Only Starts in Safemode /Better virus removal (Free?)


Only Starts in Safemode /Better virus removal (Free?)

Post by MiguelOhara on Fri 11 Feb 2011, 8:37 am

First topic message reminder:

Ok, I originally posted this in another forum but was told I should post here in 'Malware', so I'll recap w/ some of the original language:

Sup ppl,

I've been using AVG and it's usually adequate, but I've been attacked again and I don't see how good it is if viruses keep getting through to where my system is disabled (my desktop only starts in safe mode). I'm running XP, so I kind of suspect that since I'm running an older OS I'm more vulnerable to this sort of thing (advice?). I'm not cheap, I'm broke, so is there something that I can use to restore my computer? I'm on with safe mode networking and I'll download what sounds good. I just installed SP3 and I've already tried:
Correct Boot INI settings
Disabled system restore
Uninstalled/reinstalled AVG
Removed suspect programs

Having redirect issues as well

Some direction will be greatly appreciated

AFTER THAT I THINK I RID MYSELF OF THE VIRUS (it's been 48+ hrs no signs) I WAS GIVEN SOME CODE AND TOLD TO DOWNLOAD OTL BUT....

Trying to get OTL on my comp but can't:

Safe mode w/ Networking isn't letting me go to GeekPolice for some reason, same thing with Google search results (I think it has to do with the .net site extension)

Safe mode not reading my USB drive
Email won't allow me to send executable files

Just a reminder, my comp won't start regularly.
Any other way I can get this file on the comp?

MiguelOhara

Newbie Surfer

Posts : 29
Joined : 2011-02-06
Operating System : XP Service Pack 2


Re: Only Starts in Safemode /Better virus removal (Free?)

Post by Belahzur on Wed 23 Feb 2011, 12:25 pm

Okay.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Only Starts in Safemode /Better virus removal (Free?)

Post by MiguelOhara on Wed 23 Feb 2011, 1:23 pm

Ok, the files I get from Bleeping Computer get errored as corrupted files and won't run. I got a list of sites that are not affiliated with Bleeping Computer, and my computer is redirecting every time I try to get this download, and it's all made worse by my now non-existent antivirus, since I was told to take it out by ComboFix... so that's pretty much where I'm stuck at now.

MiguelOhara

Newbie Surfer

Posts : 29
Joined : 2011-02-06
Operating System : XP Service Pack 2

Re: Only Starts in Safemode /Better virus removal (Free?)

Post by MiguelOhara on Fri 25 Feb 2011, 8:54 am

It looks like it's fixed!! The test was 'can it go to GeekPolice' (that was one of the sites this comp strangely wouldn't go to). The results are below; I'm waiting for your response before I get all excited..


ComboFix 11-02-24.01 - G Man 02/24/2011 16:32:31.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2816 [GMT -5:00]
Running from: c:\documents and settings\G Man\Desktop\commy.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\nDeOlMd06504
c:\documents and settings\All Users.WINDOWS\Application Data\nDeOlMd06504\nDeOlMd06504
c:\documents and settings\All Users.WINDOWS\Application Data\nDeOlMd06504\nDeOlMd06504.exe
c:\documents and settings\G Man\Application Data\Adobe\plugs
c:\documents and settings\G Man\Application Data\E7CB79EAF9F92DDFA867DB130E201239
c:\documents and settings\G Man\Application Data\E7CB79EAF9F92DDFA867DB130E201239\enemies-names.txt
c:\documents and settings\G Man\Application Data\E7CB79EAF9F92DDFA867DB130E201239\local.ini
c:\documents and settings\G Man\Local Settings\Application Data\{70207928-A5B3-4BAC-9399-F6DB4EA1EDD8}
c:\documents and settings\G Man\Local Settings\Application Data\{70207928-A5B3-4BAC-9399-F6DB4EA1EDD8}\chrome\content\_cfg.js
c:\documents and settings\G Man\Local Settings\Application Data\{70207928-A5B3-4BAC-9399-F6DB4EA1EDD8}\chrome\content\overlay.xul
c:\documents and settings\G Man\Local Settings\Application Data\{70207928-A5B3-4BAC-9399-F6DB4EA1EDD8}\install.rdf
c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\whitesmoketoolbar
c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\whitesmoketoolbar\dtx.ini
c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\whitesmoketoolbar\exeArgs.xml
c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\whitesmoketoolbar\guid.dat
c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\whitesmoketoolbar\setupCfg.xml
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\addins\addins
E:\AUTORUN.INF

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2011-01-24 to 2011-02-24 )))))))))))))))))))))))))))))))
.

2011-02-21 02:48 . 2011-02-21 03:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\jAaIbOf15405
2011-02-17 02:51 . 2011-02-02 18:48 2193408 ----a-r- C:\OTLPE.exe
2011-02-17 02:44 . 2011-02-17 02:44 -------- d-----w- C:\_OTL
2011-02-11 07:18 . 2011-02-11 07:18 -------- d-----w- c:\program files\Quick Web Player
2011-02-09 15:31 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2011-02-09 15:31 . 2001-08-18 03:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2011-02-09 15:31 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2011-02-09 15:31 . 2001-08-17 19:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2011-02-09 15:31 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2011-02-09 15:31 . 2008-04-14 00:09 6144 ----a-w- c:\windows\system32\kbd106.dll
2011-02-09 14:15 . 2011-02-09 14:15 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\PrivacIE
2011-02-09 14:15 . 2011-02-09 14:15 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IECompatCache
2011-02-09 13:58 . 2011-02-09 14:00 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2011-02-09 07:10 . 2011-02-09 07:10 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2011-02-08 20:00 . 2011-02-08 20:10 -------- d-----w- c:\windows\system32\scripting
2011-02-08 20:00 . 2011-02-08 20:10 -------- d-----w- c:\windows\system32\bits
2011-02-08 20:00 . 2011-02-08 20:07 -------- d-----w- c:\windows\system32\en
2011-02-08 20:00 . 2011-02-08 20:00 -------- d-----w- c:\windows\l2schemas
2011-02-05 21:43 . 2011-01-18 19:48 144736 ----a-w- c:\windows\system32\RalinkGina.dll
2011-02-05 21:43 . 2010-10-07 16:54 2168160 ----a-w- c:\windows\system32\Scutum.dll
2011-02-05 21:43 . 2010-07-01 22:29 1607008 ----a-w- c:\windows\system32\RaCertMgr.dll
2011-02-05 21:43 . 2010-07-01 22:09 185696 ----a-w- c:\windows\system32\W32N55.dll
2011-02-05 21:43 . 2010-06-29 15:34 480608 ----a-w- c:\windows\system32\DiagFunc.dll
2011-02-05 21:43 . 2009-11-13 18:42 34080 ----a-w- c:\windows\system32\CTAAEI.dll
2011-02-05 21:43 . 2009-04-21 20:31 19072 ----a-w- c:\windows\system32\drivers\Scutum50.sys
2011-02-05 21:42 . 2011-02-05 21:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Ralink Driver
2011-02-05 15:20 . 2011-02-05 15:39 -------- d-----w- c:\documents and settings\Administrator.COMPUTER-C74F72.000
2011-01-31 00:55 . 2011-01-31 00:55 -------- d-----w- c:\program files\Pando Networks
2011-01-29 13:44 . 2011-01-29 13:44 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
Code:
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\AVG\AVG10\avgtray .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Digidesign\Drivers\MMERefresh .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Netdrive\Netdrive .exe
c:\program files\QuickTime\qttask                                                                                                                                .exe
c:\windows\system32\CTHELPER .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
WinCinema Manager.lnk - c:\program files\Sandisk\Common\Bin\WinCinemaMgr.exe [2009-12-8 303104]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2010-9-10 114688]
Microsoft Office.lnk - e:\toolz\Office10\OSA.EXE [2001-2-13 83360]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2009-11-4 11474272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2010-07-26 17:42 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=Digi32.dll
"MIDI1"=diomidi.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WhiteSmoke Writer 2010+.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WhiteSmoke Writer 2010+.lnk
backup=c:\windows\pss\WhiteSmoke Writer 2010+.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^G Man^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
path=c:\documents and settings\G Man\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
backup=c:\windows\pss\PMB Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-11-02 16:30 2508104 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-05-17 18:19 136176 ----atw- c:\documents and settings\G Man\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Meebo Notifier]
2010-07-14 18:23 818888 ----a-w- c:\documents and settings\G Man\Local Settings\Application Data\Meebo\Meebo Notifier\MeeboNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Netdrive]
c:\program files\Netdrive\Netdrive.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
c:\program files\Common Files\Java\Java Update\jusched.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ndsvc"=2 (0x2)
"idsvc"=3 (0x3)
"gupdate"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\G Man\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [11/12/2009 1:53 PM 16400]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [2/5/2011 4:43 PM 19072]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/23/2009 4:34 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/23/2009 4:34 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/23/2009 4:34 PM 566296]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [11/12/2009 1:53 PM 97808]
R3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [11/12/2009 1:53 PM 21648]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [11/12/2009 1:53 PM 21904]
S2 RaMediaServer;Ralink UPnP Media Server;c:\program files\RALINK\Common\RaMediaServer.exe [2/5/2011 4:43 PM 619872]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/23/2009 4:34 PM 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [11/12/2009 2:16 PM 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/23/2009 4:34 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/23/2009 4:35 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/23/2009 4:35 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/23/2009 4:34 PM 566296]
S3 ndfs;ndfs;c:\program files\Netdrive\ndfs.sys [11/12/2008 1:03 PM 70656]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/1/2010 8:01 PM 136176]
S4 ndsvc;NetDrive Service;c:\program files\Netdrive\ndsvc.exe [11/18/2008 2:33 PM 2543104]
.
Contents of the 'Scheduled Tasks' folder

2011-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2011-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-02 18:19]

2011-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-02 18:19]

2011-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1844823847-839522115-1003Core.job
- c:\documents and settings\G Man\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-17 18:19]

2011-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1844823847-839522115-1003UA.job
- c:\documents and settings\G Man\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-17 18:19]

2011-02-24 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-11-19 06:18]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &Download All using 4shared Desktop - c:\program files\4shared Desktop\down_all.htm
IE: E&xport to Microsoft Excel - e:\toolz\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-AVS Video Editor 4_is1 - e:\$avg\AVSVideoEditor\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-02-24 16:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(3760)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\Office10\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\jscript.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Citrix\GoToMyPC\g2svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\RALINK\Common\RaRegistry.exe
c:\windows\system32\sessmgr.exe
c:\windows\system32\locator.exe
.
**************************************************************************
.
Completion time: 2011-02-24 16:50:25 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-24 21:50

Pre-Run: 36,425,592,832 bytes free
Post-Run: 36,378,390,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 8B2D4445647CF25E669947B28519F40F

MiguelOhara

Newbie Surfer

Posts : 29
Joined : 2011-02-06
Operating System : XP Service Pack 2

Re: Only Starts in Safemode /Better virus removal (Free?)

Post by Belahzur on Fri 25 Feb 2011, 12:09 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quote box below into it:
    Code:

    RenV::
    c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
    c:\program files\AVG\AVG10\avgtray .exe
    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\Digidesign\Drivers\MMERefresh .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\Netdrive\Netdrive .exe
    c:\program files\QuickTime\qttask                                                                                                                                .exe
    c:\windows\system32\CTHELPER .exe
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.




Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre
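The RenV:: script Belahzur pastes above is assembled by hand from the paths that ComboFix listed with blank space wedged between the base name and ".exe" (the same list appears in the earlier log post). The script below is an added example, not part of this thread and not ComboFix's own code: it runs that same check programmatically over a constructed sample of log lines, flags every path whose extension is separated from its name by whitespace, works out the name the file would normally have, and prints a RenV:: block in the layout shown in the thread. The regular expression, the sample lines, the function names and the optional file argument are all my own; only the RenV:: directive name comes from the thread.

```python
import re
import sys
from typing import List, Tuple

# Constructed sample in the shape of the path list ComboFix printed in the thread:
# three entries with whitespace wedged between the base name and ".exe", plus two
# ordinary entries that must not be flagged.
SAMPLE_LOG = """\
c:\\program files\\Adobe\\Reader 9.0\\Reader\\Reader_sl .exe
c:\\program files\\AVG\\AVG10\\avgtray .exe
c:\\program files\\QuickTime\\qttask                      .exe
c:\\windows\\system32\\ctfmon.exe
c:\\program files\\iTunes\\iTunesHelper.exe
"""

# A Windows path whose extension is preceded by one or more blanks ("avgtray .exe").
# The directory part must end in a backslash; the base name may contain spaces of
# its own (e.g. "Reader 9.0"), so only the run of blanks right before ".ext" counts.
PADDED_NAME_RE = re.compile(
    r"^(?P<dir>.*\\)(?P<base>[^\\]*?)(?P<pad>[ \t]+)\.(?P<ext>exe|dll|sys|scr)$",
    re.IGNORECASE,
)


def find_padded_names(log_text: str) -> List[Tuple[str, str]]:
    """Return (as_listed, expected_name) pairs for each padded path in a log excerpt.

    as_listed keeps the padding exactly as the log shows it, because a rename
    directive has to address the file by its current (padded) name; expected_name
    is what the file is normally called.
    """
    hits: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PADDED_NAME_RE.match(line)
        if m is None:
            continue
        expected = f"{m['dir']}{m['base']}.{m['ext']}"
        hits.append((line, expected))
    return hits


def build_renv_script(log_text: str) -> str:
    """Emit a RenV:: block in the layout used in the thread: the directive on its
    own line, then one padded path per line. Returns "" when nothing is padded."""
    hits = find_padded_names(log_text)
    if not hits:
        return ""
    return "RenV::\n" + "\n".join(as_listed for as_listed, _ in hits) + "\n"


if __name__ == "__main__":
    # Usage: python padded_exe_check.py [ComboFix.txt]
    # With no argument the constructed sample above is scanned instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for as_listed, expected in find_padded_names(text):
        print(f"padded:   {as_listed}\nexpected: {expected}")
    print(build_renv_script(text), end="")
```

Run against a saved ComboFix.txt the output is a review list, not something to paste blindly: the helper in the thread still decides which entries belong in the script, and the three sample hits above show the padding can be a single space or a long run of them, which is why the pattern matches `[ \t]+` rather than one blank.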

Re: Only Starts in Safemode /Better virus removal (Free?)

Post by MiguelOhara on Fri 25 Feb 2011, 1:26 pm

Here it is:

ComboFix 11-02-24.01 - G Man 02/24/2011 21:15:34.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2756 [GMT -5:00]
Running from: c:\documents and settings\G Man\Desktop\commy.exe
Command switches used :: c:\documents and settings\G Man\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2011-01-25 to 2011-02-25 )))))))))))))))))))))))))))))))
.

2011-02-21 02:48 . 2011-02-21 03:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\jAaIbOf15405
2011-02-17 02:51 . 2011-02-02 18:48 2193408 ----a-r- C:\OTLPE.exe
2011-02-17 02:44 . 2011-02-17 02:44 -------- d-----w- C:\_OTL
2011-02-11 07:18 . 2011-02-11 07:18 -------- d-----w- c:\program files\Quick Web Player
2011-02-09 15:31 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2011-02-09 15:31 . 2001-08-18 03:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2011-02-09 15:31 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2011-02-09 15:31 . 2001-08-17 19:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2011-02-09 15:31 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2011-02-09 15:31 . 2008-04-14 00:09 6144 ----a-w- c:\windows\system32\kbd106.dll
2011-02-09 14:15 . 2011-02-09 14:15 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\PrivacIE
2011-02-09 14:15 . 2011-02-09 14:15 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IECompatCache
2011-02-09 13:58 . 2011-02-09 14:00 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2011-02-09 07:10 . 2011-02-09 07:10 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2011-02-08 20:00 . 2011-02-08 20:10 -------- d-----w- c:\windows\system32\scripting
2011-02-08 20:00 . 2011-02-08 20:10 -------- d-----w- c:\windows\system32\bits
2011-02-08 20:00 . 2011-02-08 20:07 -------- d-----w- c:\windows\system32\en
2011-02-08 20:00 . 2011-02-08 20:00 -------- d-----w- c:\windows\l2schemas
2011-02-05 21:43 . 2011-01-18 19:48 144736 ----a-w- c:\windows\system32\RalinkGina.dll
2011-02-05 21:43 . 2010-10-07 16:54 2168160 ----a-w- c:\windows\system32\Scutum.dll
2011-02-05 21:43 . 2010-07-01 22:29 1607008 ----a-w- c:\windows\system32\RaCertMgr.dll
2011-02-05 21:43 . 2010-07-01 22:09 185696 ----a-w- c:\windows\system32\W32N55.dll
2011-02-05 21:43 . 2010-06-29 15:34 480608 ----a-w- c:\windows\system32\DiagFunc.dll
2011-02-05 21:43 . 2009-11-13 18:42 34080 ----a-w- c:\windows\system32\CTAAEI.dll
2011-02-05 21:43 . 2009-04-21 20:31 19072 ----a-w- c:\windows\system32\drivers\Scutum50.sys
2011-02-05 21:42 . 2011-02-05 21:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Ralink Driver
2011-02-05 15:20 . 2011-02-05 15:39 -------- d-----w- c:\documents and settings\Administrator.COMPUTER-C74F72.000
2011-01-31 00:55 . 2011-01-31 00:55 -------- d-----w- c:\program files\Pando Networks
2011-01-29 13:44 . 2011-01-29 13:44 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
WinCinema Manager.lnk - c:\program files\Sandisk\Common\Bin\WinCinemaMgr.exe [2009-12-8 303104]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2010-9-10 114688]
Microsoft Office.lnk - e:\toolz\Office10\OSA.EXE [2001-2-13 83360]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2009-11-4 11474272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2010-07-26 17:42 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=Digi32.dll
"MIDI1"=diomidi.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WhiteSmoke Writer 2010+.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WhiteSmoke Writer 2010+.lnk
backup=c:\windows\pss\WhiteSmoke Writer 2010+.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^G Man^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
path=c:\documents and settings\G Man\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
backup=c:\windows\pss\PMB Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-11-02 16:30 2508104 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2009-06-23 19:48 19456 ----a-w- c:\windows\system32\CTHELPER.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-05-17 18:19 136176 ----atw- c:\documents and settings\G Man\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Meebo Notifier]
2010-07-14 18:23 818888 ----a-w- c:\documents and settings\G Man\Local Settings\Application Data\Meebo\Meebo Notifier\MeeboNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Netdrive]
2008-11-18 19:17 3089408 ----a-w- c:\program files\Netdrive\Netdrive.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ndsvc"=2 (0x2)
"idsvc"=3 (0x3)
"gupdate"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\G Man\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [11/12/2009 1:53 PM 16400]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [2/5/2011 4:43 PM 19072]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/23/2009 4:34 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/23/2009 4:34 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/23/2009 4:34 PM 566296]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [11/12/2009 1:53 PM 97808]
R3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [11/12/2009 1:53 PM 21648]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [11/12/2009 1:53 PM 21904]
S2 RaMediaServer;Ralink UPnP Media Server;c:\program files\RALINK\Common\RaMediaServer.exe [2/5/2011 4:43 PM 619872]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/23/2009 4:34 PM 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [11/12/2009 2:16 PM 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/23/2009 4:34 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/23/2009 4:35 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/23/2009 4:35 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/23/2009 4:34 PM 566296]
S3 ndfs;ndfs;c:\program files\Netdrive\ndfs.sys [11/12/2008 1:03 PM 70656]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/1/2010 8:01 PM 136176]
S4 ndsvc;NetDrive Service;c:\program files\Netdrive\ndsvc.exe [11/18/2008 2:33 PM 2543104]
.
Contents of the 'Scheduled Tasks' folder

2011-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2011-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-02 18:19]

2011-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-02 18:19]

2011-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1844823847-839522115-1003Core.job
- c:\documents and settings\G Man\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-17 18:19]

2011-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1844823847-839522115-1003UA.job
- c:\documents and settings\G Man\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-17 18:19]

2011-02-25 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-11-19 06:18]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &Download All using 4shared Desktop - c:\program files\4shared Desktop\down_all.htm
IE: E&xport to Microsoft Excel - e:\toolz\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-02-24 21:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(232)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-02-24 21:23:59
ComboFix-quarantined-files.txt 2011-02-25 02:23
ComboFix2.txt 2011-02-24 21:50

Pre-Run: 35,882,491,904 bytes free
Post-Run: 35,860,574,208 bytes free

- - End Of File - - 28F42B7433BFC7D40FECBD6847A63F3F

MiguelOhara

Newbie Surfer

Posts : 29
Joined : 2011-02-06
Operating System : XP Service Pack 2

Re: Only Starts in Safemode /Better virus removal (Free?)

Post by Belahzur on Sat 26 Feb 2011, 12:58 pm

Hello.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


Belahzur
Manager | Tech Officer
Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Only Starts in Safemode /Better virus removal (Free?)

Post by MiguelOhara on Sun 27 Feb 2011, 2:47 am

I haven't restarted or anything since the scan has completed. I'm awaiting your response before I do that or install antivirus (as I've had to uninstall a few times for these scans), but everything looks good so far. Here's the results:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=5f54543076430b44b448213d7086ae34
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-26 03:33:25
# local_time=2011-02-26 10:33:25 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777215 100 0 10784909 10784909 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=63897
# found=3
# cleaned=3
# scan_time=2431
C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Application Data\nDeOlMd06504\nDeOlMd06504.exe.vir a variant of Win32/Kryptik.LAA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\G Man\Application Data\E7CB79EAF9F92DDFA867DB130E201239\enemies-names.txt.vir Win32/Adware.AntimalwareDoctor.AE.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\G Man\Application Data\E7CB79EAF9F92DDFA867DB130E201239\local.ini.vir Win32/Adware.AntimalwareDoctor.AE.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

MiguelOhara
Newbie Surfer
Posts : 29
Joined : 2011-02-06
Operating System : XP Service Pack 2
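The ESET log above is easier to triage with a small parser than by eye: the `# key=value` header states how many objects were found and cleaned, and each detection line carries the path, the threat name, the action taken and a hash. A useful check for a helper reading such a log is whether the header counts agree with the detection lines, and whether any hit lies outside a quarantine folder. In this thread all three hits sit under C:\Qoobox\Quarantine, which is where ComboFix had already moved them, so they are leftover quarantine content rather than files still active on the system. The following Python script is an added example, not ESET's or the forum's own code; it assumes the real log separates fields with tabs (the forum rendering collapsed them to spaces) and uses a constructed sample modelled on the post's log.

```python
from dataclasses import dataclass

# Constructed sample modelled on the ESET log posted above. Field separators
# are assumed to be tabs; the forum rendering showed them as spaces.
SAMPLE_LOG = """\
# version=7
# end=finished
# remove_checked=true
# compatibility_mode=1024 16777215 100 0 10784909 10784909 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=63897
# found=3
# cleaned=3
# scan_time=2431
C:\\Qoobox\\Quarantine\\C\\Documents and Settings\\All Users.WINDOWS\\Application Data\\nDeOlMd06504\\nDeOlMd06504.exe.vir\ta variant of Win32/Kryptik.LAA trojan\tcleaned by deleting - quarantined\t00000000000000000000000000000000\tC
C:\\Qoobox\\Quarantine\\C\\Documents and Settings\\G Man\\Application Data\\E7CB79EAF9F92DDFA867DB130E201239\\enemies-names.txt.vir\tWin32/Adware.AntimalwareDoctor.AE.Gen application\tcleaned by deleting - quarantined\t00000000000000000000000000000000\tC
C:\\Qoobox\\Quarantine\\C\\Documents and Settings\\G Man\\Application Data\\E7CB79EAF9F92DDFA867DB130E201239\\local.ini.vir\tWin32/Adware.AntimalwareDoctor.AE.Gen application\tcleaned by deleting - quarantined\t00000000000000000000000000000000\tC
"""

# Quarantine folders used by the tools in this thread (ComboFix's Qoobox).
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    file_hash: str
    flag: str

    @property
    def already_quarantined(self) -> bool:
        # A hit inside a quarantine folder is a file an earlier tool already
        # removed from its original location, not an active infection.
        return self.path.lower().startswith(QUARANTINE_PREFIXES)


def parse_eset_log(text: str):
    """Split the log into a header dict and a list of Detection records.

    Header keys that repeat (compatibility_mode does) keep the last value.
    """
    header = {}
    detections = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        parts = line.split("\t")
        if len(parts) < 3:
            raise ValueError(f"unrecognised detection line: {line!r}")
        parts += [""] * (5 - len(parts))  # tolerate missing hash/flag fields
        detections.append(Detection(*parts[:5]))
    return header, detections


def summarize(header, detections):
    """Cross-check header counts against the detection lines and flag
    hits that are not already sitting in a quarantine folder."""
    found = int(header.get("found", "0"))
    cleaned = int(header.get("cleaned", "0"))
    cleaned_lines = sum(1 for d in detections if "cleaned" in d.action.lower())
    return {
        "finished": header.get("end") == "finished",
        "found_matches": found == len(detections),
        "cleaned_matches": cleaned == cleaned_lines,
        "live_hits": [d.path for d in detections if not d.already_quarantined],
        "threats": sorted({d.threat for d in detections}),
    }


if __name__ == "__main__":
    hdr, dets = parse_eset_log(SAMPLE_LOG)
    for key, value in summarize(hdr, dets).items():
        print(f"{key}: {value}")
```

An empty `live_hits` list together with matching counts is the situation in this thread: the scan finished, every detection was cleaned, and nothing was found outside ComboFix's quarantine. Any path in `live_hits` would be the one to ask the poster about before declaring the machine clean.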

Re: Only Starts in Safemode /Better virus removal (Free?)

Post by Belahzur on Sun 27 Feb 2011, 12:38 pm

Looks good, how is the machine running now?


Belahzur
Manager | Tech Officer
Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Only Starts in Safemode /Better virus removal (Free?)

Post by MiguelOhara on Tue 01 Mar 2011, 2:17 am

Everything looks good so far. I can't thank you enough, I wouldn't have come close to fixing this without your help. So should I stay with AVG? I know I'll have to pay soon, so should I just upgrade from the free ed at that time?

MiguelOhara
Newbie Surfer
Posts : 29
Joined : 2011-02-06
Operating System : XP Service Pack 2
