Infection will not allow Spybot or HJT to run

Status
Not open for further replies.
Looks like that file is OK, so let's not worry about it.

Let's do one last scan and see if it finds anything that we may have missed.

Please run this free online virus scanner from ESET
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
evening, last work nite....
did as directed the below was at the start up of the scan
thought you might need to see it.
posted log
did not check "delete quarantined" box

HR

Warning: in_array() [function.in-array]: Wrong datatype for second argument in /home/httpd/vhosts/www.eset.eu/buxus/includes/generate_functions.php(96) : eval()'d code(1396) : eval()'d code on line 17

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

# version=6
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=f3f4ea1f6737e14998f3fee40a88c61c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-09-23 10:23:15
# local_time=2009-09-23 06:23:15 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# scanned=37584
# found=7
# cleaned=7
# scan_time=977
C:\Documents and Settings\Administrator\Application Data\Blitware\DriverRobot\updates\3e9a384994003e6daed892e3f8d7c957\3e9a384994003e6daed892e3f8d7c957 Win32/Adware.DriverRobot application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator\Application Data\Blitware\DriverRobot\updates\3e9a384994003e6daed892e3f8d7c957\DriverRobot_Setup.exe Win32/Adware.DriverRobot application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Driver Robot\1.1.0.3\DriverRobot.exe Win32/Adware.DriverRobot application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir a variant of Win32/Kryptik.YQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E8C97C42-2711-4945-B781-C17D3D4E92AD}\RP104\A0019679.dll a variant of Win32/Kryptik.YQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E8C97C42-2711-4945-B781-C17D3D4E92AD}\RP105\A0020271.exe Win32/Adware.DriverRobot application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E8C97C42-2711-4945-B781-C17D3D4E92AD}\RP105\A0020272.exe Win32/Adware.DriverRobot application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
 
Hi,

DriverRobot appears to be a rogue program; all the rest were Combofix backups and bad files in your System Restore.

System Restore makes regular backups of all your settings; if you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.

  • Right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore on all Drives.
  • Click Apply, and then click OK.

Reboot your computer

Turn ON System Restore.

  • Right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore on all Drives.
  • Click Apply, and then click OK.

Create a new Restore Point <-- Very Important

  • Go to Start> All Programs> Accessories> System Tools> System Restore and create a New Restore Point
System Restore Tutorial <-- If you need it



We will clean out Qoobox when we're done. How are things running now?
 
HI Ken,
Well Thanks to you Everything is working just fine..
Even the strange 2nd blank IE window that was opening is gone.:eek:
all that's left is to get S&D running...am waiting for that support team to answer.
and have all my Icons in the icon tray:banana:

Followed the restore instructions and just made the "New Clean Restore" point.

Have not yet installed SP3 but will do after we are done.

Should I run ESET again and have it delete the quarantined files this time???

HR
 
Great, yes you can run ESET and remove those files.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    • (screenshot: CF_Cleanup.png)

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy, but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.
  • Spybot Search and Destroy 1.6
    Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
  • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  • Spyware Guard It offers realtime protection from spyware installation attempts; again, no scan to run, just install it and let it do its thing.
  • IE-Spyad
    IE-Spyad places over 6000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.


Safe Surfn
Ken
 
:thanks::thanks::thanks::wav:

Again I don't know what would have happened without your help:crowned:
You guys are doing a great job for us poor slobs who get in trouble.
For sure I will Donate on payday:present:

Still working with spybotsandra:angel:
trying to get rid of the infected spybot files.


Ran Combofix /u and all is gone...

Ran ESET and had 0 infected:band:

Boot up is faster than it's been for a long time:banana:

No more to do here...Hope I never have to come back.....;)

Thanks again

HR = Ed
 
That's great, glad things are well :bigthumb:

Why don't you open up Spybot and at the top click on Mode > Advanced Mode, then Recovery and you can purge all the bad stuff that Spybot removed.

Take Care,

Ken
 
This is what I told her

some other things you should know

* Removed application S&D by Control Panel "Add & Remove Programs";
it said it could not remove all files.

* Checked properties of each file: they have "Read only" and "Hidden" checked and
Hidden is grayed out. If I uncheck the "Read only" box and hit Apply I get this error:
"An error occurred applying attributes to this file. Access is denied." Same for the folder "Spybot - Search and Destroy".

* Verified folder options "Show hidden files" is checked.

The malware that had infected my system (since removed) changed and locked these files so I could not run this program..

* When you click on the SpybotSD.exe you get this error:
"Windows cannot access the specified device, path or file.
You may not have the appropriate permissions to access the item."


So how do we fix what the nasty little bug did..:flame:

THIS IS WHAT SHE SAID THIS MORNING:confused:


Hello,

I am sorry, but then I do not think that your system is clean.
Did you try to download a fresh installation of Spybot and copy it over the existing file?

Best regards
Sandra
Team Spybot

I did not try to install a new S&D because then I will have 3 infected files
that cannot be overwritten, so the install will fail....(I think)

just trying to do the right thing

HR
 
Hi,

Do this

Download Dr.Web CureIt to the desktop:
  • Double-click the drweb-cureit icon to start the program.
  • Press Start
  • Allow the program to run the initial express scan
  • This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
    Note: A pop-up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
  • Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
  • Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
  • During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.

    • Note: (If the file cannot be cured, Dr.Web will automatically delete the file)
  • Once the scan is complete, on the menu bar, click File and choose Report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Close Dr.Web CureIt.
  • Please post the Dr.Web.txt report in your next reply
 
Morning Ken,
When you said it would take several hours you were not kidding..

Here is the log
did not delete them so we could decide

I know VNC; it's a program I used one time for work to view remote servers.
Don't need it any more.

THE 3 Spybot S&D files are still there and I still cannot delete them, and one of them is "SpybotSD.exe":thud:

That bug did a good job..

please advise

HR


iwapi.chm\DLLGeneral.html;C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\InstantWrite SDK\InstantWrite\InstantWrite SDK\iwapi.chm;Modification of BAT.Wed.4730;;
iwapi.chm;C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\InstantWrite SDK\InstantWrite\InstantWrite SDK;Container contains infected objects;Moved.;
vncviewer.exe;C:\Program Files\UltraVNC;Program.RemoteAdmin.37;;
vnc-4.0-x86_win32.exe\data002;C:\Work\Files that need coped\VNC_4\Server and Viewer\vnc-4.0-x86_win32.exe;Program.RemoteAdmin;;
vnc-4.0-x86_win32.exe\data003;C:\Work\Files that need coped\VNC_4\Server and Viewer\vnc-4.0-x86_win32.exe;Program.RemoteAdmin;;
vnc-4.0-x86_win32.exe\data004;C:\Work\Files that need coped\VNC_4\Server and Viewer\vnc-4.0-x86_win32.exe;Program.RemoteAdmin;;
vnc-4.0-x86_win32.exe\data006;C:\Work\Files that need coped\VNC_4\Server and Viewer\vnc-4.0-x86_win32.exe;Program.RemoteAdmin;;
vnc-4.0-x86_win32.exe;C:\Work\Files that need coped\VNC_4\Server and Viewer;Archive contains infected objects;Moved.;
vnc-4.0-x86_win32_viewer.exe;C:\Work\Files that need coped\VNC_4\Viewer Only;Program.RemoteAdmin;;
UltraVNC-102-Setup.exe\data014;C:\Work\Ultra VNC\UltraVNC-102-Setup.exe;Program.RemoteAdmin.37;;
UltraVNC-102-Setup.exe;C:\Work\Ultra VNC;Archive contains infected objects;Moved.;
vnc-4_1_2-x86_win32.exe\data005;C:\Work\VNC 4_1_2\vnc-4_1_2-x86_win32.exe;Program.RemoteAdmin.51;;
vnc-4_1_2-x86_win32.exe;C:\Work\VNC 4_1_2;Archive contains infected objects;Moved.;
vnc-4_1_2-x86_win32_viewer.exe;C:\Work\VNC 4_1_2;Program.RemoteAdmin.51;;
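The ESET Online Scanner log posted earlier in this thread and the Dr.Web CureIt report just above use two different line formats, and the helper's follow-up depends on where each hit sits (a copy inside a System Restore point, a ComboFix backup under Qoobox, or a live file) and on whether the scanner is reporting malware or a riskware/PUA hit such as the user's own VNC installers. The following is an added example written for this page, not code from ESET, Dr.Web, ComboFix or the forum: it parses both formats into one record shape and tallies the hits by those two labels. The `Hit` record, the `classify_location` / `classify_threat` buckets and the reading of ESET's "application" suffix and Dr.Web's "Program." prefix are this example's own assumptions; the sample lines are excerpts copied from the two logs in the thread.

```python
"""Parse the ESET Online Scanner log and the Dr.Web CureIt report posted in
this thread into one record shape and flag where each hit lives. Added
example; the location and severity labels are assumptions of this example."""
import re
from collections import Counter
from dataclasses import dataclass

# ESET detection line: <path> <threat phrase> (<action>) <32-hex hash> <flag>.
# The path ends where "a variant of ..." or the first token containing "/"
# begins (ESET threat names look like Win32/Adware.DriverRobot).
_ESET_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<threat>(?:a variant of\s+)?\S+/\S.*?)\s+"
    r"\((?P<action>[^)]*)\)\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)\s*$"
)

@dataclass
class Hit:
    scanner: str
    location: str  # full path of the file, or of the archive for a member
    member: str    # archive member name, "" for a plain file
    threat: str
    action: str

def parse_eset_log(text):
    """Return (header dict from the '# key=value' lines, list of Hit)."""
    header, hits = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].partition("=")
            if sep:
                header[key.strip()] = value.strip().strip('"')
            continue
        m = _ESET_LINE.match(line)
        if m:
            hits.append(Hit("eset", m["path"], "", m["threat"], m["action"]))
    return header, hits

def parse_drweb_report(text):
    """Dr.Web writes 'object;path;threat;action;' per line. For an archive
    member the object is '<archive>\\<member>' and path is the archive's full
    path; for a plain file, path is only its directory."""
    hits = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 4 or not fields[0]:
            continue
        obj, container, threat, action = fields[:4]
        if "\\" in obj:
            hits.append(Hit("drweb", container, obj.split("\\", 1)[1], threat, action))
        else:
            hits.append(Hit("drweb", container + "\\" + obj, "", threat, action))
    return hits

def classify_location(path):
    """Assumed labels by where the hit lives: a copy inside a System Restore
    point comes back if that point is restored, so the points get purged;
    Qoobox holds ComboFix's own backups and goes away with 'Combofix /u'."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\qoobox\\quarantine" in p:
        return "combofix_backup"
    return "live"

def classify_threat(scanner, threat):
    """Assumed severity buckets: ESET tags adware/PUA hits 'application';
    Dr.Web prefixes riskware such as remote-admin tools with 'Program.'."""
    t = threat.lower()
    if "contains infected objects" in t:
        return "container"  # summary line for an archive, not a separate file
    if scanner == "eset":
        return "pua" if t.endswith("application") else "malware"
    return "riskware" if t.startswith("program.") else "malware"

def summarize(hits):
    """Count hits by (location label, severity label)."""
    return Counter((classify_location(h.location),
                    classify_threat(h.scanner, h.threat)) for h in hits)

# Excerpts copied from the two logs posted in this thread.
ESET_SAMPLE = r"""# found=7
# cleaned=7
C:\Program Files\Driver Robot\1.1.0.3\DriverRobot.exe Win32/Adware.DriverRobot application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir a variant of Win32/Kryptik.YQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E8C97C42-2711-4945-B781-C17D3D4E92AD}\RP104\A0019679.dll a variant of Win32/Kryptik.YQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E8C97C42-2711-4945-B781-C17D3D4E92AD}\RP105\A0020271.exe Win32/Adware.DriverRobot application (deleted - quarantined) 00000000000000000000000000000000 C
"""
DRWEB_SAMPLE = r"""iwapi.chm\DLLGeneral.html;C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\InstantWrite SDK\InstantWrite\InstantWrite SDK\iwapi.chm;Modification of BAT.Wed.4730;;
vncviewer.exe;C:\Program Files\UltraVNC;Program.RemoteAdmin.37;;
vnc-4.0-x86_win32.exe\data002;C:\Work\Files that need coped\VNC_4\Server and Viewer\vnc-4.0-x86_win32.exe;Program.RemoteAdmin;;
vnc-4.0-x86_win32.exe;C:\Work\Files that need coped\VNC_4\Server and Viewer;Archive contains infected objects;Moved.;
"""

def report():
    """Parse both samples; return (ESET header, all hits, summary counter)."""
    header, hits = parse_eset_log(ESET_SAMPLE)
    hits += parse_drweb_report(DRWEB_SAMPLE)
    return header, hits, summarize(hits)

if __name__ == "__main__":
    for (where, kind), n in sorted(report()[2].items()):
        print(f"{where:16} {kind:10} {n}")
```

Run it as a script to get the per-bucket counts; on the excerpts above the two restore-point hits and the one Qoobox hit are exactly the ones the helper dismissed as System Restore copies and ComboFix backups, while the Dr.Web `Program.RemoteAdmin` lines land in the riskware bucket, which matches the user's own explanation that they are VNC installers he kept for work.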
 
Lets let Combofix remove it

Open Notepad: Go to Start> All Programs> Accessories> Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Folder::


Code:
Folder::
C:\Program Files\Spybot - Search & Destroy

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: CFScriptB-4.gif)



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
 
Morning
had run Combofix /u as instructed but NP
downloaded and followed below..


THEY ARE GONE:bigthumb::bigthumb:
See log:
anything else you see in the log??

Otherwise I think we are good

Should I remove ComboFix as before?

HR


ComboFix 09-09-25.01 - Administrator 09/26/2009 11:05.5.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.671 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Spybot - Search & Destroy
c:\program files\Spybot - Search & Destroy\advcheck.dll
c:\program files\Spybot - Search & Destroy\HGCWMZUHVHYHRVH.scr
c:\program files\Spybot - Search & Destroy\SpybotSD.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 )))))))))))))))))))))))))))))))
.

2009-09-19 04:05 . 2009-09-19 04:05 -------- d-----w- c:\program files\ERUNT
2009-09-17 04:13 . 2009-09-22 01:23 -------- d--h--w- c:\windows\PIF
2009-09-08 03:32 . 2009-09-08 03:32 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-09-06 00:03 . 2004-08-04 04:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-09-06 00:03 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-09-03 18:07 . 2009-09-03 18:07 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-09-02 21:30 . 2009-09-04 03:55 -------- d-----w- C:\Fraps
2009-09-02 15:39 . 2009-09-08 03:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-09-02 15:33 . 2009-09-02 15:33 -------- d-----w- c:\windows\system32\URTTEMP
2009-09-02 12:24 . 2009-09-02 12:24 -------- d-----w- c:\windows\system32\windows media
2009-09-02 12:24 . 2009-09-02 12:24 -------- d-----w- c:\program files\Windows Media Components
2009-08-29 15:12 . 2009-08-29 15:12 0 ----a-w- c:\windows\nsreg.dat
2009-08-29 15:12 . 2009-08-29 15:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-29 11:19 . 2009-08-29 11:19 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-08-28 02:54 . 2009-08-28 02:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2009-08-28 02:28 . 2004-08-04 03:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-08-28 02:28 . 2004-08-04 03:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-08-28 00:39 . 2009-08-28 00:39 1329709 ----a-w- c:\windows\Recorder.reg
2009-08-28 00:38 . 2009-08-28 00:38 -------- d-----w- c:\program files\Common Files\Fellowes
2009-08-28 00:37 . 2009-08-28 00:38 -------- d-----w- c:\program files\Pinnacle
2009-08-28 00:23 . 1997-12-23 01:02 23936 ----a-w- c:\windows\system32\drivers\aspi32.sys
2009-08-28 00:23 . 1997-12-23 00:23 5600 ----a-w- c:\windows\system\winaspi.dll
2009-08-28 00:23 . 1997-12-23 00:23 4672 ----a-w- c:\windows\system\wowpost.exe
2009-08-28 00:23 . 1997-12-23 00:23 48128 ----a-w- c:\windows\system32\wnaspi32.dll
2009-08-28 00:23 . 1999-07-07 21:32 138240 ----a-w- c:\windows\system32\Viasetup.dll
2009-08-28 00:23 . 1999-06-29 21:15 25264 ----a-w- c:\windows\system32\ivimci.drv
2009-08-28 00:23 . 1999-08-23 03:00 884736 ----a-w- c:\windows\system32\ivimci32.dll
2009-08-27 17:31 . 2009-08-27 17:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-27 17:31 . 2009-08-27 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-26 07:42 . 2009-08-14 05:11 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-26 07:40 . 2009-08-12 03:30 -------- d-----w- c:\program files\Windows Live
2009-09-23 22:03 . 2009-09-23 22:03 -------- d-----w- c:\program files\ESET
2009-09-23 05:47 . 2009-08-12 03:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Xfire
2009-09-23 03:30 . 2009-08-12 03:42 -------- d-----w- c:\program files\Xfire
2009-09-23 00:54 . 2009-09-23 00:54 -------- d-----w- c:\program files\Gadwin Systems
2009-09-23 00:31 . 2009-08-17 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-22 22:42 . 2009-08-22 15:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-09-22 22:19 . 2009-08-22 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-09-22 14:51 . 2009-09-19 04:09 -------- d-----w- c:\program files\Trend Micro
2009-09-22 10:14 . 2009-09-22 10:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-20 06:32 . 2009-08-19 03:12 -------- d-----w- c:\program files\Driver Robot
2009-09-10 18:54 . 2009-09-22 10:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-09-22 10:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-02 12:24 . 2007-04-30 20:03 28368 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-02 12:24 . 2009-08-12 03:31 -------- d-----w- c:\program files\Microsoft
2009-08-28 05:11 . 2009-08-14 06:16 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-08-28 05:11 . 2009-08-14 06:16 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-08-28 05:11 . 2009-08-14 06:16 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-08-28 00:27 . 2007-04-30 21:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\CyberLink
2009-08-25 05:05 . 2007-04-30 21:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-23 02:10 . 2007-04-30 21:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-22 15:31 . 2009-08-22 15:31 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-22 15:25 . 2009-08-22 15:25 -------- d-----r- c:\program files\Skype
2009-08-22 15:25 . 2009-08-22 15:25 -------- d-----w- c:\program files\Common Files\Skype
2009-08-22 15:25 . 2009-08-22 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-22 15:02 . 2009-08-22 15:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\teamspeak2
2009-08-22 15:02 . 2009-08-22 15:02 -------- d-----w- c:\program files\Teamspeak2_RC2
2009-08-22 02:34 . 2009-08-22 02:33 -------- d-----w- c:\program files\Good_Fox
2009-08-22 00:49 . 2009-08-22 00:49 -------- d-----w- c:\program files\Fox
2009-08-20 00:51 . 2009-08-20 00:50 -------- d-----w- c:\program files\Realtek AC97
2009-08-19 03:12 . 2009-08-19 03:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Blitware
2009-08-19 02:04 . 2009-08-19 02:04 -------- d-----w- c:\program files\Logitech
2009-08-19 02:04 . 2009-08-19 02:04 -------- d-----w- c:\program files\Common Files\Logitech
2009-08-14 19:40 . 2009-08-14 15:50 -------- d-----w- c:\program files\ATI Technologies
2009-08-14 19:14 . 2009-08-14 19:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2009-08-14 18:37 . 2009-08-14 18:37 -------- d-----w- c:\program files\directx
2009-08-14 15:53 . 2009-08-14 15:53 -------- d-----w- c:\documents and settings\roth\Application Data\ATI
2009-08-14 05:11 . 2009-08-14 05:11 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-08-14 05:10 . 2009-08-14 05:10 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-08-14 05:06 . 2007-04-30 19:46 16168 ----a-w- c:\documents and settings\roth\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-12 03:43 . 2009-08-12 03:43 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2009-08-12 03:30 . 2009-08-12 03:30 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-12 03:14 . 2009-08-12 03:14 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-12 03:10 . 2009-08-12 03:10 0 ----a-w- c:\windows\ativpsrm.bin
2009-08-12 02:38 . 2009-08-12 02:38 -------- d-----w- c:\program files\MSXML 6.0
2009-08-09 10:30 . 2009-08-09 10:30 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-08-09 10:30 . 2009-08-09 10:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo
2009-08-06 02:48 . 2009-08-14 05:11 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-08-05 09:11 . 2004-08-04 04:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:53 . 2004-08-04 04:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2002-08-29 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-26 20:44 . 2009-07-26 20:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 18:55 . 2004-08-04 04:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 06:18 . 2004-08-04 04:56 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 16:15 . 2009-07-10 16:15 306544 ----a-w- c:\windows\WLXPGSS.SCR
.

------- Sigcheck -------

[-] 2005-12-17 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-03-28 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2009-06-25 177152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlhr"="c:\windows\System32\AdvPack.Dll" [2004-08-04 99840]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Broadband Networking.lnk - c:\program files\Microsoft Broadband Networking\MSBNTray.exe [2002-8-6 151552]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Broadband Networking.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
backup=c:\windows\pss\Microsoft Broadband Networking.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\AVP2Serv.exe"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\lithtech.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [5/7/2003 4:36 PM 26679]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [10/4/2001 11:53 AM 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [5/27/2003 12:12 PM 187392]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [8/14/2009 1:11 AM 54752]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [12/13/2002 6:33 PM 64000]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [5/1/2007 8:44 AM 6016]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
.
Contents of the 'Scheduled Tasks' folder

2009-09-20 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.0.9.13\DriverRobot.exe [2009-08-19 13:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hd0rjl1v.default\
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-26 11:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-09-26 11:08
ComboFix-quarantined-files.txt 2009-09-26 15:07
ComboFix2.txt 2009-09-22 14:45

Pre-Run: 59,078,516,736 bytes free
Post-Run: 59,057,725,440 bytes free

214
 
just a last FYI

I was getting that 2nd blank window every time I started IE
after removing with Combofix /u the second white window
stopped popping up...:D:

HR
 
Morning Ken,
Don't mean to be a bother, but when I was cleaning up all the files
we had made and clearing up my desktop I ran into a file hiding in my download folder.... that cannot be moved, renamed or deleted


HijackThis.exe 393KB application created 9-19-09 12:21 am

about the time this all started.

I have Spybot, Spyware Blaster and Malwarebytes running

When I try to do anything to it I get the error.

see attached

just trying to be safe

HR
 
Hi,

HJT is a safe program; it's what we use to analyze what's running on your system.

What is the complete path to the file?

Example: C:\downloads ???
 