Win32 on XP


Win32 on XP

Post by brick on Wed 18 Aug 2010, 3:33 am

Our family computer [an XP] has recently have been slowing down, we ran ESET and found Win32 viruses on the computer, we removed them but it doesn't seem like it fixed anything. Is there anything you can do to help? We have Secunia, Avast, Cookienator, and Spyblaster on the computer.


Re: Win32 on XP

Post by DragonMaster Jay on Wed 18 Aug 2010, 5:02 pm

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by the staff noted above.
  • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see [You must be registered and logged in to see this link.].

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Note: the following tool is to only be used under the guidance of a malware helper. In the event you already have the tool, please delete the old copy and download a new copy.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com (Click the green button on the page to download it).

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to doing this can be found here.
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\combo-fix.exe" /killall
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    *NOTE*: If you already have the Recovery Console installed, ComboFix will skip this part and will continue scanning for malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


~DMJ
GeekPolice Academy Manager

Re: Win32 on XP

Post by brick on Thu 19 Aug 2010, 3:01 am

Here are the logs:

ComboFix 10-08-17.04 - David and Marla 08/18/2010 11:30:53.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.261 [GMT -4:00]
Running from: c:\documents and settings\David and Marla\desktop\combo-fix.exe
Command switches used :: /killall
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\David and Marla\Application Data\.#
c:\documents and settings\David and Marla\Application Data\.#\MBX@A94@3F3F70.###
c:\documents and settings\David and Marla\Application Data\.#\MBX@A94@3F3FA0.###
c:\documents and settings\David and Marla\Cookies\gicizo.db
c:\documents and settings\David and Marla\Cookies\ubif._dl
C:\NORTON~1.EXE
C:\restore
c:\windows\jestertb.dll
c:\windows\Tasks\jwjzywem.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_$SYS$DRMSERVER
-------\Legacy_CD_PROXY
-------\Service_$sys$DRMServer


((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))
.

2010-08-17 17:10 . 2010-08-17 17:12 -------- d-----w- c:\program files\QuickTime
2010-08-17 17:10 . 2010-08-17 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-19 23:42 . 2010-07-19 23:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-17 20:32 . 2008-12-24 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-08-17 13:32 . 2010-06-08 23:54 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-08-15 15:54 . 2009-04-01 22:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-15 15:54 . 2010-06-08 17:37 -------- d-----w- c:\program files\SpywareBlaster
2010-07-19 15:05 . 2008-10-22 12:56 -------- d-----w- c:\program files\Messenger Plus! Live
2010-07-13 15:08 . 2010-07-13 15:08 -------- d-----w- c:\program files\Teaching Textbooks
2010-07-07 16:58 . 2010-07-07 16:58 -------- d-----w- c:\documents and settings\David and Marla\Application Data\Amazon
2010-07-07 16:57 . 2010-07-07 16:57 -------- d-----w- c:\program files\Amazon
2010-07-02 17:23 . 2009-01-24 18:10 -------- d-----w- c:\documents and settings\David and Marla\Application Data\Yahoo!
2010-07-02 17:20 . 2008-10-16 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-02 17:20 . 2009-01-24 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-07-02 17:20 . 2008-10-16 11:40 -------- d-----w- c:\program files\Yahoo!
2010-06-30 12:31 . 2005-12-13 16:38 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-28 20:57 . 2010-07-13 15:57 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57 . 2010-05-23 17:36 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-05-23 17:38 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-05-23 17:38 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-05-23 17:38 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-05-23 17:38 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-05-23 17:38 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-05-23 17:38 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-05-23 17:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-24 12:22 . 2005-10-21 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2005-12-13 16:38 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2005-12-13 16:38 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2005-12-13 16:36 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41 . 2005-12-13 16:37 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-11 17:24 . 2010-06-11 17:24 53632 ----a-w- c:\documents and settings\David and Marla\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-06-08 23:31 . 2010-06-08 23:31 61440 ----a-w- c:\documents and settings\David and Marla\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2c20da02-n\decora-sse.dll
2010-06-08 23:31 . 2010-06-08 23:31 12800 ----a-w- c:\documents and settings\David and Marla\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2c20da02-n\decora-d3d.dll
2010-06-08 23:31 . 2010-06-08 23:31 503808 ----a-w- c:\documents and settings\David and Marla\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-25673c6a-n\msvcp71.dll
2010-06-08 23:31 . 2010-06-08 23:31 499712 ----a-w- c:\documents and settings\David and Marla\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-25673c6a-n\jmc.dll
2010-06-08 23:31 . 2010-06-08 23:31 348160 ----a-w- c:\documents and settings\David and Marla\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-25673c6a-n\msvcr71.dll
2010-06-08 23:29 . 2010-06-08 23:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-08 23:25 . 2010-06-08 23:25 79488 ----a-w- c:\documents and settings\David and Marla\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-06-08 23:25 . 2010-06-08 23:25 152576 ----a-w- c:\documents and settings\David and Marla\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-05-28 11:04 . 2010-05-28 11:04 14896 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-05-23 17:44 . 2009-12-15 01:41 0 ----a-w- c:\documents and settings\David and Marla\Local Settings\Application Data\prvlcl.dat
2009-08-21 14:54 . 2009-08-21 14:54 18046 ----a-w- c:\program files\Common Files\quhuc.scr
2009-08-21 14:54 . 2009-08-21 14:54 16954 ----a-w- c:\program files\Common Files\ufusegiq.pif
2009-08-21 14:54 . 2009-08-21 14:54 12451 ----a-w- c:\program files\Common Files\qajaci.reg
2009-08-21 14:54 . 2009-08-21 14:54 10705 ----a-w- c:\program files\Common Files\enivofoky.lib
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cookienator"="c:\program files\Cookienator\cookienator.exe" [2009-10-19 1333472]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-09-13 46592]
"SiS Tray"="c:\windows\system32\sistray.EXE" [2006-03-09 262144]
"SiSPower"="SiSPower.dll" [2006-03-09 49152]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\David and Marla\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-5-28 911920]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\WINDOWS\\system32\\lxdmcoms.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdmpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdmtime.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmFax.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdmjswx.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\frun.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=

R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [10/06/2004 10:11 AM 18432]
R1 $sys$crater;$sys$crater;c:\windows\system32\$sys$filesystem\crater.sys [10/07/2004 3:57 AM 11904]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [05/23/2010 1:38 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [05/23/2010 1:38 PM 17744]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [05/28/2010 7:04 AM 14896]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-08-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-24 16:53]
.
.
------- Supplementary Scan -------
.
uSearch Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = localhost;
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\David and Marla\Application Data\Mozilla\Firefox\Profiles\luomhhjy.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\David and Marla\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SiS KHooker - c:\windows\system32\khooker.exe
HKLM-Run-ISW - c:\program files\CheckPoint\ZAForceField\ForceField.exe
AddRemove-Blue's Art Time Activities - c:\hegames\ArtTime\Uninst.isu
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\David and Marla\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-18 11:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3889389676-2448089655-718245918-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(744)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\windows\system32\lxdmcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\HPZipm12.exe
c:\windows\system32\ScsiAccess.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
.
**************************************************************************
.
Completion time: 2010-08-18 11:58:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-18 15:58

Pre-Run: 13,539,303,424 bytes free
Post-Run: 13,763,870,720 bytes free

- - End Of File - - 7E055476C48AA24F354B3ACCE7A7F0D3


Re: Win32 on XP

Post by DragonMaster Jay on Thu 19 Aug 2010, 5:27 am

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    Code:
    http://www.GeekPolice.net/-f11/-t23363.htm

    Killall::

    Collect::
    c:\program files\Common Files\quhuc.scr
    c:\program files\Common Files\ufusegiq.pif
    c:\program files\Common Files\qajaci.reg
    c:\program files\Common Files\enivofoky.lib

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = localhost;

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


~DMJ
GeekPolice Academy Manager
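As an added example (not part of the thread, and not ComboFix's own code), the script below triages a ComboFix log excerpt for the two findings the helper acted on here, a ProxyServer entry pointing back at 127.0.0.1 and the `$sys$`-prefixed drivers, and assembles a CFScript in the layout of the codebox above. The log excerpt is constructed from lines in the first posted log, and all function names are my own.

```python
"""Triage a ComboFix log excerpt for a loopback proxy and $sys$ drivers,
then build a CFScript in the Killall:: / Collect:: / DDS:: / Reboot:: layout."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the first log in the thread (not the whole log).
SAMPLE_LOG = r"""
R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [10/06/2004 10:11 AM 18432]
R1 $sys$crater;$sys$crater;c:\windows\system32\$sys$filesystem\crater.sys [10/07/2004 3:57 AM 11904]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [05/23/2010 1:38 PM 165456]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = localhost;
"""

# "R0 name;display;path [date size]"  -> start type, service name, display name, image path
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]+);(.+?)(?:\s+\[[^\]]*\])?$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_services(log: str) -> List[Dict[str, str]]:
    """Return the R*/S* driver and service lines as dicts."""
    found = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            found.append({"start": m.group(1), "name": m.group(2),
                          "display": m.group(3), "path": m.group(4)})
    return found


def parse_settings(log: str) -> Dict[str, str]:
    """Return the 'key = value' lines of the Supplementary Scan.
    In this notation a leading 'u' means the user hive (HKCU), 'm' the machine hive (HKLM)."""
    settings: Dict[str, str] = {}
    for line in log.splitlines():
        line = line.strip()
        if line[:1] in ("u", "m") and " = " in line:
            key, value = line.split(" = ", 1)
            settings[key.strip()] = value.strip()
    return settings


def proxy_targets(value: str) -> List[Tuple[str, str, str]]:
    """Split a WinINet ProxyServer value into (scheme, host, port) tuples.
    The value is either 'host:port' (all protocols) or 'http=host:port;https=host:port;...'."""
    targets = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        targets.append((scheme or "*", host or hostport, port))
    return targets


def find_loopback_proxy(settings: Dict[str, str]) -> List[str]:
    """Report ProxyServer entries that route browser traffic through this machine.
    Whatever listens on that local port sees every request; once that process is
    removed, the stale setting just breaks browsing, so the thread deleted it via DDS::."""
    hits = []
    for key, value in settings.items():
        if not key.endswith("ProxyServer"):
            continue
        for scheme, host, port in proxy_targets(value):
            if host.lower() in LOOPBACK:
                hits.append(f"{key}: {scheme} proxy -> {host}:{port}")
    return hits


def find_sys_drivers(services: List[Dict[str, str]]) -> List[str]:
    """Report drivers whose service name or image path contains '$sys$'.
    That prefix is the one the Sony BMG XCP copy-protection rootkit cloaked (general
    knowledge, not a claim from the thread); it matches the $sys$DRMServer entries
    ComboFix deleted in the first log."""
    return [f"{s['start']} {s['name']} -> {s['path']}" for s in services
            if "$sys$" in s["name"].lower() or "$sys$" in s["path"].lower()]


def build_cfscript(collect: List[str], dds: List[str]) -> str:
    """Assemble a CFScript as laid out in the thread: Killall::, Collect:: (files ComboFix
    zips for submission and removes), DDS:: (Supplementary Scan lines to delete), Reboot::."""
    lines = ["Killall::", ""]
    if collect:
        lines += ["Collect::", *collect, ""]
    if dds:
        lines += ["DDS::", *dds, ""]
    lines.append("Reboot::")
    return "\n".join(lines) + "\n"


def triage(log: str) -> Dict[str, List[str]]:
    """Run both checks and return the findings plus the DDS:: lines a CFScript would need."""
    settings = parse_settings(log)
    proxy_hits = find_loopback_proxy(settings)
    dds_lines: List[str] = []
    if proxy_hits:
        # Drop the proxy setting together with its override list, as the helper did.
        dds_lines = [f"{k} = {v}" for k, v in settings.items()
                     if k.endswith(("ProxyServer", "ProxyOverride"))]
    return {"loopback_proxy": proxy_hits,
            "sys_drivers": find_sys_drivers(parse_services(log)),
            "dds": dds_lines}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for section, items in result.items():
        print(section, *items, sep="\n  ")
    print(build_cfscript([], result["dds"]))
```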

Re: Win32 on XP

Post by brick on Thu 19 Aug 2010, 7:21 am

Here are the ComboFix logs:

ComboFix 10-08-17.04 - David and Marla 08/18/2010 15:28:57.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.232 [GMT -4:00]
Running from: c:\documents and settings\David and Marla\Desktop\combo-fix.exe
Command switches used :: c:\documents and settings\David and Marla\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\program files\Common Files\enivofoky.lib
file zipped: c:\program files\Common Files\qajaci.reg
file zipped: c:\program files\Common Files\quhuc.scr
file zipped: c:\program files\Common Files\ufusegiq.pif
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\enivofoky.lib
c:\program files\Common Files\qajaci.reg
c:\program files\Common Files\quhuc.scr
c:\program files\Common Files\ufusegiq.pif

.
((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))
.

2010-08-17 17:10 . 2010-08-17 17:12 -------- d-----w- c:\program files\QuickTime
2010-08-17 17:10 . 2010-08-17 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-19 23:42 . 2010-07-19 23:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-17 20:32 . 2008-12-24 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-08-17 13:32 . 2010-06-08 23:54 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-08-15 15:54 . 2009-04-01 22:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-15 15:54 . 2010-06-08 17:37 -------- d-----w- c:\program files\SpywareBlaster
2010-07-19 15:05 . 2008-10-22 12:56 -------- d-----w- c:\program files\Messenger Plus! Live
2010-07-13 15:08 . 2010-07-13 15:08 -------- d-----w- c:\program files\Teaching Textbooks
2010-07-07 16:58 . 2010-07-07 16:58 -------- d-----w- c:\documents and settings\David and Marla\Application Data\Amazon
2010-07-07 16:57 . 2010-07-07 16:57 -------- d-----w- c:\program files\Amazon
2010-07-02 17:23 . 2009-01-24 18:10 -------- d-----w- c:\documents and settings\David and Marla\Application Data\Yahoo!
2010-07-02 17:20 . 2008-10-16 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-02 17:20 . 2009-01-24 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-07-02 17:20 . 2008-10-16 11:40 -------- d-----w- c:\program files\Yahoo!
2010-06-30 12:31 . 2005-12-13 16:38 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-28 20:57 . 2010-07-13 15:57 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57 . 2010-05-23 17:36 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-05-23 17:38 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-05-23 17:38 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-05-23 17:38 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-05-23 17:38 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-05-23 17:38 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-05-23 17:38 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-05-23 17:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-24 12:22 . 2005-10-21 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2005-12-13 16:38 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2005-12-13 16:38 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2005-12-13 16:36 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41 . 2005-12-13 16:37 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-08 23:29 . 2010-06-08 23:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-28 11:04 . 2010-05-28 11:04 14896 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-05-23 17:44 . 2009-12-15 01:41 0 ----a-w- c:\documents and settings\David and Marla\Local Settings\Application Data\prvlcl.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cookienator"="c:\program files\Cookienator\cookienator.exe" [2009-10-19 1333472]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-09-13 46592]
"SiS Tray"="c:\windows\system32\sistray.EXE" [2006-03-09 262144]
"SiSPower"="SiSPower.dll" [2006-03-09 49152]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\David and Marla\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-5-28 911920]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\WINDOWS\\system32\\lxdmcoms.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdmpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdmtime.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmFax.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdmjswx.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\frun.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=

R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [10/06/2004 10:11 AM 18432]
R1 $sys$crater;$sys$crater;c:\windows\system32\$sys$filesystem\crater.sys [10/07/2004 3:57 AM 11904]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [05/23/2010 1:38 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [05/23/2010 1:38 PM 17744]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [05/28/2010 7:04 AM 14896]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-08-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-24 16:53]
.
.
------- Supplementary Scan -------
.
uSearch Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\David and Marla\Application Data\Mozilla\Firefox\Profiles\luomhhjy.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\David and Marla\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-18 15:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3889389676-2448089655-718245918-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1704)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\windows\system32\lxdmcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\SOUNDMAN.EXE
c:\windows\System32\HPZipm12.exe
c:\windows\system32\ScsiAccess.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
.
**************************************************************************
.
Completion time: 2010-08-18 16:05:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-18 20:05
ComboFix2.txt 2010-08-18 15:58

Pre-Run: 13,736,275,968 bytes free
Post-Run: 13,667,176,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 8A44B38DBA5BCCC9DE8103F4E0F5A91E


Re: Win32 on XP

Post by DragonMaster Jay on Thu 19 Aug 2010, 8:10 am

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt.
  • Copy and paste the entire report in your next reply.



~DMJ
GeekPolice Academy Manager




Re: Win32 on XP

Post by brick on Thu 19 Aug 2010, 8:36 am

Here are the Malwarebytes logs.

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4447

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/18/2010 5:34:10 PM
mbam-log-2010-08-18 (17-34-10).txt

Scan type: Quick scan
Objects scanned: 129024
Time elapsed: 11 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Win32 on XP

Post by DragonMaster Jay on Thu 19 Aug 2010, 8:40 am

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.
    Link 1
    Link 2
    Link 3

  • Double-click on MBRCheck.exe to run it.
  • It will open a black window...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
  • Please copy and paste the contents of that log in your next reply.



Re: Win32 on XP

Post by brick on Thu 19 Aug 2010, 9:53 am

Here are the logs.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 128):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF79C8000 \WINDOWS\system32\KDCOM.DLL
0xF78D8000 \WINDOWS\system32\BOOTVID.dll
0xF7479000 ACPI.sys
0xF79CA000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF7468000 pci.sys
0xF74C8000 isapnp.sys
0xF7A90000 pciide.sys
0xF7748000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF74D8000 MountMgr.sys
0xF7449000 ftdisk.sys
0xF7750000 PartMgr.sys
0xF74E8000 VolSnap.sys
0xF7431000 atapi.sys
0xF74F8000 disk.sys
0xF7508000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF7411000 fltmgr.sys
0xF73FF000 sr.sys
0xF73E8000 KSecDD.sys
0xF73D5000 WudfPf.sys
0xF7348000 Ntfs.sys
0xF731B000 NDIS.sys
0xF7518000 Combo-Fix.sys
0xF7758000 SISAGP.sys
0xF7301000 Mup.sys
0xF7760000 $sys$cor.sys
0xF7668000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xF5EC5000 \SystemRoot\System32\DRIVERS\sisgrp.sys
0xF5EB1000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF796C000 \??\C:\WINDOWS\system32\$sys$filesystem\crater.sys
0xF7678000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF7688000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF7698000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF5E8E000 \SystemRoot\System32\DRIVERS\ks.sys
0xF5DF0000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xF5DCC000 \SystemRoot\system32\drivers\portcls.sys
0xF76A8000 \SystemRoot\system32\drivers\drmk.sys
0xF77F0000 \SystemRoot\System32\DRIVERS\usbohci.sys
0xF5DA8000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF77F8000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xF7800000 \SystemRoot\System32\DRIVERS\sisnic.sys
0xF7808000 \SystemRoot\System32\DRIVERS\DM9PCI5.SYS
0xF5D13000 \SystemRoot\System32\DRIVERS\ltmdmnt.sys
0xF7820000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7830000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF76B8000 \SystemRoot\System32\DRIVERS\serial.sys
0xF7980000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF5CFF000 \SystemRoot\System32\DRIVERS\parport.sys
0xF76C8000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF7840000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF7AB8000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF76D8000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF798C000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF5CE8000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF76E8000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF76F8000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF7860000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF5CD7000 \SystemRoot\System32\DRIVERS\psched.sys
0xF7708000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF7870000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF7880000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF7718000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF7888000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF79DA000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF5C79000 \SystemRoot\System32\DRIVERS\update.sys
0xF79A0000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF7728000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7558000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF79E0000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF78A8000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xF79E4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7578000 \SystemRoot\system32\DRIVERS\DcCam.sys
0xF2C2F000 \SystemRoot\system32\DRIVERS\EXPORTIT.SYS
0xF7AD8000 \SystemRoot\System32\Drivers\Null.SYS
0xF78C8000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF78D0000 \SystemRoot\System32\drivers\vga.sys
0xF79EA000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79EE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7780000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7790000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6B85000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xF2BFC000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xF2BA3000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF5F95000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xF2B55000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF2B2D000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF5F85000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF2B0B000 \SystemRoot\System32\drivers\afd.sys
0xF5F75000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF7964000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF5F55000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7970000 \SystemRoot\system32\drivers\srvkp.sys
0xF2A40000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xF7984000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xF29D0000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF5F45000 \SystemRoot\System32\Drivers\Fips.SYS
0xF29A9000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF77B0000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF5F25000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF2969000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79F6000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF6B95000 \SystemRoot\System32\drivers\Dxapi.sys
0xF77D8000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B44000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\SiSGRV.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF293D000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xF7638000 \SystemRoot\system32\drivers\dcfs2k.sys
0xF5F15000 \SystemRoot\system32\DRIVERS\fssfltr_tdi.sys
0xF2811000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xF268A000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xF241D000 \SystemRoot\system32\drivers\wdmaud.sys
0xF25D2000 \SystemRoot\system32\drivers\sysaudio.sys
0xF220A000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF7A10000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xF20C3000 \SystemRoot\System32\DRIVERS\srv.sys
0xF204B000 \SystemRoot\System32\DRIVERS\secdrv.sys
0xF1BB5000 \SystemRoot\System32\Drivers\HTTP.sys
0xF7848000 \??\C:\DOCUME~1\DAVIDA~1\LOCALS~1\Temp\mbr.sys
0xF7878000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xF7A50000 \SystemRoot\system32\DRIVERS\psi_mf.sys
0xF77D0000 \??\C:\combo-fix\catchme.sys
0xF7A4E000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xF1812000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 32):
0 System Idle Process
4 System
484 C:\WINDOWS\system32\smss.exe
540 csrss.exe
568 C:\WINDOWS\system32\winlogon.exe
612 C:\WINDOWS\system32\services.exe
624 C:\WINDOWS\system32\lsass.exe
784 C:\WINDOWS\system32\svchost.exe
832 svchost.exe
944 C:\WINDOWS\system32\svchost.exe
980 C:\WINDOWS\system32\svchost.exe
1112 svchost.exe
1132 svchost.exe
1300 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
196 C:\WINDOWS\system32\spoolsv.exe
1556 svchost.exe
1840 C:\Program Files\Java\jre6\bin\jqs.exe
776 C:\WINDOWS\system32\drivers\KodakCCS.exe
1580 C:\WINDOWS\system32\lxdmcoms.exe
1636 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
1340 C:\WINDOWS\SOUNDMAN.EXE
1684 C:\WINDOWS\system32\HPZipm12.exe
1480 C:\WINDOWS\system32\sistray.exe
852 C:\WINDOWS\system32\ScsiAccess.EXE
1824 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
380 C:\WINDOWS\system32\svchost.exe
1380 C:\Program Files\Secunia\PSI\psi.exe
2200 C:\WINDOWS\system32\ctfmon.exe
2580 alg.exe
1704 C:\WINDOWS\explorer.exe
1976 C:\Program Files\Messenger\msmsgs.exe
3324 C:\Documents and Settings\David and Marla\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD400EB-00CPF0, Rev: 06.04G06

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!


Re: Win32 on XP

Post by DragonMaster Jay on Fri 20 Aug 2010, 6:05 am

Fix using MBRCheck.exe

Run MBRCheck.exe again by double-clicking on it.
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Enter 'Y' and then press Enter.
  • When asked: 'Enter your choice:', select option 2 (Restore the MBR of a physical disk with a standard boot code) and press the Enter key.
  • Now the program will ask: 'Enter the physical disk number to fix (0-99, -1 to cancel)'
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes followed by a list of operating systems as shown below:
    Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel
    Please select the MBR code to write to this drive:
  • Please select your version of Windows from the list and enter the corresponding number and then press Enter.
  • When prompted for confirmation, "Do you want to fix the MBR code?", type the full word Yes (not Y, or the fix will not work) and press Enter.
  • Left-click on the title bar (where the program name and path are written).
  • From the menu choose Edit -> Select All.
  • Press the Enter key to copy selected text.
  • Open Notepad, paste that text into it and save to your desktop as MBRCheck.txt.
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • Reboot your computer to complete the fix and copy/paste MBRCheck.txt in your next reply.
  • If your computer does not restart on its own, please restart it manually.

Important Note: The Master Boot Record contains the Partition Table for the hard disk and a little executable code for the boot start. While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the MBR, which may cause the computer not to boot up or may corrupt a partition.

The following are signs of a damaged MBR:
  • Invalid Partition Table
  • Missing Operating System
  • Error loading operating system


If it is the worst case scenario, and your computer cannot boot, please take note of the following:

Please have your Windows CD available, which will allow recovering the boot code via the Windows Recovery Console in case of any problems, or install the XP Recovery Console before proceeding with the above fix. Then, if any problems occur, the links below explain how to use the Recovery Console and repair the MBR:
  • How to use the Recovery Console
  • How to fix MBR in Windows XP and Vista


If you do not have a Windows CD available, please let me know. You will need access to a computer that can burn CDs.



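The MBR layout the note above describes (a little boot code, the four-entry partition table, and the 0x55AA signature that closes the sector), parsed and sanity-checked in Python. This is an added example, not a tool from this thread: the 512-byte sector is a constructed sample, the disk size is an assumed value, the hash covers the first 440 bytes (MBRCheck and Bootkit Remover may hash a different span), and the checks mirror the kinds of damage the note warns about rather than any particular fix.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # boot code proper; bytes 440-445 hold the disk signature and padding
PT_OFFSET = 446          # partition table: 4 entries x 16 bytes
PT_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"
ACTIVE_FLAG = 0x80
# Assumed disk size used by the range check: roughly a 40 GB drive (constructed value).
DISK_SECTORS = 78_165_360


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition-table entry (little-endian fields)."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {
        "active": status == ACTIVE_FLAG,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
        # Byte offset of the partition on the physical disk. LBA 63 gives
        # 0x7e00, the offset the MBRCheck and Bootkit Remover logs print.
        "byte_offset": lba_start * SECTOR_SIZE,
    }


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hashes, partitions and signature."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = [
        parse_partition_entry(mbr[PT_OFFSET + i * PT_ENTRY_LEN:
                                  PT_OFFSET + (i + 1) * PT_ENTRY_LEN])
        for i in range(4)
    ]
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": [p for p in entries if p["type"] != 0],  # type 0 = unused slot
    }


def check_mbr(parsed: dict, disk_sectors: int = DISK_SECTORS) -> list:
    """Return the problems found; an empty list means the table looks sane."""
    problems = []
    if not parsed["signature_ok"]:
        problems.append("missing 0x55AA boot signature")
    active = [p for p in parsed["partitions"] if p["active"]]
    if len(active) != 1:
        problems.append(f"{len(active)} active partitions, expected exactly 1")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                   for p in parsed["partitions"])
    for start, end in spans:
        if end > disk_sectors:
            problems.append(f"partition at LBA {start} runs past the end of the disk")
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            problems.append(f"partitions overlap at LBA {start_b}")
    return problems


def boot_code_matches(mbr: bytes, reference_md5: str) -> bool:
    """Compare the boot code with the hash of a known-good copy saved earlier."""
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest() == reference_md5.lower()


def with_byte(mbr: bytes, offset: int, value: int) -> bytes:
    """Return a copy of the sector with one byte changed (used to simulate damage)."""
    patched = bytearray(mbr)
    patched[offset] = value
    return bytes(patched)


def build_sample_mbr() -> bytes:
    """Constructed sample, not a dump of any real disk: filler in place of
    boot code, one active NTFS partition starting at LBA 63, valid signature."""
    boot_code = bytes(range(256)) + bytes(range(184))        # 440 bytes of filler
    disk_sig_and_pad = bytes(6)
    ntfs = struct.pack("<B3xB3xII", ACTIVE_FLAG, 0x07, 63, 78_156_162)
    empty = bytes(PT_ENTRY_LEN * 3)
    return boot_code + disk_sig_and_pad + ntfs + empty + BOOT_SIGNATURE


if __name__ == "__main__":
    sample = build_sample_mbr()
    info = parse_mbr(sample)
    for p in info["partitions"]:
        print(f"type 0x{p['type']:02x} at LBA {p['lba_start']} "
              f"(offset 0x{p['byte_offset']:08x}), active={p['active']}")
    print("boot code MD5:", info["boot_code_md5"])
    print("problems:", check_mbr(info) or "none")
    # Simulate a damaged table: wipe the signature and the active flag.
    damaged = with_byte(with_byte(sample, 510, 0), PT_OFFSET, 0)
    print("damaged:", check_mbr(parse_mbr(damaged)))
    # A patched boot sector no longer matches the saved reference hash.
    print("boot code intact:",
          boot_code_matches(with_byte(sample, 0, 0xEB), info["boot_code_md5"]))
```

Read the real sector with a raw device handle on the machine being examined, then feed those 512 bytes to parse_mbr; the reference hash only means something if it was taken while the disk was known to be clean.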
Re: Win32 on XP

Post by brick on Fri 20 Aug 2010, 6:54 am

We are not getting the option for Y or N. It pulls up the MBRCheck screen, a few lines, and ends with "Done! Press ENTER to exit."

thanks


Re: Win32 on XP

Post by DragonMaster Jay on Fri 20 Aug 2010, 6:55 am

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: [You must be registered and logged in to see this link.]
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
  • It will show a black screen with some data on it.
  • Right-click on the screen and click Select All.
  • Press Enter.
  • Open Notepad and press CTRL+V.
  • Post the output back here.



Re: Win32 on XP

Post by brick on Fri 20 Aug 2010, 7:24 am

Here it is.

Bootkit Remover
(c) 2009 eSage Lab
[You must be registered and logged in to see this link.]

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...


Re: Win32 on XP

Post by DragonMaster Jay on Fri 20 Aug 2010, 7:29 am

Please open Notepad and enter in the following:
@echo off
rem \\.\PhysicalDrive0 is the first physical disk, the device named in the remover.exe log
start remover.exe fix \\.\PhysicalDrive0
exit
Then, click File > Save as...
Save as remove.bat to the same location as remover.exe.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on remove.bat.

Please re-run remover.exe and post a new log in your next reply.



Re: Win32 on XP

Post by brick on Fri 20 Aug 2010, 7:39 am

Here it is.

Bootkit Remover
(c) 2009 eSage Lab
[You must be registered and logged in to see this link.]

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...


Re: Win32 on XP

Post by DragonMaster Jay on Fri 20 Aug 2010, 7:43 am

How is your computer running at this point?



Re: Win32 on XP

Post by brick on Fri 20 Aug 2010, 7:54 am

Still slow on start-up (I used the restart command to test). Freezes up when trying to open Firefox. But the switch from one screen to another seems somewhat faster.

brick


Re: Win32 on XP

Post by DragonMaster Jay on Fri 20 Aug 2010, 7:26 pm

The MBR didn't get fixed correctly. We shall try this once more.

Please open Notepad and copy and paste the following:
@echo off
rem \\.\PhysicalDrive0 is the first physical disk, the device named in the remover.exe log
start remover.exe fix \\.\PhysicalDrive0
exit
Then, click File > Save as...
Save as remove.bat to the same location as remover.exe.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on remove.bat.

Please re-run remover.exe and post a new log in your next reply.



Re: Win32 on XP

Post by brick on Sat 21 Aug 2010, 2:13 am

Here are the logs

Bootkit Remover
(c) 2009 eSage Lab
[You must be registered and logged in to see this link.]

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

CreateFile() ERROR 2
ERROR: Can't open physical disk device.

Done;
Press any key to quit...


Re: Win32 on XP

Post by DragonMaster Jay on Sat 21 Aug 2010, 4:44 pm

Do you have an XP cd?

We need to do a data-safe recovery.



Re: Win32 on XP

Post by brick on Sun 22 Aug 2010, 4:43 am

No, I am sorry we don't.

brick


Re: Win32 on XP

Post by DragonMaster Jay on Sun 22 Aug 2010, 7:54 am

Download RC.ISO and save it somewhere you can find it.

Download MagicISO and install it.

Start MagicISO. When it asks you to register, just close that window...the program should remain open. Click on "File" and then on "Open"...navigate to the RC.ISO file you downloaded, select it, and click "Open".

Click "File" on the toolbar and choose "Save As". Name the file RCplus and save it somewhere you can find it.

Put a blank CD-R disk in your CD burner and close the tray...when the AutoPlay window opens, close it.

Click "Tools" on the toolbar and choose "Burn CD/DVD with ISO". In the CD/DVD Image file area, click the little folder, navigate to the newly created RCplus.iso image file, and click "Open". In the CD/DVD Writing Speed drop-down menu, choose the top 8X setting. Format should have "Mode 1" selected...if not, select it. Click on the "Burn It!" button.

Once this disk is burned, put it in the machine you're working on and restart. Boot to the CD and enter the Recovery Console.

When there, do this:

Type in "fixmbr" and hit Enter.

Type 'y' if asked to, and allow it to do its job.

Once it's done that and shows the next bit for another command, type "exit"

This will reboot your machine again, allow it to boot normally this time.

Once done, re-run Remover.exe and post a new log.



Re: Win32 on XP

Post by brick on Sun 22 Aug 2010, 9:26 am

Here it is.

Bootkit Remover
(c) 2009 eSage Lab
[You must be registered and logged in to see this link.]

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...


Re: Win32 on XP

Post by DragonMaster Jay on Sun 22 Aug 2010, 4:31 pm

Good.

How is the computer running now?



Re: Win32 on XP

Post by brick on Tue 24 Aug 2010, 12:47 am

Good Monday morning DragonMaster Jay,
I started up the computer this morning and it was even slower than yesterday. I pulled up the Windows Task Manager and at the top of Applications was a program that looks like the Windows Messenger Live icon, yet a little different, with the title of 'xxx'. This is the same program that prompted us to run the ESET scanner 2 weeks ago and thus finding a variety of Win32 viruses. I gather this virus is back?
What do we do next?
Thanks for your continued help.
*********
(Note) After posting this I went back to the desktop and it still won't open the Firefox browser. It is listed as non-responsive. I also cannot close the browser. After a while it finally closed and then I was able to end the "xxx" task as well. Clearly, something is going on....

brick

