Spybot, Malwarebytes, HijackThis & GMER won't run

cmstueber
2009-09-08, 23:23
A friend of mine called me a few days ago to look at his computer. His desktop icons and taskbar were all missing. Upon hitting Ctrl+Alt+Del and looking at his running processes, I noticed that explorer.exe was missing.

I then opened a command prompt, went to the Windows directory and entered explorer.exe to get Explorer to run. I was greeted with a message saying "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item".

I then entered a cacls command at the prompt (cacls explorer.exe /p david:f) and then was able to get Explorer running again. However, right clicking on the desktop makes the desktop/taskbar disappear. Trying to open the Control Panel makes it disappear also.

I then installed Spybot from a thumbdrive. Spybot installed but would not run past the initial loading-in process. As soon as a scan started, it would crash to the desktop.

I then installed Malwarebytes' Anti-Malware. It started to scan the first time but crashed to the desktop after a few seconds. Any further attempt to run it results in the "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item" message. Issuing a cacls command for the .exe of this program does not seem to help.

My friend's kids attempted to fix this also and I see ComboFix on the desktop, but I do not see an installation of it on the C: drive.

I installed HijackThis to get a log file. It starts the scan but crashes to the desktop after getting almost complete. After running it once, I cannot access it again without getting a "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item" message. Issuing a cacls command from a cmd prompt does allow me to use it again, however.

I installed GMER to get a log file to post. Again, much like HijackThis, it starts the scan and runs for about ten minutes, then crashes to the desktop. It will not run again without generating a "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item" message. Issuing a cacls command from a cmd prompt does allow it to run again, but it still crashes to the desktop.

Here is a list of processes that are running on the machine at bootup:
mscipevc.exe
wmiapise.exe
wdfmgr.exe
svchost.exe (7 times)
spoolsv.exe
lsass.exe
winlogon.exe
csrss.exe
TeaTimer.exe
taskmgr.exe
chcp.com
explorer.exe
System
System Idle Process

When I first got the computer to my house to attempt to fix it, I tried to boot into safe mode. Safe mode would not work. I had to modify the computer's registry to get safe mode to work again. However, running any of the above programs in safe mode still produces the same results.

If I boot off of a Windows XP CD and start the repair console, I have two options to work in: one is called MiniNT, the other is Windows XP Home.

The computer runs Windows XP Home with SP2 installed.

Computer details:
Gateway 507 GR
Pentium 4 w/ HT @ 3 GHz
800 MHz FS, 512 MB RAM

Thanks for any help!

I was able to get a Rootrepeal log to run. Here it is:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/08 14:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: aujasnkj.sys
Image Path: C:\DOCUME~1\david\LOCALS~1\Temp\aujasnkj.sys
Address: 0xA960D000 Size: 84352 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA1FF000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8B70000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9926000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF8966000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xAA3AE000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden Services
-------------------
Service Name: kbiwkmethoehfl
Image Path: C:\WINDOWS\system32\drivers\kbiwkmnsdpmqss.sys

==EOF==

=======================
Edit
Because you added a post to your own topic, it would have appeared to volunteer analysts that you were already being assisted as they look for topics with no response.

If you still need help,
The Waiting Room (http://forums.spybot.info/forumdisplay.php?f=37)
Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days (http://forums.spybot.info/showthread.php?t=1137)
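The RootRepeal log above is where the security-relevant evidence sits: a kernel driver loaded from the user's Temp directory with no visible file, two drivers whose image is an alternate data stream on win32k.sys, and a service that is hidden from the normal service list. As an added example (not part of the original post or of RootRepeal), here is a small Python triage script that parses the "Drivers" and "Hidden Services" sections in that layout and lists the entries a responder should look at first. The sample is a trimmed copy of the posted sections, and the heuristics (Temp/profile paths, ADS names, invisible files other than the expected crash-dump and scanner drivers) are my own triage rules, not a verdict.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed "Drivers" and "Hidden Services" section in the
# layout RootRepeal uses, with entries taken from the log posted above.
SAMPLE_LOG = """\
Drivers
-------------------
Name: aujasnkj.sys
Image Path: C:\\DOCUME~1\\david\\LOCALS~1\\Temp\\aujasnkj.sys
Address: 0xA960D000 Size: 84352 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xAA1FF000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xA9926000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\\WINDOWS\\win32k.sys:1
Address: 0xF8966000 Size: 20480 File Visible: No Signed: -
Status: -

Hidden Services
-------------------
Service Name: kbiwkmethoehfl
Image Path: C:\\WINDOWS\\system32\\drivers\\kbiwkmnsdpmqss.sys
"""

# Known field names; several "Key: value" pairs can share one line.
KEY_RE = re.compile(
    r"(?:^|\s)(Image Path|File Visible|Service Name|Name|Address|Size|Signed|Status): ")
RULE = re.compile(r"-{5,}")
# Loaded drivers that legitimately have no file of that name on disk: the
# crash-dump copies of the storage stack (dump_*.sys) and the scanner's own driver.
EXPECTED_INVISIBLE = re.compile(r"^(dump_.*|rootrepeal\.sys)$", re.I)
TEMP_OR_PROFILE = re.compile(
    r"\\(temp|tmp|locals~1|local settings|docume~1|documents and settings)\\", re.I)
ADS_NAME = re.compile(r"\.sys:\d+$", re.I)  # e.g. win32k.sys:1


def parse_pairs(line: str) -> Dict[str, str]:
    """Split 'Key: value Key: value' into a dict; a value runs up to the next known key."""
    matches = list(KEY_RE.finditer(line))
    pairs: Dict[str, str] = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(line)
        pairs[m.group(1)] = line[m.end():end].strip()
    return pairs


def parse_rootrepeal(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group the output into sections (a title line followed by a dashed rule),
    each holding blank-line-separated records."""
    lines = text.splitlines()
    sections: Dict[str, List[Dict[str, str]]] = {}
    current: Optional[str] = None
    record: Dict[str, str] = {}

    def flush() -> None:
        nonlocal record
        if current is not None and record:
            sections[current].append(record)
        record = {}

    for i, line in enumerate(lines):
        stripped = line.strip()
        if i + 1 < len(lines) and RULE.fullmatch(lines[i + 1].strip()):
            flush()
            current = stripped
            sections.setdefault(current, [])
        elif RULE.fullmatch(stripped):
            continue
        elif not stripped:
            flush()
        elif current is not None:
            record.update(parse_pairs(stripped))
    flush()
    return sections


def triage(sections: Dict[str, List[Dict[str, str]]]) -> List[Tuple[str, List[str]]]:
    """Return (name, reasons) for the entries worth a responder's attention."""
    findings: List[Tuple[str, List[str]]] = []
    for drv in sections.get("Drivers", []):
        name, path = drv.get("Name", "?"), drv.get("Image Path", "")
        reasons: List[str] = []
        if TEMP_OR_PROFILE.search(path):
            reasons.append("kernel driver loaded from a temp or user-profile directory")
        if ADS_NAME.search(name):
            reasons.append("driver image is an alternate data stream on a Windows file")
        elif drv.get("File Visible") == "No" and not EXPECTED_INVISIBLE.match(name):
            reasons.append("loaded driver has no visible file on disk")
        if reasons:
            findings.append((name, reasons))
    for svc in sections.get("Hidden Services", []):
        findings.append((svc.get("Service Name", "?"),
                         [f"service hidden from the service list; image {svc.get('Image Path', '?')}"]))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_rootrepeal(SAMPLE_LOG)):
        print(name, "->", "; ".join(reasons))
```

Run as-is it reports aujasnkj.sys, win32k.sys:1 and the hidden service kbiwkmethoehfl, and stays quiet about dump_atapi.sys and rootrepeal.sys even though both also show "File Visible: No". Anything in the cleanup logs later in the thread that matches these names is then straightforward to cross-check.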

ken545
2009-09-15, 00:28
Hello cmstueber

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

You're infected with a nasty rootkit :sad:

See if you can get this to run.

Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

cmstueber
2009-09-15, 01:50
Thanks for the reply.

I ran exeHelper and got this from the log:

exeHelper by Raktor - 09

Build 20090914

Run at 16:47:59 on 09/14/09

Now searching...

Checking for numerical processes...

Checking for bad processes...

Checking for bad files...

Found file C:\WINDOWS\system32\cru629.dat

Deleting file C:\WINDOWS\system32\cru629.dat

Found file C:\WINDOWS\cru629.dat

Deleting file C:\WINDOWS\cru629.dat

Resetting filetype association for .exe

Resetting filetype association for .com

--Finished--

ken545
2009-09-15, 02:00
Hi cmstueber,

Glad we didn't lose you; the forums, if you're not used to them, can get a bit confusing, but we're on the same page now :)

exeHelper reset all your permissions, so most programs should run.

Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log, please.

cmstueber
2009-09-15, 02:31
I downloaded and installed a new Malwarebytes' Anti-Malware. I was able to get to the screen to start a scan, but after running a few seconds it crashed to the desktop and I cannot find a log.

Same for HijackThis.

Once I run both programs and they crash, I cannot open them again without first using a cacls command to give the user permissions to use them.

ken545
2009-09-15, 02:48
First do this, but don't run anything yet, just download Inherit to your desktop.

Download Inherit (http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe) and save it to your desktop.

Now download ComboFix and rename it, download it to your desktop and then use your mouse to drag and drop ComboFix into Inherit, and then run ComboFix.

Download ComboFix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore back the connections.

cmstueber
2009-09-15, 03:32
Thank you so much! ComboFix is now running.

One question: This is a friend's computer and I have it at my house. His network was set up for DHCP, but my network uses fixed network addresses and I cannot get into the Control Panel on the infected computer to change the settings. Because of this, I cannot get ComboFix to download and install the Recovery Console. Is there a place I can download and install it from a thumb drive?

Thanks again!

cmstueber
2009-09-15, 04:04
Here is the log from ComboFix. NOTE: I tried to shut off Avast scanning, but there was nothing running in the processes nor anything in the task tray that related to this program. Maybe a false positive?

ComboFix 09-09-14.02 - david 09/14/2009 18:26.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.288 [GMT -7:00]
Running from: c:\documents and settings\david\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1296 [VPS 090828-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1062911282
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\55.tmp
C:\ekxfnpkm.exe
C:\kvhwftjn.exe
C:\lcbckjms.exe
c:\program files\AskSearch\bin\DefaultSearch.dll
c:\program files\Common Files\Yazzle1552OinAdmin.exe
c:\program files\QdrDrive
c:\program files\QdrModule
c:\recycler\S-1-5-21-3711191419-3918773910-1135142375-1003
C:\sdlb.exe
C:\svfp.exe
c:\windows\BMc39671fd.txt
c:\windows\BMc39671fd.xml
c:\windows\cookies.ini
c:\windows\Downloaded Program Files\poPCaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\pskt.ini
c:\windows\system32\aeipybdu.ini
c:\windows\system32\agphhola.ini
c:\windows\system32\ahfeqqcj.ini
c:\windows\system32\aohaylii.ini
c:\windows\system32\asrhjadu.ini
c:\windows\system32\byvuhrdf.ini
c:\windows\system32\drivers\kbiwkmnsdpmqss.sys
c:\windows\system32\drnojhbj.ini
c:\windows\system32\drtkkxwt.ini
c:\windows\system32\duslqhgs.ini
c:\windows\system32\ftlauvbm.ini
c:\windows\system32\fvpwlobn.ini
c:\windows\system32\geqhwhmx.ini
c:\windows\system32\griurhho.ini
c:\windows\system32\gvdcchuo.ini
c:\windows\system32\haaoxihs.ini
c:\windows\system32\ilnqmwew.ini
c:\windows\system32\intel64.exe
c:\windows\system32\iqfnosup.ini
c:\windows\system32\jvgnogou.ini
c:\windows\system32\jxvpiadd.ini
c:\windows\system32\jyuscbvc.ini
c:\windows\system32\kbiwkmctvwmixf.dat
c:\windows\system32\kbiwkmdeqrxbes.dll
c:\windows\system32\kbiwkmnoenxlvd.dll
c:\windows\system32\kbiwkmsngvpxuf.dat
c:\windows\system32\kdxhldqh.ini
c:\windows\system32\krjrlhsk.ini
c:\windows\system32\ltntlman.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\midayqio.ini
c:\windows\system32\nafeemnn.ini
c:\windows\system32\nfhsanye.ini
c:\windows\system32\ntustewf.ini
c:\windows\system32\opwsxafn.ini
c:\windows\system32\ppbliosk.ini
c:\windows\system32\qkucfpsa.ini
c:\windows\system32\qsvbddts.ini
c:\windows\system32\rvghxdos.ini
c:\windows\system32\sfatqbnx.ini
c:\windows\system32\sfxlkpfw.ini
c:\windows\system32\terrapof32
c:\windows\system32\terrapof32\efwef23.gds
c:\windows\system32\terrapof32\g45hged.gdp
c:\windows\system32\vfnwathh.ini
c:\windows\system32\vidrgocy.ini
c:\windows\system32\vsndvqtd.ini
c:\windows\system32\wxvihdxu.ini
c:\windows\system32\xboksmxa.ini
c:\windows\system32\xwdgybek.ini
c:\windows\system32\ycbawsbs.ini
c:\windows\system32\yudtxocc.ini
C:\yihw.exe
D:\Autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmethoehfl
-------\Legacy_kbiwkmethoehfl
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-09-15 00:27 . 2009-09-15 01:10 -------- dc----w- C:\32788R22FWJFW
2009-09-15 00:23 . 2009-09-15 00:23 -------- d-----w- c:\documents and settings\david\Application Data\Malwarebytes
2009-08-30 21:47 . 2009-08-30 21:47 32290 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-08-30 21:47 . 2009-08-30 21:47 25600 ----a-w- c:\windows\system32\Partizan.exe
2009-08-30 21:47 . 2009-08-30 21:47 2 --shatr- c:\windows\winstart.bat
2009-08-30 21:46 . 2009-08-30 22:35 -------- d-----w- c:\program files\UnHackMe
2009-08-30 21:36 . 2009-08-30 21:36 -------- dc----w- c:\documents and settings\Administrator.YOUR-B497934EB7\Application Data\Malwarebytes
2009-08-30 21:35 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-30 21:35 . 2009-09-15 00:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 21:35 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 21:35 . 2009-08-30 21:35 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-30 17:32 . 2004-08-04 07:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-08-30 17:32 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-08-30 17:32 . 2004-08-04 05:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-08-30 17:32 . 2004-08-04 05:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-08-29 14:45 . 2009-08-29 14:45 2855 ----a-w- c:\windows\explorer.PIF
2009-08-29 14:43 . 2001-08-17 20:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2009-08-29 14:42 . 2001-08-17 20:49 24576 -c--a-w- c:\windows\system32\dllcache\viairda.sys
2009-08-29 14:41 . 2001-08-18 05:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2009-08-29 14:40 . 2001-08-17 19:14 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2009-08-29 14:39 . 2001-08-17 19:18 285760 -c--a-w- c:\windows\system32\dllcache\stlnata.sys
2009-08-29 14:38 . 2001-08-17 20:57 6784 -c--a-w- c:\windows\system32\dllcache\smbhc.sys
2009-08-29 14:37 . 2001-07-21 21:29 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
2009-08-29 14:36 . 2001-08-17 21:56 179264 -c--a-w- c:\windows\system32\dllcache\s3sav3d.dll
2009-08-29 14:35 . 2001-08-17 20:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2009-08-29 14:34 . 2001-08-17 21:04 173696 -c--a-w- c:\windows\system32\dllcache\philcam2.sys
2009-08-29 14:33 . 2001-08-17 21:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2009-08-29 14:32 . 2001-08-17 19:50 27936 -c--a-w- c:\windows\system32\dllcache\n9i3d.sys
2009-08-29 14:31 . 2004-08-04 06:10 15360 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2009-08-29 14:30 . 2001-08-17 19:12 20573 -c--a-w- c:\windows\system32\dllcache\lne100.sys
2009-08-29 14:29 . 2001-08-17 21:06 100992 -c--a-w- c:\windows\system32\dllcache\icam5usb.sys
2009-08-29 14:28 . 2001-08-18 05:36 9759 -c--a-w- c:\windows\system32\dllcache\hsf_inst.dll
2009-08-29 14:27 . 2001-08-17 20:51 82304 -c--a-w- c:\windows\system32\dllcache\grclass.sys
2009-08-29 14:26 . 2001-08-18 05:36 34816 -c--a-w- c:\windows\system32\dllcache\esuimg.dll
2009-08-29 14:25 . 2001-08-17 20:47 23808 -c--a-w- c:\windows\system32\dllcache\dot4usb.sys
2009-08-29 14:24 . 2001-08-17 19:19 72832 -c--a-w- c:\windows\system32\dllcache\cwbwdm.sys
2009-08-29 14:23 . 2001-08-18 05:36 9728 -c--a-w- c:\windows\system32\dllcache\brserif.dll
2009-08-29 14:22 . 2004-08-04 05:32 10880 -c--a-w- c:\windows\system32\dllcache\admjoy.sys
2009-08-29 14:18 . 2009-08-30 18:09 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-29 14:18 . 2009-08-29 14:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-27 18:50 . 2009-08-27 18:50 87040 ----a-w- c:\windows\system32\wmiapise.exe
2009-08-27 18:47 . 2009-08-27 18:47 705 -c--a-w- C:\qbuf.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-28 03:46 . 2009-06-16 20:29 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-08-28 03:44 . 2009-06-16 20:29 -------- d-----w- c:\program files\DNA
2009-08-27 18:41 . 2006-03-28 22:27 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-08-27 01:08 . 2006-02-25 14:36 1360 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-08-05 09:11 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-26 16:11 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 17:08 . 2004-08-26 16:12 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:18 . 2004-08-26 16:12 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-26 16:11 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:44 . 2004-08-26 16:12 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-08-26 16:12 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-08-26 16:12 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-08-26 16:12 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2004-08-26 16:11 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-08-26 16:11 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:34 . 2004-08-26 16:11 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-30 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKLM\~\startupfolder\C:^Documents and Settings^david^Start Menu^Programs^Startup^BitTorrent.lnk]
path=c:\documents and settings\david\Start Menu\Programs\Startup\BitTorrent.lnk
backup=c:\windows\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^david^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\david\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"PrismXL"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1144371325\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1144371325\\ee\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3646:TCP"= 3646:TCP:File Sharing
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/23/2008 11:33 AM 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/23/2008 11:33 AM 20560]
S2 WMIAPISE;Windows Management Instrumentation Service Extension;c:\windows\system32\wmiapise.exe [8/27/2009 11:50 AM 87040]
S3 kwkxusb;Kyocera Wireless USB CDMA Modem Driver;c:\windows\system32\drivers\kwusb2k.sys [4/29/2006 4:56 PM 29952]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [8/30/2009 2:47 PM 32290]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [2/25/2006 7:56 PM 79616]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/16/2008 1:32 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-09-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2006-02-15 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
.
- - - - ORPHANS REMOVED - - - -

Notify-opnmmkj - opnmmkj.dll
SafeBoot-sglfb.sys
SafeBoot-tga.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 18:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
c:\windows\temp\mscipevc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-15 18:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-15 01:39

Pre-Run: 159,557,652,480 bytes free
Post-Run: 161,449,234,432 bytes free

256 --- E O F --- 2009-08-26 10:00

cmstueber
2009-09-15, 04:14
Here's the log from HijackThis, which now runs!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:15 PM, on 9/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\mscipevc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
D:\Temp\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\david\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKUS\S-1-5-21-1565126480-2635846374-2474710310-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Owner')
O4 - HKUS\S-1-5-21-1565126480-2635846374-2474710310-1003\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User 'Owner')
O4 - HKUS\S-1-5-21-1565126480-2635846374-2474710310-1003\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Owner')
O4 - HKUS\S-1-5-21-1565126480-2635846374-2474710310-1003\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe" (User 'Owner')
O4 - HKUS\S-1-5-21-1565126480-2635846374-2474710310-1003\..\Run: [Cpue] "C:\DOCUME~1\Owner\MYDOCU~1\WNSXS~1\nopdb.exe" -vt yazb (User 'Owner')
O4 - HKUS\S-1-5-21-1565126480-2635846374-2474710310-1003\..\Run: [QdrModule11] "C:\Program Files\QdrModule\QdrModule11.exe" (User 'Owner')
O4 - HKUS\S-1-5-21-1565126480-2635846374-2474710310-1003\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" (User 'Owner')
O4 - HKUS\S-1-5-21-1565126480-2635846374-2474710310-500\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe (User 'Administrator')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows Management Instrumentation Service Extension (WMIAPISE) - Unknown owner - C:\WINDOWS\System32\wmiapise.exe

--
End of file - 6558 bytes
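The HijackThis log reveals two of the items from the first post's process list: wmiapise.exe is installed as an O23 service with "Unknown owner" (HijackThis prints that when the file's version info carries no company name), and mscipevc.exe runs from C:\WINDOWS\TEMP without any O4 or O23 entry that would start it, which is what one expects when persistence is handled by a hidden service. As an added example (not from the original post or from HijackThis), here is a Python script that reads a log in this layout, flags processes from Temp, autoruns from the user profile and services with no publisher, and links each to the autostart entry that launches it or notes that none is visible. The sample is trimmed to a few entries copied from the log above; the rules are my own triage heuristics, and an Application Data path in an autorun is a prompt to look, not proof of anything.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample in HijackThis v2 layout, trimmed to a few entries copied
# from the log posted above (paths and names as they appear there).
SAMPLE_HJT = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\TEMP\\mscipevc.exe
C:\\WINDOWS\\explorer.exe
C:\\Documents and Settings\\david\\Desktop\\HijackThis.exe

O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O4 - HKUS\\S-1-5-21-1565126480-2635846374-2474710310-1003\\..\\Run: [Cpue] "C:\\DOCUME~1\\Owner\\MYDOCU~1\\WNSXS~1\\nopdb.exe" -vt yazb (User 'Owner')
O23 - Service: Adobe LM Service - Adobe Systems - C:\\Program Files\\Common Files\\Adobe Systems Shared\\Service\\Adobelmsvc.exe
O23 - Service: Windows Management Instrumentation Service Extension (WMIAPISE) - Unknown owner - C:\\WINDOWS\\System32\\wmiapise.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
TEMP_DIR = re.compile(r"\\temp\\", re.I)
PROFILE_DIR = re.compile(
    r"\\(temp|docume~1|documents and settings|application data|local settings)\\", re.I)


def exe_from_command(cmd: str) -> str:
    """Executable path from an O4 command line: the quoted token if there is
    one, otherwise the first whitespace-delimited token."""
    quoted = re.match(r'"([^"]+)"', cmd)
    return quoted.group(1) if quoted else cmd.split(" ", 1)[0]


def parse_hjt(text: str) -> Dict[str, list]:
    """Collect the running-process list, O4 autoruns and O23 services."""
    procs: List[str] = []
    autoruns: List[Dict[str, str]] = []
    services: List[Dict[str, str]] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:  # the process block ends at the first blank line
            if line:
                procs.append(line)
            else:
                in_procs = False
            continue
        m = O4_RE.match(line)
        if m:
            autoruns.append({"name": m["name"], "hive": m["hive"],
                             "path": exe_from_command(m["cmd"])})
            continue
        m = O23_RE.match(line)
        if m:
            services.append({"name": m["display"], "owner": m["owner"], "path": m["path"]})
    return {"processes": procs, "autoruns": autoruns, "services": services}


def triage_hjt(parsed: Dict[str, list]) -> List[Dict[str, object]]:
    """Flag suspicious processes, autoruns and services, and record for each
    whether it is running and which visible autostart entry launches it."""
    running = {ntpath.basename(p).lower() for p in parsed["processes"]}
    launchers: Dict[str, str] = {}
    for a in parsed["autoruns"]:
        launchers[ntpath.basename(a["path"]).lower()] = f"O4 [{a['name']}]"
    for s in parsed["services"]:
        launchers[ntpath.basename(s["path"]).lower()] = f"O23 {s['name']}"
    findings: List[Dict[str, object]] = []

    def add(path: str, reason: str) -> None:
        base = ntpath.basename(path).lower()
        findings.append({"item": base, "reason": reason,
                         "running": base in running,
                         "launched_by": launchers.get(base)})

    for p in parsed["processes"]:
        if TEMP_DIR.search(p):
            add(p, "process running from a Temp directory")
    for a in parsed["autoruns"]:
        if PROFILE_DIR.search(a["path"]):
            add(a["path"], "autorun starts an executable kept in the user profile")
    for s in parsed["services"]:
        if s["owner"].lower() == "unknown owner":
            add(s["path"], "service image carries no company name in its version info")
    return findings


if __name__ == "__main__":
    for f in triage_hjt(parse_hjt(SAMPLE_HJT)):
        where = f["launched_by"] or "no visible autostart entry (look for a hidden service or rootkit)"
        print(f"{f['item']:14} running={str(f['running']):5} {f['reason']}; via {where}")
```

The "launched_by is None" case is the useful one for a responder: a process that is running but has no visible autostart entry is exactly the pattern produced by the hidden service RootRepeal reported earlier in the thread.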

cmstueber
2009-09-15, 06:17
Everything is kind of back to normal.

Now a lot of control panel items give me an access denied error. Here is the error: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item"

I logged into safe mode, then into the admin account but that is also locked out of most of the control panel items. At least using them doesn't kill explorer. So progress has been made.

Thank you so much!

ken545
2009-09-15, 10:02
Good Morning,

This is most likely how this computer got infected: using file sharing programs. Your friend has been downloading files from Limewire and a couple of the torrent programs.

Read this please



We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.

Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.


If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.


We do not ask you to do this without reason.


P2P (file sharing) programs form a direct conduit onto your computer; their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html (http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html)

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Whether you uninstall them is up to you and your friend, but if he gets infected a second time using them, help on this forum will be denied.


Since things are working now, run Malwarebytes and post the report. I also need to look over your Combofix log and make sure there is nothing we missed.

cmstueber
2009-09-15, 15:36
Log from Malwarebytes scan:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

9/15/2009 6:31:06 AM
mbam-log-2009-09-15 (06-31-06).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 159416
Time elapsed: 21 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I will remove Limewire and BitTorrent once I can get back into the add/remove programs in the control panel.

Any thoughts on the permissions issue in the control panel and elsewhere? I have been doing searches for it on Google but have yet to come across anything that helped resolve the issue.

Thank you!

cmstueber
2009-09-15, 16:37
I installed the Recovery Console from an XP disc and re-ran ComboFix.

Here is the new log:

ComboFix 09-09-14.02 - Administrator 09/15/2009 7:26.3.2 - NTFSx86 NETWORK
Running from: c:\documents and settings\Administrator.YOUR-B497934EB7\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1296 [VPS 090828-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-09-15 05:09 . 2009-09-15 05:10 -------- d-----w- c:\windows\system32\NtmsData
2009-09-15 00:23 . 2009-09-15 00:23 -------- d-----w- c:\documents and settings\david\Application Data\Malwarebytes
2009-08-30 21:47 . 2009-08-30 21:47 32290 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-08-30 21:47 . 2009-08-30 21:47 25600 ----a-w- c:\windows\system32\Partizan.exe
2009-08-30 21:47 . 2009-08-30 21:47 2 --shatr- c:\windows\winstart.bat
2009-08-30 21:46 . 2009-08-30 22:35 -------- d-----w- c:\program files\UnHackMe
2009-08-30 21:36 . 2009-08-30 21:36 -------- dc----w- c:\documents and settings\Administrator.YOUR-B497934EB7\Application Data\Malwarebytes
2009-08-30 21:35 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-30 21:35 . 2009-09-15 04:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 21:35 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 21:35 . 2009-08-30 21:35 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-30 17:32 . 2004-08-04 07:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-08-30 17:32 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-08-30 17:32 . 2004-08-04 05:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-08-30 17:32 . 2004-08-04 05:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-08-29 14:45 . 2009-08-29 14:45 2855 ----a-w- c:\windows\explorer.PIF
2009-08-29 14:43 . 2001-08-17 20:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2009-08-29 14:42 . 2001-08-17 20:49 24576 -c--a-w- c:\windows\system32\dllcache\viairda.sys
2009-08-29 14:41 . 2001-08-18 05:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2009-08-29 14:40 . 2001-08-17 19:14 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2009-08-29 14:39 . 2001-08-17 19:18 285760 -c--a-w- c:\windows\system32\dllcache\stlnata.sys
2009-08-29 14:38 . 2001-08-17 20:57 6784 -c--a-w- c:\windows\system32\dllcache\smbhc.sys
2009-08-29 14:37 . 2001-07-21 21:29 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
2009-08-29 14:36 . 2001-08-17 21:56 179264 -c--a-w- c:\windows\system32\dllcache\s3sav3d.dll
2009-08-29 14:35 . 2001-08-17 20:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2009-08-29 14:34 . 2001-08-17 21:04 173696 -c--a-w- c:\windows\system32\dllcache\philcam2.sys
2009-08-29 14:33 . 2001-08-17 21:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2009-08-29 14:32 . 2001-08-17 19:50 27936 -c--a-w- c:\windows\system32\dllcache\n9i3d.sys
2009-08-29 14:31 . 2004-08-04 06:10 15360 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2009-08-29 14:30 . 2001-08-17 19:12 20573 -c--a-w- c:\windows\system32\dllcache\lne100.sys
2009-08-29 14:29 . 2001-08-17 21:06 100992 -c--a-w- c:\windows\system32\dllcache\icam5usb.sys
2009-08-29 14:28 . 2001-08-18 05:36 9759 -c--a-w- c:\windows\system32\dllcache\hsf_inst.dll
2009-08-29 14:27 . 2001-08-17 20:51 82304 -c--a-w- c:\windows\system32\dllcache\grclass.sys
2009-08-29 14:26 . 2001-08-18 05:36 34816 -c--a-w- c:\windows\system32\dllcache\esuimg.dll
2009-08-29 14:25 . 2001-08-17 20:47 23808 -c--a-w- c:\windows\system32\dllcache\dot4usb.sys
2009-08-29 14:24 . 2001-08-17 19:19 72832 -c--a-w- c:\windows\system32\dllcache\cwbwdm.sys
2009-08-29 14:23 . 2001-08-18 05:36 9728 -c--a-w- c:\windows\system32\dllcache\brserif.dll
2009-08-29 14:22 . 2004-08-04 05:32 10880 -c--a-w- c:\windows\system32\dllcache\admjoy.sys
2009-08-29 14:18 . 2009-08-30 18:09 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-29 14:18 . 2009-08-29 14:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-27 18:50 . 2009-08-27 18:50 87040 ----a-w- c:\windows\system32\wmiapise.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-28 03:46 . 2009-06-16 20:29 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-08-28 03:44 . 2009-06-16 20:29 -------- d-----w- c:\program files\DNA
2009-08-27 18:41 . 2006-03-28 22:27 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-08-27 01:08 . 2006-02-25 14:36 1360 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-08-05 09:11 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-26 16:11 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 17:08 . 2004-08-26 16:12 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:18 . 2004-08-26 16:12 659456 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-26 16:11 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:44 . 2004-08-26 16:12 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-08-26 16:12 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-08-26 16:12 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-08-26 16:12 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 2004-08-26 16:11 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-08-26 16:11 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:34 . 2004-08-26 16:11 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((( SnapShot@2009-09-15_01.36.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-26 10:54 . 2009-09-15 13:33 215264 c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-30 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKLM\~\startupfolder\C:^Documents and Settings^david^Start Menu^Programs^Startup^BitTorrent.lnk]
path=c:\documents and settings\david\Start Menu\Programs\Startup\BitTorrent.lnk
backup=c:\windows\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^david^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\david\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"PrismXL"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1144371325\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1144371325\\ee\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3646:TCP"= 3646:TCP:File Sharing
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection; [x]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-26 20560]
R2 WMIAPISE;Windows Management Instrumentation Service Extension;c:\windows\System32\wmiapise.exe [2009-08-27 87040]
R3 kwkxusb;Kyocera Wireless USB CDMA Modem Driver;c:\windows\system32\DRIVERS\kwusb2k.sys [2004-10-19 29952]
R3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-08-30 32290]
R3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\DRIVERS\rt2500usb.sys [2004-05-07 79616]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
Contents of the 'Scheduled Tasks' folder

2009-09-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2006-02-15 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.gatewaybiz.com/
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-UnHackMe Monitor - c:\program files\UnHackMe\hackmon.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-15 07:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-15 7:31
ComboFix-quarantined-files.txt 2009-09-15 14:31
ComboFix2.txt 2009-09-15 05:34
ComboFix3.txt 2009-09-15 01:39

Pre-Run: 161,928,151,040 bytes free
Post-Run: 161,918,001,152 bytes free

165 --- E O F --- 2009-08-26 10:00

ken545
2009-09-15, 18:21
Hi,

Go to your Add Remove Programs in the Control Panel and uninstall Viewpoint; it installs without your knowledge or consent, is considered adware, uses system resources and is not needed for anything.

You may have some Windows issues on this computer; Combofix found this:
Cryptography Services Error

Along with the other issues you're having, I would suggest posting here for help, as this forum is just for malware removal.

Windows Support (http://forums.whatthetech.com/Microsoft_Windows_f119.html) <-- Our Sister Site


In the meantime, run this free Online Virus scanner and post the log along with a new HJT log please

Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

cmstueber
2009-09-15, 18:57
When I try to access add/remove programs in the control panel I get a "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item" message, same for most things in the control panel.

I will try to access the internet by bypassing the routers in the network and plugging in directly to the cable modem.

cmstueber
2009-09-15, 20:10
Logfile from Hijackthis after ESET scanner run:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:06 AM, on 9/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wmiapise.exe
C:\WINDOWS\TEMP\mscipevc.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\david\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows Management Instrumentation Service Extension (WMIAPISE) - Unknown owner - C:\WINDOWS\System32\wmiapise.exe (file missing)

--
End of file - 5584 bytes

ESET Scan Log File:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=0ad711252fc21b4b8b0b7ccd558037a1
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-09-15 05:59:20
# local_time=2009-09-15 10:59:20 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=769 21 100 91 450966562500
# scanned=57485
# found=48
# cleaned=48
# scan_time=1250
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.ADM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\sdlb.exe.vir Win32/Spy.Zbot.JF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Common Files\Yazzle1552OinAdmin.exe.vir Win32/TrojanDownloader.PurityScan.EG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\aeipybdu.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\agphhola.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\ahfeqqcj.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\aohaylii.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\asrhjadu.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\byvuhrdf.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drnojhbj.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drtkkxwt.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\duslqhgs.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\ftlauvbm.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\fvpwlobn.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\geqhwhmx.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\griurhho.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\gvdcchuo.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\haaoxihs.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\ilnqmwew.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\iqfnosup.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\jvgnogou.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\jxvpiadd.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\jyuscbvc.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\kdxhldqh.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\krjrlhsk.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\ltntlman.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\midayqio.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\nafeemnn.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\nfhsanye.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\ntustewf.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\opwsxafn.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\ppbliosk.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\qkucfpsa.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\qsvbddts.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\rvghxdos.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\sfatqbnx.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\sfxlkpfw.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\vfnwathh.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\vidrgocy.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\vsndvqtd.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\wxvihdxu.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\xboksmxa.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\xwdgybek.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\ycbawsbs.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\yudtxocc.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\wmiapise.exe Win32/IRCBot.NAV trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20090829-090057.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\temp\mscipevc.exe Win32/IRCBot.NAV trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C

Also, I did post on the windows boards you suggested regarding the other issues.

Thank you so much for your help!
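
As an added example (not part of the thread and not code from HijackThis, ESET or ComboFix), here are the checks a helper applies by eye to the two logs above, run over a few lines copied from them: processes launched from a Temp directory, O23 services with no vendor ("Unknown owner") or a missing binary, orphaned O9 entries, and which ESET detections were ComboFix's own quarantine backups versus live files, including the cleanups deferred to the next restart. The field layouts in the regexes and the two heuristics are this example's assumptions, written to match the quoted lines.

```python
"""Triage of the HijackThis and ESET Online Scanner logs posted in this thread.

Added example; not part of the thread and not code from either tool. The field
layouts in the regexes and the 'Unknown owner' / Temp-directory heuristics are
this example's assumptions, written to match the lines quoted above.
"""
import re
from collections import Counter

# Constructed sample: lines copied from the HijackThis log posted above.
HJT_SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\System32\wmiapise.exe",
    r"C:\WINDOWS\TEMP\mscipevc.exe",
    r"C:\WINDOWS\explorer.exe",
    r"O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)",
    r"O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)",
    r"O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe",
    r"O23 - Service: Windows Management Instrumentation Service Extension (WMIAPISE) - Unknown owner - C:\WINDOWS\System32\wmiapise.exe (file missing)",
]

# Constructed sample: six of the 48 detection lines from the ESET log above.
ESET_SAMPLE = [
    r"C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.ADM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C",
    r"C:\Qoobox\Quarantine\C\sdlb.exe.vir Win32/Spy.Zbot.JF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C",
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\aeipybdu.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C",
    r"C:\WINDOWS\system32\wmiapise.exe Win32/IRCBot.NAV trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C",
    r"C:\WINDOWS\system32\drivers\etc\hosts.20090829-090057.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C",
    r"C:\WINDOWS\temp\mscipevc.exe Win32/IRCBot.NAV trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C",
]

# A "Running processes" entry is a bare drive-letter path ending in .exe.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
# Heuristic: legitimate services and startup items are not launched from Temp.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# O23 layout as seen above: display name - vendor - image path [(file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Any Onn entry whose target no longer exists is an orphan left behind by a cleanup.
ORPHAN_RE = re.compile(r"^O\d+ - .*\((?:file missing|no file)\)$")
# ESET layout as seen above: path threat kind (action) 32-hex-digits C
ESET_RE = re.compile(
    r"^(?P<path>.+?) (?P<threat>Win32/\S+) (?P<kind>\S+) "
    r"\((?P<action>.+)\) (?P<hash>[0-9a-fA-F]{32}) C$"
)


def triage_hjt(lines):
    """Pick out the HijackThis lines a helper would look at first."""
    findings = {"temp_processes": [], "unknown_owner_services": [],
                "missing_service_binaries": [], "orphan_entries": []}
    for raw in lines:
        line = raw.strip()
        if PROCESS_RE.match(line):
            if TEMP_DIR_RE.search(line):
                findings["temp_processes"].append(line)
            continue
        svc = O23_RE.match(line)
        if svc:
            # No vendor string is only a hint; some legitimate services show it too.
            if svc["owner"] == "Unknown owner":
                findings["unknown_owner_services"].append(svc["name"])
            # Service still registered but its binary is gone (deleted by a scanner).
            if svc["path"].endswith("(file missing)"):
                findings["missing_service_binaries"].append(svc["name"])
            continue
        if ORPHAN_RE.match(line):
            findings["orphan_entries"].append(line)
    return findings


def summarize_eset(lines):
    """Separate ComboFix quarantine backups from live detections."""
    summary = {"combofix_quarantine": 0, "live": 0,
               "pending_restart": [], "families": Counter()}
    for raw in lines:
        hit = ESET_RE.match(raw.strip())
        if not hit:
            continue
        path = hit["path"]
        # ComboFix stores what it removed under C:\Qoobox\Quarantine; ESET
        # re-detecting those copies is not a sign of a live infection.
        if path.lower().startswith("c:\\qoobox\\quarantine\\"):
            summary["combofix_quarantine"] += 1
        else:
            summary["live"] += 1
        # Files in use are only removed at the next boot, so a reboot is needed.
        if "after the next restart" in hit["action"]:
            summary["pending_restart"].append(path)
        summary["families"][hit["threat"]] += 1
    return summary


if __name__ == "__main__":
    for key, value in triage_hjt(HJT_SAMPLE).items():
        print(f"{key}: {value}")
    for key, value in summarize_eset(ESET_SAMPLE).items():
        print(f"{key}: {value}")
```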

ken545
2009-09-15, 22:15
Hi,

I saw your post at WTT; you're in good hands with Doug.

Most of what ESET found were backups from what Combofix removed, plus about 3 more items.

Your Windows operating system is very outdated, along with your IE browser. You need to open IE and go to Tools > Windows Update and download and install all critical updates, including Service Pack 3 and Internet Explorer 8.


Your Java is most likely outdated also. If you can't access Add Remove Programs in the Control Panel, then hold off on this until Doug gets you up to snuff.

Download the latest version Here (http://java.sun.com/javase/downloads/index.jsp) save it, do not install it yet.

Java SE Runtime Environment (JRE)JRE 6 Update 16 <--The wording is confusing but this is what you need


Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
Reboot your computer
Install the latest version

You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)



Malwarebytes <-- Yours to keep , check for updates and run a scan now and then.

Combofix <--- Is not a general cleaning tool; just run it with supervision or you can bork your system.


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, select "2".

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.



How did I get infected in the first place?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind, if you install some of these programs, only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy, but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates, Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended), then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers real-time protection from spyware installation attempts; again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

ken545
2009-09-28, 10:50
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.