erobando - Posted September 2, 2010 - ID:308485 (edited)

Hello, I ran MBAM for the first time; below is the resulting log with 3 detections. I have also attached my GMER and HijackThis logs. I would like to run this by an expert before removing any files. I appreciate any assistance you can provide.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4532

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

9/3/2010 5:20:58 AM
mbam-log-2010-09-03 (05-20-58).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 171771
Time elapsed: 21 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\makecab.exe (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\system32\TCPLimit.exe (Malware.Tool) -> No action taken.

GMER log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-03 06:19:26
Windows 5.1.2600 Service Pack 2
Running: q6flp8qy.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF30F0CD2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF30F0B8E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xF30F1142]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF30F106C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF30F0764]
SSDT sptd.sys ZwEnumerateKey [0xF7739CCC]
SSDT sptd.sys ZwEnumerateValueKey [0xF773A05A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF30F0C68]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF30F06A4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF30F0708]
SSDT sptd.sys ZwQueryKey [0xF773A132]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF30F0D88]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xF30F1210]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF30F0D48]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF30F0EC8]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xF30FDB9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xF30FD9C0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xF30FDAFA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6EB1360, 0x372FAD, 0xE8000020]
.text USBPORT.SYS!DllUnload F6E6C80C 5 Bytes JMP 865A1778
pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xBA9CDF00, 0x24000, 0x48000000]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1176] USER32.dll!DialogBoxIndirectParamW 77D6204B 5 Bytes JMP 7E38C510 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1176] USER32.dll!MessageBoxIndirectA 77D6A062 5 Bytes JMP 7E38C491 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1176] USER32.dll!DialogBoxParamA 77D6B124 5 Bytes JMP 7E38C4D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1176] USER32.dll!MessageBoxExW 77D80540 5 Bytes JMP 7E38C3D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1176] USER32.dll!MessageBoxExA 77D80564 5 Bytes JMP 7E38C413 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1176] USER32.dll!DialogBoxIndirectParamA 77D86CB5 5 Bytes JMP 7E38C54B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1176] USER32.dll!MessageBoxIndirectW 77D9609B 5 Bytes JMP 7E38C44D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[2372] SHELL32.dll!SHFileOperationW 7CA70488 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
Device \FileSystem\Ntfs \Ntfs 8676C1E8
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\NetBT \Device\NetBT_Tcpip_{502208F7-1FC2-484E-BF26-31804A922A4C} 86165980
Device \Driver\usbuhci \Device\USBPDO-0 8659E1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8676F1E8
Device \Driver\dmio \Device\DmControl\DmConfig 8676F1E8
Device \Driver\dmio \Device\DmControl\DmPnP 8676F1E8
Device \Driver\dmio \Device\DmControl\DmInfo 8676F1E8
Device \Driver\usbuhci \Device\USBPDO-1 8659E1E8
Device \Driver\usbuhci \Device\USBPDO-2 8659E1E8
Device \Driver\usbuhci \Device\USBPDO-3 8659E1E8
Device \Driver\usbehci \Device\USBPDO-4 8655D1E8
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Ftdisk \Device\HarddiskVolume1 867701E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 867701E8
Device \Driver\Cdrom \Device\CdRom0 865331E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8676E1E8
Device \Driver\atapi \Device\Ide\IdePort0 8676E1E8
Device \Driver\atapi \Device\Ide\IdePort1 8676E1E8
Device \Driver\atapi \Device\Ide\IdePort2 8676E1E8
Device \Driver\atapi \Device\Ide\IdePort3 8676E1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e 8676E1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86165980
Device \Driver\NetBT \Device\NetbiosSmb 86165980
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\usbuhci \Device\USBFDO-0 8659E1E8
Device \Driver\usbuhci \Device\USBFDO-1 8659E1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85FD91E8
Device \Driver\usbuhci \Device\USBFDO-2 8659E1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 85FD91E8
Device \Driver\usbuhci \Device\USBFDO-3 8659E1E8
Device \Driver\usbehci \Device\USBFDO-4 8655D1E8
Device \Driver\Ftdisk \Device\FtControl 867701E8
Device \FileSystem\Cdfs \Cdfs 85F94980

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FriendlyName Indeo® video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@EncoderType 1

---- EOF - GMER 1.0.15 ----

Edited September 4, 2010 by Maurice Naggar: GMER log placed in-line.
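A small parser for the MBAM 1.46 log layout shown in the first post, added here as an illustration and not code from the thread or from Malwarebytes: it reads the summary counts and the per-category item lists, checks that the counts match what is actually listed, and separates items still marked "No action taken" (logged only, which is why the poster asked before removing anything) from items marked "Quarantined and deleted successfully" as in the later quick scan. The sample log is constructed to mirror the values in the post; the function and class names are my own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.46 scan log and triage its detections."""
import re
from dataclasses import dataclass

# Constructed sample in the MBAM 1.46 layout; values mirror the first scan in this
# thread, with some empty "(No malicious items detected)" sections left out.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4532

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

9/3/2010 5:20:58 AM
mbam-log-2010-09-03 (05-20-58).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 171771
Time elapsed: 21 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> No action taken.

Files Infected:
C:\WINDOWS\system32\makecab.exe (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\system32\TCPLimit.exe (Malware.Tool) -> No action taken.
"""


@dataclass(frozen=True)
class Detection:
    category: str  # summary category, e.g. "Files Infected"
    target: str    # file path or registry value the signature hit
    name: str      # MBAM detection name, e.g. "Malware.Tool"
    action: str    # "No action taken" or "Quarantined and deleted successfully"


COUNT_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
# Greedy target, then the parenthesised detection name, then the action after "->".
ITEM_RE = re.compile(r"^(?P<target>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary counts, detections, header metadata) for one MBAM 1.46 log."""
    counts, detections, meta = {}, [], {}
    section = None  # category whose item list we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line closes the current item list
            continue
        if m := COUNT_RE.match(line):
            counts[m["category"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            section = m["category"]
        elif section is not None:
            if m := ITEM_RE.match(line):
                detections.append(Detection(section, m["target"], m["name"], m["action"]))
            # "(No malicious items detected)" and anything unparseable is skipped here
        elif ": " in line:
            key, _, value = line.partition(": ")
            meta[key] = value  # Database version, Scan type, Objects scanned, ...
    return counts, detections, meta


def count_mismatches(counts, detections):
    """Summary categories whose claimed count differs from the items actually listed."""
    listed = {}
    for d in detections:
        listed[d.category] = listed.get(d.category, 0) + 1
    return {cat: (n, listed.get(cat, 0)) for cat, n in counts.items() if n != listed.get(cat, 0)}


def pending(detections):
    """Detections that were only logged: nothing was quarantined or removed yet."""
    return [d for d in detections if d.action == "No action taken"]


if __name__ == "__main__":
    counts, dets, meta = parse_mbam_log(SAMPLE_LOG)
    print(f"MBAM db {meta.get('Database version')}: {meta.get('Scan type')}")
    for cat, (claimed, listed) in count_mismatches(counts, dets).items():
        print(f"WARNING: {cat} claims {claimed} item(s) but lists {listed}")
    for d in pending(dets):
        print(f"PENDING {d.category}: {d.target} [{d.name}]")
```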
Maurice Naggar - Posted September 4, 2010 - ID:309207

Hello Erobando and welcome to MalwareBytes forums,

Step 1
1. Go >> Here << and download ERUNT (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder; if you like you can enable this option later)
3. Start ERUNT (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup (the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 2
Set Windows to show all files and all folders. On your Desktop, double click My Computer, from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed. "CHECK" (turn on) Display the contents of system folders. Under the column Hidden files and folders, choose (*select*) Show hidden files and folders. Next, un-check Hide extensions for known file types. Next, un-check Hide protected operating system files.

Step 3
Take out the trash (temporary files & temporary internet files)
Download TFC by OldTimer to your desktop
Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
Let it run uninterrupted to completion.
IF prompted to Reboot, reply "Yes".

Step 4
Download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds or http://download.bleepingcomputer.com/sUBs/dds.scr or http://www.forospyware.com/sUBs/dds
Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
DDS will run in a command prompt window and will take 3 to 4 minutes or so.
When done, DDS will open two (2) logs: DDS.txt and Attach.txt
Save both reports to your desktop.

Download Security Check by screen317 and save it to your Desktop: here or here
Run Security Check
Follow the onscreen instructions inside of the command window.
A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access to the Internet, allow it to do so.

Please include the following logs in your next reply:
DDS.txt
Attach.txt
Checkup.txt

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of the reply. Be sure to do a Preview prior to pressing Add Reply because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
erobando (Author) - Posted September 6, 2010 - ID:309993

Hello, Maurice Naggar. Thank you very much for responding to my inquiry! I have followed the steps and pasted the results below. Thank you and I look forward to your response...

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 14:01:09.20 on Mon 09/06/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.874.1.1033.18.1023.592 [GMT 7:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [LClock] c:\program files\lclock\LClock.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [VistaDrive] c:\windows\vistadrive\VistaDrive.exe
mRun: [unlockerAssistant] c:\program files\unlocker\UnlockerAssistant.exe -H
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [skyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [indexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [setDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [LClock] c:\program files\lclock\LClock.exe
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunt autobackup.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\secunia psi.lnk - c:\program files\secunia\psi\psi.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1279724130046
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1279724108578
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-23 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-23 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-23 40384]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-3-24 54752]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-23 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-23 40384]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 14904]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-23 135664]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

=============== Created Last 30 ================

2010-09-06 06:42:09 791393 ----a-w- c:\program files\erunt-setup.exe
2010-09-02 23:16:05 152491 ----a-w- c:\program files\hosts.zip
2010-09-02 22:53:42 0 d-----w- c:\program files\Trend Micro
2010-09-02 22:53:22 812344 ----a-w- c:\program files\HJTInstall.exe
2010-09-02 21:15:24 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-09-02 21:15:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-02 21:15:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-02 21:15:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-02 21:15:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-02 21:14:18 6153352 ----a-w- c:\program files\mbam-setup-1.46.exe
2010-09-01 06:55:51 0 d-----w- c:\program files\Microsoft Office Outlook Connector

==================== Find3M ====================

2010-09-01 14:01:09 328568 ----a-w- c:\program files\utorrent.exe
2010-08-22 03:00:36 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-28 20:57:33 38848 ----a-w- c:\windows\avastSS.scr
2010-06-04 12:23:24 297660 ----a-w- c:\program files\PSISetup.exe
2010-05-23 07:23:48 10518984 ----a-w- c:\program files\windows-kb890830-x64-v3.7.exe
2010-03-24 17:02:35 4938120 ----a-w- c:\program files\Silverlight.exe
2010-03-23 15:13:52 1688360 ----a-w- c:\program files\SkypeSetup.exe
2010-03-23 14:44:40 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe

============= FINISH: 14:01:20.12 ===============

____________________________________________________________________________________________________

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/23/2010 6:02:51 PM
System Uptime: 9/6/2010 1:49:21 PM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5GC-MX
Processor: Intel® Pentium® Dual CPU E2160 @ 1.80GHz | LGA 775 | 1800/200mhz
Processor: Intel® Pentium® Dual CPU E2160 @ 1.80GHz | LGA 775 | 1800/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 49 GiB total, 38.672 GiB free.
D: is FIXED (NTFS) - 100 GiB total, 28.182 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP125: 7/27/2010 9:20:42 AM - System Checkpoint
RP126: 7/28/2010 6:50:25 PM - System Checkpoint
RP127: 7/30/2010 6:34:24 AM - System Checkpoint
RP128: 7/31/2010 7:03:47 AM - System Checkpoint
RP129: 8/1/2010 3:56:14 PM - System Checkpoint
RP130: 8/2/2010 8:11:02 PM - System Checkpoint
RP131: 8/2/2010 11:41:13 PM - Removed Java 6 Update 20
RP132: 8/2/2010 11:41:54 PM - Installed Java 6 Update 20
RP133: 8/4/2010 4:19:35 AM - System Checkpoint
RP134: 8/5/2010 9:56:07 AM - System Checkpoint
RP135: 8/6/2010 11:03:32 PM - System Checkpoint
RP136: 8/8/2010 1:32:24 AM - System Checkpoint
RP137: 8/9/2010 6:04:23 AM - System Checkpoint
RP138: 8/10/2010 1:55:30 PM - System Checkpoint
RP139: 8/11/2010 6:07:44 PM - System Checkpoint
RP140: 8/12/2010 9:50:42 PM - System Checkpoint
RP141: 8/14/2010 1:37:32 AM - System Checkpoint
RP142: 8/15/2010 12:53:03 PM - System Checkpoint
RP143: 8/16/2010 4:10:30 PM - System Checkpoint
RP144: 8/18/2010 5:03:27 AM - System Checkpoint
RP145: 8/19/2010 5:29:14 AM - System Checkpoint
RP146: 8/20/2010 5:53:00 AM - System Checkpoint
RP147: 8/21/2010 8:01:11 AM - System Checkpoint
RP148: 8/22/2010 9:31:55 AM - Removed Java 6 Update 20
RP149: 8/22/2010 10:00:30 AM - Installed Java 6 Update 20
RP150: 8/23/2010 4:00:02 PM - System Checkpoint
RP151: 8/24/2010 4:22:29 PM - System Checkpoint
RP152: 8/25/2010 7:06:42 PM - System Checkpoint
RP153: 8/31/2010 1:30:33 AM - System Checkpoint
RP154: 9/1/2010 1:52:22 AM - System Checkpoint
RP155: 9/1/2010 1:54:03 PM - Installed DirectX
RP156: 9/1/2010 9:28:17 PM - Removed Java 6 Update 20
RP157: 9/3/2010 4:49:44 AM - System Checkpoint
RP158: 9/4/2010 5:39:38 AM - System Checkpoint
RP159: 9/5/2010 5:58:38 AM - System Checkpoint
RP160: 9/6/2010 6:29:48 AM - System Checkpoint

==== Installed Programs ======================

µTorrent
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.4
ASUS nVidia Driver
Atheros Communications Inc.® L2 Fast Ethernet Driver
avast! Free Antivirus
Brother MFL-Pro Suite
CPL All-in-One
ERUNT 1.1j
Google Update Helper
GoToMeeting 4.5.0.457
HijackThis 2.0.2
Hotfix for Windows XP (KB954708)
Java Auto Updater
Java 6 Update 20
Java SE Runtime Environment 6
Junk Mail filter update
K-Lite Mega Codec Pack 1.69 BETA
LClock
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1 SP1
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook Connector
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual J# 1.1 Redistributable Package
Microsoft Visual J# 2.0 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
MSVCRT
Nero 7.0.8.2
NVIDIA Drivers
NVIDIA WDM Drivers
PaperPort
PowerDVD
Realtek High Definition Audio Driver
Secunia PSI
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Segoe UI
Skype Toolbars
Skype™ 4.2
sKz Control Panel Pack
Software Update for Web Folders
VAIOXP
VLC media player 1.1.4
Windows Imaging Component
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows Sidebar GadgetInstaller
WinRAR archiver
???????????????????? Windows Live

==== Event Viewer Messages From Past Week ========

9/6/2010 1:48:10 PM, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
9/6/2010 1:48:10 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
9/6/2010 1:48:10 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
9/3/2010 6:55:43 AM, error: HTTP [15005] - Unable to bind to the underlying transport for 0.0.0.0:2869. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine. The data field contains the error number.
9/1/2010 8:29:18 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.

==== End Of File ===========================

____________________________________________________________________________________________________

 Results of screen317's Security Check version 0.99.5
 Windows XP Service Pack 2
 Out of date service pack!!
 Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
 Windows Firewall Enabled!
 avast! Free Antivirus
 Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
 Malwarebytes' Anti-Malware
 HijackThis 2.0.2
 Java 6 Update 20
 Java SE Runtime Environment 6
 Out of date Java installed!
 Adobe Flash Player
 Adobe Reader 9.3.4
````````````````````````````````
Process Check:
objlist.exe by Laurent
 Alwil Software Avast5 AvastSvc.exe
 Alwil Software Avast5 avastUI.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
``````````End of Log````````````
Maurice Naggar - Posted September 6, 2010 - ID:310073

Your logs show uTorrent running and active:
C:\Program Files\uTorrent\uTorrent.exe
I request you Close & de-install it.
I do not recommend the use of peer-to-peer apps since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.
File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.
P2P file sharing: Know the risks

Step 2
This has MBAM installed. You no longer need the setup file. Use My Computer {Windows Explorer} & locate the exe & delete it
c:\program files\mbam-setup-1.46.exe <<- this file

Step 3
Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from >>> here <<<
Double-click FixPolicies.exe. Click the "Install" button on the bottom toolbar of the box that will open. The program will create a new Folder called FixPolicies. Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd. A black box will briefly appear and then close.
This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Step 4
Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

*****************************************************************
:processes

:files
recycler /alldrives

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

:Commands
[purity]
[emptytemp]
[CREATERESTOREPOINT]
[EMPTYFLASH]
[Reboot]
*****************************************************************

Return to OTL.
Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
Close any browser(s) windows that may be open.
Using your mouse, click on the red-lettered button Run Fix.
Once you see a message box "Fix complete! Click OK to open the fix log."
Click the OK button
The log will open in Notepad (your default text editor).
Save the log. Post a copy of that log in your next reply.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 5
Start your MBAM MalwareBytes' Anti-Malware. Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.
Then click the Scanner sub-tab. Make sure all option lines have a checkmark.
Next, Click the Update tab. Press the "Check for Updates" button. When done, click the Scanner tab.
Do a Quick Scan. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 6
Go to Control Panel >> Add-or-Remove Programs.
Look for & remove (de-install) HijackThis 2.0.2 If found
Exit Control Panel
Download and SAVE HijackThis
Save the HJT to your desktop or the folder of your choice, then navigate to that folder and double-click Hijackthis.exe to start it.
Do a "Scan and Save log".

Step 7
Reply with copy of the OTL MovedFiles log
the latest MBAM scan log
the new HijackThis log
and tell me, How is the system now?

Do not think that you are done. Once we determine that the system is "cleared", you must go about getting XP Service Pack 3. That is long overdue. Without it, your system is NO Longer getting updates from Microsoft, and is exposed to potential security risks.
Important notice for users of Windows XP with Service Pack 2 (SP2): The support for your product ended July 13, 2010! To ensure that you will receive all important security updates for Windows you need to upgrade to Windows XP with Service Pack 3 (SP3)
Save this for much later. A reference page at Microsoft on XP SP3: Learn how to install Windows XP Service Pack 3 (SP3)
http://windows.microsoft.com/en-us/windows...vice-pack-3-sp3
erobando Posted September 8, 2010 Author ID:310808
Hello, thank you again for your reply.
I have uninstalled uTorrent and have followed the steps you provided.
Log files are pasted below.
The system appears to be running normally now.
I appreciate all the help you are providing!

All processes killed
Error: Unable to interpret <*****************************************************************> in the current context!
========== PROCESSES ==========
========== FILES ==========
C:\RECYCLER\S-1-5-21-606747145-651377827-725345543-500 folder moved successfully.
C:\RECYCLER folder moved successfully.
D:\RECYCLER\S-1-5-21-682003330-1682526488-839522115-500 folder moved successfully.
D:\RECYCLER\S-1-5-21-606747145-651377827-725345543-500 folder moved successfully.
D:\RECYCLER\S-1-5-21-1409082233-776561741-725345543-501 folder moved successfully.
D:\RECYCLER\S-1-5-21-1409082233-776561741-725345543-500 folder moved successfully.
D:\RECYCLER folder moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 588785 bytes
->Temporary Internet Files folder emptied: 20101671 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 2667 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 20.00 mb
Restore point Set: OTL Restore Point (0)
[EMPTYFLASH]
User: Administrator
->Flash cache emptied: 0 bytes
User: All Users
User: Default User
->Flash cache emptied: 0 bytes
User: Guest
User: LocalService
User: NetworkService
Total Flash Files Cleaned = 0.00 mb
Error: Unable to interpret <*****************************************************************> in the current context!
OTL by OldTimer - Version 3.2.11.0 log created on 09082010_041052
Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
Registry entries deleted on Reboot...
_____________________________________________________________________________________________________

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4564
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13
9/8/2010 4:56:49 AM
mbam-log-2010-09-08 (04-56-49).txt
Scan type: Quick scan
Objects scanned: 140911
Time elapsed: 4 minute(s), 43 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\makecab.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TCPLimit.exe (Malware.Tool) -> Quarantined and deleted successfully.
_____________________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:35:19 AM, on 9/8/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [unlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [LClock] C:\Program Files\LClock\LClock.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1279724130046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1279724108578
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9433 bytes
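The HijackThis log above is read by hand in this thread: the helper looks for O2 (Browser Helper Object) and O4 (autorun) lines, and the one entry that stands out is the BHO registered as "(no name)" with "(no file)", whose two leftover registry keys the OTL fix in this same post tried to remove. The script below is an added example, not code from the forum, from HijackThis or from OTL: it parses those two line types with regular expressions, flags BHOs whose DLL is missing (an orphaned CLSID registration), reports the two registry locations such an orphan lives under, and groups autorun values by hive. The sample log is constructed to mirror a handful of the lines above; the field layout of the O2/O4 lines is taken from the log itself, and everything else (function names, the report format) is this example's own choice.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the HijackThis 2.0.4 log format pasted above. These are a
# few representative lines, not the poster's full log; the "(no file)" BHO is the
# orphaned CLSID that the OTL fix in the same post targeted.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:35:19 AM, on 9/8/2010
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""


@dataclass
class BhoEntry:
    name: str    # display name, or "(no name)"
    clsid: str   # {8-4-4-4-12} GUID as printed in the log
    path: str    # DLL path, or "(no file)" when the file is missing


@dataclass
class RunEntry:
    hive: str            # HKLM, HKCU, HKUS\<SID> or HKUS\.DEFAULT
    key: str             # Run or RunOnce
    label: str           # value name shown in [brackets]
    command: str         # command line without the trailing (User '...') tag
    user: Optional[str]  # account name from the (User '...') tag, if present


# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path | (no file)>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# O4 lines: "O4 - <hive>\..\Run[Once]: [<value>] <command>[ (User '<account>')]"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\S-[\d-]+|\\\.DEFAULT)?)\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<label>[^\]]+)\] (?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Where a BHO CLSID is registered; these match the two "Registry key ... not found"
# lines in the OTL log above.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"


def parse_hjt(text: str) -> Tuple[List[BhoEntry], List[RunEntry]]:
    """Extract O2 (BHO) and O4 (autorun) entries; other line types are ignored."""
    bhos: List[BhoEntry] = []
    runs: List[RunEntry] = []
    for line in text.splitlines():
        line = line.rstrip()
        m = BHO_RE.match(line)
        if m:
            bhos.append(BhoEntry(m["name"], m["clsid"], m["path"]))
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append(RunEntry(m["hive"], m["key"], m["label"], m["command"], m["user"]))
    return bhos, runs


def orphaned_bhos(bhos: List[BhoEntry]) -> List[BhoEntry]:
    """BHOs still registered under the Browser Helper Objects key but with no DLL
    on disk. Harmless by itself, but it is the leftover a cleanup tool removes."""
    return [b for b in bhos if b.path.strip().lower() == "(no file)"]


def registry_keys_for_bho(b: BhoEntry) -> List[str]:
    """The two registry keys that would have to go for this CLSID to disappear."""
    return [BHO_KEY + "\\" + b.clsid, CLSID_KEY + "\\" + b.clsid]


def autoruns_by_hive(runs: List[RunEntry]) -> Dict[str, List[RunEntry]]:
    grouped: Dict[str, List[RunEntry]] = {}
    for r in runs:
        grouped.setdefault(r.hive, []).append(r)
    return grouped


def report(text: str) -> List[str]:
    """Human-readable summary: orphaned BHOs first, then autoruns per hive."""
    bhos, runs = parse_hjt(text)
    lines: List[str] = []
    for b in orphaned_bhos(bhos):
        lines.append(f"orphaned BHO {b.clsid}: registered but no DLL on disk")
        for key in registry_keys_for_bho(b):
            lines.append("  leftover key: " + key)
    for hive, entries in autoruns_by_hive(runs).items():
        lines.append(f"{hive}: {len(entries)} autorun value(s)")
        for r in entries:
            who = f" as {r.user}" if r.user else ""
            lines.append(f"  {r.key} [{r.label}]{who}: {r.command}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a saved hijackthis.log by replacing SAMPLE_LOG with the file's contents; the O4 grouping makes it easy to see which values run under service accounts (the HKUS\S-1-5-19 RunOnce entry above runs as LOCAL SERVICE), which is where an unfamiliar value deserves a closer look.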
Maurice Naggar Posted September 8, 2010 ID:310909
MBAM found and removed a couple of malwares. Let's follow-up with a run of Combofix.

Read all of the instructions first. Print this as needed or Save directions to Notepad.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Do NOT turn off the firewall
If you have a prior copy of Combofix, delete it now !
Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages.
It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change ! It has lots of work.
You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.
Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on speed of your system and how much there is to scan & how much it needs to clean.
If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power).

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.
Link 1
Link 2
Link 3
* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on Combo-Fix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
RE-Enable your AntiVirus and AntiSpyware applications.
erobando Posted September 8, 2010 Author ID:311153
Hello, thank you again for your help.
I followed the steps and ran Combo-Fix, disabled my antivirus and followed the prompts to download Microsoft Windows Recovery Console.
However, after 50 stages I received a blue screen error with a prompt to reboot.
Upon reboot there was a message that my computer recovered from a serious error. I copied the error report but am unable to paste it in this post.
The error reads...
Error Signature:
BCCode: 24 BCP1 : 001902FE BCP2 : F7C62AB4 BCP3 : F7C627B0
BP4 : F75D3198 OSVer : 5_1_2600 SP : 2_0 Product: 256_1
When I click on view technical information about the report...
The following files will be included in the report:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER93d2.dir00\Mini071910-01.dmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER93d2.dir00\Sysdata.xml

The Combofix.txt reads...
ComboFix 10-09-08.01 - Administrator 09/09/2010 2:36:49.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.874.1.1033.18.1023.509 [GMT 7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
Maurice Naggar Posted September 9, 2010 ID:311353
See this article at Microsoft Knowledge Base:
"You receive a "System Has Recovered from a Serious Error" message after every restart"
Do the section titled "Workaround".
Then, Go into your Control Panel | Performance and Maintenance | System icon | System properties | "Advanced" TAB | in the "Startup and Recovery" section....click the "settings" button. "Un-check" the "automatically restart" line. And in the "Write debugging information" select "NONE". This turns off the error "dumps". (That's a suggestion; most people won't need them.) Do the apply change, make clean exit.
The message you got "System Has Recovered from a Serious Error" is Windows' way of saying "Hey, this system just had an abnormal termination" and "I want to initiate a memory dump and to see if you want to send a report".
No, I do not need the minidump or that error report.

Let's continue the malware hunt. Let's do a check to see IF there is a hint of a rootkit, and then run a virus/malware scan:

Step 1
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Do NOT turn off the firewall
========================================================
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
========================================================
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.
If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click Yes.
Once the scan is complete, you may receive another notice about rootkit activity. Click OK. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt". Save it where you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt". Save it where you can easily find it, such as your desktop.

Step 2
Download Dr.Web CureIt to the desktop.
Double-click the drweb-cureit.exe file, then on Start and allow to run the express scan. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, choose the Complete Scan. Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look and see if you can click the following icon next to the files found: If so, click it and then click the next icon right below and select Move incurable as you'll see in next image: This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list. Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer to allow files that were in use to be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.
Re-enable your antivirus program.
Reply with copy of the GMER log and the Dr Web Cure-It log
erobando Posted September 10, 2010 Author ID:311876
Hello,
I followed the instructions in the Microsoft Knowledge Base article up through step...
6. For Paging file size for selected drive, click No Paging File, and then click Set.
After that, the instructions did not seem to match the options on my system. Maybe because I am using Service Pack 2?
I did make your suggested changes in the Control Panel/System icon.
I have pasted the GMER and Dr. Web CureIt results below.
Thank you again for your help!

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-10 10:58:37
Windows 5.1.2600 Service Pack 2
Running: q6flp8qy.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xF383BCF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xF383BBAC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xF383C160]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xF383C08A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xF383B782]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xF383BC86]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xF383B6C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xF383B726]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xF383BDA6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xF383C22E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xF383BD66]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xF383BEE6]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6FCC360, 0x372FAD, 0xE8000020]
pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xBA64AF00, 0x24000, 0x48000000]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[612] SHELL32.dll!SHFileOperationW 7CA70488 5 Bytes JMP 01131102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1452] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[736] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002
IAT C:\WINDOWS\system32\services.exe[736] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FriendlyName Indeo® video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@EncoderType 1

---- EOF - GMER 1.0.15 ----

Contents of DrWeb.csv...
RemoveWGA.exe;D:\;Tool.RemoveWGA;Moved.;
Maurice Naggar Posted September 11, 2010 ID:312501
Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
Trend Micro Sysclean Package
Make sure you read this document to understand how to use the program. Trend Micro Sysclean Package README 1st
Basically there are 2 parts that need to be downloaded and SAVED from these links:
Download Sysclean Package
Download Malware CPR (Windows Virus Pattern) Files that will be a LPTxxx.ZIP file
Create a brand new folder to copy these files to. As an example: C:\DCE
Then open each of the zipped archive files and extract their contents to C:\DCE
Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista
erobando Posted September 12, 2010 Author ID:312720
Hello, Below is the sysclean.log content.
Thank you again for your help!

/--------------------------------------------------------------\
| Trend Micro System Cleaner                                   |
| Copyright 2009-2010, Trend Micro, Inc.                       |
| http://www.trendmicro.com                                    |
\--------------------------------------------------------------/
2010-09-12, 18:17:02, Auto-clean mode specified.
2010-09-12, 18:17:02, Initialized Rootkit Driver version 2.2.0.1004.
2010-09-12, 18:17:02, Running scanner "C:\Temp DCE\TSC.BIN"...
2010-09-12, 18:17:16, Scanner "C:\Temp DCE\TSC.BIN" has finished running.
2010-09-12, 18:17:16, TSC Log:
Damage Cleanup Engine (DCE) 6.2 (Build 1016) (RCM: 2.2.0-1004)
Windows XP (Build 2600: Service Pack 2)
Start time: Sun Sep 12 2010 18:17:03
Load Damage Cleanup Template (DCT) "C:\Temp DCE\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\Temp DCE\tsc.ptn" (version 1092) [success]
Complete time: Sun Sep 12 2010 18:17:16
Execute pattern count (3051), Virus found count (0), Virus clean count (0), Clean failed count (0)
2010-09-12, 18:17:16, Running scanner "C:\Temp DCE\VSCANTM.BIN"...
2010-09-12, 18:38:20, Scanner "C:\Temp DCE\VSCANTM.BIN" has finished running.
2010-09-12, 18:38:20, VSCANTM Log:
2010-09-12, 18:38:20, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/12/2010 18:17:16
VSAPI Engine Version : 9.120-1004
VSCANTM Version : 3.00-1018 (Official Build)
VSGetVirusPatternInformation is invoked
Virus Pattern Version : 457 (536557/536557 Patterns) (2010/09/11) (745700)
Command Line: C:\Temp DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\Temp DCE\lpt$vpn.457
29860 files have been read.
29860 files have been checked.
29798 files have been scanned.
95807 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/12/2010 18:38:20
21 minutes 3 seconds (1262.75 seconds) has elapsed.(42.289 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2010-09-12, 18:38:20, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/12/2010 18:17:16
VSAPI Engine Version : 9.120-1004
VSCANTM Version : 3.00-1018 (Official Build)
VSGetVirusPatternInformation is invoked
Virus Pattern Version : 457 (536557/536557 Patterns) (2010/09/11) (745700)
Command Line: C:\Temp DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\Temp DCE\lpt$vpn.457
29860 files have been read.
29860 files have been checked.
29798 files have been scanned.
95807 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/12/2010 18:38:20
21 minutes 3 seconds (1262.75 seconds) has elapsed.(42.289 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2010-09-12, 18:38:20, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/12/2010 18:17:16
VSAPI Engine Version : 9.120-1004
VSCANTM Version : 3.00-1018 (Official Build)
VSGetVirusPatternInformation is invoked
Virus Pattern Version : 457 (536557/536557 Patterns) (2010/09/11) (745700)
Command Line: C:\Temp DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\Temp DCE\lpt$vpn.457
29860 files have been read.
29860 files have been checked.
29798 files have been scanned.
95807 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/12/2010 18:38:20
21 minutes 3 seconds (1262.75 seconds) has elapsed.(42.289 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2010-09-12, 18:38:20, Running scanner "C:\Temp DCE\VSCANTM.BIN"...
2010-09-12, 18:42:20, Scanner "C:\Temp DCE\VSCANTM.BIN" has finished running.
2010-09-12, 18:42:20, VSCANTM Log:
2010-09-12, 18:42:20, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/12/2010 18:38:20
VSAPI Engine Version : 9.120-1004
VSCANTM Version : 3.00-1018 (Official Build)
VSGetVirusPatternInformation is invoked
Virus Pattern Version : 457 (536557/536557 Patterns) (2010/09/11) (745700)
Command Line: C:\Temp DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\Temp DCE\lpt$vpn.457
2542 files have been read.
2542 files have been checked.
2517 files have been scanned.
13691 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/12/2010 18:42:20
3 minutes 59 seconds (238.59 seconds) has elapsed.(93.861 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2010-09-12, 18:42:20, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/12/2010 18:38:20
VSAPI Engine Version : 9.120-1004
VSCANTM Version : 3.00-1018 (Official Build)
VSGetVirusPatternInformation is invoked
Virus Pattern Version : 457 (536557/536557 Patterns) (2010/09/11) (745700)
Command Line: C:\Temp DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\Temp DCE\lpt$vpn.457
2542 files have been read.
2542 files have been checked.
2517 files have been scanned.
13691 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/12/2010 18:42:20
3 minutes 59 seconds (238.59 seconds) has elapsed.(93.861 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2010-09-12, 18:42:20, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/12/2010 18:38:20
VSAPI Engine Version : 9.120-1004
VSCANTM Version : 3.00-1018 (Official Build)
VSGetVirusPatternInformation is invoked
Virus Pattern Version : 457 (536557/536557 Patterns) (2010/09/11) (745700)
Command Line: C:\Temp DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\Temp DCE\lpt$vpn.457
2542 files have been read.
2542 files have been checked.
2517 files have been scanned.
13691 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/12/2010 18:42:20
3 minutes 59 seconds (238.59 seconds) has elapsed.(93.861 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2010-09-12, 18:42:20, Running SSAPI scanner ""...
2010-09-12, 18:49:35, SSAPI Log:
SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 7.01
SSAPI Anti-Rootkit Version: 2.2.0.1004
Spyware Scan Started: 09/12/2010 18:42:20
Detected: 0 items.
Spyware Scan Ended: 09/12/2010 18:49:35
Scan Complete. Time=435.115479.
Maurice Naggar Posted September 12, 2010 ID:312730

We're ready to wrap this up. You are good to go after the following.

Sysclean found no viruses. Very good result.

After the cleanups below, your next major goal should be to get and apply Windows XP Service Pack 3. Otherwise, this system will not be getting any Windows updates from Microsoft, thus putting this sys at risk.
See Windows XP Service Pack 3 (SP3): Installation Guide
also Windows Xp Service Pack 3 (sp3) Information
http://www.bleepingcomputer.com/forums/topic146857.html
Hard disk space requirements for Windows XP Service Pack 3
http://support.microsoft.com/kb/947311/
Support for WinXP (x86) SP2 ends on 13 July 2010. After that date, computers running WinXP (x86) SP2 "will no longer receive software updates from Windows Update" (i.e., Automatic Updates will not work and the Windows Update website will not be accessible) until SP3 has been installed. Extended Support for WinXP SP3 will continue through 08 April 2014.
What does it mean if my version of Windows is no longer supported?
http://windows.microsoft.com/en-us/windows...of-support-meam

I see that you are clear of your original issues. If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used, followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below. The "/uninstall" in the Run line below is to start Combofix for its cleanup & removal function. Note the space after exe and before the slash mark. The utility must be removed to prevent any unintentional or accidental usage, PLUS, to free up much space on your hard disk.
Click Start, then click Run. Then type in CMD and press the Enter key. This will open a command-prompt window.
In the command box that opens, type or copy/paste C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe /uninstall and then click OK.

Please double-click OTL.exe to run it. Click on the CleanUp! button at the upper right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes. This step removes the files, folders, and shortcuts created by the tools I had you download and run.

Delete the Dr Web Cure-It downloads and files, if still present.
Delete the SYSCLEAN downloads and the C:\Temp DCE folder.
Run Disk Cleanup with the System Restore Cleanup as outlined here by Bert Kinney, MS MVP
http://bertk.mvps.org/html/diskclean.html

Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
Check in at Windows Update and install any Critical Updates offered. Make certain that Automatic Updates is enabled.
How to configure and use Automatic Updates in WinXP: http://support.microsoft.com/kb/306525
Check on other update issues as well; visit Secunia Online Software Inspector (OSI).
Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times)
I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm
That would help to keep your browser away from known spyware/malware sites.
Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
Kaspersky Webscan Online Virus Scanner
ESET Online Scanner
Panda ActiveScan
Trend Micro Housecall
F-Secure Online Scanner
Read Tony Klein's article How Did I Get Infected In The First Place
MS Online Safety & Privacy Education
Never, ever download free games, free tools, videos, multi-media files or anything free unless you can be absolutely sure the source is safe!

We are finished here. Best regards.
erobando Posted September 13, 2010 Author ID:313109

Thank you for all of your help clearing the problems as well as the suggestions/links!
I followed the clean-up steps and removed Combo-Fix, OTL, Dr Web Cure-It and Sysclean and associated files.
Should I do the same for the other programs used (FixPolicies, TFC by OldTimer, HiJackThis, GMER and ERUNT)?
Thanks again!
Maurice Naggar Posted September 13, 2010 ID:313193

Delete Gmer.zip or Gmer.exe if still present.
You may if you wish de-install HijackThis. Your option.
TFC Temp file cleaner is very useful and you may keep it. Use it on some regular basis to flush temporary files.
ERUNT is a handy program to backup the registry. It will provide an added measure of backup. More important is to do frequent regular backups.
FixPolicies you may delete if you wish. It is not by any means harmful.
You are very welcome. Stay safe.

I am closing this topic. Anyone else having issues, please create your own topic. The procedures used here are strictly for this system, and no other.