Windows Repair


Windows Repair

Post by GMan316 on Sat Apr 09, 2011 5:45 am

Hi, my uncle's comp seems to be infected with a program called "windows repair." I've tried to remove the program using the tutorial from bleepingcomputer ([You must be registered and logged in to see this link.]) but to no avail. I was able to run the rkill program to stop the "windows repair" program, but every time I tried to run Malwarebytes I got this error:

An error has occured. Please report this code to our support team.
PROGRAM_ERROR_MISSING_FILE (2, 0, mbamcore.dll)
The system cannot find the file specified

As well as

RUN TIME ERROR '53':
FILE NOT FOUND: MBAMCORE

ACCESS DENIED

The LOG I got from the rkill program is:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/08/2011 at 21:16:31.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Documents and Settings\Alan\Desktop\Rkill stuff\iExplore.exe
C:\WINDOWS\regedit.exe


Rkill completed on 04/08/2011 at 21:16:35.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/08/2011 at 21:28:54.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Documents and Settings\All Users\Application Data\JmpyxPEOWqPO.exe
C:\WINDOWS\system32\attrib.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
C:\WINDOWS\system32\grpconv.exe


Rkill completed on 04/08/2011 at 21:29:00.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/08/2011 at 21:37:55.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Documents and Settings\All Users\Application Data\JmpyxPEOWqPO.exe
C:\WINDOWS\system32\attrib.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
C:\WINDOWS\system32\grpconv.exe


Rkill completed on 04/08/2011 at 21:37:59.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/08/2011 at 21:42:48.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Documents and Settings\All Users\Application Data\JmpyxPEOWqPO.exe
C:\WINDOWS\system32\attrib.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
C:\WINDOWS\system32\grpconv.exe


Rkill completed on 04/08/2011 at 21:42:52.


I also tried to run ComboFix, but every time it finishes the screen is blank and the log isn't posted, which leads me to believe the program never finishes. It always gets to the "ComboFix is finishing and preparing log file" stage, yet when it closes I just get a black screen with no icons and just the mouse cursor. I can see that it's trying to delete and/or deleting the windows repair file, because I can see it do so in the process, but I'm afraid the program just doesn't quite finish. When I reboot the computer, the windows repair program is still intact.


Re: Windows Repair

Post by Crush on Sat Apr 09, 2011 9:56 pm

Hi,

ComboFix should not be run without the guidance of a helper!

It is a powerful tool and is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private or regular use.

See ComboFix's [You must be registered and logged in to see this link.]

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please refer to this thread for more information on why you shouldn't use ComboFix without supervision of a trained expert: [You must be registered and logged in to see this link.]
====

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.
  • Close all windows and double click OTL.exe.
  • Click Run Scan and let the program run uninterrupted.
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


Re: Windows Repair

Post by GMan316 on Sun Apr 10, 2011 9:22 pm

Here is the OTL log:

OTL logfile created on: 4/10/2011 2:16:27 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 415.00 Mb Available Physical Memory | 81.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 218.58 Gb Free Space | 93.86% Space Free | Partition Type: NTFS
Drive J: | 14.91 Gb Total Space | 13.13 Gb Free Space | 88.07% Space Free | Partition Type: NTFS

Computer Name: HP_DOWNSTAIRS | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/10 14:14:19 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2008/04/13 21:42:20 | 001,033,728 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/04/10 14:14:19 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2010/08/23 09:12:02 | 001,054,208 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (SCardSvr)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/03/19 08:10:07 | 000,269,480 | -H-- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/11/04 06:14:16 | 000,135,336 | -H-- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/01/15 05:49:20 | 000,227,232 | -H-- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)


========== Driver Services (SafeList) ==========

DRV - [2011/03/19 08:10:09 | 000,137,656 | -H-- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/12/20 18:09:00 | 000,038,224 | -H-- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/11/23 15:59:09 | 000,061,960 | -H-- | M] (Avira GmbH) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 12:49:19 | 000,011,608 | -H-- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 10:12:49 | 000,028,520 | -H-- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/04/13 15:05:40 | 000,020,992 | -H-- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/11/24 22:19:00 | 000,872,960 | -H-- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/07/06 16:59:44 | 002,185,408 | -H-- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2004/06/29 10:07:18 | 001,268,204 | -H-- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\1.bin
FF - HKLM\software\mozilla\Firefox\extensions\\offerboxffx@offerbox.com: C:\Program Files\OfferBox\offerboxffx@offerbox.com
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/25 19:25:58 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/25 19:25:58 | 000,000,000 | -H-D | M]

[2011/03/27 16:46:50 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/02/25 17:04:38 | 000,000,000 | -H-D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/07/12 09:33:56 | 000,012,800 | -H-- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll
[2011/03/11 17:53:34 | 000,001,919 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing-zugo.xml

O1 HOSTS File: ([2011/04/08 22:12:42 | 000,000,027 | -H-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\piudd.exe (OptSystems)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/08/17 00:51:29 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/10 14:16:04 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/04/08 22:12:41 | 000,000,000 | -H-D | C] -- C:\WINDOWS\temp
[2011/04/08 22:10:17 | 000,000,000 | -H-D | C] -- C:\ComboFix
[2011/04/08 22:08:49 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Desktop\anti spyware stuff
[2011/04/08 22:02:36 | 007,734,240 | -H-- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2011/04/08 22:02:36 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Desktop\Rkill stuff
[2011/04/08 21:43:41 | 000,020,952 | -H-- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/03/27 17:52:40 | 000,546,816 | -H-- | C] (TFTC) -- C:\Documents and Settings\All Users\Application Data\JmpyxPEOWqPO.exe
[2011/03/22 22:39:20 | 000,212,480 | -H-- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/03/22 22:39:20 | 000,161,792 | -H-- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/03/22 22:39:20 | 000,136,704 | -H-- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/03/22 22:39:20 | 000,031,232 | -H-- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/20 14:47:04 | 000,000,000 | -H-D | C] -- C:\spoolerlogs
[2011/03/12 02:29:03 | 000,000,000 | -H-D | C] -- C:\2858b8489f10d4c43e
[2011/03/11 18:41:59 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
[2011/03/11 18:41:37 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Cookies
[2011/03/11 17:57:27 | 000,000,000 | RHSD | C] -- C:\cmdcons
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/10 14:14:19 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/04/10 14:12:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/08 22:12:42 | 000,000,027 | -H-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/04/08 21:57:57 | 000,467,968 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\18407220.exe
[2011/04/08 21:03:11 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/08 20:21:57 | 007,734,240 | -H-- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2011/04/03 00:27:04 | 000,000,336 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\18407220
[2011/04/03 00:01:42 | 004,312,600 | RH-- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2011/03/27 17:55:07 | 000,000,136 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~21618484r
[2011/03/27 17:55:07 | 000,000,096 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~21618484
[2011/03/27 17:54:49 | 000,000,336 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\21618484
[2011/03/27 17:52:38 | 000,546,816 | -H-- | M] (TFTC) -- C:\Documents and Settings\All Users\Application Data\JmpyxPEOWqPO.exe
[2011/03/25 15:52:48 | 000,002,265 | -H-- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/03/22 22:38:00 | 000,000,437 | RHS- | M] () -- C:\boot.ini
[2011/03/22 22:33:57 | 000,009,608 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\riw8d1h877d2h634h6t1cs3o1648508sq73ldg5h36y1yi8
[2011/03/19 08:11:49 | 000,012,200 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3050008006
[2011/03/19 08:10:09 | 000,137,656 | -H-- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2011/03/14 15:19:49 | 000,311,604 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/14 15:19:49 | 000,039,992 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/12 14:07:22 | 000,001,374 | -H-- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/11 17:44:04 | 000,000,321 | -H-- | M] () -- C:\Boot.bak
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/08 22:08:49 | 004,312,600 | RH-- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2011/04/08 21:57:57 | 000,467,968 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\18407220.exe
[2011/04/03 00:27:04 | 000,000,336 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\18407220
[2011/03/27 17:55:07 | 000,000,136 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~21618484r
[2011/03/27 17:55:06 | 000,000,096 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~21618484
[2011/03/27 17:54:49 | 000,000,336 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\21618484
[2011/03/22 22:39:20 | 000,256,512 | -H-- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/22 22:39:20 | 000,098,816 | -H-- | C] () -- C:\WINDOWS\sed.exe
[2011/03/22 22:39:20 | 000,089,088 | -H-- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/22 22:39:20 | 000,080,412 | -H-- | C] () -- C:\WINDOWS\grep.exe
[2011/03/22 22:39:20 | 000,068,096 | -H-- | C] () -- C:\WINDOWS\zip.exe
[2011/03/19 13:17:50 | 000,009,608 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\riw8d1h877d2h634h6t1cs3o1648508sq73ldg5h36y1yi8
[2011/03/19 08:11:49 | 000,012,200 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\3050008006
[2011/03/11 17:57:33 | 000,000,321 | -H-- | C] () -- C:\Boot.bak
[2011/03/11 17:57:30 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/03/10 02:46:15 | 000,001,084 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\2683899908
[2011/03/10 02:46:15 | 000,001,084 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2683899908
[2011/03/08 16:43:38 | 000,012,262 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\3050008006
[2011/03/08 16:43:38 | 000,012,200 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3050008006
[2011/03/06 22:40:07 | 000,040,960 | -H-- | C] () -- C:\WINDOWS\System32\brsztuz2.default.dat
[2011/03/06 01:28:15 | 000,011,036 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\1380560618
[2011/03/06 01:28:15 | 000,011,036 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1380560618
[2011/02/25 17:05:58 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/02/19 15:24:48 | 000,011,168 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\84yq2p62bw5271eo5x505745y7565180202o5sil
[2011/02/18 17:19:32 | 000,000,173 | -H-- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/01/19 19:12:00 | 000,000,120 | -H-- | C] () -- C:\WINDOWS\Rqabe.dat
[2011/01/19 19:12:00 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\Amexefozujecazu.bin
[2010/08/17 16:52:56 | 000,103,535 | -H-- | C] () -- C:\WINDOWS\hpoins04.dat
[2010/08/17 16:52:56 | 000,017,176 | -H-- | C] () -- C:\WINDOWS\hpomdl04.dat
[2010/08/17 08:40:28 | 000,004,161 | -H-- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/08/17 08:39:18 | 000,110,192 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/17 01:29:33 | 000,000,376 | -H-- | C] () -- C:\WINDOWS\ODBC.INI
[2010/08/17 01:15:54 | 000,516,096 | -H-- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2010/08/17 01:03:14 | 000,156,160 | -H-- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2010/08/17 01:00:21 | 000,001,324 | -H-- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/17 00:57:55 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\nsreg.dat
[2010/08/17 00:53:38 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/08/17 00:48:41 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/04/13 21:55:28 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2006/12/30 23:57:08 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
[2001/08/23 04:00:00 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 04:00:00 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 04:00:00 | 000,311,604 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 04:00:00 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 04:00:00 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 04:00:00 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 04:00:00 | 000,039,992 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 04:00:00 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 04:00:00 | 000,004,463 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 04:00:00 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >



Re: Windows Repair

Post by GMan316 on Sun Apr 10, 2011 9:22 pm

Here is the extras log:

OTL Extras logfile created on: 4/10/2011 2:16:27 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 415.00 Mb Available Physical Memory | 81.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 218.58 Gb Free Space | 93.86% Space Free | Partition Type: NTFS
Drive J: | 14.91 Gb Total Space | 13.13 Gb Free Space | 88.07% Space Free | Partition Type: NTFS

Computer Name: HP_DOWNSTAIRS | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.2
"{A29549FD-65F3-440C-A552-6B8114CF319D}" = Skype Toolbars
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem
"ATI Display Driver" = ATI Display Driver
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"HP Photo & Imaging" = HP Image Zone 4.2
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Security Scan" = McAfee Security Scan Plus
"Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
"MSNINST" = MSN
"Savings Bond Wizard" = Savings Bond Wizard
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format Runtime

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/11/2011 2:28:50 PM | Computer Name = HP_DOWNSTAIRS | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:

with error: The connection with the server was terminated abnormally

Error - 3/11/2011 2:28:50 PM | Computer Name = HP_DOWNSTAIRS | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:

with error: This network connection does not exist.

Error - 3/11/2011 2:41:05 PM | Computer Name = HP_DOWNSTAIRS | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:

with error: The connection with the server was terminated abnormally

Error - 3/11/2011 2:41:05 PM | Computer Name = HP_DOWNSTAIRS | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:

with error: This network connection does not exist.

Error - 3/11/2011 2:42:33 PM | Computer Name = HP_DOWNSTAIRS | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:

with error: The connection with the server was terminated abnormally

Error - 3/11/2011 2:42:33 PM | Computer Name = HP_DOWNSTAIRS | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:

with error: This network connection does not exist.

Error - 3/11/2011 9:03:53 PM | Computer Name = HP_DOWNSTAIRS | Source = Winlogon | ID = 1015
Description = A critical system process, C:\WINDOWS\system32\lsass.exe, failed with
status code c0000005. The machine must now be restarted.

Error - 3/23/2011 1:34:07 AM | Computer Name = HP_DOWNSTAIRS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 0.0.0.0, faulting module
iexplore.exe, version 0.0.0.0, fault address 0x0008d560.

Error - 3/26/2011 3:58:40 AM | Computer Name = HP_DOWNSTAIRS | Source = Winlogon | ID = 1015
Description = A critical system process, C:\WINDOWS\system32\lsass.exe, failed with
status code c0000005. The machine must now be restarted.

Error - 3/28/2011 3:13:18 PM | Computer Name = HP_DOWNSTAIRS | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 4/3/2011 3:33:42 AM | Computer Name = HP_DOWNSTAIRS | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%5

Error - 4/3/2011 3:33:42 AM | Computer Name = HP_DOWNSTAIRS | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip

Error - 4/3/2011 3:33:42 AM | Computer Name = HP_DOWNSTAIRS | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%5

Error - 4/3/2011 3:44:46 AM | Computer Name = HP_DOWNSTAIRS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/3/2011 3:45:40 AM | Computer Name = HP_DOWNSTAIRS | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 4/3/2011 3:45:40 AM | Computer Name = HP_DOWNSTAIRS | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%5

Error - 4/7/2011 9:45:24 PM | Computer Name = HP_DOWNSTAIRS | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 4/7/2011 9:45:28 PM | Computer Name = HP_DOWNSTAIRS | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%5

Error - 4/9/2011 12:03:25 AM | Computer Name = HP_DOWNSTAIRS | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 4/9/2011 12:03:25 AM | Computer Name = HP_DOWNSTAIRS | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%5


< End of report >


Re: Windows Repair

Post by Crush on Sun Apr 10, 2011 9:53 pm

Have you tried reinstalling Malwarebytes Anti-Malware? That usually does the trick for this error


Re: Windows Repair

Post by GMan316 on Sun Apr 10, 2011 10:02 pm

Crush wrote: Have you tried reinstalling Malwarebytes Anti-Malware? That usually does the trick for this error

Yes, when I try to reinstall malwarebytes I get the same error. The machine already has malwarebytes on it because I've used it in the past.

When I try to remove malware bytes in the add/remove program I get this error:

Internal Error: Cannot find utCompiledCode record for this version of the uninstaller

When I try to just install using the installer again, I get the same error I get from my first post.

I can't run any programs, when I go to start menu > programs, it shows up as empty. When I try to click on the installer again it says the system needs to be restarted for malwarebytes to finish installing.


Re: Windows Repair

Post by Crush on Sun Apr 10, 2011 10:53 pm

Hi,

Try uninstalling via Revo Uninstaller like so:

Please download Revo Uninstall from here: [You must be registered and logged in to see this link.]

  1. Download and run the setup file for Revo Uninstaller.
  2. Once setup, run Revo Uninstaller.
  3. Select the following item for removal by clicking on it once.

    Malwarebytes Anti Malware

  4. Then hit the "Uninstall" button at the top.
  5. Close Revo Uninstaller.

===========

This tool will unhide everything that has been hidden


  • Please download and run [You must be registered and logged in to see this link.] by Grinler.
  • Once finished let me know if anything has changed


Re: Windows Repair

Post by GMan316 on Mon Apr 11, 2011 1:05 am

Should I reinstall Malwarebytes now?


Re: Windows Repair

Post by GMan316 on Mon Apr 11, 2011 1:11 am

Should I reinstall Malwarebytes now?


Re: Windows Repair

Post by Crush on Mon Apr 11, 2011 3:53 am

Yes please


Re: Windows Repair

Post by GMan316 on Mon Apr 11, 2011 4:04 am

Crush wrote: Yes please

I was able to install malware bytes, ran quick scan and rebooted. I forgot to copy and paste the log though. Where would the actual log be located in?


Re: Windows Repair

Post by GMan316 on Mon Apr 11, 2011 4:16 am

Upon restart the "windows repair" program appears to be gone. The initial scan found 3 threats that I removed. I updated malwarebytes and ran the scan again and this time it found 9 threats and I removed those as well.

The 2nd scan appears to have done it. Is there anything else that I need to do? And what kind of programs should I get to prevent this kind of thing from happening again.

Thanks.


Re: Windows Repair

Post by Crush on Mon Apr 11, 2011 7:08 pm

Hi,

The log can be found when opening Malwarebytes. Just click over to the Logs tab and it will be sorted by date. I will need that log for review


Re: Windows Repair

Post by GMan316 on Tue Apr 12, 2011 2:32 am

Here is the log file:

Malwarebytes' Anti-Malware 1.50.1.1100
[You must be registered and logged in to see this link.]

Database version: 6329

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/10/2011 9:13:07 PM
mbam-log-2011-04-10 (21-13-07).txt

Scan type: Quick scan
Objects scanned: 146034
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\whitesmoketoolbar (PUP.Whitesmoke) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\whitesmoketoolbar (PUP.Whitesmoke) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JmpyxPEOWqPO (Trojan.Downloader) -> Value: JmpyxPEOWqPO -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\jmpyxpeowqpo.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\18407220.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\null0.7575565405845076.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\start menu\Programs\Startup\piudd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\default user\start menu\Programs\Startup\piudd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


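As an added example (not from the thread and not Malwarebytes' own code), here is a small Python parser for the log layout above: it pulls each detection out of its "... Infected:" section and flags the ones that live in autostart locations (the CurrentVersion\Run key and the Startup folders), which are the entries worth re-checking when a rogue comes back after a reboot, as it does later in this thread. The sample log is a constructed excerpt in the same format; the autostart markers are the two locations seen in this log, not a complete list.

```python
import re

# Constructed excerpt in the layout of the Malwarebytes' Anti-Malware 1.50 log posted
# above (same line formats, trimmed to four detections and one empty section).
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\whitesmoketoolbar (PUP.Whitesmoke) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JmpyxPEOWqPO (Trojan.Downloader) -> Value: JmpyxPEOWqPO -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\jmpyxpeowqpo.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\start menu\Programs\Startup\piudd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected:" opens a section; the summary lines ("... Infected: 0") do not match.
SECTION_RE = re.compile(r"^(?P<section>.+) Infected:$")
# item, then the "(Family.Name)" tag, then one or more " -> " segments; the last one is the action
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

# Locations Windows launches at logon; a hit here is why a rogue can survive a reboot.
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\start menu\\programs\\startup\\")


def is_autostart(item: str) -> bool:
    """True if the registry value or file path sits in one of the autostart locations."""
    lowered = item.lower()
    return any(marker in lowered for marker in AUTOSTART_MARKERS)


def parse_mbam_log(text: str) -> list[dict]:
    """Return one dict per detection line, tagged with its section and autostart status."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)
        if head:
            section = head.group("section")
            continue
        hit = ITEM_RE.match(line)
        if not hit or section is None:
            continue  # blank lines and "(No malicious items detected)"
        findings.append({"section": section, "item": hit.group("item"),
                         "family": hit.group("family"), "autostart": is_autostart(hit.group("item")),
                         "action": hit.group("rest").split(" -> ")[-1]})
    return findings


if __name__ == "__main__":
    for f in parse_mbam_log(SAMPLE_LOG):
        print(("AUTOSTART " if f["autostart"] else "          ") + f["family"], f["item"])
```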

Re: Windows Repair

Post by GMan316 on Tue Apr 12, 2011 2:34 am

When I left the computer last night, it seemed fine. I even went on firefox and printed some stuff out. However when I came back this morning the "windows repair" was back again. My aunt said she just left the computer on and tried to use firefox and it came back.


Re: Windows Repair

Post by Crush on Tue Apr 12, 2011 3:11 am

Can you try running ComboFix again please?


Re: Windows Repair

Post by GMan316 on Tue Apr 12, 2011 3:26 am

Crush wrote: Can you try running ComboFix again please?

In safe mode?


Re: Windows Repair

Post by Crush on Tue Apr 12, 2011 6:51 am

Normal mode if you can :)


Re: Windows Repair

Post by GMan316 on Mon Apr 18, 2011 6:27 am

Crush wrote: Normal mode if you can :)

Sorry for the late reply, I don't have access to this particular machine (my aunt's) on a consistent basis.

I ran it in normal mode and it seemed to have finished. However I didn't get a log file. It got to the screen that said, "Almost done... This window will close in a short while. Please wait a few seconds for the report log to pop up"

That screen closed but no report popped up. It was just a black screen with the mouse cursor. I gave it like 3 mins and then rebooted. When I rebooted the program appeared to have been removed. I was able to run firefox, but the icons were still hidden. So I used the unhide tool that you mentioned earlier and got the icons back.

Do you want me to run combofix again to produce a log file? Is there anything else I should run to make sure it's gone? And what programs should I get to prevent infections such as these? I dl'ed avira anti virus for them, but that's pretty much it.
