
Infected and ran scans



I have Windows XP and got an XP Security Scan 2012 virus.

I was able to use a tool online (winlogon.exe) and got rid of that virus, but then I had another one that I guess was in my browser and sent me to spam websites every time I went on the internet. I already had Malwarebytes and a few others installed on my CPU, so I ran each of them trying to get rid of it. The problem is that as soon as I started the scan, the virus would kill the program and it would disappear. If I tried to run them again, it told me I did not have permission. I tried all this in Safe Mode and as administrator, and nothing has worked. The last thing I tried: I guess I somehow downloaded Windows XP Repair (under Properties it says its real name is 20373284.exe) and also downloaded ParetoLogic PC Health Advisor, which was actually able to run and says I have 200 errors, most of which are in my registry. Unfortunately, it will not let me clean the CPU unless I buy the program, and I cannot seem to get online even if I wanted to purchase it. When I ran this scan I had a lot of errors come up and then my computer shut down. When I booted it back up, everything was gone; however, after doing some digging I noticed that everything is simply hidden on the computer and just hard to find. I have a 300 GB external hard drive that I can save everything to if I need to reboot Windows, but when I plug it in I cannot find it in My Computer with all the other drives so I can send all my files to it.

Any help you could give would be much appreciated. I am using my home computer to send you this. Thanks in advance for helping me.

I ran the scans, and the logs are below:

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by end user at 12:56:13 on 2011-07-05

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.503 [GMT -5:00]

.

.

============== Running Processes ===============

.

"\\.\globalroot\Device\svchost.exe\svchost.exe"

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\basfipm.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\lxdncoms.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Lexmark 2600 Series\lxdnmon.exe

C:\Program Files\Lexmark 2600 Series\lxdnMsdMon.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Brownie\BrstsWnd.exe

C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Brownie\brpjp04a.exe

C:\Program Files\Brownie\brpjp04a.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

.

============== Pseudo HJT Report ===============

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search/msie?p={searchTerms}&ei=UTF-8

uStart Page = hxxp://www.google.com/

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL

BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll

TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

TB: {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - No File

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [T-Mobile Connection Manager] "c:\program files\t-mobile\connection manager\TMobileCM.exe" -a

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [seekmoSA] "c:\program files\seekmo\bin\10.0.275.0\SeekmoSA.exe"

mRun: [seekmoOE] c:\program files\seekmo\bin\10.0.275.0\OEAddOn.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [lxdnmon.exe] "c:\program files\lexmark 2600 series\lxdnmon.exe"

mRun: [lxdnamon] "c:\program files\lexmark 2600 series\lxdnamon.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"

mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [brStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun

mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [bacstray] c:\program files\broadcom\bacs\\BacsTray.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

uPolicies-explorer: NoDesktop = 1 (0x1)

mPolicies-system: DisableTaskMgr = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: mswsock.dll

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab

DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab

DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.7.cab

DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxps://www.linkedin.com/cab/LinkedInContactFinderControl.cab

DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab

DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F127} - hxxp://www.swiftview.com/product/public/svinstall_green.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://flagstar.webex.com/client/T27LB/training/ieatgpc.cab

TCP: DhcpNameServer = 192.168.0.1 192.168.1.1

TCP: Interfaces\{8FDB8E57-BF36-43D2-878C-17AF4FE5F6A7} : NameServer = 4.2.2.2,4.2.2.6

TCP: Interfaces\{8FDB8E57-BF36-43D2-878C-17AF4FE5F6A7} : DhcpNameServer = 192.168.0.1 192.168.1.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Notify: igfxcui - igfxdev.dll

Notify: luuyioot - luuyioot.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

.

============= SERVICES / DRIVERS ===============

.

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]

R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2005-10-21 80384]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20070709.039\naveng.sys [2007-7-9 77688]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20070709.039\navex15.sys [2007-7-9 852824]

S2 Diskeeper Administrator;Diskeeper Administrator;c:\program files\diskeeper corporation\diskeeper administrator\DKSAdmin.exe [2008-5-8 20480]

S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [2011-6-4 98984]

S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]

S2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2010-4-17 618896]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]

S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\drivers\ubveo532.sys --> c:\windows\system32\drivers\ubVeo532.sys [?]

S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\hpzs2k12.sys [2003-11-23 50360]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2009-12-26 114704]

S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2010-3-23 54416]

S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2010-3-23 160272]

S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2010-3-23 160272]

S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2010-3-23 11920]

S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2010-3-23 113680]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]

S3 SEM43XX;Sony Ericsson 802.11 Wireless LAN Adapter Driver SEM43XX;c:\windows\system32\drivers\semwl5.SYS [2005-1-2 371584]

S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [2005-1-2 106624]

S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [2005-1-2 52992]

S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~2\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]

S3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;c:\windows\system32\drivers\GCXXSC.sys [2004-12-21 19328]

.

=============== File Associations ===============

.

regfile=regedit.exe "%1" %*

scrfile="%1" %*

.

=============== Created Last 30 ================

.

2011-07-03 23:24:28 -------- d--h--w- c:\documents and settings\end user\application data\DriverCure

2011-07-03 23:24:27 -------- d--h--w- c:\documents and settings\end user\application data\ParetoLogic

2011-07-03 23:24:00 -------- d--h--w- c:\program files\common files\ParetoLogic

2011-07-03 23:23:59 -------- d--h--w- c:\program files\ParetoLogic

2011-07-03 23:23:59 -------- d--h--w- c:\documents and settings\all users\application data\ParetoLogic

2011-07-03 23:21:30 388096 ---ha-r- c:\documents and settings\end user\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-07-03 23:21:29 -------- d--h--w- c:\program files\Trend Micro

2011-07-03 19:48:39 -------- d--h--w- c:\program files\Malwarebytesrs

2011-07-01 21:42:35 25984 ----a-w- c:\windows\system32\drivers\1129937788.sys

2011-07-01 21:42:16 352256 ---ha-w- c:\documents and settings\end user\local settings\application data\lbj.exe

2011-06-16 14:16:23 105472 ---h--w- c:\windows\system32\dllcache\mup.sys

2011-06-09 15:35:26 -------- d-----w- c:\documents and settings\end user\local settings\application data\Citrix

2011-06-09 15:35:13 103720 ---h--w- c:\documents and settings\end user\GoToAssistDownloadHelper.exe

2011-06-07 17:17:32 -------- d--h--w- c:\program files\FreeSpan

2011-06-07 17:15:55 53248 ---ha-w- c:\program files\common files\installshield\engine\6\intel 32\msihook.dll

2011-06-07 17:15:54 126976 ---ha-w- c:\program files\common files\installshield\engine\6\intel 32\knlwrap.exe

2011-06-07 17:15:51 114688 ---ha-w- c:\program files\common files\installshield\engine\6\intel 32\scpthdlr.dll

2011-06-07 16:45:39 -------- d--h--w- c:\program files\SwiftView

.

==================== Find3M ====================

.

2011-06-29 20:32:45 48 ---ha-w- c:\windows\wpd99.drv

2011-05-23 17:51:39 73728 ---ha-w- c:\windows\system32\javacpl.cpl

2011-05-23 17:51:38 472808 ---ha-w- c:\windows\system32\deployJava1.dll

2011-05-02 15:31:52 692736 ---ha-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25:27 151552 ---ha-w- c:\windows\system32\schannel.dll

2011-04-29 16:19:43 456320 ---ha-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11:12 916480 ---ha-w- c:\windows\system32\wininet.dll

2011-04-25 16:11:11 43520 ---ha-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11:11 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01:22 385024 ---ha-w- c:\windows\system32\html.iec

2011-04-21 13:37:43 105472 ---ha-w- c:\windows\system32\drivers\mup.sys

2011-04-20 15:12:14 365456 ---ha-w- c:\windows\Unwash6.exe

2006-12-29 17:23:40 774144 ---ha-w- c:\program files\RngInterstitial.dll

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: FUJITSU_MHV2080AH rev.00000096 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xF19D0890]<<

_asm { PUSH ECX; MOV EAX, [ESP+0x8]; PUSH EBX; PUSH EBP; PUSH ESI; PUSH EDI; CMP EAX, [0xf19d6964]; JNZ 0x22; MOV EBX, [ESP+0x1c]; CALL 0xfffffffffffffcc0; }

1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x87159AB8]

3 CLASSPNP[0xF7607FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86F6A660]

\Driver\Disk[0x86ACC6E8] -> IRP_MJ_CREATE -> 0xF19D0890

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

detected hooks:

\Driver\atapi -> 0x87147f16

user & kernel MBR OK

Warning: possible MBR rootkit infection !

.

============= FINISH: 13:04:16.10 ===============

Since all functions are hidden and I have limited access, I could only copy and paste the other logs and could not compress them into a ZIP. Sorry.

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-06-23.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 12/11/2005 2:24:04 PM

System Uptime: 7/5/2011 12:35:49 PM (1 hours ago)

.

Motherboard: Dell Inc. | | 0U8082

Processor: Intel® Pentium® M processor 2.00GHz | Microprocessor | 1995/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 74 GiB total, 49.889 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E96E-E325-11CE-BFC1-08002BE10318}

Description: Plug and Play Monitor

Device ID: DISPLAY\SEC3450\4&277C3EC6&0&80861500&00&02

Manufacturer: (Standard monitor types)

Name: Plug and Play Monitor

PNP Device ID: DISPLAY\SEC3450\4&277C3EC6&0&80861500&00&02

Service: pdiddcci

.

Class GUID: {4D36E96E-E325-11CE-BFC1-08002BE10318}

Description: Plug and Play Monitor

Device ID: DISPLAY\SEC3450\4&277C3EC6&0&00000400&00&02

Manufacturer: (Standard monitor types)

Name: Plug and Play Monitor

PNP Device ID: DISPLAY\SEC3450\4&277C3EC6&0&00000400&00&02

Service: pdiddcci

.

Class GUID: {4D36E96E-E325-11CE-BFC1-08002BE10318}

Description: Plug and Play Monitor

Device ID: DISPLAY\SEC3450\4&14A70AE9&0&80871400&00&22

Manufacturer: (Standard monitor types)

Name: Plug and Play Monitor

PNP Device ID: DISPLAY\SEC3450\4&14A70AE9&0&80871400&00&22

Service: pdiddcci

.

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}

Description: Conexant D110 MDC V.9x Modem

Device ID: PCI\VEN_8086&DEV_266D&SUBSYS_542314F1&REV_03\3&61AAA01&0&F3

Manufacturer: Conexant

Name: Conexant D110 MDC V.9x Modem

PNP Device ID: PCI\VEN_8086&DEV_266D&SUBSYS_542314F1&REV_03\3&61AAA01&0&F3

Service: Modem

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

ABBYY FineReader 6.0 Sprint

Acrobat.com

Ad-Aware SE Personal

Adobe Flash Player 10 ActiveX

Adobe Reader 9.1.2

Adobe Reader 9.3

Adobe® Flash® Player 10 Plugin

AiOSoftware

ALPS Touch Pad Driver

Apple Software Update

BPD_Scan

Broadcom Advanced Control Suite 2

Broadcom ASF Management Applications

Broadcom Gigabit Integrated Controller

Brother HL-2140

Calyx LoanBridge 5.3

CelsiusProd

Compatibility Pack for the 2007 Office system

Conduit Engine

Copy

CreativeProjects

Critical Update for Windows Media Player 11 (KB959772)

Definition update for Microsoft Office 2010 (KB982726)

Dell ResourceCD

Digital Line Detect

Director

Diskeeper 2008 Administrator

Diskeeper Professional Premier Edition

DocProc

Fax

Free Spanish CD-ROM

Garmin City Navigator North America NT 2009 Update

Garmin Communicator Plugin

Garmin USB Drivers

Garmin WebUpdater

GdiplusUpgrade

Google Earth

GoToMeeting 4.8.0.723

HighMAT Extension to Microsoft Windows XP CD Writing Wizard

HiJackThis

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

HP My Display

HP Officejet 9100 series

HP Photo & Imaging 3.1

HP Product Detection

HP Update

hpmdtab

HPSystemDiagnostics

InstantShare

InstantShareAlert

Intel® Graphics Media Accelerator Driver for Mobile

Intel® PROSet/Wireless Software

Internal Network Card Power Management

Java 2 Runtime Environment, SE v1.4.2_03

Java Auto Updater

Java 6 Update 25

Lexmark 2600 Series

LinkedIn Outlook Connector

LiveLink

LiveLink 6

LiveLoad Ford

LiveUpdate 2.6 (Symantec Corporation)

mCore

mDriver

mDrWiFi

Memories Disc Creator 2.0

mHlpDell

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft ActiveSync

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Groove MUI (English) 2010

Microsoft Office InfoPath MUI (English) 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Professional Plus 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Word MUI (English) 2010

Microsoft Software Update for Web Folders (English) 14

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Web Publishing Wizard 1.52

Microsoft WSE 2.0 SP3 Runtime

mIWA

mLogView

mMHouse

Modem Helper

mPfMgr

mPfWiz

mProSafe

MSN Music Assistant

mSSO

MSXML 4.0 SP2 (KB925672)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 Parser and SDK

mToolkit

mWlsSafe

mWMI

mXML

mZConfig

PANTECH PC Card Software

PANTECH UM175 Driver

ParetoLogic PC Health Advisor

PC5750 Firmware Updates

Pdf995

PhotoGallery

Point

Point 7.3

Power Commander 3 USB

Power Commander Control Center 3.2.0 (Test Build 1)

PowerDVD 5.1

PrintScreen

QFolder

Quicken 2005

QuickProjects

QuickSet

Readiris Pro 8

Real Estate Transaction Viewer

Registry Repair 1.45

Scan

SCTDrivers32

SDK

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 7 (KB974455)

Security Update for Windows Internet Explorer 7 (KB976325)

Security Update for Windows Internet Explorer 7 (KB978207)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Media Encoder (KB2447961)

Security Update for Windows Media Encoder (KB954156)

Security Update for Windows Media Encoder (KB979332)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Search 4 - KB963093

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2491683)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165-v2)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Serif DrawPlus 3.0

Setup

SkinsHP1

SkinsHP2

Sonic DLA

Sonic RecordNow! Plus

Sonic Update Manager

Spybot - Search & Destroy

Spybot - Search & Destroy 1.5.2.20

SwiftView Viewer

Symantec AntiVirus

TrayApp

Tuner Internet Update Application

Unload

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 7 (KB976749)

Update for Windows Internet Explorer 7 (KB980182)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

uTorrentBar Toolbar

VistaPrint Electronic Business Card

VZAccess Manager

WebEx

WebFldrs XP

WebReg

Window Washer

Windows Defender Signatures

Windows Driver Package - FTDI CDM Driver Package (03/13/2008 2.04.06)

Windows Driver Package - FTDI CDM Driver Package (06/27/2007 2.02.04)

Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage v1.3.0254.0

Windows Genuine Advantage Validation Tool

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Live Safety scanner

Windows Media Connect

Windows Media Encoder 9 Series

Windows Media Format 11 runtime

Windows Media Format SDK Hotfix - KB891122

Windows Media Player 10 Hotfix - KB894476

Windows Media Player 11

Windows Mobile Daylight Saving Time 2007 Updates

Windows Search 4.0

Windows XP Service Pack 3

WinRAR archiver

Yahoo! Messenger

Yahoo! Toolbar

.

==== Event Viewer Messages From Past Week ========

.

7/5/2011 12:37:42 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.

7/5/2011 12:36:59 PM, error: SRService [104] - The System Restore initialization process failed.

7/5/2011 11:43:36 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.

7/5/2011 11:43:28 AM, error: Service Control Manager [7023] - The Diskeeper service terminated with the following error: The service has not been started.

7/5/2011 11:43:28 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Window Washer Engine service to connect.

7/5/2011 11:43:28 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Symantec AntiVirus service to connect.

7/5/2011 11:43:28 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxdnCATSCustConnectService service to connect.

7/5/2011 11:43:28 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Diskeeper Administrator service to connect.

7/5/2011 11:43:28 AM, error: Service Control Manager [7000] - The Window Washer Engine service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

7/5/2011 11:43:28 AM, error: Service Control Manager [7000] - The lxdnCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

7/5/2011 11:43:28 AM, error: Service Control Manager [7000] - The Diskeeper Administrator service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

7/3/2011 9:07:38 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service winmgmt with arguments "" in order to run the server: {C49E32C6-BC8B-11D2-85D4-00105A1F8304}

7/3/2011 8:14:08 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

7/3/2011 7:20:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

7/3/2011 7:11:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

7/3/2011 7:07:23 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

7/3/2011 6:58:28 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

7/3/2011 6:58:10 PM, error: DCOM [10005] - DCOM got error "%1068" attempting to start the service dmadmin with arguments "/com" in order to run the server: {4FB6BB00-3347-11D0-B40A-00AA005FF586}

7/3/2011 6:38:28 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service wwEngineSvc with arguments "" in order to run the server: {4C3EFFC6-C5C0-4EB1-B249-3D3C86BEEAF6}

7/3/2011 5:51:32 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service wwEngineSvc with arguments "" in order to run the server: {82E7813C-ADA2-44A2-9738-66B9B7FDB268}

7/3/2011 5:46:23 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .

7/3/2011 5:46:23 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL. Reference error message: The operation completed successfully. .

7/3/2011 5:46:23 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.

7/3/2011 10:54:04 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

7/3/2011 10:46:55 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}

7/3/2011 10:45:48 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service helpsvc with arguments "" in order to run the server: {833E4010-AFF7-4AC3-AAC2-9F24C1457BCE}

7/2/2011 10:23:13 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

.

==== End Of File ===========================

GMER 1.0.15.15640 - http://www.gmer.net

Rootkit scan 2011-07-05 14:22:20

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHV2080AH rev.00000096

Running: vrqebfbd[1].exe; Driver: C:\DOCUME~1\ENDUSE~1\LOCALS~1\Temp\uxtdapow.sys

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----


Hello and welcome!

It looks like you have a new rootkit variant on your computer.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Elise,

Thank you for your troubles. I tried to run the TDSS, but was unable to. I tried to rename it with the same result. I even downloaded it to my home (clean) computer and the file ran fine, so I put it on a flash drive and tried to open it from there on the infected CPU, but same result. I tried this in safe mode as well and it did not open. When I click on the TDSS to open it there is no indication it is opening or will ever open. Did I also tell you that my desktop is blank? It has nothing on it, and if I try to drag a file to it I get the circle with a line through it, which means nothing can be dropped there. I cannot even right click on my desktop to do anything. Maybe this is why the TDSS isn't opening? If I go to My Computer and find my desktop that way, it shows that there are still items on the desktop though (they are just not visible looking at the actual desktop itself). Please help :(


In that case, let's do this manually. :)

Do the following on a working computer:

Please download ARCDC from Artellos.com.

  • Double click ARCDC.exe
  • Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
  • You will be prompted with a Terms of Use by Microsoft, please accept.
  • You will see a few dos screens flash by, this is normal.
  • Next you will be able to choose to add extra files. Select the Default Files.
  • The last window will allow you to burn the disk using BurnCDCC

Your ISO is located on your desktop.

  • Insert the CD-ROM you just made into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.

  • Your PC should now boot from your XP-CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • When prompted to choose a windows installation, type 1 and press enter.
  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.
  • A command prompt will open.

Type fixmbr and press enter. If asked to confirm/continue, do so.

When done, type exit and press enter. When back in Windows, do the following (you can run this directly from a flash drive).

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[screenshot: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Got all the way to:

Type fixmbr and press enter. If asked to confirm/continue, do so.

But it gives me a caution message saying it is going to basically wipe out my computer and start it over. I need to back everything up before I do this, right? I have a lot of files on this computer that I cannot afford to lose. What is it going to do if I hit yes to the MBR question?


Don't worry, your data will never be wiped; in the worst case it may become inaccessible (which is quite easy to fix). I have quite some experience with that kind of problem, so I can assure you, should things go wrong (which of course we don't hope), I will be able to help you fix things. :)

At this point the choice is simple; either run fixmbr, or leave your computer infected; this is a very advanced rootkit, which hooks up your hard disk's master boot record.

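To illustrate why fixmbr does not touch the user's data, here is an added example (written for this page, not code from the thread or from any tool mentioned in it). The MBR is one 512-byte sector: 446 bytes of boot code, which fixmbr rewrites and which a bootkit modifies, followed by a 64-byte partition table and the 0x55AA signature. The parser below takes a constructed 512-byte MBR, checks the signature, lists the partition entries, and compares a SHA-256 of the boot-code region against a known-good baseline; the baseline bytes, the sample partition layout and the `read_mbr` device path are all assumptions for the demonstration.

```python
"""Parse a 512-byte master boot record (MBR) and compare its boot code
against a known-good baseline.  Added example for this page; it is not
part of fixmbr, GMER, TDSSKiller or ComboFix.

Layout of the sector:
  bytes   0..445  boot code      (the region fixmbr rewrites)
  bytes 446..509  four 16-byte partition table entries (untouched by fixmbr)
  bytes 510..511  signature 0x55 0xAA
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
PARTITION_TABLE_OFFSET = 446
SIGNATURE_OFFSET = 510
MBR_SIGNATURE = b"\x55\xaa"


@dataclass
class Partition:
    index: int
    bootable: bool      # status byte 0x80 marks the active partition
    type_id: int        # e.g. 0x07 = NTFS
    start_lba: int
    sector_count: int


@dataclass
class MbrReport:
    signature_ok: bool
    boot_code_sha256: str
    partitions: List[Partition]
    boot_code_matches_baseline: Optional[bool]   # None if no baseline given


def parse_partition_entry(index: int, entry: bytes) -> Partition:
    # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, count.
    # CHS fields are ignored; modern systems use the LBA values.
    status, _chs_start, type_id, _chs_end, start_lba, count = struct.unpack(
        "<B3sB3sII", entry)
    return Partition(index, status == 0x80, type_id, start_lba, count)


def parse_mbr(data: bytes, baseline_sha256: Optional[str] = None) -> MbrReport:
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    digest = hashlib.sha256(data[:BOOT_CODE_SIZE]).hexdigest()
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        entry = data[off:off + 16]
        if entry[4] != 0:          # partition type 0 means an unused slot
            partitions.append(parse_partition_entry(i, entry))
    matches = None if baseline_sha256 is None else (digest == baseline_sha256)
    return MbrReport(
        signature_ok=data[SIGNATURE_OFFSET:] == MBR_SIGNATURE,
        boot_code_sha256=digest,
        partitions=partitions,
        boot_code_matches_baseline=matches,
    )


def read_mbr(device_path: str) -> bytes:
    # Assumed usage: r"\\.\PhysicalDrive0" on Windows or "/dev/sda" on Linux,
    # which needs administrator/root rights.  Not called in the demo below.
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    # Constructed sample: one active NTFS partition starting at LBA 63.
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                         b"\xfe\xff\xff", 63, 156_296_322)
    table = entry0 + b"\x00" * 48        # three unused entries
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + table + MBR_SIGNATURE


# Constructed stand-in for a known-good boot code; a real baseline would be
# hashed from a clean machine with the same Windows version.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
CLEAN_BASELINE_SHA256 = hashlib.sha256(
    CLEAN_BOOT_CODE.ljust(BOOT_CODE_SIZE, b"\x00")).hexdigest()


if __name__ == "__main__":
    clean = parse_mbr(build_sample_mbr(CLEAN_BOOT_CODE), CLEAN_BASELINE_SHA256)
    # Same partition table, altered boot code: what a modified sector 0 looks like.
    altered = parse_mbr(build_sample_mbr(b"\x00\x00" + CLEAN_BOOT_CODE),
                        CLEAN_BASELINE_SHA256)
    print("clean  :", clean.signature_ok, clean.boot_code_matches_baseline, clean.partitions)
    print("altered:", altered.signature_ok, altered.boot_code_matches_baseline, altered.partitions)
```

The altered sample keeps the same partition table and a valid signature, so the volume and its files stay addressable; only the boot-code hash differs, which is exactly the region fixmbr replaces with a clean copy.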

Executed the MBR by typing fixmbr. It said it was successful. I took the CD out and hit exit and the CPU rebooted. Nothing looked the same or acted the same. I downloaded Combofix from both websites; however, when I run the program it disappears and a few seconds later gives me an error message saying !ALERT it is not safe to continue!

There is a note: You may be infected with a file patching virus 'Virut'


ComboFix 11-07-10.03 - end user 07/10/2011 15:54:49.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.658 [GMT -5:00]

Running from: c:\documents and settings\end user\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\end user\Application Data\PriceGong

c:\documents and settings\end user\Application Data\PriceGong\Data\1.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\a.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\b.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\c.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\d.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\e.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\f.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\g.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\h.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\i.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\J.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\k.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\l.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\m.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\n.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\o.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\p.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\q.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\r.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\s.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\t.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\u.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\v.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\w.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\x.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\y.xml

c:\documents and settings\end user\Application Data\PriceGong\Data\z.xml

c:\documents and settings\end user\GoToAssistDownloadHelper.exe

c:\documents and settings\end user\Start Menu\Programs\Windows XP Repair

c:\windows\assembly\GAC_MSIL\desktop.ini

c:\windows\Downloaded Program Files\ODCTOOLS

c:\windows\security\ofinkba.bak1

c:\windows\security\ofinkba.bak2

c:\windows\security\ofinkba.ini

c:\windows\security\ofinkba.ini2

c:\windows\security\ofinkba.tmp

c:\windows\system32\drivers\fad.sys

c:\windows\system32\dumphive.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

c:\windows\vb.ini

.

.

((((((((((((((((((((((((( Files Created from 2011-06-10 to 2011-07-10 )))))))))))))))))))))))))))))))

.

.

2011-07-08 14:31 . 2011-06-20 13:57 7074640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{255A6A6B-DADB-47CC-B97B-D1FC756B5BAA}\mpengine.dll

2011-07-08 14:25 . 2011-07-08 14:26 -------- d-----w- c:\program files\Microsoft Security Client

2011-07-08 14:16 . 2011-07-08 14:16 -------- d-----w- c:\documents and settings\end user\Local Settings\Application Data\uTorrentBar

2011-07-08 02:35 . 2011-07-08 02:35 388096 ----a-r- c:\documents and settings\end user\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-07-08 02:35 . 2011-07-08 02:35 -------- d-----w- c:\program files\HJT

2011-07-07 22:44 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 22:44 . 2011-07-07 22:44 -------- d-----w- c:\program files\Malwarebyter

2011-07-07 22:37 . 2011-05-29 14:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-07 22:23 . 2011-07-07 22:23 -------- d-----w- c:\documents and settings\end user\DoctorWeb

2011-07-07 19:02 . 2011-07-07 20:02 -------- d-----w- C:\backupfiles

2011-07-07 18:58 . 2011-07-07 18:58 -------- d-----w- c:\documents and settings\end user\Application Data\Ahead

2011-07-07 18:58 . 2011-07-07 18:58 -------- d-----w- c:\documents and settings\end user\Local Settings\Application Data\Ahead

2011-07-07 18:50 . 2011-07-08 14:22 -------- d-----w- c:\program files\Common Files\Ahead

2011-07-07 18:50 . 2011-07-07 18:50 -------- d-----w- c:\program files\Nero

2011-07-07 18:44 . 2011-07-07 18:45 -------- d-----w- c:\documents and settings\end user\Application Data\U3

2011-07-07 16:33 . 2011-05-25 00:14 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-07-07 16:01 . 2011-07-07 16:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2011-07-07 16:00 . 2011-07-07 16:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2011-07-06 18:47 . 2011-07-06 18:47 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2011-07-03 23:24 . 2011-07-03 23:24 -------- d--h--w- c:\documents and settings\end user\Application Data\DriverCure

2011-07-03 23:24 . 2011-07-03 23:24 -------- d--h--w- c:\documents and settings\end user\Application Data\ParetoLogic

2011-07-03 23:23 . 2011-07-08 14:15 -------- d--h--w- c:\documents and settings\All Users\Application Data\ParetoLogic

2011-07-03 23:21 . 2011-07-03 23:21 -------- d-----w- c:\program files\Trend Micro

2011-07-03 20:42 . 2011-07-03 20:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-07-03 19:48 . 2011-07-03 21:18 -------- d-----w- c:\program files\Malwarebytesrs

2011-07-03 15:27 . 2011-07-03 15:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search

2011-07-01 22:15 . 2011-07-01 22:15 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-06-16 14:16 . 2011-04-21 13:37 105472 ---h--w- c:\windows\system32\dllcache\mup.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-07 22:30 . 2004-08-11 22:00 384768 ----a-w- c:\windows\system32\drivers\update.sys

2011-05-23 17:51 . 2011-05-23 17:52 73728 ---ha-w- c:\windows\system32\javacpl.cpl

2011-05-23 17:51 . 2011-05-23 17:52 472808 ---ha-w- c:\windows\system32\deployJava1.dll

2011-05-02 15:31 . 2004-08-11 22:12 692736 ---ha-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25 . 2004-08-11 22:00 151552 ---ha-w- c:\windows\system32\schannel.dll

2011-04-29 16:19 . 2005-10-21 23:28 456320 ---ha-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2004-08-11 22:00 916480 ---ha-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2004-08-11 22:00 43520 ---ha-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2004-08-11 22:00 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2004-08-11 22:00 385024 ---ha-w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2004-08-11 22:00 105472 ---ha-w- c:\windows\system32\drivers\mup.sys

2011-04-20 15:12 . 2005-12-19 19:15 365456 ---ha-w- c:\windows\Unwash6.exe

2006-12-29 17:23 . 2006-12-29 17:23 774144 ----a-w- c:\program files\RngInterstitial.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2009-12-11 21:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-12-22 07:57 35760 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

2004-04-26 13:04 53248 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]

2010-11-30 18:20 997408 ----a-w- c:\program files\Microsoft Security Client\msseces.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"osppsvc"=3 (0x3)

"ose"=3 (0x3)

"Microsoft SharePoint Workspace Audit Service"=3 (0x3)

"idsvc"=3 (0x3)

"IDriverT"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=

"c:\\Program Files\\HP\\HP Officejet 9100 series\\Toolbox\\HPWKTBX.exe"=

"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=

"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=

"c:\\Program Files\\Microsoft Security Client\\msseces.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Documents and Settings\\end user\\Application Data\\U3\\01650218F400EF2D\\LaunchPad.exe"=

"c:\\Documents and Settings\\end user\\Local Settings\\Apps\\2.0\\2333KQCJ.V19\\9R0C6RW6.AG4\\poin..tion_d0c2e8166a83378f_0001.0000_df1681a2242bc9da\\PointStarter.exe"=

"c:\\WINPOINT\\Winpoint.exe"=

"c:\\Program Files\\Malwarebyter\\mbam.exe"=

.

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [10/21/2005 6:29 PM 80384]

S2 Diskeeper Administrator;Diskeeper Administrator;"c:\program files\Diskeeper Corporation\Diskeeper Administrator\DKSAdmin.exe" --> c:\program files\Diskeeper Corporation\Diskeeper Administrator\DKSAdmin.exe [?]

S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]

S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [6/4/2011 7:29 PM 98984]

S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\Drivers\ubVeo532.sys --> c:\windows\system32\Drivers\ubVeo532.sys [?]

S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\hpzs2k12.sys [11/23/2003 5:07 PM 50360]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/7/2011 5:44 PM 39984]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]

S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [12/26/2009 6:34 PM 114704]

S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [3/23/2010 7:56 PM 54416]

S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [3/23/2010 7:56 PM 160272]

S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [3/23/2010 7:56 PM 160272]

S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [3/23/2010 7:56 PM 11920]

S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [3/23/2010 7:56 PM 113680]

S3 SEM43XX;Sony Ericsson 802.11 Wireless LAN Adapter Driver SEM43XX;c:\windows\system32\drivers\semwl5.SYS [1/2/2005 11:49 PM 371584]

S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [1/2/2005 11:32 PM 106624]

S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [1/2/2005 11:32 PM 52992]

S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~2\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 4:43 PM 32408]

S3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;c:\windows\system32\drivers\GCXXSC.sys [12/21/2004 12:33 PM 19328]

S4 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 6:51 PM 30963576]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

2007-06-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 20:42]

.

2011-07-10 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]

.

2011-07-10 c:\windows\Tasks\MpIdleTask.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]

.

2011-07-10 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 04:18]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search/msie?p={searchTerms}&ei=UTF-8

uStart Page = hxxp://www.google.com/

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{8FDB8E57-BF36-43D2-878C-17AF4FE5F6A7}: NameServer = 4.2.2.2,4.2.2.6

DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F127} - hxxp://www.swiftview.com/product/public/svinstall_green.exe

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

Notify-luuyioot - luuyioot.dll

Notify-NavLogon - (no file)

SafeBoot-75089108.sys

MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe

MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

MSConfigStartUp-T-Mobile Connection Manager - c:\program files\T-Mobile\Connection Manager\TMobileCM.exe

AddRemove-HijackThis - f:\apps\HijackThis.exe

AddRemove-Power Commander 3 Usb_is1 - c:\pwrcmdr\unins000.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-10 16:00

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\ *z*0 ]

"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

.

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\È*~*0 ]

"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

.

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\¬ *©*]

"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

.

[HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\Root\*PNPc7da\0000]

@DACL=(02 0000)

"Service"="1129937788"

"ClassGUID"="{4D36E97D-E325-11CE-BFC1-08002BE10318}"

"Class"="System"

"DeviceDesc"="PCI bus"

"Mfg"="Technologies Inc"

"LocationInformation"="on Microsoft ACPI-Compliant System"

"ConfigFlags"=dword:00000000

"Capabilities"=dword:00000000

.

Completion time: 2011-07-10 16:03:56

ComboFix-quarantined-files.txt 2011-07-10 21:03

.

Pre-Run: 47,855,702,016 bytes free

Post-Run: 48,002,637,824 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 40A41BC01D09B0809B8EB6F91C3D6BC8


Hi again, that is looking a lot better! :) Do you have any problems left?

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:

  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other toolbar you are offered.
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the "click here to download" link on the next page.
  • Remove all older versions of Adobe Reader: go to Add/Remove Programs and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 6.
  • Look for "JDK 6 Update 26 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-6u26-windows-i586.exe
  • Save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double-clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

MALWAREBYTES ANTIMALWARE

-------------------------------------------

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 1

alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


I am not sure if you can help me, but since all this has taken place and items were moved and/or hidden by the virus, I do not know how to get items back into my program folders that now say empty, and I do not know what items to hide in folders that are now unhidden. For example (thumbs.db).

I also have all the programs I was attempting to download, like anti-malware, HijackThis etc., that are on my desktop. If I try to remove them it says "Cannot delete: Access is denied. Make sure the disk is not full or write protected and that the file is not currently in use."

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 7114

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/13/2011 12:32:01 PM

mbam-log-2011-07-13 (12-32-01).txt

Scan type: Full scan (C:\|)

Objects scanned: 270737

Time elapsed: 1 hour(s), 25 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


2011-07-10 21:02:41 . 2011-07-10 21:02:41 1,704 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Power Commander 3 Usb_is1.reg.dat

2011-07-10 21:02:41 . 2011-07-10 21:02:41 770 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat

2011-07-10 21:02:21 . 2011-07-10 21:02:21 680 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-T-Mobile Connection Manager.reg.dat

2011-07-10 21:02:21 . 2011-07-10 21:02:21 634 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-NeroFilterCheck.reg.dat

2011-07-10 21:02:21 . 2011-07-10 21:02:21 612 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-iTunesHelper.reg.dat

2011-07-10 21:02:21 . 2011-07-10 21:02:21 716 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}.reg.dat

2011-07-10 21:02:21 . 2011-07-10 21:02:21 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-75089108.sys.reg.dat

2011-07-10 21:02:19 . 2011-07-10 21:02:19 306 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-NavLogon.reg.dat

2011-07-10 21:02:19 . 2011-07-10 21:02:19 582 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-luuyioot.reg.dat

2011-07-10 21:02:12 . 2011-07-10 21:02:12 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}.reg.dat

2011-07-10 20:58:44 . 2011-07-10 20:58:44 18,356 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2011-07-10 20:49:25 . 2011-07-10 20:49:25 51 ----a-w- C:\Qoobox\Quarantine\catchme.log

2011-06-09 15:35:13 . 2011-06-09 15:35:19 103,720 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\GoToAssistDownloadHelper.exe.vir

2011-02-17 15:28:20 . 2011-02-18 16:53:47 2,664 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\mru.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 23,296 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\1.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 125,672 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\a.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 165,160 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\b.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 172,176 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\c.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 105,704 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\d.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 108,920 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\e.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 60,048 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\f.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 70,624 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\g.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 52,920 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\h.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 48,336 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\i.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 28,000 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\J.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 28,080 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\k.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 69,168 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\l.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 104,888 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\m.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 36,808 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\n.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 41,072 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\o.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 96,480 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\p.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 4,440 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\q.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 36,768 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\r.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 159,760 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\s.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 95,664 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\t.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 20,960 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\u.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 30,528 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\v.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 43,520 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\w.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 2,888 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\x.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 10,744 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\y.xml.vir

2011-01-05 12:02:22 . 2011-01-05 12:02:22 11,648 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\end user\Application Data\PriceGong\Data\z.xml.vir

2008-04-23 18:19:12 . 2008-04-23 18:23:58 1,334 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp.reg.vir

2008-04-23 18:18:40 . 2007-10-04 05:36:46 25,600 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\WS2Fix.exe.vir

2008-04-23 18:18:39 . 2007-09-06 05:22:23 289,144 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\VCCLSID.exe.vir

2008-04-23 18:18:39 . 2004-07-31 23:50:36 51,200 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dumphive.exe.vir

2008-04-23 18:18:39 . 2006-04-27 22:49:30 288,417 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SrchSTS.exe.vir

2008-04-23 18:18:39 . 2003-06-06 02:13:00 53,248 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir

2006-11-05 06:32:21 . 2006-11-18 06:18:53 1,496,826 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\security\ofinkba.ini2.vir

2006-11-05 06:32:21 . 2006-11-03 19:24:50 1,487,161 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\security\ofinkba.ini.vir

2006-11-05 06:22:05 . 2006-11-05 06:27:20 1,492,051 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\security\ofinkba.tmp.vir

2006-11-03 05:01:08 . 2006-11-07 03:57:41 1,487,450 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\security\ofinkba.bak2.vir

2006-11-02 17:00:09 . 2006-11-02 17:00:09 1,486,406 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\security\ofinkba.bak1.vir

2004-08-11 22:12:00 . 2004-08-11 22:12:02 36 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\vb.ini.vir

2003-01-30 16:52:48 . 2003-01-30 16:52:48 12,073 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\fad.sys.vir


Hi, it is possible to recreate the shortcuts, but you will have to do that manually, unfortunately. See the spoiler link below (it's a fairly long set of instructions).

You can restore the defaults for the Start Menu, Accessories and Administrative Tools as follows:

To manually recreate "All Programs" entries, follow these steps...

  • Download App Paths
  • Double click on AppPaths.exe to run the program.
  • Keep the program open.

In this example I'll recreate an entry for Avast antivirus program.

  • Go Start>All Programs.
  • Right click on Avast entry, click "Properties".


NOTE. Make sure, you right click on Avast program, NOT on Avast folder.

  • You'll see this window:


Due to the damage caused by the infection, you'll find "Target" box empty.

  • Go back to AppPaths window and find Avast entry.
  • Right click on Avast line, click "Edit".
  • A pop-up window will open:


  • Highlight everything in "Path" box, right click on it, click "Copy"
  • Go back to Avast "Properties" window, right click inside "Target" box, click "Paste".
  • IMPORTANT! Add quotation marks at the beginning of the path and at the end
  • Click OK and you're done.


In case the program's link shows as (empty):


  • Open Windows Explorer, navigate to Avast folder in Program Files
  • Right click on Avast ".exe" file, click "Create shortcut":


  • Copy that shortcut, go back to Start menu.
  • Right click on avast!Free Antivirus, click "Paste".
  • You'll see Avast shortcut recreated replacing (empty) entry.

Alternatively....

...you paste that shortcut in:

(XP) - C:\Documents and Settings\All Users\Start Menu\Programs\Avast

(Vista/7) - C:\Program Data\Start Menu\Programs\Avast

Next, let's see what we can do about these tools. :)

We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).

* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.


Junction v1.06 - Windows junction creator and reparse point viewer

Copyright © 2000-2010 Mark Russinovich

Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

...

...

...

...

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\CacheManager\MpScanCache-1.bin: Access is denied.

.

Failed to open \\?\c:\\Documents and Settings\All Users\Desktop\HijackThis.exe: Access is denied.

..

...

..

Failed to open \\?\c:\\Documents and Settings\end user\Desktop\3nx114s8.exe: Access is denied.

.

...

Failed to open \\?\c:\\Documents and Settings\end user\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db: Access is denied.

Failed to open \\?\c:\\Documents and Settings\end user\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db.shadow: Access is denied.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

.

Failed to open \\?\c:\\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe: Access is denied.

..

...

...

...

.

Failed to open \\?\c:\\Program Files\Registry Repair\regrepair.exe: Access is denied.

.

Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\TeaTimer.exe: Access is denied.

.

..

Failed to open \\?\c:\\Program Files\Symantec AntiVirus\VPC32.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Trend Micro\HiJackThis\HiJackThis.exe: Access is denied.

.

.

Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.

..

...

...

...

...

...

...

...

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

...

...

...

...

...

...

...

...

...

...

...

...

...

...

.


Hi again, the following steps should restore the file permissions for all affected files (including the two on your desktop).

We need to reset the permissions altered by the malware on a file.

  • Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
  • Go to Start => Run => Copy and paste the first of the following lines into the Run box and click OK (then repeat for each remaining line):

    "%userprofile%\desktop\inherit" "c:\Documents and Settings\All Users\Desktop\HijackThis.exe"

    "%userprofile%\desktop\inherit" "c:\Documents and Settings\end user\Desktop\3nx114s8.exe"

    "%userprofile%\desktop\inherit" "c:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"

    "%userprofile%\desktop\inherit" "c:\Program Files\Registry Repair\regrepair.exe"

    "%userprofile%\desktop\inherit" "c:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

    "%userprofile%\desktop\inherit" "c:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

    "%userprofile%\desktop\inherit" "c:\Program Files\Symantec AntiVirus\VPC32.exe"

    "%userprofile%\desktop\inherit" "c:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe"


  • If you get a security warning select Run.
  • You will get a "Finish" popup. Click OK.

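The Junction-log-to-Inherit step above, automated as an added example that is not part of the thread or of the Sysinternals tool: it parses Junction output in the format posted, collects the files Junction could not open because access was denied, produces the Inherit.exe command lines in the form the helper wrote them, and flags reparse points that do not fit the GAC-to-WinSxS pattern seen in the log. The sample log, the inherit launcher path and the WinSxS heuristic are constructed assumptions of this example.

```python
"""Parse a Sysinternals `junction -s c:\\` log and derive the permission-repair
commands. Added example; the sample log is constructed in the shape of the
lines posted in this thread."""
import re
from dataclasses import dataclass, field

# Constructed sample input, modelled on the posted Junction log.
SAMPLE_LOG = r"""Junction v1.06 - Windows junction creator and reparse point viewer
Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
...
Failed to open \\?\c:\\Documents and Settings\All Users\Desktop\HijackThis.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\TeaTimer.exe: Access is denied.
\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
\\?\c:\\Documents and Settings\end user\Desktop\example: JUNCTION
Print Name : C:\Temp
Substitute Name: C:\Temp
"""

FAILED_RE = re.compile(r"^Failed to open (?P<path>.+?): (?P<reason>.+?)\.?$")
JUNCTION_RE = re.compile(r"^(?P<path>.+): JUNCTION$")
TARGET_RE = re.compile(r"^Substitute Name:\s*(?P<target>.+)$")

# Assumed launcher path, as used in the helper's post (Inherit.exe saved on the desktop).
INHERIT = r'"%userprofile%\desktop\inherit"'


@dataclass
class JunctionReport:
    access_denied: list = field(default_factory=list)   # paths with broken ACLs
    other_failures: list = field(default_factory=list)  # (path, reason), e.g. files in use
    junctions: list = field(default_factory=list)       # (junction path, target)


def normalize(path):
    """Turn Junction's `\\\\?\\c:\\\\...` extended-length form into a plain `c:\\...` path."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return path.replace("\\\\", "\\")


def parse_junction_log(text):
    report = JunctionReport()
    pending = None  # junction path waiting for its "Substitute Name" line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"."}:
            continue  # blank lines and Junction's progress dots
        m = FAILED_RE.match(line)
        if m:
            path = normalize(m.group("path"))
            if m.group("reason") == "Access is denied":
                report.access_denied.append(path)
            else:
                report.other_failures.append((path, m.group("reason")))
            continue
        m = JUNCTION_RE.match(line)
        if m:
            pending = normalize(m.group("path"))
            continue
        m = TARGET_RE.match(line)
        if m and pending:
            report.junctions.append((pending, m.group("target")))
            pending = None
    return report


def inherit_commands(paths, inherit=INHERIT):
    """One Run-box line per access-denied file, in the exact form the helper posted."""
    return [f'{inherit} "{p}"' for p in paths]


def unexpected_junctions(report):
    """Heuristic (assumption): a junction from the .NET GAC into WinSxS is expected;
    anything else deserves a look during cleanup."""
    flagged = []
    for path, target in report.junctions:
        gac = path.lower().startswith(r"c:\windows\assembly" + "\\")
        winsxs = target.lower().startswith(r"c:\windows\winsxs" + "\\")
        if not (gac and winsxs):
            flagged.append((path, target))
    return flagged


if __name__ == "__main__":
    rep = parse_junction_log(SAMPLE_LOG)
    for cmd in inherit_commands(rep.access_denied):
        print(cmd)
    for path, target in unexpected_junctions(rep):
        print(f"review junction: {path} -> {target}")
```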

  • 4 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
