andyrt

Hijack.FolderOptions

Good Morning. I was infected from a website trying to download music. I was able to use Malware to remove everything except Hijack.FolderOptions

Is this the log you need?

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4890

Windows 5.0.2195 Service Pack 4

Internet Explorer 6.0.2800.1106

10/28/2010 7:48:43 AM

mbam-log-2010-10-28 (07-48-43).txt

Scan type: Quick scan

Objects scanned: 139052

Time elapsed: 18 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

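One detail in the log above that a practitioner would flag: `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions` is the Explorer Group Policy restriction that removes Folder Options from the Tools menu and Control Panel, which is the dialog used to un-hide hidden files and file extensions; malware sets it to keep its own files out of sight. The action MBAM reports for it is "Delete on reboot", meaning the value was only scheduled for removal and is still present until the machine restarts. The following is an added example, my code rather than the poster's or Malwarebytes', that parses the MBAM 1.x log format, cross-checks the summary counts against the items actually listed, separates what was quarantined from what was merely deferred, and reports targets deferred in two consecutive scans (the same value shows "Delete on reboot" in both logs posted in this thread). The two embedded logs are abbreviated copies of the morning and evening scans from this thread; the evening excerpt keeps two of the six Trojan.Dropper files and its Files count is adjusted to match.

```python
"""Parse MBAM 1.x text logs and compare two scans (added example, not MBAM code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTIONS = ("Memory Processes", "Memory Modules", "Registry Keys",
            "Registry Values", "Registry Data Items", "Folders", "Files")
# "Registry Values Infected: 1" is a summary line; the same heading with no
# number opens the detail section that lists the items themselves.
SECTION_RE = re.compile(r"^(%s) Infected:(?:\s+(\d+))?$" % "|".join(SECTIONS))

# Abbreviated copy of the 07:48 scan posted in this thread.
SCAN_0748 = r"""
Malwarebytes' Anti-Malware 1.46
Database version: 4890
Registry Values Infected: 1
Files Infected: 0
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
Files Infected:
(No malicious items detected)
"""

# Abbreviated copy of the 19:36 scan: two of the six files kept, count adjusted.
SCAN_1936 = r"""
Database version: 4980
Registry Values Infected: 1
Files Infected: 2
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
Files Infected:
C:\Documents and Settings\-\Local Settings\Temp\xemnowracs.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\-\Local Settings\Temporary Internet Files\Content.IE5\EF4FPUVU\complmgr[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""


@dataclass(frozen=True)
class Detection:
    section: str
    target: str   # registry value, file or folder path
    name: str     # MBAM detection name, e.g. Hijack.FolderOptions
    action: str   # what MBAM did or scheduled, e.g. "Delete on reboot"


def _parse_item(section: str, line: str):
    """Item lines read '<target> (<name>) -> <action>.'  Split on the last
    ' (' before ' -> ' because a path may itself contain parentheses."""
    if " -> " not in line:
        return None
    left, action = line.rsplit(" -> ", 1)
    if not left.endswith(")") or " (" not in left:
        return None
    target, name = left[:-1].rsplit(" (", 1)
    return Detection(section, target, name, action.rstrip(".").strip())


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Return (summary counts by section, detections from the detail sections)."""
    counts: Dict[str, int] = {}
    detections: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group(2) is not None:
                counts[m.group(1)] = int(m.group(2))
                section = None
            else:
                section = m.group(1)
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        item = _parse_item(section, line)
        if item:
            detections.append(item)
    return counts, detections


def count_mismatches(counts, detections) -> Dict[str, Tuple[int, int]]:
    """Sections whose summary count disagrees with the items actually listed."""
    found = {s: 0 for s in SECTIONS}
    for d in detections:
        found[d.section] += 1
    return {s: (n, found[s]) for s, n in counts.items() if n != found[s]}


def not_yet_removed(detections) -> List[Detection]:
    """Items only scheduled for removal (e.g. 'Delete on reboot'): still on
    the machine until it restarts, so re-check them after the reboot."""
    return [d for d in detections if not d.action.startswith("Quarantined")]


def recurring_deferred(first, second) -> List[str]:
    """Targets deferred to reboot in both scans: either no reboot happened in
    between, or something still active re-creates the item.  In this thread
    TDSSKiller later found a TDL4 MBR rootkit, an obvious candidate."""
    a = {d.target.lower() for d in not_yet_removed(first)}
    b = {d.target.lower() for d in not_yet_removed(second)}
    return sorted(a & b)


if __name__ == "__main__":
    _, d1 = parse_mbam_log(SCAN_0748)
    _, d2 = parse_mbam_log(SCAN_1936)
    for t in recurring_deferred(d1, d2):
        print("deferred in both scans:", t)
```

Running it on the two excerpts prints the NoFolderOptions value as deferred in both scans. A count mismatch from `count_mismatches` would mean the log was truncated or edited before posting, which is worth knowing before reasoning about it.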

Welcome to the forum.

Your database for MBAM is a little out of date, please update MBAM and run a quick scan.

Post the results back here.

What is your operating system? XP, Vista, W7, 32 or 64 bit?

MrC


Thanks for your response.

Windows 2000.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4980

Windows 5.0.2195 Service Pack 4

Internet Explorer 6.0.2800.1106

10/28/2010 7:36:21 PM

mbam-log-2010-10-28 (19-36-21).txt

Scan type: Quick scan

Objects scanned: 139715

Time elapsed: 18 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\-\Local Settings\Temp\xemnowracs.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\-\Local Settings\Temp\tmp_1344792176.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\-\Local Settings\Temp\tmp_1928952094.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\-\Local Settings\Temp\tmp_2030023530.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\-\Local Settings\Temp\tmp_2123996480.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\-\Local Settings\Temporary Internet Files\Content.IE5\EF4FPUVU\complmgr[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.


Let's look a little closer at the system.

Download TDSSKiller to your Desktop.

Double-click on TDSSKiller.exe to run the application, then click on Start Scan.

Don't Change These Settings:

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

You may be asked to reboot the computer to complete the process. Click on Reboot Now.

To view the report:

Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.

---------------------------------------------------

Next:

Please download and run ComboFix:

A few notes first:

  • ComboFix is compatible exclusively with W2K, XP, Vista, and Windows 7 (32-bit only).
  • ComboFix must be run from an Administrative account.
  • Vista and W7 users - Right click, choose "Run as Administrator"
  • It must be downloaded to and run from your desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can and will interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    ComboFix Guide <---please read!

---------------------------

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable/exit. More info HERE<-------
    They may interfere with the running of ComboFix.
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. ComboFix permanently prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks

and Please disable Autorun ASAP!

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If a reboot doesn't restore your connection, please try this:

Check HERE

For XP systems download and run WinSockFix

Vista users: Check HERE

Windows 7 systems: Download and run this Winsockfix.bat

5. Give ComboFix at least 20-30 minutes to finish if needed.

MrC


Thanks for your help.

====

2010/10/29 06:37:57.0062 TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49

2010/10/29 06:37:57.0062 ================================================================================

2010/10/29 06:37:57.0062 SystemInfo:

2010/10/29 06:37:57.0062

2010/10/29 06:37:57.0062 OS Version: 5.0.2195 ServicePack: 4.0

2010/10/29 06:37:57.0062 Product type: Workstation

2010/10/29 06:37:57.0062 ComputerName: LIVING

2010/10/29 06:37:57.0062 UserName: -

2010/10/29 06:37:57.0062 Windows directory: C:\WINNT

2010/10/29 06:37:57.0062 System windows directory: C:\WINNT

2010/10/29 06:37:57.0062 Processor architecture: Intel x86

2010/10/29 06:37:57.0062 Number of processors: 1

2010/10/29 06:37:57.0062 Page size: 0x1000

2010/10/29 06:37:57.0062 Boot type: Normal boot

2010/10/29 06:37:57.0062 ================================================================================

2010/10/29 06:37:57.0375 Initialize success

2010/10/29 06:38:29.0734 ================================================================================

2010/10/29 06:38:29.0734 Scan started

2010/10/29 06:38:29.0734 Mode: Manual;

2010/10/29 06:38:29.0734 ================================================================================

2010/10/29 06:38:30.0437 Suspicious service (Hidden): $sys$aries

2010/10/29 06:38:30.0968 $sys$aries (208c7a129f33e19bcfdec880616eb032) C:\WINNT\system32\$sys$filesystem\aries.sys

2010/10/29 06:38:31.0015 $sys$aries - detected Hidden service (1)

2010/10/29 06:38:31.0031 Suspicious service (Hidden): $sys$cor

2010/10/29 06:38:31.0812 $sys$cor (8c9e54f722b08148fed49fbd3edd615b) C:\WINNT\system32\Drivers\$sys$cor.sys

2010/10/29 06:38:31.0812 Suspicious file (NoAccess): C:\WINNT\system32\Drivers\$sys$cor.sys. md5: 8c9e54f722b08148fed49fbd3edd615b

2010/10/29 06:38:31.0812 Suspicious file (Hidden): C:\WINNT\system32\Drivers\$sys$cor.sys. md5: 8c9e54f722b08148fed49fbd3edd615b

2010/10/29 06:38:31.0859 $sys$cor - detected Hidden service (1)

2010/10/29 06:38:31.0875 Suspicious service (Hidden): $sys$crater

2010/10/29 06:38:32.0390 $sys$crater (93db3a3e09ab5dca68e2f2dca92f64c3) C:\WINNT\system32\$sys$filesystem\crater.sys

2010/10/29 06:38:32.0421 $sys$crater - detected Hidden service (1)

2010/10/29 06:38:32.0437 Suspicious service (Hidden): $sys$DRMServer

2010/10/29 06:38:33.0000 aaudstum (417d1880da61f437d12faf401119daa7) C:\DOCUME~1\-\LOCALS~1\Temp\aaudstum.sys

2010/10/29 06:38:34.0781 ACPI (083049d5dc3f32d17c2edfb732c78a09) C:\WINNT\system32\DRIVERS\ACPI.sys

2010/10/29 06:38:35.0359 ACPIEC (4b10b4db777ee2ef8e755e7f3d7c4fe8) C:\WINNT\system32\drivers\ACPIEC.sys

2010/10/29 06:38:36.0531 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINNT\system32\drivers\aeaudio.sys

2010/10/29 06:38:37.0156 AegisP (dcee132d2f76c47b209edd8e6b588608) C:\WINNT\system32\DRIVERS\AegisP.sys

2010/10/29 06:38:37.0750 AFD (320cac00366bb4d5684b46928cee5adf) C:\WINNT\System32\drivers\afd.sys

2010/10/29 06:38:38.0359 agp440 (cddb71a90077c93bea5c72507f0b1394) C:\WINNT\system32\DRIVERS\agp440.sys

2010/10/29 06:38:41.0218 ALABULK (8fd5d5b76f438d1999faa0066e9bf057) C:\WINNT\system32\Drivers\ALABULK2.sys

2010/10/29 06:38:44.0625 AsyncMac (5d3d77c9eb3a8e6a14cc8e1252b6cc5c) C:\WINNT\system32\DRIVERS\asyncmac.sys

2010/10/29 06:38:45.0218 atapi (8c718aa8c77041b3285d55a0ce980867) C:\WINNT\system32\DRIVERS\atapi.sys

2010/10/29 06:38:46.0390 ati2mtaa (ae351b6228107243f69f6e9490d54b5c) C:\WINNT\system32\DRIVERS\ati2mtaa.sys

2010/10/29 06:38:46.0984 Atmarpc (3e348b3313ea633d45caf59da0d631ba) C:\WINNT\system32\DRIVERS\atmarpc.sys

2010/10/29 06:38:47.0593 audstub (39d57104a45270f0d376e9ddb484ebbd) C:\WINNT\system32\DRIVERS\audstub.sys

2010/10/29 06:38:48.0296 BCM42RLY (438179abe9b7a922a21b8d6369ff52ff) C:\WINNT\System32\BCM42RLY.SYS

2010/10/29 06:38:48.0937 Beep (df012c2853281ce2bf536e8de871c8c1) C:\WINNT\system32\drivers\Beep.sys

2010/10/29 06:38:49.0625 BrPar (4a26f3d9d8a3383b236ad5989ab8e8e5) C:\WINNT\System32\drivers\BrPar.sys

2010/10/29 06:38:50.0218 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINNT\system32\DRIVERS\BrScnUsb.sys

2010/10/29 06:38:51.0375 CCDECODE (1478e6a09512235b9e119d2920477021) C:\WINNT\system32\DRIVERS\CCDECODE.sys

2010/10/29 06:38:52.0515 Cdaudio (b101e013d810d6125e17125e324fcd2c) C:\WINNT\system32\drivers\Cdaudio.sys

2010/10/29 06:38:53.0140 Cdfs (378bbf444d7232e74c74dfae04d4ded0) C:\WINNT\system32\drivers\Cdfs.sys

2010/10/29 06:38:53.0734 Cdr4_2K (50f612f80948a01e93a028dd9cb98982) C:\WINNT\system32\drivers\Cdr4_2K.sys

2010/10/29 06:38:54.0312 Cdralw2k (579da2f9f5401f55dae2cf8779d61dfc) C:\WINNT\system32\drivers\Cdralw2k.sys

2010/10/29 06:38:54.0875 Cdrom (4b86a90a7f0095d514d22a9083826488) C:\WINNT\system32\DRIVERS\cdrom.sys

2010/10/29 06:38:59.0453 Disk (322b9a3774dbf119f6635a476b0eb058) C:\WINNT\system32\DRIVERS\disk.sys

2010/10/29 06:39:00.0046 Diskperf (fd94497dd145b3920f5c393eab50ee3a) C:\WINNT\system32\drivers\Diskperf.sys

2010/10/29 06:39:00.0703 dmboot (0b91c63540682bc3c826fc6d8b3ecb7b) C:\WINNT\system32\drivers\dmboot.sys

2010/10/29 06:39:01.0312 dmio (6b35bfdbdbc247113852f18bf0f10e3c) C:\WINNT\system32\drivers\dmio.sys

2010/10/29 06:39:01.0937 dmload (3f1701ffa97ab012685abc8a2d6fce22) C:\WINNT\system32\drivers\dmload.sys

2010/10/29 06:39:02.0562 DMusic (3431984234b5988d4c09f043cf4cd779) C:\WINNT\system32\drivers\DMusic.sys

2010/10/29 06:39:03.0203 EFS (b2916926428c0410fc1a26da0b650e41) C:\WINNT\system32\drivers\EFS.sys

2010/10/29 06:39:03.0812 EL90BC (42b84a53ae478073dbe6bfdbe683df96) C:\WINNT\system32\DRIVERS\el90xbc5.sys

2010/10/29 06:39:04.0406 Fastfat (556a224f0bd4b0221fa08feca793cd05) C:\WINNT\system32\drivers\Fastfat.sys

2010/10/29 06:39:05.0562 Fdc (233e2c4dae9c84cef241f0ea30619629) C:\WINNT\system32\DRIVERS\fdc.sys

2010/10/29 06:39:06.0187 Fips (b27a36d4725a362a13d0c52ad6c7175b) C:\WINNT\system32\drivers\Fips.sys

2010/10/29 06:39:07.0921 Flpydisk (6ca845333da54f27a8657be7ee0b600d) C:\WINNT\system32\DRIVERS\flpydisk.sys

2010/10/29 06:39:08.0515 Fs_Rec (405f231ad65c03dac70992a2aba759a5) C:\WINNT\system32\drivers\Fs_Rec.sys

2010/10/29 06:39:09.0109 Ftdisk (9b73c6887c9e7aecaaca2a71363548e9) C:\WINNT\system32\DRIVERS\ftdisk.sys

2010/10/29 06:39:09.0734 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINNT\system32\Drivers\GEARAspiWDM.sys

2010/10/29 06:39:10.0328 Gpc (6667d07854a3ae7715d22b82761cf0e7) C:\WINNT\system32\DRIVERS\msgpc.sys

2010/10/29 06:39:10.0953 GTNDIS5 (fc80052194d5708254a346568f0e77c0) C:\WINNT\system32\GTNDIS5.SYS

2010/10/29 06:39:11.0562 hidusb (ff2ca3c8d0193800e4fa510ffde0960e) C:\WINNT\system32\DRIVERS\hidusb.sys

2010/10/29 06:39:12.0187 ichaud (890e66a62ebab5fe7aab940abf5b25b6) C:\WINNT\system32\drivers\ichaud.sys

2010/10/29 06:39:13.0921 IpFilterDriver (09a604211e2b2334fc023a41337e3165) C:\WINNT\system32\DRIVERS\ipfltdrv.sys

2010/10/29 06:39:14.0531 IpInIp (dbc1437b56eea1af02cd39c011904491) C:\WINNT\system32\DRIVERS\ipinip.sys

2010/10/29 06:39:15.0140 IpNat (3509e9c33281f4343d2da5650039f59d) C:\WINNT\system32\DRIVERS\ipnat.sys

2010/10/29 06:39:15.0765 IPSEC (6bf394c7987fbc91b047eb0a8efb2aa5) C:\WINNT\system32\DRIVERS\ipsec.sys

2010/10/29 06:39:16.0921 IRENUM (7f5315e32be0632f680b30e03a2ca809) C:\WINNT\system32\DRIVERS\irenum.sys

2010/10/29 06:39:17.0578 isapnp (b630369ca276fd208c1b5146920b5f2e) C:\WINNT\system32\DRIVERS\isapnp.sys

2010/10/29 06:39:18.0187 Kbdclass (399055f5c4a98f39b47d26888a72145d) C:\WINNT\system32\DRIVERS\kbdclass.sys

2010/10/29 06:39:18.0796 kbdhid (5afd9413400ffb2b57e9be900a12b160) C:\WINNT\system32\DRIVERS\kbdhid.sys

2010/10/29 06:39:19.0390 kmixer (8e198ec9e823aa42edf45b07efe395ac) C:\WINNT\system32\drivers\kmixer.sys

2010/10/29 06:39:19.0968 KSecDD (74937a7d0c4354c025ba182aca00e41a) C:\WINNT\system32\drivers\KSecDD.sys

2010/10/29 06:39:21.0875 LVcKap (3eb293211b3adfa50c5bd84660c6ef33) C:\WINNT\system32\DRIVERS\LVcKap.sys

2010/10/29 06:39:22.0703 LVMVDrv (f323ba024da94ec7524755a3b3625097) C:\WINNT\system32\DRIVERS\LVMVDrv.sys

2010/10/29 06:39:23.0375 LVPr2Mon (6a5ceed6a3fa358a42654e7876cc81de) C:\WINNT\system32\DRIVERS\LVPr2Mon.sys

2010/10/29 06:39:24.0031 LVUSBSta (259690a8ea2d9164aba9cb80a9c3ddb1) C:\WINNT\system32\DRIVERS\LVUSBSta.sys

2010/10/29 06:39:24.0656 mnmdd (f9a1ccc84d1c8b392d67bf2e661ed334) C:\WINNT\system32\drivers\mnmdd.sys

2010/10/29 06:39:25.0265 Modem (37478d40030b15ca3860509d4f5d39d8) C:\WINNT\system32\drivers\Modem.sys

2010/10/29 06:39:25.0890 Mouclass (8d038dde3f19b88427968e99a6216766) C:\WINNT\system32\DRIVERS\mouclass.sys

2010/10/29 06:39:26.0515 mouhid (80d48f52414f7798432a4764beccbcec) C:\WINNT\system32\DRIVERS\mouhid.sys

2010/10/29 06:39:27.0109 MountMgr (5fe612cea2236543ed416de8554c3047) C:\WINNT\system32\drivers\MountMgr.sys

2010/10/29 06:39:27.0718 MPE (83eff7b976ae24f1a496ca94a8a19919) C:\WINNT\system32\DRIVERS\MPE.sys

2010/10/29 06:39:28.0875 MRxSmb (e0836182d738ebe0e958ee641fdfa597) C:\WINNT\system32\DRIVERS\mrxsmb.sys

2010/10/29 06:39:29.0515 Msfs (8840bc3953d2c0bbb104932cab848a27) C:\WINNT\system32\drivers\Msfs.sys

2010/10/29 06:39:30.0171 MSKSSRV (85736f804191cb420a31aca2a7f0674f) C:\WINNT\system32\drivers\MSKSSRV.sys

2010/10/29 06:39:30.0765 MSPCLOCK (e943adb93d83c5cbc0ca3f53f53b48cc) C:\WINNT\system32\drivers\MSPCLOCK.sys

2010/10/29 06:39:31.0359 MSPQM (bb041315c9930063e5eab0bee90acff6) C:\WINNT\system32\drivers\MSPQM.sys

2010/10/29 06:39:31.0968 MSTEE (d5059366b361f0e1124753447af08aa2) C:\WINNT\system32\drivers\MSTEE.sys

2010/10/29 06:39:32.0578 Mup (73aec5477e873efc74d0dfc37c695b6f) C:\WINNT\system32\drivers\Mup.sys

2010/10/29 06:39:33.0187 NABTSFEC (bb1c45d114b6dab0babf6b2fb0336db2) C:\WINNT\system32\DRIVERS\NABTSFEC.sys

2010/10/29 06:39:34.0343 NDIS (fb4f2d0595bd3546a4dd915e4a9b4809) C:\WINNT\system32\drivers\NDIS.sys

2010/10/29 06:39:34.0968 NdisIP (abd7629cf2796250f315c1dd0b6cf7a0) C:\WINNT\system32\DRIVERS\NdisIP.sys

2010/10/29 06:39:35.0578 NdisTapi (e6f675c75c53887c58b98d6db356b153) C:\WINNT\system32\DRIVERS\ndistapi.sys

2010/10/29 06:39:36.0171 Ndisuio (69ecae880bdac3c288f0508df9cdeef0) C:\WINNT\system32\DRIVERS\ndisuio.sys

2010/10/29 06:39:36.0796 NdisWan (b86a37aa73868343a9eee148fdfce1e0) C:\WINNT\system32\DRIVERS\ndiswan.sys

2010/10/29 06:39:37.0437 NDProxy (1f426863d87bdf75aec76584223cd0c7) C:\WINNT\system32\drivers\NDProxy.sys

2010/10/29 06:39:38.0031 NetBIOS (5151e6020a26bf7bc21c18fd612506bd) C:\WINNT\system32\DRIVERS\netbios.sys

2010/10/29 06:39:38.0625 NetBT (e854473d50e5f7917767a7c10e08e5f8) C:\WINNT\system32\DRIVERS\netbt.sys

2010/10/29 06:39:39.0281 NetDetect (9b2a6147a22f7e696cc7538283de6346) C:\WINNT\system32\drivers\netdtect.sys

2010/10/29 06:39:39.0906 Npfs (e85a77dfcb8f1088f85120ca123ce191) C:\WINNT\system32\drivers\Npfs.sys

2010/10/29 06:39:40.0515 Ntfs (f6ab0e765d5b80443b93c52c42f2602a) C:\WINNT\system32\drivers\Ntfs.sys

2010/10/29 06:39:41.0156 Null (280209cde798720a24d232bf9cfda8e9) C:\WINNT\system32\drivers\Null.sys

2010/10/29 06:39:41.0750 NwlnkFlt (9b0d6fb5c5d6a7571aedb0c1a7a9c1b6) C:\WINNT\system32\DRIVERS\nwlnkflt.sys

2010/10/29 06:39:42.0328 NwlnkFwd (09fa39e4812fdd042834650df09675a0) C:\WINNT\system32\DRIVERS\nwlnkfwd.sys

2010/10/29 06:39:43.0000 Parallel (ea27799907eabdb66d2d56af68cd4f06) C:\WINNT\system32\DRIVERS\parallel.sys

2010/10/29 06:39:43.0593 Parport (69b713583d6e063ac487e2da30c04289) C:\WINNT\system32\DRIVERS\parport.sys

2010/10/29 06:39:44.0187 PartMgr (f9e922dbe9f3719ce8376cc7ed18cb8d) C:\WINNT\system32\drivers\PartMgr.sys

2010/10/29 06:39:44.0796 ParVdm (888f6a6ad5810f5828de594e17fe8f3b) C:\WINNT\system32\drivers\ParVdm.sys

2010/10/29 06:39:45.0375 PCI (f0791b1f424f8d84a81d9ae6cfadf089) C:\WINNT\system32\DRIVERS\pci.sys

2010/10/29 06:39:46.0546 PCIIde (7d0bcb325d29d15024d6a572044e410b) C:\WINNT\system32\DRIVERS\pciide.sys

2010/10/29 06:39:47.0125 Pcmcia (b737c89d439b771d92d7c5e8b8d3917c) C:\WINNT\system32\drivers\Pcmcia.sys

2010/10/29 06:39:47.0734 pepifilter (c7c8310572eaee3b55ae1af150089c9b) C:\WINNT\system32\DRIVERS\lv302af.sys

2010/10/29 06:39:48.0406 PID_PEPI (108fa5084016074ba50856aac1f2bcc9) C:\WINNT\system32\DRIVERS\LV302V32.SYS

2010/10/29 06:39:49.0078 PptpMiniport (0e0212bbbf15800f1536cbfa157dddd6) C:\WINNT\system32\DRIVERS\raspptp.sys

2010/10/29 06:39:49.0703 Ptilink (b78775f217255f786c2e8dbe4334e413) C:\WINNT\system32\DRIVERS\ptilink.sys

2010/10/29 06:39:50.0328 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINNT\system32\Drivers\PxHelp20.sys

2010/10/29 06:39:53.0156 RasAcd (63051b814e005dc62c7a0971668c52b4) C:\WINNT\system32\DRIVERS\rasacd.sys

2010/10/29 06:39:53.0765 Rasl2tp (ec6037c594f20adedea65f0d809493d2) C:\WINNT\system32\DRIVERS\rasl2tp.sys

2010/10/29 06:39:54.0375 Raspti (cb09a98e97e52c389ab17b1e003c9566) C:\WINNT\system32\DRIVERS\raspti.sys

2010/10/29 06:39:54.0968 RCA (afce1f733a6aa3a90ac60794dfb26104) C:\WINNT\system32\drivers\RCA.sys

2010/10/29 06:39:55.0562 Rdbss (d3cb7a695a43a287979c03db94227d05) C:\WINNT\system32\DRIVERS\rdbss.sys

2010/10/29 06:39:56.0156 redbook (b5120cb5081865b0c7d93c305c7da939) C:\WINNT\system32\DRIVERS\redbook.sys

2010/10/29 06:39:56.0859 RT61 (581e74880aeb1dba1cb5ac8e6e6c0a69) C:\WINNT\system32\DRIVERS\RT61.sys

2010/10/29 06:39:57.0046 SASDIFSV (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

2010/10/29 06:39:57.0109 SASENUM (a22f08c98ac2f44587bf3a1fb52bf8cd) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS

2010/10/29 06:39:57.0171 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

2010/10/29 06:39:57.0906 serenum (6db5fdf67486679da3149ef212374861) C:\WINNT\system32\DRIVERS\serenum.sys

2010/10/29 06:39:58.0500 Serial (80f28698f48e298d278057f23206133b) C:\WINNT\system32\DRIVERS\serial.sys

2010/10/29 06:39:59.0109 Sfloppy (96b8aae4f799e81a23aeda935e14f768) C:\WINNT\system32\drivers\Sfloppy.sys

2010/10/29 06:40:00.0859 SLIP (92723fbdd30771c293fe5ed266a31ca6) C:\WINNT\system32\DRIVERS\SLIP.sys

2010/10/29 06:40:01.0468 smwdm (12d9287937366bf1c9ad7007b5407deb) C:\WINNT\system32\drivers\smwdm.sys

2010/10/29 06:40:02.0093 SONYPVM1 (795f7f5896a1196b9471099b900d314e) C:\WINNT\system32\DRIVERS\SONYPVM1.SYS

2010/10/29 06:40:02.0687 SONYPVU1 (bdd4c4a0be16413a87dd7de6ccaf6f44) C:\WINNT\system32\DRIVERS\SONYPVU1.SYS

2010/10/29 06:40:03.0859 Srv (42306c014d9e4d285eb5f49fe1178373) C:\WINNT\system32\DRIVERS\srv.sys

2010/10/29 06:40:04.0468 streamip (4544fd0db39cb7b385a5392c068162cd) C:\WINNT\system32\DRIVERS\StreamIP.sys

2010/10/29 06:40:05.0062 swenum (616a013d3ea068b6dee83d905e92ee9f) C:\WINNT\system32\DRIVERS\swenum.sys

2010/10/29 06:40:05.0671 swmidi (8c7cd06d097a59391d94b59715fca67c) C:\WINNT\system32\drivers\swmidi.sys

2010/10/29 06:40:07.0953 sysaudio (6c14d96f8c1ba929fad4ba40a29217fa) C:\WINNT\system32\drivers\sysaudio.sys

2010/10/29 06:40:08.0625 Tcpip (5f1be742b1f2196663255991ae7acc83) C:\WINNT\system32\DRIVERS\tcpip.sys

2010/10/29 06:40:09.0859 Udfs (248a63ca8075bdf40bb56ce34cdaf332) C:\WINNT\system32\drivers\Udfs.sys

2010/10/29 06:40:10.0453 uhcd (376fb5e14b9d375db3536ba563eae97a) C:\WINNT\system32\DRIVERS\uhcd.sys

2010/10/29 06:40:11.0640 Update (7a77f319935328cf30945fe0f3c69c9a) C:\WINNT\system32\DRIVERS\update.sys

2010/10/29 06:40:12.0281 usbaudio (b3555486f7786be1a46c3dad73db6d92) C:\WINNT\system32\drivers\usbaudio.sys

2010/10/29 06:40:12.0875 usbhub (5c202078f5d500786a1f3279fac3aa64) C:\WINNT\system32\DRIVERS\usbhub.sys

2010/10/29 06:40:13.0484 usbprint (e0e4367f5eff9e84fafeeba6ab937fd8) C:\WINNT\system32\DRIVERS\usbprint.sys

2010/10/29 06:40:14.0093 USBSTOR (13eba8a2da3447fe7f217e34210ac554) C:\WINNT\system32\DRIVERS\USBSTOR.SYS

2010/10/29 06:40:14.0687 VgaSave (1b0040415ba34497a8d76a553aee88aa) C:\WINNT\System32\drivers\vga.sys

2010/10/29 06:40:15.0328 Wanarp (aa8c76dfc4afa72f09fdbc6621b7d38d) C:\WINNT\system32\DRIVERS\wanarp.sys

2010/10/29 06:40:15.0921 wdmaud (997d25513bc89614417829b5bec7c75c) C:\WINNT\system32\drivers\wdmaud.sys

2010/10/29 06:40:16.0656 WSTCODEC (04aca6442e639a794293828e8dda7a44) C:\WINNT\system32\DRIVERS\WSTCODEC.SYS

2010/10/29 06:40:16.0875 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/10/29 06:40:16.0890 ================================================================================

2010/10/29 06:40:16.0890 Scan finished

2010/10/29 06:40:16.0890 ================================================================================

2010/10/29 06:40:16.0937 Detected object count: 4

2010/10/29 06:40:58.0625 Hidden service($sys$aries) - User select action: Skip

2010/10/29 06:40:58.0625 Hidden service($sys$cor) - User select action: Skip

2010/10/29 06:40:58.0640 Hidden service($sys$crater) - User select action: Skip

2010/10/29 06:40:58.0656 \HardDisk0\MBR - will be cured after reboot

2010/10/29 06:40:58.0656 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure

2010/10/29 06:41:04.0781 Deinitialize success

====

ComboFix 10-10-28.03 - - 10/29/2010 6:59.1.1 - x86

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.511.318 [GMT -4:00]

Running from: c:\documents and settings\-\Desktop\ComboFix.exe

.

/wow section - STAGE 10

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\-\.COMMgr

c:\documents and settings\-\Local Settings\Application Data\{E79F7BC7-2FDB-4EBE-84A7-73A10D953F67}

c:\documents and settings\-\Local Settings\Application Data\{E79F7BC7-2FDB-4EBE-84A7-73A10D953F67}\chrome.manifest

c:\documents and settings\-\Local Settings\Application Data\{E79F7BC7-2FDB-4EBE-84A7-73A10D953F67}\chrome\content\_cfg.js

c:\documents and settings\-\Local Settings\Application Data\{E79F7BC7-2FDB-4EBE-84A7-73A10D953F67}\chrome\content\overlay.xul

c:\documents and settings\-\Local Settings\Application Data\{E79F7BC7-2FDB-4EBE-84A7-73A10D953F67}\install.rdf

c:\program files\Mozilla Firefox\searchplugins\google_search.xml

c:\winnt\abasiquyicub.dll

c:\winnt\system32\spool\prtprocs\w32x86\BRPPROC.DLL

c:\winnt\Web\default.htt

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_$SYS$ARIES

-------\Legacy_$SYS$DRMSERVER

-------\Legacy_CD_PROXY

-------\Service_$sys$aries

-------\Service_$sys$DRMServer

-------\Service_CD_Proxy

((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-29 )))))))))))))))))))))))))))))))

.

2010-10-26 11:09 . 2010-10-26 11:09 1409 ----a-w- c:\winnt\QTFont.for

2010-10-20 10:35 . 2010-10-20 10:35 -------- d-----w- c:\documents and settings\-\Application Data\Malwarebytes

2010-10-20 10:35 . 2010-04-29 19:39 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys

2010-10-20 10:35 . 2010-10-20 10:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-10-20 10:35 . 2010-10-20 10:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-10-20 10:35 . 2010-04-29 19:39 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys

2010-10-19 10:57 . 2010-10-29 10:44 0 ----a-w- c:\winnt\Jjevux.bin

2010-10-19 10:55 . 2010-10-19 11:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

2010-10-06 00:17 . 2010-10-06 00:17 398744 ----a-r- c:\winnt\system32\cpnprt2.cid

2010-10-06 00:17 . 2010-10-28 23:38 -------- d-----w- c:\winnt\Cache

2010-10-06 00:17 . 2010-10-06 00:17 -------- d-----w- c:\program files\Coupons

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

------- Sigcheck -------

[-] 2002-11-27 00:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [ERROR: 0x0] . . c:\winnt\system32\mspmsnsv.dll

[-] 2004-07-09 08:27 . 0E51BD586D186F61A9E4453DB8AEC774 . 1703936 . . [ERROR: 0x0] . . c:\winnt\system32\d3d9.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-28 271672]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2006-12-22 497176]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-12-22 756248]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

LivePerson.lnk - c:\program files\LivePerson\hc.exe [2008-7-31 5476352]

c:\documents and settings\-\Start Menu\Programs\Startup\

DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

LivePerson.lnk - c:\program files\LivePerson\hc.exe [2008-7-31 5476352]

Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]

Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

R0 $sys$cor;$sys$cor;c:\winnt\system32\drivers\$sys$cor.sys [10/6/2004 10:11 AM 10368]

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\drivers\SonyPVM1.sys [10/3/2008 10:37 PM 28224]

R1 $sys$crater;$sys$crater;c:\winnt\system32\$sys$filesystem\crater.sys [10/7/2004 3:57 AM 11776]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]

R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2/22/2008 9:01 PM 61712]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]

S3 aaudstum;aaudstum;\??\c:\docume~1\-\LOCALS~1\Temp\aaudstum.sys --> c:\docume~1\-\LOCALS~1\Temp\aaudstum.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT

*NewlyCreated* - RASAUTO

*NewlyCreated* - SHAREDACCESS

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.mygameparts.com

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

LSP: %SystemRoot%\system32\msafd.dll

DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\-\Application Data\Mozilla\Firefox\Profiles\g14uxxdd.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - prefs.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Erihejejohehuc - c:\winnt\abasiquyicub.dll

HKLM-Run-MOk+ - c:\winnt\gdi32.exe

HKLM-Run-MOqf - c:\winnt\user.exe

HKLM-Run-MOora - c:\winnt\iexplarer.exe

HKLM-Run-MOupc - c:\winnt\sysedit.exe

HKLM-Run-MOrxc - c:\winnt\spoolsv.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-10-29 07:22

Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(184)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\winnt\system32\wzcdlg.dll

c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(4768)

c:\winnt\AppPatch\AcLayers.DLL

c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll

.

------------------------ Other Running Processes ------------------------

.

c:\winnt\system32\hidserv.exe

c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe

c:\winnt\system32\regsvc.exe

c:\winnt\system32\MSTask.exe

c:\winnt\system32\stisvc.exe

c:\winnt\System32\WBEM\WinMgmt.exe

c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

c:\program files\iPod\bin\iPodService.exe

c:\winnt\system32\rundll32.exe

c:\program files\Brother\ControlCenter3\brccMCtl.exe

c:\program files\Brother\Brmfcmon\BrMfcmon.exe

c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe

c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

.

**************************************************************************

.

Completion time: 2010-10-29 07:31:59 - machine was rebooted

ComboFix-quarantined-files.txt 2010-10-29 11:31

Pre-Run: 61,549,064,192 bytes free

Post-Run: 63,275,192,320 bytes free

- - End Of File - - 621152BA049DDCD1D880361EF193D256

====

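An added example, not part of any post in this thread and not ComboFix's own logic: a small Python pass over the kind of entries the report above lists. The sample lines are copied from the report (three driver/service entries and the six "ORPHANS REMOVED" Run values). The rules are general heuristics a responder applies when reading such a log, not anything ComboFix asserts about these entries: a Run value whose image name resembles a well-known Windows binary but has the wrong extension or sits outside the directory that binary really lives in, any executable a Run value launches straight from the Windows directory root, and any driver registered from a temp or user-profile directory. The tables of known binaries, allowed root-directory executables and profile directory names are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

# Sample lines constructed from the ComboFix report posted above (three driver/service
# entries and the six "ORPHANS REMOVED" Run values), embedded so the script runs offline.
SAMPLE_REPORT = r"""
R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\drivers\SonyPVM1.sys [10/3/2008 10:37 PM 28224]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2/22/2008 9:01 PM 61712]
S3 aaudstum;aaudstum;\??\c:\docume~1\-\LOCALS~1\Temp\aaudstum.sys --> c:\docume~1\-\LOCALS~1\Temp\aaudstum.sys [?]
HKLM-Run-Erihejejohehuc - c:\winnt\abasiquyicub.dll
HKLM-Run-MOk+ - c:\winnt\gdi32.exe
HKLM-Run-MOqf - c:\winnt\user.exe
HKLM-Run-MOora - c:\winnt\iexplarer.exe
HKLM-Run-MOupc - c:\winnt\sysedit.exe
HKLM-Run-MOrxc - c:\winnt\spoolsv.exe
"""

# Heuristic tables; these are assumptions of this example, not anything ComboFix reports.
# Well-known Windows binary stems -> (normal extension, directories they really live in).
# "iexplore" is listed before "explorer" so that a tie in edit distance prefers it.
KNOWN_BINARIES = {
    "spoolsv": (".exe", {"system32"}), "svchost": (".exe", {"system32"}),
    "lsass": (".exe", {"system32"}), "csrss": (".exe", {"system32"}),
    "winlogon": (".exe", {"system32"}), "services": (".exe", {"system32"}),
    "iexplore": (".exe", {"internet explorer"}), "explorer": (".exe", {"winnt", "windows"}),
    "gdi32": (".dll", {"system32"}), "user32": (".dll", {"system32"}),
    "kernel32": (".dll", {"system32"}),
}
WINDOWS_DIR_NAMES = {"winnt", "windows"}
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}
TEMP_OR_PROFILE = {"temp", "tmp", "locals~1", "docume~1", "documents and settings", "users"}

RUN_RE = re.compile(r"^(HK(?:LM|CU))-Run-(.+?) - (.+)$")
DRIVER_RE = re.compile(r"^([RS]\d) ([^;]+);[^;]*;(.+?)(?: \[.*)?$")


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch look-alike names such as iexplarer."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_reason(path):
    """Flag an image whose stem is (nearly) a well-known Windows binary name but whose
    extension or parent directory is not where that binary legitimately lives."""
    p = PureWindowsPath(path)
    stem, ext, parent = p.stem.lower(), p.suffix.lower(), p.parent.name.lower()
    known, (known_ext, dirs) = min(KNOWN_BINARIES.items(),
                                   key=lambda kv: edit_distance(stem, kv[0]))
    if edit_distance(stem, known) > 2:
        return None
    if stem == known and ext == known_ext and parent in dirs:
        return None
    return f"{p.name} in {p.parent} resembles {known}{known_ext}, which belongs in {'/'.join(sorted(dirs))}"


def location_reason(path):
    """Flag images run from a temp/profile directory or straight from the Windows directory
    root (system binaries belong in system32; the root legitimately holds only a handful)."""
    p = PureWindowsPath(path)
    parts = [part.lower() for part in p.parts]
    if any(part in TEMP_OR_PROFILE for part in parts[:-1]):
        return f"{p.name} runs from a temp or user-profile directory ({p.parent})"
    if len(parts) == 3 and parts[1] in WINDOWS_DIR_NAMES and parts[2] not in WINDOWS_ROOT_ALLOWLIST:
        return f"{p.name} sits directly in {p.parent} rather than in system32"
    return None


def analyze_report(text):
    """Return {entry_label: [reasons]} for every Run value or driver that trips a rule."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            label, path = f"Run:{m.group(2)}", m.group(3)
        else:
            m = DRIVER_RE.match(line)
            if not m:
                continue
            label, path = f"Driver:{m.group(2)}", m.group(3)
            if " --> " in path:            # ComboFix prints "<registered path> --> <resolved path>"
                path = path.split(" --> ")[-1]
            if path.startswith("\\??\\"):  # NT object-manager prefix on a registered ImagePath
                path = path[4:]
        reasons = [r for r in (masquerade_reason(path), location_reason(path)) if r]
        if reasons:
            findings[label] = reasons
    return findings


if __name__ == "__main__":
    for label, reasons in analyze_report(SAMPLE_REPORT).items():
        print(label)
        for reason in reasons:
            print("   ", reason)
```

Run against the sample, it flags all six orphaned Run values and the aaudstum driver and leaves the Sony and 3Com drivers alone. The rules are deliberately narrow; a name within two edits of a system binary is a strong signal only because the set of known names is small, and the root-directory allowlist should be extended to whatever a given Windows build legitimately keeps there.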

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    mspmsnsv.dll
    d3d9.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC


I'm having an issue very similar to the one identified by the original poster and I wanted to post my symptoms to see if mine match his/hers.

Avast! is identifying krhwcot.sys as a possible Win32:Bubak rootkit. From what I can tell, its primary purpose is link redirecting in internet browsers. It also sent some spam messages via my Facebook account. It has also disabled the "Folder Options" when viewing folders and made hidden files invisible by default. Last but not least, I am having periodic blue screens with "IRQL Not Less Or Equal" errors. So far, these screens appear too briefly for me to see the specific error listed.

I have run Avast!, Malwarebytes Anti-Malware, SuperAntiSpyware, Spybot, and AdAware, but none are able to resolve the problem. At best, they are detecting krhwcot.sys as a probable rootkit and the following registry value hijacking:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions)

I'm running a Windows XP computer with Service Pack 3.

I'm assuming this is a new variation of some virus, so I am updating my anti-virus programs as often as possible (updating can trigger crashes too, depending on the program). Any help with this would be much appreciated, though.

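Hijack.FolderOptions is the Malwarebytes name for the NoFolderOptions value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, the same restriction an administrator would set through Group Policy to remove Folder Options from Explorer; the symptoms in the post above (Folder Options gone, hidden files not viewable) are what that family of restriction values produces. The following is an added example, not from the thread and not Malwrebytes or Avast code: it keeps the assessment logic, which runs anywhere against a dictionary of registry values, apart from the reader and the remediation, which need winreg and therefore only work on Windows. The list of values it checks and the "clean" states it expects are assumptions of the example.

```python
import sys

# Registry paths (assumptions of this example; the Policies\Explorer key is the one the
# Malwarebytes detection quoted above names).
EXPLORER_POLICY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM_POLICY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
SHOWALL = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"

# (hive, key, value name, clean state). clean=None means the value should be absent or 0;
# any other clean value is what the data should equal when the value is present.
POLICY_CHECKS = [
    ("HKCU", EXPLORER_POLICY, "NoFolderOptions", None),
    ("HKLM", EXPLORER_POLICY, "NoFolderOptions", None),
    ("HKCU", EXPLORER_POLICY, "NoControlPanel", None),
    ("HKCU", SYSTEM_POLICY, "DisableRegistryTools", None),
    ("HKCU", SYSTEM_POLICY, "DisableTaskMgr", None),
    ("HKLM", SHOWALL, "CheckedValue", 1),  # 0 here breaks "Show hidden files and folders"
]


def assess(values):
    """values maps (hive, key, name) -> data; a missing entry or None means the value is
    absent. Returns one finding string per restriction that is set."""
    findings = []
    for hive, key, name, clean in POLICY_CHECKS:
        data = values.get((hive, key, name))
        if clean is None and data not in (None, 0):
            findings.append(f"{hive}\\{key}\\{name} = {data} (restriction set)")
        elif clean is not None and data is not None and data != clean:
            findings.append(f"{hive}\\{key}\\{name} = {data} (expected {clean})")
    return findings


def read_live():
    """Windows only: read the checked values with winreg; absent keys or values become None."""
    import winreg  # only exists on Windows, hence the local import
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    values = {}
    for hive, key, name, _ in POLICY_CHECKS:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                values[(hive, key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:  # key or value not present
            values[(hive, key, name)] = None
    return values


def clear_restrictions():
    """Windows only: delete the restriction values and restore CheckedValue. Do this only
    once the dropper itself is gone, otherwise the values come straight back on the next
    run; a value set by a domain Group Policy is re-applied as well and should be left alone."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    for hive, key, name, clean in POLICY_CHECKS:
        try:
            with winreg.OpenKey(hives[hive], key, 0, winreg.KEY_SET_VALUE) as k:
                if clean is None:
                    winreg.DeleteValue(k, name)
                else:
                    winreg.SetValueEx(k, name, 0, winreg.REG_DWORD, clean)
        except OSError:
            pass  # key or value absent: nothing to clear


# Constructed sample mirroring the detection in this thread (HKCU NoFolderOptions set).
SAMPLE_VALUES = {("HKCU", EXPLORER_POLICY, "NoFolderOptions"): 1}

if __name__ == "__main__":
    values = read_live() if sys.platform == "win32" else SAMPLE_VALUES
    for line in assess(values) or ["no Explorer restriction values set"]:
        print(line)
```

On a non-Windows box the script just evaluates the constructed sample; on Windows it reads the live registry. The scanner in the thread reported the value as "Delete on reboot" because the dropper re-creates it while it is running, which is also why clear_restrictions() is a separate, deliberate step rather than something the check runs automatically.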

voxpopuli1981

You already have a topic started and you're interfering in this persons post.

Please stay in your own topic, MrC


I got the following error in a windows Dialog Box:

===

SystemLook.exe - Entry Point Not Found

The procedure entry point IsWow64Process could not be located in the dynamic link library KERNEL32.dll.

===


Thanks for your help.

That one isn't working either. I get the following db when I double click it:

====

c:\Documents and Settings\-\Desktop\SystemLook_x64.exe

(X) Access to the specified drive, path, or file is denied.

====

After I click OK I get a Launch Application db with the following text:

====

This link needs to be opened with an application.

Send to:

rundll32.exe url.dll,FileProtocolHandler %l

Choose an Application [Choose...]

====


OK, maybe because you're running W2K

Please find and upload the files below to VirusTotal for a free scan, let me know the results:

http://www.virustotal.com/

c:\winnt\system32\mspmsnsv.dll

c:\winnt\system32\d3d9.dll

MrC


0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name:

mspmsnsv.dll

Submission date:

2010-10-31 09:20:50 (UTC)

Current status:

finished

Result:

0/ 43 (0.0%)

VT Community

not reviewed

Safety score: -


Antivirus Version Last Update Result

AhnLab-V3 2010.10.31.00 2010.10.30 -

AntiVir 7.10.13.74 2010.10.29 -

Antiy-AVL 2.0.3.7 2010.10.31 -

Authentium 5.2.0.5 2010.10.31 -

Avast 4.8.1351.0 2010.10.30 -

Avast5 5.0.594.0 2010.10.30 -

AVG 9.0.0.851 2010.10.30 -

BitDefender 7.2 2010.10.31 -

CAT-QuickHeal 11.00 2010.10.26 -

ClamAV 0.96.2.0-git 2010.10.31 -

Comodo 6570 2010.10.31 -

DrWeb 5.0.2.03300 2010.10.30 -

Emsisoft 5.0.0.50 2010.10.31 -

eSafe 7.0.17.0 2010.10.28 -

eTrust-Vet 36.1.7943 2010.10.29 -

F-Prot 4.6.2.117 2010.10.30 -

F-Secure 9.0.16160.0 2010.10.31 -

Fortinet 4.2.249.0 2010.10.31 -

GData 21 2010.10.31 -

Ikarus T3.1.1.90.0 2010.10.31 -

Jiangmin 13.0.900 2010.10.31 -

K7AntiVirus 9.67.2865 2010.10.29 -

Kaspersky 7.0.0.125 2010.10.31 -

McAfee 5.400.0.1158 2010.10.31 -

McAfee-GW-Edition 2010.1C 2010.10.30 -

Microsoft 1.6301 2010.10.31 -

NOD32 5577 2010.10.31 -

Norman 6.06.10 2010.10.30 -

nProtect 2010-10-31.01 2010.10.31 -

Panda 10.0.2.7 2010.10.30 -

PCTools 7.0.3.5 2010.10.31 -

Prevx 3.0 2010.10.31 -

Rising 22.71.03.02 2010.10.29 -

Sophos 4.59.0 2010.10.31 -

Sunbelt 7176 2010.10.31 -

SUPERAntiSpyware 4.40.0.1006 2010.10.31 -

Symantec 20101.2.0.161 2010.10.31 -

TheHacker 6.7.0.1.074 2010.10.30 -

TrendMicro 9.120.0.1004 2010.10.31 -

TrendMicro-HouseCall 9.120.0.1004 2010.10.31 -

VBA32 3.12.14.1 2010.10.29 -

ViRobot 2010.10.30.4121 2010.10.30 -

VirusBuster 12.70.13.0 2010.10.30 -

====

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name:

d3d9.dll

Submission date:

2010-10-31 09:24:21 (UTC)

Current status:

finished

Result:

0/ 42 (0.0%)

VT Community

not reviewed

Safety score: -


Antivirus Version Last Update Result

AhnLab-V3 2010.10.31.00 2010.10.30 -

AntiVir 7.10.13.74 2010.10.29 -

Antiy-AVL 2.0.3.7 2010.10.31 -

Authentium 5.2.0.5 2010.10.31 -

Avast 4.8.1351.0 2010.10.30 -

Avast5 5.0.594.0 2010.10.30 -

AVG 9.0.0.851 2010.10.30 -

BitDefender 7.2 2010.10.31 -

CAT-QuickHeal 11.00 2010.10.26 -

ClamAV 0.96.2.0-git 2010.10.31 -

Comodo 6570 2010.10.31 -

Emsisoft 5.0.0.50 2010.10.31 -

eSafe 7.0.17.0 2010.10.28 -

eTrust-Vet 36.1.7943 2010.10.29 -

F-Prot 4.6.2.117 2010.10.30 -

F-Secure 9.0.16160.0 2010.10.31 -

Fortinet 4.2.249.0 2010.10.31 -

GData 21 2010.10.31 -

Ikarus T3.1.1.90.0 2010.10.31 -

Jiangmin 13.0.900 2010.10.31 -

K7AntiVirus 9.67.2865 2010.10.29 -

Kaspersky 7.0.0.125 2010.10.31 -

McAfee 5.400.0.1158 2010.10.31 -

McAfee-GW-Edition 2010.1C 2010.10.30 -

Microsoft 1.6301 2010.10.31 -

NOD32 5577 2010.10.31 -

Norman 6.06.10 2010.10.30 -

nProtect 2010-10-31.01 2010.10.31 -

Panda 10.0.2.7 2010.10.30 -

PCTools 7.0.3.5 2010.10.31 -

Prevx 3.0 2010.10.31 -

Rising 22.71.03.02 2010.10.29 -

Sophos 4.59.0 2010.10.31 -

Sunbelt 7176 2010.10.31 -

SUPERAntiSpyware 4.40.0.1006 2010.10.31 -

Symantec 20101.2.0.161 2010.10.31 -

TheHacker 6.7.0.1.074 2010.10.30 -

TrendMicro 9.120.0.1004 2010.10.31 -

TrendMicro-HouseCall 9.120.0.1004 2010.10.31 -

VBA32 3.12.14.1 2010.10.29 -

ViRobot 2010.10.30.4121 2010.10.30 -

VirusBuster 12.70.13.0 2010.10.30 -

Additional information


MD5 : 0e51bd586d186f61a9e4453db8aec774

SHA1 : f38b1addcfcd5e26855d43296d9950488b981548

SHA256: 4a7207cc8bcf398e817619c8d5ac78fe6d084380373afa77f7bd900b1f15a8fc

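VirusTotal keys its reports by file hash, so the check worth doing locally is whether the file on disk really is the sample the report describes; a 0/43 result only says that none of those engines flagged that exact byte sequence, not that the file is clean. The following is an added example, not from the thread and not VirusTotal code: it computes MD5, SHA-1 and SHA-256 with Python's hashlib and compares them with the digests the report above printed for d3d9.dll. The file it hashes is a constructed stand-in (the bytes "abc" and their standard test-vector digests) so that the script runs offline without the real DLL.

```python
import hashlib
import os
import tempfile

# Hashes VirusTotal printed for the submitted d3d9.dll, copied from the report above.
VT_D3D9 = {
    "md5": "0e51bd586d186f61a9e4453db8aec774",
    "sha1": "f38b1addcfcd5e26855d43296d9950488b981548",
    "sha256": "4a7207cc8bcf398e817619c8d5ac78fe6d084380373afa77f7bd900b1f15a8fc",
}

# Constructed stand-in for the file on disk: the bytes "abc" and their standard test-vector
# digests, so the example can run without the real DLL.
SAMPLE_BYTES = b"abc"
SAMPLE_DIGESTS = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def _new_hashers():
    return {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}


def hash_bytes(data):
    """Hex MD5, SHA-1 and SHA-256 of an in-memory buffer."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, chunk_size=1 << 16):
    """The same digests for a file, streamed once so large binaries stay out of memory."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_record(path, record):
    """True only when every digest in the record matches the file. A single mismatch means
    the VirusTotal verdict belongs to some other file, not the one on this machine."""
    actual = hash_file(path)
    return all(actual.get(name) == value.lower() for name, value in record.items())


def demo():
    """Write the constructed sample to a temp file and check it against both records."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(SAMPLE_BYTES)
        return matches_record(sample, SAMPLE_DIGESTS), matches_record(sample, VT_D3D9)


if __name__ == "__main__":
    ok_sample, ok_d3d9 = demo()
    print("sample matches its own digests:", ok_sample)      # True
    print("sample matches the VT d3d9.dll record:", ok_d3d9)  # False
```

To use it on a real box, call matches_record(r"c:\winnt\system32\d3d9.dll", VT_D3D9); a False there means the report you are reading is for a different build of the file, and the local copy should be submitted (or searched for by its own SHA-256) before drawing any conclusion from the verdict.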

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5005

Windows 5.0.2195 Service Pack 4

Internet Explorer 6.0.2800.1106

10/31/2010 7:41:03 AM

mbam-log-2010-10-31 (07-41-03).txt

Scan type: Quick scan

Objects scanned: 108906

Time elapsed: 6 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


OK, looks Good!

Please Uninstall ComboFix:

Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

-------------------------

Please do this:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC


Sorry for the late response. Got super busy with a move and such.

Results of screen317's Security Check version 0.99.6

Windows 2000 Service Pack 4

Internet Explorer 6 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 3

Out of date Java installed!

Adobe Flash Player 10.1.85.3

Adobe Reader 8

Out of date Adobe Reader installed!

Mozilla Firefox (3.5.15) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

````````````````````````````````

DNS Vulnerability Check:

nslookup.exe missing!

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


OK, a couple of problems you should fix:

Internet Explorer 6 Out of date!

Your IE is out of date, technically you should update to IE7 or IE8 > better yet use a different browser which is more secure.

---------------------------------

Antivirus/Firewall Check:

```````````````````````````````

I don't see any anti-virus or firewall listed > make sure you install both

-------------------------------

Java


Glad we could help. :D

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.