PLEASE HELP!!!!!!


Post by jacko on 22nd May 2009, 10:03 pm

I'm not quite sure if this is a virus, but:

I've left my computer for a week in my family's hands, and they have managed to do something to it in this short amount of time. When I returned from my week away it seemed to be fine, but when I tried to use some antivirus, e.g. Anti-Malware, HijackThis, I got an error 'runtime error 481 invalid picture'. I thought to myself, nah, I'll fix it later, and turned it off. When I tried to log in it said on the startup screen 'the user profile failed to logon, the profile could not be loaded' (something along the lines of that). I then booted in safe mode and the only antivirus that worked was Spybot S&D; that got something, because then I could use other antiviruses, but they didn't pick anything up. Now I'm not quite sure if this is a Vista error or a virus that is stopping me from logging on, please help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:48 PM, on 5/22/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\config\systemprofile\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [EasyTuneVPro] C:\Program Files\Gigabyte\ET5Pro\ETcall.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKCU\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3392664824-2861944473-4057590763-1000.bak\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
O4 - HKUS\S-1-5-21-3392664824-2861944473-4057590763-1000.bak\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3392664824-2861944473-4057590763-1000.bak\..\Run: [SmartRAM] "C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m (User '?')
O4 - HKUS\S-1-5-21-3392664824-2861944473-4057590763-1000.bak\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RMTray.exe /H (User '?')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - S-1-5-21-3392664824-2861944473-4057590763-1000.bak Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe (User '?')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: SteamWatch - CL - C:\Program Files\SteamWatch\SteamWatch.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 8862 bytes

jacko
Novice
Posts: 28
Joined: 2008-12-07
OS: windows vista SP1 32 bit
Points: 29253
Likes: 0

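As an added example (my own code, not part of the thread and not HijackThis's own analysis), a small Python triage pass over lines in the HijackThis v2 format posted above. The sample lines are copied from that log and embedded as constructed input; the four rules and the severity scale are my own heuristics, and the `.bak` rule rests on the known Windows behaviour of appending `.bak` to a profile's SID key when that profile could not be loaded, which matches the logon error the poster describes.

```python
"""Triage pass over HijackThis-format log lines (added example, not from the thread)."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str   # "info", "review" or "high": my own scale, not HijackThis's
    section: str    # HijackThis section id, e.g. "O4"
    detail: str


# Constructed sample: a few lines copied from the HijackThis v2 log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKUS\S-1-5-21-3392664824-2861944473-4057590763-1000.bak\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
O4 - HKUS\S-1-5-21-3392664824-2861944473-4057590763-1000.bak\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Line shapes as they appear in the log: "<section> - <body>".
RE_LINE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.*)$")
RE_BHO_NOFILE = re.compile(r"^BHO: .* - \{[0-9A-Fa-f-]+\} - \(no file\)$")
RE_BAK_HIVE = re.compile(r"^HKUS\\(?P<sid>S-1-5-21-[\d-]+)\.bak\\")
RE_PROTO_ZONE = re.compile(
    r"^ProtocolDefaults: '(?P<proto>[^']+)' protocol is in (?P<zone>.+?) Zone, "
    r"should be (?P<want>.+?) Zone")
RE_SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage(log_text: str) -> List[Finding]:
    """Return findings for the lines that match the rules below, in log order."""
    findings: List[Finding] = []
    seen_bak = set()
    for raw in log_text.splitlines():
        m = RE_LINE.match(raw.strip())
        if not m:
            continue  # blank lines, section headers, process list
        sec, body = m.group("sec"), m.group("body")
        if sec == "O2" and RE_BHO_NOFILE.match(body):
            # CLSID still registered but its DLL is gone: usually an uninstall
            # leftover, but the CLSID is what IE tries to load, so note it.
            findings.append(Finding("info", sec, "BHO registered with no file on disk: " + body))
        elif sec == "O4":
            b = RE_BAK_HIVE.match(body)
            if b and b.group("sid") not in seen_bak:
                seen_bak.add(b.group("sid"))
                # Windows appends .bak to a profile's SID key when it could not load
                # that profile and fell back to a temporary one; this is the same
                # condition behind a "user profile could not be loaded" logon error.
                findings.append(Finding("review", sec,
                                        f"Run entries under backed-up profile hive {b.group('sid')}.bak"))
        elif sec == "O15":
            z = RE_PROTO_ZONE.match(body)
            if z and z.group("zone") != z.group("want"):
                # A protocol mapped to the My Computer zone runs with the weakest IE
                # security settings; HijackThis already states the expected zone.
                findings.append(Finding("high", sec,
                                        f"'{z.group('proto')}' is in {z.group('zone')} Zone, "
                                        f"expected {z.group('want')} Zone"))
        elif sec == "O23":
            s = RE_SERVICE.match(body)
            if s and s.group("owner") == "Unknown owner":
                # No vendor string: verify the binary's signature and hash by hand.
                findings.append(Finding("review", sec,
                                        f"service '{s.group('name')}' has no vendor string: {s.group('path')}"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, or "none" for an empty list."""
    order = {"info": 0, "review": 1, "high": 2}
    return max((f.severity for f in findings), key=order.__getitem__, default="none")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.section}: {f.detail}")
    print("worst:", worst_severity(triage(SAMPLE_LOG)))
```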

Re: PLEASE HELP!!!!!!

Post by jacko on 22nd May 2009, 11:04 pm

This scan was done in safe mode with networking.


Re: PLEASE HELP!!!!!!

Post by Origin on 22nd May 2009, 11:45 pm



2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3
Points: 31503
Likes: 0


Re: PLEASE HELP!!!!!!

Post by jacko on 23rd May 2009, 12:20 am

It says that Trend Micro is still open, but when I look in Task Manager's processes it says that it isn't running?


Re: PLEASE HELP!!!!!!

Post by Origin on 23rd May 2009, 12:28 am

Trend Micro AV shouldn't start in Safe mode, oh well, please do the following:

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Re: PLEASE HELP!!!!!!

Post by jacko on 23rd May 2009, 12:35 am

Only 1 report/log opened; it was the DDS.txt.


DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by SYSTEM at 10:33:07.62 on Sat 05/23/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2814.2317 [GMT 10:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\config\systemprofile\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [EasyTuneVPro] c:\program files\gigabyte\et5pro\ETcall.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRunOnce: []
mRunOnce: [GrpConv] grpconv -o
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\windows\system32\config\system~1\appdata\roaming\mozilla\firefox\profiles\qrtnd0q9.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll

============= SERVICES / DRIVERS ===============

R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2009-2-9 145424]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-2-9 809296]
S2 SteamWatch;SteamWatch;c:\program files\steamwatch\SteamWatch.exe [2009-2-11 18944]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-2-9 50192]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-2-9 497008]
S2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-3-20 36368]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-2-9 677128]
S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2009-2-9 256528]
S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2009-2-9 24944]
S3 MarkFun_NT;MarkFun_NT;c:\program files\gigabyte\et5pro\MARKFUN.W32 [2009-2-9 17912]

=============== Created Last 30 ================

2009-05-23 10:22 --ds---- C:\Combo-Fix
2009-05-22 18:49 --d----- c:\windows\system32\config\systemprofile\Tracing
2009-05-22 18:29 --d----- c:\windows\system32\config\system~1\appdata\roaming\Malwarebytes
2009-05-22 17:50 --d----- C:\MGtools
2009-05-22 17:07 --d----- c:\windows\system32\config\system~1\appdata\roaming\IObit
2009-05-17 12:00 --d----- c:\programdata\2DBoy
2009-05-17 12:00 --d----- c:\progra~2\2DBoy
2009-05-16 09:40 --d----- c:\windows\usgwmt
2009-05-14 19:40 --d----- c:\program files\SystemRequirementsLab
2009-05-14 18:38 281,504 a------- c:\windows\system32\drivers\atksgt.sys
2009-05-14 18:38 25,888 a------- c:\windows\system32\drivers\lirsgt.sys
2009-05-14 18:15 --d----- c:\program files\Deep Silver
2009-05-09 16:26 506,368 a------- c:\windows\system32\msxml.dll
2009-05-09 14:58 709 a------- c:\windows\system32\CommandDispatchers.xml
2009-05-09 14:58 1,349 a------- c:\windows\system32\cleaner-config.xml
2009-05-09 14:57 --d----- c:\windows\system32\ErrorLogs
2009-05-09 14:56 4 a------- c:\windows\system32\GVTunner.ref
2009-05-09 14:47 --d----- c:\windows\system32\config\system~1\appdata\roaming\Xfire
2009-05-09 13:56 -cd-h--- c:\programdata\{A613CA96-150A-4A1D-90CE-67F81379DF8C}
2009-05-09 13:56 -cd-h--- c:\progra~2\{A613CA96-150A-4A1D-90CE-67F81379DF8C}
2009-05-09 13:35 -cd-h--- c:\programdata\~0
2009-05-09 13:35 -cd-h--- c:\progra~2\~0
2009-05-09 13:26 -cd-h--- c:\programdata\~1
2009-05-09 13:26 -cd-h--- c:\progra~2\~1
2009-04-30 07:19 41,808 a------- c:\windows\system32\xfcodec.dll
2009-04-28 07:22 524,288 a--sh--- C:\ntuser.dat{6d7c2962-3371-11de-bb6e-001fd0ae6740}.TMContainer00000000000000000002.regtrans-ms
2009-04-28 07:22 524,288 a--sh--- C:\ntuser.dat{6d7c2962-3371-11de-bb6e-001fd0ae6740}.TMContainer00000000000000000001.regtrans-ms
2009-04-28 07:22 65,536 a--sh--- C:\ntuser.dat{6d7c2962-3371-11de-bb6e-001fd0ae6740}.TM.blf
2009-04-28 07:22 5,120 a---h--- C:\ntuser.dat.LOG1
2009-04-28 07:22 0 a---h--- C:\ntuser.dat.LOG2
2009-04-28 07:22 262,144 a------- C:\ntuser.dat

==================== Find3M ====================

2009-05-17 08:43 24,944 a------- c:\windows\system32\drivers\GVTDrv.sys
2009-05-16 19:27 138,920 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-05-16 19:27 189,072 a------- c:\windows\system32\PnkBstrB.exe
2009-05-09 10:18 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-05-08 21:40 15,600 a------- c:\windows\gdrv.sys
2009-04-15 12:11 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-04-09 21:52 215,144 a------- c:\windows\patchw32.dll
2009-04-09 21:41 86,016 a------- c:\windows\inf\infstrng.dat
2009-04-09 21:41 51,200 a------- c:\windows\inf\infpub.dat
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-03 09:08 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-04-03 09:08 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-04-03 09:08 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-21 04:50 3,358,720 a------- c:\windows\system32\GPhotos.scr
2009-03-18 16:51 86,016 a------- c:\windows\inf\infstor.dat
2009-03-17 13:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-17 13:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-17 13:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-07 18:44 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-03-03 14:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-03 14:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-03 14:40 827,392 a------- c:\windows\system32\wininet.dll
2009-03-03 14:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-03 14:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-03 14:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 14:37 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-03 14:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-03 14:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-03 14:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-03 13:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 12:38 17,408 a------- c:\windows\system32\iashost.exe
2009-03-03 12:28 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-02-09 18:50 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 12:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 10:33:22.84 ===============


Re: PLEASE HELP!!!!!!

Post by jacko on 23rd May 2009, 12:39 am

^^^^^^^^^^^^^^^
That scan was also in safe mode.


Re: PLEASE HELP!!!!!!

Post by Origin on 23rd May 2009, 12:43 am

Hello, can you try renaming Malwarebytes to something else and performing a scan in safe mode, something like Maalwrbytes.exe or anything.



Re: PLEASE HELP!!!!!!

Post by jacko on 23rd May 2009, 12:47 am

I can get Malwarebytes to work, no problem, after S&D got 2 StatCounter cookies.

That's a quick scan:

Malwarebytes' Anti-Malware 1.36
Database version: 2168
Windows 6.0.6001 Service Pack 1

5/23/2009 10:54:06 AM
mbam-log-2009-05-23 (10-54-06).txt

Scan type: Quick Scan
Objects scanned: 66825
Time elapsed: 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: PLEASE HELP!!!!!!

Post by Origin on 23rd May 2009, 12:56 am

Please run HijackThis,
  • Once opened, click on the Open the Misc Tools section button
  • A section will open with various options, please click on Open process manager
  • Once there, find Trend Micro (c:\program files\Trend Micro) and highlight it, then click on the Kill Process button


Then try to run the above ComboFix instructions.



Re: PLEASE HELP!!!!!!

Post by jacko on 23rd May 2009, 1:04 am

It's not running at all, not even in the DLLs.


Re: PLEASE HELP!!!!!!

Post by Origin on 23rd May 2009, 1:12 am

Please close all antivirus, anti-malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

  • Please download RootRepeal.zip from [You must be registered and logged in to see this link.].
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report.
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.



Re: PLEASE HELP!!!!!!

Post by jacko on 23rd May 2009, 1:16 am

It has warned me that it may not work properly in safe mode, any thoughts?


Re: PLEASE HELP!!!!!!

Post by jacko on 23rd May 2009, 1:18 am

There are also no check boxes in the Report tab.


Re: PLEASE HELP!!!!!!

Post by Origin on 23rd May 2009, 1:25 am

Do you have internet connection?



Re: PLEASE HELP!!!!!!

Post by jacko on 23rd May 2009, 1:26 am

Yep, that's what I am using now, safe mode with networking.


Re: PLEASE HELP!!!!!!

Post by Origin on 23rd May 2009, 1:30 am

Please use the Internet Explorer browser, and do an online scan with [You must be registered and logged in to see this link.]

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**: To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Re: PLEASE HELP!!!!!!

Post by jacko on 23rd May 2009, 1:34 am

Windows security blocked the packets and the Java failed.


Re: PLEASE HELP!!!!!!

Post by jacko on 23rd May 2009, 1:36 am

It's blocked it because it couldn't verify the publisher.


Re: PLEASE HELP!!!!!!

Post by Origin on 23rd May 2009, 1:45 am

Hello, can you use normal mode at all?


Post by jacko on 23rd May 2009, 1:49 am

No, like I said in my first post, when I try to boot into normal mode it says that 'the user profile service failed to logon,
the user profile could not be loaded' (something along those lines)
and then it redirects me back to the user page, which only has mine; which you click on and the same thing happens.

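One diagnostic for the exact logon message quoted above, added here as an editor's example and not part of any post in this thread: on Vista, "The User Profile Service failed the logon. User profile cannot be loaded" is usually produced when the profile's SID key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList has been renamed with a .bak suffix and a fresh, empty twin has been created beside it. The batch file below is plain cmd, so it runs from Safe Mode on Vista without PowerShell; it lists every profile key with its ProfilePath and flags any .bak entry. It only runs reg query and changes nothing. The key path and value names are the standard ones; the warning text is the editor's.

```batch
@echo off
rem Editor's diagnostic (not from the thread): enumerate the ProfileList keys
rem that Vista uses to map SIDs to profile folders and flag any ".bak" twin,
rem the usual cause of "The User Profile Service failed the logon".
rem Read-only: it only runs "reg query" and changes nothing.
setlocal EnableDelayedExpansion
set "KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
set "BAKFOUND=0"

rem Only subkey lines contain "\ProfileList\"; the parent key's own values do not.
for /f "tokens=*" %%K in ('reg query "%KEY%" 2^>nul ^| find /i "\ProfileList\"') do (
    set "SUB=%%K"
    set "PATHVAL=no ProfilePath value"
    rem Keep everything after the type token of "ProfilePath  REG_EXPAND_SZ  C:\Users\name".
    for /f "tokens=2,*" %%A in ('reg query "%%K" /v ProfilePath 2^>nul ^| find /i "ProfilePath"') do (
        set "PATHVAL=%%B"
    )
    echo !SUB!
    echo     ProfilePath: !PATHVAL!
    echo !SUB! | find /i ".bak" >nul && (
        set "BAKFOUND=1"
        echo     WARNING: ".bak" suffix. This SID has a backup key; its un-suffixed twin is
        echo              usually a fresh, empty profile created after the original failed to load.
    )
)

if "!BAKFOUND!"=="1" (
    echo.
    echo Backup profile keys found. The documented fix ^(Microsoft KB 947215^) is to
    echo rename the keys, not delete them, after exporting the ProfileList key as a backup.
) else (
    echo.
    echo No ".bak" profile keys found; the logon error likely has another cause.
)
endlocal
```

Save it as profilelist.cmd and run it from an elevated command prompt in Safe Mode. A .bak key next to a same-SID key points at the profile-registry cause rather than at malware; a clean listing means the remaining tools in this thread are the right next step.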

Post by Origin on 23rd May 2009, 2:27 am

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


Post by jacko on 23rd May 2009, 3:36 am

Doesn't work because Avenger wants to boot to normal and I can't log in.


Post by Origin on 23rd May 2009, 5:42 pm


  • Download random's system information tool (RSIT) by random/random from [You must be registered and logged in to see this link.] and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized)
