Help - reached the end of my rope....



Post by Heroes on 27th November 2009, 7:50 pm

Computer has been very slow and some programs not working. When I log on regularly I get a screen that begins "Problem has been detected and windows has been shut down to prevent damage to your computer". I can only up the computer using F8 and clicking "Last Known Good Configuration". Malwarebytes report shows Rootkit.Agent and Hijack.shell but never seems to get rid of them. Thank you so much for any help in advance.

HijackThis report follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:44:51, on 11/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\essledv.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [WAB] C:\Documents and Settings\Rick Hyman\Application Data\Macromedia\Common\1223407419.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\essledv.exe
O4 - HKUS\S-1-5-18\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {444785F1-DE89-4295-863A-D46C3A781394} (UnityWebPlayer Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} (Pure Networks Security Scan) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Media Center Receiver Service (ehRecvr) - Unknown owner - C:\WINDOWS\eHome\ehRecvr.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10158 bytes


Re: Help - reached the end of my rope....

Post by Belahzur on 27th November 2009, 10:58 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O4 - HKCU\..\Run: [ttool] C:\WINDOWS\essledv.exe

  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Help - reached the end of my rope....

Post by Heroes on 1st December 2009, 3:20 am

Sorry, been away for a few days. I have been trying the scan but Malware continues to freeze during the scan. Each time I reboot, I still need to do so using "Last Known Good Configuration". I posted below another Hijack This logfile if that might help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:18:42, on 11/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [WAB] C:\Documents and Settings\Rick Hyman\Application Data\Macromedia\Common\1223407419.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {444785F1-DE89-4295-863A-D46C3A781394} (UnityWebPlayer Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} (Pure Networks Security Scan) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Media Center Receiver Service (ehRecvr) - Unknown owner - C:\WINDOWS\eHome\ehRecvr.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9786 bytes


Re: Help - reached the end of my rope....

Post by Belahzur on 1st December 2009, 10:07 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O4 - HKCU\..\Run: [WAB] C:\Documents and Settings\Rick Hyman\Application Data\Macromedia\Common\1223407419.exe

  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
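Added example, not part of this thread and not HijackThis's own code: a small Python triage of the O4 auto-start lines from the logs above, applying the signals the helper appears to have used when picking the two entries to fix (an executable in a user-writable profile folder, a numeric-only filename, a file dropped straight into the Windows root). The sample lines are constructed by copying O4 entries from the posted logs; the rule set is an assumption of this example, not an official HijackThis heuristic.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: O4 (auto-start) lines copied from the HijackThis logs posted in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [WAB] C:\Documents and Settings\Rick Hyman\Application Data\Macromedia\Common\1223407419.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\essledv.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKUS\S-1-5-18\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User 'SYSTEM')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Registry auto-start entry, e.g.  O4 - HKCU\..\Run: [ttool] C:\WINDOWS\essledv.exe
# The optional "(User 'SYSTEM')" suffix that HijackThis appends to HKUS entries is stripped.
O4_REGISTRY = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# Startup-folder entry, e.g.  O4 - Global Startup: Microsoft Office.lnk = C:\...\OSA.EXE
O4_STARTUP = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# The executable at the head of the command: a quoted path, or everything up to the first ".exe".
EXE_AT_START = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.exe))', re.IGNORECASE)

# Path fragments that mark locations an ordinary user (or malware running as one) can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\application data\\", "\\appdata\\", "\\temp\\")


def parse_o4(line: str) -> Optional[Dict[str, object]]:
    """Split one O4 line into hive/key, entry name and the executable it launches."""
    line = line.strip()
    m = O4_REGISTRY.match(line)
    if m:
        hive, key = m.group("hive"), m.group("key")
    else:
        m = O4_STARTUP.match(line)
        if not m:
            return None  # not an O4 line (R0/R1, O2, O23, ...)
        hive, key = m.group("hive"), "folder"
    cmd = m.group("cmd")
    e = EXE_AT_START.match(cmd)
    exe = (e.group("quoted") or e.group("bare")) if e else cmd
    return {"hive": hive, "key": key, "name": m.group("name"), "exe": exe}


def reasons_for(exe: str) -> List[str]:
    """Heuristic signals on the launched path; an empty list means nothing stood out."""
    low = exe.lower()
    directory, _, filename = low.rpartition("\\")
    stem = filename[:-4] if filename.endswith(".exe") else filename
    reasons = []
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable profile location")
    if directory.endswith(":\\windows"):
        reasons.append("file dropped directly into the Windows root instead of a subfolder")
    if stem.isdigit():
        reasons.append("numeric-only filename")
    # A bare name such as stsystra.exe is resolved through the search path; it deserves a
    # look too, but is deliberately left unflagged here so the output stays short.
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse every O4 line in a HijackThis log and attach the heuristic reasons to each."""
    entries = []
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if parsed is None:
            continue
        parsed["reasons"] = reasons_for(str(parsed["exe"]))
        entries.append(parsed)
    return entries


def flagged(log_text: str) -> List[Dict[str, object]]:
    """Only the entries with at least one reason: the lines to review before ticking 'Fix checked'."""
    return [e for e in triage(log_text) if e["reasons"]]


if __name__ == "__main__":
    for e in flagged(SAMPLE_O4_LINES):
        print(f"{e['hive']}\\{e['key']} [{e['name']}] -> {e['exe']}")
        for r in e["reasons"]:
            print("    -", r)
```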



Re: Help - reached the end of my rope....

Post by Heroes on 2nd December 2009, 10:54 am

Unfortunately, I can't make it through a Malware scan without Malware freezing on me. I can't produce a scan report.


Re: Help - reached the end of my rope....

Post by Belahzur on 2nd December 2009, 8:44 pm

Hello.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Help - reached the end of my rope....

Post by Heroes on 3rd December 2009, 12:15 am

First one:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/1/2006 7:22:10 PM
System Uptime: 12/1/2009 7:32:02 AM (36 hours ago)

Motherboard: Dell Inc. | | 0WG864
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/800mhz
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 228 GiB total, 201.571 GiB free.
D: is CDROM (UDF)
F: is FIXED (FAT32) - 931 GiB total, 686.495 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) G965 Express Chipset Family
Device ID: PCI\VEN_8086&DEV_29A2&SUBSYS_01DD1028&REV_02\3&172E68DD&0&10
Manufacturer: Intel Corporation
Name: Intel(R) G965 Express Chipset Family
PNP Device ID: PCI\VEN_8086&DEV_29A2&SUBSYS_01DD1028&REV_02\3&172E68DD&0&10
Service: ialm

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) G965 Express Chipset Family
Device ID: PCI\VEN_8086&DEV_29A3&SUBSYS_01DD1028&REV_02\3&172E68DD&0&11
Manufacturer: Intel Corporation
Name: Intel(R) G965 Express Chipset Family
PNP Device ID: PCI\VEN_8086&DEV_29A3&SUBSYS_01DD1028&REV_02\3&172E68DD&0&11
Service: ialm

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Kernel DLS Synthesizer
Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
Manufacturer: Microsoft
Name: Microsoft Kernel DLS Synthesizer
PNP Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
Service: DMusic

==== System Restore Points ===================

RP955: 9/28/2009 9:18:29 AM - System Checkpoint
RP956: 9/28/2009 9:44:16 AM - System Checkpoint
RP957: 9/29/2009 5:29:30 PM - System Checkpoint
RP958: 9/30/2009 8:58:23 PM - System Checkpoint
RP959: 10/3/2009 9:21:58 AM - System Checkpoint
RP960: 10/3/2009 6:54:29 PM - Configured CA Desktop DNA Migrator
RP961: 10/8/2009 7:07:41 PM - System Checkpoint
RP962: 10/9/2009 7:15:52 PM - System Checkpoint
RP963: 10/13/2009 6:47:46 PM - System Checkpoint
RP964: 10/20/2009 9:13:23 AM - System Checkpoint
RP965: 10/27/2009 10:38:50 AM - System Checkpoint
RP966: 10/28/2009 4:24:58 PM - System Checkpoint
RP967: 10/30/2009 8:28:36 AM - System Checkpoint
RP968: 10/31/2009 9:24:09 AM - System Checkpoint
RP969: 11/1/2009 9:50:15 AM - System Checkpoint
RP970: 11/2/2009 7:18:08 PM - System Checkpoint
RP971: 11/3/2009 7:29:15 PM - System Checkpoint
RP972: 11/4/2009 10:42:09 PM - System Checkpoint
RP973: 11/5/2009 11:02:49 PM - System Checkpoint
RP974: 11/10/2009 7:48:47 PM - System Checkpoint
RP975: 11/11/2009 11:38:57 PM - System Checkpoint
RP976: 11/15/2009 7:46:29 PM - System Checkpoint
RP977: 11/23/2009 7:27:28 AM - System Checkpoint
RP978: 11/27/2009 2:31:02 PM - Removed Adobe Reader 8.1.2
RP979: 11/27/2009 2:41:20 PM - Installed Adobe Reader 9.2.

==== Installed Programs ======================

3ivx MPEG-4 5.0.3 (remove only)
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Download Manager
Adobe Reader 9.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BlackBerry Desktop Software 4.3
Bonjour
BufferChm
BUM
CA Desktop DNA Migrator
CA Internet Security Suite
CA Personal Firewall
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Conexant D850 56K V.9x DFVc Modem
Contextual Tool Adsoftinc
Cucusoft DVD to iPod Converter 7.27
D4100
D4100_Help
Dell CinePlayer
Dell Driver Reset Tool
Dell System Restore
DeviceManagementQFolder
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
eSupportQFolder
FlipShare
getPlus(R)_ocx
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB908673)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB921411)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Essential
HP Software Update
HP Solution Center 7.0
hph_ProductContext
hph_readme
hph_software
hph_software_req
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevicesMFC
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections
iTunes
Java(TM) 6 Update 10
KODAK EASYSHARE Gallery Easy Upload, v2.1
KODAK EASYSHARE Gallery Upload ActiveX Control
KODAK Gallery Upload Software
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
muvee Plugin 1.0
NetWaiting
OverDrive Media Console
PanoStandAlone
QuickTime
RON Tool Adsoftinc
Roxio Media Manager
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SolutionCenter
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
Status
Toolbox
TrayApp
Unity Web Player
Unload
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WD Diagnostics
WebFldrs XP
WebReg
WildTangent Web Driver
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Hotfix - KB891781
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Works Upgrade

==== Event Viewer Messages From Past Week ========

12/2/2009 7:07:55 PM, error: Service Control Manager [7028] - The jlxhm Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.
12/1/2009 7:41:35 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 85d958ec, parameter3 f792b970, parameter4 00000000.
11/30/2009 9:52:46 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 85a898ec, parameter3 f7933970, parameter4 00000000.
11/27/2009 2:29:03 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
11/27/2009 2:25:00 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 85dad8ec, parameter3 f7973970, parameter4 00000000.
11/27/2009 2:24:23 PM, error: Service Control Manager [7023] - The COM+ Event System service terminated with the following error: %1 is not a valid Win32 application.
11/27/2009 2:24:23 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
11/27/2009 2:24:23 PM, error: Service Control Manager [7001] - The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error: %1 is not a valid Win32 application.
11/27/2009 2:24:23 PM, error: Service Control Manager [7000] - The Bonjour Service service failed to start due to the following error: Access is denied.
11/27/2009 2:24:23 PM, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: Access is denied.
11/27/2009 12:36:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
11/27/2009 12:34:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
11/27/2009 12:33:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/27/2009 12:32:50 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec KmxAgent KmxFile KmxFw KmxStart MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
11/27/2009 12:32:50 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/27/2009 12:32:50 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/27/2009 12:32:50 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/27/2009 12:32:50 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/27/2009 12:32:50 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/27/2009 12:32:50 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

==== End Of File ===========================

Heroes
Intermediate
Posts : 99
Joined : 2009-10-03
OS : XP
Points : 27617
# Likes : 0

Re: Help - reached the end of my rope....

Post by Heroes on 3rd December 2009, 12:17 am

Second one:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Rick Hyman at 19:07:47.94 on Wed 12/02/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.501 [GMT -5:00]

FW: CA Personal Firewall *enabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
svchost.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Rick Hyman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [cafw] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl
mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe
mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {444785F1-DE89-4295-863A-D46C3A781394} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - [You must be registered and logged in to see this link.]
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: PFW - UmxWnp.Dll

============= SERVICES / DRIVERS ===============

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-3-19 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-3-21 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-3-21 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-3-19 115216]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-6-4 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-3-21 66576]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-4-15 281104]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-2-25 24652]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-5-30 88816]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-11-16 38224]
S0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-30 64288]
UnknownUnknown jlxhm;jlxhm; [x]

=============== Created Last 30 ================

2009-12-01 02:53:17 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-01 02:42:53 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-12-01 02:42:53 208744 ----a-w- c:\windows\system32\muweb.dll
2009-11-27 19:29:39 213528 ----a-w- c:\windows\system32\wuaucpl.cpl
2009-11-27 16:37:04 327896 ----a-w- c:\windows\system32\dllcache\wucltui.dll
2009-11-27 16:37:03 1929952 ----a-w- c:\windows\system32\dllcache\wuaueng.dll
2009-11-27 16:37:02 217816 ----a-w- c:\windows\system32\dllcache\wuaucpl.cpl
2009-11-27 16:37:00 53472 ----a-w- c:\windows\system32\dllcache\wuauclt.exe
2009-11-27 16:36:55 96480 ----a-w- c:\windows\system32\dllcache\cdm.dll
2009-11-22 01:05:08 0 d-----w- c:\program files\iPod
2009-11-22 01:05:03 0 d-----w- c:\program files\iTunes
2009-11-19 11:55:08 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-16 10:26:54 57398 ----a-w- c:\windows\system32\dllcache\imjpdadm.exe
2009-11-12 12:07:19 0 d-----w- c:\windows\LastGood.Tmp
2009-11-12 12:06:41 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-12 12:05:27 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-11 04:08:24 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2009-11-11 04:08:24 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-11-06 23:39:53 664 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2009-12-01 12:27:55 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2009-12-01 12:27:55 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2009-12-01 12:27:55 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2009-12-01 12:27:55 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2009-12-01 12:27:55 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2009-12-01 12:27:55 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2009-12-01 12:27:55 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2009-12-01 12:27:55 436118 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2009-11-27 03:21:35 19178 -c--a-w- c:\docume~1\rickhy~1\applic~1\wklnhst.dat
2009-09-29 01:24:16 388608 ----a-w- c:\windows\system32\CF7074.exe
2009-09-29 00:19:18 388608 ----a-w- c:\windows\system32\CF20058.exe
2009-09-28 23:21:30 388608 ----a-w- c:\windows\system32\CF23298.exe
2009-09-28 19:47:54 388608 ----a-w- c:\windows\system32\CF6897.exe
2009-09-24 00:20:06 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-14 06:12:36 229888 ----a-w- c:\windows\PEV.exe
2008-06-08 12:15:40 0 -c--a-w- c:\program files\uninstall.dat
2007-10-19 00:35:55 88 -csh--r- c:\windows\system32\874376E414.sys
2007-10-19 00:36:11 2828 -csha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:10:17.18 ===============


Re: Help - reached the end of my rope....

Post by Belahzur on 3rd December 2009, 1:40 am

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java(TM) 6 Update 10

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double-click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes.

  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
# Likes : 1

Re: Help - reached the end of my rope....

Post by Heroes on 4th December 2009, 1:40 am

Hi. I did everything as you stated. Unfortunately, when I run Combofix, it reboots the computer before generating the log. Because my computer will only reboot if I use "last known configuration that worked", the log doesn't get generated and I have nothing to post. Any other ideas?


Re: Help - reached the end of my rope....

Post by Belahzur on 4th December 2009, 1:48 am

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.





Re: Help - reached the end of my rope....

Post by Heroes on 4th December 2009, 5:31 am

The results are far too long for a post. Is there some portion I should post? These two lines below were highlighted in Red.


Service C:\WINDOWS\system32\drivers\ziuohuddt.sys (*** hȋdden *** ) [AUTO] jlxhm

File C:\WINDOWS\system32\drivers\ziuohuddt.sys 75264 bytes executable

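The two red lines above are GMER reporting a service (jlxhm) whose driver file, ziuohuddt.sys, is hidden from the normal Windows service and file APIs. It is the same jlxhm that the DDS log lists as "UnknownUnknown jlxhm;jlxhm; [x]" and whose registry key the Event Viewer shows the Service Control Manager taking ownership of. Further down the thread GMER also lists SSDT hooks: some are attributed to CA's HIPS drivers (KmxSbx.sys, kmxagent.sys), others only to a bare value such as 00000C93 with a handler address in the 0x85Dxxxxx range instead of a driver path, and GMER flags threads whose service table pointer differs from the kernel's. The Python below is an added triage helper, not part of the original post and not GMER's own code: it parses those GMER line formats from a constructed sample (values copied from this thread; the section headers and the KmxFw line are constructed) and sorts the results into hidden services with their on-disk size, threads with a private SSDT, and hooks that GMER could not tie to a driver file. The "no file path means unattributed" rule is this example's heuristic, not a GMER guarantee.

```python
"""Triage helper for GMER log lines (added example; not from the original post)."""
import re
from typing import Dict, List, Tuple

# Constructed sample in GMER 1.0.15 log format. The jlxhm/ziuohuddt.sys, File,
# Thread and SSDT values are copied from the lines posted in this thread; the
# section headers and the KmxFw service line are constructed so the parser has
# a non-hidden service to compare against.
SAMPLE_GMER_LOG = r"""
---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\ziuohuddt.sys (*** hȋdden *** ) [AUTO] jlxhm
Service C:\WINDOWS\system32\drivers\KmxFw.sys [BOOT] KmxFw

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ziuohuddt.sys 75264 bytes executable

---- Threads - GMER 1.0.15 ----

Thread msmsgs.exe [4068:4072] SSDT 0x85DC7B90 != 0x80504428

SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.4072] ZwCreateKey [0xEB0D66EA]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwOpenProcess [0x85DB0F1F]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwQuerySystemInformation [0x85DB0E19]
"""

# "Service <path> (*** hidden *** ) [START] <name>"; the hidden marker is
# optional, and 'h.dden' tolerates the odd glyph GMER prints inside that word.
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>\S+)\s+"
    r"(?P<hidden>\(\*\*\* h.dden \*\*\* ?\)\s+)?"
    r"\[(?P<start>[A-Z]+)\]\s+(?P<name>\S+)\s*$"
)
# "File <path> <size> bytes <flags>"
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes\b(?P<flags>.*)$")
# "Thread <proc> [pid:tid] SSDT <thread's table> != <system table>"
THREAD_RE = re.compile(
    r"^Thread\s+(?P<proc>\S+)\s+\[(?P<pid>\d+):(?P<tid>\d+)\]\s+SSDT\s+"
    r"(?P<table>0x[0-9A-Fa-f]+)\s+!=\s+(?P<system>0x[0-9A-Fa-f]+)"
)
# "SSDT <module> (<description>) <proc> [pid.tid] <ZwFunction> [<handler>]"
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<proc>\S+)\s+"
    r"\[(?P<pid>\d+)\.(?P<tid>\d+)\]\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)


def looks_like_driver_image(module: str) -> bool:
    """Heuristic (this example's, not GMER's): a hook counts as attributed when
    the module column is a file path, and unattributed when it is a bare value
    such as 00000C93."""
    m = module.lower()
    return "\\" in m or m.endswith((".sys", ".dll", ".exe"))


def triage(log_text: str) -> Dict[str, list]:
    """Parse GMER lines and bucket the findings a reviewer wants to see first."""
    file_sizes: Dict[str, int] = {}
    services: List[Tuple[str, str, bool]] = []      # (name, path, hidden?)
    threads: List[Tuple[str, int, int]] = []        # (process, pid, tid)
    hooks: List[Tuple[str, str, str]] = []          # (function, module, handler)

    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := SERVICE_RE.match(line)):
            services.append((m["name"], m["path"], m["hidden"] is not None))
        elif (m := FILE_RE.match(line)):
            file_sizes[m["path"].lower()] = int(m["size"])
        elif (m := THREAD_RE.match(line)):
            threads.append((m["proc"], int(m["pid"]), int(m["tid"])))
        elif (m := SSDT_RE.match(line)):
            hooks.append((m["func"], m["module"], m["addr"]))

    # Hidden services are joined to the File line for the same path so the
    # reviewer sees the driver's on-disk size (None if GMER listed no file).
    hidden = [(name, path, file_sizes.get(path.lower()))
              for name, path, is_hidden in services if is_hidden]
    return {
        "hidden_services": hidden,
        "private_ssdt_threads": threads,
        "unattributed_hooks": [h for h in hooks if not looks_like_driver_image(h[1])],
        "attributed_hooks": [h for h in hooks if looks_like_driver_image(h[1])],
    }


if __name__ == "__main__":
    import sys
    # Pipe a full GMER log in on stdin; with no input, the constructed sample runs.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GMER_LOG
    for bucket, items in triage(text).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

The attributed hooks in this log all point at CA's HIPS drivers, which is expected for a host intrusion prevention product; the unattributed ones and the private service table on the msmsgs.exe thread are what make this a rootkit finding rather than a noisy security suite.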

Re: Help - reached the end of my rope....

Post by Belahzur on 5th December 2009, 1:24 am

Can you look at the bottom of the log for something like this?

"C:\WINDOWS\system32\drivers\ziuohuddt.sys <-- ROOTKIT!!!"

Let me know.





Re: Help - reached the end of my rope....

Post by Heroes on 5th December 2009, 3:53 am

This is just a sample from the bottom of the log. Should I try to post more?



---- Threads - GMER 1.0.15 ----

Thread msmsgs.exe [4068:4072] SSDT 0x85DC7B90 != 0x80504428

SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.4072] ZwCreateKey [0xEB0D66EA]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) msmsgs.exe [4068.4072] ZwCreateSection [0xF2C6FFD2]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.4072] ZwCreateSymbolicLinkObject [0xEB0D740B]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwDeleteValueKey [0x85DB15BD]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwEnumerateKey [0x85DB126D]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwEnumerateValueKey [0x85DB1379]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.4072] ZwMakeTemporaryObject [0xEB0D775C]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwOpenKey [0x85DB11B5]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwOpenProcess [0x85DB0F1F]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.4072] ZwOpenSection [0xEB0D7130]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwOpenThread [0x85DB0FA7]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwProtectVirtualMemory [0x85DB1781]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwQuerySystemInformation [0x85DB0E19]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwReadVirtualMemory [0x85DB16B5]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwSetContextThread [0x85DB1152]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) msmsgs.exe [4068.4072] ZwSetInformationProcess [0xF2C6F662]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.4072] ZwSetSystemInformation [0xEB0D7538]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwSetValueKey [0x85DB14B9]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwSuspendThread [0x85DB10EF]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwTerminateThread [0x85DB108C]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwWriteVirtualMemory [0x85DB171B]

---- Threads - GMER 1.0.15 ----

Thread msmsgs.exe [4068:476] SSDT 0x85DACB90 != 0x80504428

SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.476] ZwCreateKey [0xEB0D66EA]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) msmsgs.exe [4068.476] ZwCreateSection [0xF2C6FFD2]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.476] ZwCreateSymbolicLinkObject [0xEB0D740B]
SSDT 00000C93 msmsgs.exe [4068.476] ZwDeleteValueKey [0x85DB15BD]
SSDT 00000C93 msmsgs.exe [4068.476] ZwEnumerateKey [0x85DB126D]
SSDT 00000C93 msmsgs.exe [4068.476] ZwEnumerateValueKey [0x85DB1379]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.476] ZwMakeTemporaryObject [0xEB0D775C]
SSDT 00000C93 msmsgs.exe [4068.476] ZwOpenKey [0x85DB11B5]
SSDT 00000C93 msmsgs.exe [4068.476] ZwOpenProcess [0x85DB0F1F]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.476] ZwOpenSection [0xEB0D7130]
SSDT 00000C93 msmsgs.exe [4068.476] ZwOpenThread [0x85DB0FA7]
SSDT 00000C93 msmsgs.exe [4068.476] ZwProtectVirtualMemory [0x85DB1781]
SSDT 00000C93 msmsgs.exe [4068.476] ZwQuerySystemInformation [0x85DB0E19]
SSDT 00000C93 msmsgs.exe [4068.476] ZwReadVirtualMemory [0x85DB16B5]
SSDT 00000C93 msmsgs.exe [4068.476] ZwSetContextThread [0x85DB1152]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) msmsgs.exe [4068.476] ZwSetInformationProcess [0xF2C6F662]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.476] ZwSetSystemInformation [0xEB0D7538]
SSDT 00000C93 msmsgs.exe [4068.476] ZwSetValueKey [0x85DB14B9]
SSDT 00000C93 msmsgs.exe [4068.476] ZwSuspendThread [0x85DB10EF]
SSDT 00000C93 msmsgs.exe [4068.476] ZwTerminateThread [0x85DB108C]
SSDT 00000C93 msmsgs.exe [4068.476] ZwWriteVirtualMemory [0x85DB171B]

---- Threads - GMER 1.0.15 ----

Thread ISUSPM.exe [4092:2008] SSDT 0x85DC7B90 != 0x80504428

SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.2008] ZwCreateKey [0xEB0D66EA]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) ISUSPM.exe [4092.2008] ZwCreateSection [0xF2C6FFD2]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.2008] ZwCreateSymbolicLinkObject [0xEB0D740B]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwDeleteValueKey [0x85DB15BD]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwEnumerateKey [0x85DB126D]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwEnumerateValueKey [0x85DB1379]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.2008] ZwMakeTemporaryObject [0xEB0D775C]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwOpenKey [0x85DB11B5]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwOpenProcess [0x85DB0F1F]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.2008] ZwOpenSection [0xEB0D7130]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwOpenThread [0x85DB0FA7]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwProtectVirtualMemory [0x85DB1781]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwQuerySystemInformation [0x85DB0E19]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwReadVirtualMemory [0x85DB16B5]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwSetContextThread [0x85DB1152]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) ISUSPM.exe [4092.2008] ZwSetInformationProcess [0xF2C6F662]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.2008] ZwSetSystemInformation [0xEB0D7538]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwSetValueKey [0x85DB14B9]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwSuspendThread [0x85DB10EF]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwTerminateThread [0x85DB108C]
SSDT 00000C93 ISUSPM.exe [4092.2008] ZwWriteVirtualMemory [0x85DB171B]

---- Threads - GMER 1.0.15 ----

Thread ISUSPM.exe [4092:1424] SSDT 0x85DACB90 != 0x80504428

SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.1424] ZwCreateKey [0xEB0D66EA]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) ISUSPM.exe [4092.1424] ZwCreateSection [0xF2C6FFD2]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.1424] ZwCreateSymbolicLinkObject [0xEB0D740B]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwDeleteValueKey [0x85DB15BD]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwEnumerateKey [0x85DB126D]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwEnumerateValueKey [0x85DB1379]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.1424] ZwMakeTemporaryObject [0xEB0D775C]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwOpenKey [0x85DB11B5]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwOpenProcess [0x85DB0F1F]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.1424] ZwOpenSection [0xEB0D7130]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwOpenThread [0x85DB0FA7]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwProtectVirtualMemory [0x85DB1781]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwQuerySystemInformation [0x85DB0E19]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwReadVirtualMemory [0x85DB16B5]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwSetContextThread [0x85DB1152]
SSDT \SystemRoot\System32\DRIVERS\kmxagent.sys (HIPS Agent Driver/CA) ISUSPM.exe [4092.1424] ZwSetInformationProcess [0xF2C6F662]
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) ISUSPM.exe [4092.1424] ZwSetSystemInformation [0xEB0D7538]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwSetValueKey [0x85DB14B9]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwSuspendThread [0x85DB10EF]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwTerminateThread [0x85DB108C]
SSDT 00000C93 ISUSPM.exe [4092.1424] ZwWriteVirtualMemory [0x85DB171B]

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\ziuohuddt.sys (*** hidden *** ) [AUTO] jlxhm <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@ImagePath \??\C:\WINDOWS\system32\drivers\ziuohuddt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@DisplayName jlxhm
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@RulesData 0x03 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@krnl_sleepfreq 0x08 0x07 0x00 0x00
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@krnl_servers_list 0x68 0x74 0x74 0x70 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm@ImagePath \??\C:\WINDOWS\system32\drivers\ziuohuddt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm@DisplayName jlxhm
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm@RulesData 0x03 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm@krnl_sleepfreq 0x08 0x07 0x00 0x00
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm@krnl_servers_list 0x68 0x74 0x74 0x70 ...
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\str.sys 213024 bytes
File C:\WINDOWS\system32\drivers\ziuohuddt.sys 75264 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

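A triage script for GMER output, added here as an example; it is not part of the original thread and not GMER's own code. It reads the record types the log above contains (SSDT hook lines and the Services, Registry and Files sections), separates hooks that GMER could attribute to a driver file (the CA HIPS drivers here) from hooks it could not, lists every ControlSet that still carries the hidden service, and decodes the hex byte dumps of the service's custom values so that a value such as krnl_servers_list can be read as text. The embedded log is a constructed excerpt modelled on the posted one, and the line formats are inferred from those lines only, so other GMER sections (inline code hooks, for instance) are not handled.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the GMER 1.0.15 log posted above
# (representative lines only, not the full log).
SAMPLE_GMER_LOG = r"""
---- Threads - GMER 1.0.15 ----
SSDT \SystemRoot\System32\DRIVERS\KmxSbx.sys (HIPS Registry, Spawning and Devices Guard driver/CA) msmsgs.exe [4068.4072] ZwCreateKey [0xEB0D66EA]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwOpenProcess [0x85DB0F1F]
SSDT 00000C93 msmsgs.exe [4068.4072] ZwWriteVirtualMemory [0x85DB171B]
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\ziuohuddt.sys (*** hidden *** ) [AUTO] jlxhm <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@ImagePath \??\C:\WINDOWS\system32\drivers\ziuohuddt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\jlxhm@krnl_servers_list 0x68 0x74 0x74 0x70 ...
Reg HKLM\SYSTEM\ControlSet003\Services\jlxhm@ImagePath \??\C:\WINDOWS\system32\drivers\ziuohuddt.sys
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\ziuohuddt.sys 75264 bytes executable <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----
"""

# Line shapes inferred from the posted log; anything else is ignored.
SSDT_RE = re.compile(r"^SSDT (\S+)(?: \((.*?)\))? (\S+) \[(\d+)\.(\d+)\] (Zw\w+) \[0x([0-9A-Fa-f]+)\]$")
SERVICE_RE = re.compile(r"^Service (\S+) \((.*?)\) \[(\w+)\] (\S+)(.*)$")
REG_VALUE_RE = re.compile(r"^Reg (.+?)@(\S+)(?: (.*))?$")
FILE_RE = re.compile(r"^File (\S+) (\d+) bytes(.*)$")
SERVICE_KEY_RE = re.compile(r"^HKLM\\SYSTEM\\(\w+)\\Services\\([^\\]+)$", re.I)


def parse_gmer(log_text):
    """Pull hooks, hidden services, per-ControlSet service values and flagged files into dicts."""
    out = {"hooks": defaultdict(set),            # hooking module -> {syscall, ...}
           "hidden_services": [],                # {name, image, start}
           "service_values": defaultdict(dict),  # (controlset, name) -> {value: data}
           "flagged_files": []}                  # (path, size)
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := SSDT_RE.match(line):
            module, _desc, _proc, _pid, _tid, syscall, _addr = m.groups()
            out["hooks"][module].add(syscall)
        elif m := SERVICE_RE.match(line):
            path, flags, start, name, _note = m.groups()
            if "hidden" in flags:
                out["hidden_services"].append({"name": name, "image": path, "start": start})
        elif m := REG_VALUE_RE.match(line):
            key, value, data = m.groups()
            if km := SERVICE_KEY_RE.match(key):   # only direct values of a service key
                out["service_values"][km.groups()][value] = data or ""
        elif m := FILE_RE.match(line):
            path, size, note = m.groups()
            if "ROOTKIT" in note:
                out["flagged_files"].append((path, int(size)))
    return out


def is_attributed(module):
    """GMER prints the owning driver's path when a hook address lies inside a loaded
    module; a bare token such as 00000C93 means it could not attribute the hook."""
    return module.startswith("\\") or module.lower().endswith(".sys")


def decode_reg_bytes(data):
    """Turn GMER's '0x68 0x74 ...' byte dump into (bytes, was_truncated)."""
    tokens = data.split()
    truncated = bool(tokens) and tokens[-1] == "..."
    return bytes(int(t, 16) for t in tokens if t.startswith("0x")), truncated


def triage_gmer(log_text):
    """Return the findings a responder should act on, as tuples keyed by kind."""
    p = parse_gmer(log_text)
    findings = []
    for module, syscalls in sorted(p["hooks"].items()):
        if not is_attributed(module):
            findings.append(("unattributed_ssdt_hook", module, sorted(syscalls)))
    hidden = {s["name"] for s in p["hidden_services"]}
    for s in p["hidden_services"]:
        findings.append(("hidden_service", s["name"], s["image"]))
    for (controlset, name), values in sorted(p["service_values"].items()):
        if name not in hidden:
            continue
        # Each ControlSet that still carries the service is a persistence point of its own.
        findings.append(("service_key", controlset, name, values.get("ImagePath", "")))
        for value, data in values.items():
            if data.startswith("0x"):
                raw, truncated = decode_reg_bytes(data)
                findings.append(("binary_value", name, value,
                                 raw.decode("ascii", "replace"), truncated))
    for path, size in p["flagged_files"]:
        findings.append(("flagged_file", path, size))
    return findings


if __name__ == "__main__":
    for finding in triage_gmer(SAMPLE_GMER_LOG):
        print(*finding)
```

Run it as a script to print the findings for the embedded excerpt, or call triage_gmer on a saved log. The split matters in the log above: the hooks that resolve to KmxSbx.sys and kmxagent.sys belong to CA's HIPS and are expected on this machine, while the hooks GMER reports under 00000C93 at 0x85DB... addresses are the ones to examine together with the hidden jlxhm service, whose krnl_servers_list value decodes to text beginning "http".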

Re: Help - reached the end of my rope....

Post by Belahzur on 5th December 2009, 4:16 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.]

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Drivers to disable:
jlxhm

Drivers to delete:
jlxhm

Files to delete:
C:\WINDOWS\system32\drivers\ziuohuddt.sys
C:\WINDOWS\system32\drivers\str.sys

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\jlxhm
HKLM\SYSTEM\ControlSet003\Services\jlxhm

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Help - reached the end of my rope....

Post by Heroes on 5th December 2009, 8:19 pm

Hi, here is the Avenger log file.


Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

hidden driver "jlxhm" found!
DisplayName: jlxhm
ImagePath: \??\C:\WINDOWS\system32\drivers\ziuohuddt.sys
Driver disabled successfully.

Rootkit scan completed.

Driver "jlxhm" disabled successfully.
Driver "jlxhm" deleted successfully.
File "C:\WINDOWS\system32\drivers\ziuohuddt.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\str.sys" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\jlxhm" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\jlxhm" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet003\Services\jlxhm" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

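A checker, added here as an example (it is not part of the thread and not The Avenger's own code), that reads an Avenger script together with the log it produced and reports, per requested action, whether it was done, failed, or targeted an object that was already gone. The distinction matters in the log above: the CurrentControlSet key deletion is reported as failed with STATUS_OBJECT_NAME_NOT_FOUND, meaning there was nothing left to delete, while ControlSet003 still held its own copy of the service key and needed an explicit deletion. The script and log texts below are constructed from the posted ones; the line formats handled are only those seen in this log.

```python
import re

# Constructed copies of the Avenger script and the result lines of the log
# posted above (banner text trimmed).
AVENGER_SCRIPT = r"""
Drivers to disable:
jlxhm

Drivers to delete:
jlxhm

Files to delete:
C:\WINDOWS\system32\drivers\ziuohuddt.sys
C:\WINDOWS\system32\drivers\str.sys

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\jlxhm
HKLM\SYSTEM\ControlSet003\Services\jlxhm
"""

AVENGER_LOG = r"""
Driver "jlxhm" disabled successfully.
Driver "jlxhm" deleted successfully.
File "C:\WINDOWS\system32\drivers\ziuohuddt.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\str.sys" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\jlxhm" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\jlxhm" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet003\Services\jlxhm" deleted successfully.
"""

# Script section header -> (object kind, action the log will report for it).
SECTIONS = {
    "Drivers to disable": ("driver", "disabled"),
    "Drivers to delete": ("driver", "deleted"),
    "Files to delete": ("file", "deleted"),
    "Registry keys to delete": ("registry key", "deleted"),
}

# Result line shapes as they appear in the posted log.
OK_RE = re.compile(r'^(Driver|File|Registry key) "(.+)" (disabled|deleted) successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (driver|file|registry key) "(.+)" failed!$')
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]+) \((\w+)\)$")


def parse_script(text):
    """Return the requested actions as [(kind, action, target)] in script order."""
    requested, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            current = SECTIONS[line[:-1]]
        elif current is not None:
            requested.append((current[0], current[1], line))
    return requested


def parse_log(text):
    """Return {(kind, target, action): (outcome, ntstatus_name)} from the result lines."""
    results, pending = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := OK_RE.match(line):
            kind, target, action = m.groups()
            results[(kind.lower(), target, action)] = ("ok", None)
            pending = None
        elif m := FAIL_RE.match(line):
            kind, target = m.groups()
            pending = (kind.lower(), target, "deleted")
            results[pending] = ("failed", None)
        elif pending and (m := STATUS_RE.match(line)):
            # The Status line that follows a failure names the NTSTATUS code.
            results[pending] = ("failed", m.group(2))
            pending = None
    return results


def reconcile(script_text, log_text):
    """Map each requested action to done / already_absent / failed:<status> / no_result."""
    results = parse_log(log_text)
    report = {}
    for kind, action, target in parse_script(script_text):
        outcome = results.get((kind, target, action))
        if outcome is None:
            state = "no_result"
        elif outcome[0] == "ok":
            state = "done"
        elif outcome[1] == "STATUS_OBJECT_NAME_NOT_FOUND":
            # Nothing was there to delete: not a cleanup failure, but worth
            # recording, since an earlier step may already have removed it.
            state = "already_absent"
        else:
            state = "failed:" + (outcome[1] or "unknown")
        report[(kind, action, target)] = state
    return report


def unresolved(report):
    """Targets that still need attention after the run."""
    return sorted(t for (_, _, t), s in report.items() if s not in ("done", "already_absent"))


if __name__ == "__main__":
    report = reconcile(AVENGER_SCRIPT, AVENGER_LOG)
    for (kind, action, target), state in report.items():
        print(f"{state:15} {kind} {action}: {target}")
    print("unresolved:", unresolved(report))
```

On the embedded texts every requested action ends up either done or already_absent and unresolved() returns an empty list; a target that never appears in the log, or that fails with another status, is what the list is there to catch.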

Re: Help - reached the end of my rope....

Post by Belahzur on 6th December 2009, 12:56 am

Can you run Combofix now?





Re: Help - reached the end of my rope....

Post by Heroes on 6th December 2009, 5:25 am

Yes, report is below.

ComboFix 09-12-02.05 - Rick Hyman 12/05/2009 22:43.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.402 [GMT -5:00]
Running from: c:\documents and settings\Rick Hyman\Desktop\Combo-Fix.exe
FW: CA Personal Firewall *enabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.exe
.
---- Previous Run -------
.
c:\windows\system32\drivers\str.sys . . . . failed to delete

-- Previous Run --

Infected copy of c:\windows\system32\es.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\es.dll

--------

.
((((((((((((((((((((((((( Files Created from 2009-11-06 to 2009-12-06 )))))))))))))))))))))))))))))))
.

2009-12-05 23:51 . 2009-08-12 21:48 270336 ----a-w- c:\windows\system32\cdg.dll
2009-12-05 23:51 . 2006-09-27 22:46 348160 ----a-w- c:\windows\system32\cdga.dll
2009-12-05 23:51 . 2006-07-18 02:42 14909 ----a-w- c:\windows\system32\A_reg.reg
2009-12-05 23:51 . 2009-12-05 23:51 -------- d-----w- c:\program files\Cucusoft
2009-12-05 17:27 . 2009-12-05 17:27 0 ----a-w- C:\backup.reg
2009-12-05 17:27 . 2009-12-05 17:27 574 ----a-w- C:\cleanup.bat
2009-12-05 17:27 . 2009-12-05 17:27 135168 ----a-w- C:\zip.exe
2009-12-04 00:52 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-04 00:42 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-12-04 00:42 . 2008-10-16 19:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-12-04 00:42 . 2008-10-16 19:13 202776 ----a-w- c:\windows\system32\wuweb.dll
2009-12-04 00:42 . 2008-10-16 19:13 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-12-04 00:42 . 2008-10-16 19:12 323608 ----a-w- c:\windows\system32\wucltui.dll
2009-12-04 00:42 . 2008-10-16 19:09 92696 ----a-w- c:\windows\system32\cdm.dll
2009-12-04 00:42 . 2008-10-16 19:09 51224 ----a-w- c:\windows\system32\wuauclt.exe
2009-12-03 09:11 . 2009-08-07 00:24 327896 ----a-w- c:\windows\system32\dllcache\wucltui.dll
2009-12-03 09:11 . 2009-08-07 00:24 209632 ----a-w- c:\windows\system32\dllcache\wuweb.dll
2009-12-03 09:11 . 2009-08-07 00:24 53472 ----a-w- c:\windows\system32\dllcache\wuauclt.exe
2009-12-03 09:11 . 2009-08-07 00:23 1929952 ----a-w- c:\windows\system32\dllcache\wuaueng.dll
2009-12-03 09:11 . 2009-08-07 00:24 96480 ----a-w- c:\windows\system32\dllcache\cdm.dll
2009-12-01 09:37 . 2009-12-01 09:37 79488 ----a-w- c:\documents and settings\Rick Hyman\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-27 19:42 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Rick Hyman\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-11-27 19:41 . 2009-11-27 19:44 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-27 19:40 . 2009-11-27 19:40 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-27 19:39 . 2009-11-27 19:39 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-27 19:39 . 2009-12-01 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-27 16:37 . 2008-10-16 19:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-11-27 16:37 . 2008-10-16 19:08 34328 ----a-w- c:\windows\system32\wups.dll
2009-11-27 16:36 . 2008-10-16 19:12 561688 ----a-w- c:\windows\system32\wuapi.dll
2009-11-22 01:05 . 2009-11-22 01:05 -------- d-----w- c:\program files\iPod
2009-11-22 01:05 . 2009-11-22 01:05 -------- d-----w- c:\program files\iTunes
2009-11-22 00:26 . 2009-11-22 00:26 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-19 11:55 . 2009-11-19 11:55 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-16 10:26 . 2004-08-10 10:00 57398 ----a-w- c:\windows\system32\dllcache\imjpdadm.exe
2009-11-15 19:56 . 2009-12-04 01:03 -------- d-----w- c:\windows\LastGood
2009-11-12 12:06 . 2009-11-12 12:06 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-12 12:06 . 2009-11-12 12:06 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-11-12 12:06 . 2009-11-12 12:06 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-11-12 12:06 . 2009-11-21 05:43 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-11-12 12:06 . 2009-11-12 12:06 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-11-12 12:06 . 2009-11-12 12:06 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-11-12 12:06 . 2009-11-12 12:06 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-11-12 12:06 . 2009-11-12 12:06 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-11-12 12:05 . 2009-11-12 12:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-12 12:05 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-06 23:39 . 2009-12-06 03:39 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-05 17:32 . 2009-01-25 08:09 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2009-12-05 17:32 . 2009-01-25 08:09 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2009-12-05 17:32 . 2009-01-25 08:09 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2009-12-05 17:32 . 2009-01-25 08:09 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2009-12-05 17:32 . 2009-01-25 08:09 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2009-12-05 17:32 . 2009-01-25 08:09 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2009-12-05 17:32 . 2009-01-25 08:09 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2009-12-05 17:32 . 2009-01-25 08:09 439158 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2009-12-02 00:53 . 2008-11-16 12:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-27 03:21 . 2006-12-03 22:28 19178 -c--a-w- c:\documents and settings\Rick Hyman\Application Data\wklnhst.dat
2009-11-23 12:09 . 2008-10-03 23:20 -------- d-----w- c:\program files\QuickTime
2009-11-22 01:05 . 2007-10-17 10:40 -------- d-----w- c:\program files\Common Files\Apple
2009-11-21 14:04 . 2006-11-27 21:08 96696 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-12 12:06 . 2009-08-04 10:22 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-11-12 12:06 . 2009-08-04 10:22 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-10-15 20:21 . 2009-10-15 20:21 -------- d-----w- c:\documents and settings\Jill Hyman\Application Data\Malwarebytes
2009-10-10 14:23 . 2009-09-22 21:12 3584 ----a-w- c:\documents and settings\Matthew Hyman\Application Data\Macromedia\Common\1223407419.exe
2009-10-09 22:41 . 2009-09-22 17:13 3584 ----a-w- c:\documents and settings\NetworkService\Application Data\Macromedia\Common\1223407419.exe
2009-10-05 21:01 . 2009-09-28 21:22 3584 ----a-w- c:\documents and settings\Danni Hyman\Application Data\Macromedia\Common\1223407419.exe
2009-09-29 01:24 . 2009-09-29 01:25 388608 ----a-w- c:\windows\system32\CF7074.exe
2009-09-29 00:19 . 2009-09-29 00:21 388608 ----a-w- c:\windows\system32\CF20058.exe
2009-09-28 23:21 . 2009-09-28 23:54 388608 ----a-w- c:\windows\system32\CF23298.exe
2009-09-28 19:47 . 2009-09-28 19:49 388608 ----a-w- c:\windows\system32\CF6897.exe
2009-09-24 02:44 . 2009-09-24 02:44 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-24 00:20 . 2009-09-24 00:20 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-09-24 00:20 . 2009-03-28 21:15 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-24 00:20 . 2009-09-24 00:20 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2009-09-24 00:20 . 2009-09-24 00:20 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2009-09-24 00:19 . 2009-08-04 10:21 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-09-14 23:07 . 2007-03-25 23:59 13278 -c--a-w- c:\documents and settings\Danni Hyman\Application Data\wklnhst.dat
2009-09-10 19:54 . 2008-11-16 12:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-11-16 12:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-06-08 12:15 . 2008-06-08 12:15 0 -c--a-w- c:\program files\uninstall.dat
2007-10-19 00:35 . 2006-12-04 01:58 88 -csh--r- c:\windows\system32\874376E414.sys
2007-10-19 00:36 . 2006-12-04 01:58 2828 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-05-24 181488]
"cafw"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-08-28 771312]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-08-28 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-08-28 259312]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-11-21 788880]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-27 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 19:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [3/19/2008 11:56 AM 93712]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/3/2009 7:52 PM 64288]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [3/21/2008 4:00 PM 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [3/21/2008 4:00 PM 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [3/19/2008 11:56 AM 115216]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/4/2008 12:27 PM 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [3/21/2008 4:00 PM 66576]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1184912]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/18/2007 11:24 AM 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [10/18/2007 11:24 AM 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [4/15/2008 12:50 PM 281104]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/25/2009 6:49 PM 24652]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [5/30/2008 4:56 PM 88816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-12-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 05:43]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
DPF: {444785F1-DE89-4295-863A-D46C3A781394} - [You must be registered and logged in to see this link.]
DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - c:\program files\AIM6\aim6.exe
AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-atoysvfixkzwnqr - c:\windows\system32\atoysvfixkzwnqr.exe
AddRemove-cont_adsoftinc - c:\windows\system32\cont_adsoftinc-remove.exe
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-05 22:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-12-05 23:00
ComboFix-quarantined-files.txt 2009-12-06 04:00
ComboFix2.txt 2008-11-23 15:35

Pre-Run: 216,634,572,800 bytes free
Post-Run: 216,602,234,880 bytes free

- - End Of File - - AE4BDEAB7342375E6524B2E6BD0E2428


Re: Help - reached the end of my rope....

Post by Belahzur on 6th December 2009, 12:08 pm

Hello.
Nice work, this malware was quite stubborn; surprising to see Combofix failed to delete that str.sys, and the Avenger easily trashed it.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.





Re: Help - reached the end of my rope....

Post by Heroes on 6th December 2009, 4:44 pm

Great. Here it is, computer is already a lot faster.

3ivx MPEG-4 5.0.3 (remove only)
Acrobat.com
Acrobat.com
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Reader 9.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BlackBerry Desktop Software 4.3
BlackBerry Desktop Software 4.3
Bonjour
BUM
CA Desktop DNA Migrator
CA Internet Security Suite
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Conexant D850 56K V.9x DFVc Modem
Cucusoft DVD to iPod Converter 7.27
Dell CinePlayer
Dell Driver Reset Tool
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
FlipShare
getPlus(R)_ocx
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Essential
HP Software Update
HP Solution Center 7.0
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
iTunes
KODAK Gallery Upload Software
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
muvee Plugin 1.0
NetWaiting
OverDrive Media Console
QuickTime
Roxio Media Manager
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
Unity Web Player
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WD Diagnostics
WildTangent Web Driver
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766

Heroes
Intermediate

Posts : 99
Joined : 2009-10-03
OS : XP
Points : 27617
# Likes : 0
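As an added example (not code from the thread or from HijackThis), the following Python script triages a saved uninstall list like the one posted above: it separates Windows servicing entries (hotfixes, security updates) from applications, collects KB numbers, and reports duplicate entries and any application on a watch list. The sample list is a constructed excerpt of the post, and the watch list containing Viewpoint Media Player is an assumption based on the helper's later advice in this thread.

```python
import re
from collections import Counter

# Constructed sample modelled on the uninstall list posted in the thread
# (a few entries only; the real list runs to several hundred lines).
SAMPLE_LIST = """\
3ivx MPEG-4 5.0.3 (remove only)
Acrobat.com
Acrobat.com
Ad-Aware
Hotfix for Windows XP (KB888795)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Update for Windows XP (KB932823-v3)
Windows XP Hotfix - KB885836
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Viewpoint Media Player
WildTangent Web Driver
"""

# Entry names starting like this are OS servicing entries, not applications.
UPDATE_RE = re.compile(
    r"^(Hotfix for |Security Update for |Update for |Update Rollup |Windows XP Hotfix)",
    re.IGNORECASE,
)
# Matches "KB888795", "(KB951376-v2)" and lower-case "kb973923".
KB_RE = re.compile(r"\bKB\s?(\d{6,7})(?:-v\d+)?", re.IGNORECASE)

# Hypothetical watch list (lower-cased names); the helper in this thread
# asked for Viewpoint Media Player to be removed.
WATCH_LIST = {"viewpoint media player"}


def triage_uninstall_list(text, watch_list=WATCH_LIST):
    """Split an uninstall list into OS updates and applications, then report
    KB numbers, duplicate entries and applications on the watch list."""
    entries = [line.strip() for line in text.splitlines() if line.strip()]
    counts = Counter(entries)  # preserves first-seen order
    updates, apps, kb_numbers = [], [], set()
    for name in counts:
        match = KB_RE.search(name)
        if match:
            kb_numbers.add(match.group(1))
        (updates if UPDATE_RE.match(name) else apps).append(name)
    return {
        "updates": updates,
        "applications": apps,
        "kb_numbers": sorted(kb_numbers),
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "flagged": [n for n in apps if n.lower() in watch_list],
    }


if __name__ == "__main__":
    for key, value in triage_uninstall_list(SAMPLE_LIST).items():
        print(f"{key}: {value}")
```

Run it against a real uninstall_list.txt by reading the file into `triage_uninstall_list`; the "applications" section is the part a helper actually reads, since the update entries are routine noise.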

Re: Help - reached the end of my rope....

Post by Belahzur on 7th December 2009, 1:14 am

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Viewpoint Media Player

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?


Re: Help - reached the end of my rope....

Post by Heroes on 7th December 2009, 1:36 am

Seems much better. Is there anything else that I need to do?


Re: Help - reached the end of my rope....

Post by Belahzur on 7th December 2009, 8:56 pm

Nope, that should do it.


Re: Help - reached the end of my rope....

Post by Heroes on 8th December 2009, 3:54 am

You guys are awesome. Thanks.


Re: Help - reached the end of my rope....

Post by Belahzur on 8th December 2009, 9:41 pm

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.
