Infected?

Hello. I ran MBAM for the first time; below is the resulting log with 3 detections.

I have also attached my GMER and HijackThis logs.

I would like to run this by an expert before removing any files.

I appreciate any assistance you can provide.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4532

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

9/3/2010 5:20:58 AM

mbam-log-2010-09-03 (05-20-58).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 171771

Time elapsed: 21 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\makecab.exe (Malware.Packer.Gen) -> No action taken.

C:\WINDOWS\system32\TCPLimit.exe (Malware.Tool) -> No action taken.

GMER log

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-09-03 06:19:26

Windows 5.1.2600 Service Pack 2

Running: q6flp8qy.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF30F0CD2]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF30F0B8E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xF30F1142]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF30F106C]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF30F0764]

SSDT sptd.sys ZwEnumerateKey [0xF7739CCC]

SSDT sptd.sys ZwEnumerateValueKey [0xF773A05A]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF30F0C68]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF30F06A4]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF30F0708]

SSDT sptd.sys ZwQueryKey [0xF773A132]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF30F0D88]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xF30F1210]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF30F0D48]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF30F0EC8]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xF30FDB9C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xF30FD9C0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xF30FDAFA]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6EB1360, 0x372FAD, 0xE8000020]

.text USBPORT.SYS!DllUnload F6E6C80C 5 Bytes JMP 865A1778

pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xBA9CDF00, 0x24000, 0x48000000]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1176] USER32.dll!DialogBoxIndirectParamW 77D6204B 5 Bytes JMP 7E38C510 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1176] USER32.dll!MessageBoxIndirectA 77D6A062 5 Bytes JMP 7E38C491 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1176] USER32.dll!DialogBoxParamA 77D6B124 5 Bytes JMP 7E38C4D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1176] USER32.dll!MessageBoxExW 77D80540 5 Bytes JMP 7E38C3D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1176] USER32.dll!MessageBoxExA 77D80564 5 Bytes JMP 7E38C413 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1176] USER32.dll!DialogBoxIndirectParamA 77D86CB5 5 Bytes JMP 7E38C54B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[1176] USER32.dll!MessageBoxIndirectW 77D9609B 5 Bytes JMP 7E38C44D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\WINDOWS\Explorer.EXE[2372] SHELL32.dll!SHFileOperationW 7CA70488 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

Device \FileSystem\Ntfs \Ntfs 8676C1E8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\NetBT \Device\NetBT_Tcpip_{502208F7-1FC2-484E-BF26-31804A922A4C} 86165980

Device \Driver\usbuhci \Device\USBPDO-0 8659E1E8

Device \Driver\dmio \Device\DmControl\DmIoDaemon 8676F1E8

Device \Driver\dmio \Device\DmControl\DmConfig 8676F1E8

Device \Driver\dmio \Device\DmControl\DmPnP 8676F1E8

Device \Driver\dmio \Device\DmControl\DmInfo 8676F1E8

Device \Driver\usbuhci \Device\USBPDO-1 8659E1E8

Device \Driver\usbuhci \Device\USBPDO-2 8659E1E8

Device \Driver\usbuhci \Device\USBPDO-3 8659E1E8

Device \Driver\usbehci \Device\USBPDO-4 8655D1E8

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Ftdisk \Device\HarddiskVolume1 867701E8

Device \Driver\Ftdisk \Device\HarddiskVolume2 867701E8

Device \Driver\Cdrom \Device\CdRom0 865331E8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8676E1E8

Device \Driver\atapi \Device\Ide\IdePort0 8676E1E8

Device \Driver\atapi \Device\Ide\IdePort1 8676E1E8

Device \Driver\atapi \Device\Ide\IdePort2 8676E1E8

Device \Driver\atapi \Device\Ide\IdePort3 8676E1E8

Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e 8676E1E8

Device \Driver\NetBT \Device\NetBt_Wins_Export 86165980

Device \Driver\NetBT \Device\NetbiosSmb 86165980

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbuhci \Device\USBFDO-0 8659E1E8

Device \Driver\usbuhci \Device\USBFDO-1 8659E1E8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85FD91E8

Device \Driver\usbuhci \Device\USBFDO-2 8659E1E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector 85FD91E8

Device \Driver\usbuhci \Device\USBFDO-3 8659E1E8

Device \Driver\usbehci \Device\USBFDO-4 8655D1E8

Device \Driver\Ftdisk \Device\FtControl 867701E8

Device \FileSystem\Cdfs \Cdfs 85F94980

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo

Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FriendlyName Indeo® video 5.10 Compression Filter

Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}

Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FilterData 0x02 0x00 0x00 0x00 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@EncoderType 1

---- EOF - GMER 1.0.15 ----

Edited by Maurice Naggar
GMER log placed In-line

Hello Erobando and welcome to MalwareBytes forums,

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under the column Hidden files and folders, choose (select) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

Take out the trash (temporary files & temporary internet files)

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

Step 4

Download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds here or

http://download.bleepingcomputer.com/sUBs/dds.scr or

http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

DDS will run in a command prompt window and will take 3 to 4 minutes or so.

  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access to the Internet, allow it to do so.

Please include the following logs in your next reply:

DDS.txt

Attach.txt

Checkup.txt

Do not use the attachment feature to place any of your reports.

Always put them in-line inside the body of reply.

Be sure to do a Preview prior to pressing Add Reply because all reports may not fit into 1 single reply. You may have to do more than 1 reply.


Hello, Maurice Naggar. Thank you very much for responding to my inquiry!

I have followed the steps and pasted the results below.

Thank you and I look forward to your response...

DDS (Ver_10-03-17.01) - NTFSx86

Run by Administrator at 14:01:09.20 on Mon 09/06/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.2.874.1.1033.18.1023.592 [GMT 7:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\VistaDrive\VistaDrive.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\LClock\LClock.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Secunia\PSI\psi.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Windows Live\Toolbar\wltuser.exe

C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [LClock] c:\program files\lclock\LClock.exe

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [VistaDrive] c:\windows\vistadrive\VistaDrive.exe

mRun: [unlockerAssistant] c:\program files\unlocker\UnlockerAssistant.exe -H

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [skyTel] SkyTel.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe

mRun: [indexSearch] c:\program files\scansoft\paperport\IndexSearch.exe

mRun: [setDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe

mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [LClock] c:\program files\lclock\LClock.exe

dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunt autobackup.lnk - c:\program files\erunt\AUTOBACK.EXE

StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\secunia psi.lnk - c:\program files\secunia\psi\psi.exe

uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

uPolicies-explorer: NoResolveTrack = 1 (0x1)

dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

dPolicies-explorer: NoResolveTrack = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office11\REFIEBAR.DLL

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1279724130046

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1279724108578

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-23 165456]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-23 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-23 40384]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-3-24 54752]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-23 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-23 40384]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 14904]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-23 135664]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

=============== Created Last 30 ================

2010-09-06 06:42:09 791393 ----a-w- c:\program files\erunt-setup.exe

2010-09-02 23:16:05 152491 ----a-w- c:\program files\hosts.zip

2010-09-02 22:53:42 0 d-----w- c:\program files\Trend Micro

2010-09-02 22:53:22 812344 ----a-w- c:\program files\HJTInstall.exe

2010-09-02 21:15:24 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2010-09-02 21:15:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-02 21:15:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-02 21:15:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-02 21:15:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-09-02 21:14:18 6153352 ----a-w- c:\program files\mbam-setup-1.46.exe

2010-09-01 06:55:51 0 d-----w- c:\program files\Microsoft Office Outlook Connector

==================== Find3M ====================

2010-09-01 14:01:09 328568 ----a-w- c:\program files\utorrent.exe

2010-08-22 03:00:36 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-28 20:57:33 38848 ----a-w- c:\windows\avastSS.scr

2010-06-04 12:23:24 297660 ----a-w- c:\program files\PSISetup.exe

2010-05-23 07:23:48 10518984 ----a-w- c:\program files\windows-kb890830-x64-v3.7.exe

2010-03-24 17:02:35 4938120 ----a-w- c:\program files\Silverlight.exe

2010-03-23 15:13:52 1688360 ----a-w- c:\program files\SkypeSetup.exe

2010-03-23 14:44:40 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe

============= FINISH: 14:01:20.12 ===============

________________________________________________________________________________

____________________

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 3/23/2010 6:02:51 PM

System Uptime: 9/6/2010 1:49:21 PM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5GC-MX

Processor: Intel® Pentium® Dual CPU E2160 @ 1.80GHz | LGA 775 | 1800/200mhz

Processor: Intel® Pentium® Dual CPU E2160 @ 1.80GHz | LGA 775 | 1800/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 49 GiB total, 38.672 GiB free.

D: is FIXED (NTFS) - 100 GiB total, 28.182 GiB free.

E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP125: 7/27/2010 9:20:42 AM - System Checkpoint

RP126: 7/28/2010 6:50:25 PM - System Checkpoint

RP127: 7/30/2010 6:34:24 AM - System Checkpoint

RP128: 7/31/2010 7:03:47 AM - System Checkpoint

RP129: 8/1/2010 3:56:14 PM - System Checkpoint

RP130: 8/2/2010 8:11:02 PM - System Checkpoint

RP131: 8/2/2010 11:41:13 PM - Removed Java 6 Update 20

RP132: 8/2/2010 11:41:54 PM - Installed Java 6 Update 20

RP133: 8/4/2010 4:19:35 AM - System Checkpoint

RP134: 8/5/2010 9:56:07 AM - System Checkpoint

RP135: 8/6/2010 11:03:32 PM - System Checkpoint

RP136: 8/8/2010 1:32:24 AM - System Checkpoint

RP137: 8/9/2010 6:04:23 AM - System Checkpoint

RP138: 8/10/2010 1:55:30 PM - System Checkpoint

RP139: 8/11/2010 6:07:44 PM - System Checkpoint

RP140: 8/12/2010 9:50:42 PM - System Checkpoint

RP141: 8/14/2010 1:37:32 AM - System Checkpoint

RP142: 8/15/2010 12:53:03 PM - System Checkpoint

RP143: 8/16/2010 4:10:30 PM - System Checkpoint

RP144: 8/18/2010 5:03:27 AM - System Checkpoint

RP145: 8/19/2010 5:29:14 AM - System Checkpoint

RP146: 8/20/2010 5:53:00 AM - System Checkpoint

RP147: 8/21/2010 8:01:11 AM - System Checkpoint

RP148: 8/22/2010 9:31:55 AM - Removed Java 6 Update 20

RP149: 8/22/2010 10:00:30 AM - Installed Java 6 Update 20

RP150: 8/23/2010 4:00:02 PM - System Checkpoint

RP151: 8/24/2010 4:22:29 PM - System Checkpoint

RP152: 8/25/2010 7:06:42 PM - System Checkpoint

RP153: 8/31/2010 1:30:33 AM - System Checkpoint

RP154: 9/1/2010 1:52:22 AM - System Checkpoint

RP155: 9/1/2010 1:54:03 PM - Installed DirectX

RP156: 9/1/2010 9:28:17 PM - Removed Java 6 Update 20

RP157: 9/3/2010 4:49:44 AM - System Checkpoint

RP158: 9/4/2010 5:39:38 AM - System Checkpoint

RP159: 9/5/2010 5:58:38 AM - System Checkpoint

RP160: 9/6/2010 6:29:48 AM - System Checkpoint

==== Installed Programs ======================

µTorrent

Acrobat.com

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Reader 9.3.4

ASUS nVidia Driver

Atheros Communications Inc.® L2 Fast Ethernet Driver

avast! Free Antivirus

Brother MFL-Pro Suite

CPL All-in-One

ERUNT 1.1j

Google Update Helper

GoToMeeting 4.5.0.457

HijackThis 2.0.2

Hotfix for Windows XP (KB954708)

Java Auto Updater

Java 6 Update 20

Java SE Runtime Environment 6

Junk Mail filter update

K-Lite Mega Codec Pack 1.69 BETA

LClock

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1 SP1

Microsoft .NET Framework 2.0

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Live Add-in 1.3

Microsoft Office Outlook Connector

Microsoft Office Professional Edition 2003

Microsoft Search Enhancement Pack

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Sync Framework Runtime Native v1.0 (x86)

Microsoft Sync Framework Services Native v1.0 (x86)

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual J# 1.1 Redistributable Package

Microsoft Visual J# 2.0 Redistributable

Microsoft Visual J# 2.0 Redistributable Package

MSVCRT

Nero 7.0.8.2

NVIDIA Drivers

NVIDIA WDM Drivers

PaperPort

PowerDVD

Realtek High Definition Audio Driver

Secunia PSI

Security Update for Microsoft .NET Framework 2.0 (KB917283)

Security Update for Microsoft .NET Framework 2.0 (KB922770)

Segoe UI

Skype Toolbars

Skype™ 4.2

sKz Control Panel Pack

Software Update for Web Folders

VAIOXP

VLC media player 1.1.4

Windows Imaging Component

Windows Internet Explorer 7

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live Mail

Windows Live Messenger

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Sync

Windows Live Toolbar

Windows Live Writer

Windows Media Format 11 runtime

Windows Media Player 11

Windows Sidebar GadgetInstaller

WinRAR archiver

???????????????????? Windows Live

==== Event Viewer Messages From Past Week ========

9/6/2010 1:48:10 PM, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).

9/6/2010 1:48:10 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

9/6/2010 1:48:10 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

9/3/2010 6:55:43 AM, error: HTTP [15005] - Unable to bind to the underlying transport for 0.0.0.0:2869. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine. The data field contains the error number.

9/1/2010 8:29:18 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.

==== End Of File ===========================

________________________________________________________________________________

____________________

Results of screen317's Security Check version 0.99.5

Windows XP Service Pack 2

Out of date service pack!!

Internet Explorer 7 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

avast! Free Antivirus

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 20

Java SE Runtime Environment 6

Out of date Java installed!

Adobe Flash Player

Adobe Reader 9.3.4

````````````````````````````````

Process Check:

objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe

Alwil Software Avast5 avastUI.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


Your logs show uTorrent running and active:

C:\Program Files\uTorrent\uTorrent.exe

I request you Close & de-install it.

I do not recommend the use of peer-to-peer apps since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

P2P file sharing: Know the risks

Step 2

This has MBAM installed. You no longer need the setup file. Use My Computer (Windows Explorer), locate the exe, and delete it:

c:\program files\mbam-setup-1.46.exe <<- this file

Step 3

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Step 4

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    :processes
    :files
    recycler /alldrives
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]
    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 5

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner sub-tab. Make sure all option lines have a checkmark.

Next, click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 6

Go to Control Panel >> Add-or-Remove Programs.

Look for and remove (uninstall) HijackThis 2.0.2, if found.

Exit Control Panel

Download and SAVE HijackThis

Save the HJT to your desktop or the folder of your choice, then navigate to that folder and double-click Hijackthis.exe to start it.

Do a "Scan and Save log".

Step 7

Reply with copy of the OTL MovedFiles log

the latest MBAM scan log

the new HijackThis log

and tell me, How is the system now?

Do not think that you are done. Once we determine that the system is "cleared", you must go about getting XP Service Pack 3.

That is long overdue. Without it, your system is NO Longer getting updates from Microsoft, and is exposed to potential security risks.

Important notice for users of Windows XP with Service Pack 2 (SP2): The support for your product ended July 13, 2010! To ensure that you will receive all important security updates for Windows you need to upgrade to Windows XP with Service Pack 3 (SP3)

Save this for much later. A reference page at Microsoft on XP SP3 Learn how to install Windows XP Service Pack 3 (SP3)

http://windows.microsoft.com/en-us/windows...vice-pack-3-sp3


Hello, thank you again for your reply.

I have uninstalled uTorrent and have followed the steps you provided.

Log files are pasted below.

The system appears to be running normally now.

I appreciate all the help you are providing!

All processes killed

Error: Unable to interpret <*****************************************************************> in the current context!

========== PROCESSES ==========

========== FILES ==========

C:\RECYCLER\S-1-5-21-606747145-651377827-725345543-500 folder moved successfully.

C:\RECYCLER folder moved successfully.

D:\RECYCLER\S-1-5-21-682003330-1682526488-839522115-500 folder moved successfully.

D:\RECYCLER\S-1-5-21-606747145-651377827-725345543-500 folder moved successfully.

D:\RECYCLER\S-1-5-21-1409082233-776561741-725345543-501 folder moved successfully.

D:\RECYCLER\S-1-5-21-1409082233-776561741-725345543-500 folder moved successfully.

D:\RECYCLER folder moved successfully.

========== REGISTRY ==========

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 588785 bytes

->Temporary Internet Files folder emptied: 20101671 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 2667 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Guest

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 20.00 mb

Restore point Set: OTL Restore Point (0)

[EMPTYFLASH]

User: Administrator

->Flash cache emptied: 0 bytes

User: All Users

User: Default User

->Flash cache emptied: 0 bytes

User: Guest

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

Error: Unable to interpret <*****************************************************************> in the current context!

OTL by OldTimer - Version 3.2.11.0 log created on 09082010_041052

Files\Folders moved on Reboot...

File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

________________________________________________________________________________

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4564

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

9/8/2010 4:56:49 AM

mbam-log-2010-09-08 (04-56-49).txt

Scan type: Quick scan

Objects scanned: 140911

Time elapsed: 4 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\makecab.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TCPLimit.exe (Malware.Tool) -> Quarantined and deleted successfully.

________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 7:35:19 AM, on 9/8/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\VistaDrive\VistaDrive.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\LClock\LClock.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Secunia\PSI\psi.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Windows Live\Toolbar\wltuser.exe

C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe

O4 - HKLM\..\Run: [unlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [LClock] C:\Program Files\LClock\LClock.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1279724130046

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1279724108578

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 9433 bytes

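The OTL fix in the previous reply deletes the CLSID that HijackThis lists as "O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)": a Browser Helper Object registration whose DLL no longer exists. An orphaned registration like that is inert, but it is the kind of entry worth sweeping a HijackThis log for, together with Run values that name a bare file (which Windows resolves by PATH search, so the name alone does not say which file runs), autoruns placed under the service-account hives, and services with no publisher. The Python script below is an added example, not code from this thread or from HijackThis. It applies those rules to an excerpt of the log above; the final O23 line ("Example Updater") is constructed to exercise the "Unknown owner" rule and is not in the posted log.

```python
import re

# Constructed excerpt of the HijackThis log posted in the thread; the last O23
# line is invented to show the "Unknown owner" case and is not from the log.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Example Updater (exupd) - Unknown owner - C:\WINDOWS\system32\exupd.exe
""".strip()

# O2/O3: "<kind> - <label>: <name> - {CLSID} - <dll or (no file)>"
CLSID_RE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# O4: "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (.+?): \[(.*?)\] (.*)$")
# O23: "O23 - Service: <display name> - <vendor> - <image path>"
SVC_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
# SYSTEM, LOCAL SERVICE and NETWORK SERVICE hives
SERVICE_ACCOUNT_HIVE = re.compile(r"^HKUS\\S-1-5-(?:18|19|20)\\")


def first_token(cmd):
    """Return the executable part of a Run value: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(text):
    """Return one finding per HijackThis line that deserves a second look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = CLSID_RE.match(line)
        if m:
            _, name, clsid, path = m.groups()
            if path == "(no file)":
                findings.append({"rule": "orphan-clsid", "line": line,
                                 "note": "%s is registered but its DLL is gone; the key is dead weight" % clsid})
            elif name == "(no name)":
                findings.append({"rule": "unnamed-bho", "line": line,
                                 "note": "BHO with no friendly name; verify the DLL at %s" % path})
            continue
        m = RUN_RE.match(line)
        if m:
            hive, _, cmd = m.groups()
            exe = first_token(cmd)
            if "\\" not in exe and "/" not in exe:
                findings.append({"rule": "bare-filename", "line": line,
                                 "note": "%s is resolved by PATH search; confirm which file actually runs" % exe})
            if SERVICE_ACCOUNT_HIVE.match(hive):
                findings.append({"rule": "service-account-run", "line": line,
                                 "note": "autorun under a service-account hive (%s)" % hive})
            continue
        m = SVC_RE.match(line)
        if m:
            name, vendor, path = m.groups()
            if vendor == "Unknown owner":
                findings.append({"rule": "unknown-owner", "line": line,
                                 "note": "service %s has no publisher information: %s" % (name, path)})
    return findings


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE):
        print("[%s] %s\n    %s" % (f["rule"], f["line"], f["note"]))
```

Run as-is it reports the orphaned 5C255C8A CLSID, the two bare-filename Run values (RTHDCPL.EXE and SkyTel.EXE, both Realtek audio entries on this machine but worth confirming on disk), the CTFMON autorun under the SYSTEM hive and the constructed unknown-owner service. A finding is a prompt to look, not a verdict: the same rules fire on plenty of legitimate entries, which is why the helper asks for the whole log rather than having the user delete things.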

MBAM found and removed a couple of pieces of malware. Let's follow up with a run of Combofix. Read all of the instructions first. Print this as needed or save the directions to Notepad.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system, how much there is to scan and how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

RE-Enable your AntiVirus and AntiSpyware applications.


Hello, thank you again for your help.

I followed the steps and ran Combo-Fix, disabled my antivirus and followed the prompts to download Microsoft Windows Recovery Console.

However, after 50 stages I received a blue screen error with a prompt to reboot.

Upon reboot there was a message that my computer recovered from a serious error. I copied the error report but am unable to paste it in this post.

The error reads...

Error Signature:

BCCode: 24 BCP1 : 001902FE BCP2 : F7C62AB4 BCP3 : F7C627B0

BP4 : F75D3198 OSVer : 5_1_2600 SP : 2_0 Product: 256_1

When I click on view technical information about the report...

The following files will be included in the report:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER93d2.dir00\Mini071910-01.dmp

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER93d2.dir00\Sysdata.xml

The Combofix.txt reads...

ComboFix 10-09-08.01 - Administrator 09/09/2010 2:36:49.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.874.1.1033.18.1023.509 [GMT 7:00]

Running from: C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

* Created a new restore point


See this article at Microsoft Knowledge Base

"You receive a "System Has Recovered from a Serious Error" message after every restart"

Do the section titled "Workaround".

Then, Go into your Control Panel | Performance and Maintenance | System icon | System properties | "Advanced" TAB | in the "Startup and Recovery"

section....click the "settings" button. "Un-check" the "automatically restart" line.

And in the "Write debugging information" select "NONE". This turns off the error "dumps".

(That's a suggestion; most people won't need them.) Apply the change and exit cleanly.

The message you got "System Has Recovered from a Serious Error" is Windows' way of saying

"Hey, this system just had an abnormal termination" and "I want to initiate a memory dump and to see if you want to send a report".

No, I do not need the minidump or that error report.

Let's continue the malware hunt. Let's do a check to see IF there is a hint of a rootkit, and then run a virus/malware scan:

Step 1

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

Step 2

Download Dr.Web CureIt to the desktop.

  • Double-click the drweb-cureit.exe file, then click Start and allow the express scan to run.
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the icon next to the files found.
  • If so, click it, then click the icon right below it and select Move incurable.
  • This will move the file to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Re-enable your antivirus program.

Reply with copy of the GMER log

and the Dr Web Cure-It log


Hello,

I followed the instructions in the Microsoft Knowledge Base article up through step...

6. For Paging file size for selected drive, click No Paging File, and then click Set.

After that, the instructions did not seem to match the options on my system. Maybe because I am using Service Pack 2?

I did make your suggested changes in the Control Panel/System icon.

I have pasted the GMER and Dr. Web CureIt results below.

Thank you again for your help!

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-09-10 10:58:37

Windows 5.1.2600 Service Pack 2

Running: q6flp8qy.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xF383BCF0]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xF383BBAC]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xF383C160]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xF383C08A]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xF383B782]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xF383BC86]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xF383B6C2]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xF383B726]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xF383BDA6]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xF383C22E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xF383BD66]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xF383BEE6]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6FCC360, 0x372FAD, 0xE8000020]

pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xBA64AF00, 0x24000, 0x48000000]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[612] SHELL32.dll!SHFileOperationW 7CA70488 5 Bytes JMP 01131102 C:\Program Files\Unlocker\UnlockerHook.dll

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1452] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[736] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002

IAT C:\WINDOWS\system32\services.exe[736] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo

Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FriendlyName Indeo® video 5.10 Compression Filter

Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}

Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FilterData 0x02 0x00 0x00 0x00 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@EncoderType 1

---- EOF - GMER 1.0.15 ----

Contents of DrWeb.csv...

RemoveWGA.exe;D:\;Tool.RemoveWGA;Moved.;

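Reading the GMER output above the way the helper does: every SSDT entry is attributed to aswSP.SYS (avast's self-protection driver), the inline hook in Explorer.EXE to UnlockerHook.dll, while the two IAT entries in services.exe and the 4-byte patch in AvastSvc.exe carry no module name at all. The useful first pass on any GMER log is therefore to group hooks by the module GMER attributes them to and list the ones it could not attribute: an attributed hook is usually a security product or a shell extension, an unattributed one is what a kernel rootkit looks like, and also what some legitimate products look like, which is exactly the false-positive caution in the instructions. The Python script below is an added example, not part of this thread or of GMER. It parses an excerpt of the log above plus one constructed line ("SSDT 8A3E1F20 ZwTerminateProcess", an assumption about the shape GMER uses when a hook points at an address no loaded module claims) so that the unattributed kernel case is exercised.

```python
import re
from collections import namedtuple

# Constructed excerpt of the GMER log posted in the thread. The fourth SSDT line
# is invented (hook at a bare address, no module) and is not from the posted log.
GMER_SAMPLE = r"""
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xF383BCF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xF383B6C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xF383BEE6]
SSDT 8A3E1F20 ZwTerminateProcess
.text C:\WINDOWS\Explorer.EXE[612] SHELL32.dll!SHFileOperationW 7CA70488 5 Bytes JMP 01131102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1452] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
IAT C:\WINDOWS\system32\services.exe[736] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002
IAT C:\WINDOWS\system32\services.exe[736] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000
""".strip()

Hook = namedtuple("Hook", "kind process symbol owner")

# "SSDT <driver path or bare address> [(description/vendor)] Zw* [0xADDR]"
SSDT_RE = re.compile(r"^SSDT\s+(?P<where>.+?)\s+(?P<sym>(?:Zw|Nt)\w+)(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$")
# ".text <process>[pid] <module>!<export> <addr> <n> Bytes <patch description>"
TEXT_RE = re.compile(r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<sym>\S+!\S+)\s+[0-9A-Fa-f]+\s+\d+ Bytes\s+(?P<tail>.*)$")
# "IAT <process>[pid] @ <module> [<import module>!<import>] <addr> [<owner>]"
IAT_RE = re.compile(r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+.+?\s+\[(?P<sym>\S+!\S+)\]\s+[0-9A-Fa-f]+(?:\s+(?P<tail>.*))?$")
# A module path at the end of a patch description, e.g. "JMP 01131102 C:\...\UnlockerHook.dll"
MODULE_PATH_RE = re.compile(r"((?:[A-Za-z]:\\|\\)\S.*\.(?:dll|sys|exe))\s*$", re.I)
BARE_ADDRESS_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def ssdt_owner(where):
    """Driver path GMER names for an SSDT hook, or None when it printed only an address."""
    first = where.split(None, 1)[0]
    return None if BARE_ADDRESS_RE.match(first) else first


def tail_owner(tail):
    """Module path at the end of a user-mode hook description, or None if there is none."""
    m = MODULE_PATH_RE.search(tail or "")
    return m.group(1) if m else None


def parse_gmer(text):
    """Turn the hook lines of a GMER log into Hook records; other lines are ignored."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks.append(Hook("SSDT", "kernel", m.group("sym"), ssdt_owner(m.group("where"))))
            continue
        m = TEXT_RE.match(line)
        if m:
            hooks.append(Hook("inline", m.group("proc"), m.group("sym"), tail_owner(m.group("tail"))))
            continue
        m = IAT_RE.match(line)
        if m:
            hooks.append(Hook("IAT", m.group("proc"), m.group("sym"), tail_owner(m.group("tail"))))
    return hooks


def summarize(hooks):
    """Count hooks per owning module (by file name) and collect those with no owner."""
    by_owner = {}
    unattributed = []
    for h in hooks:
        if h.owner is None:
            unattributed.append(h)
        else:
            name = h.owner.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            by_owner[name] = by_owner.get(name, 0) + 1
    return by_owner, unattributed


if __name__ == "__main__":
    owners, unknown = summarize(parse_gmer(GMER_SAMPLE))
    for name, count in sorted(owners.items()):
        print("%-20s %d hook(s)" % (name, count))
    for h in unknown:
        print("UNATTRIBUTED %-6s %s in %s" % (h.kind, h.symbol, h.process))
```

On the sample this prints three hooks for aswsp.sys, one for unlockerhook.dll, and four unattributed entries. The constructed ZwTerminateProcess line is the shape that would justify the "<--- ROOTKIT" caution; the three real ones (the exception-filter patch inside avast's own service and the CreateProcess IAT entries in services.exe) sit in processes where avast is known to inject, which is why the log is sent to the helper rather than acted on directly.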

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and extract their contents to C:\DCE
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista


Hello,

Below is the sysclean.log content.

Thank you again for your help!

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2009-2010, Trend Micro, Inc. |

| http://www.trendmicro.com |

\--------------------------------------------------------------/

2010-09-12, 18:17:02, Auto-clean mode specified.

2010-09-12, 18:17:02, Initialized Rootkit Driver version 2.2.0.1004.

2010-09-12, 18:17:02, Running scanner "C:\Temp DCE\TSC.BIN"...

2010-09-12, 18:17:16, Scanner "C:\Temp DCE\TSC.BIN" has finished running.

2010-09-12, 18:17:16, TSC Log:

Damage Cleanup Engine (DCE) 6.2 (Build 1016) (RCM: 2.2.0-1004)

Windows XP (Build 2600: Service Pack 2)

Start time: Sun Sep 12 2010 18:17:03

Load Damage Cleanup Template (DCT) "C:\Temp DCE\TMRDCT.ptn" (version) [fail]

Load Damage Cleanup Template (DCT) "C:\Temp DCE\tsc.ptn" (version 1092) [success]

Complete time: Sun Sep 12 2010 18:17:16

Execute pattern count (3051), Virus found count (0), Virus clean count (0), Clean failed count (0)

2010-09-12, 18:17:16, Running scanner "C:\Temp DCE\VSCANTM.BIN"...

2010-09-12, 18:38:20, Scanner "C:\Temp DCE\VSCANTM.BIN" has finished running.

2010-09-12, 18:38:20, VSCANTM Log:

2010-09-12, 18:38:20, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/12/2010 18:17:16

VSAPI Engine Version : 9.120-1004

VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 457 (536557/536557 Patterns) (2010/09/11) (745700)

Command Line: C:\Temp DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\Temp DCE\lpt$vpn.457

29860 files have been read.

29860 files have been checked.

29798 files have been scanned.

95807 files have been scanned. (including files in archived)

0 files containing viruses.

Found 0 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/12/2010 18:38:20 21 minutes 3 seconds (1262.75 seconds) has elapsed.(42.289 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2010-09-12, 18:38:20, Files Clean:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/12/2010 18:17:16

VSAPI Engine Version : 9.120-1004

VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 457 (536557/536557 Patterns) (2010/09/11) (745700)

Command Line: C:\Temp DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\Temp DCE\lpt$vpn.457

29860 files have been read.

29860 files have been checked.

29798 files have been scanned.

95807 files have been scanned. (including files in archived)

0 files containing viruses.

Found 0 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/12/2010 18:38:20 21 minutes 3 seconds (1262.75 seconds) has elapsed.(42.289 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2010-09-12, 18:38:20, Clean Fail:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/12/2010 18:17:16

VSAPI Engine Version : 9.120-1004

VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 457 (536557/536557 Patterns) (2010/09/11) (745700)

Command Line: C:\Temp DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\Temp DCE\lpt$vpn.457

29860 files have been read.

29860 files have been checked.

29798 files have been scanned.

95807 files have been scanned. (including files in archived)

0 files containing viruses.

Found 0 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/12/2010 18:38:20 21 minutes 3 seconds (1262.75 seconds) has elapsed.(42.289 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2010-09-12, 18:38:20, Running scanner "C:\Temp DCE\VSCANTM.BIN"...

2010-09-12, 18:42:20, Scanner "C:\Temp DCE\VSCANTM.BIN" has finished running.

2010-09-12, 18:42:20, VSCANTM Log:

2010-09-12, 18:42:20, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/12/2010 18:38:20

VSAPI Engine Version : 9.120-1004

VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 457 (536557/536557 Patterns) (2010/09/11) (745700)

Command Line: C:\Temp DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\Temp DCE\lpt$vpn.457

2542 files have been read.

2542 files have been checked.

2517 files have been scanned.

13691 files have been scanned. (including files in archived)

0 files containing viruses.

Found 0 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/12/2010 18:42:20 3 minutes 59 seconds (238.59 seconds) has elapsed.(93.861 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2010-09-12, 18:42:20, Files Clean:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/12/2010 18:38:20

VSAPI Engine Version : 9.120-1004

VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 457 (536557/536557 Patterns) (2010/09/11) (745700)

Command Line: C:\Temp DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\Temp DCE\lpt$vpn.457

2542 files have been read.

2542 files have been checked.

2517 files have been scanned.

13691 files have been scanned. (including files in archived)

0 files containing viruses.

Found 0 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/12/2010 18:42:20 3 minutes 59 seconds (238.59 seconds) has elapsed.(93.861 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2010-09-12, 18:42:20, Clean Fail:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/12/2010 18:38:20

VSAPI Engine Version : 9.120-1004

VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 457 (536557/536557 Patterns) (2010/09/11) (745700)

Command Line: C:\Temp DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\Temp DCE\lpt$vpn.457

2542 files have been read.

2542 files have been checked.

2517 files have been scanned.

13691 files have been scanned. (including files in archived)

0 files containing viruses.

Found 0 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/12/2010 18:42:20 3 minutes 59 seconds (238.59 seconds) has elapsed.(93.861 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2010-09-12, 18:42:20, Running SSAPI scanner ""...

2010-09-12, 18:49:35, SSAPI Log:

SSAPI Scanner Version: 1.0.1003

SSAPI Engine Version: 5.2.1032

SSAPI Pattern Version: 7.01

SSAPI Anti-Rootkit Version: 2.2.0.1004

Spyware Scan Started: 09/12/2010 18:42:20

Detected: 0 items.

Spyware Scan Ended: 09/12/2010 18:49:35

Scan Complete. Time=435.115479.


We're ready to wrap this up. You are good to go after the following.

Sysclean found no viruses. Very good result.

After the cleanups below, your next major goal should be to get and apply Windows XP Service Pack 3.

Otherwise, this system will not be getting any Windows updates from Microsoft, thus putting this sys at risk.

See Windows XP Service Pack 3 (SP3): Installation Guide

also Windows Xp Service Pack 3 (sp3) Information

http://www.bleepingcomputer.com/forums/topic146857.html

Hard disk space requirements for Windows XP Service Pack 3

http://support.microsoft.com/kb/947311/

Support for WinXP (x86) SP2 ends on 13 July 2010. After that date, computers running WinXP (x86) SP2 "will no longer receive software updates from Windows Update" (i.e., Automatic Updates will not work and Windows Update website will not be accessible) until SP3 has been installed. Extended Support for WinXP SP3 will continue through 08 April 2014.

  • What does it mean if my version of Windows is no longer supported?
http://windows.microsoft.com/en-us/windows...of-support-meam

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below.

The "/uninstall" in the Run line below is to start Combofix for its cleanup & removal function.

Note the space after exe and before the slash mark.

The utility must be removed to prevent any unintentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run. Then type in
    CMD

    and press Enter-key.
    This will open a command-prompt window.
    In the command box that opens, type or copy/paste
    C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe /uninstall
    and then click OK.

  • Please double-click OTL.exe to run it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

We are finished here. Best regards.


Thank you for all of your help clearing the problems as well as the suggestions/links!

I followed the clean-up steps and removed Combo-Fix, OTL, Dr Web Cure-It and Sysclean and associated files.

Should I do the same for the other programs used (FixPolicies, TFC by OldTimer, HiJackThis, GMER and ERUNT)?

Thanks again!


Delete Gmer.zip or Gmer.exe if still present.

You may if you wish de-install HijackThis. Your option.

TFC Temp file cleaner is very useful and you may keep it. Use it on some regular basis to flush temporary files.

ERUNT is a handy program to backup the registry. It will provide an added measure of backup. More important is to do frequent regular backups.

Fixpolicies you may delete if you wish. It is not by any means harmful.

You are very welcome. Stay safe.

I am closing this topic. Anyone else having issues, please create your own topic.

The procedures used here are strictly for this system, and no other.
