
Super virus - help needed

Discussion in 'Virus & Other Malware Removal' started by tigron, Sep 8, 2011.

  1. tigron

    tigron Thread Starter

    Joined:
    Jul 14, 2003
    Messages:
    93
    Hey folks, it's been a long time since I've been in here but I really need some help. I've got a Windows Vista machine that was getting a BSOD 0x0000007. I used Last Known Good Configuration and was able to get back in to the desktop, but the virus is still there. In safe mode, every tool I have is useless as they open and seem to get shut down almost immediately, and then it does something to the file ownership, I think, where you can't run it again without reinstalling. I've got a process 3203397148:3809022017.exe that I can't kill, and I've taken the HD out of the system and used a USB adapter to scan the drive; Malwarebytes found Win32.AutoRun.tmp on the first run. I cleaned that, still no luck. While scanning, Avira found APPL/KillApp.A in E:\HP\BIN\EndProcess.exe, which I left alone initially as a legit file. On a second attempt to scan via USB, Malwarebytes found 10 infected but only 3 different culprits: Trojan.BHO, Trojan.Vundo, Adware.MyWebSearch. If anyone can offer assistance, please do.
     
  2. tigron

    tigron Thread Starter

    Joined:
    Jul 14, 2003
    Messages:
    93
    No replies? Well, I'll give an update as I haven't been sitting on my hands waiting for help. I was finally able to get the internet working enough to run the AVG Live CD scan and it found 14 infected, one of which is windows/system32/drivers/tdx.sys - Trojan horse Backdoor.generic14.AGNE (critical system file), /appdata/local/temp/setup1114414592.exe - win32/cryptor, /appdata/local/temp/FBB5.tmp - win32/cryptor, /appdata/local/temp/DD5D.tmp - win32/cryptor, /appdata/locallow/sun/java/deployment/cache/6.0/63/5ad83dbf-18ff9749 - luhe.fiha.a, /appdata/locallow/sun/java/deployment/cache/6.0/63/5ad83dbf-1da3ea6e - luhe.fiha.a, windows/assembly/gac_msil/desktop.ini - Trojan horse agent_r.aks, windows/microsoft.net/framework/v4.0.30319/mscorsvw.exe - win32/katusha.a, windows/system32/drivers/xaudio.exe - win32/katusha.a, windows/system32/pmobserv.exe - win32/katusha.a, windows/system32/spool/drivers/w32x86/3/lxdxpswx.exe - win32/katusha.a, windows/system32/spool/drivers/w32x86/3/lxdxjswx.exe - win32/katusha.a, windows/system32/lxdxcoms.exe - win32/katusha.a, windows/winsxs/x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7/tdx.sy

    If anyone can help me get further, that would be appreciated, since I still have a redirect issue and can't run any virus programs in safe mode or on the regular desktop.
     
  3. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,163
    Do the following :-

    Boot your PC into Safe Mode with Networking. Next,

    Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

    Link 1
    Link 2

    • Ensure that Combofix is saved directly to the root of the C:\ drive <--- Very important
    • Before saving, rename it to tigron.com so you end up with Combofix saved as C:\tigron.com
    • Disable all security programs as they will have a negative effect on Combofix; instructions are available Here if required. Be aware the list may not have all programs listed; if you need more help please ask.
    • Close any open browsers and any other programs you might have running
    • Navigate to C:\tigron.com and double click to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
    • If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

    ****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted)

    Post the log in next reply please...

    Kevin
     
  4. tigron

    tigron Thread Starter

    Joined:
    Jul 14, 2003
    Messages:
    93
    Thanks for the reply. I ran it the first time without clicking on Run as Administrator, as the option wasn't available for tigron.com. I ran it a second time using the admin cmd prompt; I hope that didn't skew the results. There was a comment in the beginning that it couldn't access and had to be run as admin, but it said admin at the top of the cmd window.

    Here are the log results.

    ComboFix 11-09-05.05 - crellan 09/09/2011 18:59:44.1.2 - x86 NETWORK

    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2494.1863 [GMT -4:00]

    Running from: C:\tigron.com

    AV: Norton Internet Security *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}

    FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}

    SP: Norton Internet Security *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}

    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    .

    .

    ((((((((((((((((((((((((( Files Created from 2011-08-09 to 2011-09-09 )))))))))))))))))))))))))))))))

    .

    .

    2011-09-09 23:06 . 2011-09-09 23:06 -------- d-----w- c:\users\crellan\AppData\Local\temp

    2011-09-09 23:06 . 2011-09-09 23:06 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

    2011-09-09 23:06 . 2011-09-09 23:06 -------- d-----w- c:\users\Default\AppData\Local\temp

    2011-09-09 22:32 . 2011-09-09 22:55 -------- d-----w- C:\tigron

    2011-09-09 14:37 . 2011-09-09 13:58 71680 ----a-w- c:\windows\system32\drivers\tdx.sys

    2011-09-09 12:44 . 2011-09-09 12:44 709968 ----a-w- c:\windows\is-GJSIA.exe

    2011-09-09 02:13 . 2011-09-09 02:13 -------- d-----w- c:\programdata\Kaspersky Lab

    2011-09-09 01:45 . 2011-09-09 22:32 -------- d-----w- C:\ComboFix

    2011-09-09 00:22 . 2011-07-08 11:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2011-09-09 00:22 . 2011-07-08 11:55 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

    2011-09-07 22:41 . 2011-09-07 22:41 -------- d-----w- C:\found.000

    2011-09-07 22:06 . 2011-09-07 22:06 -------- d--h--w- c:\windows\PIF

    2011-09-07 20:32 . 2011-09-07 20:47 -------- d-----w- c:\users\Administrator

    2011-09-07 17:00 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys

    2011-09-07 17:00 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

    2011-09-07 17:00 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys

    2011-09-07 17:00 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

    2011-09-07 17:00 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

    2011-09-07 17:00 . 2011-07-04 11:32 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

    2011-09-07 16:58 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr

    2011-09-07 16:58 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe

    2011-09-07 16:58 . 2011-09-07 16:58 -------- d-----w- c:\programdata\AVAST Software

    2011-09-07 16:58 . 2011-09-07 16:58 -------- d-----w- c:\program files\AVAST Software

    2011-09-07 14:35 . 2011-09-09 14:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2011-09-07 05:55 . 2011-09-07 05:57 -------- d-----w- c:\programdata\MFAData

    2011-09-06 16:17 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{866A9F8C-8827-4E70-B592-039220005779}\mpengine.dll

    2011-09-04 19:17 . 2003-04-30 07:59 106496 ----a-w- c:\windows\_PMCMisc.dll

    2011-09-04 19:16 . 2000-09-18 09:54 45056 ----a-w- c:\windows\system32\ricnmon.dll

    2011-09-04 19:16 . 2000-09-18 09:51 45056 ----a-w- c:\windows\system32\ippmon.dll

    2011-09-04 19:16 . 2000-09-18 09:47 45056 ----a-w- c:\windows\system32\rpnvmon.dll

    2011-09-04 19:16 . 2011-09-04 19:16 -------- d-----w- c:\windows\NAVITEMP

    2011-09-04 18:51 . 2011-09-04 19:13 -------- d-----w- C:\driverslloyd

    2011-09-04 17:40 . 2011-09-04 17:40 -------- d-----w- c:\programdata\Tenda Driver

    2011-09-04 17:40 . 2009-12-10 15:16 776480 ----a-w- c:\windows\system32\RAIHV.dll

    2011-09-04 17:40 . 2009-12-10 15:16 1590560 ----a-w- c:\windows\system32\RaCertMgr.dll

    2011-09-04 17:40 . 2009-12-10 15:16 102688 ----a-w- c:\windows\system32\RAEXTUI.dll

    2011-09-04 17:40 . 2011-09-04 17:40 -------- d-----w- c:\program files\Tenda

    2011-09-01 21:07 . 2011-09-01 21:07 -------- d-sh--w- c:\windows\system32\%APPDATA%

    2011-09-01 19:13 . 2011-09-01 19:13 -------- d-----w- c:\users\crellan\AppData\Roaming\Malwarebytes

    2011-09-01 19:13 . 2011-09-01 19:13 -------- d-----w- c:\programdata\Malwarebytes

    2011-09-01 18:01 . 2011-09-01 18:01 4194304 ----a-w- c:\windows\system32\qnbwvoto.dll

    .

    .

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2011-07-28 11:01 . 2011-07-28 11:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

    2011-07-06 14:56 . 2011-08-10 00:39 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

    2011-06-23 19:48 . 2011-06-23 19:48 45056 ----a-r- c:\users\crellan\AppData\Roaming\Microsoft\Installer\{0dff3440-a901-11dc-8314-0800200c9a66}\NewShortcut1_A80EDC6C85754FF6B838BB92A8E49DC5.exe

    2011-06-12 22:34 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll

    2011-06-12 22:34 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll

    2011-06-12 21:42 . 2011-06-12 22:09 47560 ----a-w- c:\windows\system32\SPReview.exe

    2011-06-12 21:42 . 2011-06-12 22:09 152576 ----a-w- c:\windows\system32\SPWizUI.dll

    2011-04-14 16:26 . 2011-06-15 21:09 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

    .

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

    @="{472083B0-C522-11CF-8763-00608CC02F24}"

    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

    2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

    .

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]

    "HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-03-20 1773568]

    "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

    "cdloader"="c:\users\crellan\AppData\Roaming\mjusbsp\cdloader2.exe" [2008-08-22 50520]

    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-19 39408]

    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]

    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-29 176128]

    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]

    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]

    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

    "PSDiagnosticM"="c:\program files\Linksys Wireless-G Print Server\PSDiagnosticM.exe" [2007-02-27 315392]

    "lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-06-13 668328]

    "lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-06-13 16040]

    "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2008-06-13 320168]

    "snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]

    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]

    "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]

    "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-07 86016]

    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8534560]

    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]

    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-08 1047656]

    "JobHisInit"="c:\program files\RDS\RMClient\JobHisInit.exe" [2007-08-30 229481]

    "MplSetUp"="c:\program files\RDS\RMClient\MplSetUp.exe" [2007-08-30 49254]

    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    "Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-08 449584]

    "InnoSetupRegFile.0000000001"="c:\windows\is-GJSIA.exe" [2011-09-09 709968]

    .

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 719664]

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

    "EnableUIADesktopToggle"= 0 (0x0)

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

    "DisableMonitoring"=dword:00000001

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

    "DisableMonitoring"=dword:00000001

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

    "DisableMonitoring"=dword:00000001

    .

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [x]

    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]

    R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [x]

    R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [x]

    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]

    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]

    R3 PMObserv;PMObserv;c:\windows\system32\PMObserv.exe [x]

    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

    S3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\DRIVERS\lknuhst.sys [2006-12-15 13824]

    S3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\DRIVERS\lknuhub.sys [2006-12-15 35840]

    .

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    bthsvcs REG_MULTI_SZ BthServ

    .

    Contents of the 'Scheduled Tasks' folder

    .

    2011-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-601659496-17462574-2501975068-1000Core.job

    - c:\users\crellan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-31 19:06]

    .

    2011-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-601659496-17462574-2501975068-1000UA.job

    - c:\users\crellan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-31 19:06]

    .

    2011-09-09 c:\windows\Tasks\User_Feed_Synchronization-{505258AB-8A08-43D7-9597-7A32E19A548C}.job

    - c:\windows\system32\msfeedssync.exe [2011-06-16 04:32]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.google.com/

    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop

    uInternet Settings,ProxyOverride = *.local

    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000

    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

    IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105

    Trusted Zone: alipay.com

    Trusted Zone: alisoft.com

    Trusted Zone: taobao.com

    FF - ProfilePath - c:\users\crellan\AppData\Roaming\Mozilla\Firefox\Profiles\tg1wjnqh.default\

    FF - prefs.js: network.proxy.type - 0

    .

    .

    **************************************************************************

    .

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2011-09-09 19:06

    Windows 6.0.6001 Service Pack 1 NTFS

    .

    scanning hidden processes ...

    .

    scanning hidden autostart entries ...

    .

    scanning hidden files ...

    .

    scan completed successfully

    hidden files: 0

    .

    **************************************************************************

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    .

    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

    @Denied: (A) (Users)

    @Denied: (A) (Everyone)

    @Allowed: (B 1 2 3 4 5) (S-1-5-20)

    "BlindDial"=dword:00000000

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    .

    - - - - - - - > 'Explorer.exe'(1524)

    c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll

    .

    Completion time: 2011-09-09 19:08:06

    ComboFix-quarantined-files.txt 2011-09-09 23:08

    ComboFix2.txt 2011-09-09 22:55

    .

    Pre-Run: 96,413,814,784 bytes free

    Post-Run: 96,378,011,648 bytes free

    .

    - - End Of File - - 9E5AF7032CC0888E3F1D1216119E711D
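As an added example (not code from this thread or from ComboFix), here is a small Python triage helper that parses the "Files Created" section of a ComboFix log in the format shown above and flags the two kinds of entries a reviewer would pull out of this log for analysis: a hidden directory inside system32 named like an environment variable (the %APPDATA% entry), and an executable in a system directory whose creation time equals its last-write time (qnbwvoto.dll). It assumes the two timestamps on each line are creation and last-write in that order, and runs on a constructed sample built from entries of the posted log.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Column layout of a ComboFix "Files Created" line, assumed here to be
# "<created> . <last write> <size or --------> <attrs> <path>".
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[A-Za-z-]{8}) (?P<path>\S.*)$"
)

# Constructed sample: a hand-picked subset of entries from the log above.
SAMPLE_LOG = r"""
2011-09-09 00:22 . 2011-07-08 11:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-01 21:07 . 2011-09-01 21:07 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-09-01 18:01 . 2011-09-01 18:01 4194304 ----a-w- c:\windows\system32\qnbwvoto.dll
2011-09-09 12:44 . 2011-09-09 12:44 709968 ----a-w- c:\windows\is-GJSIA.exe
2011-09-07 17:00 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
"""

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system32\drivers"}
EXEC_EXT = (".dll", ".exe", ".sys")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories ("--------" in the log)
    attrs: str            # e.g. "----a-w-", "d-sh--w-"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def parent(self) -> str:
        return self.path.lower().rsplit("\\", 1)[0]

    @property
    def name(self) -> str:
        return self.path.lower().rsplit("\\", 1)[-1]


def parse_files_created(text: str) -> list[Entry]:
    """Parse 'Files Created' lines; lines of any other shape are skipped."""
    entries: list[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def triage(entries: list[Entry]) -> dict[str, list[str]]:
    """Return {path: [reasons]} for entries worth a second look.

    Both rules are review flags, not verdicts: they say what to submit for
    analysis (as the specialist does with qnbwvoto.dll), not what to delete.
    """
    flagged: dict[str, list[str]] = {}
    for e in entries:
        reasons: list[str] = []
        in_system = e.parent in SYSTEM_DIRS
        # Rule 1: a hidden directory whose name looks like an environment
        # variable, e.g. a literal folder called "%APPDATA%" under system32.
        # Installers do not create a folder of that name; it is there to
        # read like an expanded path when someone skims a listing.
        if e.is_dir and e.hidden and re.fullmatch(r"%[a-z_]+%", e.name):
            reasons.append("hidden dir named like an env var under " + e.parent)
        # Rule 2: an executable in a system directory whose creation time
        # equals its last-write time. Installers copy files and preserve the
        # vendor's older mtime (mbamswissarmy.sys, aswSP.sys above), whereas
        # a file written straight to disk carries identical stamps.
        if (not e.is_dir and in_system and e.name.endswith(EXEC_EXT)
                and e.created == e.modified):
            reasons.append("created == last write; dropped directly, not installed")
        if reasons:
            flagged[e.path] = reasons
    return flagged


if __name__ == "__main__":
    for path, why in triage(parse_files_created(SAMPLE_LOG)).items():
        print(path)
        for reason in why:
            print("   -", reason)
```

Rule 2 is deliberately scoped to system32 and drivers so that installer scratch files such as c:\windows\is-GJSIA.exe (equal stamps, but outside those directories) do not add noise.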
     
  5. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,163
    I need you to upload a file for analysis...

    Please visit VirusTotal
    • Click the Browse... button
    • Navigate to the file c:\windows\system32\qnbwvoto.dll
    • Click the Open button
    • Click the Send button
    • If you get a message saying File has already been analyzed: click Reanalyze file now
    • Copy and paste the results back here please.

    Kevin
     
  6. tigron

    tigron Thread Starter

    Joined:
    Jul 14, 2003
    Messages:
    93
    Antivirus Version Last Update Result
    AhnLab-V3 2011.09.10.00 2011.09.10 -
    AntiVir 7.11.14.161 2011.09.09 -
    Antiy-AVL 2.0.3.7 2011.09.10 -
    Avast 4.8.1351.0 2011.09.09 -
    Avast5 5.0.677.0 2011.09.09 -
    AVG 10.0.0.1190 2011.09.10 -
    BitDefender 7.2 2011.09.10 -
    ByteHero 1.0.0.1 2011.09.10 -
    CAT-QuickHeal 11.00 2011.09.10 -
    ClamAV 0.97.0.0 2011.09.10 -
    Commtouch 5.3.2.6 2011.09.10 -
    Comodo 10064 2011.09.10 -
    DrWeb 5.0.2.03300 2011.09.10 -
    Emsisoft 5.1.0.11 2011.09.10 -
    eSafe 7.0.17.0 2011.09.07 -
    eTrust-Vet 36.1.8550 2011.09.10 -
    F-Prot 4.6.2.117 2011.09.10 -
    F-Secure 9.0.16440.0 2011.09.10 -
    Fortinet 4.3.370.0 2011.09.10 -
    GData 22 2011.09.10 -
    Ikarus T3.1.1.107.0 2011.09.10 -
    Jiangmin 13.0.900 2011.09.10 -
    K7AntiVirus 9.112.5114 2011.09.09 -
    Kaspersky 9.0.0.837 2011.09.10 -
    McAfee 5.400.0.1158 2011.09.10 -
    McAfee-GW-Edition 2010.1D 2011.09.10 -
    Microsoft 1.7604 2011.09.10 -
    NOD32 6452 2011.09.10 -
    Norman 6.07.11 2011.09.09 -
    nProtect 2011-09-10.01 2011.09.10 -
    Panda 10.0.3.5 2011.09.10 -
    PCTools 8.0.0.5 2011.09.10 -
    Prevx 3.0 2011.09.10 -
    Rising 23.74.03.03 2011.09.09 -
    Sophos 4.69.0 2011.09.10 -
    SUPERAntiSpyware 4.40.0.1006 2011.09.10 -
    Symantec 20111.2.0.82 2011.09.10 -
    TheHacker 6.7.0.1.293 2011.09.10 -
    TrendMicro 9.500.0.1008 2011.09.09 -
    TrendMicro-HouseCall 9.500.0.1008 2011.09.10 -
    VBA32 3.12.16.4 2011.09.09 -
    VIPRE 10431 2011.09.10 -
    ViRobot 2011.9.10.4666 2011.09.10 -
    VirusBuster 14.0.206.1 2011.09.10 -
    Additional information
    MD5 : 7536eb07efeaf009beb3e241b18c0068
    SHA1 : 0b30f9863358ee7cf05fd45ae6d0e116d9dba435
    SHA256: 65b394b8f0314884182c692ce04cffd2368e416a873e32e1d37b0ea909cf337b
    ssdeep: 98304:huz0tiMI4fFH/OcGkDJk29fTFCA7HWnLa+ryyC:huz0tiMI4fFH/OcGkDJk29fTFCA7HWnQ
    File size : 4194304 bytes
    First seen: 2011-09-10 16:21:15
    Last seen : 2011-09-10 16:21:15
    TrID:
    Unknown!
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned

    ExifTool:
    file metadata
    Error: File format error
    FileSize: 4.0 MB
     
  7. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,163
    Don't see anything wrong with that log. Boot into normal mode and re-run DDS, then post a fresh DDS.txt. I'll give instructions if required:

    We need to see some additional information about what is happening in your machine.
    Please perform the following scan in Normal Mode:
    • Download DDS by sUBs from one of the following links. Save it to your desktop.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool.
    • When done, DDS will open two (2) logs
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop.
    • The instructions here ask you to attach the Attach.txt.
    • Instead of attaching, please copy/paste both logs into your next reply.
    • Close the program window, and delete the program from your desktop.
    Please note: You may have to disable any script protection running if the scan fails to run.
    After downloading the tool, disconnect from the internet and disable all antivirus protection.
    Run the scan, enable your A/V and reconnect to the internet.
    Information on A/V control HERE
     
  8. tigron

    tigron Thread Starter

    Joined:
    Jul 14, 2003
    Messages:
    93
    I just wanted to let you know that I'm having issues restarting, where it doesn't actually restart; I have to do a hard reboot. It also lags after login with the black screen before going to the desktop. I'm able to Ctrl-Alt-Del and get to Task Manager during the black screen, but that's all. Here are the requested logs.
    .

    DDS (Ver_2011-08-26.01) - NTFSx86

    Internet Explorer: 8.0.6001.19088

    Run by crellan at 18:45:35 on 2011-09-10

    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2494.1266 [GMT -4:00]

    .

    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

    SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    .

    ============== Running Processes ===============

    .

    C:\PROGRA~1\AVG\AVG2012\avgrsx.exe

    C:\Program Files\AVG\AVG2012\avgcsrvx.exe

    C:\Windows\system32\wininit.exe

    C:\Windows\system32\lsm.exe

    C:\Windows\system32\svchost.exe -k DcomLaunch

    C:\Windows\system32\svchost.exe -k rpcss

    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

    C:\Windows\system32\svchost.exe -k netsvcs

    C:\Windows\system32\svchost.exe -k GPSvcGroup

    C:\Windows\system32\SLsvc.exe

    C:\Windows\system32\svchost.exe -k LocalService

    C:\Windows\system32\svchost.exe -k NetworkService

    C:\Windows\System32\spoolsv.exe

    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

    C:\Windows\system32\Dwm.exe

    C:\Windows\system32\taskeng.exe

    C:\Windows\Explorer.EXE

    C:\Program Files\AVG\AVG2012\avgwdsvc.exe

    C:\Windows\system32\svchost.exe -k bthsvcs

    C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE

    C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE

    C:\Program Files\AVG\AVG2012\avgnsx.exe

    C:\Program Files\AVG\AVG2012\avgemcx.exe

    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

    C:\Windows\system32\svchost.exe -k imgsvc

    C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe

    C:\Windows\System32\svchost.exe -k WerSvcGroup

    C:\Windows\system32\SearchIndexer.exe

    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe

    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    C:\Program Files\Hp\QuickPlay\QPService.exe

    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

    C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe

    C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe

    C:\Windows\vsnp2uvc.exe

    C:\Program Files\Hp\HP Software Update\hpwuschd2.exe

    C:\HP\KBD\kbd.exe

    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

    C:\Windows\System32\rundll32.exe

    C:\Program Files\AVG\AVG2012\avgtray.exe

    C:\Program Files\AVG Secure Search\vprot.exe

    C:\Program Files\Windows Sidebar\sidebar.exe

    C:\Windows\ehome\ehtray.exe

    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    C:\Program Files\Skype\Phone\Skype.exe

    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

    C:\Program Files\RDS\RMClient\MplHDDisp.exe

    C:\Program Files\RDS\RMClient\PMJobCliMsg.exe

    C:\Program Files\Lexmark 3600-4600 Series\lxdxMsdMon.exe

    C:\Windows\ehome\ehmsas.exe

    C:\Windows\System32\rundll32.exe

    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

    C:\Program Files\Hewlett-Packard\HP Advisor\SSDK04.exe

    C:\Windows\system32\wuauclt.exe

    C:\Windows\system32\WUDFHost.exe

    \\?\C:\Windows\system32\wbem\WMIADAP.EXE

    C:\Windows\system32\wbem\wmiprvse.exe

    C:\Windows\system32\SearchProtocolHost.exe

    C:\Windows\system32\SearchFilterHost.exe

    C:\Windows\system32\wbem\wmiprvse.exe

    .

    ============== Pseudo HJT Report ===============

    .

    uStart Page = hxxp://www.google.com/

    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop

    uInternet Settings,ProxyOverride = *.local

    uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn2\YTNavAssist.dll

    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll

    BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File

    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll

    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

    BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll

    BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\8.0.0.34\AVG Secure Search_toolbar.dll

    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL

    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll

    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

    TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll

    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

    TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\8.0.0.34\AVG Secure Search_toolbar.dll

    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

    {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}

    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

    uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun

    uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe

    uRun: [cdloader] "c:\users\crellan\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK

    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

    mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"

    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe

    mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

    mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

    mRun: [PSDiagnosticM] "c:\program files\linksys wireless-g print server\PSDiagnosticM.exe"

    mRun: [lxdxmon.exe] "c:\program files\lexmark 3600-4600 series\lxdxmon.exe"

    mRun: [lxdxamon] "c:\program files\lexmark 3600-4600 series\lxdxamon.exe"

    mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s

    mRun: [snp2uvc] c:\windows\vsnp2uvc.exe

    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

    mRun: [KBD] c:\hp\kbd\KBD.EXE

    mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start

    mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart

    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

    mRun: [JobHisInit] c:\program files\rds\rmclient\JobHisInit.exe

    mRun: [MplSetUp] c:\program files\rds\rmclient\MplSetUp.exe

    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"

    mRun: [vProt] "c:\program files\avg secure search\vprot.exe"

    mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

    mRunOnce: [InnoSetupRegFile.0000000001] "c:\windows\is-GJSIA.exe" /REG /REGSVRMODE

    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000

    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

    IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105

    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

    Trusted Zone: alipay.com

    Trusted Zone: alisoft.com

    Trusted Zone: taobao.com

    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    TCP: DhcpNameServer = 192.168.1.1 8.8.8.8

    TCP: Interfaces\{7C8380AB-CE91-49FF-8FAD-A6E933B3EDB8} : DhcpNameServer = 192.168.0.1

    TCP: Interfaces\{F73215BF-58AF-49C4-8C77-B0667C5B5B35} : DhcpNameServer = 192.168.1.1 8.8.8.8

    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\8.0.1\ViProtocol.dll

    .

    ================= FIREFOX ===================

    .

    FF - ProfilePath - c:\users\crellan\appdata\roaming\mozilla\firefox\profiles\tg1wjnqh.default\

    FF - prefs.js: network.proxy.type - 0

    .

    ============= SERVICES / DRIVERS ===============

    .

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]

    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-7-11 32464]

    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 229840]

    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]

    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]

    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-8-16 5264736]

    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]

    R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\8.0.1\ToolbarUpdater.exe [2011-9-10 246600]

    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]

    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]

    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]

    R3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\drivers\lknuhst.sys [2008-11-29 13824]

    R3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\drivers\lknuhub.sys [2008-11-29 35840]

    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe --> c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [?]

    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

    S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]

    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]

    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

    S3 PMObserv;PMObserv;c:\windows\system32\pmobserv.exe --> c:\windows\system32\PMObserv.exe [?]

    S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-5-15 1245064]

    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    .

    =============== Created Last 30 ================

    .

    2011-09-10 17:44:00 -------- d--h--w- C:\$AVG

    2011-09-10 16:19:25 -------- d-----w- c:\users\crellan\appdata\roaming\AVG2012

    2011-09-10 16:17:26 -------- d-----w- c:\program files\common files\AVG Secure Search

    2011-09-10 16:17:25 -------- d-----w- c:\program files\AVG Secure Search

    2011-09-10 16:15:55 -------- d-----w- c:\windows\system32\drivers\AVG

    2011-09-10 16:15:55 -------- d-----w- c:\programdata\AVG2012

    2011-09-10 16:10:21 7152464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{77ffa1c6-4249-4cc4-8d95-fd19cfa96fe7}\mpengine.dll

    2011-09-09 23:08:08 -------- d-----w- c:\users\crellan\appdata\local\temp

    2011-09-09 23:07:33 -------- d-sh--w- C:\$RECYCLE.BIN

    2011-09-09 22:32:55 -------- d-----w- C:\tigron

    2011-09-09 22:29:24 4195482 ------r- C:\tigron.com

    2011-09-09 14:37:53 71680 ----a-w- c:\windows\system32\drivers\tdx.sys

    2011-09-09 12:44:25 709968 ----a-w- c:\windows\is-GJSIA.exe

    2011-09-09 02:13:42 -------- d-----w- c:\programdata\Kaspersky Lab

    2011-09-09 01:45:27 -------- d-----w- C:\ComboFix

    2011-09-09 00:22:08 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2011-09-09 00:22:03 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

    2011-09-08 15:09:17 -------- d-----w- C:\ComboFix(0)

    2011-09-08 12:34:26 98816 ----a-w- c:\windows\sed.exe

    2011-09-08 12:34:26 518144 ----a-w- c:\windows\SWREG.exe

    2011-09-08 12:34:26 256000 ----a-w- c:\windows\PEV.exe

    2011-09-08 12:34:26 208896 ----a-w- c:\windows\MBR.exe

    2011-09-07 22:41:11 -------- d-----w- C:\found.000

    2011-09-07 22:06:01 -------- d--h--w- c:\windows\PIF

    2011-09-07 16:58:34 -------- d-----w- c:\programdata\AVAST Software

    2011-09-07 16:58:34 -------- d-----w- c:\program files\AVAST Software

    2011-09-07 14:35:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2011-09-07 05:55:53 -------- d-----w- c:\programdata\MFAData

    2011-09-04 19:17:16 106496 ----a-w- c:\windows\_PMCMisc.dll

    2011-09-04 19:16:05 45056 ----a-w- c:\windows\system32\rpnvmon.dll

    2011-09-04 19:16:05 45056 ----a-w- c:\windows\system32\ricnmon.dll

    2011-09-04 19:16:05 45056 ----a-w- c:\windows\system32\ippmon.dll

    2011-09-04 19:16:02 -------- d-----w- c:\windows\NAVITEMP

    2011-09-04 18:51:11 -------- d-----w- C:\driverslloyd

    2011-09-04 17:40:20 -------- d-----w- c:\programdata\Tenda Driver

    2011-09-04 17:40:19 776480 ----a-w- c:\windows\system32\RAIHV.dll

    2011-09-04 17:40:19 1590560 ----a-w- c:\windows\system32\RaCertMgr.dll

    2011-09-04 17:40:19 102688 ----a-w- c:\windows\system32\RAEXTUI.dll

    2011-09-04 17:40:18 -------- d-----w- c:\program files\Tenda

    2011-09-01 21:07:07 -------- d-sh--w- c:\windows\system32\%APPDATA%

    2011-09-01 19:13:34 -------- d-----w- c:\users\crellan\appdata\roaming\Malwarebytes

    2011-09-01 19:13:29 -------- d-----w- c:\programdata\Malwarebytes

    2011-09-01 18:01:49 4194304 ----a-w- c:\windows\system32\qnbwvoto.dll

    .

    ==================== Find3M ====================

    .

    2011-07-28 11:01:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

    2011-07-11 05:14:38 295248 ----a-w- c:\windows\system32\drivers\avgtdix.sys

    2011-07-11 05:14:02 24272 ----a-w- c:\windows\system32\drivers\AVGIDSFilter.sys

    2011-07-11 05:14:02 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys

    2011-07-11 05:14:00 23120 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys

    2011-07-11 05:13:58 134736 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys

    2011-07-11 05:13:46 229840 ----a-w- c:\windows\system32\drivers\avgldx86.sys

    2011-07-11 05:13:42 32464 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

    2011-07-06 14:56:47 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

    .

    ============= FINISH: 18:47:34.11 ===============

    Attach.txt
    .

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

    IF REQUESTED, ZIP IT UP & ATTACH IT

    .

    DDS (Ver_2011-08-26.01)

    .

    Microsoft® Windows Vista™ Home Premium

    Boot Device: \Device\HarddiskVolume1

    Install Date: 6/28/2007 11:21:13 PM

    System Uptime: 9/10/2011 6:04:12 PM (0 hours ago)

    .

    Motherboard: Wistron | | 30B5

    Processor: AMD Turion(tm) 64 X2 | U1 | 1800/200mhz

    .

    ==== Disk Partitions =========================

    .

    C: is FIXED (NTFS) - 141 GiB total, 81.707 GiB free.

    D: is FIXED (NTFS) - 8 GiB total, 1.743 GiB free.

    E: is CDROM ()

    F: is Removable

    .

    ==== Disabled Device Manager Items =============

    .

    Class GUID:

    Description:

    Device ID: ROOT\LEGACY_RASMAN\0000

    Manufacturer:

    Name:

    PNP Device ID: ROOT\LEGACY_RASMAN\0000

    Service:

    .

    ==== System Restore Points ===================

    .

    .

    ==== Installed Programs ======================

    .

    Update for Microsoft Office 2007 (KB2508958)

    ABBYY FineReader 6.0 Sprint

    Activation Assistant for the 2007 Microsoft Office suites

    Adobe AIR

    Adobe Flash Player 10 ActiveX

    Adobe Flash Player 10 Plugin

    Adobe Reader 8.1.2

    Apple Application Support

    Apple Mobile Device Support

    Apple Software Update

    AVG 2012

    Bonjour

    Canon MP190 series MP Drivers

    CheckIt Diagnostics

    Conexant HD Audio

    Definition update for Microsoft Office 2010 (KB982726)

    Dell AIO Printer A940

    DeskTopBinder - SmartDeviceMonitor for Client

    EasyBits GO

    Enhanced Multimedia Keyboard Solution

    Epson Easy Photo Print 2

    EPSON NX300 Series Printer Uninstall

    EPSON Scan

    ESU for Microsoft Vista

    FileZilla Client 3.5.0

    GeoVision ADPCM

    GeoVision H264

    GeoVision JPEG

    GeoVision MPEG2

    GeoVision MPEG4

    GeoVision MPEG4 ASP

    GeoVision MPEG4 AVC

    Google Chrome

    Google Toolbar for Internet Explorer

    Google Update Helper

    GoToMeeting 4.1.0.366

    HDAUDIO Soft Data Fax Modem with SmartCP

    Hewlett-Packard Active Check for Health Check

    Hewlett-Packard Asset Agent for Health Check

    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

    HP Active Support Library

    HP Active Support Library 32 bit components

    HP Customer Experience Enhancements

    HP Doc Viewer

    HP Easy Setup - Frontend

    HP Help and Support

    HP Integrated Module with Bluetooth wireless technology

    HP Pavilion Webcam Driver for Vista v061.001.00006

    HP Photosmart Essential 2.0

    HP Photosmart Essential2.5

    HP Product Detection

    HP Quick Launch Buttons 6.40 F1

    HP QuickPlay 3.2

    HP Total Care Advisor

    HP Update

    HP User Guides 0083

    HP Wireless Assistant

    HPNetworkAssistant

    Inter-Tel Collaboration Client 2.0

    Java(TM) 6 Update 17

    Java(TM) 6 Update 3

    Java(TM) SE Runtime Environment 6

    Junk Mail filter update

    Lexmark 3600-4600 Series

    Lexmark Fax Solutions

    Lexmark Tools for Office

    LightScribe 1.4.136.1

    Linksys Wireless-G Print Server

    LiveUpdate (Symantec Corporation)

    LiveUpdate Notice (Symantec Corporation)

    Malwarebytes' Anti-Malware version 1.51.1.1800

    Microsoft .NET Framework 3.5 SP1

    Microsoft .NET Framework 4 Client Profile

    Microsoft Application Error Reporting

    Microsoft Choice Guard

    Microsoft Office 2007 Service Pack 2 (SP2)

    Microsoft Office Access MUI (English) 2010

    Microsoft Office Access Setup Metadata MUI (English) 2010

    Microsoft Office Excel MUI (English) 2007

    Microsoft Office Excel MUI (English) 2010

    Microsoft Office Home and Student 2007

    Microsoft Office Home and Student 2010

    Microsoft Office Live Add-in 1.3

    Microsoft Office OneNote MUI (English) 2007

    Microsoft Office OneNote MUI (English) 2010

    Microsoft Office Outlook MUI (English) 2010

    Microsoft Office PowerPoint MUI (English) 2007

    Microsoft Office PowerPoint MUI (English) 2010

    Microsoft Office Proof (English) 2007

    Microsoft Office Proof (English) 2010

    Microsoft Office Proof (French) 2007

    Microsoft Office Proof (French) 2010

    Microsoft Office Proof (Spanish) 2007

    Microsoft Office Proof (Spanish) 2010

    Microsoft Office Proofing (English) 2007

    Microsoft Office Proofing (English) 2010

    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

    Microsoft Office Publisher MUI (English) 2010

    Microsoft Office Shared MUI (English) 2007

    Microsoft Office Shared MUI (English) 2010

    Microsoft Office Shared Setup Metadata MUI (English) 2007

    Microsoft Office Shared Setup Metadata MUI (English) 2010

    Microsoft Office Single Image 2010

    Microsoft Office Word MUI (English) 2007

    Microsoft Office Word MUI (English) 2010

    Microsoft Office XP Professional

    Microsoft Search Enhancement Pack

    Microsoft Silverlight

    Microsoft SQL Server 2005 Compact Edition [ENU]

    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

    Microsoft Visual C++ 2005 Redistributable

    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

    Microsoft Web Platform Installer 3.0

    Microsoft Works

    Move Media Player

    Mozilla Firefox 4.0.1 (x86 en-US)

    MSCU for Microsoft Vista

    MSVCRT

    MSXML 4.0 SP2 (KB936181)

    MSXML 4.0 SP2 (KB941833)

    MSXML 4.0 SP2 (KB954430)

    MSXML 4.0 SP2 (KB973688)

    muvee autoProducer 6.0

    My HP Games

    My Webcam Broadcaster

    NetWaiting

    NVIDIA Drivers

    Octoshape add-in for Adobe Flash Player

    OGA Notifier 2.0.0048.0

    OpenOffice.org Installer 1.0

    PSSWCORE

    QuickTime

    Remote Viewlog

    Rhapsody

    Rhapsody Player Engine

    Roxio Activation Module

    Roxio Creator Audio

    Roxio Creator Basic v9

    Roxio Creator Copy

    Roxio Creator Data

    Roxio Creator EasyArchive

    Roxio Creator Tools

    Roxio Express Labeler 3

    Roxio MyDVD Basic v9

    Sandlot Games Client Services

    Security Update for 2007 Microsoft Office System (KB2288621)

    Security Update for 2007 Microsoft Office System (KB2288931)

    Security Update for 2007 Microsoft Office System (KB2345043)

    Security Update for 2007 Microsoft Office System (KB2509488)

    Security Update for 2007 Microsoft Office System (KB969559)

    Security Update for 2007 Microsoft Office System (KB976321)

    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

    Security Update for Microsoft Excel 2010 (KB2523021)

    Security Update for Microsoft Office 2007 System (KB2541012)

    Security Update for Microsoft Office 2010 (KB2289078)

    Security Update for Microsoft Office 2010 (KB2289161)

    Security Update for Microsoft Office Excel 2007 (KB2541007)

    Security Update for Microsoft Office InfoPath 2007 (KB979441)

    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)

    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)

    Security Update for Microsoft Office system 2007 (972581)

    Security Update for Microsoft Office system 2007 (KB974234)

    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

    Security Update for Microsoft Office Word 2007 (KB2344993)

    Security Update for Microsoft PowerPoint 2010 (KB2519975)

    Security Update for Microsoft Publisher 2010 (KB2409055)

    Security Update for Microsoft Word 2010 (KB2345000)

    Serif PagePlus Essentials

    Skype Toolbars

    Skype™ 5.3

    Sony Picture Utility

    Sony USB Driver

    SymNet

    Synaptics Pointing Device Driver

    The Logo Creator v5

    The Print Shop® Labels & Logos 4.0.0.0

    Update for 2007 Microsoft Office System (KB967642)

    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

    Update for Microsoft Office 2007 Help for Common Features (KB963673)

    Update for Microsoft Office 2007 System (KB2539530)

    Update for Microsoft Office 2010 (KB2202188)

    Update for Microsoft Office 2010 (KB2413186)

    Update for Microsoft Office 2010 (KB2494150)

    Update for Microsoft Office 2010 (KB2523113)

    Update for Microsoft Office Excel 2007 Help (KB963678)

    Update for Microsoft Office OneNote 2007 (KB980729)

    Update for Microsoft Office OneNote 2007 Help (KB963670)

    Update for Microsoft Office Powerpoint 2007 Help (KB963669)

    Update for Microsoft Office Script Editor Help (KB963671)

    Update for Microsoft Office Word 2007 Help (KB963665)

    Update for Microsoft OneNote 2010 (KB2493983)

    Update for Microsoft Outlook Social Connector (KB2441641)

    VNC Free Edition 4.1.2

    Windows Live Communications Platform

    Windows Live Essentials

    Windows Live ID Sign-in Assistant

    Windows Live Mail

    Windows Live Movie Maker

    Windows Live Photo Gallery

    Windows Live Sync

    Windows Live Upload Tool

    Windows Live Writer

    WinRAR archiver

    Yahoo! Software Update

    Yahoo! Toolbar

    .

    ==== Event Viewer Messages From Past Week ========

    .

    9/7/2011 10:37:24 AM, Error: EventLog [6008] - The previous system shutdown at 10:35:47 AM on 9/7/2011 was unexpected.

    9/7/2011 1:24:33 AM, Error: Microsoft-Windows-PrintSpooler [6161] - The document Test Page, owned by crellan, failed to print on printer Lexmark 3600-4600 Series. Try to print the document again, or restart the print spooler. Data type: LEMF. Size of the spool file in bytes: 159068. Number of bytes printed: 159068. Total number of pages in the document: 1. Number of pages printed: 0. Client computer: \\CRELLAN-PC. Win32 error code returned by the print processor: 0. The operation completed successfully.

    9/7/2011 1:01:39 AM, Error: Microsoft-Windows-PrintSpooler [6161] - The document https://www.fedex.com/shipping/html/en//PrintIFrame.html, owned by crellan, failed to print on printer Lexmark 3600-4600 Series. Try to print the document again, or restart the print spooler. Data type: LEMF. Size of the spool file in bytes: 124831. Number of bytes printed: 124831. Total number of pages in the document: 1. Number of pages printed: 0. Client computer: \\CRELLAN-PC. Win32 error code returned by the print processor: 0. The operation completed successfully.

    9/6/2011 12:19:21 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070005: Definition Update for Windows Defender - KB915597 (Definition 1.111.1554.0).

    9/6/2011 12:05:15 PM, Error: netbt [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 10.50.4.143. The computer with the IP address 10.50.4.173 did not allow the name to be claimed by this computer.

    9/6/2011 12:02:04 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.106 for the Network Card with network address 001A736F237E has been denied by the DHCP server 10.50.4.1 (The DHCP Server sent a DHCPNACK message).

    9/6/2011 11:55:10 AM, Error: EventLog [6008] - The previous system shutdown at 11:52:46 AM on 9/6/2011 was unexpected.

    9/4/2011 3:24:54 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the MBAMService service to connect.

    9/4/2011 3:24:54 PM, Error: Service Control Manager [7000] - The MBAMService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    9/4/2011 3:24:46 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the HP Health Check Service service to connect.

    9/4/2011 3:24:46 PM, Error: Service Control Manager [7000] - The HP Health Check Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    9/4/2011 3:22:14 PM, Error: Service Control Manager [7022] - The CyberLink Background Capture Service (CBCS) service hung on starting.

    9/4/2011 3:22:14 PM, Error: Service Control Manager [7001] - The CyberLink Task Scheduler (CTS) service depends on the CyberLink Background Capture Service (CBCS) service which failed to start because of the following error: After starting, the service hung in a start-pending state.

    9/4/2011 3:21:46 PM, Error: Service Control Manager [7024] - The Windows Firewall service terminated with service-specific error 5 (0x5).

    9/4/2011 3:21:46 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Live ID Sign-in Assistant service to connect.

    9/4/2011 3:21:46 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Apple Mobile Device service to connect.

    9/4/2011 3:21:46 PM, Error: Service Control Manager [7000] - The Windows Live ID Sign-in Assistant service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    9/4/2011 3:21:46 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

    9/4/2011 3:21:46 PM, Error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    9/4/2011 3:20:30 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer Send To OneNote 2007 with shared resource name Send To OneNote 2007. Error 2114. The printer cannot be used by others on the network.

    9/4/2011 3:20:01 PM, Error: Ntfs [137] - The default transaction resource manager on volume \GLOBAL??\ACPI#PNP0303#2&da1a3ff&0 encountered a non-retryable error and could not start. The data contains the error code.

    9/4/2011 2:20:23 PM, Error: RemoteAccess [20013] - The communication device attached to port VPN16-1 is not functioning.

    9/4/2011 2:20:23 PM, Error: RemoteAccess [20013] - The communication device attached to port VPN16-0 is not functioning.

    9/4/2011 1:24:37 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer BDL-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{7C8380AB-CE91-49FF-8FAD-A6E933B3EDB. The master browser is stopping or an election is being forced.

    9/4/2011 1:17:20 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.106 for the Network Card with network address 001A736F237E has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

    .

    ==== End Of File ===========================
     
  9. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,163
    Please download the AVP removal tool and save it directly to your Desktop.


    Double-click the executable to install it.



    Select your language preference, accept the agreement and click the Start button. You should see something like this:



    Click the settings button; it's the small "gear" icon just to the right of the large yellow button.



    Make sure the following boxes are checked:



    System memory
    Hidden startup objects
    Disk boot sectors
    Computer


    Next, click the Actions link and click the bullet item labeled "Select action". "Disinfect" and "Delete if disinfection fails" should already be checked by default; then return to the Automatic Scan tab and click the Start scanning button.



    Select "Automatic Scan" then "Start Scan"



    If you happen to receive a pop-up during the scan which reads "File C:\(FILE NAME.extension) is password protected", ignore these reports. The program will find any password-protected files and report them during the scan. Malicious files that are password protected will be dealt with later as required.

    The scan will begin and you will see a progress bar and scanned objects counter.



    When the scan completes, the progress bar will disappear.

    Click the "Reports" tab icon to the far right, just under the large yellow button. Click on the "Automatic scan report" link, then click the save button.



    Save the report to your desktop as Scan 1. The report will be saved as a text file. Please post the contents of that report in your next reply.
     
  10. tigron

    tigron Thread Starter

    Joined:
    Jul 14, 2003
    Messages:
    93
    I wasn't able to copy this to the post as it's 84 MB. What do you suggest? I've lost almost a day not thinking and trying to copy and paste it.
     
  11. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,163
    I'm unsure why AVP is returning such large logs; I'm not at home at present, so I am unable to run a scan on my test PC to check it out.

    OK, did the AVP scan actually find/kill anything?

    Start Task Manager: is 3203397148:3809022017.exe still running?

    Close all windows, then select Start > All Programs > Accessories, right-click "Command Prompt" and select "Run as administrator" (OK any alerts). At the command prompt, type or copy and paste sfc /scannow, then press Enter. Type exit when it's finished and reboot your PC. See if that helps with the problem start-up.

    Next,

    Please download Junction.zip and save it to your desktop.
    Unzip it and extract junction.exe to your C:\ drive, so that it appears as C:\junction.exe.

    Next,
    Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.

    Code:
    @ECHO OFF
    rem work from the drive root, where junction.exe was extracted
    cd c:\
    rem -s recurses the whole drive; the report goes to C:\log.txt
    junction -s c:\>log.txt
    rem open the report in the default text viewer, then delete this batch file
    start log.txt
    del %0
    
    Save it to your desktop as File name: junc.bat
    Save as type: All Files

    Next,
    Double-click junc.bat to run it (accept any alerts). A log will be presented. Copy and paste or attach the content of the log in your next reply.

    Kevin
     
  12. tigron

    tigron Thread Starter

    Joined:
    Jul 14, 2003
    Messages:
    93
    No, it didn't kill anything. The process 3203397148:3809022017.exe is gone now. I'm not able to turn on Windows Firewall. I was able to run Malwarebytes and it found a Trojan.Downloader - c:\\windows\system32\spool\drivers\w32x86\3\DLBAJSWX.exe. sfc /scannow completed with no violations; was ">" a switch that I was supposed to include?



    Junction v1.06 - Windows junction creator and reparse point viewer
    Copyright (C) 2000-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com

    \\?\c:\\Documents and Settings: JUNCTION
    Print Name : C:\Users
    Substitute Name: C:\Users

    Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

    Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

    Failed to open \\?\c:\\ComboFix\PV.3XE: Access is denied.

    Failed to open \\?\c:\\ComboFix(0)\PV.3XE: Access is denied.

    ...
    Failed to open \\?\c:\\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe: Access is denied.

    ...
    Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\winlogon.exe: Access is denied.

    ...
    \\?\c:\\ProgramData\Application Data: JUNCTION
    Print Name : C:\ProgramData
    Substitute Name: C:\ProgramData

    \\?\c:\\ProgramData\Desktop: JUNCTION
    Print Name : C:\Users\Public\Desktop
    Substitute Name: C:\Users\Public\Desktop

    \\?\c:\\ProgramData\Documents: JUNCTION
    Print Name : C:\Users\Public\Documents
    Substitute Name: C:\Users\Public\Documents

    \\?\c:\\ProgramData\Favorites: JUNCTION
    Print Name : C:\Users\Public\Favorites
    Substitute Name: C:\Users\Public\Favorites

    \\?\c:\\ProgramData\Start Menu: JUNCTION
    Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
    Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

    \\?\c:\\ProgramData\Templates: JUNCTION
    Print Name : C:\ProgramData\Microsoft\Windows\Templates
    Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

    ...
    Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\5ee26b9889bc1ddaa6816df03c9dadad_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.
    Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8a727abac84c80c4d1d192c473772cf6_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.
    Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\977b3a91dcd81be1a7d676679ece8b24_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.
    Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9fc0f03a3ada1a7e16220788332b55d5_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.
    Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\af5823c5e41329ae07882468403e48ac_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.
    Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\e22e2bbdf72e7870c8828b76cb7da5fe_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.
    Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ee4f2cefd80c145b4cf490f4cb729c64_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.

    ...


    Failed to open \\?\c:\\ProgramData\Symantec\SRTSP\LightningSand.CFD: Access is denied.

    Failed to open \\?\c:\\ProgramData\Symantec\SRTSP\Quarantine: Access is denied.


    Failed to open \\?\c:\\ProgramData\Symantec\SRTSP\SrtETmp\0D34C7CF.TMP: Access is denied.


    Failed to open \\?\c:\\ProgramData\Symantec\SRTSP\SrtETmp\6D95FCBA.TMP: Access is denied.


    Failed to open \\?\c:\\ProgramData\Symantec\SRTSP\SrtETmp\75B62D4E.TMP: Access is denied.


    Failed to open \\?\c:\\ProgramData\Symantec\SRTSP\SrtETmp\EC945FE7.TMP: Access is denied.

    ...

    ...

    Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.

    ...

    ...

    ...
    Failed to open \\?\c:\\System Volume Information\{1ef21d87-da19-11e0-a872-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

    Failed to open \\?\c:\\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

    Failed to open \\?\c:\\System Volume Information\{6923ed96-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.


    Failed to open \\?\c:\\System Volume Information\{6923edae-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

    Failed to open \\?\c:\\System Volume Information\{6923edc6-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

    Failed to open \\?\c:\\System Volume Information\{6923edcc-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

    Failed to open \\?\c:\\System Volume Information\{6923edd5-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

    Failed to open \\?\c:\\System Volume Information\{6e1a3f56-db05-11e0-b694-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

    Failed to open \\?\c:\\System Volume Information\{affb19fb-dce1-11e0-a0bb-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

    Failed to open \\?\c:\\System Volume Information\{affb1a0e-dce1-11e0-a0bb-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

    Failed to open \\?\c:\\System Volume Information\{b489af11-da11-11e0-8a7f-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

    Failed to open \\?\c:\\System Volume Information\{dc5523c3-dc23-11e0-a6f9-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

    Failed to open \\?\c:\\System Volume Information\{e1c638d0-da80-11e0-803b-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

    \\?\c:\\Users\All Users: SYMBOLIC LINK

    Print Name : C:\ProgramData

    Substitute Name: \??\C:\ProgramData



    \\?\c:\\Users\Default User: JUNCTION

    Print Name : C:\Users\Default

    Substitute Name: C:\Users\Default



    \\?\c:\\Users\Administrator\Application Data: JUNCTION

    Print Name : C:\Users\Administrator\AppData\Roaming

    Substitute Name: C:\Users\Administrator\AppData\Roaming



    \\?\c:\\Users\Administrator\Cookies: JUNCTION

    Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies

    Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies



    \\?\c:\\Users\Administrator\Local Settings: JUNCTION

    Print Name : C:\Users\Administrator\AppData\Local

    Substitute Name: C:\Users\Administrator\AppData\Local



    \\?\c:\\Users\Administrator\My Documents: JUNCTION

    Print Name : C:\Users\Administrator\Documents

    Substitute Name: C:\Users\Administrator\Documents



    \\?\c:\\Users\Administrator\NetHood: JUNCTION

    Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts

    Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts



    \\?\c:\\Users\Administrator\PrintHood: JUNCTION

    Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

    Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts



    \\?\c:\\Users\Administrator\Recent: JUNCTION

    Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent

    Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent



    \\?\c:\\Users\Administrator\SendTo: JUNCTION

    Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo

    Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo



    \\?\c:\\Users\Administrator\Start Menu: JUNCTION

    Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu

    Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu



    \\?\c:\\Users\Administrator\Templates: JUNCTION

    Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates

    Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates



    \\?\c:\\Users\Administrator\AppData\Local\Application Data: JUNCTION

    Print Name : C:\Users\Administrator\AppData\Local

    Substitute Name: C:\Users\Administrator\AppData\Local



    \\?\c:\\Users\Administrator\AppData\Local\History: JUNCTION

    Print Name : C:\Users\Administrator\AppData\Local\Microsoft\Windows\History

    Substitute Name: C:\Users\Administrator\AppData\Local\Microsoft\Windows\History



    \\?\c:\\Users\Administrator\AppData\Local\Temporary Internet Files: JUNCTION

    Print Name : C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files

    Substitute Name: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files



    \\?\c:\\Users\Administrator\Documents\My Music: JUNCTION

    Print Name : C:\Users\Administrator\Music

    Substitute Name: C:\Users\Administrator\Music



    \\?\c:\\Users\Administrator\Documents\My Pictures: JUNCTION

    Print Name : C:\Users\Administrator\Pictures

    Substitute Name: C:\Users\Administrator\Pictures



    \\?\c:\\Users\Administrator\Documents\My Videos: JUNCTION

    Print Name : C:\Users\Administrator\Videos

    Substitute Name: C:\Users\Administrator\Videos



    \\?\c:\\Users\Administrator.crellan-PC\Application Data: JUNCTION

    Print Name : C:\Users\Administrator.crellan-PC\AppData\Roaming

    Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Roaming



    \\?\c:\\Users\Administrator.crellan-PC\Cookies: JUNCTION

    Print Name : C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Cookies

    Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Cookies



    \\?\c:\\Users\Administrator.crellan-PC\Local Settings: JUNCTION

    Print Name : C:\Users\Administrator.crellan-PC\AppData\Local

    Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Local



    \\?\c:\\Users\Administrator.crellan-PC\My Documents: JUNCTION

    Print Name : C:\Users\Administrator.crellan-PC\Documents

    Substitute Name: C:\Users\Administrator.crellan-PC\Documents



    \\?\c:\\Users\Administrator.crellan-PC\NetHood: JUNCTION

    Print Name : C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Network Shortcuts

    Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Network Shortcuts



    \\?\c:\\Users\Administrator.crellan-PC\PrintHood: JUNCTION

    Print Name : C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

    Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Printer Shortcuts



    \\?\c:\\Users\Administrator.crellan-PC\Recent: JUNCTION

    Print Name : C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Recent

    Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Recent



    \\?\c:\\Users\Administrator.crellan-PC\SendTo: JUNCTION

    Print Name : C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\SendTo

    Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\SendTo



    \\?\c:\\Users\Administrator.crellan-PC\Start Menu: JUNCTION

    Print Name : C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Start Menu

    Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Start Menu



    \\?\c:\\Users\Administrator.crellan-PC\Templates: JUNCTION

    Print Name : C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Templates

    Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Templates



    \\?\c:\\Users\Administrator.crellan-PC\AppData\Local\Application Data: JUNCTION

    Print Name : C:\Users\Administrator.crellan-PC\AppData\Local

    Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Local



    \\?\c:\\Users\Administrator.crellan-PC\AppData\Local\History: JUNCTION

    Print Name : C:\Users\Administrator.crellan-PC\AppData\Local\Microsoft\Windows\History

    Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Local\Microsoft\Windows\History



    \\?\c:\\Users\Administrator.crellan-PC\AppData\Local\Temporary Internet Files: JUNCTION

    Print Name : C:\Users\Administrator.crellan-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files

    Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files






    Failed to open \\?\c:\\Users\Administrator.crellan-PC\Desktop\HijackThis.exe: Access is denied.




    \\?\c:\\Users\Administrator.crellan-PC\Documents\My Music: JUNCTION

    Print Name : C:\Users\Administrator.crellan-PC\Music

    Substitute Name: C:\Users\Administrator.crellan-PC\Music



    \\?\c:\\Users\Administrator.crellan-PC\Documents\My Pictures: JUNCTION

    Print Name : C:\Users\Administrator.crellan-PC\Pictures

    Substitute Name: C:\Users\Administrator.crellan-PC\Pictures



    \\?\c:\\Users\Administrator.crellan-PC\Documents\My Videos: JUNCTION

    Print Name : C:\Users\Administrator.crellan-PC\Videos

    Substitute Name: C:\Users\Administrator.crellan-PC\Videos



    .
    \\?\c:\\Users\All Users\Application Data: JUNCTION

    Print Name : C:\ProgramData

    Substitute Name: C:\ProgramData



    \\?\c:\\Users\All Users\Desktop: JUNCTION

    Print Name : C:\Users\Public\Desktop

    Substitute Name: C:\Users\Public\Desktop



    \\?\c:\\Users\All Users\Documents: JUNCTION

    Print Name : C:\Users\Public\Documents

    Substitute Name: C:\Users\Public\Documents



    \\?\c:\\Users\All Users\Favorites: JUNCTION

    Print Name : C:\Users\Public\Favorites

    Substitute Name: C:\Users\Public\Favorites



    \\?\c:\\Users\All Users\Start Menu: JUNCTION

    Print Name : C:\ProgramData\Microsoft\Windows\Start Menu

    Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu



    \\?\c:\\Users\All Users\Templates: JUNCTION

    Print Name : C:\ProgramData\Microsoft\Windows\Templates

    Substitute Name: C:\ProgramData\Microsoft\Windows\Templates



    ..
    Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\5ee26b9889bc1ddaa6816df03c9dadad_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.


    Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\8a727abac84c80c4d1d192c473772cf6_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.


    Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\977b3a91dcd81be1a7d676679ece8b24_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.


    Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\9fc0f03a3ada1a7e16220788332b55d5_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.


    Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\af5823c5e41329ae07882468403e48ac_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.

    Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\e22e2bbdf72e7870c8828b76cb7da5fe_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.


    Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\ee4f2cefd80c145b4cf490f4cb729c64_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.

    ...

    ...

    Failed to open \\?\c:\\Users\All Users\Symantec\SRTSP\LightningSand.CFD: Access is denied.

    Failed to open \\?\c:\\Users\All Users\Symantec\SRTSP\Quarantine: Access is denied.

    Failed to open \\?\c:\\Users\All Users\Symantec\SRTSP\SrtETmp\0D34C7CF.TMP: Access is denied.

    Failed to open \\?\c:\\Users\All Users\Symantec\SRTSP\SrtETmp\6D95FCBA.TMP: Access is denied.

    Failed to open \\?\c:\\Users\All Users\Symantec\SRTSP\SrtETmp\75B62D4E.TMP: Access is denied.

    Failed to open \\?\c:\\Users\All Users\Symantec\SRTSP\SrtETmp\EC945FE7.TMP: Access is denied.

    ...

    ...

    \\?\c:\\Users\crellan\Application Data: JUNCTION

    Print Name : C:\Users\crellan\AppData\Roaming

    Substitute Name: C:\Users\crellan\AppData\Roaming



    \\?\c:\\Users\crellan\Cookies: JUNCTION

    Print Name : C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Cookies

    Substitute Name: C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Cookies



    \\?\c:\\Users\crellan\Local Settings: JUNCTION

    Print Name : C:\Users\crellan\AppData\Local

    Substitute Name: C:\Users\crellan\AppData\Local



    \\?\c:\\Users\crellan\My Documents: JUNCTION

    Print Name : C:\Users\crellan\Documents

    Substitute Name: C:\Users\crellan\Documents



    \\?\c:\\Users\crellan\NetHood: JUNCTION

    Print Name : C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Network Shortcuts

    Substitute Name: C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Network Shortcuts



    \\?\c:\\Users\crellan\PrintHood: JUNCTION

    Print Name : C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

    Substitute Name: C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Printer Shortcuts



    \\?\c:\\Users\crellan\Recent: JUNCTION

    Print Name : C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Recent

    Substitute Name: C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Recent



    \\?\c:\\Users\crellan\SendTo: JUNCTION

    Print Name : C:\Users\crellan\AppData\Roaming\Microsoft\Windows\SendTo

    Substitute Name: C:\Users\crellan\AppData\Roaming\Microsoft\Windows\SendTo



    \\?\c:\\Users\crellan\Start Menu: JUNCTION

    Print Name : C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Start Menu

    Substitute Name: C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Start Menu



    \\?\c:\\Users\crellan\Templates: JUNCTION

    Print Name : C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Templates

    Substitute Name: C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Templates



    \\?\c:\\Users\crellan\AppData\Local\Application Data: JUNCTION

    Print Name : C:\Users\crellan\AppData\Local

    Substitute Name: C:\Users\crellan\AppData\Local



    \\?\c:\\Users\crellan\AppData\Local\History: JUNCTION

    Print Name : C:\Users\crellan\AppData\Local\Microsoft\Windows\History

    Substitute Name: C:\Users\crellan\AppData\Local\Microsoft\Windows\History



    \\?\c:\\Users\crellan\AppData\Local\Temporary Internet Files: JUNCTION

    Print Name : C:\Users\crellan\AppData\Local\Microsoft\Windows\Temporary Internet Files

    Substitute Name: C:\Users\crellan\AppData\Local\Microsoft\Windows\Temporary Internet Files


    ...

    ...

    ...

    ...

    ...
    \\?\c:\\Users\crellan\Documents\My Music: JUNCTION

    Print Name : C:\Users\crellan\Music

    Substitute Name: C:\Users\crellan\Music



    \\?\c:\\Users\crellan\Documents\My Pictures: JUNCTION

    Print Name : C:\Users\crellan\Pictures

    Substitute Name: C:\Users\crellan\Pictures



    \\?\c:\\Users\crellan\Documents\My Videos: JUNCTION

    Print Name : C:\Users\crellan\Videos

    Substitute Name: C:\Users\crellan\Videos





    .
    \\?\c:\\Users\Default\Application Data: JUNCTION

    Print Name : C:\Users\Default\AppData\Roaming

    Substitute Name: C:\Users\Default\AppData\Roaming



    \\?\c:\\Users\Default\Local Settings: JUNCTION

    Print Name : C:\Users\Default\AppData\Local

    Substitute Name: C:\Users\Default\AppData\Local



    \\?\c:\\Users\Default\My Documents: JUNCTION

    Print Name : C:\Users\Default\Documents

    Substitute Name: C:\Users\Default\Documents



    \\?\c:\\Users\Default\NetHood: JUNCTION

    Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

    Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts



    \\?\c:\\Users\Default\PrintHood: JUNCTION

    Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

    Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts



    \\?\c:\\Users\Default\Recent: JUNCTION

    Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

    Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent



    \\?\c:\\Users\Default\SendTo: JUNCTION

    Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

    Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo



    \\?\c:\\Users\Default\Start Menu: JUNCTION

    Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

    Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu



    \\?\c:\\Users\Default\Templates: JUNCTION

    Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

    Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates



    \\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION

    Print Name : C:\Users\Default\AppData\Local

    Substitute Name: C:\Users\Default\AppData\Local



    \\?\c:\\Users\Default\AppData\Local\History: JUNCTION

    Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\History

    Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\History



    \\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION

    Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

    Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files



    \\?\c:\\Users\Default\Documents\My Music: JUNCTION

    Print Name : C:\Users\Default\Music

    Substitute Name: C:\Users\Default\Music



    \\?\c:\\Users\Default\Documents\My Pictures: JUNCTION

    Print Name : C:\Users\Default\Pictures

    Substitute Name: C:\Users\Default\Pictures



    \\?\c:\\Users\Default\Documents\My Videos: JUNCTION

    Print Name : C:\Users\Default\Videos

    Substitute Name: C:\Users\Default\Videos



    \\?\c:\\Users\Public\Documents\My Music: JUNCTION

    Print Name : C:\Users\Public\Music

    Substitute Name: C:\Users\Public\Music



    \\?\c:\\Users\Public\Documents\My Pictures: JUNCTION

    Print Name : C:\Users\Public\Pictures

    Substitute Name: C:\Users\Public\Pictures



    \\?\c:\\Users\Public\Documents\My Videos: JUNCTION

    Print Name : C:\Users\Public\Videos

    Substitute Name: C:\Users\Public\Videos


    Failed to open \\?\c:\\Windows\bthservsdp.dat: Access is denied.

    ...

    ...

    ...

    ...


    Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp6296.tmp: Access is denied.


    Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\cspC599.tmp: Access is denied.

    ...

    ..
    Failed to open \\?\c:\\Windows\System32\mrt.exe: Access is denied.


    ...

    ...

    ...
    Failed to open \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied.


    ...

    ..
     
  13. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,163
    Run the following:

    Step 1

    • please download GrantPerms.zip and save it to your desktop.
    • Unzip the file and run GrantPerms.exe
    • Copy and paste the following in the edit box:

      Code:
      c:\ComboFix\PV.3XE
      c:\ComboFix(0)\PV.3XE
      c:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
      c:\Program Files\Malwarebytes' Anti-Malware\winlogon.exe
      c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\5ee26b9889bc1ddaa6816df03c9dadad_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
      c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8a727abac84c80c4d1d192c473772cf6_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
      c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\977b3a91dcd81be1a7d676679ece8b24_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
      c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9fc0f03a3ada1a7e16220788332b55d5_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
      c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\af5823c5e41329ae07882468403e48ac_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
      c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\e22e2bbdf72e7870c8828b76cb7da5fe_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
      c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ee4f2cefd80c145b4cf490f4cb729c64_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
      c:\ProgramData\Symantec\SRTSP\LightningSand.CFD
      c:\ProgramData\Symantec\SRTSP\Quarantine
      c:\ProgramData\Symantec\SRTSP\SrtETmp\0D34C7CF.TMP
      c:\ProgramData\Symantec\SRTSP\SrtETmp\6D95FCBA.TMP
      c:\ProgramData\Symantec\SRTSP\SrtETmp\75B62D4E.TMP
      c:\ProgramData\Symantec\SRTSP\SrtETmp\EC945FE7.TMP
      c:\Qoobox\BackEnv
      c:\System Volume Information\{1ef21d87-da19-11e0-a872-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
      c:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
      c:\System Volume Information\{6923ed96-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
      c:\System Volume Information\{6923edae-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
      c:\System Volume Information\{6923edc6-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
      c:\System Volume Information\{6923edcc-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
      c:\System Volume Information\{6923edd5-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
      c:\System Volume Information\{6e1a3f56-db05-11e0-b694-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
      c:\System Volume Information\{affb19fb-dce1-11e0-a0bb-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
      c:\System Volume Information\{affb1a0e-dce1-11e0-a0bb-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
      c:\System Volume Information\{b489af11-da11-11e0-8a7f-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
      c:\System Volume Information\{dc5523c3-dc23-11e0-a6f9-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
      c:\System Volume Information\{e1c638d0-da80-11e0-803b-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
      c:\Users\Administrator.crellan-PC\Desktop\HijackThis.exe
      c:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\5ee26b9889bc1ddaa6816df03c9dadad_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
      c:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\8a727abac84c80c4d1d192c473772cf6_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
      c:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\977b3a91dcd81be1a7d676679ece8b24_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
      c:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\9fc0f03a3ada1a7e16220788332b55d5_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
      c:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\af5823c5e41329ae07882468403e48ac_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
      c:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\e22e2bbdf72e7870c8828b76cb7da5fe_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
      c:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\ee4f2cefd80c145b4cf490f4cb729c64_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
      c:\Users\All Users\Symantec\SRTSP\LightningSand.CFD
      c:\Users\All Users\Symantec\SRTSP\Quarantine
      c:\Users\All Users\Symantec\SRTSP\SrtETmp\0D34C7CF.TMP
      c:\Users\All Users\Symantec\SRTSP\SrtETmp\6D95FCBA.TMP
      c:\Users\All Users\Symantec\SRTSP\SrtETmp\75B62D4E.TMP
      c:\Users\All Users\Symantec\SRTSP\SrtETmp\EC945FE7.TMP
      c:\Windows\bthservsdp.dat
      c:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp6296.tmp
      c:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\cspC599.tmp
      c:\Windows\System32\mrt.exe
      c:\Windows\System32\LogFiles\WMI\RtBackup
      
    • Now Click Unlock.
    • When it is done click "OK".
    • Now click List Permissions and post the result (Perms.txt) that pops up.
    • A copy of Perms.txt will be saved in the same directory the tool is run.

    Step 2

    Delete any versions of Combofix that you may have on your computer and download a fresh copy from either of the following links:

    Link 1
    Link 2

    • Ensure that Combofix is saved directly to the Desktop <--- Very important
    • Disable all security programs, as they will have a negative effect on Combofix; instructions are available Here if required. Be aware the list may not have all programs listed; if you need more help, please ask.
    • Close any open browsers and any other programs you might have running
    • Double click the ComboFix icon to run the tool (Vista or Windows 7 users: right click and select "Run as Administrator").
    • Instructions for running Combofix available Here if required.
    • If you are using Windows XP, it might display a pop-up saying "Recovery console is not installed, do you want to install?" Please select Yes and let it download the files it needs to do this. Once the Recovery Console is installed, Combofix will then offer to scan for malware. Select Continue or Yes.
    • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot. This is normal.
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

    Post the two logs in next reply please...

    Kevin
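    An added example, not part of the thread and not a Sysinternals or GrantPerms tool: a Python script that reads a junction -s log of the kind posted above and does the two things the replies turn on. It parses each reparse point with its Substitute Name target and each "Failed to open" line, compares every junction against a table of the compatibility junctions a stock Vista install creates (that table is an assumption, built from the entries in the log above), and returns the remaining Access-is-denied paths in the one-per-line form used for GrantPerms in Step 1, leaving out the hiberfil.sys / pagefile.sys sharing violations just as that list does. The sample log is constructed from a few lines of the log above plus one synthetic junction (c:\Users\crellan\AppData\Roaming\Example pointing at C:\Windows\Temp\example) that is not in the poster's log; it is there only so that a non-stock entry gets reported.

```python
import re
from collections import namedtuple

# Reparse points a stock Vista install creates for compatibility, with the targets junction reports (assumed default C: layout).
PROGRAMDATA = r"C:\ProgramData"
GLOBAL_EXPECTED = {
    r"C:\Documents and Settings": r"C:\Users",
    r"C:\Users\All Users": PROGRAMDATA,  # a SYMBOLIC LINK; every other stock entry is a JUNCTION
    r"C:\Users\Default User": r"C:\Users\Default",
    PROGRAMDATA + r"\Application Data": PROGRAMDATA,
    PROGRAMDATA + r"\Desktop": r"C:\Users\Public\Desktop",
    PROGRAMDATA + r"\Documents": r"C:\Users\Public\Documents",
    PROGRAMDATA + r"\Favorites": r"C:\Users\Public\Favorites",
    PROGRAMDATA + r"\Start Menu": PROGRAMDATA + r"\Microsoft\Windows\Start Menu",
    PROGRAMDATA + r"\Templates": PROGRAMDATA + r"\Microsoft\Windows\Templates",
}
# junction -s follows the All Users symlink, so the ProgramData junctions are listed a second time under it.
for _link, _target in list(GLOBAL_EXPECTED.items()):
    if _link.startswith(PROGRAMDATA + "\\"):
        GLOBAL_EXPECTED[r"C:\Users\All Users" + _link[len(PROGRAMDATA):]] = _target
# Per-profile junctions: link and target are both relative to C:\Users\<profile>.
ROAMING, LOCAL = r"AppData\Roaming", r"AppData\Local"
WIN_R, WIN_L = ROAMING + r"\Microsoft\Windows", LOCAL + r"\Microsoft\Windows"
PROFILE_EXPECTED = {
    r"Application Data": ROAMING, r"Local Settings": LOCAL, r"My Documents": r"Documents",
    r"Cookies": WIN_R + r"\Cookies", r"Recent": WIN_R + r"\Recent", r"SendTo": WIN_R + r"\SendTo",
    r"NetHood": WIN_R + r"\Network Shortcuts", r"PrintHood": WIN_R + r"\Printer Shortcuts",
    r"Start Menu": WIN_R + r"\Start Menu", r"Templates": WIN_R + r"\Templates",
    LOCAL + r"\Application Data": LOCAL, LOCAL + r"\History": WIN_L + r"\History",
    LOCAL + r"\Temporary Internet Files": WIN_L + r"\Temporary Internet Files",
    r"Documents\My Music": r"Music", r"Documents\My Pictures": r"Pictures", r"Documents\My Videos": r"Videos",
}

Entry = namedtuple("Entry", "path kind target")
Denied = namedtuple("Denied", "path reason")
HEADER_RE = re.compile(r"^(\\\\\?\\.+?): ([A-Z][A-Z ]+)$")        # \\?\c:\\Foo: JUNCTION
FAILED_RE = re.compile(r"^Failed to open (\\\\\?\\.+?): (.+)$")  # \\?\c:\\Foo: Access is denied.
SUBST_RE = re.compile(r"^Substitute Name\s*:\s*(.+?)\s*$")
PROFILE_RE = re.compile(r"^(C:\\Users\\[^\\]+)\\(.+)$", re.IGNORECASE)

def normalize(path):
    """Drop the \\?\ and \??\ prefixes and the doubled separator junction prints after the drive root."""
    for prefix in ("\\\\?\\", "\\??\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    return re.sub(r"\\{2,}", "\\\\", path).rstrip("\\")

def parse_junction_log(text):
    """Split junction -s output into reparse points (with targets) and the files it could not open."""
    entries, denied, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        header, failed, subst = HEADER_RE.match(line), FAILED_RE.match(line), SUBST_RE.match(line)
        if header:
            current = [normalize(header.group(1)), header.group(2), None]
            entries.append(current)
        elif failed:
            denied.append(Denied(normalize(failed.group(1)), failed.group(2)))
            current = None
        elif subst and current is not None:
            current[2] = normalize(subst.group(1))
    return [Entry(*e) for e in entries], denied

def expected_target(link):
    """Target the stock layout gives this link, or None when the link is not a stock reparse point."""
    for name, target in GLOBAL_EXPECTED.items():
        if link.lower() == name.lower():
            return target
    m = PROFILE_RE.match(link)
    if m:
        for name, target in PROFILE_EXPECTED.items():
            if m.group(2).lower() == name.lower():
                return m.group(1) + "\\" + target
    return None

def unexpected_reparse_points(entries):
    """Reparse points that are not stock, or stock names whose target is not the expected one."""
    return [e for e in entries if e.target is None
            or (expected_target(e.path) or "").lower() != e.target.lower()]

def grantperms_list(denied):
    """Access-denied paths, one per line, as pasted into GrantPerms; sharing violations are left out."""
    return "\n".join(d.path for d in denied if d.reason.startswith("Access is denied"))

# Constructed sample: lines copied from the log above plus one synthetic junction (Example) that was NOT in it.
SAMPLE_LOG = r"""
\\?\c:\\Documents and Settings: JUNCTION
   Substitute Name: C:\Users
Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\ComboFix\PV.3XE: Access is denied.
\\?\c:\\Users\All Users: SYMBOLIC LINK
   Substitute Name: \??\C:\ProgramData
\\?\c:\\Users\crellan\Application Data: JUNCTION
   Substitute Name: C:\Users\crellan\AppData\Roaming
Failed to open \\?\c:\\Windows\System32\mrt.exe: Access is denied.
\\?\c:\\Users\crellan\AppData\Roaming\Example: JUNCTION
   Substitute Name: C:\Windows\Temp\example
"""
```

    To use it on the real log, read C:\log.txt and pass its text to parse_junction_log(), then print unexpected_reparse_points() and grantperms_list() on the two results. A junction that is missing from the stock table is only something to look at, not proof of infection, since legitimate software installs create reparse points too; the Access-is-denied list likewise contains files that are protected by design (the MachineKeys store, System Volume Information, mrt.exe), which is why the reply above unlocks them and then asks for the permissions listing rather than deleting anything.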
     

Short URL to this thread: https://techguy.org/1016598