Results 1 to 8 of 8

Thread: Can't access D. Please help

  1. #1
    Member
    Join Date
    Jun 2007
    Location
    Bremerton, WA
    Posts
    65

    Unhappy Can't access D. Please help

    Hi! I can't access my D partition. Something about Nach.exe failed to launch properly. (I also get a lot of W32 sality.exe notices from avira)

    As per instructions:

    DDS Log


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Administrator at 13:48:12 on 2012-08-08
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1389 [GMT 8:00]
    .
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    uStart Page = hxxp://isearch.avg.com/?cid={27A7BF03-50DE-4354-BCB4-570885332535}&mid=d7f81526be6547d0b7a331820866425c-35451f1d45163f0c20603419bb2c6951b1ddc250&lang=en&ds=ft011&pr=sa&d=2012-07-02 14:20:09&v=11.1.0.12&sap=hp
    mDefault_Page_URL = hxxp://www.yahoo.com
    mStart Page = hxxp://www.yahoo.com
    uInternet Settings,ProxyOverride = 127.0.0.1
    uInternet Settings,ProxyServer = 127.0.0.1:9666
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: I Want This: {11111111-1111-1111-1111-110011221158} - c:\program files\i want this\I Want This.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - No File
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Convert link target to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office11\REFIEBAR.DLL
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 202.78.97.41 210.4.2.61
    TCP: Interfaces\{8DCCA34D-CF01-4FD4-BA94-267FC5347312} : DhcpNameServer = 202.78.97.41 210.4.2.61
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2012-8-8 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-8-8 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2012-8-8 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-8-8 55656]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-5-7 1390976]
    S3 aic32p;aic32p;\??\c:\windows\system32\drivers\kmphn.sys --> c:\windows\system32\drivers\kmphn.sys [?]
    S3 amsint32;amsint32;\??\c:\windows\system32\drivers\kmphn.sys --> c:\windows\system32\drivers\kmphn.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-8-8 40776]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2011-11-29 18432]
    S3 Tq_91Assistant;Tq_91Assistant;c:\program files\netdragon\91 mobile\iphone\Tq_91Assistant.sys [2012-3-1 14248]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
    S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-9 136176]
    S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-9 136176]
    S4 SkypeUpdate;Skype Updater;"c:\program files\skype\updater\updater.exe" --> c:\program files\skype\updater\Updater.exe [?]
    .
    =============== Created Last 30 ================
    .
    2012-08-08 04:52:32 -------- d-----w- c:\windows\system32\XPSViewer
    2012-08-08 04:52:15 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2012-08-08 04:52:08 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2012-08-08 04:52:08 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2012-08-08 04:52:08 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2012-08-08 04:52:08 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2012-08-08 04:52:08 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2012-08-08 04:52:08 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2012-08-08 04:52:08 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2012-08-08 04:52:08 117760 ------w- c:\windows\system32\prntvpt.dll
    2012-08-08 04:49:36 -------- d-----w- c:\program files\MSXML 6.0
    2012-08-08 04:02:49 -------- d-----w- c:\program files\Trend Micro
    2012-08-08 03:58:27 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2012-08-08 03:58:21 -------- d-----w- c:\program files\Avira
    2012-08-08 03:58:21 -------- d-----w- c:\documents and settings\all users\application data\Avira
    2012-08-08 02:33:51 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-08-06 02:56:40 160768 --sh--r- C:\wsxonf.exe
    2012-08-03 06:35:57 81987 ----a-w- c:\windows\system32\AUCPLMNT.DLL
    2012-08-03 06:35:04 -------- d-----w- c:\program files\Canon
    2012-07-18 00:58:43 -------- d-----w- C:\Data
    .
    ==================== Find3M ====================
    .
    2012-06-01 08:01:28 249856 ------w- c:\windows\Setup1.exe
    2012-06-01 08:01:26 73216 ----a-w- c:\windows\ST6UNST.EXE
    .
    ============= FINISH: 13:48:37.90 ===============

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-08 15:21:07
    -----------------------------
    15:21:07.671 OS Version: Windows 5.1.2600 Service Pack 2
    15:21:07.671 Number of processors: 2 586 0x170A
    15:21:07.671 ComputerName: LEGAL-SON-ANGEL UserName: Administrator
    15:21:07.906 Initialize success
    15:21:23.203 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
    15:21:23.203 Disk 0 Vendor: ST3250318AS CC38 Size: 238475MB BusType: 3
    15:21:23.218 Disk 0 MBR read successfully
    15:21:23.218 Disk 0 MBR scan
    15:21:23.218 Disk 0 Windows XP default MBR code
    15:21:23.218 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 51199 MB offset 63
    15:21:23.234 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 187273 MB offset 104856255
    15:21:23.234 Disk 0 scanning sectors +488392065
    15:21:23.296 Disk 0 scanning C:\WINDOWS\system32\drivers
    15:21:27.437 Service scanning
    15:21:34.703 Modules scanning
    15:21:39.281 Disk 0 trace - called modules:
    15:21:39.281 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    15:21:39.281 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a905ab8]
    15:21:39.296 3 CLASSPNP.SYS[b80e905b] -> nt!IofCallDriver -> \Device\00000069[0x8a984030]
    15:21:39.296 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x8a90cd98]
    15:21:39.296 Scan finished successfully
    15:21:45.921 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
    15:21:45.921 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
    Last edited by tashi; 2012-08-08 at 16:00. Reason: Merged two posts

  2. #2
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Welcome


    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

    Running programs with Vista or Windows 7 , you need to Right Click on the program and select RUN AS ADMINISTATOR


    If your infected with Sality, just want you to know its uncleanable.



    ESET Online Scanner
    I'd like us to scan your machine with ESET OnlineScan

    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Make sure that the option "Remove found threats" is Unchecked
    9. Push the Start button.
    10. ESET will then download updates for itself, install itself, and begin
      scanning your computer. Please be patient as this can take some time.
    11. When the scan completes, push
    12. Push , and save the file to your desktop using a unique name, such as
      ESETScan. Include the contents of this report in your next reply.
    13. Push the button.
    14. Push
    Please make sure you include the following items in your next post:
    The log that was produced after running ESET Online Scanner.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Member
    Join Date
    Jun 2007
    Location
    Bremerton, WA
    Posts
    65

    Default

    Hi Ken. Thanks so much for the prompt response. I can't seem to get on the eset website... Is there any other way I can get that scanner?

  4. #4
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Give these a shot

    Please download Malwarebytes from Here or Here

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected .
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
    Post the report please





    Please run Trend Micro House Call
    • Click Scan now. It's free!
    • Read and put a Check next to Yes I accept the terms of use.
    • Click the Launching HouseCall>> button.
    • Under "Browser plug-in" Installing and using Housecall kernel, click the Starting HouseCall>> button.
    • You may receive a prompt to install the ActiveX, click install.
    • If you are taken back to the main page, click Launching HouseCall>> button again.
    • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
    • Please be patient while it installs, updates, and scans your system.
    • Once the scan is complete, it will take you to the summary page.
    • Under Cleanup options, choose clean all detected infections automatically.
    • Click the Clean now>> button.
    • If anything was found you may be prompted to run the scan again, you can just close the browser window.
    • When the scan is finished, please restart your computer.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  5. #5
    Member
    Join Date
    Jun 2007
    Location
    Bremerton, WA
    Posts
    65

    Default

    Thank you! Here is the Malwarebyes log


    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.15.09

    Windows XP Service Pack 2 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Administrator :: LEGAL-SON-ANGEL [administrator]

    8/16/2012 9:31:25 AM
    mbam-log-2012-08-16 (09-31-25).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 283508
    Time elapsed: 9 minute(s), 37 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 39
    HKCR\CLSID\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{44444444-4444-4444-4444-440044224458} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\Interface\{55555555-5555-5555-5555-550055225558} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.BHO.1 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CLSID\{22222222-2222-2222-2222-220022222258} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.Sandbox.1 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.Sandbox (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CLSID\{33333333-3333-3333-3333-330033223358} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.FBApi.1 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.FBApi (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.BHO (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\I Want This (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.BHO (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.BHO.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.FBApi (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.FBApi.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.Sandbox (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.Sandbox.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
    HKCU\Software\Cr_Installer\2258 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\I WANT THIS (PUP.GamesPlayLab) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> Quarantined and deleted successfully.
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> Quarantined and deleted successfully.
    HKLM\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011221158} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CLSID\{11111111-1111-1111-1111-110011221158} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{44444444-4444-4444-4444-440044224458} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\Interface\{55555555-5555-5555-5555-550055225558} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011221158} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011221158} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011221158} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011221158} (PUP.GamePlayLab) -> Quarantined and deleted successfully.

    Registry Values Detected: 4
    HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Data: 1eadf05341467a78d513529c148556b2 -> Quarantined and deleted successfully.
    HKCU\Software\I Want This|HelperRunningVersion (PUP.GamesPlayLab) -> Data: 149 -> Quarantined and deleted successfully.
    HKCU\Software\InstalledBrowserExtensions\215 Apps|2258 (PUP.CrossFire.SA) -> Data: I Want This -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\I Want This|Publisher (Adware.GamePlayLab) -> Data: 215 Apps -> Quarantined and deleted successfully.

    Registry Data Items Detected: 3
    HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 3
    C:\Program Files\I Want This (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Application Data\I Want This (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Application Data\I Want This\Chrome (Adware.GamePlayLab) -> Quarantined and deleted successfully.

    Files Detected: 8
    C:\wsxonf.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\I Want This\I Want This.ini (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Program Files\I Want This\I Want This.exe (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Program Files\I Want This\I Want This.ico (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Program Files\I Want This\I Want ThisGui.exe (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Program Files\I Want This\I Want ThisInstaller.log (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Program Files\I Want This\Uninstall.exe (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Application Data\I Want This\Chrome\I Want This.crx (Adware.GamePlayLab) -> Quarantined and deleted successfully.

    (end)

  6. #6
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Where you able to run Housecall ?


    Sality falls into the same mold as Virut, there a file infector virus, they infect all .exe files on your system, its best to be sure its gone to just reformat and reinstall windows and be done with it.


    For more information on Virut and Sality, and why you need to reformat, have a read of miekiemoes blog

    Read it here
    .

    There are a couple of tools to help with Sality, you can give them a try but I believe that there just a band aid.

    http://free.avg.com/ww-en/remove-sality.tpl-mcr8

    http://support.kaspe...alitykiller.zip


    This is also what your up against
    http://blog.teesupport.com/solved-ne...-removal-tips/


    Let me know how it went and if you need help with reinstalling windows I can link you to a good windows forum for help
    Last edited by ken545; 2012-08-16 at 14:22.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  7. #7
    Member
    Join Date
    Jun 2007
    Location
    Bremerton, WA
    Posts
    65

    Unhappy

    Yes I ran it. Thanks for your time. So reformatting is the only way? Ok...

  8. #8
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    What did you run, housecall, if so post the log. Where you able to run the Sality tools ?
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •