Quick scan stuck in an infinite loop


I recently had to rebuild my PC due to some pernicious malware, but it was long overdue regardless. After my rebuild and installing all my programs I ran a quick test on Malwarebytes, but it proved to not be so quick after all, in fact it was stuck in what seemed to be an infinite loop. I gave up after about 1.5 hours and 80,000 files being scanned. You can see in the pic below that it seemed to be endlessly generating some kind of All Users\All Users\All Users path that went nowhere. Browsing from the start only took me to the 3rd level of that tree. Thinking my new install was a dud I updated the Malwarebytes on my other PC and encountered the same problem. Does anyone know what the problem might be? I've googled and searched here as best I could but to no avail, though I don't really know how to phrase this problem.

Stuck.jpg

Link to post
Share on other sites

Hello Swank and welcome to MalwareBytes forums.

Always state your Windows version/edition.

First, set your Windows Explorer view options to see all files.

IF Vista Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

IF Windows 7 Show all files:

  • Click the Start button, and then click Control Panel >> Appearance and Personalization >> Folder Options.
  • Click the View tab.
    Under Advanced settings, click Show hidden files, folders, and drives, and then click OK.
  • Click Apply > OK.

IF Windows XP: Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

After that, use My Computer (Windows Explorer) to view that folder structure and see if that is truly how it is.

If true, then you have a horked setup.

How did you start (do) the install? as a new (clean) install or a repair install?

Given that the system had a malware infection, you must do a new ( as in wipe and re-do as new) install.

Link to post
Share on other sites

Oops, sorry, Windows XP SP3, not sure if you need more specifics, but if so I would need to know how to get them.

This was a completely new install, in fact I bought a new SSD drive to treat myself, it's great!

I did everything you mentioned and the furthest I can drill down is C:Users/All Users/Start Menu/Programs/Startup. There is a desktop.ini file in there and that's it. It contains this:

[.ShellClassInfo]

LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

There are other desktop.ini files in almost all of the other branches along the way, each reading somewhat differently, though not much more than 5-7 lines of seemingly harmless code similar to what I pasted above.

I tried deleting the desktop.ini file and running the scan again and have the same results.

Link to post
Share on other sites

The desktop.ini files may be deleted without ill effect. And they're not the real problem.

What is unusual, is to have the user structure as you have under the folder C:\Users

The standard location is C:\Documents and settings

under which would be All Users and then 1 for each login account, plus administrator

The one good thing you noted was that the folder structure does not recurse.

Give the following a try, and then retry a quick scan.

Please follow this sequence for MBAM removal & re-install:

1) Go to Control Panel and Add-or-Remove programs.

uninstall Malwarebytes' Anti-Malware

Exit Control Panel

2) Logoff and restart your computer

Get, save, and then run the utility at the following link

http://www.malwarebytes.org/mbam-clean.exe

3) Logoff and restart your computer again.

4) Now, reinstall Malwarebytes' Anti-Malware.

You may download a fresh copy for the reinstall from the following link:

http://malwarebytes.org/mbam.php

If you purchased MBAM (have a license) you will need to reenter your ID and Key afterwards to get the Protection module enabled.

Link to post
Share on other sites

I followed the above steps but unfortunately the 'All Users' loop persists, right around the 13000 Objects Scanned mark. I have run a Spybot S&D full scan as well as a Symantec corp edition full scan and all is clean. Additionally, the Malwarebytes full scan works well without incident (no loop or malicious items), so I feel I do have a clean system and adequate protection. I just miss the convenience of the quick scan and would like to add to the knowledge base if others encounter this issue. Given that I have 2 PCs here with the same OS that are showing the same symptom I thought it might be more widespread. If there is anything else you'd like me to try I'm game :-)

Link to post
Share on other sites

  • Root Admin

Hello Swank,

Please run the following and post back the logs.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

Link to post
Share on other sites

Here are DDS and Attach respectively:

DDS.txt**********************************************************************

DDS (Ver_10-03-17.01) - NTFSx86

Run by Swank at 21:33:01.51 on Thu 06/17/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1331 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\ASUS\Asus Probe\AsusProb.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\WINDOWS\vVX3000.exe

C:\WINDOWS\system32\taskswitch.exe

C:\WINDOWS\system32\fast.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Users\Swank\Local Settings\Application Data\LClock\LClock.exe

C:\Program Files\VisualTaskTips\VisualTaskTips.exe

svchost.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\Fast.exe

C:\WINDOWS\system32\dllhost.exe

C:\Users\Swank\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Users\Swank\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

F:\Torrents\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: UIHost=%SystemRoot%\System32\ultlogonui.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: QT TabBar: {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll

TB: QT Tab Standard Buttons: {d2bf470e-ed1c-487f-a666-2bd8835eb6ce} - mscoree.dll

TB: QT Breadcrumbs Address Bar: {af83e43c-dd2b-4787-826b-31b17dee52ed} - mscoree.dll

uRun: [Google Update] "c:\users\swank\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [LClock] c:\users\swank\local settings\application data\lclock\LClock.exe

uRun: [VisualTaskTips] c:\program files\visualtasktips\VisualTaskTips.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [ASUS Probe] c:\program files\asus\asus probe\AsusProb.exe

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"

mRun: [VX3000] c:\windows\vVX3000.exe

mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe

mRun: [FastUser] c:\windows\system32\fast.exe

StartupFolder: c:\users\swank\startm~1\programs\startup\wallma~1.lnk - c:\program files\wallmaster\wallmast.exe

uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\swank\applic~1\mozilla\firefox\profiles\altmiiaw.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.winxpu.info | http://www.winxpu.info/forums

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\users\swank\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-6-15 9968]

R1 SASKUTIL;SASKUTIL;c:\users\swank\locals~1\temp\sas_selfextract\SASKUTIL.sys [2010-6-15 74480]

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-14 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100614.003\naveng.sys [2010-6-14 85552]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100614.003\navex15.sys [2010-6-14 1347504]

S0 3112Rx47;3112Rx47;c:\windows\system32\drivers\3112Rx47.sys [2009-12-18 110128]

S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-6-14 14424]

S3 SASENUM;SASENUM;\??\c:\users\swank\locals~1\temp\sas_selfextract\sasenum.sys --> c:\users\swank\locals~1\temp\sas_selfextract\SASENUM.SYS [?]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]

S4 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2008-6-10 53032]

=============== Created Last 30 ================

2010-06-17 05:40:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-17 05:40:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-17 05:40:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-17 04:42:23 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys

2010-06-17 04:42:23 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS

2010-06-17 02:43:44 3247 ----a-w- c:\windows\system32\wbem\Outlook_01cb0dc6e775aa48.mof

2010-06-16 03:59:21 0 d-----w- c:\program files\VisualTaskTips

2010-06-16 03:33:47 306688 ----a-w- c:\windows\IsUninst.exe

2010-06-16 03:31:12 0 d-----w- c:\program files\Sony

2010-06-16 03:30:30 0 d-----w- c:\program files\VSTplugins

2010-06-16 03:01:09 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll

2010-06-16 03:01:09 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll

2010-06-16 03:01:09 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll

2010-06-16 03:01:08 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe

2010-06-16 03:01:08 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe

2010-06-16 02:59:59 64605 -c--a-w- c:\windows\system32\dllcache\vvoice.sys

2010-06-16 02:58:59 30688 -c--a-w- c:\windows\system32\dllcache\sym_u3.sys

2010-06-16 02:57:56 18400 -c--a-w- c:\windows\system32\dllcache\sgsmld.sys

2010-06-16 02:56:59 49024 -c--a-w- c:\windows\system32\dllcache\ql1280.sys

2010-06-16 02:55:58 180360 -c--a-w- c:\windows\system32\dllcache\ntmtlfax.sys

2010-06-16 02:54:58 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys

2010-06-16 02:53:42 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll

2010-06-16 02:52:59 8576 -c--a-w- c:\windows\system32\dllcache\hidgame.sys

2010-06-16 02:51:59 53248 -c--a-w- c:\windows\system32\dllcache\eqndiag.exe

2010-06-16 02:50:59 4096 -c--a-w- c:\windows\system32\dllcache\ctwdm32.dll

2010-06-16 02:49:58 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys

2010-06-16 02:48:59 14848 -c--a-w- c:\windows\system32\dllcache\asc3550.sys

2010-06-16 02:22:35 0 d-----w- c:\windows\SxsCaPendDel

2010-06-16 02:16:21 0 d-----w- c:\users\swank\applic~1\SUPERAntiSpyware.com

2010-06-16 02:16:21 0 d-----w- c:\users\alluse~1\applic~1\SUPERAntiSpyware.com

2010-06-16 02:01:07 2350 ----a-w- c:\windows\system32\tmp.reg

2010-06-16 01:20:06 0 d-----w- c:\program files\WallMaster

2010-06-15 13:26:20 0 d-----w- c:\program files\Windows Installer Clean Up

2010-06-15 13:25:30 0 d-----w- c:\program files\MSECACHE

2010-06-15 13:16:36 0 d--h--w- c:\windows\system32\GroupPolicy

2010-06-15 13:10:32 0 d-----w- c:\program files\Sony Setup

2010-06-15 13:07:22 0 d-----w- c:\program files\Acoustica Mp3 To Wave Converter Plus

2010-06-15 05:32:35 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2010-06-15 05:08:09 0 d-----w- c:\windows\Downloaded Installations

2010-06-15 04:15:37 2002 ---ha-w- c:\users\swank\Default.rdp

2010-06-15 04:02:35 3247 ----a-w- c:\windows\system32\wbem\Outlook_01cb0c3f9620f4aa.mof

2010-06-15 04:00:54 0 d-----w- c:\users\swank\applic~1\Mp3tag

2010-06-15 04:00:49 0 d-----w- c:\program files\Mp3tag

2010-06-15 03:56:53 0 d-----w- c:\program files\XviD

2010-06-15 03:56:43 0 d-----w- c:\program files\AviSynth 2.5

2010-06-15 03:56:17 0 d-----w- c:\program files\AutoGK

2010-06-15 03:55:34 0 d-----w- c:\program files\DVD Decrypter

2010-06-15 03:52:22 376 ----a-w- c:\windows\ODBC.INI

2010-06-15 03:52:19 28040 ----a-w- c:\windows\system32\mdimon.dll

2010-06-15 03:51:25 0 d-----w- c:\program files\Microsoft ActiveSync

2010-06-15 03:51:09 0 d-----w- c:\windows\SHELLNEW

2010-06-15 03:37:16 0 d-----w- c:\program files\CCleaner

2010-06-15 03:35:53 0 d-----w- c:\users\swank\LimeWire

2010-06-15 03:35:30 0 d-----w- c:\users\swank\applic~1\LimeWire

2010-06-15 03:35:16 0 d-----w- c:\program files\LimeWire

2010-06-15 03:35:04 28672 ----a-w- c:\windows\system32\AVEQT.dll

2010-06-15 03:35:04 129024 ----a-w- c:\windows\system32\AVERM.dll

2010-06-15 03:35:01 0 d-----w- c:\program files\Ultra Video Joiner

2010-06-15 03:28:02 0 d-----w- c:\program files\VideoLAN

2010-06-15 03:27:16 69 ----a-w- c:\windows\NeroDigital.ini

2010-06-15 03:17:08 0 d-----w- c:\users\alluse~1\applic~1\Spybot - Search & Destroy

2010-06-15 03:17:08 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-06-15 03:15:43 0 d-----w- c:\users\swank\applic~1\Malwarebytes

2010-06-15 03:15:35 0 d-----w- c:\users\alluse~1\applic~1\Malwarebytes

2010-06-15 03:14:53 48 ---ha-w- c:\windows\system32\ezsidmv.dat

2010-06-15 03:14:16 0 d-----r- c:\program files\Skype

2010-06-15 03:12:53 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2010-06-15 03:12:06 0 d-----w- c:\program files\Microsoft LifeCam

2010-06-15 03:10:07 27744 ----a-w- c:\windows\system32\drivers\point32.sys

2010-06-15 03:10:02 0 d-----w- c:\program files\Microsoft IntelliPoint

2010-06-15 03:07:33 0 d-----w- c:\program files\Microsoft IntelliType Pro

2010-06-15 03:00:54 0 d-----w- c:\program files\ACW

2010-06-15 02:42:06 0 d-----w- c:\program files\uTorrent

2010-06-15 02:41:43 0 d-----w- c:\users\swank\applic~1\uTorrent

2010-06-15 02:39:47 0 d-----w- c:\program files\PeerBlock

2010-06-15 02:36:57 2190080 -c--a-w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-06-15 02:36:56 2066944 -c--a-w- c:\windows\system32\dllcache\ntkrnlpa.exe

2010-06-15 02:34:53 6656 ----a-w- c:\windows\system32\drivers\AsProbe.sys

2010-06-15 02:34:53 245912 ----a-w- c:\windows\system\VCLX35.BPL

2010-06-15 02:34:52 996872 ----a-w- c:\windows\system\CP3240MT.DLL

2010-06-15 02:34:52 458752 ----a-w- c:\windows\system\COMCTL32.DLL

2010-06-15 02:34:52 29952 ----a-w- c:\windows\system\BORLNDMM.DLL

2010-06-15 02:34:52 187392 ----a-w- c:\windows\system\BCBSMP35.BPL

2010-06-15 02:34:52 1455736 ----a-w- c:\windows\system\VCL35.BPL

2010-06-15 02:34:41 6272 ----a-w- c:\windows\system32\drivers\ASLM75.SYS

2010-06-15 02:34:41 0 d-----w- c:\program files\ASUS

2010-06-15 02:34:37 299008 ----a-w- c:\windows\uninst.exe

2010-06-15 02:34:35 0 d-----w- c:\users\swank\WINDOWS

2010-06-15 02:33:16 0 d-----w- c:\program files\Realtek Sound Manager

2010-06-15 02:33:12 0 d-----w- c:\program files\AvRack

2010-06-15 02:33:11 164 ------w- c:\windows\avrack.ini

2010-06-15 02:33:09 765952 ----a-w- c:\windows\system\crlds3d.dll

2010-06-15 02:33:08 65536 -c--a-w- c:\windows\system32\dllcache\a3d.dll

2010-06-15 02:33:08 65536 ----a-w- c:\windows\system32\Audio3D.dll

2010-06-15 02:33:08 65536 ----a-w- c:\windows\system32\a3d.dll

2010-06-15 02:33:04 400384 ----a-w- c:\windows\system32\drivers\ALCXSENS.SYS

2010-06-15 02:33:03 611820 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS

2010-06-15 02:33:02 65024 ----a-w- c:\windows\SOUNDMAN.EXE

2010-06-15 02:33:02 155648 ----a-w- c:\windows\system32\RTLCPAPI.dll

2010-06-15 02:32:58 6584832 ----a-w- c:\windows\system32\RTLCPL.EXE

2010-06-15 02:32:53 141016 ----a-w- c:\windows\system32\ALSNDMGR.WAV

2010-06-15 02:32:43 14225408 ----a-w- c:\windows\system32\ALSNDMGR.CPL

2010-06-15 02:32:42 208896 ------w- c:\windows\alcupd.exe

2010-06-15 02:32:41 139264 ------w- c:\windows\alcrmv.exe

2010-06-15 02:32:40 744 ------w- c:\windows\system32\drivers\alcxinit.dat

2010-06-15 02:32:13 3223 ----a-w- c:\windows\Ascd_tmp.ini

2010-06-15 02:32:11 5824 ----a-w- c:\windows\system32\drivers\ASUSHWIO.SYS

2010-06-15 02:29:54 0 ----a-w- c:\windows\vpc32.INI

2010-06-15 02:24:04 87808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-06-15 02:24:04 107696 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-06-15 02:24:02 0 d-----w- c:\program files\Symantec

2010-06-15 02:23:59 0 d-----w- c:\users\alluse~1\applic~1\Symantec

2010-06-15 02:23:59 0 d-----w- c:\program files\Symantec AntiVirus

2010-06-15 02:23:59 0 d-----w- c:\program files\common files\Symantec Shared

2010-06-15 02:21:51 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

2010-06-15 01:51:03 0 d-----w- c:\program files\AVG

2010-06-15 01:46:15 0 d---a-w- c:\program files\Nero

2010-06-15 01:46:15 0 d-----w- c:\users\alluse~1\applic~1\Nero

2010-06-15 01:44:52 0 d---a-w- c:\users\swank\applic~1\ViGlance

2010-06-15 01:44:52 0 d---a-w- c:\users\swank\applic~1\OtakuSoftware

2010-06-15 01:32:53 0 d-----w- c:\program files\TUGZip

2010-06-15 01:32:46 0 d---a-w- c:\program files\Firefox

2010-06-15 01:28:33 0 d-----w- c:\program files\ffdshow

2010-06-15 01:28:06 0 d---a-w- c:\program files\Windows Plus

2010-06-15 01:20:42 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition

2010-06-15 01:18:56 0 d-----w- c:\program files\MSXML 4.0

2010-06-15 01:18:14 0 d-sh--w- c:\users\all users\DRM

2010-06-15 01:18:02 0 d--h--w- c:\program files\WindowsUpdate

2010-06-15 01:17:26 0 d-----w- c:\program files\common files\MSSoap

2010-06-15 01:16:11 0 d-----w- c:\program files\Windows Media Connect 2

2010-06-15 01:16:05 0 d-----w- c:\program files\MSN Gaming Zone

2010-06-15 01:15:30 0 d-----w- c:\program files\Windows NT

2010-06-14 19:10:38 0 d-----r- c:\users\all users\Public

2010-06-14 19:07:08 0 d-----w- c:\program files\common files\ODBC

2010-06-14 19:07:05 0 d-----w- c:\program files\common files\SpeechEngines

==================== Find3M ====================

2010-06-15 03:07:55 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2010-06-15 03:07:54 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2010-06-15 03:07:46 60416 ----a-w- c:\windows\ALCFDRTM.EXE

2010-06-15 01:32:11 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-06-15 01:16:17 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2010-05-20 21:27:26 762736 ----a-w- c:\windows\vVX3000.exe

2010-05-20 21:27:26 677232 ----a-w- c:\windows\system32\LCCoin32.dll

2010-05-20 21:27:26 227696 ----a-w- c:\windows\vVX3000.dll

2010-05-20 21:27:26 1961328 ----a-w- c:\windows\system32\drivers\VX3000.sys

2010-05-20 21:27:26 175472 ----a-w- c:\windows\system32\cVX3000.dll

2010-05-20 21:27:26 101232 ----a-w- c:\windows\VX3000.dll

2010-05-04 17:20:03 841216 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:19:59 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 06:34:15 1860352 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2008-01-22 03:51:13 121 ---ha-w- c:\program files\desktop.ini

============= FINISH: 21:33:24.85 ===============

Attach.txt****************************************************************

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 6/14/2010 7:42:55 PM

System Uptime: 6/17/2010 8:58:25 PM (1 hours ago)

Motherboard: ASUSTeK Computer Inc. | | P4P800-E

Processor: Intel® Pentium® 4 CPU 3.00GHz | CPU 1 | 2998/200mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 37 GiB total, 23.938 GiB free.

D: is CDROM ()

E: is FIXED (NTFS) - 932 GiB total, 619.486 GiB free.

F: is FIXED (NTFS) - 112 GiB total, 59.861 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: BLUETOOTH USB +EDR ADAPTER v2.1 UHE

Device ID: USB\VID_050D&PID_016A\00190E0458EF

Manufacturer:

Name: BLUETOOTH USB +EDR ADAPTER v2.1 UHE

PNP Device ID: USB\VID_050D&PID_016A\00190E0458EF

Service:

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Link to post
Share on other sites

  • Root Admin

Please run the following

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /R | SHUTDOWN /R /T 30

Then after it restarts download and run the following and post back the log please.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

Link to post
Share on other sites

  • Root Admin

Please post back the logs and we'll see if we can make this work or not. However the reality appears to be that this computer used to have either Windows Vista or Windows 7 on it and it was not properly formatted or fdisk so it still has junctions and/or symbolic links from it.

If you really want the computer to run properly with XP I would highly suggest re-installing but this time FDISK the partition and FORMAT it and THEN install XP or whichever OS you have a legal copy of.

Link to post
Share on other sites
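The diagnosis in the post above (leftover junctions or symbolic links that send a scan down All Users\All Users\All Users without end) can be reproduced and guarded against as follows. This is an added example, not code from Malwarebytes or from anyone in this thread; the function names are hypothetical, the directory tree is constructed, and a symbolic link stands in for the leftover junction.

```python
import os
import tempfile


def build_sample_tree():
    """Constructed sample: an 'All Users' folder holding a link back to itself."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="scan_demo_"))
    all_users = os.path.join(root, "All Users")
    os.makedirs(all_users)
    os.makedirs(os.path.join(root, "Swank"))
    for rel in (("All Users", "desktop.ini"), ("Swank", "notes.txt")):
        with open(os.path.join(root, *rel), "w") as fh:
            fh.write("constructed sample file\n")
    # Symlink used as a stand-in for a leftover junction (assumption; on
    # Windows, creating one may need elevation or Developer Mode).
    os.symlink(all_users, os.path.join(all_users, "All Users"),
               target_is_directory=True)
    return root


def naive_scan(root, dir_budget=20):
    """Walk with no memory of visited directories, following every link.

    Returns (files_seen, hit_budget). The budget stands in for the user
    giving up; without it this loop would not end on the sample tree.
    """
    files_seen, dirs_seen = 0, 0
    stack = [root]
    while stack:
        if dirs_seen >= dir_budget:
            return files_seen, True
        path = stack.pop()
        dirs_seen += 1
        with os.scandir(path) as it:
            for entry in it:
                if entry.is_dir():        # follows links by default
                    stack.append(entry.path)
                elif entry.is_file():
                    files_seen += 1
    return files_seen, False


def scan_tree(root):
    """Walk root once per real directory.

    Returns (files, loops) as paths relative to root, '/'-separated:
    files are scanned exactly once, loops are the link paths whose
    target is a directory the walk is already inside.
    """
    files, loops = [], []
    visited = set()

    def rel(path):
        return os.path.relpath(path, root).replace(os.sep, "/")

    def visit(path, ancestors):
        # realpath resolves symlinks (and, on Windows with Python 3.8+, junctions)
        real = os.path.normcase(os.path.realpath(path))
        if real in ancestors:             # link points back up the tree: a loop
            loops.append(rel(path))
            return
        if real in visited:               # same directory reached by a second path
            return
        visited.add(real)
        try:
            with os.scandir(path) as it:
                entries = sorted(it, key=lambda e: e.name)
        except OSError:
            return                        # unreadable directory: skip, keep scanning
        for entry in entries:
            if entry.is_dir():
                visit(entry.path, ancestors | {real})
            elif entry.is_file():
                files.append(rel(entry.path))

    visit(root, frozenset())
    return files, loops


if __name__ == "__main__":
    tree = build_sample_tree()
    print("naive scan (files seen, gave up):", naive_scan(tree))
    found, looping = scan_tree(tree)
    print("files scanned once each:", found)
    print("links that loop back:", looping)
```

The paths reported in `loops` are the ones to inspect or remove on a disk that still carries links from an earlier install.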

The above got me thinking so I disconnected my other hard drive that was in my PC from a previous Vista install thinking it might have shortcuts based on its file structure. I ran another scan after that and it worked perfectly so that must be the culprit. I'm going to reconnect it and see if deleting all of the shortcut files helps. Thanks for your help on this one, at least I can run quick scans again, but I'll let you know if I have any other problems.

Link to post
Share on other sites

<comments & kibbitz>

@Swank

IF you ran Combofix, then, copy and paste into a reply contents of C:\Combofix.txt. Plus we would need to guide you to remove CF.

Regarding LimeWire and utorrent:

Peer-to-peer filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

See these articles

File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

P2P file sharing: Know the risks

I'd urge you to de-install those apps to reduce exposure to security risks.

Your last note is appreciated. Though I'm a bit confused as to which HD had the shortcuts to which drive?

How did you have this other drive connected physically? As a secondary drive?

Link to post
Share on other sites

This topic is now closed to further replies.