Safety Center - please help removal (computer will not start in safe mode)

Post by lewisusauk on 29th October 2009, 6:18 am

Hi there

I'm wondering if you could help me remove this v. pesky malware/virus that I know others have had - the Safety Center virus

I have run MalwareBytes, SmitFraudFix and SUPERAntiSpyware and it seems to have gotten rid of the popups. However, the computer is still running slow. In addition, every time I try to start in safe mode with networking to really remove stuff I get the Blue Screen of Death telling me there has been a stop error and that I need to run chkdsk /f (which I did, with no result).

Here is the Hijack This log, thanks in advance for the help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:13:28, on 10/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Owner\Desktop\winlogon.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;;localhost;
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [002k0cho.dll] RUNDLL32.EXE 002k0cho.dll,b 13048421
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [DACSMiniApp] C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [zwfr] C:\PROGRA~1\COMMON~1\zwfr\zwfrm.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [zwfr] C:\PROGRA~1\COMMON~1\zwfr\zwfrm.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - [You must be registered and logged in to see this link.]
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: c:\windows\system32\melusume.dll c:\windows\system32\sehaniju.dll,rufupiba.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\mv66l9js1.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: dlcf_device - Unknown owner - C:\WINDOWS\system32\dlcfcoms.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 10309 bytes

Re: Safety Center - please help removal (computer will not start in safe mode)

Post by Belahzur on 29th October 2009, 5:28 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Re: Safety Center - please help removal (computer will not start in safe mode)

Post by lewisusauk on 31st October 2009, 5:18 am

Here are the MBAM log contents

Malwarebytes' Anti-Malware 1.41
Database version: 3045
Windows 5.1.2600 Service Pack 2

10/30/2009 10:01:11 PM
mbam-log-2009-10-30 (22-01-11).txt

Scan type: Quick Scan
Objects scanned: 119825
Time elapsed: 30 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Re: Safety Center - please help removal (computer will not start in safe mode)

Post by Belahzur on 31st October 2009, 8:00 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O4 - HKUS\S-1-5-18\..\Run: [zwfr] C:\PROGRA~1\COMMON~1\zwfr\zwfrm.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [zwfr] C:\PROGRA~1\COMMON~1\zwfr\zwfrm.exe (User 'Default user')
    O20 - AppInit_DLLs: c:\windows\system32\melusume.dll c:\windows\system32\sehaniju.dll,rufupiba.dll
    O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\mv66l9js1.dll (file missing)

  • Press "Fix Checked"
  • Close Hijack This.

What information does the blue screen give? any driver name/file name?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
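As an added example (not code from this thread, from HijackThis, or from any of the tools the helper recommends), the following Python script applies the same reasoning Belahzur used when picking the lines to fix: it parses a constructed subset of the log above and flags orphaned BHO/toolbar entries, Run keys in the SYSTEM and Default-user hives, AppInit_DLLs, and missing Winlogon Notify DLLs. The localhost-proxy heuristic is my own assumption and is reported for review rather than as something to fix.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the HijackThis log posted above,
# including the six entries Belahzur asked to have fixed plus some benign ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKUS\S-1-5-18\..\Run: [zwfr] C:\PROGRA~1\COMMON~1\zwfr\zwfrm.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [zwfr] C:\PROGRA~1\COMMON~1\zwfr\zwfrm.exe (User 'Default user')
O20 - AppInit_DLLs: c:\windows\system32\melusume.dll c:\windows\system32\sehaniju.dll,rufupiba.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\mv66l9js1.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# A HijackThis entry: section code (R0-R3, F0-F3, N1-N4, O1-O24), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFON]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str   # "fix": safe to tick under "Fix checked"; "review": needs a human look
    reason: str
    line: str


def parse_entries(log_text):
    """Return (section, body, raw_line) for every HijackThis entry line in the log."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group("section"), m.group("body"), raw))
    return entries


def classify(section, body, raw):
    """Apply the triage heuristics to one entry; return a Finding or None."""
    # Orphaned BHO / toolbar / button entries: the registry key survives but the
    # DLL is gone (a typical leftover after a partial clean-up). Safe to remove.
    if section in ("O2", "O3", "O9") and body.endswith("(no file)"):
        return Finding(section, "fix", "orphaned entry, DLL no longer on disk", raw)
    # Autorun entries in the SYSTEM or Default-user hives: nothing a home user
    # installs normally registers itself there.
    if section == "O4" and re.match(r"HKUS\\(S-1-5-18|\.DEFAULT)\\", body):
        return Finding(section, "fix", "Run entry under SYSTEM / Default user hive", raw)
    if section == "O20":
        # AppInit_DLLs is injected into every process that loads user32.dll;
        # HijackThis only prints the line when the value is non-empty.
        if body.startswith("AppInit_DLLs:"):
            return Finding(section, "fix", "AppInit_DLLs loads DLLs into every process", raw)
        # Winlogon Notify package whose DLL is missing: leftover registration.
        if body.startswith("Winlogon Notify:") and body.endswith("(file missing)"):
            return Finding(section, "fix", "Winlogon Notify DLL missing from disk", raw)
    # Extra heuristic (assumption, not from the thread): an IE proxy pointing at
    # the local machine is a common trait of rogue software that filters or
    # redirects browsing, but a legitimate local proxy tool could also set it.
    if section == "R1" and "ProxyServer" in body and re.search(r"localhost|127\.0\.0\.1", body):
        return Finding(section, "review", "IE proxy points at localhost", raw)
    return None


def triage(log_text):
    """Run every entry through classify() and return the list of Findings."""
    return [f for f in (classify(*e) for e in parse_entries(log_text)) if f]


def hjt_fix_lines(findings):
    """The raw lines a helper would tell the user to tick under 'Fix checked'."""
    return [f.line for f in findings if f.severity == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the sample, the "fix" list is exactly the six lines Belahzur posted, and the proxy entry is surfaced separately for a second opinion.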


Re: Safety Center - please help removal (computer will not start in safe mode)

Post by lewisusauk on 1st November 2009, 12:25 am

Ok did that - but while doing it received the following error.


An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: c:\windows\system32\melusume.dll c:\windows\system32\sehaniju.dll,rufupiba.dll)
Error #5 - Invalid procedure call or argument

Also, did not see

O4 - HKUS\S-1-5-18\..\Run: [zwfr] C:\PROGRA~1\COMMON~1\zwfr\zwfrm.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [zwfr] C:\PROGRA~1\COMMON~1\zwfr\zwfrm.exe (User 'Default user')

Re: Safety Center - please help removal (computer will not start in safe mode)

Post by lewisusauk on 1st November 2009, 12:40 am

The technical information for the safe mode error is:

stop: 0x0000007B (COXF8BCF528,0XC0000034,0X00000000,0X00000000)

Re: Safety Center - please help removal (computer will not start in safe mode)

Post by Belahzur on 1st November 2009, 10:46 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:


    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Re: Safety Center - please help removal (computer will not start in safe mode)

Post by lewisusauk on 2nd November 2009, 8:21 am

Thanks... here's the ComboFix log:

ComboFix 09-11-01.04 - Owner 11/01/2009 23:47.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.268 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\IadHide4.dll
c:\documents and settings\LocalService\Application Data\Install.dat
c:\documents and settings\Owner\Local Settings\Temp\IadHide4.dll
C:\lswmv.ini
c:\program files\Common Files\uninstall information
c:\windows\system32\bazoveza.dll.tmp
c:\windows\system32\command.pif
c:\windows\system32\dvdkernl.sys
c:\windows\system32\hisozega.dll.tmp
c:\windows\system32\open.ico
c:\windows\system32\Packet.dll
c:\windows\system32\tayanage.dll.tmp
c:\windows\system32\tmp.reg
c:\windows\system32\wpcap.dll
c:\windows\Tasks\bdgvpopv.job

.
((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-10-29 06:05 . 2009-10-29 06:04 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-29 03:40 . 2009-10-29 03:40 -------- d-----w- c:\program files\CCleaner
2009-10-29 01:56 . 2009-10-29 03:37 -------- d-----w- c:\program files\PC Cleaner
2009-10-28 06:03 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 06:03 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 03:15 . 2009-10-28 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-28 03:14 . 2009-10-28 03:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-28 03:14 . 2009-10-28 03:14 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-10-28 03:14 . 2009-10-28 03:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-27 07:56 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-27 07:56 . 2009-08-24 21:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-27 07:56 . 2009-08-19 18:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-27 07:56 . 2009-10-27 07:57 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-27 07:56 . 2008-12-10 18:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-27 07:55 . 2009-11-02 06:59 -------- d-----w- c:\program files\Spyware Doctor
2009-10-27 07:55 . 2009-10-27 07:55 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2009-10-27 07:55 . 2009-10-27 07:55 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-27 07:55 . 2009-11-02 07:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-27 04:53 . 2009-10-28 06:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-26 17:08 . 2009-10-26 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-10-26 17:08 . 2009-10-26 17:08 -------- d-----w- c:\windows\system32\drivers\NSS
2009-10-26 17:08 . 2009-10-26 17:08 -------- d-----w- c:\program files\NortonInstaller
2009-10-26 17:08 . 2009-10-26 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-10-26 15:57 . 2005-05-26 08:16 18200 ---ha-w- c:\windows\system32\wups2.dll
2009-10-26 15:57 . 2005-05-26 08:16 41240 ---ha-w- c:\windows\system32\wups.dll
2009-10-24 14:37 . 2009-10-24 14:37 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth
2009-10-23 15:30 . 2009-10-23 15:30 -------- d-----w- c:\windows\system32\XPSViewer
2009-10-23 15:30 . 2009-10-23 15:30 -------- d-----w- c:\program files\MSBuild
2009-10-23 15:29 . 2009-10-23 15:29 -------- d-----w- c:\program files\Reference Assemblies
2009-10-23 15:29 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-23 15:29 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-23 15:29 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-23 15:29 . 2009-10-23 15:29 -------- d-----w- C:\2b3bd9fa927ebb7c45651ef8
2009-10-23 15:29 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-23 15:29 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-23 15:29 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-23 15:29 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-23 15:28 . 2009-10-24 14:29 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-23 15:22 . 2009-10-23 15:22 -------- d-----w- c:\program files\MSXML 6.0
2009-10-06 17:13 . 2009-03-06 14:44 283648 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-10-06 17:13 . 2009-02-06 17:14 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-10-06 17:13 . 2005-07-26 04:39 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2009-10-06 17:13 . 2009-02-09 10:20 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-10-06 17:13 . 2009-02-09 10:20 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-10-06 17:13 . 2009-02-06 16:39 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-10-06 17:12 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-06 17:06 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-10-06 17:05 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 08:04 . 2005-11-14 01:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-10-29 06:08 . 2005-02-23 04:18 -------- d-----w- c:\program files\Java
2009-10-28 18:58 . 2005-12-31 20:49 -------- d-----w- c:\program files\MSN Messenger
2009-10-27 04:38 . 2009-10-27 04:38 693760 ----a-w- c:\windows\isRS-000.tmp
2009-10-27 04:02 . 2004-03-27 19:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-26 17:08 . 2008-02-23 19:57 -------- d-----w- c:\program files\Norton Security Scan
2009-10-26 17:08 . 2004-03-27 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-24 14:33 . 2004-05-10 02:45 28512 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 15:38 . 2006-04-03 14:43 443794 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-09-10 06:36 . 2004-05-08 13:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-09-10 06:32 . 2009-09-10 06:31 -------- d-----w- c:\program files\iTunes
2009-09-10 06:32 . 2009-09-10 06:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-10 06:31 . 2005-07-27 03:08 -------- d-----w- c:\program files\iPod
2009-09-10 06:31 . 2007-10-24 03:01 -------- d-----w- c:\program files\Common Files\Apple
2009-09-10 06:30 . 2009-09-10 06:29 -------- d-----w- c:\program files\QuickTime
2009-09-10 04:58 . 2009-06-09 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-29 02:42 . 2009-08-16 19:15 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 02:42 . 2007-11-07 09:18 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-07 02:24 . 2004-08-19 00:47 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2004-08-19 00:47 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2004-03-27 16:21 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2003-07-16 20:25 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2004-08-19 00:47 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2004-03-27 16:21 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:11 . 2003-07-16 20:37 204800 ---ha-w- c:\windows\system32\mswebdvd.dll
2005-11-08 01:26 . 2005-11-08 01:26 791 ----a-w- c:\program files\ewido security suite.lnk
2005-06-22 03:01 . 2005-06-22 03:01 26161916 ----a-w- c:\program files\NAV05ENG.exe
2005-06-14 00:17 . 2005-06-14 00:17 841 ----a-w- c:\program files\Ad-Aware SE Personal.lnk
2004-11-08 15:23 . 2004-11-08 15:23 16674304 ----a-w- c:\program files\downloadable_install_wizard.exe
2004-05-08 13:36 . 2004-04-06 03:36 724 ----a-w- c:\program files\QuickTime Player.lnk
2004-04-17 13:49 . 2004-04-17 13:49 5425288 ----a-w- c:\program files\msgrplus.exe
2001-11-11 04:50 . 2004-05-24 03:07 41558 ----a-w- c:\program files\RegSetup.exe
2001-11-11 01:36 . 2004-05-24 03:07 603 ----a-w- c:\program files\setup.bat
2001-11-11 00:59 . 2004-05-24 03:07 180881147 ----a-w- c:\program files\gamedata.uha
2001-11-10 20:45 . 2004-05-24 03:07 1336 ----a-w- c:\program files\Harry Potter.lnk
2001-10-24 09:09 . 2004-05-24 03:07 6473 ------w- c:\program files\ReadMe_eng.txt
2001-03-27 20:50 . 2004-05-24 03:07 29696 ----a-w- c:\program files\STARTW.EXE
2000-06-15 10:51 . 2004-05-24 03:07 218112 ----a-w- c:\program files\uhcls.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2005-12-18 20480]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-10-13 20058152]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-29 149280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"DACSMiniApp"="c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe" [2007-07-24 197888]
"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2004-08-04 208896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"002k0cho.dll"="002k0cho.dll" - c:\windows\system32\002k0cho.dll [2005-11-25 49152]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2006-5-25 315392]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-12-18 450560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu.lnk
backup=c:\windows\pss\eFax Tray Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk
backup=c:\windows\pss\Live Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=c:\windows\pss\TrueAssistant.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/26/2009 11:56 PM 206256]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 8:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 8:24 PM 74480]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S3 lac97inf;lac97inf;\??\c:\docume~1\Owner\LOCALS~1\Temp\lac97inf.sys --> c:\docume~1\Owner\LOCALS~1\Temp\lac97inf.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 8:24 PM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/26/2009 11:55 PM 348824]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2009-11-02 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-10-26 02:58]
.
.
------- Supplementary Scan -------
.
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;;localhost;
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vfe5xu2b.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKU-Default-Run-zwfr - c:\progra~1\COMMON~1\zwfr\zwfrm.exe
Notify-= - (no file)
AddRemove-3ivx D4 4.5.1 Decoder - c:\program files\3ivx\3ivx D4 4.5.1



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-02 00:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART]
@DACL=(02 0000)
@=""
"waol.exe"=dword:00000001
"cs.exe"=dword:00000001
"wm.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTECT_DECOMPRESSION_FILTER_FROM_ABORT_KB942367]
@DACL=(02 0000)
@=""
"*"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\uni]
@DACL=(02 0000)
"1150"=dword:00000001
"350"=dword:0000018f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3132)
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\windows\System32\shdoclc.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-02 0:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-02 08:19

Pre-Run: 47,891,562,496 bytes free
Post-Run: 48,392,622,080 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 877A5CB0260B674DEF3ED9CE45AAE696

lewisusauk
Novice

Posts : 12
Joined : 2009-10-29
OS : windows xp
Points : 26028
# Likes : 0
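The ComboFix log above contains the three kinds of entries that make this infection recognisable to a defender: the Security Center `AntiVirusOverride` value set to 1, the standard-profile firewall switched off, and a kernel driver (`lac97inf`) whose image sits in the user's Temp folder. The following Python script is an added example, not part of the thread and not a ComboFix feature: it parses registry and driver lines in ComboFix's listing format and reports those tamper indicators; the sample log is constructed from the entry types seen on this page.

```python
import re

# Constructed sample in the format of the ComboFix registry and driver sections
# quoted in this thread; it is sample input for the parser, not a live scan.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"002k0cho.dll"="002k0cho.dll" - c:\windows\system32\002k0cho.dll [2005-11-25 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 8:24 PM 9968]
S3 lac97inf;lac97inf;\??\c:\docume~1\Owner\LOCALS~1\Temp\lac97inf.sys --> c:\docume~1\Owner\LOCALS~1\Temp\lac97inf.sys [?]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\subkey]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')    # "Name"=data
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")  # R0/S3 name;desc;path [..]


def parse_reg_int(raw):
    """Decode the two integer spellings ComboFix prints: 'dword:00000001' and '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    first = raw.split()[0] if raw else ""
    return int(first) if first.isdigit() else None


def driver_image_path(rest):
    """Return the on-disk image path from the tail of an R?/S? driver line."""
    path = rest.split(" --> ")[0]                   # keep the left side of 'a --> b'
    path = re.sub(r"\s*\[.*\]\s*$", "", path).strip()  # drop trailing [date size] or [?]
    if path.startswith("\\??\\"):                   # NT object-manager prefix
        path = path[4:]
    return path


def audit_combofix(text):
    """Report settings a rogue 'security' program typically tampers with, plus kernel
    drivers whose image sits in a user's Temp folder. Returns a list of finding strings."""
    findings = []
    key = ""
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group(1).lower()
        elif m := VALUE_RE.match(line):
            name, value = m.group(1).lower(), parse_reg_int(m.group(2))
            if key.endswith("\\security center") and name == "antivirusoverride" and value == 1:
                findings.append("Security Center: AntiVirusOverride=1 (AV status alerts suppressed)")
            elif key.endswith("firewallpolicy\\standardprofile") and name == "enablefirewall" and value == 0:
                findings.append("Windows Firewall: EnableFirewall=0 (standard profile disabled)")
        elif m := DRIVER_RE.match(line):
            start, svc, _desc, rest = m.groups()
            path = driver_image_path(rest)
            if "\\temp\\" in path.lower():
                findings.append(f"Driver {svc} ({start}) loads from a Temp folder: {path}")
    return findings


if __name__ == "__main__":
    for finding in audit_combofix(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports exactly the three items the helper later removes with OTM; on a clean log the list is empty.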

Re: Safety Center - please help removal (computer will not start in safe mode)

Post by Belahzur on 2nd November 2009, 9:48 am

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    c:\windows\system32\002k0cho.dll

    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "002k0cho.dll"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-

    :services
    lac97inf


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1

Re: Safety Center - please help removal (computer will not start in safe mode)

Post by lewisusauk on 6th November 2009, 7:17 am

Here you go (sorry for the delay)

========== FILES ==========
DllUnregisterServer procedure not found in c:\windows\system32\002k0cho.dll
c:\windows\system32\002k0cho.dll NOT unregistered.
c:\windows\system32\002k0cho.dll moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\002k0cho.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\security center\\AntiVirusOverride deleted successfully.
========== SERVICES/DRIVERS ==========

Service\Driver lac97inf deleted successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 11052009_231639


Re: Safety Center - please help removal (computer will not start in safe mode)

Post by Dr Jay on 6th November 2009, 3:59 pm

Download [You must be registered and logged in to see this link.]

  • Load SuperAntiSpyware and click the Check for updates button.
  • Once the update is finished click the Scan your computer button.
  • Check Perform Complete Scan and then next.
  • SuperAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log onto the forum.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 13810
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302437
# Likes : 10

Re: Safety Center - please help removal (computer will not start in safe mode)

Post by lewisusauk on 7th November 2009, 8:27 am

Here you go

SUPERAntiSpyware Scan Log
[You must be registered and logged in to see this link.]

Generated 11/06/2009 at 11:21 PM

Application Version : 4.29.1004

Core Rules Database Version : 4242
Trace Rules Database Version: 2138

Scan type : Complete Scan
Total Scan Time : 00:43:49

Memory items scanned : 513
Memory threats detected : 0
Registry items scanned : 5662
Registry threats detected : 0
File items scanned : 24162
File threats detected : 11

Adware.Tracking Cookie
C:\Documents and Settings\Owner\cookies\owner@adecn[2].txt
C:\Documents and Settings\Owner\cookies\owner@bs.serving-sys[2].txt
C:\Documents and Settings\Owner\cookies\owner@ads.sun[2].txt
C:\Documents and Settings\Owner\cookies\owner@2o7[1].txt
C:\Documents and Settings\Owner\cookies\owner@atdmt[1].txt
C:\Documents and Settings\Owner\cookies\owner@msnportal.112.2o7[1].txt
C:\Documents and Settings\Owner\cookies\owner@doubleclick[2].txt
C:\Documents and Settings\Owner\cookies\owner@serving-sys[1].txt

Adware.Vundo/Variant-Frauder
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DD5A0872-CA41-4F9A-ABC3-B23EE9F02180}\RP93\A0009696.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DD5A0872-CA41-4F9A-ABC3-B23EE9F02180}\RP93\A0009697.DLL

Trojan.Agent/Gen-RogueDropper
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DD5A0872-CA41-4F9A-ABC3-B23EE9F02180}\RP93\A0010734.EXE


Re: Safety Center - please help removal (computer will not start in safe mode)

Post by Dr Jay on 7th November 2009, 7:57 pm

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done


==

Please download CKScanner by askey127 from [You must be registered and logged in to see this link.]

Save it to your desktop.

  • Doubleclick CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


==

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

==

Please post the (Full) Malwarebytes and CKScanner logs in your next reply.

I noticed in your first Malwarebytes log above, you left out part of the log. In order for us to help you properly, it helps us see what is wrong - so please post full logs.


Dr. Jay (DJ)




Re: Safety Center - please help removal (computer will not start in safe mode)

Post by lewisusauk on 12th November 2009, 6:44 am

Here is the Malware bytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 3153
Windows 5.1.2600 Service Pack 2

11/11/2009 10:36:04 PM
mbam-log-2009-11-11 (22-36-04).txt

Scan type: Quick Scan
Objects scanned: 108681
Time elapsed: 7 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{459b6bf8-5320-4c41-8833-85baedf31086} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{459b6bf8-5320-4c41-8833-85baedf31086} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{459b6bf8-5320-4c41-8833-85baedf31086} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{459b6bf8-5320-4c41-8833-85baedf31086} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here is the CK scanner log:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\owner\my documents\my music\cracker - low.mp3
c:\documents and settings\owner\my documents\my music\itunes\mobile applications\crackcode.ipa
c:\program files\jasc software inc\paint shop pro 8\presets\preset_fineleather_more cracks.pspscript
c:\program files\jasc software inc\paint shop pro 8\presets\preset_fineleather_small cracks.pspscript
scanner sequence 3.BB.11
----- EOF -----


Re: Safety Center - please help removal (computer will not start in safe mode)

Post by Dr Jay on 12th November 2009, 4:09 pm

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

==

Download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Dr. Jay (DJ)




Re: Safety Center - please help removal (computer will not start in safe mode)

Post by lewisusauk on 26th November 2009, 11:51 pm

Here is the malwarebytes log - overall the computer is fine and running fairly fast

Malwarebytes' Anti-Malware 1.41
Database version: 3239
Windows 5.1.2600 Service Pack 2

11/26/2009 3:50:19 PM
mbam-log-2009-11-26 (15-50-19).txt

Scan type: Quick Scan
Objects scanned: 111329
Time elapsed: 7 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Safety Center - please help removal (computer will not start in safe mode)

Post by Dr Jay on 27th November 2009, 6:35 am

Download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Dr. Jay (DJ)


