
omg. Can't open any programs or run any virus scans, what the heck do I do

Discussion in 'Virus & Other Malware Removal' started by xxmjwxx823, Apr 10, 2010.

  1. xxmjwxx823

    xxmjwxx823 Thread Starter

    Joined:
    Nov 8, 2008
    Messages:
    39
    Idk what to do. I got a virus a few days ago and haven't been able to use my comp since. I can log in, but get no connection and can't open programs. Like if I try to open Firefox it asks what program I would like to run it from, and it's weird. Nothing works. My iTunes also cannot be found along with every other program. No idea how to fix. Please help.
     
  2. xxmjwxx823

    xxmjwxx823 Thread Starter

    Joined:
    Nov 8, 2008
    Messages:
    39
    Also a lot of times it says windows/system32/rundll32.exe...... Application not found. Any help would be greatly appreciated.
     
  3. xxmjwxx823

    xxmjwxx823 Thread Starter

    Joined:
    Nov 8, 2008
    Messages:
    39
    Also just tried the recovery disk for Windows XP. I went thru the whole process but it didn't change a thing. Is that what's supposed to happen?
     
  4. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Hello there :cool: Welcome to the TSG Forums.
    My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.


    Please note the following:
    • The fixes are specific to your problem and should only be used on this machine.
    • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
    • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • Please reply to this thread. Do not start a new topic.


    Step 1

    Please download exeHelper to your desktop.
    Double-click on exeHelper.com to run the fix.
    A black window should pop up, press any key to close once the fix is completed.
    Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



    Step 2

    Download OTS to your Desktop

    • Close ALL OTHER PROGRAMS.
    • Double-click on OTS.exe to start the program.
    • Check the box that says Scan All Users
    • Under Basic Scans please change the radio button under Registry from Safe List to All.
    • Under Additional Scans check the following:
      • Reg - Desktop Components
      • Reg - Disabled MS Config Items
      • Reg - NetSvcs
      • Reg - Shell Spawning
      • Reg - Uninstall List
      • File - Lop Check
      • File - Purity Scan
      • Evnt - EvtViewer (last 10)
    • Please paste the contents of the following codebox into the Custom Scans box at the bottom
    Code:
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    • Now click the Run Scan button on the toolbar.
    • Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
    Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

    Step 3

    GMER Rootkit Scanner
    Please download GMER from one of the following locations and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zipped Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
    • Disconnect from the Internet and close all running programs. Make sure you disable your security programs as well, as they may interfere with the program.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
    • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable your security programs when done.
     
  5. xxmjwxx823

    xxmjwxx823 Thread Starter

    Joined:
    Nov 8, 2008
    Messages:
    39
    Thank you very much for the help. I did all those steps and have included the logs.
     


  6. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Good Job. Please do the following now:


    NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop



    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
    • Double click on ComboFix.exe & follow the prompts.

      Note: Combofix will run without the Recovery Console installed.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [​IMG]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. An increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  7. xxmjwxx823

    xxmjwxx823 Thread Starter

    Joined:
    Nov 8, 2008
    Messages:
    39
    ComboFix 10-04-12.07 - Waski 04/13/2010 11:43:31.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.526 [GMT -4:00]
    Running from: c:\documents and settings\Waski\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\system32\_000229_.tmp.dll

    ----- BITS: Possible infected sites -----

    hxxp://suwus1.syr.edu
    .
    ((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
    .

    2010-04-12 03:51 . 2010-04-12 09:00 -------- d-----w- c:\windows\LastGood
    2010-04-11 01:44 . 2005-12-14 04:40 135168 ----a-w- c:\windows\system32\igfxres.dll
    2010-04-11 01:34 . 2004-08-04 10:00 9728 -c--a-w- c:\windows\system32\dllcache\query.exe
    2010-04-11 01:33 . 2004-08-04 10:00 257024 -c--a-w- c:\windows\system32\dllcache\infocomm.dll
    2010-04-11 01:32 . 2004-08-04 10:00 838144 -c--a-w- c:\windows\system32\dllcache\chtbrkr.dll
    2010-04-11 01:16 . 2004-08-04 10:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
    2010-04-11 01:16 . 2004-08-04 10:00 13312 ----a-w- c:\windows\system32\irclass.dll
    2010-04-11 01:16 . 2004-08-04 10:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
    2010-04-11 01:16 . 2004-08-04 10:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
    2010-04-06 15:26 . 2010-04-06 15:26 52224 ----a-w- c:\documents and settings\Waski\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-04-06 15:26 . 2010-04-06 15:26 117760 ----a-w- c:\documents and settings\Waski\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-04-06 15:25 . 2010-04-06 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-04-06 15:25 . 2010-04-06 15:25 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-06 15:25 . 2010-04-06 15:25 -------- d-----w- c:\documents and settings\Waski\Application Data\SUPERAntiSpyware.com
    2010-04-06 15:21 . 2010-04-06 15:21 503808 ----a-w- c:\documents and settings\Waski\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4081861e-n\msvcp71.dll
    2010-04-06 15:21 . 2010-04-06 15:21 499712 ----a-w- c:\documents and settings\Waski\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4081861e-n\jmc.dll
    2010-04-06 15:21 . 2010-04-06 15:21 348160 ----a-w- c:\documents and settings\Waski\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4081861e-n\msvcr71.dll
    2010-04-06 15:21 . 2010-04-06 15:21 61440 ----a-w- c:\documents and settings\Waski\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3f14f961-n\decora-sse.dll
    2010-04-06 15:21 . 2010-04-06 15:21 12800 ----a-w- c:\documents and settings\Waski\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3f14f961-n\decora-d3d.dll
    2010-04-06 15:12 . 2010-02-24 14:16 181632 ----a-w- c:\windows\system32\MpSigStub.exe
    2010-04-06 15:03 . 2010-04-06 15:51 201216 --sha-w- c:\documents and settings\Waski\Local Settings\Application Data\1585116398.dll
    2010-03-24 21:04 . 2010-04-12 04:21 -------- d-----w- c:\documents and settings\Waski\Local Settings\Application Data\PMB Files
    2010-03-24 21:04 . 2010-03-24 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
    2010-03-24 21:03 . 2010-03-24 21:03 -------- d-----w- c:\program files\Pando Networks

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-11 01:28 . 2004-08-11 22:12 23412 -c--a-w- c:\windows\system32\emptyregdb.dat
    2010-04-11 01:27 . 2010-04-11 01:27 1663 ----a-w- c:\windows\inf\COMC1.tmp
    2010-04-11 00:37 . 2010-04-11 00:37 1663 ----a-w- c:\windows\inf\COM143.tmp
    2010-04-06 15:21 . 2006-04-16 18:26 -------- d-----w- c:\program files\Java
    2010-03-13 18:17 . 2009-06-06 03:17 -------- d-----w- c:\program files\Full Tilt Poker
    2010-03-12 19:01 . 2009-10-17 17:08 -------- d-----w- c:\program files\thinkorswim
    2010-03-09 08:28 . 2008-11-08 15:25 411368 -c--a-w- c:\windows\system32\deploytk.dll
    2010-03-08 00:50 . 2008-01-06 20:32 -------- d-----w- c:\program files\PokerStars
    2010-03-04 17:27 . 2008-02-21 18:23 -------- d-----w- c:\program files\Diablo II
    2010-02-23 00:13 . 2010-03-12 23:15 52224 ----a-w- c:\documents and settings\Waski\Application Data\Mozilla\Firefox\Profiles\hf32hlgp.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    2010-02-23 00:13 . 2010-03-12 23:15 101376 ----a-w- c:\documents and settings\Waski\Application Data\Mozilla\Firefox\Profiles\hf32hlgp.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    2010-02-15 03:25 . 2010-02-15 03:25 50354 ----a-w- c:\documents and settings\Waski\Application Data\Facebook\uninstall.exe
    2010-02-15 03:25 . 2010-02-15 03:25 -------- d-----w- c:\documents and settings\Waski\Application Data\Facebook
    2010-02-13 02:58 . 2006-08-24 17:16 -------- d-----w- c:\documents and settings\Waski\Application Data\Apple Computer
    2010-02-13 02:57 . 2007-07-13 13:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Waski\Application Data\Facebook\axfbootloader.dll
    2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Waski\Application Data\Facebook\npfbplugin_1_0_1.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
    "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
    "Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-03-24 2937528]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShowLOMControl"="" [X]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-10-24 206112]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-08 176128]
    "AEXAgentEXE"="c:\program files\Altiris\eXpress\Client Recovery Agent\AeXAgent.exe" [2003-10-21 1765376]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
    "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-11-17 397312]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-16 24576]
    SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2009-3-31 297240]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Diablo II\\Diablo II.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Full Tilt Poker\\FullTiltPoker.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6112:TCP"= 6112:TCP:Diablo
    "6112:UDP"= 6112:UDP:Diablo2
    "58511:TCP"= 58511:TCP:pando Media Booster
    "58511:UDP"= 58511:UDP:pando Media Booster

    R0 OfmLvDrv;OfmLvDrv;c:\windows\system32\drivers\ofmlvdrv.sys [9/11/2003 07:10 PM 80691]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/15/2009 01:10 AM 28544]
    R0 WNT_FAL;Altiris Client Recovery FAL Driver;c:\windows\system32\drivers\WNT_FAL.sys [10/21/2003 01:33 PM 26112]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
    R2 Altiris Client Recovery Agent;Altiris Client Recovery Agent;c:\program files\Altiris\eXpress\Client Recovery Agent\AeXAgent.exe [10/21/2003 01:20 PM 1765376]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/24/2008 10:41 PM 24652]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 07:19 PM 13592]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
    S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/4/2006 11:26 PM 716272]
    S1 rmcastt;rmcastt;c:\windows\system32\drivers\rmcastt.sys --> c:\windows\system32\drivers\rmcastt.sys [?]
    S2 Altiris Client Recovery FAL Stopper;Altiris Client Recovery FAL Stopper;c:\program files\Altiris\eXpress\Client Recovery Agent\AeXFALS.exe [10/21/2003 01:32 PM 40960]
    S2 SCManager;SafeConnect Manager;c:\program files\SafeConnect\scManager.sys servicestart --> c:\program files\SafeConnect\scManager.sys servicestart [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - BITS
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-10 c:\windows\Tasks\AeX Local Job 6478.job
    - c:\program files\Altiris\eXpress\Client Recovery Agent\AeXCmd.exe [2003-10-21 17:22]

    2010-04-13 c:\windows\Tasks\AeX Local Job 6489.job
    - c:\program files\Altiris\eXpress\Client Recovery Agent\AeXCmd.exe [2003-10-21 17:22]

    2010-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-04-13 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Waski\Application Data\Mozilla\Firefox\Profiles\hf32hlgp.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
    FF - prefs.js: browser.search.selectedEngine - AIM Search
    FF - prefs.js: browser.startup.homepage - hxxp://games.espn.go.com/frontpage
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
    FF - component: c:\documents and settings\Waski\Application Data\Mozilla\Firefox\Profiles\hf32hlgp.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\Waski\Application Data\Mozilla\Firefox\Profiles\hf32hlgp.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - plugin: c:\documents and settings\Waski\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\Waski\Application Data\Mozilla\Firefox\Profiles\hf32hlgp.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPStreamPlug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
    AddRemove-ActiveScan 2.0 - c:\program files\Panda Security\ActiveScan 2.0\as2uninst.exe
    AddRemove-CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3 - c:\program files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE
    AddRemove-PConPoint_is1 - c:\program files\PConPoint\unins000.exe
    AddRemove-Ruckus Network Client - c:\progra~1\RUCKUS~1\UNWISE.EXE



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-13 11:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\ *! <*]
    "Path"="c:\\Documents and Settings\\Waski\\Application Data\\Intel\\Wireless\\"

    [HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\¬ y*2*]
    "Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(688)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\documents and settings\Waski\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    c:\documents and settings\Waski\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    c:\windows\system32\igfxdev.dll
    .
    Completion time: 2010-04-13 11:53:32
    ComboFix-quarantined-files.txt 2010-04-13 15:53

    Pre-Run: 38,317,883,392 bytes free
    Post-Run: 38,725,259,264 bytes free

    Current=2 Default=2 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
    - - End Of File - - 66FE8EFCFFE0798366C38D344744557A
     
  8. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Alright. Please do the following:

    1. Close any open programs before running the fix.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

    Code:
    File::
    c:\documents and settings\Waski\Local Settings\Application Data\1585116398.dll
    c:\windows\system32\drivers\rmcastt.sys

    Driver::
    rmcastt

    NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

    Save this as CFScript.txt, in the same location as ComboFix.exe


    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




    Also, please copy and paste the contents of C:\QooBox\ComboFix-quarantined-files.txt here for me. It seems as if this isn't the first time you ran this program and it needs to be removed properly after its use. Make sure you follow my cleanup instructions when I give them to you later.
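    As an added illustration (not ComboFix's or NeonFx's own code) of why those two entries were picked out of the log above, the script below applies two triage rules to ComboFix-style lines: a hidden+system file with a purely numeric name under a user profile, and a boot/system-start driver whose image is no longer on disk. The sample lines are copied from the log posted in this thread; the severity scheme and regexes are my own assumptions about the format.

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix code)."""
import re
from typing import List, NamedTuple, Optional

# Lines copied from the ComboFix log posted earlier in this thread (sample input).
SAMPLE_LOG = r"""
2010-04-06 15:12 . 2010-02-24 14:16 181632 ----a-w- c:\windows\system32\MpSigStub.exe
2010-04-06 15:03 . 2010-04-06 15:51 201216 --sha-w- c:\documents and settings\Waski\Local Settings\Application Data\1585116398.dll
2010-03-24 21:03 . 2010-03-24 21:03 -------- d-----w- c:\program files\Pando Networks
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/15/2009 01:10 AM 28544]
S1 rmcastt;rmcastt;c:\windows\system32\drivers\rmcastt.sys --> c:\windows\system32\drivers\rmcastt.sys [?]
S2 SCManager;SafeConnect Manager;c:\program files\SafeConnect\scManager.sys servicestart --> c:\program files\SafeConnect\scManager.sys servicestart [?]
"""

# "<created> . <modified> <size|--------> <attrs> <path>" from the Files Created / Find3M sections.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# "<start> <name>;<display>;<image> ..." from the drivers/services list.
SERVICE_LINE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]+);(?P<rest>.+)$")
# Per-user data directories on XP, where a system DLL has no business living.
USER_PROFILE_DATA = re.compile(
    r"^c:\\documents and settings\\[^\\]+\\(local settings\\)?application data\\", re.I
)
# Drivers with these start types load before any user logs on (assumed mapping).
EARLY_START = ("R0", "R1", "S0", "S1")


class Finding(NamedTuple):
    severity: str
    reason: str
    path: str


def check_file_entry(m: "re.Match") -> Optional[Finding]:
    """Flag hidden+system files with random-looking numeric names in a user profile."""
    attrs, path = m.group("attrs"), m.group("path")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    hidden_system = "h" in attrs and "s" in attrs
    if hidden_system and stem.isdigit() and USER_PROFILE_DATA.match(path):
        return Finding("high", "hidden+system file with numeric name in user profile", path)
    return None


def check_service_entry(m: "re.Match") -> Optional[Finding]:
    """Flag services whose image is missing; early-start drivers rank highest."""
    start, rest = m.group("start"), m.group("rest")
    # ComboFix prints "<image> --> <image> [?]" when the referenced file is absent.
    if "-->" in rest and rest.rstrip().endswith("[?]"):
        image = rest.split(" -->", 1)[0].strip()
        severity = "high" if start in EARLY_START else "low"
        return Finding(severity, f"{start} service image not found on disk", image)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run both rules over every line and return the findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        finding = check_file_entry(m) if m else None
        if finding is None:
            m = SERVICE_LINE.match(line)
            finding = check_service_entry(m) if m else None
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}: {f.path}")
```

    Run on the sample, the two high-severity findings are exactly the DLL and driver named in the CFScript above, while the SafeConnect entry with the same "[?]" marker is only ranked low because it is an S2 service.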
     
  9. xxmjwxx823

    xxmjwxx823 Thread Starter

    Joined:
    Nov 8, 2008
    Messages:
    39
    ComboFix 10-04-19.08 - Waski 04/20/2010 21:28:46.6.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.478 [GMT -4:00]
    Running from: c:\documents and settings\Waski\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Waski\Desktop\CFScript.txt.txt
    AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

    FILE ::
    "c:\documents and settings\Waski\Local Settings\Application Data\1585116398.dll"
    "c:\windows\system32\drivers\rmcastt.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\Waski\Local Settings\Application Data\1585116398.dll

    ----- BITS: Possible infected sites -----

    hxxp://suwus1.syr.edu
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_RMCASTT
    -------\Service_rmcastt


    ((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
    .

    2010-04-11 01:44 . 2005-12-14 04:40 135168 ----a-w- c:\windows\system32\igfxres.dll
    2010-04-11 01:34 . 2004-08-04 10:00 9728 -c--a-w- c:\windows\system32\dllcache\query.exe
    2010-04-11 01:33 . 2004-08-04 10:00 257024 -c--a-w- c:\windows\system32\dllcache\infocomm.dll
    2010-04-11 01:32 . 2004-08-04 10:00 838144 -c--a-w- c:\windows\system32\dllcache\chtbrkr.dll
    2010-04-11 01:16 . 2004-08-04 10:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
    2010-04-11 01:16 . 2004-08-04 10:00 13312 ----a-w- c:\windows\system32\irclass.dll
    2010-04-11 01:16 . 2004-08-04 10:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
    2010-04-11 01:16 . 2004-08-04 10:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
    2010-04-06 15:25 . 2010-04-06 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-04-06 15:25 . 2010-04-06 15:25 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-06 15:25 . 2010-04-06 15:25 -------- d-----w- c:\documents and settings\Waski\Application Data\SUPERAntiSpyware.com
    2010-04-06 15:12 . 2010-02-24 14:16 181632 ----a-w- c:\windows\system32\MpSigStub.exe
    2010-03-24 21:04 . 2010-04-20 19:41 -------- d-----w- c:\documents and settings\Waski\Local Settings\Application Data\PMB Files
    2010-03-24 21:04 . 2010-03-24 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
    2010-03-24 21:03 . 2010-03-24 21:03 -------- d-----w- c:\program files\Pando Networks

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-21 01:36 . 2009-10-15 20:49 -------- d-----w- c:\program files\SafeConnect
    2010-04-11 01:28 . 2004-08-11 22:12 23412 -c--a-w- c:\windows\system32\emptyregdb.dat
    2010-04-11 01:27 . 2010-04-11 01:27 1663 ----a-w- c:\windows\inf\COMC1.tmp
    2010-04-11 00:37 . 2010-04-11 00:37 1663 ----a-w- c:\windows\inf\COM143.tmp
    2010-04-06 15:26 . 2010-04-06 15:26 52224 ----a-w- c:\documents and settings\Waski\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-04-06 15:26 . 2010-04-06 15:26 117760 ----a-w- c:\documents and settings\Waski\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-04-06 15:21 . 2010-04-06 15:21 503808 ----a-w- c:\documents and settings\Waski\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4081861e-n\msvcp71.dll
    2010-04-06 15:21 . 2010-04-06 15:21 499712 ----a-w- c:\documents and settings\Waski\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4081861e-n\jmc.dll
    2010-04-06 15:21 . 2010-04-06 15:21 348160 ----a-w- c:\documents and settings\Waski\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4081861e-n\msvcr71.dll
    2010-04-06 15:21 . 2010-04-06 15:21 61440 ----a-w- c:\documents and settings\Waski\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3f14f961-n\decora-sse.dll
    2010-04-06 15:21 . 2010-04-06 15:21 12800 ----a-w- c:\documents and settings\Waski\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3f14f961-n\decora-d3d.dll
    2010-04-06 15:21 . 2006-04-16 18:26 -------- d-----w- c:\program files\Java
    2010-03-13 18:17 . 2009-06-06 03:17 -------- d-----w- c:\program files\Full Tilt Poker
    2010-03-12 19:01 . 2009-10-17 17:08 -------- d-----w- c:\program files\thinkorswim
    2010-03-09 08:28 . 2008-11-08 15:25 411368 -c--a-w- c:\windows\system32\deploytk.dll
    2010-03-08 00:50 . 2008-01-06 20:32 -------- d-----w- c:\program files\PokerStars
    2010-03-04 17:27 . 2008-02-21 18:23 -------- d-----w- c:\program files\Diablo II
    2010-02-23 00:13 . 2010-03-12 23:15 52224 ----a-w- c:\documents and settings\Waski\Application Data\Mozilla\Firefox\Profiles\hf32hlgp.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    2010-02-23 00:13 . 2010-03-12 23:15 101376 ----a-w- c:\documents and settings\Waski\Application Data\Mozilla\Firefox\Profiles\hf32hlgp.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    2010-02-15 03:25 . 2010-02-15 03:25 50354 ----a-w- c:\documents and settings\Waski\Application Data\Facebook\uninstall.exe
    2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Waski\Application Data\Facebook\axfbootloader.dll
    2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Waski\Application Data\Facebook\npfbplugin_1_0_1.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
    "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
    "Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-03-24 2937528]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShowLOMControl"="" [X]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-10-24 206112]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-08 176128]
    "AEXAgentEXE"="c:\program files\Altiris\eXpress\Client Recovery Agent\AeXAgent.exe" [2003-10-21 1765376]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
    "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-11-17 397312]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-16 24576]
    SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2009-3-31 297240]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Diablo II\\Diablo II.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Full Tilt Poker\\FullTiltPoker.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6112:TCP"= 6112:TCP:Diablo
    "6112:UDP"= 6112:UDP:Diablo2
    "58511:TCP"= 58511:TCP:pando Media Booster
    "58511:UDP"= 58511:UDP:pando Media Booster

    R0 OfmLvDrv;OfmLvDrv;c:\windows\system32\drivers\ofmlvdrv.sys [9/11/2003 07:10 PM 80691]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/15/2009 01:10 AM 28544]
    R0 WNT_FAL;Altiris Client Recovery FAL Driver;c:\windows\system32\drivers\WNT_FAL.sys [10/21/2003 01:33 PM 26112]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
    R2 Altiris Client Recovery Agent;Altiris Client Recovery Agent;c:\program files\Altiris\eXpress\Client Recovery Agent\AeXAgent.exe [10/21/2003 01:20 PM 1765376]
    R2 SCManager;SafeConnect Manager;c:\program files\SafeConnect\scManager.sys servicestart --> c:\program files\SafeConnect\scManager.sys servicestart [?]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/24/2008 10:41 PM 24652]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 07:19 PM 13592]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
    S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/4/2006 11:26 PM 716272]
    S2 Altiris Client Recovery FAL Stopper;Altiris Client Recovery FAL Stopper;c:\program files\Altiris\eXpress\Client Recovery Agent\AeXFALS.exe [10/21/2003 01:32 PM 40960]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-17 c:\windows\Tasks\AeX Local Job 6508.job
    - c:\program files\Altiris\eXpress\Client Recovery Agent\AeXCmd.exe [2003-10-21 17:22]

    2010-04-20 c:\windows\Tasks\AeX Local Job 6517.job
    - c:\program files\Altiris\eXpress\Client Recovery Agent\AeXCmd.exe [2003-10-21 17:22]

    2010-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-04-21 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
    2010-04-21 01:32:59 . 2010-04-21 01:32:59 1,084 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_rmcastt.reg.dat
    2010-04-21 01:32:59 . 2010-04-21 01:32:59 1,208 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_RMCASTT.reg.dat
    2010-04-21 01:28:44 . 2010-04-21 01:28:44 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
    2010-04-13 16:19:01 . 2010-04-20 15:16:02 4,617 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
    2010-04-13 16:19:01 . 2010-04-20 15:16:02 4,232 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
    2010-04-13 15:52:41 . 2010-04-13 15:52:41 468 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Ruckus Network Client.reg.dat
    2010-04-13 15:52:41 . 2010-04-13 15:52:41 1,612 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-PConPoint_is1.reg.dat
    2010-04-13 15:52:41 . 2010-04-13 15:52:41 710 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3.reg.dat
    2010-04-13 15:52:41 . 2010-04-13 15:52:41 1,262 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-ActiveScan 2.0.reg.dat
    2010-04-13 15:52:23 . 2010-04-13 15:52:23 172 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SunJavaUpdateSched.reg.dat
    2010-04-13 15:48:04 . 2010-04-21 01:32:51 9,968 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2010-04-13 15:41:28 . 2010-04-21 01:27:34 306 ----a-w- C:\Qoobox\Quarantine\catchme.log
    2010-04-06 15:03:17 . 2010-04-06 15:51:38 201,216 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Waski\Local Settings\Application Data\1585116398.dll.vir
    2004-08-04 10:00:00 . 2004-08-04 10:00:00 2,804,224 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000229_.tmp.dll.vir
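Several entries in the ComboFix log above are worth a second look from a defender's side: a Run entry whose target no longer exists ("ShowLOMControl"="" [X]), Security Center overrides set to 1 (so missing antivirus or firewall protection raises no alert), the Windows Firewall standard profile disabled with notifications suppressed, and a firewall exception for a program living in a user-writable profile folder. The script below is an added example (not part of the thread and not part of ComboFix or OTS) that reads an excerpt in the ComboFix "Reg Loading Points" format and flags those patterns. The excerpt is copied from the log posted above, except for the nscagent.exe exception line, which is constructed in the same format from the path the OTS fix script in a later post targets; the flagging rules are this example's own heuristics.

```python
"""Flag weakened-security indicators in a ComboFix 'Reg Loading Points' excerpt.

Added example: the heuristics are assumptions of this example, not rules
taken from ComboFix, OTS or the thread.
"""
import re

# Excerpt of the ComboFix log posted in the thread. The nscagent.exe line is
# constructed here in the same format from the path the later OTS fix targets.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="" [X]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\nscagent.exe"=
"""

# Section headers of interest, matched against the bracketed key line.
RUN_KEY = re.compile(r"\\Run\]$", re.IGNORECASE)
SECCENTER_KEY = re.compile(r"security center\]$", re.IGNORECASE)
FWPROFILE_KEY = re.compile(r"firewallpolicy\\standardprofile\]$", re.IGNORECASE)
FWEXCEPT_KEY = re.compile(r"authorizedapplications\\list\]$", re.IGNORECASE)
# "name"=value lines as ComboFix prints them.
VALUE_LINE = re.compile(r'^"(?P<name>[^"]*)"=\s*(?P<value>.*)$')
# Locations an ordinary user (and therefore malware running as that user) can write to.
USER_WRITABLE = re.compile(r"application data|local settings|\\temp\\", re.IGNORECASE)


def find_weak_settings(log_text):
    """Return (section, value name, reason) tuples for entries worth reviewing."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line          # remember which registry key we are under
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if RUN_KEY.search(section) and value.endswith("[X]"):
            # ComboFix prints [X] when the referenced file does not exist.
            findings.append((section, name, "autorun entry whose target file is missing"))
        elif SECCENTER_KEY.search(section) and name.lower().endswith("override") \
                and value.lower() == "dword:00000001":
            findings.append((section, name, "Security Center status check overridden"))
        elif FWPROFILE_KEY.search(section) and name == "EnableFirewall" and value.startswith("0"):
            findings.append((section, name, "Windows Firewall disabled for the standard profile"))
        elif FWPROFILE_KEY.search(section) and name == "DisableNotifications" and value.startswith("1"):
            findings.append((section, name, "firewall notifications suppressed"))
        elif FWEXCEPT_KEY.search(section) and USER_WRITABLE.search(name):
            findings.append((section, name, "firewall exception for a program in a user-writable location"))
    return findings


if __name__ == "__main__":
    for section, name, reason in find_weak_settings(SAMPLE_LOG):
        print(f"{reason}: {name}  ({section})")
```

Every hit is a prompt for review rather than a verdict: enterprise antivirus suites and administrators also set the Security Center override values and firewall profile settings deliberately, so the finding has to be read together with what the log says is installed (here McAfee VirusScan Enterprise) before deciding whether an entry is malicious or just unusual.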
     
  10. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Could you attach C:\ComboFix.txt instead of copy and pasting it? It seems to have been cut off at the end.
     
  11. xxmjwxx823

    xxmjwxx823 Thread Starter

    Joined:
    Nov 8, 2008
    Messages:
    39
    tgrfds
     

    Attached Files:

  12. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Alright, these should be the last steps to make sure there isn't anything else on the computer:

    STEP 1

    Run OTS

    • Under the Paste Fix Here box on the right, paste in the contents of the following code box

    Code:
    [Unregister Dlls]
    [Registry - All]
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "" -> []
    YN -> "ShowLOMControl" -> []
    < Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    YY -> "C:\WINDOWS\system32\config\systemprofile\Application Data\nscagent.exe" -> C:\WINDOWS\System32\config\systemprofile\Application Data\nscagent.exe [C:\WINDOWS\system32\config\systemprofile\Application Data\nscagent.exe:*:Enabled:Win32load]
    [Files/Folders - Modified Within 30 Days]
    NY ->  1585116398.dll -> C:\Documents and Settings\Waski\Local Settings\Application Data\1585116398.dll
    NY ->  K6sEH5Ir2Is -> C:\Documents and Settings\Waski\Local Settings\Application Data\K6sEH5Ir2Is
    NY ->  K6sEH5Ir2Is -> C:\Documents and Settings\All Users\Application Data\K6sEH5Ir2Is
    NY ->  93 C:\Documents and Settings\Waski\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Waski\Local Settings\temp\*.tmp
    NY ->  6 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
    NY ->  15 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    [Empty Temp Folders]
    [EmptyFlash]
    [ClearAllRestorePoints]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • This will create a log in C:\_OTS\MovedFiles\<date>_<time>.log where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.

    Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally.
    If it seems to get stuck, give it some time. It's probably still working.


    STEP 2

    Please download Malwarebytes' Anti-Malware from Here.

    Double Click mbam-setup.exe to install the application.

    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan. Scan all of your hard drives.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



    STEP 3

    Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

    1. Click Accept, when prompted to download and install the program files and database of malware definitions.



    2. To optimize scanning time and produce a more sensible report for review:
    • Close any open programs
    • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
    3. Click Run at the Security prompt.


    The program will then begin downloading and installing and will also update the database.


    Please be patient as this can take quite a long time to download.
    • Once the update is complete, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

      • Spyware, adware, dialers, and other riskware
      • Archives
      • E-mail databases
    • Click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Click View report... at the bottom.
    • Click the Save report... button.

    • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply
     
  13. xxmjwxx823

    xxmjwxx823 Thread Starter

    Joined:
    Nov 8, 2008
    Messages:
    39
    All Processes Killed
    [Registry - All]
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ShowLOMControl deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\config\systemprofile\Application Data\nscagent.exe not found.
    File C:\WINDOWS\System32\config\systemprofile\Application Data\nscagent.exe not found.
    [Files/Folders - Modified Within 30 Days]
    File C:\Documents and Settings\Waski\Local Settings\Application Data\1585116398.dll not found!
    C:\Documents and Settings\Waski\Local Settings\Application Data\K6sEH5Ir2Is moved successfully.
    C:\Documents and Settings\All Users\Application Data\K6sEH5Ir2Is moved successfully.
    C:\WINDOWS\Temp\WFV10.tmp deleted successfully.
    C:\WINDOWS\SET111.tmp deleted successfully.
    C:\WINDOWS\SET112.tmp deleted successfully.
    C:\WINDOWS\SET65.tmp deleted successfully.
    C:\WINDOWS\SET68.tmp deleted successfully.
    C:\WINDOWS\SET74.tmp deleted successfully.
    C:\WINDOWS\SETA2.tmp deleted successfully.
    C:\WINDOWS\SETA5.tmp deleted successfully.
    C:\WINDOWS\SETAF.tmp deleted successfully.
    C:\WINDOWS\SETB0.tmp deleted successfully.
    C:\WINDOWS\SETB1.tmp deleted successfully.
    C:\WINDOWS\SETC5.tmp deleted successfully.
    C:\WINDOWS\SETC8.tmp deleted successfully.
    C:\WINDOWS\SETD4.tmp deleted successfully.
    C:\WINDOWS\SETEC.tmp deleted successfully.
    C:\WINDOWS\SETED.tmp deleted successfully.
    C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
    [Empty Temp Folders]


    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32835 bytes
    ->FireFox cache emptied: 48315883 bytes

    User: NetworkService
    ->Temp folder emptied: 896 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Waski
    ->Temp folder emptied: 247606 bytes
    ->Temporary Internet Files folder emptied: 9516502 bytes
    ->Java cache emptied: 55449767 bytes
    ->FireFox cache emptied: 56781643 bytes
    ->Apple Safari cache emptied: 88895 bytes
    ->Flash cache emptied: 2210268 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1063 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34251 bytes
    RecycleBin emptied: 1112167 bytes

    Total Files Cleaned = 166.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    User: Waski
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    Restorepoints cleared and new OTS Restore Point set!
    < End of fix log >
    OTS by OldTimer - Version 3.1.28.3 fix logfile created on 04212010_175103

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
    Also, Malwarebytes came back with no infected files, so I figured I wouldn't include the log. Now I'm gonna run Kaspersky and get back to you.
     
  14. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Alright. Let me know if you have trouble with it, we can try something different.
     
  15. xxmjwxx823

    xxmjwxx823 Thread Starter

    Joined:
    Nov 8, 2008
    Messages:
    39
    Yea, I can't get the Kaspersky to finish up. It freezes at some point every time I try.
     
Short URL to this thread: https://techguy.org/916090