setup.exe has stopped working


Post by declan on 28th March 2009, 3:48 pm

There are a number of problems that are affecting my computer's performance. Firstly, I bought a game today to run on my computer, but when I go to install it, it comes up with "setup.exe not working". Second, something keeps hijacking my web browser; it's called Yogo, but every time I delete it, it just keeps coming back, and the performance is very poor on my computer. Any help will be much appreciated.



Post by Belahzur on 28th March 2009, 3:52 pm

Hello.
It's Yoog; it's commonly known to us malware fighters.

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


@RealBelahzur - [Prework] - Please PM me if I fail to respond within 24hrs.



Post by declan on 28th March 2009, 3:59 pm

C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Portrait Displays\HP My Display\dthtml.exe
C:\Windows\system32\schtasks.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\jusched.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\PremierOpinion\pmropn.exe
C:\Windows\system32\wbem\unsecapp.exe
c:\PROGRA~1\CYBERL~1\SHARED~1\RICHVI~1.EXE
C:\hp\kbd\kbd.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 USB Modem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aol\aol toolbar 5.0\AolTbServer.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [HUAWEI 3G Data Card MTS] C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 USB Modem.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-4069843678-2951840599-648089840-1001\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'aaron')
O4 - HKUS\S-1-5-21-4069843678-2951840599-648089840-1001\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'aaron')
O4 - HKUS\S-1-5-21-4069843678-2951840599-648089840-1001\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'aaron')
O4 - HKUS\S-1-5-21-4069843678-2951840599-648089840-1001\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (User 'aaron')
O4 - HKUS\S-1-5-21-4069843678-2951840599-648089840-1001\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020 (User 'aaron')
O4 - HKUS\S-1-5-21-4069843678-2951840599-648089840-1001\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup (User 'aaron')
O4 - HKUS\S-1-5-21-4069843678-2951840599-648089840-1001\..\Run: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe (User 'aaron')
O4 - HKUS\S-1-5-21-4069843678-2951840599-648089840-1001\..\Run: [ygqawqg] "c:\users\dekoh\appdata\local\ygqawqg.exe" ygqawqg (User 'aaron')
O4 - HKUS\S-1-5-21-4069843678-2951840599-648089840-1001\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe (User 'aaron')
O4 - HKUS\S-1-5-21-4069843678-2951840599-648089840-1002\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'MELZIE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - S-1-5-21-4069843678-2951840599-648089840-1001 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'aaron')
O4 - S-1-5-21-4069843678-2951840599-648089840-1001 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'aaron')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17AE8493-15BD-4C66-BEA9-9843D9383700}: NameServer = 4.2.2.4 4.2.2.3
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: MrHealthy (MrHealthyService) - Symantec Corporation - C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PremierOpinion - PremierOpinion - C:\Program Files\PremierOpinion\pmservice.exe

--
End of file - 13604 bytes

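The log above is what Belahzur asked for: HijackThis lists every autorun (O4), browser helper (O2/O3) and service (O23) it finds, and the helper then picks out the odd entries by eye. The following script is an added example written for this thread, not part of the post and not code from HijackThis: it parses the O4 lines and scores each one with three coarse heuristics a helper applies mentally (binary in a user-writable directory, machine-generated-looking entry name, name on a watchlist). The watchlist, the weights and the 0.25 vowel-ratio threshold are assumptions chosen for illustration; the sample lines are copied from the log above.

```python
"""Triage the O4 (autorun) entries of a HijackThis log.

Added example for this thread; not part of the forum post and not code from
HijackThis. It parses the
    O4 - <hive>: [<name>] <command> (User '<user>')
line format and scores each autorun with three coarse heuristics a
malware-removal helper applies by eye. The score is a triage aid, not a
verdict: a legitimate vendor tool with a terse name will score low but
non-zero, which is exactly the "look, then decide" behaviour wanted here.
"""
import re

# Constructed sample: O4 lines copied from the HijackThis log in this thread,
# plus one O23 line to show that non-O4 lines are ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-21-4069843678-2951840599-648089840-1001\..\Run: [ygqawqg] "c:\users\dekoh\appdata\local\ygqawqg.exe" ygqawqg (User 'aaron')
O4 - HKUS\S-1-5-21-4069843678-2951840599-648089840-1001\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe (User 'aaron')
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# First token ending in .exe, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)\b', re.IGNORECASE)

# Directories an ordinary user can write to; a dropped file needs no
# elevation to land there. (Assumed list, illustrative only.)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\")
# Assumed, illustrative watchlist of program names treated as unwanted.
WATCHLIST = ("mywebsearch",)


def parse_o4_lines(log_text):
    """Return one dict per O4 line: hive, name, cmd, exe, user (None if absent)."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        exe = EXE_RE.match(e["cmd"])
        e["exe"] = exe.group("exe") if exe else e["cmd"]
        entries.append(e)
    return entries


def looks_machine_generated(name):
    """Letter-only names of six or more characters with few vowels."""
    n = name.lower()
    if not re.fullmatch(r"[a-z]{6,}", n):
        return False
    return sum(ch in "aeiou" for ch in n) / len(n) < 0.25  # assumed threshold


def score_entry(entry):
    """Attach a score and the reasons behind it; higher means look closer."""
    exe, name = entry["exe"].lower(), entry["name"].lower()
    reasons = []
    if any(d in exe for d in USER_WRITABLE):
        reasons.append(("binary in user-writable directory", 2))
    if any(w in exe or w in name for w in WATCHLIST):
        reasons.append(("name on watchlist", 2))
    if looks_machine_generated(entry["name"]):
        reasons.append(("machine-generated-looking name", 1))
    entry["score"] = sum(weight for _, weight in reasons)
    entry["reasons"] = [reason for reason, _ in reasons]
    return entry


def triage(log_text):
    """Parse and score every autorun, most suspicious first (stable sort)."""
    scored = [score_entry(e) for e in parse_o4_lines(log_text)]
    return sorted(scored, key=lambda e: e["score"], reverse=True)


def suspicious(log_text, threshold=2):
    """Names of autoruns whose score reaches the threshold."""
    return [e["name"] for e in triage(log_text) if e["score"] >= threshold]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        if e["score"]:
            print(f"{e['score']}  [{e['name']}] {e['exe']}  <- {', '.join(e['reasons'])}")
```

On the sample, the randomly named binary under the user's AppData\Local scores 3 and the MyWebSearch toolbar plugin scores 2, while hpsysdrv (an HP utility with a vowel-free name) scores 1 and is listed for review rather than flagged; the remaining entries score 0. Threshold and weights are deliberately simple so the reasons stay readable next to the log.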

Post by declan on 28th March 2009, 4:01 pm

Thanks for your expertise :) Also, what's really bugging me is I bought a game today, Crysis Warhead, but when I go to install it, it just comes up with "setup.exe has stopped working". Any help on this matter also???


Post by Belahzur on 28th March 2009, 4:04 pm

Hello. Could be your graphics card can't handle the game (I can play Call of Duty single player on mine, but not multiplayer).
Could be the game isn't ready for Vista. We'll see about that once the malware is gone.


  • Download combofix from here
    Link 1
    Link 2
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (Symantec)
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • NOTE: Tell Combofix NOT to download the recovery console (if prompted...).
  • Accept the End-User License Agreement.
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Post by declan on 28th March 2009, 4:16 pm

Tried to download, but it comes up with "You cannot rename combo fix as combo fix 1, please use another name, preferably made up of alphanumeric characters"?


Post by Belahzur on 28th March 2009, 4:20 pm

Hello. Malware is blocking it.

1. If you are using Firefox, make sure that your download settings are as follows:

   * Tools->Options->Main tab
   * Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.



Post by declan on 28th March 2009, 4:52 pm

ComboFix 09-03-27.02 - dekoh 2009-03-28 16:42:32.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1918.883 [GMT 0:00]
Running from: c:\users\dekoh\Pictures\2000-01 (Jan)\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\components\8e88d16c-9ca3-ade3-d6d7-a977b7733099.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-28 15:55 . 2009-03-28 15:55 d-------- c:\program files\Trend Micro
2009-03-28 11:22 . 2009-03-28 11:22 d-------- c:\program files\Microsoft Windows OneCare Live
2009-03-27 18:00 . 2009-03-27 18:00 d-------- c:\program files\Electronic Arts
2009-03-27 09:40 . 2009-03-27 09:40 d-------- c:\program files\Common Files\Windows Live
2009-03-26 15:28 . 2007-08-08 12:07 101,504 --a------ c:\windows\System32\drivers\ewusbmdm.sys
2009-03-26 15:28 . 2007-08-08 12:06 23,424 --a------ c:\windows\System32\drivers\ewdcsc.sys
2009-03-26 15:26 . 2009-03-26 15:26 d-------- c:\program files\Huawei technologies
2009-03-18 18:26 . 2008-12-16 03:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-18 18:26 . 2009-02-09 03:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-18 18:26 . 2008-11-27 04:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-18 18:26 . 2008-12-16 05:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-18 18:26 . 2008-12-16 05:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-18 18:26 . 2008-12-16 05:31 4,096 --a------ c:\windows\System32\dxmasf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 15:23 --------- d-----w c:\program files\REALTEK USB Wireless LAN Driver and Utility
2009-03-28 14:52 --------- d-----w c:\programdata\Google Updater
2009-03-28 14:15 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 11:14 --------- d-----w c:\programdata\Electronic Arts
2009-03-28 11:02 --------- d-----w c:\program files\PremierOpinion
2009-03-28 11:00 --------- d-----w c:\program files\Common Files\PX Storage Engine
2009-03-26 12:27 --------- d-----w c:\program files\Windows Mail
2009-02-27 03:00 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 17:13 --------- d-----w c:\program files\Google
2009-02-21 19:47 --------- d-----w c:\program files\Microsoft Games
2009-02-21 19:37 --------- d-----w c:\users\dekoh\AppData\Roaming\Microsoft Games
2009-02-21 19:37 --------- d-----w c:\programdata\Microsoft Games
2009-02-09 18:57 --------- d-----w c:\program files\Unity
2009-02-09 18:17 --------- d-----w c:\program files\Navilog1
2009-02-09 17:16 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-09 17:11 --------- d-----w c:\users\dekoh\AppData\Roaming\Malwarebytes
2009-02-09 17:11 --------- d-----w c:\programdata\Malwarebytes
2009-02-09 12:54 --------- d-----w c:\program files\Norton Security Scan
2009-02-08 21:03 --------- d-----w c:\programdata\Symantec
2009-02-07 11:23 --------- d-----w c:\program files\Norton PC Checkup
2009-02-06 17:56 --------- d-----w c:\program files\DivX
2009-02-06 17:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-06 17:29 --------- d-----w c:\programdata\NortonInstaller
2009-02-06 17:29 --------- d-----w c:\program files\NortonInstaller
2009-02-05 20:13 --------- d-----w c:\users\dekoh\AppData\Roaming\LimeWire
2009-02-05 20:06 85,664 ----a-w c:\windows\System32\eb54bdf7-09d3-6dd9-94cb-554adeb46fbb.exe
2009-02-05 20:06 48,278 ----a-w c:\windows\System32\yzkkvgqpspfo.exe
2009-02-05 14:53 --------- d-----w c:\users\dekoh\AppData\Roaming\Apple Computer
2009-02-04 14:09 695,808 ----a-w c:\windows\System32\nsc670F.dll
2009-02-03 20:50 --------- d---a-w c:\programdata\TEMP
2009-02-03 20:49 --------- d-----w c:\program files\Windows Live Safety Center
2009-01-28 18:59 --------- d-----w c:\users\dekoh\AppData\Roaming\Unity
2009-01-28 11:56 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-28 11:56 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-28 11:56 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-28 11:56 --------- d-----w c:\program files\Symantec
2009-01-15 10:05 911,872 ----a-w c:\windows\System32\wininet.dll
2009-01-15 10:05 43,008 ----a-w c:\windows\System32\licmgr10.dll
2009-01-15 10:04 18,944 ----a-w c:\windows\System32\corpol.dll
2009-01-15 10:04 132,096 ----a-w c:\windows\System32\ieUnatt.exe
2009-01-15 10:04 109,568 ----a-w c:\windows\System32\PDMSetup.exe
2009-01-15 10:04 109,056 ----a-w c:\windows\System32\iesysprep.dll
2009-01-15 10:04 107,520 ----a-w c:\windows\System32\RegisterIEPKEYs.exe
2009-01-15 10:04 107,008 ----a-w c:\windows\System32\SetIEInstalledDate.exe
2009-01-15 10:04 103,936 ----a-w c:\windows\System32\SetDepNx.exe
2009-01-15 10:03 72,704 ----a-w c:\windows\System32\admparse.dll
2009-01-15 10:03 71,680 ----a-w c:\windows\System32\iesetup.dll
2009-01-15 10:03 66,560 ----a-w c:\windows\System32\wextract.exe
2009-01-15 10:03 420,352 ----a-w c:\windows\System32\vbscript.dll
2009-01-15 10:02 169,472 ----a-w c:\windows\System32\iexpress.exe
2009-01-15 10:01 34,304 ----a-w c:\windows\System32\imgutil.dll
2009-01-15 10:00 48,128 ----a-w c:\windows\System32\mshtmler.dll
2009-01-15 10:00 45,568 ----a-w c:\windows\System32\mshta.exe
2009-01-15 09:50 156,160 ----a-w c:\windows\System32\msls31.dll
2009-01-06 11:29 965,664 ----a-w c:\windows\System32\RtkPgExt.dll
2009-01-06 11:29 44,064 ----a-w c:\windows\System32\RtkCoInst.dll
2009-01-06 11:29 322,080 ----a-w c:\windows\System32\RtkApoApi.dll
2009-01-06 11:29 2,510,368 ----a-w c:\windows\System32\RtkAPO.dll
2009-01-06 11:29 109,088 ----a-w c:\windows\RTKAUDIOSERVICE.EXE
2008-08-11 16:21 1,523,200 ----a-w c:\users\dekoh\siw.exe
2008-07-23 20:31 174 --sha-w c:\program files\desktop.ini
2008-03-17 22:14 0 ----a-w c:\users\dekoh\AppData\Roaming\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.


Post by declan on 28th March 2009, 4:52 pm

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-04 1783136]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [BU]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-10-18 2503976]
"Uniblue RegistryBooster 2"="c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe" [BU]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"HUAWEI 3G Data Card MTS"="c:\program files\Huawei technologies\Huawei UMTS Data Card\3 USB Modem.exe" [2008-01-27 344064]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-18 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [BU]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [BU]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 c:\windows\RtHDVCpl.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{814EB14C-7903-4031-B896-1B9C57A07854}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{A90BDDDC-5761-43EE-9216-2A93980C4CFA}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{2E40B13D-98D9-4F9A-B38E-D97160066FF8}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{E114D4C5-D823-44C1-BDA6-22CA059456FF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{A22E4FAB-A647-455A-B80D-96A2CCD65DFE}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{E2DBD4FF-7901-4E81-A00C-8B61EA96B369}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"{02BFC969-ABB3-4427-BB25-2DED38EFC458}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{D163E1B4-7846-4F0C-AEDC-F0FFA9EE4BBA}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{02859E92-5035-4492-A244-8905F08B3103}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{71B94E50-65DC-457B-BFBC-285FE92CCCDF}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{9EDCB9F5-9B0C-4D3B-8E5F-247532E4400D}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{FAE29DD8-0E5E-43AB-A71D-0FABACC6CBF5}"= UDP:c:\program files\National Guard\Guard Shield\PRISM.exe:Guard Shield
"{A78FDA16-6E52-4194-9E36-E55B88C2BA2F}"= TCP:c:\program files\National Guard\Guard Shield\PRISM.exe:Guard Shield
"{366DFF61-CA72-441C-8D91-81617BF6999A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B16458A4-CE04-41DA-8CE4-9A3A4286B562}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{89F91027-587C-4875-B526-AC9F85B22CFF}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{CB67C61A-7AE2-4F19-BC0B-55C021187C9A}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{F57D46CB-102D-4874-BED0-8750414DB050}c:\\team17\\worms2\\frontend.exe"= UDP:c:\team17\worms2\frontend.exe:Worms 2 Frontend
"UDP Query User{DB10813A-C731-4A32-9307-4F7AEC6AA5FA}c:\\team17\\worms2\\frontend.exe"= TCP:c:\team17\worms2\frontend.exe:Worms 2 Frontend
"{5E890977-C242-4FB7-B2FD-C2ACA411CE42}"= UDP:c:\windows\Temp\~os432A.tmp\ossproxy.exe:ossproxy.exe
"{702BD867-6888-4EFE-BE6F-842A497D08E0}"= UDP:c:\program files\PremierOpinion\pmropn.exe:pmropn.exe
"{C8672105-DEC6-4493-AD1C-3658FF2C1D54}"= TCP:c:\program files\PremierOpinion\pmropn.exe:pmropn.exe
"{2F3D22D1-EB05-4E5F-807F-61BEF26A563C}"= UDP:c:\windows\Temp\~osE688.tmp\ossproxy.exe:ossproxy.exe
"TCP Query User{E58BD9E1-6DF2-4789-9F4E-DDBB56AA9B69}c:\\program files\\huawei technologies\\huawei umts data card\\3 usb modem.exe"= UDP:c:\program files\huawei technologies\huawei umts data card\3 usb modem.exe:3 USB Modem
"UDP Query User{68D2E9B2-F377-4493-8721-43AE1CD7E38D}c:\\program files\\huawei technologies\\huawei umts data card\\3 usb modem.exe"= TCP:c:\program files\huawei technologies\huawei umts data card\3 usb modem.exe:3 USB Modem
"{0CEBB3AA-8A27-4F18-92AA-D8A022C54111}"= UDP:c:\program files\PremierOpinion\pmropn.exe:pmropn.exe
"{206EFD2B-7F7C-4EAA-AA51-1FF3F44C35A3}"= TCP:c:\program files\PremierOpinion\pmropn.exe:pmropn.exe

R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\System32\drivers\RtlProt.sys [2008-03-20 15360]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R2 PremierOpinion;PremierOpinion;c:\program files\PremierOpinion\pmservice.exe [2009-02-05 45056]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [2009-02-09 38496]
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\RTL8187.sys [2008-06-27 335872]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2008-06-13 41008]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBAMSWISSARMY

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\shell\AutoRun\command - J:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a22511f-1aae-11de-a9e0-001e900e2eca}]
\shell\AutoRun\command - J:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ddb8e3a-1a01-11de-8a74-0015afb9efc7}]
\shell\AutoRun\command - J:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ddb8e50-1a01-11de-8a74-0015afb9efc7}]
\shell\AutoRun\command - J:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ddb8e53-1a01-11de-8a74-001e900e2eca}]
\shell\AutoRun\command - J:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ddb8e55-1a01-11de-8a74-001e900e2eca}]
\shell\AutoRun\command - J:\AutoRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-03-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-02-27 c:\windows\Tasks\HPCeeScheduleFordekoh.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2007-07-21 00:34]

2009-03-28 c:\windows\Tasks\RtlVistaStart.job
- c:\program files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe [2007-04-12 04:59]

2009-03-28 c:\windows\Tasks\User_Feed_Synchronization-{270D32E9-1AD5-4851-93A1-DEB3A8D82C27}.job
- c:\windows\system32\msfeedssync.exe [2009-01-15 10:01]

2009-03-28 c:\windows\Tasks\User_Feed_Synchronization-{2C61D359-04E2-4FBD-BE6D-AA063B2317FD}.job
- c:\windows\system32\msfeedssync.exe [2009-01-15 10:01]


Solved Re: setup.exe has stoped working

Post by declan on 28th March 2009, 4:52 pm

.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=desktop
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
TCP: {17AE8493-15BD-4C66-BEA9-9843D9383700} = 4.2.2.4 4.2.2.3
FF - ProfilePath - c:\users\dekoh\AppData\Roaming\Mozilla\Firefox\Profiles\ndzzkyjv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 16:46:23
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-28 16:49:21
ComboFix-quarantined-files.txt 2009-03-28 16:49:19
ComboFix2.txt 2009-02-09 19:33:47

Pre-Run: 254,249,123,840 bytes free
Post-Run: 254,383,448,064 bytes free

240 --- E O F --- 2009-03-18 20:25:34


Solved Re: setup.exe has stoped working

Post by Belahzur on 28th March 2009, 4:58 pm

Hello.

I see that you are running Limewire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.
Should you choose to remove them, but you are having trouble doing so, please let me know in your next post here and I will aid you.

If you choose to follow my recommendation then follow these instructions.

  • Click Start >> Control Panel.
  • Under Programs, click Uninstall a Program.
  • Highlight Limewire
  • Click on the Uninstall/Change button at the top.


Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
PremierOpinion

File::
c:\windows\System32\eb54bdf7-09d3-6dd9-94cb-554adeb46fbb.exe
c:\windows\System32\yzkkvgqpspfo.exe
c:\users\dekoh\appdata\local\ygqawqg.exe
c:\users\dekoh\AppData\Roaming\Mozilla\Firefox\Profiles\ndzzkyjv.default\user.js
J:\AutoRun.exe

Folder::
C:\Program Files\Mywebsearch
C:\Program Files\LimeWire
c:\users\dekoh\AppData\Roaming\LimeWire
c:\program files\PremierOpinion

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D163E1B4-7846-4F0C-AEDC-F0FFA9EE4BBA}"=-
"{02859E92-5035-4492-A244-8905F08B3103}"=-
"{5E890977-C242-4FB7-B2FD-C2ACA411CE42}"=-
"{702BD867-6888-4EFE-BE6F-842A497D08E0}"=-
"{C8672105-DEC6-4493-AD1C-3658FF2C1D54}"=-
"{2F3D22D1-EB05-4E5F-807F-61BEF26A563C}"=-
"{0CEBB3AA-8A27-4F18-92AA-D8A022C54111}"=-
"{206EFD2B-7F7C-4EAA-AA51-1FF3F44C35A3}"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a22511f-1aae-11de-a9e0-001e900e2eca}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ddb8e3a-1a01-11de-8a74-0015afb9efc7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ddb8e50-1a01-11de-8a74-0015afb9efc7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ddb8e53-1a01-11de-8a74-001e900e2eca}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ddb8e55-1a01-11de-8a74-001e900e2eca}]

Firefox::
FF - ProfilePath - c:\users\dekoh\AppData\Roaming\Mozilla\Firefox\Profiles\ndzzkyjv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


@RealBelahzur - [Prework] - Please PM me if I fail to respond within 24hrs.



Solved Re: setup.exe has stoped working

Post by declan on 28th March 2009, 5:19 pm

ComboFix 09-03-27.02 - dekoh 2009-03-28 17:08:25.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1918.749 [GMT 0:00]
Running from: c:\users\dekoh\Pictures\2000-01 (Jan)\ComboFix.exe
Command switches used :: c:\users\dekoh\Desktop\cfscript.txt
* Created a new restore point

FILE ::
c:\users\dekoh\appdata\local\ygqawqg.exe
c:\users\dekoh\AppData\Roaming\Mozilla\Firefox\Profiles\ndzzkyjv.default\user.js
c:\windows\System32\eb54bdf7-09d3-6dd9-94cb-554adeb46fbb.exe
c:\windows\System32\yzkkvgqpspfo.exe
J:\AutoRun.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\dekoh\AppData\Roaming\LimeWire
c:\users\dekoh\AppData\Roaming\LimeWire\.AppSpecialShare\Counter-Strike 1.6 + Half-Life.exe.torrent
c:\users\dekoh\AppData\Roaming\LimeWire\.AppSpecialShare\Counter-Strike 1.6 + Half-Life.exe.torrent.bak
c:\users\dekoh\AppData\Roaming\LimeWire\certificate\limewire.keystore
c:\users\dekoh\AppData\Roaming\LimeWire\createtimes.cache
c:\users\dekoh\AppData\Roaming\LimeWire\downloads.dat
c:\users\dekoh\AppData\Roaming\LimeWire\fileurns.bak
c:\users\dekoh\AppData\Roaming\LimeWire\fileurns.cache
c:\users\dekoh\AppData\Roaming\LimeWire\filters.props
c:\users\dekoh\AppData\Roaming\LimeWire\gnutella.net
c:\users\dekoh\AppData\Roaming\LimeWire\installation.props
c:\users\dekoh\AppData\Roaming\LimeWire\library.dat
c:\users\dekoh\AppData\Roaming\LimeWire\limewire.props
c:\users\dekoh\AppData\Roaming\LimeWire\mojito.props
c:\users\dekoh\AppData\Roaming\LimeWire\promotion\promodb.backup
c:\users\dekoh\AppData\Roaming\LimeWire\promotion\promodb.data
c:\users\dekoh\AppData\Roaming\LimeWire\promotion\promodb.properties
c:\users\dekoh\AppData\Roaming\LimeWire\promotion\promodb.script
c:\users\dekoh\AppData\Roaming\LimeWire\questions.props
c:\users\dekoh\AppData\Roaming\LimeWire\responses.cache
c:\users\dekoh\AppData\Roaming\LimeWire\simpp.xml
c:\users\dekoh\AppData\Roaming\LimeWire\spam.dat
c:\users\dekoh\AppData\Roaming\LimeWire\tables.props
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme.lwtp
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\01_star.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\02_star.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\03_star.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\04_star.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\05_star.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\chat.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\forward_dn.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\forward_up.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\kill.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\kill_on.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\pause_dn.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\pause_up.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\play_dn.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\play_up.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\question.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\rewind_dn.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\rewind_up.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\stop_dn.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\stop_up.gif
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\theme.txt
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\version.txt
c:\users\dekoh\AppData\Roaming\LimeWire\themes\windows_theme\warning.gif
c:\users\dekoh\AppData\Roaming\LimeWire\ttrees.cache
c:\users\dekoh\AppData\Roaming\LimeWire\ttroot.cache
c:\users\dekoh\AppData\Roaming\LimeWire\version.xml
c:\users\dekoh\AppData\Roaming\LimeWire\versions.props
c:\users\dekoh\AppData\Roaming\LimeWire\xml\data\application.sxml2
c:\users\dekoh\AppData\Roaming\LimeWire\xml\data\audio.sxml2
c:\users\dekoh\AppData\Roaming\LimeWire\xml\data\video.sxml2
c:\users\dekoh\AppData\Roaming\Mozilla\Firefox\Profiles\ndzzkyjv.default\user.js
c:\windows\System32\eb54bdf7-09d3-6dd9-94cb-554adeb46fbb.exe
c:\windows\System32\yzkkvgqpspfo.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.


Solved Re: setup.exe has stoped working

Post by declan on 28th March 2009, 5:20 pm

2009-03-28 15:55 . 2009-03-28 15:55 d-------- c:\program files\Trend Micro
2009-03-28 11:22 . 2009-03-28 11:22 d-------- c:\program files\Microsoft Windows OneCare Live
2009-03-27 18:00 . 2009-03-27 18:00 d-------- c:\program files\Electronic Arts
2009-03-27 09:40 . 2009-03-27 09:40 d-------- c:\program files\Common Files\Windows Live
2009-03-26 15:28 . 2007-08-08 12:07 101,504 --a------ c:\windows\System32\drivers\ewusbmdm.sys
2009-03-26 15:28 . 2007-08-08 12:06 23,424 --a------ c:\windows\System32\drivers\ewdcsc.sys
2009-03-26 15:26 . 2009-03-26 15:26 d-------- c:\program files\Huawei technologies
2009-03-18 18:26 . 2008-12-16 03:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-18 18:26 . 2009-02-09 03:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-18 18:26 . 2008-11-27 04:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-18 18:26 . 2008-12-16 05:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-18 18:26 . 2008-12-16 05:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-18 18:26 . 2008-12-16 05:31 4,096 --a------ c:\windows\System32\dxmasf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 15:23 --------- d-----w c:\program files\REALTEK USB Wireless LAN Driver and Utility
2009-03-28 14:52 --------- d-----w c:\programdata\Google Updater
2009-03-28 14:15 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 11:14 --------- d-----w c:\programdata\Electronic Arts
2009-03-28 11:02 --------- d-----w c:\program files\PremierOpinion
2009-03-28 11:00 --------- d-----w c:\program files\Common Files\PX Storage Engine
2009-03-26 12:27 --------- d-----w c:\program files\Windows Mail
2009-02-27 03:00 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 17:13 --------- d-----w c:\program files\Google
2009-02-21 19:47 --------- d-----w c:\program files\Microsoft Games
2009-02-21 19:37 --------- d-----w c:\users\dekoh\AppData\Roaming\Microsoft Games
2009-02-21 19:37 --------- d-----w c:\programdata\Microsoft Games
2009-02-09 18:57 --------- d-----w c:\program files\Unity
2009-02-09 18:17 --------- d-----w c:\program files\Navilog1
2009-02-09 17:16 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-09 17:11 --------- d-----w c:\users\dekoh\AppData\Roaming\Malwarebytes
2009-02-09 17:11 --------- d-----w c:\programdata\Malwarebytes
2009-02-09 12:54 --------- d-----w c:\program files\Norton Security Scan
2009-02-08 21:03 --------- d-----w c:\programdata\Symantec
2009-02-07 11:23 --------- d-----w c:\program files\Norton PC Checkup
2009-02-06 17:56 --------- d-----w c:\program files\DivX
2009-02-06 17:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-06 17:29 --------- d-----w c:\programdata\NortonInstaller
2009-02-06 17:29 --------- d-----w c:\program files\NortonInstaller
2009-02-05 14:53 --------- d-----w c:\users\dekoh\AppData\Roaming\Apple Computer
2009-02-04 14:09 695,808 ----a-w c:\windows\System32\nsc670F.dll
2009-02-03 20:50 --------- d---a-w c:\programdata\TEMP
2009-02-03 20:49 --------- d-----w c:\program files\Windows Live Safety Center
2009-01-28 18:59 --------- d-----w c:\users\dekoh\AppData\Roaming\Unity
2009-01-28 11:56 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-28 11:56 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-28 11:56 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-28 11:56 --------- d-----w c:\program files\Symantec
2009-01-15 10:05 911,872 ----a-w c:\windows\System32\wininet.dll
2009-01-15 10:05 43,008 ----a-w c:\windows\System32\licmgr10.dll
2009-01-15 10:04 18,944 ----a-w c:\windows\System32\corpol.dll
2009-01-15 10:04 132,096 ----a-w c:\windows\System32\ieUnatt.exe
2009-01-15 10:04 109,568 ----a-w c:\windows\System32\PDMSetup.exe
2009-01-15 10:04 109,056 ----a-w c:\windows\System32\iesysprep.dll
2009-01-15 10:04 107,520 ----a-w c:\windows\System32\RegisterIEPKEYs.exe
2009-01-15 10:04 107,008 ----a-w c:\windows\System32\SetIEInstalledDate.exe
2009-01-15 10:04 103,936 ----a-w c:\windows\System32\SetDepNx.exe
2009-01-15 10:03 72,704 ----a-w c:\windows\System32\admparse.dll
2009-01-15 10:03 71,680 ----a-w c:\windows\System32\iesetup.dll
2009-01-15 10:03 66,560 ----a-w c:\windows\System32\wextract.exe
2009-01-15 10:03 420,352 ----a-w c:\windows\System32\vbscript.dll
2009-01-15 10:02 169,472 ----a-w c:\windows\System32\iexpress.exe
2009-01-15 10:01 34,304 ----a-w c:\windows\System32\imgutil.dll
2009-01-15 10:00 48,128 ----a-w c:\windows\System32\mshtmler.dll
2009-01-15 10:00 45,568 ----a-w c:\windows\System32\mshta.exe
2009-01-15 09:50 156,160 ----a-w c:\windows\System32\msls31.dll
2009-01-06 11:29 965,664 ----a-w c:\windows\System32\RtkPgExt.dll
2009-01-06 11:29 44,064 ----a-w c:\windows\System32\RtkCoInst.dll
2009-01-06 11:29 322,080 ----a-w c:\windows\System32\RtkApoApi.dll
2009-01-06 11:29 2,510,368 ----a-w c:\windows\System32\RtkAPO.dll
2009-01-06 11:29 109,088 ----a-w c:\windows\RTKAUDIOSERVICE.EXE
2008-08-11 16:21 1,523,200 ----a-w c:\users\dekoh\siw.exe
2008-07-23 20:31 174 --sha-w c:\program files\desktop.ini
2008-03-17 22:14 0 ----a-w c:\users\dekoh\AppData\Roaming\wklnhst.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-28_16.46.55.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-28 11:29:41 133,888 ----a-w c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-03-28 17:10:34 133,968 ----a-w c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-03-28 16:12:10 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2009-03-28 17:12:02 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2009-03-28 17:12:02 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2009-03-28 11:34:04 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2009-03-28 17:12:02 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2009-03-28 17:12:02 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-03-28 16:38:00 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-28 17:06:59 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-28 16:38:00 81,920 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-28 17:06:59 81,920 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-28 16:38:00 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-03-28 17:06:59 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-04 1783136]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [BU]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-10-18 2503976]
"Uniblue RegistryBooster 2"="c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe" [BU]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"HUAWEI 3G Data Card MTS"="c:\program files\Huawei technologies\Huawei UMTS Data Card\3 USB Modem.exe" [2008-01-27 344064]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-18 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [BU]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [BU]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 c:\windows\RtHDVCpl.exe]


Solved Re: setup.exe has stoped working

Post by declan on 28th March 2009, 5:20 pm

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{814EB14C-7903-4031-B896-1B9C57A07854}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{A90BDDDC-5761-43EE-9216-2A93980C4CFA}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{2E40B13D-98D9-4F9A-B38E-D97160066FF8}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{E114D4C5-D823-44C1-BDA6-22CA059456FF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{A22E4FAB-A647-455A-B80D-96A2CCD65DFE}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{E2DBD4FF-7901-4E81-A00C-8B61EA96B369}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"{02BFC969-ABB3-4427-BB25-2DED38EFC458}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{71B94E50-65DC-457B-BFBC-285FE92CCCDF}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{9EDCB9F5-9B0C-4D3B-8E5F-247532E4400D}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{FAE29DD8-0E5E-43AB-A71D-0FABACC6CBF5}"= UDP:c:\program files\National Guard\Guard Shield\PRISM.exe:Guard Shield
"{A78FDA16-6E52-4194-9E36-E55B88C2BA2F}"= TCP:c:\program files\National Guard\Guard Shield\PRISM.exe:Guard Shield
"{366DFF61-CA72-441C-8D91-81617BF6999A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B16458A4-CE04-41DA-8CE4-9A3A4286B562}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{89F91027-587C-4875-B526-AC9F85B22CFF}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{CB67C61A-7AE2-4F19-BC0B-55C021187C9A}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{F57D46CB-102D-4874-BED0-8750414DB050}c:\\team17\\worms2\\frontend.exe"= UDP:c:\team17\worms2\frontend.exe:Worms 2 Frontend
"UDP Query User{DB10813A-C731-4A32-9307-4F7AEC6AA5FA}c:\\team17\\worms2\\frontend.exe"= TCP:c:\team17\worms2\frontend.exe:Worms 2 Frontend
"TCP Query User{E58BD9E1-6DF2-4789-9F4E-DDBB56AA9B69}c:\\program files\\huawei technologies\\huawei umts data card\\3 usb modem.exe"= UDP:c:\program files\huawei technologies\huawei umts data card\3 usb modem.exe:3 USB Modem
"UDP Query User{68D2E9B2-F377-4493-8721-43AE1CD7E38D}c:\\program files\\huawei technologies\\huawei umts data card\\3 usb modem.exe"= TCP:c:\program files\huawei technologies\huawei umts data card\3 usb modem.exe:3 USB Modem
"TCP Query User{0FCE698D-19A2-4E92-83A9-73E1FA9D63B9}c:\\program files\\premieropinion\\pmropn.exe"= UDP:c:\program files\premieropinion\pmropn.exe:pmropn.exe
"UDP Query User{E2315B30-A537-44E4-9C40-1E43C90979A0}c:\\program files\\premieropinion\\pmropn.exe"= TCP:c:\program files\premieropinion\pmropn.exe:pmropn.exe

R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\System32\drivers\RtlProt.sys [2008-03-20 15360]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R2 PremierOpinion;PremierOpinion;c:\program files\PremierOpinion\pmservice.exe [2009-02-05 45056]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2008-06-13 41008]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [2009-02-09 38496]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\RTL8187.sys [2008-06-27 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-03-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-02-27 c:\windows\Tasks\HPCeeScheduleFordekoh.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2007-07-21 00:34]

2009-03-28 c:\windows\Tasks\RtlVistaStart.job
- c:\program files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe [2007-04-12 04:59]

2009-03-28 c:\windows\Tasks\User_Feed_Synchronization-{270D32E9-1AD5-4851-93A1-DEB3A8D82C27}.job
- c:\windows\system32\msfeedssync.exe [2009-01-15 10:01]

2009-03-28 c:\windows\Tasks\User_Feed_Synchronization-{2C61D359-04E2-4FBD-BE6D-AA063B2317FD}.job
- c:\windows\system32\msfeedssync.exe [2009-01-15 10:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=desktop
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
TCP: {17AE8493-15BD-4C66-BEA9-9843D9383700} = 4.2.2.3 4.2.2.4
FF - ProfilePath - c:\users\dekoh\AppData\Roaming\Mozilla\Firefox\Profiles\ndzzkyjv.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 17:12:05
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\dekoh\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\schtasks.exe
c:\windows\ehome\ehmsas.exe
c:\program files\PremierOpinion\pmropn.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\jusched.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\progra~1\CYBERL~1\SHARED~1\RICHVI~1.EXE
c:\hp\KBD\kbd.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-03-28 17:16:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-28 17:16:33
ComboFix2.txt 2009-03-28 16:49:22
ComboFix3.txt 2009-02-09 19:33:47

Pre-Run: 256,302,018,560 bytes free
Post-Run: 256,702,537,728 bytes free

315 --- E O F --- 2009-03-18 20:25:34


Solved Re: setup.exe has stoped working

Post by Belahzur on 28th March 2009, 5:35 pm

Hello.
Nearly there now.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
PremierOpinion

Folder::
c:\program files\PremierOpinion

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{0FCE698D-19A2-4E92-83A9-73E1FA9D63B9}c:\\program files\\premieropinion\\pmropn.exe"=-
"UDP Query User{E2315B30-A537-44E4-9C40-1E43C90979A0}c:\\program files\\premieropinion\\pmropn.exe"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


@RealBelahzur - [Prework] - Please PM me if I fail to respond within 24hrs.
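The CFScript procedure given here and in the earlier post (the KILLALL::, File::, Registry:: and Firefox:: sections) is assembled by hand from the ComboFix log. As an added example, not part of this thread or of ComboFix, the Python below parses a constructed log excerpt modelled on the entries posted above (mountpoints2 AutoRun handlers, firewall rules for PremierOpinion, Firefox search prefs pointing at yoog.com), flags them and drafts those sections; the flagging heuristics UNWANTED_DIRS and SEARCH_PREFS are this example's own assumptions.

```python
"""Triage a ComboFix log excerpt and draft the CFScript sections used in this thread.
Added example, not the thread's or ComboFix's own code; the log excerpt is constructed
and the flagging heuristics (UNWANTED_DIRS, SEARCH_PREFS) are assumptions."""
import re

# Constructed sample, modelled on the ComboFix output posted in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\shell\AutoRun\command - J:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a22511f-1aae-11de-a9e0-001e900e2eca}]
\shell\AutoRun\command - J:\AutoRun.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C8672105-DEC6-4493-AD1C-3658FF2C1D54}"= TCP:c:\program files\PremierOpinion\pmropn.exe:pmropn.exe
"{0CEBB3AA-8A27-4F18-92AA-D8A022C54111}"= UDP:c:\program files\PremierOpinion\pmropn.exe:pmropn.exe
"{B16458A4-CE04-41DA-8CE4-9A3A4286B562}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

FF - ProfilePath - c:\users\dekoh\AppData\Roaming\Mozilla\Firefox\Profiles\ndzzkyjv.default\
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www15.yoog.com/search.php?q=
FF - user.js: keyword.URL - hxxp://www15.yoog.com/search.php?q=
"""

FIREWALL_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]"
MOUNTPOINT_KEY = re.compile(r"^\[(HKEY_CURRENT_USER\\[^\]]*\\mountpoints2\\[^\]]+)\]$", re.I)
AUTORUN_CMD = re.compile(r"^\\shell\\AutoRun\\command - (.+)$", re.I)
FIREWALL_RULE = re.compile(r'^"([^"]+)"=\s*(?:(TCP|UDP):)?(.+):([^:]*)$')  # id, proto, path, description
FF_PROFILE = re.compile(r"^FF - ProfilePath - (.+)$")
FF_PREF = re.compile(r"^FF - (prefs\.js|user\.js): (\S+) - (.*)$")
# Assumed heuristics: adware directories named in the thread, and the prefs a search hijacker rewrites.
UNWANTED_DIRS = ("premieropinion", "mywebsearch")
SEARCH_PREFS = ("browser.search.defaulturl", "browser.search.defaultenginename",
                "browser.search.selectedEngine", "keyword.URL")


def parse_log(text):
    """Pull mountpoints2 AutoRun handlers, firewall rules and Firefox prefs out of the log."""
    parsed = {"mountpoints": [], "firewall": [], "ff_profile": None, "ff_prefs": []}
    current = None  # registry key whose values are being read
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = MOUNTPOINT_KEY.match(line)
        if m:
            current = m.group(1)
        elif line.lower() == FIREWALL_KEY.lower():
            current = "firewall"
        elif line.startswith("["):  # some other key this example does not model
            current = None
        elif current == "firewall" and FIREWALL_RULE.match(line):
            name, proto, path, desc = FIREWALL_RULE.match(line).groups()
            parsed["firewall"].append((name, proto or "ANY", path, desc))
        elif current and AUTORUN_CMD.match(line):
            parsed["mountpoints"].append((current, AUTORUN_CMD.match(line).group(1)))
        elif FF_PROFILE.match(line):
            parsed["ff_profile"] = FF_PROFILE.match(line).group(1)
        elif FF_PREF.match(line):
            parsed["ff_prefs"].append(FF_PREF.match(line).groups())
    return parsed


def triage(parsed):
    """Return (kind, what, detail) findings for the persistence points the thread cleans."""
    findings = []
    for key, cmd in parsed["mountpoints"]:
        # A cached AutoRun handler for a drive letter: Explorer runs it when the drive is
        # opened, which is how removable-media worms spread. The thread deletes every such key.
        findings.append(("autorun", key, cmd))
    for name, proto, path, _desc in parsed["firewall"]:
        if any(d in path.lower() for d in UNWANTED_DIRS):
            findings.append(("firewall", name, f"{proto} {path}"))
    for src, pref, value in parsed["ff_prefs"]:
        if pref in SEARCH_PREFS:
            # user.js is re-applied at every Firefox start, so a hijack written there
            # comes back after the user "fixes" the search engine in the UI.
            findings.append(("firefox", f"{src}:{pref}", value))
    return findings


def draft_cfscript(parsed, findings):
    """Draft CFScript.txt sections as the thread writes them (Driver::/Folder:: are added by hand)."""
    files, mount_keys, fw_rules, firefox = [], [], [], []
    for kind, what, detail in findings:
        if kind == "autorun":
            mount_keys.append(f"[-{what}]")  # [-key] deletes the whole key
        elif kind == "firewall":
            fw_rules.append(f'"{what}"=-')  # "value"=- deletes that value
        elif what.startswith("prefs.js:"):
            firefox.append(f"FF - prefs.js: {what.split(':', 1)[1]} - {detail}")
        elif parsed["ff_profile"]:  # user.js overrides: delete the file, as the thread did
            user_js = parsed["ff_profile"].rstrip("\\") + "\\user.js"
            if user_js not in files:
                files.append(user_js)
    out = ["KILLALL::", ""]
    if files:
        out += ["File::", *files, ""]
    if fw_rules or mount_keys:
        out += ["Registry::", *([FIREWALL_KEY, *fw_rules] if fw_rules else []), *mount_keys, ""]
    if firefox:
        out += ["Firefox::", *firefox, ""]
    return "\n".join(out)
```

Running `draft_cfscript(parsed, triage(parsed))` on the sample yields File::, Registry:: and Firefox:: sections in the same shape as the scripts posted in this thread; the Bonjour rule is left alone because its path is not in UNWANTED_DIRS.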



Solved Re: setup.exe has stoped working

Post by declan on 28th March 2009, 5:58 pm

ComboFix 09-03-27.02 - dekoh 2009-03-28 17:42:44.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1918.856 [GMT 0:00]
Running from: c:\users\dekoh\Pictures\2000-01 (Jan)\ComboFix.exe
Command switches used :: c:\users\dekoh\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\PremierOpinion
c:\program files\PremierOpinion\components\pmxg.dll
c:\program files\PremierOpinion\install.rdf
c:\program files\PremierOpinion\pmls.dll
c:\program files\PremierOpinion\pmoci.bin
c:\program files\PremierOpinion\pmph.dll
c:\program files\PremierOpinion\pmropn.exe
c:\program files\PremierOpinion\pmservice.exe
c:\program files\PremierOpinion\pmxf.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PremierOpinion


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-28 15:55 . 2009-03-28 15:55 d-------- c:\program files\Trend Micro
2009-03-28 11:22 . 2009-03-28 11:22 d-------- c:\program files\Microsoft Windows OneCare Live
2009-03-27 18:00 . 2009-03-27 18:00 d-------- c:\program files\Electronic Arts
2009-03-27 09:40 . 2009-03-27 09:40 d-------- c:\program files\Common Files\Windows Live
2009-03-26 15:28 . 2007-08-08 12:07 101,504 --a------ c:\windows\System32\drivers\ewusbmdm.sys
2009-03-26 15:28 . 2007-08-08 12:06 23,424 --a------ c:\windows\System32\drivers\ewdcsc.sys
2009-03-26 15:26 . 2009-03-26 15:26 d-------- c:\program files\Huawei technologies
2009-03-18 18:26 . 2008-12-16 03:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-18 18:26 . 2009-02-09 03:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-18 18:26 . 2008-11-27 04:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-18 18:26 . 2008-12-16 05:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-18 18:26 . 2008-12-16 05:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-18 18:26 . 2008-12-16 05:31 4,096 --a------ c:\windows\System32\dxmasf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 15:23 --------- d-----w c:\program files\REALTEK USB Wireless LAN Driver and Utility
2009-03-28 14:52 --------- d-----w c:\programdata\Google Updater
2009-03-28 14:15 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 11:14 --------- d-----w c:\programdata\Electronic Arts
2009-03-28 11:00 --------- d-----w c:\program files\Common Files\PX Storage Engine
2009-03-26 12:27 --------- d-----w c:\program files\Windows Mail
2009-02-28 11:55 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 17:13 --------- d-----w c:\program files\Google
2009-02-21 19:47 --------- d-----w c:\program files\Microsoft Games
2009-02-21 19:37 --------- d-----w c:\users\dekoh\AppData\Roaming\Microsoft Games
2009-02-21 19:37 --------- d-----w c:\programdata\Microsoft Games
2009-02-09 18:57 --------- d-----w c:\program files\Unity
2009-02-09 18:17 --------- d-----w c:\program files\Navilog1
2009-02-09 17:16 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-09 17:11 --------- d-----w c:\users\dekoh\AppData\Roaming\Malwarebytes
2009-02-09 17:11 --------- d-----w c:\programdata\Malwarebytes
2009-02-09 12:54 --------- d-----w c:\program files\Norton Security Scan
2009-02-08 21:03 --------- d-----w c:\programdata\Symantec
2009-02-07 11:23 --------- d-----w c:\program files\Norton PC Checkup
2009-02-06 17:56 --------- d-----w c:\program files\DivX
2009-02-06 17:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-06 17:29 --------- d-----w c:\programdata\NortonInstaller
2009-02-06 17:29 --------- d-----w c:\program files\NortonInstaller
2009-02-05 14:53 --------- d-----w c:\users\dekoh\AppData\Roaming\Apple Computer
2009-02-04 14:09 695,808 ----a-w c:\windows\System32\nsc670F.dll
2009-02-03 20:50 --------- d---a-w c:\programdata\TEMP
2009-02-03 20:49 --------- d-----w c:\program files\Windows Live Safety Center
2009-01-28 18:59 --------- d-----w c:\users\dekoh\AppData\Roaming\Unity
2009-01-28 11:56 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-28 11:56 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-28 11:56 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-28 11:56 --------- d-----w c:\program files\Symantec
2009-01-15 10:05 911,872 ----a-w c:\windows\System32\wininet.dll
2009-01-15 10:05 43,008 ----a-w c:\windows\System32\licmgr10.dll
2009-01-15 10:04 18,944 ----a-w c:\windows\System32\corpol.dll
2009-01-15 10:04 132,096 ----a-w c:\windows\System32\ieUnatt.exe
2009-01-15 10:04 109,568 ----a-w c:\windows\System32\PDMSetup.exe
2009-01-15 10:04 109,056 ----a-w c:\windows\System32\iesysprep.dll
2009-01-15 10:04 107,520 ----a-w c:\windows\System32\RegisterIEPKEYs.exe
2009-01-15 10:04 107,008 ----a-w c:\windows\System32\SetIEInstalledDate.exe
2009-01-15 10:04 103,936 ----a-w c:\windows\System32\SetDepNx.exe
2009-01-15 10:03 72,704 ----a-w c:\windows\System32\admparse.dll
2009-01-15 10:03 71,680 ----a-w c:\windows\System32\iesetup.dll
2009-01-15 10:03 66,560 ----a-w c:\windows\System32\wextract.exe
2009-01-15 10:03 420,352 ----a-w c:\windows\System32\vbscript.dll
2009-01-15 10:02 169,472 ----a-w c:\windows\System32\iexpress.exe
2009-01-15 10:01 34,304 ----a-w c:\windows\System32\imgutil.dll
2009-01-15 10:00 48,128 ----a-w c:\windows\System32\mshtmler.dll
2009-01-15 10:00 45,568 ----a-w c:\windows\System32\mshta.exe
2009-01-15 09:50 156,160 ----a-w c:\windows\System32\msls31.dll
2009-01-06 11:29 965,664 ----a-w c:\windows\System32\RtkPgExt.dll
2009-01-06 11:29 44,064 ----a-w c:\windows\System32\RtkCoInst.dll
2009-01-06 11:29 322,080 ----a-w c:\windows\System32\RtkApoApi.dll
2009-01-06 11:29 2,510,368 ----a-w c:\windows\System32\RtkAPO.dll
2009-01-06 11:29 109,088 ----a-w c:\windows\RTKAUDIOSERVICE.EXE
2008-08-11 16:21 1,523,200 ----a-w c:\users\dekoh\siw.exe
2008-07-23 20:31 174 --sha-w c:\program files\desktop.ini
2008-03-17 22:14 0 ----a-w c:\users\dekoh\AppData\Roaming\wklnhst.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-28_16.46.55.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 20:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-03-28 11:29:41 133,888 ----a-w c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-03-28 17:44:47 134,048 ----a-w c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-03-28 16:12:10 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2009-03-28 17:46:04 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2009-03-28 17:46:04 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2009-03-28 11:34:04 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2009-03-28 17:46:04 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2009-03-28 17:46:04 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-03-28 16:38:00 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-28 17:35:18 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-28 16:38:00 81,920 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-28 17:35:18 81,920 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-28 16:38:00 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-03-28 17:35:18 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-28 11:36:49 105,448 ----a-w c:\windows\System32\perfc009.dat
+ 2009-03-28 17:17:25 105,448 ----a-w c:\windows\System32\perfc009.dat
- 2009-03-28 11:36:49 599,942 ----a-w c:\windows\System32\perfh009.dat
+ 2009-03-28 17:17:25 599,942 ----a-w c:\windows\System32\perfh009.dat
- 2009-03-28 11:35:00 13,598 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4069843678-2951840599-648089840-1000_UserData.bin
+ 2009-03-28 17:13:34 13,718 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4069843678-2951840599-648089840-1000_UserData.bin
- 2009-03-28 11:34:59 68,396 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-28 17:13:34 68,582 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-02-28 03:47:13 3,460 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-03-28 17:44:47 3,562 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2009-03-28 11:34:57 67,504 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-03-28 17:13:34 67,632 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.


Solved Re: setup.exe has stoped working

Post by declan on 28th March 2009, 5:59 pm

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-04 1783136]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [BU]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-10-18 2503976]
"Uniblue RegistryBooster 2"="c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe" [BU]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"HUAWEI 3G Data Card MTS"="c:\program files\Huawei technologies\Huawei UMTS Data Card\3 USB Modem.exe" [2008-01-27 344064]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-18 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [BU]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [BU]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 c:\windows\RtHDVCpl.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{814EB14C-7903-4031-B896-1B9C57A07854}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{A90BDDDC-5761-43EE-9216-2A93980C4CFA}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{2E40B13D-98D9-4F9A-B38E-D97160066FF8}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{E114D4C5-D823-44C1-BDA6-22CA059456FF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{A22E4FAB-A647-455A-B80D-96A2CCD65DFE}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{E2DBD4FF-7901-4E81-A00C-8B61EA96B369}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"{02BFC969-ABB3-4427-BB25-2DED38EFC458}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{71B94E50-65DC-457B-BFBC-285FE92CCCDF}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{9EDCB9F5-9B0C-4D3B-8E5F-247532E4400D}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{FAE29DD8-0E5E-43AB-A71D-0FABACC6CBF5}"= UDP:c:\program files\National Guard\Guard Shield\PRISM.exe:Guard Shield
"{A78FDA16-6E52-4194-9E36-E55B88C2BA2F}"= TCP:c:\program files\National Guard\Guard Shield\PRISM.exe:Guard Shield
"{366DFF61-CA72-441C-8D91-81617BF6999A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B16458A4-CE04-41DA-8CE4-9A3A4286B562}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{89F91027-587C-4875-B526-AC9F85B22CFF}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{CB67C61A-7AE2-4F19-BC0B-55C021187C9A}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{F57D46CB-102D-4874-BED0-8750414DB050}c:\\team17\\worms2\\frontend.exe"= UDP:c:\team17\worms2\frontend.exe:Worms 2 Frontend
"UDP Query User{DB10813A-C731-4A32-9307-4F7AEC6AA5FA}c:\\team17\\worms2\\frontend.exe"= TCP:c:\team17\worms2\frontend.exe:Worms 2 Frontend
"TCP Query User{E58BD9E1-6DF2-4789-9F4E-DDBB56AA9B69}c:\\program files\\huawei technologies\\huawei umts data card\\3 usb modem.exe"= UDP:c:\program files\huawei technologies\huawei umts data card\3 usb modem.exe:3 USB Modem
"UDP Query User{68D2E9B2-F377-4493-8721-43AE1CD7E38D}c:\\program files\\huawei technologies\\huawei umts data card\\3 usb modem.exe"= TCP:c:\program files\huawei technologies\huawei umts data card\3 usb modem.exe:3 USB Modem

R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\System32\drivers\RtlProt.sys [2008-03-20 15360]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2008-06-13 41008]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [2009-02-09 38496]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\RTL8187.sys [2008-06-27 335872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ddb8e50-1a01-11de-8a74-0015afb9efc7}]
\shell\AutoRun\command - J:\AutoRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-03-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-02-27 c:\windows\Tasks\HPCeeScheduleFordekoh.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2007-07-21 00:34]

2009-03-28 c:\windows\Tasks\RtlVistaStart.job
- c:\program files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe [2007-04-12 04:59]

2009-03-28 c:\windows\Tasks\User_Feed_Synchronization-{270D32E9-1AD5-4851-93A1-DEB3A8D82C27}.job
- c:\windows\system32\msfeedssync.exe [2009-01-15 10:01]

2009-03-28 c:\windows\Tasks\User_Feed_Synchronization-{2C61D359-04E2-4FBD-BE6D-AA063B2317FD}.job
- c:\windows\system32\msfeedssync.exe [2009-01-15 10:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=desktop
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
TCP: {17AE8493-15BD-4C66-BEA9-9843D9383700} = 4.2.2.4 4.2.2.3
FF - ProfilePath - c:\users\dekoh\AppData\Roaming\Mozilla\Firefox\Profiles\ndzzkyjv.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 17:46:07
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\wbem\unsecapp.exe
c:\combofix\hidec.exe
c:\windows\System32\schtasks.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\windows\System32\jusched.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\CYBERL~1\SHARED~1\RICHVI~1.EXE
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\hp\KBD\kbd.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\combofix\Catchme.tmp
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-03-28 17:52:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-28 17:51:27
ComboFix2.txt 2009-03-28 17:16:45
ComboFix3.txt 2009-03-28 16:49:22
ComboFix4.txt 2009-02-09 19:33:47

Pre-Run: 256,009,633,792 bytes free
Post-Run: 256,231,092,224 bytes free

273 --- E O F --- 2009-03-18 20:25:34


Solved Re: setup.exe has stoped working

Post by Belahzur on 28th March 2009, 6:02 pm

Hello.
The malware should be gone now; I just want to see what's installed on here.

  • Open HijackThis
  • Click "Open the Misc Tools section"
  • Click "Open Uninstall Manager"
  • Click "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.



Solved Re: setup.exe has stoped working

Post by declan on 28th March 2009, 6:48 pm

Webpage error details

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
Timestamp: Sat, 28 Mar 2009 18:47:53 UTC


Message: Not implemented

Line: 90
Char: 1
Code: 0
URI: http://www.geekpolice.net/-h17.htm


Message: 'document.getElementById(...)' is null or not an object
Line: 63
Char: 1
Code: 0
URI: http://www.geekpolice.net/-h19.htm


Message: HTML Parsing Error: Unable to modify the parent container element before the child element is closed (KB927917)
Line: 0
Char: 0
Code: 0
URI: http://www.geekpolice.net/operating-systems-f20/setupexe-has-stoped-working-t7812-15.htm


Solved Re: setup.exe has stoped working

Post by declan on 28th March 2009, 6:49 pm

3 USB Modem
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.3
Adobe Shockwave Player 11
AGEIA PhysX v7.01.12
AOL Toolbar 5.0
Apple Mobile Device Support
Apple Software Update
Bonjour
Compatibility Pack for the 2007 Office system
Contextual Tool Snappyads
CyberLink DVD Suite Deluxe
EA Download Manager
Enhanced Multimedia Keyboard Solution
Favorit
GearDrvs
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
Hardware Diagnostic Tools
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP Games
HP My Display
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.5
HP Picasso Media Center Add-In
HP Total Care Advisor
HP Update
iTunes
Java(TM) SE Runtime Environment 6 Update 1
LabelPrint
LightScribe System Software 1.10.16.1
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Halo Trial
Microsoft Office Home and Student 60 day trial
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
muvee autoProducer 6.1
Navilog1 3.7.2
neroxml
Norton PC Checkup
Norton Security Scan
NVIDIA Drivers
Performance Dashboard Snappyads
Power2Go
PowerDirector
PremierOpinion
Python 2.5
QuickTime
Realtek High Definition Audio Driver
REALTEK USB Wireless LAN Driver and Utility
SDK
Shockwave
Smart Menus (Windows Live Toolbar)
Spelling Dictionaries Support For Adobe Reader 8
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)


Solved Re: setup.exe has stoped working

Post by declan on 28th March 2009, 6:51 pm

After this, could you see why Vista won't let me install Crysis Warhead? Because my girlfriend has a very basic laptop and it works fine on that, and my computer is newly bought with a good graphics card??? Thanks for your help :)


Solved Re: setup.exe has stoped working

Post by Belahzur on 28th March 2009, 6:58 pm

Hello. Yep, we'll have a look at the installing issue once you have done everything in this post, because the malware should be gone now.

Let's wrap this up.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines: (if present)


    O4 - HKUS\S-1-5-21-4069843678-2951840599-648089840-1001\..\Run: [ygqawqg] "c:\users\dekoh\appdata\local\ygqawqg.exe" ygqawqg (User 'aaron')
    O4 - HKUS\S-1-5-21-4069843678-2951840599-648089840-1001\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe (User 'aaron')
    O4 - S-1-5-21-4069843678-2951840599-648089840-1001 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'aaron')
    O4 - S-1-5-21-4069843678-2951840599-648089840-1001 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'aaron')


  • Press "Fix Checked"
  • Close Hijack This.

We have to remove and update a few things now.

  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight the following:

    Adobe Reader 8.1.3
    Java(TM) SE Runtime Environment 6 Update 1

  • Click on the Uninstall/Change button at the top.

Then download and install Adobe Reader version 9.1 from here:
http://get.adobe.com/uk/reader/

Now update Java.

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 12.
  • Select the first option where it says "This release includes the highly anticipated...".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe that you downloaded to install the newest version.


You are running Firefox 3.0.1, please download and install Firefox version 3.0.8 from here:
http://www.mozilla-europe.org/en/firefox/

Let me know how the machine is running once you have done that.


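The post above reads the uninstall list by eye and picks out Adobe Reader 8.1.3, Java 6 Update 1 and Firefox 3.0.1 as out of date. The script below is an added example, not part of the original thread or any of the tools it uses; it does the same audit from the Uninstall registry keys. The minimum versions are the ones this post asks for (Reader 9.1, Java 6 Update 13, Firefox 3.0.8), and how each vendor writes DisplayVersion (for instance Java 6u13 as 1.6.0.130, Firefox as "3.0.1 (en-GB)") is an assumption, so only the leading dotted number is compared. PowerShell 2.0 or later.

```powershell
# Added example (not from the original thread): flag installed programs below the
# versions the post asked for. The minimums and the DisplayVersion formats are
# assumptions taken from the post; update the table before reusing it.

$Minimums = @(
    @{ Pattern = '^Adobe Reader';     Min = '9.1' },
    @{ Pattern = '^Java\(TM\)';       Min = '1.6.0.130' },   # 6 Update 13, assumed format
    @{ Pattern = '^Mozilla Firefox';  Min = '3.0.8' }
)

function Get-InstalledPrograms {
    # Same data HijackThis' Uninstall Manager lists, read from all three locations.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    foreach ($k in $keys) {
        foreach ($item in @(Get-ItemProperty -Path $k -ErrorAction SilentlyContinue)) {
            if ($item.DisplayName) {
                New-Object PSObject -Property @{
                    Name    = [string]$item.DisplayName
                    Version = [string]$item.DisplayVersion
                }
            }
        }
    }
}

function ConvertTo-Version([string]$Text) {
    # Keep only the leading dotted number ("3.0.1 (en-GB)" -> 3.0.1) and pad a
    # bare "9" to "9.0", because [version] needs at least two parts.
    if ($Text -match '^\s*(\d+(\.\d+)*)') {
        $v = $Matches[1]
        if ($v -notmatch '\.') { $v = "$v.0" }
        return [version]$v
    }
    return $null
}

function Test-Outdated {
    param($Programs = (Get-InstalledPrograms), $Rules = $Minimums)
    foreach ($p in $Programs) {
        foreach ($r in $Rules) {
            if ($p.Name -match $r.Pattern) {
                $have = ConvertTo-Version $p.Version
                $need = [version]$r.Min
                $status = if (-not $have) { 'unknown version' }
                          elseif ($have -lt $need) { "OUTDATED (need $need)" }
                          else { 'ok' }
                New-Object PSObject -Property @{ Name = $p.Name; Installed = $p.Version; Status = $status }
            }
        }
    }
}

Test-Outdated | Select-Object Name, Installed, Status | Format-Table -AutoSize
```

The table only encodes what this post said in March 2009; the real check is against the vendor's current release, so refresh the minimums each time and expect the Java pattern to also match a JDK if one is installed.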

Solved Re: setup.exe has stoped working

Post by declan on 28th March 2009, 7:06 pm

I've checked and double-checked; none of the above are in HijackThis. Followed the instructions word for word.


Solved Re: setup.exe has stoped working

Post by Belahzur on 28th March 2009, 7:09 pm

Okay, that means Combofix removed them for us. I was just making sure.
Do the rest of the instructions and post back once you've done them.



Solved Re: setup.exe has stoped working

Post by declan on 28th March 2009, 7:28 pm

Just waiting for everything to download :)


Solved Re: setup.exe has stoped working

Post by declan on 28th March 2009, 7:43 pm

While I'm waiting for everything to download, do you want to see why Crysis Warhead won't install???


Solved Re: setup.exe has stoped working

Post by Belahzur on 28th March 2009, 7:46 pm

Okay.

Does it give you an error/reason why or does it just say it's stopped working when you run it?



Solved Re: setup.exe has stoped working

Post by declan on 28th March 2009, 7:53 pm

This is what comes up when I press install (if you started the program, continue):
setup.exe
Macrovision Corporation
c:\program files\realtek usb wireless lan driver and utility\setup.exe

But I don't know what Realtek USB Wireless LAN has got to do with it; that's so I can get the internet, it shouldn't have anything to do with the game.


Solved Re: setup.exe has stoped working

Post by Belahzur on 28th March 2009, 8:02 pm

Well it does and it doesn't.
The game might have built in software that allows you to play online with other people.
But regardless of that, it should still install fine.

I'll ask a colleague to drop by here, see if he can figure this out.
Can I ask now though, has the Yoog hijacker gone?



Solved Re: setup.exe has stoped working

Post by declan on 28th March 2009, 8:09 pm

Yeah, thanks, that's been bugging me for a while. There's no sign of it. The only problem I have not had on my computer is liaising with GeekPolice. I will recommend you to ALL MY FRIENDS. YOU'VE BEEN A GREAT HELP :)


Solved Re: setup.exe has stoped working

Post by declan on 28th March 2009, 8:10 pm

When you speak to your mates, could you report back to this forum? Thanks a lot :)


Solved Re: setup.exe has stoped working

Post by Belahzur on 28th March 2009, 8:21 pm

Yes, he'll get the URL when I see him online soon.
Glad to hear Yoog is gone. Let's uninstall Combofix.

Click Start > Run and copy/paste the following text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.


