22 18:04 229,888 a------- c:\windows\PEV.exe

2009-09-22 18:04 161,792 a------- c:\windows\SWREG.exe

2009-09-22 18:04 98,816 a------- c:\windows\sed.exe

2009-09-22 17:58 55,808 a------- C:\eventlog.dll

2009-09-19 14:00 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes

2009-09-19 14:00 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-19 14:00 19,160 a------- c:\windows\system32\drivers\mbam.sys

2009-09-19 14:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-09-19 14:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-09-19 00:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MicrosoftProvisioning

2009-09-19 00:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Provisioning

2009-09-17 20:18 25,600 a------- c:\windows\system32\tftp.nfo

2009-08-24 18:54 <DIR> --d----- c:\windows\ServicePackFiles

==================== Find3M ====================

2009-09-22 18:04 182,912 -------- c:\windows\system32\drivers\ndis.sys

2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll

2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll

2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll

2009-07-03 13:09 915,456 -------- c:\windows\system32\wininet.dll

2009-06-25 14:36 661,504 a------- c:\windows\system32\mqqm.dll

2009-06-25 14:36 517,120 a------- c:\windows\system32\mqsnap.dll

2009-06-25 14:36 471,552 a------- c:\windows\system32\mqutil.dll

2009-06-25 14:36 225,280 a------- c:\windows\system32\mqoa.dll

2009-06-25 14:36 186,880 a------- c:\windows\system32\mqtrig.dll

2009-06-25 14:36 177,152 a------- c:\windows\system32\mqrt.dll

2009-06-25 14:36 138,240 a------- c:\windows\system32\mqad.dll

2009-06-25 14:36 123,392 a------- c:\windows\system32\mqrtdep.dll

2009-06-25 14:36 95,744 a------- c:\windows\system32\mqsec.dll

2009-06-25 14:36 48,640 a------- c:\windows\system32\mqupgrd.dll

2009-06-25 14:36 47,104 a------- c:\windows\system32\mqdscli.dll

2009-06-25 14:36 16,896 a------- c:\windows\system32\mqise.dll

============= FINISH: 11:44:11.05 ===============

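The "Pseudo HJT Report" section of the DDS log above is the part a helper reads first: each line is an autostart entry with its hive prefix (u = current user, m = machine), the registry key, the entry name in brackets and the command as registered. The Python script below is an added example, not part of this thread and not code from the DDS tool; it parses lines in that layout and flags the two things a reviewer checks by eye, entries whose target no longer exists ("No File") and entries launched from folders a standard user can write to (Desktop, Temp, Application Data). The sample lines are constructed for the example (five follow entries from the log above, the updater.exe line is made up), and the folder-marker list and search locations are assumptions. A flag means the entry deserves a look, not that it is malicious; anything started from the Desktop, including the TSC entry in the log above, is reported the same way.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the layout of a DDS "Pseudo HJT Report" section.
# The first five lines follow entries from the log above; the last one is
# made up for the example and is not from the poster's machine.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRunOnce: [TSC] "c:\documents and settings\administrator\desktop\dce\tsc_temp\tsc.exe" /HD
mURLSearchHooks: H - No File
uRun: [updater] c:\documents and settings\administrator\local settings\temp\updater.exe
"""

# One autostart line: optional hive prefix (u = user, m = machine), a key name
# of at least two letters (so "c:\..." process-list lines do not match), an
# optional [entry name], then the command exactly as DDS prints it.
ENTRY_RE = re.compile(
    r"^(?P<hive>[um])?(?P<key>[A-Za-z]{2,}):\s*(?:\[(?P<name>[^\]]*)\]\s*)?(?P<cmd>.*)$"
)
# First drive-letter path ending in an executable-style extension, quoted or not.
PATH_RE = re.compile(r'([a-z]:\\[^"]*?\.(?:exe|dll|scr|bat|cmd|com|sys))', re.IGNORECASE)

# Folder markers (assumed list) that a standard user account can write to.
USER_WRITABLE = ("\\temp\\", "\\desktop\\", "\\local settings\\",
                 "\\application data\\", "\\recycler\\")


@dataclass
class Finding:
    line: str
    hive: str                 # "u", "m", or "" when DDS prints no prefix
    name: str
    path: Optional[str]       # lower-cased target path, None if none was found
    reasons: List[str] = field(default_factory=list)


def triage(log_text: str) -> List[Finding]:
    """Parse every autostart line and attach the reasons it deserves review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, file listings and other non-autostart lines
        cmd = m.group("cmd")
        pm = PATH_RE.search(cmd)
        path = pm.group(1).lower() if pm else None
        reasons = []
        if path is None and "no file" in cmd.lower():
            reasons.append("target missing (orphaned entry)")
        if path and any(marker in path for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable folder")
        findings.append(Finding(line, m.group("hive") or "",
                                m.group("name") or m.group("key"), path, reasons))
    return findings


def needs_review(findings: List[Finding]) -> List[Finding]:
    """Only the entries that picked up at least one reason."""
    return [f for f in findings if f.reasons]


if __name__ == "__main__":
    for f in needs_review(triage(SAMPLE_DDS)):
        print(f"{f.hive}{f.name}: {', '.join(f.reasons)}")
```

Run against the sample it reports the TSC entry (Desktop), the orphaned URLSearchHooks hook and the constructed updater entry (Temp), and leaves the Windows and Program Files entries alone; feeding it a whole DDS log works too, because lines that do not fit the entry layout are skipped.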

On the off chance that your system requires login with password and you see a black screen, tap the space bar on keyboard one time. Do you see a desktop? Can you start Task Manager via CTRL+ALT+DEL and then do New Task (RUN) > and specify Explorer.exe?

If not, force a restart/reboot and try Normal mode, at least one time.

If still no joy, repeat the restart and tap F8, and select Safe Mode with Networking.


Start NOTEPAD and then copy and paste the codebox lines below into it.

@echo off
rem Start the Explorer shell from the Windows File Protection cache copy
c:\windows\system32\dllcache\explorer.exe c:\
rem Remove this batch file after it has run (one-time fix)
del %0

Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.

Double-click on fixes.bat file to run it.

Next, Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\explorer.exe | C:\WINDOWS\explorer.exe


  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.


The fixes.bat works, but each time I reboot my computer, I must hit fixes.bat so that I can see a desktop.

avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\WINDOWS\explorer.exe" is whitelisted

File move operation "C:\explorer.exe|C:\WINDOWS\explorer.exe" failed!

Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Completed script processing.

*******************

Finished! Terminate.


Try the following, but first close any of your open documents, programs, etc.

To attempt to restore XP Desktop icons and Taskbar

Download >> this file << from Kelly's Korner and save it to your system.

Next double click the file to run it. When prompted to Continue, press the YES button.

Tell me how it went. And also tell me if your system came with a full Windows XP CD, in case we may need to use it at some point.

And by the way, until your issues are resolved, do not shut down your system. Just leave it running.

If you have other users of this system, put a note by the PC and tell them NOT to use it.


Fixes.bat was only intended as a one-time fix. But if you must, use it to get desktop and Explorer running.

From Start menu (or Task Manager if needed) Run WINVER

Write down and post back here all of the description of Windows and especially all the numeric/alpha line that says Version .....


I'm of the opinion that explorer.exe needs to be restored from a proper source.

I'd like to have you run XP System File Checker.

Make sure you are logged in with a login-account that has administrator rights.

From Start menu, select Command prompt (or from RUN menu, type

CMD <enter>)

and then type in the command-prompt window

SFC / SCANNOW

and press OK or ENTER to start it. NOTE: there is one space before and after the forward slash.

That would get System File Checker running, and recheck your versions of Windows system files

You may refer to these MS articles

Description of Windows XP and Windows Server 2003 System File Checker (Sfc.exe)

Description of the Windows File Protection feature

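Windows File Protection keeps pristine copies of protected system files in the dllcache folder, and SFC checks the live files against that store, which is why the helper wants explorer.exe restored from a proper source rather than moved around by hand. The Python script below is an added example, not from this thread and not Microsoft's SFC; it models that comparison by hashing each live file and its dllcache copy and reporting whether they match, are missing, or have no cached copy at all. The Windows tree it audits is constructed inside a temporary directory (a tampered explorer.exe, an intact wininet.dll, an atl.dll with no cached copy; the names come from the log above), and the list of files and the two folders searched for live copies are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable

# Protected files to audit (assumed short list; names taken from the DDS log above).
PROTECTED = ["explorer.exe", "wininet.dll", "atl.dll"]


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit(windows_dir: Path, names: Iterable[str] = PROTECTED) -> Dict[str, str]:
    """Compare each live system file with its dllcache copy; return name -> status."""
    cache_dir = windows_dir / "system32" / "dllcache"
    # Folders where a live copy is looked for (assumption for this example).
    live_dirs = [windows_dir, windows_dir / "system32"]
    report = {}
    for name in names:
        cached = cache_dir / name
        live = next((d / name for d in live_dirs if (d / name).is_file()), None)
        if not cached.is_file():
            report[name] = "no cached copy"       # SFC would ask for the Windows CD here
        elif live is None:
            report[name] = "live copy missing"
        elif sha256_file(live) == sha256_file(cached):
            report[name] = "ok"
        else:
            report[name] = "differs from cache"   # candidate for restoring from the cache
    return report


def build_demo_tree() -> Path:
    """Constructed stand-in for the Windows directory, built in a temp folder."""
    root = Path(tempfile.mkdtemp()) / "WINDOWS"
    cache = root / "system32" / "dllcache"
    cache.mkdir(parents=True)
    (cache / "explorer.exe").write_bytes(b"genuine explorer bytes")
    (root / "explorer.exe").write_bytes(b"altered explorer bytes")     # live copy tampered
    (cache / "wininet.dll").write_bytes(b"genuine wininet bytes")
    (root / "system32" / "wininet.dll").write_bytes(b"genuine wininet bytes")
    (root / "system32" / "atl.dll").write_bytes(b"atl bytes")           # no cached copy
    return root


if __name__ == "__main__":
    for name, status in audit(build_demo_tree()).items():
        print(f"{name:14} {status}")
```

The "no cached copy" outcome is the case where SFC prompts for the installation media, which is why the helper asked whether a full Windows XP CD is available; on a real machine a "differs from cache" result for the shell binary is the situation the Avenger script above was trying to repair.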
