PDA

View Full Version : Can't access D. Please help



amanyeah
2012-08-08, 08:58
Hi! I can't access my D partition. Something about Nach.exe failed to launch properly. (I also get a lot of W32 sality.exe notices from avira)

As per instructions:

DDS Log


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 13:48:12 on 2012-08-08
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1389 [GMT 8:00]
.
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uStart Page = hxxp://isearch.avg.com/?cid={27A7BF03-50DE-4354-BCB4-570885332535}&mid=d7f81526be6547d0b7a331820866425c-35451f1d45163f0c20603419bb2c6951b1ddc250&lang=en&ds=ft011&pr=sa&d=2012-07-02 14:20:09&v=11.1.0.12&sap=hp
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = 127.0.0.1
uInternet Settings,ProxyServer = 127.0.0.1:9666
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: I Want This: {11111111-1111-1111-1111-110011221158} - c:\program files\i want this\I Want This.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 202.78.97.41 210.4.2.61
TCP: Interfaces\{8DCCA34D-CF01-4FD4-BA94-267FC5347312} : DhcpNameServer = 202.78.97.41 210.4.2.61
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2012-8-8 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-8-8 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2012-8-8 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-8-8 55656]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-5-7 1390976]
S3 aic32p;aic32p;\??\c:\windows\system32\drivers\kmphn.sys --> c:\windows\system32\drivers\kmphn.sys [?]
S3 amsint32;amsint32;\??\c:\windows\system32\drivers\kmphn.sys --> c:\windows\system32\drivers\kmphn.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-8-8 40776]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2011-11-29 18432]
S3 Tq_91Assistant;Tq_91Assistant;c:\program files\netdragon\91 mobile\iphone\Tq_91Assistant.sys [2012-3-1 14248]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-9 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-9 136176]
S4 SkypeUpdate;Skype Updater;"c:\program files\skype\updater\updater.exe" --> c:\program files\skype\updater\Updater.exe [?]
.
=============== Created Last 30 ================
.
2012-08-08 04:52:32 -------- d-----w- c:\windows\system32\XPSViewer
2012-08-08 04:52:15 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2012-08-08 04:52:08 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2012-08-08 04:52:08 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2012-08-08 04:52:08 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2012-08-08 04:52:08 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2012-08-08 04:52:08 575488 ------w- c:\windows\system32\xpsshhdr.dll
2012-08-08 04:52:08 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2012-08-08 04:52:08 1676288 ------w- c:\windows\system32\xpssvcs.dll
2012-08-08 04:52:08 117760 ------w- c:\windows\system32\prntvpt.dll
2012-08-08 04:49:36 -------- d-----w- c:\program files\MSXML 6.0
2012-08-08 04:02:49 -------- d-----w- c:\program files\Trend Micro
2012-08-08 03:58:27 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-08-08 03:58:21 -------- d-----w- c:\program files\Avira
2012-08-08 03:58:21 -------- d-----w- c:\documents and settings\all users\application data\Avira
2012-08-08 02:33:51 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-08-06 02:56:40 160768 --sh--r- C:\wsxonf.exe
2012-08-03 06:35:57 81987 ----a-w- c:\windows\system32\AUCPLMNT.DLL
2012-08-03 06:35:04 -------- d-----w- c:\program files\Canon
2012-07-18 00:58:43 -------- d-----w- C:\Data
.
==================== Find3M ====================
.
2012-06-01 08:01:28 249856 ------w- c:\windows\Setup1.exe
2012-06-01 08:01:26 73216 ----a-w- c:\windows\ST6UNST.EXE
.
============= FINISH: 13:48:37.90 ===============

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-08 15:21:07
-----------------------------
15:21:07.671 OS Version: Windows 5.1.2600 Service Pack 2
15:21:07.671 Number of processors: 2 586 0x170A
15:21:07.671 ComputerName: LEGAL-SON-ANGEL UserName: Administrator
15:21:07.906 Initialize success
15:21:23.203 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
15:21:23.203 Disk 0 Vendor: ST3250318AS CC38 Size: 238475MB BusType: 3
15:21:23.218 Disk 0 MBR read successfully
15:21:23.218 Disk 0 MBR scan
15:21:23.218 Disk 0 Windows XP default MBR code
15:21:23.218 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 51199 MB offset 63
15:21:23.234 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 187273 MB offset 104856255
15:21:23.234 Disk 0 scanning sectors +488392065
15:21:23.296 Disk 0 scanning C:\WINDOWS\system32\drivers
15:21:27.437 Service scanning
15:21:34.703 Modules scanning
15:21:39.281 Disk 0 trace - called modules:
15:21:39.281 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
15:21:39.281 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a905ab8]
15:21:39.296 3 CLASSPNP.SYS[b80e905b] -> nt!IofCallDriver -> \Device\00000069[0x8a984030]
15:21:39.296 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x8a90cd98]
15:21:39.296 Scan finished successfully
15:21:45.921 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
15:21:45.921 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

ken545
2012-08-11, 19:52
Welcome


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Running programs with Vista or Windows 7 , you need to Right Click on the program and select RUN AS ADMINISTATOR


If your infected with Sality, just want you to know its uncleanable.



ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

amanyeah
2012-08-13, 03:15
Hi Ken. Thanks so much for the prompt response. I can't seem to get on the eset website... Is there any other way I can get that scanner?

ken545
2012-08-13, 11:07
Give these a shot

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please





Please run Trend Micro House Call (http://housecall.trendmicro.com/)
Click Scan now. It's free!
Read and put a Check next to Yes I accept the terms of use.
Click the Launching HouseCall>> button.
Under "Browser plug-in" Installing and using Housecall kernel, click the Starting HouseCall>> button.
You may receive a prompt to install the ActiveX, click install.
If you are taken back to the main page, click Launching HouseCall>> button again.
Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
Please be patient while it installs, updates, and scans your system.
Once the scan is complete, it will take you to the summary page.
Under Cleanup options, choose clean all detected infections automatically.
Click the Clean now>> button.
If anything was found you may be prompted to run the scan again, you can just close the browser window.
When the scan is finished, please restart your computer.

amanyeah
2012-08-16, 05:08
Thank you! Here is the Malwarebyes log


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.15.09

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: LEGAL-SON-ANGEL [administrator]

8/16/2012 9:31:25 AM
mbam-log-2012-08-16 (09-31-25).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 283508
Time elapsed: 9 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 39
HKCR\CLSID\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440044224458} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\Interface\{55555555-5555-5555-5555-550055225558} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.BHO.1 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CLSID\{22222222-2222-2222-2222-220022222258} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.Sandbox.1 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.Sandbox (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CLSID\{33333333-3333-3333-3333-330033223358} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.FBApi.1 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.FBApi (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.BHO (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\I Want This (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.BHO (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.BHO.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.FBApi (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.FBApi.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.Sandbox (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.Sandbox.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCU\Software\Cr_Installer\2258 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\I WANT THIS (PUP.GamesPlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011221158} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CLSID\{11111111-1111-1111-1111-110011221158} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440044224458} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\Interface\{55555555-5555-5555-5555-550055225558} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011221158} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011221158} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011221158} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011221158} (PUP.GamePlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 4
HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Data: 1eadf05341467a78d513529c148556b2 -> Quarantined and deleted successfully.
HKCU\Software\I Want This|HelperRunningVersion (PUP.GamesPlayLab) -> Data: 149 -> Quarantined and deleted successfully.
HKCU\Software\InstalledBrowserExtensions\215 Apps|2258 (PUP.CrossFire.SA) -> Data: I Want This -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\I Want This|Publisher (Adware.GamePlayLab) -> Data: 215 Apps -> Quarantined and deleted successfully.

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 3
C:\Program Files\I Want This (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\I Want This (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\I Want This\Chrome (Adware.GamePlayLab) -> Quarantined and deleted successfully.

Files Detected: 8
C:\wsxonf.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\I Want This\I Want This.ini (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Program Files\I Want This\I Want This.exe (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Program Files\I Want This\I Want This.ico (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Program Files\I Want This\I Want ThisGui.exe (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Program Files\I Want This\I Want ThisInstaller.log (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Program Files\I Want This\Uninstall.exe (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\I Want This\Chrome\I Want This.crx (Adware.GamePlayLab) -> Quarantined and deleted successfully.

(end)

ken545
2012-08-16, 11:18
Where you able to run Housecall ?


Sality falls into the same mold as Virut, there a file infector virus, they infect all .exe files on your system, its best to be sure its gone to just reformat and reinstall windows and be done with it.


For more information on Virut and Sality, and why you need to reformat, have a read of miekiemoes blog

Read it here (http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html).

There are a couple of tools to help with Sality, you can give them a try but I believe that there just a band aid.

http://free.avg.com/ww-en/remove-sality.tpl-mcr8

http://support.kaspe...alitykiller.zip


This is also what your up against
http://blog.teesupport.com/solved-need-help-to-remove-pup-crossfire-sa-infection-safely-and-absolutely-useful-removal-tips/


Let me know how it went and if you need help with reinstalling windows I can link you to a good windows forum for help

amanyeah
2012-08-17, 04:18
Yes I ran it. Thanks for your time. So reformatting is the only way? Ok...

ken545
2012-08-17, 04:25
What did you run, housecall, if so post the log. Where you able to run the Sality tools ?