Don't even know where to begin on this one


Re: Don't even know where to begin on this one

Post by Belahzur on Sun Dec 20, 2009 11:07 pm

Nice one. How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245049
# Likes : 1

Re: Don't even know where to begin on this one

Post by Flapjacks on Sun Dec 20, 2009 11:26 pm

Computer is still sluggish, but mainly due to the hard drive being almost full. I don't think it has anything to do with malware at this point. I do have some issues still with his computer I could use some help with, but again I don't believe they are malware related. I will list them here, and if you can help me, great; if you need or want me to start a new thread in the hardware or software forum I can do that also. I have three issues.

1) I can't boot up in safe mode. The last file it either loads or gets stuck on is mup.sys.
2) Upon booting up I get two error messages about scrnrdr.exe. I have no idea what this file is for. The first message is:
Windows cannot find 'C:\WINDOWS\SYSTEM32\scrnrdr.exe' make sure you typed the name correctly etc....
It does have the red circle with the white X in it on the left side, so it may be associated with the Internet Security 2010, but not sure.
I hit OK,
then this message comes up:
Error
could not execute the external program C:\\WINDOWS\SYSTEM32\scrnrdr.exe

Last issue:
3) I'm trying to get rid of all traces of the Vista Transformation Pack he had on here. Some things still show as Vista items: the first page that shows the users on here, then the splash screen while loading has the circle with the wavy Windows icon in it. Some of the icons are still Vista, such as the drive icons etc. It looks like XP now once everything loads, except for a couple of items like some icons.

Other than these three I think I'm fine. A little nervous about giving his computer back to him, because it was not showing anything last time and it only took two days for it to come back... but you have been VERY helpful.

Flapjacks
Novice

Posts : 43
Joined : 2009-12-13
Gender : Male
OS : windows XP SP3
Points : 25974
# Likes : 0

Re: Don't even know where to begin on this one

Post by Belahzur on Sun Dec 20, 2009 11:40 pm

Let's go deeper then.

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Don't even know where to begin on this one

Post by Flapjacks on Sun Dec 20, 2009 11:45 pm

Edit: whoops, read the wrong post. Will get ComboFix logs for you here in a few.


Re: Don't even know where to begin on this one

Post by Flapjacks on Mon Dec 21, 2009 12:13 am

Thought I had AVG stopped, but I guess not. Going to finish installing Microsoft Recovery, then log it over again after I get AVG to quit.


Re: Don't even know where to begin on this one

Post by Belahzur on Mon Dec 21, 2009 12:20 am

You have to go into UI (user interface) to stop the guard.



Re: Don't even know where to begin on this one

Post by Flapjacks on Mon Dec 21, 2009 12:38 am

It is running now, stage 32. Should have a log for you here shortly.


Re: Don't even know where to begin on this one

Post by Belahzur on Mon Dec 21, 2009 12:38 am

Okay, good work.
Standing by.



Re: Don't even know where to begin on this one

Post by Flapjacks on Mon Dec 21, 2009 12:43 am

It's at deleting folders and seems to have stopped... but no message saying it's finished.


Re: Don't even know where to begin on this one

Post by Belahzur on Mon Dec 21, 2009 12:47 am

Let it keep going, it usually seems to have "frozen" but it's actually doing something, especially if it's having to disinfect patched files.



Re: Don't even know where to begin on this one

Post by Flapjacks on Mon Dec 21, 2009 12:54 am

Still not showing progress. Deleted files from a couple of users, which is listed, and now below that just a blinking cursor. Normal?


Re: Don't even know where to begin on this one

Post by Flapjacks on Mon Dec 21, 2009 12:56 am

Never mind, it says rebooting Windows now. lol, I was getting scared haha


Re: Don't even know where to begin on this one

Post by Belahzur on Mon Dec 21, 2009 12:57 am

Told ya.



Re: Don't even know where to begin on this one

Post by Flapjacks on Mon Dec 21, 2009 12:58 am

LOL yes you did hahaha


Re: Don't even know where to begin on this one

Post by Flapjacks on Mon Dec 21, 2009 1:13 am

Still waiting on ComboFix here, not worried, just passing along info for ya. Ahahaha


Re: Don't even know where to begin on this one

Post by Belahzur on Mon Dec 21, 2009 1:17 am

No one ever said malware removal was a quick task.



Re: Don't even know where to begin on this one

Post by Flapjacks on Mon Dec 21, 2009 1:21 am

Success.

ComboFix 09-12-19.04 - Dad 12/20/2009 19:27:09.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.9 [GMT -5:00]
Running from: c:\documents and settings\Dad\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Alicia M. Kowalski\Local Settings\Temporary Internet Files\Tvm.log
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Bryan G. Sheftz\Cookies\Copy (2) of INDEX.DAT
c:\documents and settings\Bryan G. Sheftz\Cookies\Copy (3) of INDEX.DAT
c:\documents and settings\Bryan G. Sheftz\Cookies\Copy (4) of INDEX.DAT
c:\documents and settings\Bryan G. Sheftz\Local Settings\Temporary Internet Files\Tvm.log
c:\documents and settings\Dad\Start Menu\Internet Security 2010.lnk
c:\documents and settings\Stacey L. Sheftz\Application Data\{2CF0B992-5EEB-4143-99C0-5297EF71F444}
c:\program files\Common Files\SLMSS
c:\program files\Common
c:\recycler\S-1-5-21-2213037970-2833957246-4191809102-1006
c:\recycler\S-1-5-21-2213037970-2833957246-4191809102-1007
c:\recycler\S-1-5-21-2213037970-2833957246-4191809102-1008
c:\recycler\S-1-5-21-2213037970-2833957246-4191809102-1009
c:\recycler\S-1-5-21-2213037970-2833957246-4191809102-500
C:\setup.exe
C:\Thumbs.db
c:\windows\bundles
c:\windows\system32\drivers\fad.sys
c:\windows\system32\P2P Networking
c:\windows\system32\pcs
c:\windows\system32\setup.ini

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-20 23:58 . 2009-12-21 00:12 -------- d-----w- C:\Combo-Fix
2009-12-18 06:17 . 2009-12-18 06:17 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\hcrruu
2009-12-14 20:43 . 2009-12-14 20:43 -------- d-----w- c:\program files\CCleaner
2009-12-14 20:11 . 2009-12-14 20:11 -------- d-----w- C:\_OTM
2009-12-14 06:44 . 2009-12-14 06:44 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2009-12-14 03:01 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-14 03:01 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-14 02:04 . 2008-04-11 12:52 722432 ----a-r- c:\windows\system32\drivers\ZD1211BU.sys
2009-12-14 00:35 . 2009-12-14 00:35 -------- d-----w- c:\program files\TrendMicro
2009-12-13 23:40 . 2009-12-13 23:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-12-13 05:32 . 2009-12-13 05:32 -------- d-sh--w- c:\documents and settings\Mom\PrivacIE
2009-12-13 04:54 . 2009-12-13 04:54 -------- d-sh--w- c:\documents and settings\Mom\IETldCache
2009-12-13 04:12 . 2009-12-13 04:12 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-12-13 04:11 . 2009-12-20 21:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-13 02:27 . 2009-12-13 02:27 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-12-13 02:06 . 2009-12-13 02:06 -------- d-----w- c:\documents and settings\Owner\Application Data\5400 Series
2009-12-13 02:06 . 2009-12-13 02:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Verizon
2009-12-13 02:05 . 2009-12-13 02:05 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-12-12 05:55 . 2009-12-15 10:19 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\tjagic
2009-11-22 16:46 . 2009-11-22 16:46 18616 ---ha-w- c:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-14 20:32 . 2003-07-10 05:34 -------- d-----w- c:\program files\Lavasoft
2009-12-14 06:35 . 2008-12-13 18:47 -------- d-----w- c:\program files\ViStart
2009-12-13 05:46 . 2004-12-05 16:11 17528 -c--a-w- c:\documents and settings\Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-12 01:22 . 2005-07-23 15:02 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kodak
2009-12-12 01:05 . 2008-12-27 23:34 -------- d-----w- c:\program files\U.B. Funkeys
2009-12-11 17:18 . 2005-07-23 15:02 -------- d-----w- c:\program files\Kodak
2009-12-11 16:08 . 2008-02-19 20:03 -------- d-----w- c:\documents and settings\Dad\Application Data\5400 Series
2009-12-10 06:31 . 2008-02-19 19:49 -------- d-----w- c:\program files\Lx_cats
2009-12-07 00:16 . 2008-03-25 21:49 -------- d-----w- c:\program files\Safari
2009-12-06 23:53 . 2008-01-16 02:51 -------- d-----w- c:\program files\Common Files\Apple
2009-11-22 16:22 . 2005-03-29 17:05 -------- d-----w- c:\documents and settings\Dad\Application Data\Apple Computer
2009-10-29 07:45 . 2004-08-24 00:32 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2002-09-03 16:50 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2002-09-03 16:55 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2002-09-03 16:54 79872 ----a-w- c:\windows\system32\raschap.dll
2008-08-01 03:20 . 2008-08-01 03:20 5271552 -c--a-w- c:\program files\PStory.msi
2008-08-01 01:31 . 2008-08-01 01:31 4853424 -c--a-w- c:\program files\InstallPhotoJam3DL.EXE
2007-09-17 00:26 . 2007-09-17 00:25 25755448 -c--a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2004-10-04 03:52 . 2004-10-04 03:52 490608 -c--a-w- c:\program files\ie6setup.exe
2004-08-30 03:52 . 2004-08-30 03:52 10135688 -c--a-w- c:\program files\MPSetupXP.exe
2003-07-03 06:20 . 2003-07-03 06:20 1856 -c--a-w- c:\program files\Microsoft Word (2).lnk
2003-03-07 02:17 . 2003-03-07 02:17 2765 -c--a-w- c:\program files\Common Files\AutoUpdate.rtf
2003-01-27 16:50 . 2003-01-27 16:50 1000448 -c--a-w- c:\program files\Common Files\AutoUpdate.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vista Rainbar"="c:\program files\Vista Rainbar\launcher.exe" [2008-11-15 131778]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2009-12-16 03:53 2043160 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 08:59 122880 ----a-w- c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2007-03-19 12:58 82864 ----a-w- c:\program files\Lexmark 5400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 12:59 126976 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 12:59 155648 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 18:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
2004-09-20 06:27 65536 ----a-w- c:\program files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5400 Series Fax Server]
2007-03-19 12:59 304048 ----a-w- c:\program files\Lexmark 5400 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxctmon.exe]
2007-03-19 12:58 291760 ----a-w- c:\program files\Lexmark 5400 Series\lxctmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LyraHD2TrayApp]
2004-05-13 15:48 286720 ----a-w- c:\program files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\riktaqgj]
2009-12-18 06:14 250624 ----a-w- c:\documents and settings\Dad\Local Settings\Application Data\hcrruu\vnkosysguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2007-05-11 19:20 2061816 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
2007-06-06 23:52 936960 ----a-w- c:\program files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb]
2008-11-14 15:33 69632 ----a-w- c:\program files\ViOrb\ViOrb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart]
2008-11-12 16:28 602112 ----a-w- c:\program files\ViStart\ViStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxctcoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\Directcd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [8/6/2008 8:43 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/6/2008 8:42 PM 297752]
R3 ZD1211BU(Atheros);Atheros ZD1211B IEEE 802.11 Wireless LAN Driver (USB)(Atheros);c:\windows\SYSTEM32\DRIVERS\ZD1211BU.sys [12/13/2009 9:04 PM 722432]
S0 hmxntxw;hmxntxw;c:\windows\system32\drivers\fhvsqfow.sys --> c:\windows\system32\drivers\fhvsqfow.sys [?]
S2 Ca533av;DV Series Video Capture;c:\windows\system32\Drivers\Ca533av.sys --> c:\windows\system32\Drivers\Ca533av.sys [?]
S2 ZKUVGFVV;ZKUVGFVV;\??\c:\windows\system32\zkuvgfvv.shx --> c:\windows\system32\zkuvgfvv.shx [?]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\SYSTEM32\dllhost.exe [9/3/2002 11:31 AM 5120]
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Cosmi Firewall - c:\program files\Cosmi\Firewall\firewall.exe
MSConfigStartUp-VisualTooltip - c:\program files\VisualTooltip\VisualToolTip.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-20 20:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ZKUVGFVV]
"ImagePath"="\??\c:\windows\system32\zkuvgfvv.shx"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,d9,ea,8b,f5,b1,f2,48,b3,14,84,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,d9,ea,8b,f5,b1,f2,48,b3,14,84,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2680)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\windows\system32\lxctcoms.exe
c:\windows\System32\snmp.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-20 20:17:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-21 01:17

Pre-Run: 5,829,853,184 bytes free
Post-Run: 6,772,195,328 bytes free

- - End Of File - - E36164EF85DB1D9EC4D85CE1DAEDB41D


Re: Don't even know where to begin on this one

Post by Belahzur on Mon Dec 21, 2009 1:23 am

Hello.
Bit more to do.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Folder::
    c:\documents and settings\Dad\Local Settings\Application Data\hcrruu

    Driver::
    hmxntxw
    Ca533av
    ZKUVGFVV

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\riktaqgj]
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ZKUVGFVV]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


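The step the helper performs by hand between the two posts above, reading the posted log and turning its findings into a CFScript, as an added example (my code, not the thread's and not ComboFix's own): it parses the msconfig startupreg entries and the service lines of a constructed log excerpt laid out like the first log, flags the entries a malware-removal helper would question, and drafts the Folder::/Driver::/Registry:: sections. The reading of "--> path [?]" as an unresolved image path and the flagging rules are this example's assumptions.

```python
"""Triage a ComboFix log in the layout posted in this thread and draft the
matching CFScript.  Added example, not part of the thread, of ComboFix or of
the helper's workflow: SAMPLE_LOG is a constructed excerpt in the format of
the first log above, and the flagging rules and the reading of "--> path [?]"
as an unresolved image path are this example's assumptions."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed excerpt: three msconfig startupreg entries and four services.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\riktaqgj]
2009-12-18 06:14 250624 ----a-w- c:\documents and settings\Dad\Local Settings\Application Data\hcrruu\vnkosysguard.exe

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [8/6/2008 8:43 PM 335240]
S0 hmxntxw;hmxntxw;c:\windows\system32\drivers\fhvsqfow.sys --> c:\windows\system32\drivers\fhvsqfow.sys [?]
S2 Ca533av;DV Series Video Capture;c:\windows\system32\Drivers\Ca533av.sys --> c:\windows\system32\Drivers\Ca533av.sys [?]
S2 ZKUVGFVV;ZKUVGFVV;\??\c:\windows\system32\zkuvgfvv.shx --> c:\windows\system32\zkuvgfvv.shx [?]
"""

STARTUPREG_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"
# "[...\startupreg\NAME]" followed by a "date time size attrs path" line.
_STARTUP_RE = re.compile(
    r"^\[" + re.escape(STARTUPREG_KEY) + r"\\([^\]]+)\]\r?\n\S+ \S+ \S+ \S+ (.+?)\s*$",
    re.M | re.I)
# "R1 name;display;image [date size]" or "S0 name;display;image --> image [?]".
_SERVICE_RE = re.compile(
    r"^([RS]\d) ([^;]+);([^;]*);(.+?)(?: --> (.+?) \[\?\])?(?: \[[^\]]*\])?\s*$", re.M)
# Per-user data folders on XP: fine for data, an odd home for an autostart binary.
_PROFILE_DATA_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\(?:local settings\\)?"
    r"(?:application data|temp|temporary internet files)\\", re.I)


@dataclass
class StartupEntry:
    name: str
    path: str
    reasons: list = field(default_factory=list)


@dataclass
class Service:
    start: str           # R/S = running/stopped, digit = start type
    name: str
    display: str
    image: str
    image_missing: bool  # True when the log printed "--> path [?]"
    reasons: list = field(default_factory=list)


def parse_startupreg(log):
    return [StartupEntry(name, path) for name, path in _STARTUP_RE.findall(log)]


def parse_services(log):
    return [Service(start, name, display, image, bool(missing))
            for start, name, display, image, missing in _SERVICE_RE.findall(log)]


def triage(log):
    """Return (flagged startup entries, flagged services), each carrying its reasons."""
    entries, services = parse_startupreg(log), parse_services(log)
    for e in entries:
        if _PROFILE_DATA_RE.search(e.path):
            e.reasons.append("autostart binary lives in a user profile data folder")
    for s in services:
        if s.image_missing:
            s.reasons.append("image path does not resolve to a file on disk")
        if s.name == s.display:
            s.reasons.append("display name is just the service name")
        ext = s.image.lower().rsplit(".", 1)[-1]   # whole string if there is no dot
        if ext not in ("sys", "exe", "dll"):
            s.reasons.append(f"unusual image extension .{ext}")
    return [e for e in entries if e.reasons], [s for s in services if s.reasons]


def build_cfscript(flagged_entries, flagged_services):
    """Folder:: gets the directory holding each flagged autostart binary, Driver::
    the flagged service names, Registry:: a [-key] deletion per startupreg key."""
    lines = []
    if flagged_entries:
        lines += ["Folder::", *sorted({str(PureWindowsPath(e.path).parent)
                                        for e in flagged_entries}), ""]
    if flagged_services:
        lines += ["Driver::", *[s.name for s in flagged_services], ""]
    if flagged_entries:
        lines += ["Registry::", *[f"[-{STARTUPREG_KEY}\\{e.name}]" for e in flagged_entries]]
    return "\n".join(lines).rstrip() + "\n"


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    print(build_cfscript(*flagged))
```

On the sample the draft matches the helper's script above except for the ControlSet002 service key, which came from the catchme section that this example does not parse.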

Re: Don't even know where to begin on this one

Post by Flapjacks on Mon Dec 21, 2009 1:48 am

Aaahhhhh, after I dropped the CFScript on ComboFix it was doing its thing, then I blew a fuse at my house. Redid it now and it's at rebooting Windows; should have a new log here for you shortly. After I got this computer back up it wouldn't let me log back in here, I had to reset my password for some reason... very strange, but I'm back.


Re: Don't even know where to begin on this one

Post by Flapjacks on Mon Dec 21, 2009 2:08 am

ComboFix 09-12-19.04 - Dad 12/20/2009 20:36:12.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.101 [GMT -5:00]
Running from: c:\documents and settings\Dad\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Dad\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dad\Local Settings\Application Data\hcrruu
c:\documents and settings\Dad\Local Settings\Application Data\hcrruu\vnkosysguard.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CA533AV
-------\Legacy_ZKUVGFVV
-------\Service_Ca533av
-------\Service_hmxntxw


((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-20 23:58 . 2009-12-21 01:18 -------- d-----w- C:\Combo-Fix
2009-12-14 20:43 . 2009-12-14 20:43 -------- d-----w- c:\program files\CCleaner
2009-12-14 20:11 . 2009-12-14 20:11 -------- d-----w- C:\_OTM
2009-12-14 06:44 . 2009-12-14 06:44 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2009-12-14 03:01 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-14 03:01 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-14 02:04 . 2008-04-11 12:52 722432 ----a-r- c:\windows\system32\drivers\ZD1211BU.sys
2009-12-14 00:35 . 2009-12-14 00:35 -------- d-----w- c:\program files\TrendMicro
2009-12-13 23:40 . 2009-12-13 23:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-12-13 05:32 . 2009-12-13 05:32 -------- d-sh--w- c:\documents and settings\Mom\PrivacIE
2009-12-13 04:54 . 2009-12-13 04:54 -------- d-sh--w- c:\documents and settings\Mom\IETldCache
2009-12-13 04:12 . 2009-12-13 04:12 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-12-13 04:11 . 2009-12-20 21:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-13 02:27 . 2009-12-13 02:27 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-12-13 02:06 . 2009-12-13 02:06 -------- d-----w- c:\documents and settings\Owner\Application Data\5400 Series
2009-12-13 02:06 . 2009-12-13 02:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Verizon
2009-12-13 02:05 . 2009-12-13 02:05 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-12-12 05:55 . 2009-12-15 10:19 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\tjagic
2009-11-22 16:46 . 2009-11-22 16:46 18616 ---ha-w- c:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-14 20:32 . 2003-07-10 05:34 -------- d-----w- c:\program files\Lavasoft
2009-12-14 08:51 . 2009-12-14 08:51 388096 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-14 06:35 . 2008-12-13 18:47 -------- d-----w- c:\program files\ViStart
2009-12-14 00:35 . 2009-12-14 00:35 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-13 05:46 . 2004-12-05 16:11 17528 -c--a-w- c:\documents and settings\Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-12 20:23 . 2009-12-16 03:53 1143064 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgupd.exe
2009-12-12 20:23 . 2009-12-16 03:53 1478936 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgupd.dll
2009-12-12 20:23 . 2009-12-16 03:53 759064 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avginet.dll
2009-12-12 01:22 . 2005-07-23 15:02 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kodak
2009-12-12 01:05 . 2008-12-27 23:34 -------- d-----w- c:\program files\U.B. Funkeys
2009-12-11 17:18 . 2005-07-23 15:02 -------- d-----w- c:\program files\Kodak
2009-12-11 16:08 . 2008-02-19 20:03 -------- d-----w- c:\documents and settings\Dad\Application Data\5400 Series
2009-12-10 06:31 . 2008-02-19 19:49 -------- d-----w- c:\program files\Lx_cats
2009-12-07 00:16 . 2008-03-25 21:49 -------- d-----w- c:\program files\Safari
2009-12-06 23:53 . 2008-01-16 02:51 -------- d-----w- c:\program files\Common Files\Apple
2009-12-06 23:48 . 2009-12-06 23:48 79144 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-26 13:24 . 2009-12-16 03:57 2063640 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgcorex.dll
2009-11-26 13:24 . 2009-12-16 03:57 3514648 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgui.exe
2009-11-26 13:24 . 2009-12-16 03:57 2029336 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgtray.exe
2009-11-22 16:22 . 2005-03-29 17:05 -------- d-----w- c:\documents and settings\Dad\Application Data\Apple Computer
2009-10-29 07:45 . 2004-08-24 00:32 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2002-09-03 16:50 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2002-09-03 16:55 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2002-09-03 16:54 79872 ----a-w- c:\windows\system32\raschap.dll
2008-08-01 03:20 . 2008-08-01 03:20 5271552 -c--a-w- c:\program files\PStory.msi
2008-08-01 01:31 . 2008-08-01 01:31 4853424 -c--a-w- c:\program files\InstallPhotoJam3DL.EXE
2007-09-17 00:26 . 2007-09-17 00:25 25755448 -c--a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2004-10-04 03:52 . 2004-10-04 03:52 490608 -c--a-w- c:\program files\ie6setup.exe
2004-08-30 03:52 . 2004-08-30 03:52 10135688 -c--a-w- c:\program files\MPSetupXP.exe
2003-07-03 06:20 . 2003-07-03 06:20 1856 -c--a-w- c:\program files\Microsoft Word (2).lnk
2003-03-07 02:17 . 2003-03-07 02:17 2765 -c--a-w- c:\program files\Common Files\AutoUpdate.rtf
2003-01-27 16:50 . 2003-01-27 16:50 1000448 -c--a-w- c:\program files\Common Files\AutoUpdate.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2009-12-16 03:53 2043160 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 08:59 122880 ----a-w- c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2007-03-19 12:58 82864 ----a-w- c:\program files\Lexmark 5400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 12:59 126976 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 12:59 155648 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 18:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
2004-09-20 06:27 65536 ----a-w- c:\program files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5400 Series Fax Server]
2007-03-19 12:59 304048 ----a-w- c:\program files\Lexmark 5400 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxctmon.exe]
2007-03-19 12:58 291760 ----a-w- c:\program files\Lexmark 5400 Series\lxctmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LyraHD2TrayApp]
2004-05-13 15:48 286720 ----a-w- c:\program files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2007-05-11 19:20 2061816 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
2007-06-06 23:52 936960 ----a-w- c:\program files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb]
2008-11-14 15:33 69632 ----a-w- c:\program files\ViOrb\ViOrb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart]
2008-11-12 16:28 602112 ----a-w- c:\program files\ViStart\ViStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxctcoms.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\Directcd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [8/6/2008 8:43 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/6/2008 8:42 PM 297752]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\SYSTEM32\dllhost.exe [9/3/2002 11:31 AM 5120]
S3 ZD1211BU(Atheros);Atheros ZD1211B IEEE 802.11 Wireless LAN Driver (USB)(Atheros);c:\windows\SYSTEM32\DRIVERS\ZD1211BU.sys [12/13/2009 9:04 PM 722432]
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-20 20:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,d9,ea,8b,f5,b1,f2,48,b3,14,84,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,d9,ea,8b,f5,b1,f2,48,b3,14,84,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2612)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\windows\system32\lxctcoms.exe
c:\windows\System32\snmp.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-20 21:04:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-21 02:04
ComboFix2.txt 2009-12-21 01:17

Pre-Run: 6,817,300,480 bytes free
Post-Run: 6,778,875,904 bytes free

- - End Of File - - 45C64E252E0B32F29BA23BF189759D3D

Flapjacks
Novice
Novice

Posts Posts : 43
Joined Joined : 2009-12-13
Gender Gender : Male
OS OS : windows XP SP3
Points Points : 25974
# Likes # Likes : 0


Re: Don't even know where to begin on this one

Post by Flapjacks on Mon Dec 21, 2009 2:12 am

Also, after I got the log from ComboFix and the computer rebooted, I got a Handle license agreement from Sysinternals... not sure what I'm supposed to do with this or what it is. I think it's Microsoft related but I don't know for sure. I don't want to hit agree if it's not.


Re: Don't even know where to begin on this one

Post by Belahzur on Mon Dec 21, 2009 7:10 pm

Click yes, a license agreement isn't really anything to worry about, just a legal thing.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: Don't even know where to begin on this one

Post by Flapjacks on Tue Dec 22, 2009 12:09 am

Thanks man!!!! The computer is much quicker than before and it let me boot in safe mode also. Still have the two scrnrdr.exe errors during Windows load, and a lot of left over Vista Transformation Pack stuff. He can live with those though.

Bonus: ended up with about an extra gig of space on the hard drive.

Thanks again man, you were a HUGE help!!!!!!!!

