removed antivirus soft demo virus, now locking up


Post by mattk25 on 3rd March 2010, 10:29 pm

I had the Antivirus Soft demo virus a few days ago. I removed it with Malwarebytes, but now my computer is running slow and locking up several times a day.

mattk25
Novice
Posts: 18
Joined: 2010-03-03
OS: Windows XP

Re: removed antivirus soft demo virus, now locking up

Post by mattk25 on 3rd March 2010, 11:22 pm

I ran the MBR rootkit detection, and it looks like the MBR is infected.

Here is the mbr.log file:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x89dc14b8
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> 0x89280330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x012A18AC1
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.


Re: removed antivirus soft demo virus, now locking up

Post by Belahzur on 4th March 2010, 12:46 am

Hello.

Please make sure mbr.exe is located on the Desktop BEFORE doing the following:


Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

cmd

Enter the following into the command prompt, pressing Enter after each line:

Code:
cd desktop

mbr.exe -f

exit

Please post the resulting log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64

Re: removed antivirus soft demo virus, now locking up

Post by mattk25 on 4th March 2010, 2:19 am

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Matt Kenney>cd desktop

C:\Documents and Settings\Matt Kenney\Desktop>mbr.exe -f
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x89bfa668
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHan
dler -> 0x8924e330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x012A18AC1
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !
Use "Recovery Console" command "fixmbr" to clear infection !

C:\Documents and Settings\Matt Kenney\Desktop>

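Added example (not part of the thread, and not Gmer's code): the second mbr.exe run above, with `-f`, reports `user & kernel MBR OK` yet still finds a copy of the MBR at sector 0x012A18AC1 and a PE file a few sectors on. Bootkits of the Mebroot/Sinowal family replace the 446 bytes of bootstrap code in sector 0, keep the partition table so Windows still boots, and stash the original sector elsewhere so they can chain-load it. The Python below shows the comparison such a finding rests on: parse two 512-byte MBR images, check the 0x55AA signature, and flag "same partition table, different bootstrap code". The two images, the `Partition`/`compare_mbr` names and all byte values are constructed for illustration; nothing is read from a disk.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

MBR_SIZE = 512
BOOTCODE_LEN = 446       # bootstrap code: bytes 0..445
PART_TABLE_OFF = 446     # four 16-byte partition entries follow it
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510       # 0x55 0xAA closes a valid MBR


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def has_boot_signature(mbr: bytes) -> bool:
    return len(mbr) == MBR_SIZE and mbr[BOOT_SIG_OFF:] == b"\x55\xaa"


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four primary partition entries of a 512-byte MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, 3 CHS bytes skipped, type, 3 CHS bytes skipped, LBA start, size
        status, type_id, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        parts.append(Partition(status == 0x80, type_id, lba_start, sectors))
    return parts


def compare_mbr(active: bytes, backup: bytes) -> Dict[str, bool]:
    """Compare live sector 0 against a sector that looks like a stashed MBR.

    A bootkit must keep the partition table intact for Windows to boot, so
    'same table, different bootstrap code' is the pattern worth flagging.
    """
    result = {
        "active_signature_ok": has_boot_signature(active),
        "backup_signature_ok": has_boot_signature(backup),
        "bootcode_differs": active[:BOOTCODE_LEN] != backup[:BOOTCODE_LEN],
        "partition_table_differs": parse_partitions(active) != parse_partitions(backup),
    }
    result["suspicious"] = (
        result["active_signature_ok"]
        and result["backup_signature_ok"]
        and result["bootcode_differs"]
        and not result["partition_table_differs"]
    )
    return result


def build_mbr(bootcode: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and up to four partitions."""
    if len(bootcode) > BOOTCODE_LEN or len(partitions) > 4:
        raise ValueError("bootstrap code or partition list too long")
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if p.bootable else 0x00, b"\0\0\0",
                    p.type_id, b"\0\0\0", p.lba_start, p.sectors)
        for p in partitions
    ).ljust(4 * PART_ENTRY_LEN, b"\0")
    return bootcode.ljust(BOOTCODE_LEN, b"\0") + table + b"\x55\xaa"


# Constructed sample: a two-partition layout like the boot.ini in the thread
# (Windows on partition 2). Both images share the table; only the bootstrap
# code differs. The byte values are illustrative, not real boot code.
SAMPLE_PARTS = [
    Partition(False, 0xDE, 63, 160650),          # vendor utility partition
    Partition(True, 0x07, 160713, 312000000),    # NTFS, Windows XP
]
BACKUP_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40, SAMPLE_PARTS)
ACTIVE_MBR = build_mbr(b"\xfa\x31\xc0\x8e\xd8\xe8\x10\x00" + b"\x00" * 40, SAMPLE_PARTS)

if __name__ == "__main__":
    for key, value in compare_mbr(ACTIVE_MBR, BACKUP_MBR).items():
        print(f"{key}: {value}")
```

On a real machine the "active" image would be sector 0 read through the disk device and the "backup" the sector the detector points at; a tool like mbr.exe does this from kernel mode as well as user mode precisely because a running bootkit can filter what user-mode reads of sector 0 return.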

Re: removed antivirus soft demo virus, now locking up

Post by mattk25 on 4th March 2010, 3:39 am

Do I need to run the XP Recovery Console now?


Re: removed antivirus soft demo virus, now locking up

Post by mattk25 on 4th March 2010, 4:24 pm

I tried running the Recovery Console from a Windows XP CD (this is not the CD that was used to install Windows on this computer; I did not get a Windows CD with this computer).
When I hit "R" to go to the Recovery Console it says that no hard drive is connected.
Not sure what would cause this...

Thanks for the help!


Re: removed antivirus soft demo virus, now locking up

Post by Belahzur on 4th March 2010, 9:21 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Re: removed antivirus soft demo virus, now locking up

Post by mattk25 on 4th March 2010, 10:28 pm

ComboFix 10-03-04.02 - Matt Kenney 03/04/2010 17:12:44.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1521 [GMT -5:00]
Running from: c:\documents and settings\Matt Kenney\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
.

2010-03-03 22:10 . 2010-03-03 22:10 -------- d-----w- c:\documents and settings\HelpAssistant\.SunDownloadManager
2010-03-03 21:56 . 2010-03-03 21:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-03 21:53 . 2010-03-03 21:55 -------- d-----w- c:\documents and settings\Matt Kenney\.SunDownloadManager
2010-03-03 13:56 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-03 13:56 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-03 13:56 . 2010-03-03 13:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-03 02:34 . 2010-03-03 02:35 -------- d-----w- c:\documents and settings\Matt Kenney\Local Settings\Application Data\Move Networks
2010-03-03 02:34 . 2010-03-03 02:34 144160 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Move Networks\uninstall.exe
2010-03-03 02:34 . 2010-03-03 02:34 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\Move Networks
2010-02-25 20:07 . 2010-02-25 20:07 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\Malwarebytes
2010-02-25 20:07 . 2010-02-25 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-25 20:07 . 2007-10-23 14:27 110592 ----a-w- c:\documents and settings\Matt Kenney\Application Data\U3\temp\cleanup.exe
2010-02-25 20:06 . 2008-05-02 15:41 3493888 ---ha-w- c:\documents and settings\Matt Kenney\Application Data\U3\temp\Launchpad Removal.exe
2010-02-25 20:06 . 2010-02-25 20:06 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\U3
2010-02-25 16:53 . 2010-02-25 16:53 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-02-25 16:36 . 2010-03-03 22:10 -------- d-----w- c:\documents and settings\HelpAssistant
2010-02-25 15:19 . 2010-02-27 05:46 -------- d-----w- c:\documents and settings\Matt Kenney\Local Settings\Application Data\pdgnyb
2010-02-25 15:19 . 2010-02-27 04:56 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\pdgnyb
2010-02-10 16:53 . 2010-02-10 16:53 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-02-08 16:39 . 2010-02-08 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrium
2010-02-08 16:38 . 2010-02-08 16:38 -------- d-----w- c:\program files\Macrium
2010-02-03 16:41 . 2010-02-03 16:41 -------- d-----w- c:\program files\SHARP
2010-02-03 16:40 . 2007-04-17 09:07 98304 ----a-w- c:\windows\system32\SN0ELMON.dll
2010-02-03 16:40 . 2005-07-14 09:28 49152 ----a-w- c:\windows\system32\SN0EMTNT.dll
2010-02-03 16:40 . 2005-06-11 06:40 100 ----a-w- c:\windows\system32\SN0ELMON.dat
2010-02-03 16:39 . 2006-01-27 06:36 53248 ----a-w- c:\windows\system32\SCN2PMR.dll
2010-02-03 16:39 . 2007-05-31 08:07 397 ----a-w- c:\windows\system32\SCN2PM.DAT
2010-02-03 16:39 . 2007-05-30 10:40 50319 ----a-w- c:\windows\system32\SCN2PMUI.dll
2010-02-03 16:39 . 2007-05-30 10:40 75933 ----a-w- c:\windows\system32\SCN2PM.dll
2010-02-03 16:39 . 2008-04-22 09:35 172128 ------r- c:\windows\_isusr32.dll
2010-02-03 16:39 . 2004-04-12 07:17 45056 ------w- c:\windows\system32\_isusr2k.dll
2010-02-03 16:38 . 2010-02-03 16:40 -------- d-----w- c:\windows\system32\SCDRV

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-04 21:32 . 2007-09-12 18:26 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-03 22:24 . 2007-09-12 18:24 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-03 21:58 . 2009-07-20 16:02 -------- d-----w- c:\program files\Java
2010-03-03 21:56 . 2009-07-20 16:02 -------- d-----w- c:\program files\Common Files\Java
2010-03-03 02:34 . 2009-12-07 01:22 5603776 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Move Networks\plugins\npqmp071705000014.dll
2010-03-02 21:15 . 2008-12-08 15:03 -------- d-----w- c:\program files\Google
2010-03-02 20:51 . 2009-01-30 19:57 -------- d-----w- c:\program files\Common Files\Apple
2010-03-01 22:20 . 2007-09-12 13:54 42953 ----a-w- c:\windows\system32\nvModes.dat
2010-02-27 20:03 . 2009-02-04 16:26 -------- d-----w- c:\program files\Yahoo!
2010-02-27 20:00 . 2009-04-20 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-02-27 19:52 . 2008-12-08 14:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-27 19:46 . 2008-12-08 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-27 16:07 . 2007-09-13 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-26 14:25 . 2008-12-08 14:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-26 13:28 . 2008-12-08 20:27 -------- d-----w- c:\program files\CCleaner
2010-02-16 13:22 . 2010-01-26 16:48 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\vlc
2010-02-03 18:15 . 2008-12-03 20:10 81600 ----a-w- c:\documents and settings\Matt Kenney\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-03 16:38 . 2007-09-12 13:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-31 03:13 . 2010-01-29 17:05 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\Dropbox
2010-01-29 17:05 . 2010-01-29 17:05 89854 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Dropbox\bin\Uninstall.exe
2010-01-28 21:12 . 2010-01-28 21:12 15328 ----a-w- c:\windows\system32\drivers\pssnap.sys
2010-01-28 21:12 . 2010-01-28 21:12 32736 ----a-w- c:\windows\system32\drivers\psmounter.sys
2010-01-18 02:16 . 2009-06-08 03:37 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\Skype
2010-01-18 01:38 . 2009-06-08 03:53 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\skypePM
2010-01-08 22:34 . 2009-06-28 03:40 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\dvdcss
2010-01-05 10:00 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-06-29 13:13 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 00:48 . 2009-12-31 00:48 21968784 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Dropbox\bin\Dropbox.exe
2009-12-16 18:43 . 2007-09-12 12:55 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 01:19 . 2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Dropbox\bin\DropboxExt.13.dll
2009-12-08 19:26 . 2005-03-30 01:21 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2005-03-30 01:01 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-07 01:22 . 2009-12-07 01:22 97216 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13537280]
"nwiz"="nwiz.exe" [2008-06-09 1630208]
"NVHotkey"="nvHotkey.dll" [2008-06-09 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-09 86016]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 405504]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"pdfFactory Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2007-04-20 503808]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-17 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 16855552]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-20 30192]
"snp2std"="c:\windows\vsnp2std.exe" [2006-09-15 675840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Matt Kenney\Start Menu\Programs\Startup\
CTL.bat [2010-2-24 132]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Matt Kenney^Start Menu^Programs^Startup^GoZone iSync.lnk]
path=c:\documents and settings\Matt Kenney\Start Menu\Programs\Startup\GoZone iSync.lnk
backup=c:\windows\pss\GoZone iSync.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SN0EACFM.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Matt Kenney\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [1/28/2010 4:12 PM 15328]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [1/28/2010 4:12 PM 220128]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/2/2010 9:33 PM 102448]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [10/20/2008 8:26 AM 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [10/20/2008 8:26 AM 43608]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/22/2008 9:37 AM 717296]
S3 {164745EA-22E4-4113-8F8649C8AE8EEA0C};{164745EA-22E4-4113-8F8649C8AE8EEA0C};\??\c:\windows\TEMP\EF.tmp --> c:\windows\TEMP\EF.tmp [?]
S3 {27E5CD32-F335-48A2-A9CB4A908CE17CEF};{27E5CD32-F335-48A2-A9CB4A908CE17CEF};c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 5:00 AM 14336]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/8/2008 10:03 AM 30192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/3/2010 8:56 AM 38224]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2010-01-05 10:00 124928 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-03-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-25 20:48]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: donan.com\vision
DPF: {0DA69429-A757-4D6F-A827-DB1AF052DDAF} - [You must be registered and logged in to see this link.]
DPF: {CC49479E-93A8-455E-959A-C49BE895D87C} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
AddRemove-HijackThis - c:\documents and settings\Matt Kenney\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-04 17:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{164745EA-22E4-4113-8F8649C8AE8EEA0C}]
"ImagePath"="\??\c:\windows\TEMP\EF.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{27E5CD32-F335-48A2-A9CB4A908CE17CEF}]
"ServiceDll"="c:\docume~1\MATTKE~1\LOCALS~1\Temp\E3.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-03-04 17:25:30
ComboFix-quarantined-files.txt 2010-03-04 22:25

Pre-Run: 23,557,263,360 bytes free
Post-Run: 23,917,223,936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\windows
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\windows="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4DC645240BD82B2EC6ADBA22D253C4C6


Re: removed antivirus soft demo virus, now locking up

Post by Belahzur on 4th March 2010, 11:26 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\documents and settings\Matt Kenney\Start Menu\Programs\Startup\CTL.bat

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"=-
    "65533:TCP"=-
    "52344:TCP"=-
    "3246:TCP"=-
    "2479:TCP"=-
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{164745EA-22E4-4113-8F8649C8AE8EEA0C}]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{27E5CD32-F335-48A2-A9CB4A908CE17CEF}]

    Driver::
    {164745EA-22E4-4113-8F8649C8AE8EEA0C}
    {27E5CD32-F335-48A2-A9CB4A908CE17CEF}

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride =
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

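Added example (not from the thread and not ComboFix's own code): the ComboFix log posted above and the CFScript Belahzur built from it single out four kinds of entries: services whose ImagePath or ServiceDll point at a .tmp file in a temp directory, firewall exceptions opening high TCP ports with the generic description "Services" (plus 3389, Remote Desktop), a batch file in the user's Startup folder, and an Internet Explorer proxy of 127.0.0.1:5555, which routes all browser traffic through a listener on the box itself. The Python below applies those same checks to lines in ComboFix's log format so the same triage can be repeated on another log. `SAMPLE_LOG` is a constructed, abridged copy of lines from the thread; the `Finding` and `triage` names are the example's own.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    category: str
    evidence: str


# Line shapes ComboFix uses in the sections triaged here.
SERVICE_LINE = re.compile(
    r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)(?:\s+\[[^\]]*\])?$"
)
REG_BINARY = re.compile(r'^"(?:ImagePath|ServiceDll)"="(?P<path>[^"]+)"$', re.IGNORECASE)
OPEN_PORT = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.*)$')
PROXY = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)")
STARTUP_SCRIPT = re.compile(r"^(?P<file>[^\\]+?\.(?:bat|cmd|vbs|js|scr|pif))\s+\[", re.IGNORECASE)
TEMP_LOCATION = re.compile(r"\\temp\\|\.tmp\b", re.IGNORECASE)

GENERIC_PORT_DESCRIPTIONS = {"", "services", "service"}
REMOTE_ACCESS_PORTS = {3389}


def _proxy_host(value: str) -> str:
    """Pull the host out of 'http=127.0.0.1:5555' or '127.0.0.1:5555'."""
    first = value.split(";")[0]
    if "=" in first:
        first = first.split("=", 1)[1]
    return first.rsplit(":", 1)[0].strip("[]").lower()


def triage(log_text: str) -> List[Finding]:
    """Scan ComboFix-format lines and return the entries a helper would act on."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SERVICE_LINE.match(line)
        if m and TEMP_LOCATION.search(m.group("path")):
            findings.append(Finding("temp-service", f'{m.group("name")} -> {m.group("path")}'))
            continue

        m = REG_BINARY.match(line)
        if m and TEMP_LOCATION.search(m.group("path")):
            findings.append(Finding("temp-service", m.group("path")))
            continue

        m = OPEN_PORT.match(line)
        if m:
            port, desc = int(m.group("port")), m.group("desc").strip()
            if desc.lower() in GENERIC_PORT_DESCRIPTIONS or port in REMOTE_ACCESS_PORTS:
                findings.append(Finding("firewall-open-port", f'{port}/{m.group("proto")} "{desc}"'))
            continue

        m = PROXY.search(line)
        if m:
            host = _proxy_host(m.group("value"))
            if host.startswith("127.") or host in ("localhost", "::1"):
                findings.append(Finding("loopback-proxy", m.group("value")))
            continue

        m = STARTUP_SCRIPT.match(line)
        if m:
            findings.append(Finding("startup-script", m.group("file")))
    return findings


# Constructed sample, abridged from the lines in the thread's first ComboFix log.
SAMPLE_LOG = r"""
c:\documents and settings\Matt Kenney\Start Menu\Programs\Startup\
CTL.bat [2010-2-24 132]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services

S3 {164745EA-22E4-4113-8F8649C8AE8EEA0C};{164745EA-22E4-4113-8F8649C8AE8EEA0C};\??\c:\windows\TEMP\EF.tmp --> c:\windows\TEMP\EF.tmp [?]
S3 {27E5CD32-F335-48A2-A9CB4A908CE17CEF};{27E5CD32-F335-48A2-A9CB4A908CE17CEF};c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 5:00 AM 14336]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]

uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{27E5CD32-F335-48A2-A9CB4A908CE17CEF}]
"ServiceDll"="c:\docume~1\MATTKE~1\LOCALS~1\Temp\E3.tmp"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:20} {f.evidence}")
```

Note that the svchost-hosted service only shows up through its ServiceDll value, not through the `S3` line, which is why both the service list and the registry dump at the end of the log have to be read together; the legitimate ActiveSync port (scoped to 169.254.2.0/24 with a real description) and the Symantec service are left alone.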

Re: removed antivirus soft demo virus, now locking up

Post by mattk25 on 5th March 2010, 1:50 am

ComboFix 10-03-04.02 - Matt Kenney 03/04/2010 20:26:34.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1548 [GMT -5:00]
Running from: c:\documents and settings\Matt Kenney\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Matt Kenney\Desktop\CFscript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\documents and settings\Matt Kenney\Start Menu\Programs\Startup\CTL.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Matt Kenney\Start Menu\Programs\Startup\CTL.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{27E5CD32-F335-48A2-A9CB4A908CE17CEF}


((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-03-03 22:10 . 2010-03-03 22:10 -------- d-----w- c:\documents and settings\HelpAssistant\.SunDownloadManager
2010-03-03 21:56 . 2010-03-03 21:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-03 21:53 . 2010-03-03 21:55 -------- d-----w- c:\documents and settings\Matt Kenney\.SunDownloadManager
2010-03-03 13:56 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-03 13:56 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-03 13:56 . 2010-03-03 13:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-03 02:34 . 2010-03-03 02:35 -------- d-----w- c:\documents and settings\Matt Kenney\Local Settings\Application Data\Move Networks
2010-03-03 02:34 . 2010-03-03 02:34 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\Move Networks
2010-02-25 20:07 . 2010-02-25 20:07 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\Malwarebytes
2010-02-25 20:07 . 2010-02-25 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-25 20:06 . 2010-02-25 20:06 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\U3
2010-02-25 16:53 . 2010-02-25 16:53 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-02-25 16:36 . 2010-03-03 22:10 -------- d-----w- c:\documents and settings\HelpAssistant
2010-02-25 15:19 . 2010-02-27 05:46 -------- d-----w- c:\documents and settings\Matt Kenney\Local Settings\Application Data\pdgnyb
2010-02-25 15:19 . 2010-02-27 04:56 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\pdgnyb
2010-02-10 16:53 . 2010-02-10 16:53 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-02-08 16:39 . 2010-02-08 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrium
2010-02-08 16:38 . 2010-02-08 16:38 -------- d-----w- c:\program files\Macrium
2010-02-03 16:41 . 2010-02-03 16:41 -------- d-----w- c:\program files\SHARP
2010-02-03 16:40 . 2007-04-17 09:07 98304 ----a-w- c:\windows\system32\SN0ELMON.dll
2010-02-03 16:40 . 2005-07-14 09:28 49152 ----a-w- c:\windows\system32\SN0EMTNT.dll
2010-02-03 16:40 . 2005-06-11 06:40 100 ----a-w- c:\windows\system32\SN0ELMON.dat
2010-02-03 16:39 . 2006-01-27 06:36 53248 ----a-w- c:\windows\system32\SCN2PMR.dll
2010-02-03 16:39 . 2007-05-31 08:07 397 ----a-w- c:\windows\system32\SCN2PM.DAT
2010-02-03 16:39 . 2007-05-30 10:40 50319 ----a-w- c:\windows\system32\SCN2PMUI.dll
2010-02-03 16:39 . 2007-05-30 10:40 75933 ----a-w- c:\windows\system32\SCN2PM.dll
2010-02-03 16:39 . 2008-04-22 09:35 172128 ------r- c:\windows\_isusr32.dll
2010-02-03 16:39 . 2004-04-12 07:17 45056 ------w- c:\windows\system32\_isusr2k.dll
2010-02-03 16:38 . 2010-02-03 16:40 -------- d-----w- c:\windows\system32\SCDRV

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 01:21 . 2007-09-12 18:26 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-03 22:24 . 2007-09-12 18:24 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-03 21:58 . 2009-07-20 16:02 -------- d-----w- c:\program files\Java
2010-03-03 21:56 . 2009-07-20 16:02 -------- d-----w- c:\program files\Common Files\Java
2010-03-02 21:15 . 2008-12-08 15:03 -------- d-----w- c:\program files\Google
2010-03-02 20:51 . 2009-01-30 19:57 -------- d-----w- c:\program files\Common Files\Apple
2010-03-01 22:20 . 2007-09-12 13:54 42953 ----a-w- c:\windows\system32\nvModes.dat
2010-02-27 20:03 . 2009-02-04 16:26 -------- d-----w- c:\program files\Yahoo!
2010-02-27 20:00 . 2009-04-20 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-02-27 19:52 . 2008-12-08 14:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-27 19:46 . 2008-12-08 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-27 16:07 . 2007-09-13 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-26 14:25 . 2008-12-08 14:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-26 13:28 . 2008-12-08 20:27 -------- d-----w- c:\program files\CCleaner
2010-02-16 13:22 . 2010-01-26 16:48 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\vlc
2010-02-03 18:15 . 2008-12-03 20:10 81600 ----a-w- c:\documents and settings\Matt Kenney\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-03 16:38 . 2007-09-12 13:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-31 03:13 . 2010-01-29 17:05 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\Dropbox
2010-01-28 21:12 . 2010-01-28 21:12 15328 ----a-w- c:\windows\system32\drivers\pssnap.sys
2010-01-28 21:12 . 2010-01-28 21:12 32736 ----a-w- c:\windows\system32\drivers\psmounter.sys
2010-01-18 02:16 . 2009-06-08 03:37 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\Skype
2010-01-18 01:38 . 2009-06-08 03:53 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\skypePM
2010-01-08 22:34 . 2009-06-28 03:40 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\dvdcss
2010-01-05 10:00 . 2006-03-04 03:33 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-06-29 13:13 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2007-09-12 12:55 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2005-03-30 01:21 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2005-03-30 01:01 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13537280]
"nwiz"="nwiz.exe" [2008-06-09 1630208]
"NVHotkey"="nvHotkey.dll" [2008-06-09 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-09 86016]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 405504]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"pdfFactory Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2007-04-20 503808]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-17 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 16855552]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-20 30192]
"snp2std"="c:\windows\vsnp2std.exe" [2006-09-15 675840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Matt Kenney^Start Menu^Programs^Startup^GoZone iSync.lnk]
path=c:\documents and settings\Matt Kenney\Start Menu\Programs\Startup\GoZone iSync.lnk
backup=c:\windows\pss\GoZone iSync.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SN0EACFM.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Matt Kenney\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [1/28/2010 4:12 PM 15328]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/22/2008 9:37 AM 717296]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [1/28/2010 4:12 PM 220128]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/2/2010 9:33 PM 102448]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [10/20/2008 8:26 AM 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [10/20/2008 8:26 AM 43608]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/8/2008 10:03 AM 30192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/3/2010 8:56 AM 38224]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2010-01-05 10:00 124928 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-03-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-25 20:48]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: donan.com\vision
DPF: {0DA69429-A757-4D6F-A827-DB1AF052DDAF} - [You must be registered and logged in to see this link.]
DPF: {CC49479E-93A8-455E-959A-C49BE895D87C} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-04 20:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys sppb.sys >>UNKNOWN [0x8A7D8938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba667cb8
\Driver\atapi -> atapi.sys @ 0xba53eb40
\Driver\iaStor -> iaStor.sys @ 0xba58ad30
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba434bb0
PacketIndicateHandler -> NDIS.sys @ 0xba423a0d
SendHandler -> NDIS.sys @ 0xba437b40
user & kernel MBR OK
copy of MBR has been found in sector 0x012A18AC1
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2492)
c:\windows\system32\WININET.dll
c:\documents and settings\Matt Kenney\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-03-04 20:47:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-05 01:47
ComboFix2.txt 2010-03-04 22:25

Pre-Run: 23,933,747,200 bytes free
Post-Run: 23,767,437,312 bytes free

- - End Of File - - 72DED6752CB6B8E3DF108FF587C7D793


Re: removed antivirus soft demo virus, now locking up

Post by Belahzur on 5th March 2010, 1:51 am


  • Download [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.




Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1

Re: removed antivirus soft demo virus, now locking up

Post by mattk25 on 5th March 2010, 2:02 am

21:01:07:296 2384 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
21:01:07:296 2384 ================================================================================
21:01:07:296 2384 SystemInfo:

21:01:07:296 2384 OS Version: 5.1.2600 ServicePack: 3.0
21:01:07:296 2384 Product type: Workstation
21:01:07:296 2384 ComputerName: DONANLAPTOP0998
21:01:07:296 2384 UserName: Matt Kenney
21:01:07:296 2384 Windows directory: C:\windows
21:01:07:296 2384 Processor architecture: Intel x86
21:01:07:296 2384 Number of processors: 2
21:01:07:296 2384 Page size: 0x1000
21:01:07:312 2384 Boot type: Normal boot
21:01:07:312 2384 ================================================================================
21:01:07:312 2384 UnloadDriverW: NtUnloadDriver error 2
21:01:07:312 2384 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
21:01:07:343 2384 Initialize success
21:01:07:343 2384
21:01:07:343 2384 Scanning Services ...
21:01:07:343 2384 wfopen_ex: Trying to open file C:\windows\system32\config\system
21:01:07:343 2384 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:01:07:343 2384 wfopen_ex: Trying to KLMD file open
21:01:07:343 2384 wfopen_ex: File opened ok (Flags 2)
21:01:07:343 2384 wfopen_ex: Trying to open file C:\windows\system32\config\software
21:01:07:343 2384 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:01:07:343 2384 wfopen_ex: Trying to KLMD file open
21:01:07:343 2384 wfopen_ex: File opened ok (Flags 2)
21:01:07:531 2384 GetAdvancedServicesInfo: Raw services enum returned 387 services
21:01:07:546 2384 fclose_ex: Trying to close file C:\windows\system32\config\system
21:01:07:546 2384 fclose_ex: Trying to close file C:\windows\system32\config\software
21:01:07:546 2384
21:01:07:546 2384 Scanning Kernel memory ...
21:01:07:546 2384 Devices to scan: 4
21:01:07:546 2384
21:01:07:546 2384 Driver Name: Disk
21:01:07:546 2384 IRP_MJ_CREATE : BA90EBB0
21:01:07:546 2384 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
21:01:07:546 2384 IRP_MJ_CLOSE : BA90EBB0
21:01:07:546 2384 IRP_MJ_READ : BA908D1F
21:01:07:546 2384 IRP_MJ_WRITE : BA908D1F
21:01:07:546 2384 IRP_MJ_QUERY_INFORMATION : 804F4562
21:01:07:546 2384 IRP_MJ_SET_INFORMATION : 804F4562
21:01:07:546 2384 IRP_MJ_QUERY_EA : 804F4562
21:01:07:546 2384 IRP_MJ_SET_EA : 804F4562
21:01:07:546 2384 IRP_MJ_FLUSH_BUFFERS : BA9092E2
21:01:07:546 2384 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
21:01:07:546 2384 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
21:01:07:546 2384 IRP_MJ_DIRECTORY_CONTROL : 804F4562
21:01:07:546 2384 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
21:01:07:546 2384 IRP_MJ_DEVICE_CONTROL : BA9093BB
21:01:07:546 2384 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
21:01:07:546 2384 IRP_MJ_SHUTDOWN : BA9092E2
21:01:07:546 2384 IRP_MJ_LOCK_CONTROL : 804F4562
21:01:07:546 2384 IRP_MJ_CLEANUP : 804F4562
21:01:07:546 2384 IRP_MJ_CREATE_MAILSLOT : 804F4562
21:01:07:546 2384 IRP_MJ_QUERY_SECURITY : 804F4562
21:01:07:546 2384 IRP_MJ_SET_SECURITY : 804F4562
21:01:07:546 2384 IRP_MJ_POWER : BA90AC82
21:01:07:546 2384 IRP_MJ_SYSTEM_CONTROL : BA90F99E
21:01:07:546 2384 IRP_MJ_DEVICE_CHANGE : 804F4562
21:01:07:546 2384 IRP_MJ_QUERY_QUOTA : 804F4562
21:01:07:546 2384 IRP_MJ_SET_QUOTA : 804F4562
21:01:07:546 2384 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
21:01:07:546 2384 sion
21:01:07:562 2384 C:\windows\system32\DRIVERS\disk.sys - Verdict: Clean
21:01:07:562 2384
21:01:07:562 2384 Driver Name: Disk
21:01:07:562 2384 IRP_MJ_CREATE : BA90EBB0
21:01:07:562 2384 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
21:01:07:562 2384 IRP_MJ_CLOSE : BA90EBB0
21:01:07:562 2384 IRP_MJ_READ : BA908D1F
21:01:07:562 2384 IRP_MJ_WRITE : BA908D1F
21:01:07:562 2384 IRP_MJ_QUERY_INFORMATION : 804F4562
21:01:07:562 2384 IRP_MJ_SET_INFORMATION : 804F4562
21:01:07:562 2384 IRP_MJ_QUERY_EA : 804F4562
21:01:07:562 2384 IRP_MJ_SET_EA : 804F4562
21:01:07:562 2384 IRP_MJ_FLUSH_BUFFERS : BA9092E2
21:01:07:562 2384 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
21:01:07:562 2384 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
21:01:07:562 2384 IRP_MJ_DIRECTORY_CONTROL : 804F4562
21:01:07:562 2384 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
21:01:07:562 2384 IRP_MJ_DEVICE_CONTROL : BA9093BB
21:01:07:562 2384 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
21:01:07:562 2384 IRP_MJ_SHUTDOWN : BA9092E2
21:01:07:562 2384 IRP_MJ_LOCK_CONTROL : 804F4562
21:01:07:562 2384 IRP_MJ_CLEANUP : 804F4562
21:01:07:562 2384 IRP_MJ_CREATE_MAILSLOT : 804F4562
21:01:07:562 2384 IRP_MJ_QUERY_SECURITY : 804F4562
21:01:07:562 2384 IRP_MJ_SET_SECURITY : 804F4562
21:01:07:562 2384 IRP_MJ_POWER : BA90AC82
21:01:07:562 2384 IRP_MJ_SYSTEM_CONTROL : BA90F99E
21:01:07:562 2384 IRP_MJ_DEVICE_CHANGE : 804F4562
21:01:07:562 2384 IRP_MJ_QUERY_QUOTA : 804F4562
21:01:07:562 2384 IRP_MJ_SET_QUOTA : 804F4562
21:01:07:562 2384 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
21:01:07:562 2384 sion
21:01:07:562 2384 C:\windows\system32\DRIVERS\disk.sys - Verdict: Clean
21:01:07:562 2384
21:01:07:562 2384 Driver Name: Disk
21:01:07:562 2384 IRP_MJ_CREATE : BA90EBB0
21:01:07:562 2384 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
21:01:07:562 2384 IRP_MJ_CLOSE : BA90EBB0
21:01:07:562 2384 IRP_MJ_READ : BA908D1F
21:01:07:562 2384 IRP_MJ_WRITE : BA908D1F
21:01:07:562 2384 IRP_MJ_QUERY_INFORMATION : 804F4562
21:01:07:562 2384 IRP_MJ_SET_INFORMATION : 804F4562
21:01:07:562 2384 IRP_MJ_QUERY_EA : 804F4562
21:01:07:562 2384 IRP_MJ_SET_EA : 804F4562
21:01:07:562 2384 IRP_MJ_FLUSH_BUFFERS : BA9092E2
21:01:07:562 2384 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
21:01:07:562 2384 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
21:01:07:562 2384 IRP_MJ_DIRECTORY_CONTROL : 804F4562
21:01:07:562 2384 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
21:01:07:562 2384 IRP_MJ_DEVICE_CONTROL : BA9093BB
21:01:07:562 2384 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
21:01:07:562 2384 IRP_MJ_SHUTDOWN : BA9092E2
21:01:07:562 2384 IRP_MJ_LOCK_CONTROL : 804F4562
21:01:07:562 2384 IRP_MJ_CLEANUP : 804F4562
21:01:07:562 2384 IRP_MJ_CREATE_MAILSLOT : 804F4562
21:01:07:562 2384 IRP_MJ_QUERY_SECURITY : 804F4562
21:01:07:562 2384 IRP_MJ_SET_SECURITY : 804F4562
21:01:07:562 2384 IRP_MJ_POWER : BA90AC82
21:01:07:562 2384 IRP_MJ_SYSTEM_CONTROL : BA90F99E
21:01:07:562 2384 IRP_MJ_DEVICE_CHANGE : 804F4562
21:01:07:562 2384 IRP_MJ_QUERY_QUOTA : 804F4562
21:01:07:562 2384 IRP_MJ_SET_QUOTA : 804F4562
21:01:07:562 2384 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
21:01:07:562 2384 sion
21:01:07:562 2384 C:\windows\system32\DRIVERS\disk.sys - Verdict: Clean
21:01:07:562 2384
21:01:07:562 2384 Driver Name: iastor
21:01:07:562 2384 IRP_MJ_CREATE : BA58AD30
21:01:07:562 2384 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
21:01:07:562 2384 IRP_MJ_CLOSE : BA58AD30
21:01:07:562 2384 IRP_MJ_READ : 804F4562
21:01:07:562 2384 IRP_MJ_WRITE : 804F4562
21:01:07:562 2384 IRP_MJ_QUERY_INFORMATION : 804F4562
21:01:07:562 2384 IRP_MJ_SET_INFORMATION : 804F4562
21:01:07:562 2384 IRP_MJ_QUERY_EA : 804F4562
21:01:07:562 2384 IRP_MJ_SET_EA : 804F4562
21:01:07:562 2384 IRP_MJ_FLUSH_BUFFERS : 804F4562
21:01:07:562 2384 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
21:01:07:562 2384 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
21:01:07:562 2384 IRP_MJ_DIRECTORY_CONTROL : 804F4562
21:01:07:562 2384 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
21:01:07:562 2384 IRP_MJ_DEVICE_CONTROL : BA58AD30
21:01:07:562 2384 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA58AD30
21:01:07:562 2384 IRP_MJ_SHUTDOWN : 804F4562
21:01:07:562 2384 IRP_MJ_LOCK_CONTROL : 804F4562
21:01:07:562 2384 IRP_MJ_CLEANUP : 804F4562
21:01:07:562 2384 IRP_MJ_CREATE_MAILSLOT : 804F4562
21:01:07:562 2384 IRP_MJ_QUERY_SECURITY : 804F4562
21:01:07:562 2384 IRP_MJ_SET_SECURITY : 804F4562
21:01:07:562 2384 IRP_MJ_POWER : BA58AD30
21:01:07:562 2384 IRP_MJ_SYSTEM_CONTROL : BA58AD30
21:01:07:562 2384 IRP_MJ_DEVICE_CHANGE : 804F4562
21:01:07:562 2384 IRP_MJ_QUERY_QUOTA : 804F4562
21:01:07:562 2384 IRP_MJ_SET_QUOTA : 804F4562
21:01:07:562 2384 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
21:01:07:562 2384 sion
21:01:07:593 2384 C:\windows\system32\DRIVERS\iaStor.sys - Verdict: Clean
21:01:07:593 2384
21:01:07:593 2384 Completed
21:01:07:593 2384
21:01:07:593 2384 Results:
21:01:07:593 2384 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
21:01:07:593 2384 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
21:01:07:593 2384 File objects infected / cured / cured on reboot: 0 / 0 / 0
21:01:07:593 2384
21:01:07:593 2384 KLMD(ARK) unloaded successfully


Re: removed antivirus soft demo virus, now locking up

Post by mattk25 on 5th March 2010, 1:24 pm

anything else to do??


Re: removed antivirus soft demo virus, now locking up

Post by Belahzur on 5th March 2010, 7:57 pm

Hello.

Please create a folder on your Desktop called SWReg.

  1. Download SWReg.exe from [You must be registered and logged in to see this link.].
  2. Save SWReg.exe inside the SWReg folder you just created.

    Do not run SWReg.exe just yet.

    Now open a new Notepad file, and input this into the Notepad file:

    @echo off
    swreg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s >>log.txt
    swreg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /s >>log.txt
    start notepad log.txt

  3. Save this as SWReg.bat, save it inside the SWReg folder as well.
  4. Make sure both SWReg.exe and SWReg.bat are located next to each other for this to work.
  5. Now, double click on SWReg.bat to run the script.
  6. Once done, a Notepad log file will open, copy and paste that log back here.


Next,

Now open a new Notepad file, and input this into the Notepad file:

@echo off
net user HelpAssistant>"%userprofile%\desktop\log.txt"
start notepad "%userprofile%\desktop\log.txt"
exit

Save this as fix.bat, save it to your desktop.
Double click fix.bat and the black cmd window will open and close, this is normal.



Copy and paste the 2 logs back here.





Re: removed antivirus soft demo virus, now locking up

Post by mattk25 on 5th March 2010, 11:06 pm

here is the log file from running SWReg.bat:

SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist
ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\Documents and Settings
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-18
Flags REG_DWORD 12 (0xc)
State REG_DWORD 0 (0x0)
RefCount REG_DWORD 1 (0x1)
Sid REG_BINARY 010100000000000512000000
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService
Sid REG_BINARY 010100000000000513000000
Flags REG_DWORD 9 (0x9)
State REG_DWORD 0 (0x0)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD -1389604006 (0xad2c535a)
ProfileLoadTimeHigh REG_DWORD 30063760 (0x1cabc90)
RefCount REG_DWORD 3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService
Sid REG_BINARY 010100000000000514000000
Flags REG_DWORD 9 (0x9)
State REG_DWORD 0 (0x0)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD -1406166506 (0xac2f9a16)
ProfileLoadTimeHigh REG_DWORD 30063760 (0x1cabc90)
RefCount REG_DWORD 2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1123561945-1801674531-839522115-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant
Sid REG_BINARY 010500000000000515000000d931f842235f636b43170a32e8030000
Flags REG_DWORD 1 (0x1)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 1347950310 (0x505816e6)
ProfileLoadTimeHigh REG_DWORD 30063390 (0x1cabb1e)
RefCount REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1123561945-1801674531-839522115-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Mike
Sid REG_BINARY 010500000000000515000000d931f842235f636b43170a32eb030000
Flags REG_DWORD 0 (0x0)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 1430806814 (0x5548611e)
ProfileLoadTimeHigh REG_DWORD 29971841 (0x1c95581)
RefCount REG_DWORD 0 (0x0)
RunLogonScriptSync REG_DWORD 0 (0x0)
OptimizedLogonStatus REG_DWORD 11 (0xb)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1123561945-1801674531-839522115-1005
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Matt Kenney
Sid REG_BINARY 010500000000000515000000d931f842235f636b43170a32ed030000
Flags REG_DWORD 0 (0x0)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD -1360072756 (0xaeeeefcc)
ProfileLoadTimeHigh REG_DWORD 30063760 (0x1cabc90)
RefCount REG_DWORD 2 (0x2)
RunLogonScriptSync REG_DWORD 0 (0x0)
OptimizedLogonStatus REG_DWORD 11 (0xb)

SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll
Certificate REG_BINARY 01000000010000000100000006005c005253413148000000000200003f00000001000100d571736cf0b9eb0454bf0241f8fc2409802e44773c6c7b19ef481af539982619d216e218315a6209b51db4f5be36a5dc0f2d1bc4fb850efd0a643af619c7dde6000000000000000008004800ba190a1a17431b2065169480d649d96620a8acdeb3a72884f8bb1ee81af7904129245ba985374f24f38b8d085704366f67fa730ed0cb9ddac606044a5ae415530000000000000000


Re: removed antivirus soft demo virus, now locking up

Post by mattk25 on 5th March 2010, 11:08 pm

here is the log file from running fix.bat:

User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 3/3/2010 5:10 PM
Password expires Never
Password changeable 3/3/2010 5:10 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/3/2010 5:10 PM

Logon hours allowed All

Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.


Re: removed antivirus soft demo virus, now locking up

Post by Belahzur on 5th March 2010, 11:17 pm

Okay, now run this one.

Now open a new Notepad file, and input this into the Notepad file:

@echo off
net user HelpAssistant /active:no
net localgroup Administrators HelpAssistant /delete
net user HelpAssistant>"%userprofile%\desktop\log.txt"
start notepad "%userprofile%\desktop\log.txt"
exit

Save this as fix.bat, save it to your desktop.
Double click fix.bat and the black cmd window will open and close, this is normal.
Please post the resulting log.





Re: removed antivirus soft demo virus, now locking up

Post by mattk25 on 5th March 2010, 11:22 pm

User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 3/3/2010 5:10 PM
Password expires Never
Password changeable 3/3/2010 5:10 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/3/2010 5:10 PM

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.

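The two `net user HelpAssistant` logs above, together with the SWReg ProfileList dump, are what showed the Remote Assistance account had been turned into an active local administrator. The script below is an added example, not code from this thread or from any of the tools used in it: it parses that output and reports the indicators a responder would check (account enabled, member of Administrators, a recorded logon, a profile directory under ProfileList). The baseline it assumes for HelpAssistant is the one the fix restores, disabled and not an administrator; the sample text is quoted from the posts above, with the forum's collapsed column spacing, so the parser matches on field labels rather than fixed-width columns.

```python
"""Spot a repurposed Remote Assistance account from `net user` and ProfileList output."""
import re

# Output of `net user HelpAssistant` quoted from the thread above (the forum collapsed
# the column padding, so the parser must not rely on fixed-width columns).
NET_USER_BEFORE = """\
User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 3/3/2010 5:10 PM
Password expires Never
User may change password Yes

Workstations allowed All
Logon script
User profile
Last logon 3/3/2010 5:10 PM

Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.
"""

# The same account after `net user HelpAssistant /active:no` and the group removal.
NET_USER_AFTER = (NET_USER_BEFORE
                  .replace("Account active Yes", "Account active No")
                  .replace("Local Group Memberships *Administrators",
                           "Local Group Memberships"))

# Excerpt of the SWReg ProfileList dump from the thread (two of the subkeys).
SWREG_PROFILELIST = r"""
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist
ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\Documents and Settings

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1123561945-1801674531-839522115-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant
Flags REG_DWORD 1 (0x1)
State REG_DWORD 256 (0x100)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1123561945-1801674531-839522115-1005
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Matt Kenney
"""

PROFILE_KEY = re.compile(r"profilelist\\(S-1-5-[\d-]+)$", re.IGNORECASE)
IMAGE_PATH = re.compile(r"^ProfileImagePath\s+REG_EXPAND_SZ\s+(.+)$")


def _groups(fragment):
    """Turn '*Administrators *Users' into ['Administrators', 'Users']."""
    return [g.strip() for g in fragment.split("*") if g.strip()]


def parse_net_user(text):
    """Extract the fields that matter from `net user <name>` output."""
    info = {"local_groups": []}
    in_local_groups = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Local Group Memberships"):
            in_local_groups = True
            info["local_groups"] += _groups(line[len("Local Group Memberships"):])
            continue
        if in_local_groups and line.startswith("*"):
            # net user wraps extra groups onto indented continuation lines
            info["local_groups"] += _groups(line)
            continue
        in_local_groups = False
        for label in ("User name", "Account active", "Last logon"):
            if line.startswith(label):
                info[label] = line[len(label):].strip()
                break
    return info


def parse_profile_list(text):
    """Map each SID subkey under ProfileList to its ProfileImagePath."""
    profiles, sid = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = PROFILE_KEY.search(line)
        if key:
            sid = key.group(1)
            continue
        path = IMAGE_PATH.match(line)
        if path and sid:
            profiles[sid] = path.group(1).strip()
    return profiles


def assess(net_user_text, profile_text=""):
    """Return findings; assumed baseline for HelpAssistant: disabled, not an administrator."""
    info = parse_net_user(net_user_text)
    findings = []
    if info.get("Account active", "").lower() == "yes":
        findings.append("HIGH: account is enabled")
    if "Administrators" in info["local_groups"]:
        findings.append("HIGH: member of local Administrators")
    if info.get("Last logon", "Never") != "Never":
        findings.append("INFO: last logon " + info["Last logon"])
    name = info.get("User name", "").lower()
    for sid, path in parse_profile_list(profile_text).items():
        if name and path.lower().endswith("\\" + name):
            findings.append(f"INFO: profile {path} under {sid}")
    return findings


if __name__ == "__main__":
    for label, text in (("before fix", NET_USER_BEFORE), ("after fix", NET_USER_AFTER)):
        print(label, assess(text, SWREG_PROFILELIST))
```

Run against the first log it reports the two HIGH findings that drove the fix; run against the second it reports only the informational items (the last logon timestamp and the on-disk profile), which is why the thread goes on to remove the profile folder and its ProfileList key as the final step.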

Re: removed antivirus soft demo virus, now locking up

Post by Belahzur on 5th March 2010, 11:23 pm

Hello.
Nearly done now, we've beaten this, we just have to delete these 2 things, then a final check and make sure we haven't missed anything.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.]

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Folders to delete:
C:\Documents and Settings\HelpAssistant

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1123561945-1801674531-839522115-1000

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.





Re: removed antivirus soft demo virus, now locking up

Post by mattk25 on 5th March 2010, 11:34 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "C:\Documents and Settings\HelpAssistant" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1123561945-1801674531-839522115-1000" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: removed antivirus soft demo virus, now locking up

Post by Belahzur on 5th March 2010, 11:36 pm

Okay, re-run Combofix now and we can make sure it's dead and buried.




Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
Likes : 1


Re: removed antivirus soft demo virus, now locking up

Post by mattk25 on 6th March 2010, 12:12 am

ComboFix 10-03-04.02 - Matt Kenney 03/05/2010 18:45:06.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1461 [GMT -5:00]
Running from: c:\documents and settings\Matt Kenney\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-03-05 14:01 . 2010-03-05 14:02 -------- d-----w- C:\a81dadb5bcbf210cfd
2010-03-03 21:56 . 2010-03-03 21:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-03 21:53 . 2010-03-03 21:55 -------- d-----w- c:\documents and settings\Matt Kenney\.SunDownloadManager
2010-03-03 13:56 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-03 13:56 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-03 13:56 . 2010-03-03 13:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-03 02:34 . 2010-03-03 02:35 -------- d-----w- c:\documents and settings\Matt Kenney\Local Settings\Application Data\Move Networks
2010-03-03 02:34 . 2010-03-03 02:34 144160 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Move Networks\uninstall.exe
2010-03-03 02:34 . 2010-03-03 02:34 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\Move Networks
2010-02-25 20:07 . 2010-02-25 20:07 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\Malwarebytes
2010-02-25 20:07 . 2010-02-25 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-25 20:07 . 2007-10-23 14:27 110592 ----a-w- c:\documents and settings\Matt Kenney\Application Data\U3\temp\cleanup.exe
2010-02-25 20:06 . 2008-05-02 15:41 3493888 ---ha-w- c:\documents and settings\Matt Kenney\Application Data\U3\temp\Launchpad Removal.exe
2010-02-25 20:06 . 2010-02-25 20:06 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\U3
2010-02-25 15:19 . 2010-02-27 05:46 -------- d-----w- c:\documents and settings\Matt Kenney\Local Settings\Application Data\pdgnyb
2010-02-25 15:19 . 2010-02-27 04:56 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\pdgnyb
2010-02-10 16:53 . 2010-02-10 16:53 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-02-08 16:39 . 2010-02-08 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrium
2010-02-08 16:38 . 2010-02-08 16:38 -------- d-----w- c:\program files\Macrium

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 23:39 . 2007-09-12 18:26 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-05 14:12 . 2008-12-03 20:10 81600 ----a-w- c:\documents and settings\Matt Kenney\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-05 14:03 . 2009-11-25 21:15 176056 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-03 22:24 . 2007-09-12 18:24 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-03 21:58 . 2009-07-20 16:02 -------- d-----w- c:\program files\Java
2010-03-03 21:56 . 2009-07-20 16:02 -------- d-----w- c:\program files\Common Files\Java
2010-03-03 02:34 . 2009-12-07 01:22 5603776 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Move Networks\plugins\npqmp071705000014.dll
2010-03-02 21:15 . 2008-12-08 15:03 -------- d-----w- c:\program files\Google
2010-03-02 20:51 . 2009-01-30 19:57 -------- d-----w- c:\program files\Common Files\Apple
2010-03-01 22:20 . 2007-09-12 13:54 42953 ----a-w- c:\windows\system32\nvModes.dat
2010-02-27 20:03 . 2009-02-04 16:26 -------- d-----w- c:\program files\Yahoo!
2010-02-27 20:00 . 2009-04-20 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-02-27 19:52 . 2008-12-08 14:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-27 19:46 . 2008-12-08 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-27 16:07 . 2007-09-13 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-26 14:25 . 2008-12-08 14:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-26 13:28 . 2008-12-08 20:27 -------- d-----w- c:\program files\CCleaner
2010-02-16 13:22 . 2010-01-26 16:48 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\vlc
2010-02-03 16:41 . 2010-02-03 16:41 -------- d-----w- c:\program files\SHARP
2010-02-03 16:38 . 2007-09-12 13:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-31 03:13 . 2010-01-29 17:05 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\Dropbox
2010-01-29 17:05 . 2010-01-29 17:05 89854 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Dropbox\bin\Uninstall.exe
2010-01-28 21:12 . 2010-01-28 21:12 15328 ----a-w- c:\windows\system32\drivers\pssnap.sys
2010-01-28 21:12 . 2010-01-28 21:12 32736 ----a-w- c:\windows\system32\drivers\psmounter.sys
2010-01-18 02:16 . 2009-06-08 03:37 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\Skype
2010-01-18 01:38 . 2009-06-08 03:53 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\skypePM
2010-01-08 22:34 . 2009-06-28 03:40 -------- d-----w- c:\documents and settings\Matt Kenney\Application Data\dvdcss
2010-01-05 10:00 . 2006-03-04 03:33 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-06-29 13:13 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 00:48 . 2009-12-31 00:48 21968784 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Dropbox\bin\Dropbox.exe
2009-12-16 18:43 . 2007-09-12 12:55 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 01:19 . 2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Dropbox\bin\DropboxExt.13.dll
2009-12-08 19:26 . 2005-03-30 01:21 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2005-03-30 01:01 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-07 01:22 . 2009-12-07 01:22 97216 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-05 23:43 . 2010-03-05 23:43 16384 c:\windows\Temp\Perflib_Perfdata_254.dat
+ 2004-08-04 10:00 . 2010-03-05 23:48 65510 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2010-03-04 21:41 65510 c:\windows\system32\perfc009.dat
+ 2010-03-05 14:00 . 2010-03-05 14:00 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2009-10-14 12:41 . 2009-10-14 12:41 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2004-08-04 10:00 . 2010-03-05 23:48 423732 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2010-03-04 21:41 423732 c:\windows\system32\perfh009.dat
- 2007-09-12 08:49 . 2010-02-03 18:14 328296 c:\windows\system32\FNTCACHE.DAT
+ 2007-09-12 08:49 . 2010-03-05 18:21 328296 c:\windows\system32\FNTCACHE.DAT
- 2009-08-14 12:28 . 2009-08-14 12:28 652800 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vs_setup.msi
+ 2010-03-05 14:03 . 2010-03-05 14:03 652800 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vs_setup.msi
+ 2010-03-05 14:00 . 2010-03-05 14:00 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2009-10-14 12:41 . 2009-10-14 12:41 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2009-10-14 12:41 . 2009-10-14 12:41 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2009-10-14 12:41 . 2009-10-14 12:41 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2007-09-12 17:05 . 2008-07-06 21:36 2936832 c:\windows\system32\spool\XPSEP\amd64\xpssvcs.dll
+ 2007-09-12 17:05 . 2008-07-06 22:36 2936832 c:\windows\system32\spool\XPSEP\amd64\xpssvcs.dll
+ 2007-09-12 17:05 . 2008-07-06 22:36 2936832 c:\windows\system32\spool\XPSEP\amd64\amd64\xpssvcs.dll
- 2007-09-12 17:05 . 2008-07-06 21:36 2936832 c:\windows\system32\spool\XPSEP\amd64\amd64\xpssvcs.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2009-10-14 12:41 . 2009-10-14 12:42 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2009-10-14 12:41 . 2009-10-14 12:41 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2009-10-14 12:42 . 2009-10-14 12:42 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2010-03-05 14:00 . 2010-03-05 14:00 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Matt Kenney\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13537280]
"nwiz"="nwiz.exe" [2008-06-09 1630208]
"NVHotkey"="nvHotkey.dll" [2008-06-09 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-09 86016]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 405504]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"pdfFactory Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2007-04-20 503808]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-17 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 16855552]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-20 30192]
"snp2std"="c:\windows\vsnp2std.exe" [2006-09-15 675840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Matt Kenney^Start Menu^Programs^Startup^GoZone iSync.lnk]
path=c:\documents and settings\Matt Kenney\Start Menu\Programs\Startup\GoZone iSync.lnk
backup=c:\windows\pss\GoZone iSync.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SN0EACFM.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Matt Kenney\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [1/28/2010 4:12 PM 15328]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [1/28/2010 4:12 PM 220128]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/2/2010 9:33 PM 102448]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [10/20/2008 8:26 AM 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [10/20/2008 8:26 AM 43608]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/22/2008 9:37 AM 717296]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/8/2008 10:03 AM 30192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/3/2010 8:56 AM 38224]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2010-01-05 10:00 124928 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-03-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-25 20:48]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: donan.com\vision
DPF: {0DA69429-A757-4D6F-A827-DB1AF052DDAF} - [You must be registered and logged in to see this link.]
DPF: {CC49479E-93A8-455E-959A-C49BE895D87C} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-05 18:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
Completion time: 2010-03-05 18:59:58
ComboFix-quarantined-files.txt 2010-03-05 23:59
ComboFix2.txt 2010-03-04 22:25

Pre-Run: 21,680,652,288 bytes free
Post-Run: 22,987,341,824 bytes free

- - End Of File - - B7FFED3632E935BC5F3EB346F318B185

mattk25
Novice

Posts : 18
Joined : 2010-03-03
OS : windows xp
Points : 24978
Likes : 0

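The ComboFix log above lists every file and folder created in the last month, and the helper reads it by eye for names that look generated (the `pdgnyb` folder, the `C:\a81dadb5bcbf210cfd` directory) and for executables dropped under the user profile. As an added example, not code from this thread or from ComboFix, here is a small Python triage script that parses lines in the "Files Created" layout and flags those two patterns. The sample lines are constructed in that layout (with a placeholder user name), and the two heuristics are assumptions of this example, not rules ComboFix itself applies.

```python
import re

# Constructed sample lines in the layout of a ComboFix "Files Created" section
# (created . modified size attributes path). They are not lines from the thread.
SAMPLE_LOG = """\
2010-03-05 14:01 . 2010-03-05 14:02 -------- d-----w- C:\\a81dadb5bcbf210cfd
2010-03-03 21:56 . 2010-03-03 21:55 411368 ----a-w- c:\\windows\\system32\\deploytk.dll
2010-03-03 13:56 . 2010-03-03 13:56 -------- d-----w- c:\\program files\\Malwarebytes' Anti-Malware
2010-02-25 20:07 . 2007-10-23 14:27 110592 ----a-w- c:\\documents and settings\\User\\Application Data\\U3\\temp\\cleanup.exe
2010-02-25 15:19 . 2010-02-27 05:46 -------- d-----w- c:\\documents and settings\\User\\Local Settings\\Application Data\\pdgnyb
2010-02-08 16:38 . 2010-02-08 16:38 -------- d-----w- c:\\program files\\Macrium
"""

# One log line: created-stamp " . " modified-stamp size attrs path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)

EXEC_EXTS = {"exe", "dll", "sys", "scr", "com", "pif"}
# Locations where a freshly written executable deserves a second look (assumption).
PROFILE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def parse_entries(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        # Directories carry "--------" in the size column.
        d["size"] = None if d["size"].startswith("-") else int(d["size"])
        d["is_dir"] = d["attrs"].startswith("d")
        entries.append(d)
    return entries


def basename(path):
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def looks_random(name):
    """Heuristic (an assumption of this example): long hex blobs and short
    all-lowercase names with no vowels are typical of generated names."""
    stem = name.rpartition(".")[0] if "." in name else name
    if re.fullmatch(r"[0-9a-fA-F]{12,}", stem):
        return "hex-like name"
    if re.fullmatch(r"[a-z]{5,12}", stem) and not re.search(r"[aeiou]", stem):
        return "vowel-less name"
    return None


def triage(text):
    """Return (path, reason) pairs that merit manual review, in log order."""
    findings = []
    for e in parse_entries(text):
        name = basename(e["path"])
        reason = looks_random(name)
        if reason:
            findings.append((e["path"], reason))
            continue
        ext = name.rpartition(".")[2].lower() if "." in name else ""
        lower = e["path"].lower()
        if not e["is_dir"] and ext in EXEC_EXTS and any(m in lower for m in PROFILE_MARKERS):
            findings.append((e["path"], "executable in user profile data directory"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason:45s} {path}")
```

Run it against a real ComboFix log by feeding the "Files Created" block to `triage()`; the hits are review candidates, not verdicts, so check each against the tool that legitimately wrote it before treating it as malicious.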

Re: removed antivirus soft demo virus, now locking up

Post by Belahzur on 6th March 2010, 12:18 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


Re: removed antivirus soft demo virus, now locking up

Post by mattk25 on 6th March 2010, 5:12 am

After the scan, when I hit Remove Selected, it asked me to reboot and I hit Yes. During reboot I think it got to the Windows screen, then rebooted again and went to the black screen that says Windows did not start normally last time and gives you the option to start Windows in Safe Mode. I selected to start Windows normally. When Windows started, the first thing that popped up was a window that said "select program to open file with". I hit Cancel and then Windows started.
I don't know if any of this is usual or expected....

Here is the log file from the Malwarebytes quick scan:

Malwarebytes' Anti-Malware 1.44
Database version: 3828
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

3/5/2010 11:59:39 PM
mbam-log-2010-03-05 (23-59-39).txt

Scan type: Quick Scan
Objects scanned: 123666
Time elapsed: 6 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Matt Kenney\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Re: removed antivirus soft demo virus, now locking up

Post by Belahzur on 6th March 2010, 3:48 pm

Hello.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


Re: removed antivirus soft demo virus, now locking up

Post by mattk25 on 6th March 2010, 6:13 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=7.00.6000.16981 (vista_gdr.091215-2244)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=dff18b2b47ab7243be7e6002441e77fb
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-06 05:52:37
# local_time=2010-03-06 12:52:37 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=146809
# found=3
# cleaned=3
# scan_time=6241
C:\Avenger\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\5VE9OU26\oHceed913bV0100f070006Ra14ff540102T856b05db201l0409K20ebe8e2317[1].pdf JS/Exploit.Pdfka.NTY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Avenger\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\E7HB6M9Z\KAV3[1].htm JS/Exploit.Agent.NBA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Avenger\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\P0D5YYXM\kav3[1].htm JS/Exploit.Agent.NBA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

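Added example, not from the thread or from ESET: a small Python parser for the ESET Online Scanner log format posted above that reconciles the `# found` / `# cleaned` header counts against the detection lines, so an unfinished scan or an uncleaned hit is not overlooked, and lists which hits sat in the Internet Explorer cache (the drive-by residue seen here). The sample log is constructed in the same layout; the cache folder names, the third detection and the hashes are invented placeholders.

```python
import re

# Constructed sample in the ESET Online Scanner log layout from the thread:
# cache folder names, the third detection and the hashes are invented placeholders.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=true
# scanned=146809
# found=3
# cleaned=2
C:\Avenger\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\AAAA0000\drop[1].pdf JS/Exploit.Pdfka.NTY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Avenger\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\BBBB1111\kav3[1].htm JS/Exploit.Agent.NBA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\user\Desktop\placeholder.exe Win32/Placeholder.Example trojan (unable to clean) 00000000000000000000000000000000 C
"""
# Detection line: <path> <threat> <type> (<action>) <md5> <flag>; paths may contain spaces.
HIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<threat>\S+ \w+) \((?P<action>[^)]+)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$")

def parse_eset_log(text):
    """Return ({header key: value}, [detection dicts]) for one ESET log."""
    header, hits = {}, []
    for line in text.splitlines():
        if line.startswith("# ") and "=" in line:
            key, value = line[2:].split("=", 1)
            header[key] = value                 # a repeated key keeps its last value
        else:
            m = HIT_RE.match(line)
            if m:
                hits.append(m.groupdict())
    return header, hits

def reconcile(header, hits):
    """Return (problems, browser_cache_hits): the checks a responder wants before
    calling the scan done, plus the hits that sat in the IE cache (drive-by residue)."""
    found, cleaned = int(header.get("found", 0)), int(header.get("cleaned", 0))
    problems = []
    if header.get("end") != "finished":
        problems.append("scan did not finish")
    if found != len(hits):
        problems.append(f"found={found} but {len(hits)} detection lines")
    not_cleaned = [h["path"] for h in hits if not h["action"].startswith("cleaned")]
    if cleaned != found or not_cleaned:
        problems.append(f"{len(not_cleaned)} detection(s) not cleaned")
    browser_cache = [h for h in hits if "temporary internet files" in h["path"].lower()]
    return problems, browser_cache
```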

Re: removed antivirus soft demo virus, now locking up

Post by Belahzur on 6th March 2010, 8:40 pm

Heh, we won, it's over.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?


Re: removed antivirus soft demo virus, now locking up

Post by mattk25 on 8th March 2010, 1:40 am

My computer seems to be back to normal.

I just ran a full scan in Malwarebytes and it came up with 2 infected files. Is this anything to worry about, or did it take care of them?

Here is the log file:

Malwarebytes' Anti-Malware 1.44
Database version: 3830
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

3/7/2010 1:04:22 AM
mbam-log-2010-03-07 (01-04-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 241159
Time elapsed: 1 hour(s), 55 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{3FAB122E-C061-4E9C-B2E1-422E57D22021}\RP4\A0000693.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3FAB122E-C061-4E9C-B2E1-422E57D22021}\RP4\A0000700.exe (Trojan.Banker) -> Quarantined and deleted successfully.

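Added example, not from the thread or from Malwarebytes: a small Python triage of the MBAM 1.44 log format posted in this thread (the quick scan and the full scan above), which parses the "Files Infected:" section and tags each hit as an inert restore-point copy, a file borrowing a Windows system-process name outside the system directories (the winlogon.scr case), or an active hit. The sample log is constructed from the thread's entries with an invented user name, and the list of system-process names is an assumption.

```python
import re

# Constructed sample in the MBAM 1.44 text-log layout: the restore-point GUID
# and detection names are the thread's, the user name "user" is invented.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Files Infected: 3

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{3FAB122E-C061-4E9C-B2E1-422E57D22021}\RP4\A0000693.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3FAB122E-C061-4E9C-B2E1-422E57D22021}\RP4\A0000700.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""
# One hit line: <path> (<detection>) -> <action>.
HIT_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# XP restore-point store: \System Volume Information\_restore{GUID}\RPn\
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.I)
# Core Windows process names malware likes to borrow (assumed list).
SYSTEM_NAMES = {"winlogon", "csrss", "lsass", "svchost", "services", "smss"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

def parse_files_infected(log_text):
    """Return (path, detection, action) for each line under 'Files Infected:'."""
    hits, in_section = [], False
    for line in log_text.splitlines():
        if line.strip() == "Files Infected:":   # detail section, not the count line
            in_section = True
        elif in_section:
            m = HIT_RE.match(line)
            if m:
                hits.append((m["path"], m["name"], m["action"]))
            elif line.strip() and not line.startswith("("):
                in_section = False              # reached the next section header
    return hits

def classify(path):
    """'restore_point' copies are inert (flushing System Restore drops them);
    'masquerade' borrows a system binary's name outside the system directories;
    anything else is 'active' and deserves a look at what launched it."""
    if RESTORE_RE.search(path):
        return "restore_point"
    low = path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if stem in SYSTEM_NAMES and not any(d in low for d in SYSTEM_DIRS):
        return "masquerade"
    return "active"
```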

Re: removed antivirus soft demo virus, now locking up

Post by Belahzur on 8th March 2010, 6:49 pm

Hello.

Don't worry about that, that's just an infected restore point.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.


Re: removed antivirus soft demo virus, now locking up

Post by mattk25 on 9th March 2010, 9:15 pm

Seems to be back to normal.
I have downloaded and installed the above software - hopefully that will prevent it from happening again.

Thanks a million for your help!
I would have had to reinstall Windows if it weren't for your help.
