1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Can't run virus/spyware/adware scans, Firefox, IE, etc.

Discussion in 'Windows - Virus and spyware problems' started by SinRama, Aug 30, 2009.

  1. migTMC

    migTMC Member

    Joined:
    Sep 9, 2009
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    16

    I've delted all the gey******** files, managed to do that Saturday. Looks like it's something else. With running the script, don't you use cscript, as the FAQ on the Silent Running site says? Avenger, is that something else?

    I found a file in D:\WINDOWS\system32, called qmgr.dll. I looked back at the first Combo-Fix scan I did last Thurssday. It didn't finish, closed after 30secs or so, but it did post the following log:

    ComboFix 09-09-09.04 - mig 10/09/2009 19:06.1.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.243 [GMT 9:00]
    Running from: c:\combo-fix\Combo-Fix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\recycler\S-1-5-21-1659004503-796845957-725345543-1003
    c:\recycler\S-1-5-21-854245398-1935655697-1801674531-1003
    C:\smp.bat
    c:\windows\atualmenteo.dll
    c:\windows\iexplorer.exe
    c:\windows\system\KEYBOARD1.DRV

    c:\windows\system32\qmgr.dll . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
    .

    2009-09-10 09:08 . 2009-09-10 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-09-10 09:08 . 2009-09-10 09:09 -------- d-----w- C:\warhor
    2009-09-10 09:08 . 2009-09-10 09:08 -------- d-----w- c:\documents and settings\mig\Application Data\SUPERAntiSpyware.com
    2009-09-10 09:04 . 2009-09-10 09:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-09-10 04:36 . 2009-09-10 04:36 -------- d-----w- c:\documents and settings\mig\Application Data\Malwarebytes
    2009-09-10 04:36 . 2009-08-03 04:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-10 04:36 . 2009-09-10 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-09-10 04:36 . 2009-08-03 04:36 18456 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-09-10 04:35 . 2009-09-10 09:07 -------- d-----w- C:\heyho
    2009-09-08 12:37 . 2002-08-28 16:32 56832 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-08-20 1511453]
    "SUPERAntiSpyware"="c:\warhor\warhor\SUPERAntiSpyware.exe" [2009-09-04 1994480]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\warhor\warhor\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 06:21 548352 ----a-w- c:\warhor\warhor\SASWINLO.dll

    R1 SASDIFSV;SASDIFSV;c:\warhor\warhor\sasdifsv.sys [4/09/2009 2:50 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\warhor\warhor\SASKUTIL.SYS [4/09/2009 2:49 PM 74480]
    R3 SASENUM;SASENUM;c:\warhor\warhor\SASENUM.SYS [4/09/2009 2:50 PM 7408]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ALG
    *NewlyCreated* - IPNAT
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.westnet.com.au/
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    TCP: {8C037449-ED60-44E7-987E-C2AE22790ED3} = 203.21.20.20,203.10.1.9
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-10 19:10
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(672)
    c:\windows\System32\ODBC32.dll
    c:\warhor\warhor\SASWINLO.dll

    - - - - - - - > 'lsass.exe'(728)
    c:\windows\System32\dssenh.dll

    - - - - - - - > 'explorer.exe'(956)
    c:\windows\System32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2009-09-10 19:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-09-10 10:11

    Pre-Run: 231,311,360 bytes free
    Post-Run: 210,669,568 bytes free

    93



    It says that qmgr.dll is infected. I tried deleting it, can't and will try in safemode. Is it better to startup in Safemode or Safemode with Networking?
     
    Last edited: Sep 13, 2009
  2. justynf

    justynf Member

    Joined:
    Aug 31, 2009
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Run GMER again 1 check box at a time and paste here. See how far you can get with it now. And The Avenger is something else than SilentRunners

    Wish we could chat faster like through messenger so we could try to figure this out faster.
     
  3. scorpNZ

    scorpNZ Active member

    Joined:
    Mar 23, 2005
    Messages:
    4,266
    Likes Received:
    63
    Trophy Points:
    78
    There are plenty of posts by others who needed help that 2oldgeek helped fix,find any of those threads will give you some idea of how to go about at least getting your comp to a usable standard.


    below is a link for a free live cd that is for fixing virus infected computers,i have never used it however PCMech recommends it so it's safe to assume it's legit

    http://www.freedrweb.com/cureit/?lng=en

    Personally i'd save any data & reformat,if you can't boot or the virus makes things awkward then place the hdd in an external housing & get any data you need that way,coz you'll more than likely find once infected & even if you repair it,things just won't work the same.

    Next some freebies so it don't happen again unless your stupid,these 3 should solve any future problems,unless you install crap without scanning it first,all three are free & realtime scanners

    Spywareterminater with HIPS enabled
    Avast antivirus
    comodo firewall

     
  4. migTMC

    migTMC Member

    Joined:
    Sep 9, 2009
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    16

    I had searched the forum here and none of the information on the other few threads about the same sort of infection worked for me. Malwarebytes' Anti-Malware looked like it would work, but like the other programs explained,it too didn't scan and then was inaccessible.

    Chances are I will do a reinstall of XP, because the little issues left on my computer (like not being able to unblock IE, ComboFix and still not being able to scan with AVG Free Antivirus)

     
  5. scorpNZ

    scorpNZ Active member

    Joined:
    Mar 23, 2005
    Messages:
    4,266
    Likes Received:
    63
    Trophy Points:
    78
    Another way to retrieve data if an external housing & another computer are unavailable is to install linux to any free space,something like ubuntu as it can install automatically for you,it's free as is kubuntu & puppy linux there are many other free linux OS's available,all can be viewed at distro watch
     
  6. migTMC

    migTMC Member

    Joined:
    Sep 9, 2009
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    16

    I am busy with work as well as family, but really spending all of my spare time here (got a pretty bad headache after a week on this).


    First GMer scan - System

    GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
    Rootkit scan 2009-09-14 17:34:52
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xF6908FC0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF6905C80]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xF6920170]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xF6909580]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xF691D900]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xF691DB10]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xF6921B10]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xF6909670]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xF6906210]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xF69209F0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xF69207A0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xF691D280]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xF6920F10]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xF6920F90]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xF6906070]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xF691F180]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xF691EF40]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xF69216F0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xF6921150]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xF6908BE0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xF6921540]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xF6909190]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF6906440]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xF69204E0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xF691E200]
    SSDT \??\D:\Download Programs\Downloadcom programs\SUPERAntiSpyware\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEE19C0B0]

    ---- EOF - GMER 1.0.15 ----




    Next - Section

    GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
    Rootkit scan 2009-09-14 18:03:32
    Windows 5.1.2600 Service Pack 2


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [80, 95, 90, F6, 00, D9, 91, ...]
    .text ntoskrnl.exe!_abnormal_termination + 1D5 804E2831 7 Bytes [0F, 92, F6, 90, 0F, 92, F6] {SETB DH; NOP ; SETB DH}
    ? srescan.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text D:\Program Files\MSN Messenger\MsnMsgr.Exe[1888] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes JMP 004DE392 D:\Program Files\MSN Messenger\MsnMsgr.Exe (Messenger/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----




    Next - IAT/EAT

    GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
    Rootkit scan 2009-09-14 19:05:21
    Windows 5.1.2600 Service Pack 2


    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F690DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F690D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F690E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F690BE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F690BE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F690DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F690D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F690E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F690DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F690E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F690D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F690BE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F690E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F690D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F690DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F6926B30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F690BE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F690DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F690D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F690E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F690DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F690BE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F690E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F690D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F6906980] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F69068D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F6906A80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F69065E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 0133BCA0
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 0133BC50
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 01337EA0
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 01339100
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 0133AA10
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 01339370
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 01339180
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 0133A010
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 0133B950
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 0133B990
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 0133BD30
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 0133B810
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 0133A970
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 01339930
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 013392E0
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 01339660
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 0133C2B0
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 0133A360
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 0133A7D0
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 0133AE90
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 0133AC20
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 0133AE10
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 0133B2F0
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 0133B000
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 01339250
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 013397E0
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 0133BA70
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 0133AD60
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 0133A910
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 0133A790
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 0133AB20
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 0133BD50
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 0133AB60
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 0133BFF0
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 0133BF90
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 0133C1E0
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 0133C280
    IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 0133C0B0

    ---- EOF - GMER 1.0.15 ----




    Next - Devices

    GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
    Rootkit scan 2009-09-14 19:06:27
    Windows 5.1.2600 Service Pack 2


    ---- Devices - GMER 1.0.15 ----

    Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----




    Next - Modules

    NOTHING



    Next - Processes

    NOTHING




    Next - Threads

    NOTHING




    Next - Libraries

    NOTHING




    Next - Services

    NOTHING



    Next - Registry

    GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
    Rootkit scan 2009-09-14 19:16:02
    Windows 5.1.2600 Service Pack 2


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

    ---- EOF - GMER 1.0.15 ----




    Next - Files (AFTER A LONG, 8 HOUR SCAN)

    NOTHING





    Also, the following documents/files appeared on my D:\ drive (the largest partition and the one that is infected and I always use)
    - $AVG8.VAULT$ (I am sure this is related to AVG Free Antivirus, but never appeared there before)
    - 32788R22FWJFW (This has to do with Combo-Fix,so maybe that's to be expected
    - Avenger (this document appeared after the first time I used Malwarebytes' Anti-Malware and it is empty, nothing in it at all, even hidden files)
    - WUTemp (Also appeared Thursday)
    - Qoobox (Appeared yesterday morning)
    - Bug.txt (Looks like related to Combo-Fix and the first scan with it)
    - Start_ (Windows NT Command Script according to properties)(Created Thursday, Modified last night so about 24 hours ago)(size 322bytes,so very small)

    Also, I can no longer connect to peers properly with utorrent. I have forwarded the port well and since Friday, utorrent says that I have a port forwarding problem. It has to be the infection that has changed something, as I use a program called PFPortChecker and it tells you whether the port is in fact properly forwarded



    Also, do you know how to save and copy Firefox bookmarks, where the bookmarks file or folder is located. I need this so I can copy that to another hard drive so I can then place back in firefox after reinstalling XP, which I'll be ding tonight, in about eight hours or so


     
    Last edited: Sep 14, 2009
  7. justynf

    justynf Member

    Joined:
    Aug 31, 2009
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    That's weird that it came up as NOTHING for a few scans, like Processes/services.

    Anyways does it let you download/save a fresh copy of Hijackthis? IF you can get that scan you can probably fix most the problems.

    Also did you ever delete the folders C:\Warhor and C:\Heyho?

    Would be horrible to reformat after getting rid of most of the malware already.

    But bookmarks for firefox I believe are:

    C:\Documents and Settings\USERNAME\Application Data\Mozilla\Firefox\Profiles\PROFILENAME\Bookmarks.html



    NEXT:

    To get Internet Explorer working do that Security Tab permissions thing in the main folder where Internet Explorer is stored.

    C:\Program Files\Internet Explorer\Iexplore.exe

    Right click properties, security tab, edit, Uncheck the Deny Access under Everyone, and set full control to your user name.

    Click OK, click advanced, owner tab, edit, click your name, click apply, ok.

    But probably shouldn't launch it right away in case it takes you to the site that gave you the Malware in the first place.


    If you still can't run Hijackthis. Get a list of services by a screenshot or something so we can see if any are malicious and should be disabled.

    To access services:

    Click start > Run > type services.msc, press enter.


    If we figure out which ones to disable, if any, then it might let you run scans that show details of the malware files so you can remove it completely.
     
    Last edited: Sep 15, 2009
  8. migTMC

    migTMC Member

    Joined:
    Sep 9, 2009
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    16


    I downloaded and installed HiJackThis this morning,under a different name, and it scanned completely. The log is below:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:22:51 AM, on 16/09/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    D:\WINDOWS\System32\svchost.exe
    D:\PROGRA~1\AVG\AVG8\avgrsx.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\WgaTray.exe
    D:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    D:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    D:\PROGRA~1\AVG\AVG8\avgtray.exe
    D:\Program Files\Brother\ControlCenter3\brccMCtl.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    D:\Program Files\MSN Messenger\MsnMsgr.Exe
    D:\Registry Mechanic\RegMech.exe
    D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    D:\Download Programs\Downloadcom programs\Taskbar shuffle\Taskbar Shuffle\taskbarshuffle.exe
    D:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\Download Programs\Firefox\Mozilla Firefox\firefox.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\WINDOWS\system32\ntvdm.exe
    D:\PROGRA~1\AVG\AVG8\avgnsx.exe
    D:\Program Files\AVG\AVG8\avgupd.exe
    D:\Download Programs\Downloadcom programs\HoHo\HoHo\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.westnet.com.au/
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - D:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - D:\Program Files\AskBarDis\bar\bin\askBar1.dll
    O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - D:\Download Programs\Downloadcom programs\KeyScrambler\KeyScrambler\KeyScramblerIE.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - D:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - D:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - D:\Program Files\AskBarDis\bar\bin\askBar1.dll
    O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] D:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] D:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [BrMfcWnd] D:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [SetDefPrt] D:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter3] D:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Adobe\Reader 9.0 Only\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Download Programs\Downloadcom programs\ZoneAlarm 8.0.065\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [RegistryMechanic] D:\Registry Mechanic\RegMech.exe /H
    O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Taskbar Shuffle] D:\Download Programs\Downloadcom programs\Taskbar shuffle\Taskbar Shuffle\taskbarshuffle.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-21-1659004503-796845957-725345543-1003\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-1659004503-796845957-725345543-1003\..\Run: [RegistryMechanic] D:\Registry Mechanic\RegMech.exe /H (User '?')
    O4 - HKUS\S-1-5-21-1659004503-796845957-725345543-1003\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
    O4 - HKUS\S-1-5-21-1659004503-796845957-725345543-1003\..\Run: [Taskbar Shuffle] D:\Download Programs\Downloadcom programs\Taskbar shuffle\Taskbar Shuffle\taskbarshuffle.exe (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-21-1659004503-796845957-725345543-1003 Startup: Acrobat Assistant.lnk = F:\Adobe\Adobe Acrobat 6\Adobe Acrobat 6.0 Professional\Acrobat 6.0\Distillr\acrotray.exe (User '?')
    O4 - S-1-5-21-1659004503-796845957-725345543-1003 Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
    O4 - S-1-5-21-1659004503-796845957-725345543-1003 Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE (User '?')
    O4 - Startup: Acrobat Assistant.lnk = F:\Adobe\Adobe Acrobat 6\Adobe Acrobat 6.0 Professional\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Clean Traces - D:\Download Programs\Download Accelerator\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - D:\Download Programs\Download Accelerator\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\Download Programs\Download Accelerator\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - D:\Download Programs\Downloadcom programs\KeyScrambler\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - D:\Download Programs\Downloadcom programs\KeyScrambler\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1195576713921
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4-5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BFF8A205-FEDC-457C-B0BE-77D5922B9C8E}: NameServer = 203.21.20.20,203.10.1.9
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - Winlogon Notify: !SASWinLogon - D:\Download Programs\Downloadcom programs\SUPERAntiSpyware\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - D:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Windows Display Manager (Windows Display Driver Manager) - Unknown owner - D:\Program Files\Common Files\System\Nvcpl.exe (file missing)

    --
    End of file - 10388 bytes



    Also, I'm not able to delete the other HiJackThis "install" .exe file, the first HiJackThis I got a week ago. It says access is denied,so I can't use it or delete it.


    But bookmarks for firefox I believe are:

    C:\Documents and Settings\USERNAME\Application Data\Mozilla\Firefox\Profiles\PROFILENAME\Bookmarks.html


    NEXT:

    To get Internet Explorer working do that Security Tab permissions thing in the main folder where Internet Explorer is stored.

    C:\Program Files\Internet Explorer\Iexplore.exe

    Right click properties, security tab, edit, Uncheck the Deny Access under Everyone, and set full control to your user name.

    Click OK, click advanced, owner tab, edit, click your name, click apply, ok.


    As for firefox bookmarks, the Bookmarks.html file opens in firefox and takes me to a help site for using firefox. Alternatively it can be open in notepad, but it is not really readable. If I copy that file to another hardrive and then place it in the same folder after I reinstall XP Pro and then firefox, would that then make all the bookmarks appear in firefox again?

    As for unblocking IE - I right click the Internet Explorer.exe file, but there is no "Security Tab". What there is is "General", "Program", "Font", "Memory", "Misc", "Screen" and "Compatibility". Unlike with the other programs I could unblock,there is no selection allowing me to unblock, so I am unable to do anything.

    Also, and still the most baffling and irritating of all the problems left, is the fact that my router seems to have been affected as well. utorrent says that the ports I forwarded (over a month ago and everything was well) are not available or forwarded properly.I checke my router settings and all is well and the same as before. I am not using a firewall either right now, so not sure what is going on there.


    If you can please have a look at the problems I still have and the HiJackThis log and see if you can help, it would be much appreciated.

    Thanks heaps for your help, it is real nice of you, but it does look like the only safe way is to reinstall XP Pro


     
  9. justynf

    justynf Member

    Joined:
    Aug 31, 2009
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    My last idea is to try using Dr Web Cureit. Scan for problems and see what happens. Also scan using Registry Mechanic which is on your computer to see if that can repair any problems. And then run Combofix again.

    I am sorry your computer still has some problems, but if you have the data backed up and Windows Installation Disks, I would reformat Windows as a safer choice, Though it looks like most of it is gone already.

    Is Iexplore.exe using the extension .exe?

    Are any newly installed programs still being blocked? You can repair internet explorer and remove any other access denied files and get them again.

    Any other problems other than access denied errors and Utorrent problems? You may have got the Malware from a torrent file in the first place.

    Good luck and post back what you end up doing, log scans if you ran them all again, etc.

    In Internet explorer it shows you have toolbars Browser Helper Objects. They are not malicious, but if you don't use them you won't need them installed and can remove them with uninstall manager and cleanup any remaining files using hijackthis.
     
    Last edited: Sep 16, 2009
  10. migTMC

    migTMC Member

    Joined:
    Sep 9, 2009
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    16

    Thanks a heap, very much appreciated. I will reinstall XP tomorrow. This forum really does have some knowledgeable people and that makes solving problems so much easier


     
  11. Taypho

    Taypho Member

    Joined:
    Dec 1, 2009
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    11
    Windows Vista Home Premuim SP1
    Memory 2.50 GB
    32 Bit Operating System
    Intel Core 1.86 GHz

    Just looking for some advice basically.
    I have noticed some strange behaviour from my PC lately as it has started running very slow at times and this really is the first time this has happened since I bought the system back in 2007 I have also opened the pc and hoovered all the dust away but this hasn't really improved things and very recently my keyboard has altered as in my @ symbol has to be made by holding shift + 2 and it was never like this before which leads me to believe I have some sort of virus and so does the fact that on some websites the text appears bold in places and normal in others which is clearly not normal behaviour, I have performed a scan and given a log below only I don't understand it and can't work out if there is anything suspicious.
    I appreciate any help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:24:13, on 01/12/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18828)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\NetLimiter 2 Pro\NLClient.exe
    C:\Program Files\Intel\LDCM\Bin\LDCMSync.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\O2\bin\sprtcmd.exe
    C:\Program Files\NoAdware\NoAdware5.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\RelevantKnowledge\rlvknlg.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Vuze\Azureus.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [LDCMSync] C:\Program Files\Intel\LDCM\Bin\LDCMSync.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [NoAdware5] "C:\Program Files\NoAdware\NoAdware5.exe" :Min:
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O13 - Gopher Prefix:
    O15 - Trusted Zone: http://*.broadband.o2.co.uk
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
    O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Intel Bootstrap Agent - Intel Corporation - C:\Program Files\Intel\BootStrap Agent\Bsa.exe
    O23 - Service: Intel CI Manager - Intel(R) Corporation - C:\Program Files\Intel\LDCM\ci\cimgr\CiMgrLdr.exe
    O23 - Service: Intel IIDS - Intel(R) Corporation - C:\Program Files\Intel\LDCM\bin\IIDS.exe
    O23 - Service: Intel SSM - Intel(R) Corporation - C:\Program Files\Intel\LDCM\bin\ssm.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: RelevantKnowledge - TMRG, Inc. - C:\Program Files\RelevantKnowledge\rlservice.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
    O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
    O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
    O23 - Service: win32sl - Smart Technology Enablers - C:\Program Files\Intel\DMI\BIN\WIN32SL.EXE

    --
    End of file - 7351 bytes

    I have not deleted anything from this scan as I wanted a knowledgeable opinion first.

    Thankyou.
     

Share This Page