
Thread: virus stops virus scan at windows folder

  1. #1
    Member
    Join Date
    May 2010
    Posts
    49

    Default virus stops virus scan at windows folder

    DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
    Run by Jarvis Family at 14:28:22.51 on Mon 05/31/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11

    ============== Running Processes ===============


    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.facebook.com/home.php?#!/?sk=messages&tid=1246764423057
    uInternet Connection Wizard,ShellNext = hxxp://www.avast.com/go.php?verb=register-home&lang=eng
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: H - No File
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: MyWay Search Assistant BHO: {04079851-5845-4dea-848c-3ecd647aa554} - c:\program files\myway\srchastt\1.bin\MYSRCHAS.DLL
    BHO: myBar BHO: {0494d0d1-f8e0-41ad-92a3-14154ece70ac} - c:\program files\myway\mybar\1.bin\MYBAR.DLL
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Bsecure Popup Blocker: {e0019445-4c1f-414d-a70e-ad80f231c584} - c:\windows\system32\inetcntrl\popupkil\BsafeBHO.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Webshots Toolbar: {c17590d2-ecb4-4b15-8820-f58798dcc118} - c:\program files\webshots\WSToolbar4IE.dll
    TB: Bsecure Popup Blocker: {e0019445-4c1f-414d-a70e-ad80f231c584} - c:\windows\system32\inetcntrl\popupkil\BsafeBHO.dll
    TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
    TB: My &Search Bar: {0494d0d9-f8e0-41ad-92a3-14154ece70ac} - c:\program files\myway\mybar\1.bin\MYBAR.DLL
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: ShopAtHome Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_bho.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ATI Remote Control] "c:\program files\ati multimedia\remctrl\ATIX10.exe"
    uRun: [<NO NAME>]
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SetDefaultMIDI] MIDIDef.exe
    uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RCMan.EXE
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
    mRun: [TkBellExe] c:\program files\realmedia\update_ob\evntsvc.exe -osboot
    mRun: [CTHelper] CTHELPER.EXE
    mRun: [CTxfiHlp] CTXFIHLP.EXE
    mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
    mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [InetCntrl] c:\windows\system32\inetcntrl\InetCntrl.exe
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [SelectRebates] c:\program files\selectrebates\SelectRebates.exe
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    mRun: [HP DLA] "c:\program files\hp dla\dlatray.exe" /t
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [HP CD-DVD] c:\program files\hp cd-dvd\umbrella\hpcdtray.exe
    mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
    mRun: [cubgssxh] c:\documents and settings\jarvis family\local settings\application data\scvhkxslb\mlafwwdtssd.exe
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    StartupFolder: c:\docume~1\jarvis~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\jarvis family\application data\dropbox\bin\Dropbox.exe
    StartupFolder: c:\docume~1\jarvis~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\jarvis~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\skywat~1.lnk - c:\program files\common files\skywatch13\TrueWeather.exe
    IE: &Webshots Photo Search - c:\program files\webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2E5E800E-6AC0-411E-940A-369530A35E43} - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
    LSP: InetCntrl0012.dll
    Trusted Zone: aol.com\free
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230875329609
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 1.74.125.127.100 www.bing.com
    Hosts: 2.74.125.127.100 bing.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\jarvis~1\applic~1\mozilla\firefox\profiles\rew9tmxd.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.startup.homepage - hxxp://www.worldmag.com/index.cfm
    FF - prefs.js: keyword.URL - hxxp://wstb.search.imgag.com/?c=&sbs=1&sc=&f=web&vernum=3.1.3.7504&uid=&did={f8d4a70c-98e2-4081-901d-01bf93043ede}&q=
    FF - component: c:\documents and settings\jarvis family\application data\mozilla\firefox\profiles\rew9tmxd.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
    FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
    FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
    FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
    FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
    FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
    FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
    FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
    FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
    FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
    FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
    FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
    FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
    FF - plugin: c:\documents and settings\jarvis family\application data\facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\jarvis family\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\jarvis family\application data\move networks\plugins\npqmp071500000347.dll
    FF - plugin: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\nprpverplug.dll
    FF - plugin: c:\program files\musicnotes\npmusicn.dll
    FF - plugin: c:\program files\musicnotes\NPSibelius.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================

    2010-05-23 21:25:07 0 d-----w- c:\program files\CCleaner
    2010-05-16 01:12:37 0 d-----w- C:\824c44ed3d90af577e91b5
    2010-05-15 21:24:00 0 d-----w- c:\windows\system32\wbem\Repository
    2010-05-12 18:13:55 0 d-----w- c:\program files\FunWebProducts
    2010-05-02 22:21:14 1568 ----a-w- c:\documents and settings\jarvis family\.recently-used.xbel

    ==================== Find3M ====================

    2010-04-16 20:59:05 148736 ----a-w- c:\docume~1\alluse~1\applic~1\hpe4F9.dll
    2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38:52 78336 ------w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
    2008-09-17 00:08:50 65686 ----a-w- c:\program files\Photoshop CS4 Read Me.pdf
    2008-09-11 16:49:26 108336 ----a-w- c:\program files\Photoshop CS4 — Lisez-moi.pdf
    2008-09-11 16:47:50 103148 ----a-w- c:\program files\Léame de Photoshop CS4.pdf

    ============= FINISH: 14:28:47.00 ===============
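A defender-side triage script, added here as an illustration and not part of this thread or of the DDS tool itself: it parses a few constructed lines written in the same "Pseudo HJT Report" format as the log above and flags the two patterns a malware helper would look at first, an autorun entry that executes from a user-profile data folder under random-looking names, and a Hosts entry that maps a well-known domain to something other than loopback. Treating the leading "1.", "2." on Hosts lines as a line counter is an assumption.

```python
import re

# Constructed sample in the DDS "Pseudo HJT Report" format (not copied from any real machine).
SAMPLE_LOG = """\
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [avast!] c:\\progra~1\\alwils~1\\avast4\\ashDisp.exe
mRun: [cubgssxh] c:\\documents and settings\\jarvis family\\local settings\\application data\\scvhkxslb\\mlafwwdtssd.exe
uRun: [Skype] "c:\\program files\\skype\\phone\\Skype.exe" /nosplash /minimized
Hosts: 1.74.125.127.100 www.bing.com
Hosts: 2.127.0.0.1 localhost
"""

RUN_RE = re.compile(r"^([um])Run: \[([^\]]*)\]\s*(.*)$")
# Assumption: DDS prefixes each Hosts entry with a counter ("1.", "2."), so it is made optional.
HOSTS_RE = re.compile(r"^Hosts: (?:\d+\.)?(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def looks_random(token: str) -> bool:
    """Heuristic: a name of 6+ letters with almost no vowels (e.g. 'scvhkxslb')
    is unlikely to be a product or vendor name."""
    letters = [c for c in token.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.15


def triage_dds(text: str) -> list[tuple[str, str]]:
    """Return (reason, original line) pairs for the entries worth a closer look."""
    findings = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            path = re.search(r"[a-z]:\\[^\"]*?\.exe", cmd, re.I)
            if path is None:
                continue  # bare filename with no absolute path: nothing to judge here
            p = path.group(0).lower()
            parts = p.split("\\")
            in_profile = any(d in p for d in PROFILE_DIRS)
            # Check the registry value name, the parent folder and the executable name.
            random_parts = [t for t in [name] + parts[-2:] if looks_random(t.rsplit(".", 1)[0])]
            if in_profile and random_parts:
                findings.append((f"{hive}Run from profile dir, random-looking names {random_parts}", line))
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip != "127.0.0.1":
                findings.append((f"hosts file maps {host} to {ip}", line))
    return findings
```

Running `triage_dds(SAMPLE_LOG)` reports only the `cubgssxh` autorun and the `www.bing.com` Hosts entry; the ctfmon, avast! and Skype lines pass.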

  2. #2
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default

    Hello JarJar and welcome to the forums. Sorry for the delay in getting to your post.

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Please include the C:\ComboFix.txt in your next reply for further review.

    Please also run and post new DDS logs for review, and let me know how it's running.
    IndiGenus

  3. #3
    Member
    Join Date
    May 2010
    Posts
    49

    Default Combofix link

    I cannot link to the combofix link you gave me. Is there another place? Can't even get to the bleepingcomputer website. Computer shuts down every 5 minutes.

  4. #4
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default

    Do you have another PC you can download it on, then copy it over with a flash drive or CD/DVD?
    IndiGenus

  5. #5
    Member
    Join Date
    May 2010
    Posts
    49

    Default

    I will use a flash drive to hopefully load it. Ports and the DVD player are getting old and don't always work. :(

  6. #6
    Member
    Join Date
    May 2010
    Posts
    49

    Default combofix link is gone

    I finally got to bleeping computer and combofix is not there anymore, or at least not where that link takes you.

  7. #7
    Member
    Join Date
    May 2010
    Posts
    49

    Default combofix.exe

    I even searched all their executables and there was no combofix.exe. I found it on other websites, just not sure where a safe place to get it is.

  8. #8
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default

    If you are trying to do this on the infected PC, the malware is probably blocking you. Here are the direct links. But you may need to get there on a clean PC. Then copy the .exe file over.

    http://www.forospyware.com/sUBs/ComboFix.exe
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    IndiGenus

  9. #9
    Member
    Join Date
    May 2010
    Posts
    49

    Default AFA Filter

    Here's another twist. I uninstalled my AFA internet filter because I was only able to be on for about 5 minutes at a time and part of that time was spent restarting my filter so I could use the internet. So after I uninstalled the filter the computer didn't shut down on its own except for a couple of times. (Believe me, that's nothing when the thing had been shutting down every 5 minutes.) I was able to run the whole AVAST scan and it found nothing. So then I downloaded Spybot and ran it and it cleaned up a bunch of things but told me I had 2 things left it needed to clean up when the computer restarted. I was doing all of this in safe mode until I downloaded Spybot. I was sure it was a virus so was surprised that AVAST found nothing. Spybot never got through the 2nd scan though. It was late and I just shut down the computer. Should I still try to use combofix if I can?

  10. #10
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default Please follow the instructions as given

    I was sure it was a virus so was surprised that AVAST found nothing.
    That doesn't mean anything. If a rootkit is present Avast, or most any AV, will see nothing.

    Unless absolutely needed please don't make any other system changes while we're trying to clean this. That's like hitting a moving target for me as I can't see what's going on. If you're not able to follow the instructions given, then report back as to what happened and why.

    So the answer is still yes, please run combofix and post the log.
    IndiGenus
