WiredWX Christian Hobby Weather Tools

Cant run anti-virus

Wife's computer has a program called b.exe that keeps running and trying to access the internet. It has also disabled Task Manager and won't let any anti-virus run. I had help before with my computer, so I ran SystemLook to see if anything should be deleted. Here it is....

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:28 on 02/10/2009 by Heather (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\Windows\System32\scecli.dll --a--- 177152 bytes [02:24 21/01/2008] [02:24 21/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll --a--- 177152 bytes [02:24 21/01/2008] [02:24 21/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9

Searching for "netlogon.dll"
C:\Windows\System32\netlogon.dll --a--- 592384 bytes [02:24 21/01/2008] [02:24 21/01/2008] A8EFC0B6E75B789F7FD3BA5025D4E37F
C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll --a--- 592384 bytes [02:24 21/01/2008] [02:24 21/01/2008] A8EFC0B6E75B789F7FD3BA5025D4E37F

Searching for "eventlog.dll"
C:\Program Files\CyberLink\PowerDirector\EventLog.dll ------ 7216 bytes [04:34 18/05/2007] [04:34 18/05/2007] C2A279A458A06DE2C83D842AA042B5A8

-=End Of File=-

Re: Cant run anti-virus

Hi

Please download ComboFix by sUBs
Link 1: Forospyware.com or Link 2: BleepingComputer.com

Please save the file to your Desktop, but rename it first:

[Screenshots: renaming ComboFix in the download dialog before saving it]

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.

After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:

[Screenshots: Recovery Console installation prompts]

  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.


Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and this time name ComboFix.exe iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

Re: Cant run anti-virus

ComboFix 09-10-01.05 - whos the b**** now 10/02/2009 22:19.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.608 [GMT -4:00]
Running from: c:\documents and settings\whos the b**** now\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
ADS - system32: deleted 40 bytes in 1 streams.
ADS - WINDOWS: deleted 24 bytes in 1 streams.
/wow section - STAGE 10
Access is denied.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1259416312
c:\documents and settings\whos the b**** now\Application Data\inst.exe
c:\recycler\NPROTECT\00000000.DAT
c:\recycler\NPROTECT\00000001.DAT
c:\recycler\NPROTECT\00000002
c:\recycler\NPROTECT\00000003
c:\recycler\NPROTECT\00000004
c:\recycler\NPROTECT\00000005
c:\recycler\NPROTECT\00000006
c:\recycler\NPROTECT\00000007
c:\recycler\NPROTECT\00000009
c:\recycler\NPROTECT\00000011
c:\recycler\NPROTECT\00000012
c:\recycler\NPROTECT\00000013
c:\recycler\NPROTECT\00000014
c:\recycler\NPROTECT\00000016
c:\recycler\NPROTECT\00000017
c:\recycler\NPROTECT\00000019.DAT
c:\recycler\NPROTECT\00000020
c:\recycler\NPROTECT\00000021
c:\recycler\NPROTECT\00000022
c:\recycler\NPROTECT\00000023
c:\recycler\NPROTECT\00000024
c:\recycler\NPROTECT\00000025
c:\recycler\NPROTECT\00000026
c:\recycler\NPROTECT\00000028
c:\recycler\NPROTECT\00000029.DAT
c:\recycler\NPROTECT\00000030
c:\recycler\NPROTECT\00000031
c:\recycler\NPROTECT\00000032
c:\recycler\NPROTECT\00000033
c:\recycler\NPROTECT\00000034
c:\recycler\NPROTECT\00000035
c:\recycler\NPROTECT\00000036
c:\recycler\NPROTECT\00000037
c:\recycler\NPROTECT\00000038
c:\recycler\NPROTECT\00000039
c:\recycler\NPROTECT\00000040
c:\recycler\NPROTECT\00000041
c:\recycler\NPROTECT\00000042
c:\recycler\NPROTECT\00000043
c:\recycler\NPROTECT\00000044
c:\recycler\NPROTECT\00000045
c:\recycler\NPROTECT\00000047
c:\recycler\NPROTECT\00000048
c:\recycler\NPROTECT\00000049
c:\recycler\NPROTECT\00000052
c:\recycler\NPROTECT\00000053
c:\recycler\NPROTECT\00000054
c:\recycler\NPROTECT\00000055
c:\recycler\NPROTECT\00000056
c:\recycler\NPROTECT\00000057
c:\recycler\NPROTECT\00000058
c:\recycler\NPROTECT\00000059
c:\recycler\NPROTECT\00000060
c:\recycler\NPROTECT\00000062
c:\recycler\NPROTECT\00000063
c:\recycler\NPROTECT\00000064
c:\recycler\NPROTECT\00000065

Re: Cant run anti-virus

c:\recycler\NPROTECT\00000066
c:\recycler\NPROTECT\00000067
c:\recycler\NPROTECT\00000069
c:\recycler\NPROTECT\00000071
c:\recycler\NPROTECT\00000072
c:\recycler\NPROTECT\00000073
c:\recycler\NPROTECT\00000075
c:\recycler\NPROTECT\00000076
c:\recycler\NPROTECT\00000077
c:\recycler\NPROTECT\00000078
c:\recycler\NPROTECT\00000079
c:\recycler\NPROTECT\00000080
c:\recycler\NPROTECT\00000081
c:\recycler\NPROTECT\00000082
c:\recycler\NPROTECT\00000085
c:\recycler\NPROTECT\00000086
c:\recycler\NPROTECT\00000087
c:\recycler\NPROTECT\00000088
c:\recycler\NPROTECT\00000090
c:\recycler\NPROTECT\00000091
c:\recycler\NPROTECT\00000092
c:\recycler\NPROTECT\00000094
c:\recycler\NPROTECT\00000095
c:\recycler\NPROTECT\00000096
c:\recycler\NPROTECT\00000097
c:\recycler\NPROTECT\00000098
c:\recycler\NPROTECT\00000101
c:\recycler\NPROTECT\00000102
c:\recycler\NPROTECT\00000103
c:\recycler\NPROTECT\00000104
c:\recycler\NPROTECT\00000105
c:\recycler\NPROTECT\00000106
c:\recycler\NPROTECT\00000107
c:\recycler\NPROTECT\00000108
c:\recycler\NPROTECT\00000109
c:\recycler\NPROTECT\00000111
c:\recycler\NPROTECT\00000112
c:\recycler\NPROTECT\00000113
c:\recycler\NPROTECT\00000115
c:\recycler\NPROTECT\00000116
c:\recycler\NPROTECT\00000117
c:\recycler\NPROTECT\00000118
c:\recycler\NPROTECT\00000120
c:\recycler\NPROTECT\00000121
c:\recycler\NPROTECT\00000122
c:\recycler\NPROTECT\00000123
c:\recycler\NPROTECT\00000124
c:\recycler\NPROTECT\00000125
c:\recycler\NPROTECT\00000127
c:\recycler\NPROTECT\00000128
c:\recycler\NPROTECT\00000129
c:\recycler\NPROTECT\00000130
c:\recycler\NPROTECT\00000131
c:\recycler\NPROTECT\00000133
c:\recycler\NPROTECT\00000134
c:\recycler\NPROTECT\00000135
c:\recycler\NPROTECT\00000136
c:\recycler\NPROTECT\00000137
c:\recycler\NPROTECT\00000138
c:\recycler\NPROTECT\00000139
c:\recycler\NPROTECT\00000140
c:\recycler\NPROTECT\00000141
c:\recycler\NPROTECT\00000142
c:\recycler\NPROTECT\00000143
c:\recycler\NPROTECT\00000147
c:\recycler\NPROTECT\00000148.dat
c:\recycler\NPROTECT\00000149.dat
c:\recycler\NPROTECT\00000150
c:\recycler\NPROTECT\00000151
c:\recycler\NPROTECT\00000152
c:\recycler\NPROTECT\00000153
c:\recycler\NPROTECT\00000154
c:\recycler\NPROTECT\00000155
c:\recycler\NPROTECT\00000156
c:\recycler\NPROTECT\00000157
c:\recycler\NPROTECT\00000159
c:\recycler\NPROTECT\00000161.dat
c:\recycler\NPROTECT\00000163
c:\recycler\NPROTECT\00000164.bat
c:\recycler\NPROTECT\00000165
c:\recycler\NPROTECT\00000166
c:\recycler\NPROTECT\00000167
c:\recycler\NPROTECT\00000168
c:\recycler\NPROTECT\00000169
c:\recycler\NPROTECT\00000170
c:\recycler\NPROTECT\00000172
c:\recycler\NPROTECT\00000173
c:\recycler\NPROTECT\00000175
c:\recycler\NPROTECT\00000176
c:\recycler\NPROTECT\00000177
c:\recycler\NPROTECT\00000180
c:\recycler\NPROTECT\00000181
c:\recycler\NPROTECT\00000182
c:\recycler\NPROTECT\00000183
c:\recycler\NPROTECT\00000184
c:\recycler\NPROTECT\00000185
c:\recycler\NPROTECT\00000186
c:\recycler\NPROTECT\00000188
c:\recycler\NPROTECT\00000189
c:\recycler\NPROTECT\00000190
c:\recycler\NPROTECT\00000191
c:\recycler\NPROTECT\00000192
c:\recycler\NPROTECT\00000193
c:\recycler\NPROTECT\00000194
c:\recycler\NPROTECT\00000195
c:\recycler\NPROTECT\00000196
c:\recycler\NPROTECT\00000197
c:\recycler\NPROTECT\00000198
c:\recycler\NPROTECT\00000199
c:\recycler\NPROTECT\00000200
c:\recycler\NPROTECT\00000201
c:\recycler\NPROTECT\00000202
c:\recycler\NPROTECT\00000203
c:\recycler\NPROTECT\00000204
c:\recycler\NPROTECT\00000205
c:\recycler\NPROTECT\00000206
c:\recycler\NPROTECT\00000207
c:\recycler\NPROTECT\00000208
c:\recycler\NPROTECT\00000209
c:\recycler\NPROTECT\00000210
c:\recycler\NPROTECT\00000211
c:\recycler\NPROTECT\00000212
c:\recycler\NPROTECT\00000213
c:\recycler\NPROTECT\00000214
c:\recycler\NPROTECT\00000216
c:\recycler\NPROTECT\00000217
c:\recycler\NPROTECT\00000218
c:\recycler\NPROTECT\00000219
c:\recycler\NPROTECT\00000222
c:\recycler\NPROTECT\00000225
c:\recycler\NPROTECT\00000226
c:\recycler\NPROTECT\00000227
c:\recycler\NPROTECT\00000228
c:\recycler\NPROTECT\00000229
c:\recycler\NPROTECT\00000230
c:\recycler\NPROTECT\00000231
c:\recycler\NPROTECT\00000232.dat
c:\recycler\NPROTECT\00000233
c:\recycler\NPROTECT\00000235
c:\recycler\NPROTECT\00000236
c:\recycler\NPROTECT\00000237
c:\recycler\NPROTECT\00000238
c:\recycler\NPROTECT\00000239.bad
c:\recycler\NPROTECT\00000240
c:\recycler\NPROTECT\00000241
c:\recycler\NPROTECT\00000242
c:\recycler\NPROTECT\00000243
c:\recycler\NPROTECT\00000244
c:\recycler\NPROTECT\00000250
c:\recycler\NPROTECT\00000252.md5
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000021_.tmp.dll
c:\windows\system32\_000022_.tmp.dll
c:\windows\system32\_000023_.tmp.dll
c:\windows\system32\_000024_.tmp.dll
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\41.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\config\systemprofile\Desktop\Advanced Virus Remover.lnk
c:\windows\system32\config\systemprofile\Start Menu\Advanced Virus Remover.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\mndisk.sys
c:\recycler\NPROTECT . . . . failed to delete
c:\recycler\NPROTECT\NPROTECT.LOG . . . . failed to delete

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kbiwkmgnvwefnf
-------\Legacy_MNDISK
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_ZUMIESEARCH_SERVICE
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_kbiwkmgnvwefnf
-------\Service_mndisk
-------\Service_MyWebSearchService
-------\Service_ZumieSearch Service

Re: Cant run anti-virus

((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))
.

2009-09-23 02:32 . 2009-09-23 02:32 -------- d-----w- c:\documents and settings\whos the b**** now\WINDOWS
2009-09-15 02:28 . 2009-09-15 02:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-14 19:45 . 2009-09-14 19:45 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-03 19:07 . 2009-09-03 19:07 30720 ----a-w- c:\windows\system32\7EE983E52D57964A.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-03 00:54 . 2009-08-16 16:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-02 20:23 . 2003-12-03 15:57 -------- d-----w- c:\program files\Steam
2009-09-23 03:13 . 2006-12-19 00:31 -------- d-----w- c:\program files\Windows Media Connect 2
2009-09-15 21:37 . 2009-08-21 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-12 03:24 . 2009-06-02 21:58 -------- d-----w- c:\program files\uTorrent
2009-09-10 18:54 . 2009-08-19 01:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 01:32 . 2009-08-08 02:00 -------- d-----w- c:\documents and settings\whos the b**** now\Application Data\Vso
2009-09-09 07:20 . 2009-07-15 00:55 -------- d-----w- c:\documents and settings\whos the b**** now\Application Data\uTorrent
2009-09-03 01:38 . 2009-09-03 01:38 -------- d-----w- c:\documents and settings\whos the b**** now\Application Data\AdobeUM
2009-09-02 15:39 . 2009-09-02 15:39 43008 ----a-w- c:\windows\system32\lupgh.dll
2009-08-23 16:43 . 2009-08-23 15:05 53760 ----a-w- c:\windows\system32\drivers\WZSZXserv.sys
2009-08-23 01:06 . 2009-08-23 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2009-08-23 01:02 . 2009-08-23 01:02 -------- d-----w- c:\program files\SlySoft
2009-08-23 00:57 . 2009-08-23 00:57 -------- d-----w- c:\program files\Plato DVD to AVI Converter
2009-08-22 20:26 . 2009-08-22 20:26 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-22 20:26 . 2009-08-22 20:26 -------- d-----w- c:\program files\Zone Labs
2009-08-21 20:57 . 2009-08-21 20:57 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-21 20:57 . 2009-08-21 20:57 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-21 20:57 . 2009-08-21 20:57 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-21 20:57 . 2009-08-21 20:57 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-21 20:57 . 2009-08-21 20:57 -------- d-----w- c:\program files\AVG
2009-08-21 20:48 . 2007-04-06 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-21 20:28 . 2009-08-21 20:28 -------- d-----w- c:\documents and settings\whos the b**** now\Application Data\AVG8
2009-08-21 18:52 . 2009-08-15 02:50 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-19 20:51 . 2009-08-19 20:52 389120 ----a-w- c:\windows\system32\CF7512.exe
2009-08-19 20:48 . 2009-08-19 20:49 389120 ----a-w- c:\windows\system32\CF6937.exe
2009-08-19 20:45 . 2009-08-19 20:45 389120 ----a-w- c:\windows\system32\CF6238.exe
2009-08-19 20:35 . 2009-08-19 20:36 389120 ----a-w- c:\windows\system32\CF4364.exe
2009-08-19 20:33 . 2009-08-19 20:33 389120 ----a-w- c:\windows\system32\CF3877.exe
2009-08-19 20:32 . 2009-08-19 20:32 389120 ----a-w- c:\windows\system32\CF3655.exe
2009-08-19 20:30 . 2009-08-19 20:31 389120 ----a-w- c:\windows\system32\CF3404.exe
2009-08-19 20:26 . 2009-08-19 20:26 389120 ----a-w- c:\windows\system32\CF2535.exe
2009-08-19 20:13 . 2009-08-19 20:13 389120 ----a-w- c:\windows\system32\CF1.exe
2009-08-19 20:02 . 2009-08-19 20:03 389120 ----a-w- c:\windows\system32\CF30656.exe
2009-08-19 20:01 . 2009-08-19 20:01 389120 ----a-w- c:\windows\system32\CF30310.exe
2009-08-19 19:59 . 2009-08-19 19:59 389120 ----a-w- c:\windows\system32\CF30013.exe
2009-08-19 19:55 . 2009-08-19 19:55 389120 ----a-w- c:\windows\system32\CF29271.exe
2009-08-19 19:54 . 2009-08-19 19:55 389120 ----a-w- c:\windows\system32\CF29124.exe
2009-08-19 19:51 . 2009-08-19 19:52 389120 ----a-w- c:\windows\system32\CF28530.exe
2009-08-19 19:50 . 2009-08-19 19:50 389120 ----a-w- c:\windows\system32\CF28239.exe
2009-08-19 13:52 . 2003-12-03 01:50 -------- d-----w- c:\program files\Trend Micro
2009-08-19 13:49 . 2009-08-19 13:49 389120 ----a-w- c:\windows\system32\CF23033.exe
2009-08-19 13:26 . 2009-08-19 13:26 389120 ----a-w- c:\windows\system32\CF18543.exe
2009-08-19 13:25 . 2009-08-19 13:25 389120 ----a-w- c:\windows\system32\CF18341.exe
2009-08-19 13:23 . 2009-08-19 13:24 389120 ----a-w- c:\windows\system32\CF18037.exe
2009-08-19 12:47 . 2009-08-19 12:47 389120 ----a-w- c:\windows\system32\CF10830.exe
2009-08-19 12:44 . 2009-08-19 12:44 389120 ----a-w- c:\windows\system32\CF10222.exe
2009-08-19 03:54 . 2009-08-19 03:55 389120 ----a-w- c:\windows\system32\CF4805.exe
2009-08-19 03:41 . 2009-08-19 03:41 -------- d-----w- c:\documents and settings\whos the b**** now\Application Data\Malwarebytes
2009-08-19 02:18 . 2009-08-19 02:19 389120 ----a-w- c:\windows\system32\CF18796.exe
2009-08-19 02:18 . 2009-08-19 02:18 389120 ----a-w- c:\windows\system32\CF18662.exe
2009-08-19 02:05 . 2009-08-19 02:05 389120 ----a-w- c:\windows\system32\CF16229.exe
2009-08-19 01:41 . 2009-08-19 01:41 389120 ----a-w- c:\windows\system32\CF11429.exe
2009-08-16 16:23 . 2009-08-16 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-16 02:35 . 2004-01-28 15:26 -------- d-----w- c:\program files\Yahoo!
2009-08-16 02:20 . 2008-03-14 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-15 02:51 . 2009-08-15 02:51 -------- d-----w- c:\documents and settings\whos the b**** now\Application Data\AVS4YOU
2009-08-13 07:04 . 2007-09-21 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-11 03:48 . 2009-08-11 03:48 -------- d-----w- c:\documents and settings\whos the b**** now\Application Data\Media Player Classic
2009-08-08 16:31 . 2009-08-08 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-08-08 02:00 . 2009-08-08 02:00 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-08-08 02:00 . 2009-08-08 02:00 47360 ----a-w- c:\documents and settings\whos the b**** now\Application Data\pcouffin.sys
2009-08-08 02:00 . 2009-08-08 02:00 -------- d-----w- c:\program files\VSO
2009-08-08 01:15 . 2009-08-08 01:15 -------- d-----w- c:\documents and settings\whos the b**** now\Application Data\Ahead
2009-08-05 18:01 . 2009-08-05 18:01 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-08-05 16:20 . 2009-06-24 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\myitlab
2009-08-05 09:01 . 2005-12-30 16:08 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2009-08-19 01:51 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 16:04 . 2009-07-11 15:18 78200 ----a-w- c:\documents and settings\whos the b**** now\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 18:54 . 2009-07-24 15:13 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-07-14 18:54 . 2009-07-24 15:13 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-07-14 18:54 . 2009-07-24 15:13 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-07-14 18:54 . 2009-07-24 15:13 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-07-14 18:54 . 2007-03-28 05:37 485920 -c--a-w- c:\windows\system32\nvudisp.exe
2009-07-14 18:54 . 2006-10-22 16:22 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-07-14 18:54 . 2006-10-22 16:22 7741664 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-07-14 18:54 . 2006-10-22 16:22 5842816 ----a-w- c:\windows\system32\nv4_disp.dll
2009-07-14 18:54 . 2006-10-22 16:22 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-07-14 18:54 . 2006-10-22 16:22 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-07-14 18:54 . 2006-10-22 16:22 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-07-14 17:35 . 2009-07-14 17:35 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-07-14 17:35 . 2009-07-14 17:35 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-07-14 17:35 . 2009-07-14 17:35 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-07-14 17:35 . 2009-07-14 17:35 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-07-14 17:34 . 2009-07-14 17:34 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-07-14 17:34 . 2009-07-14 17:34 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-07-14 17:34 . 2009-07-14 17:34 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-07-14 17:34 . 2009-07-14 17:34 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-07-14 17:34 . 2009-07-14 17:34 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-07-14 17:34 . 2009-07-14 17:34 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-07-14 17:34 . 2009-07-14 17:34 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-07-14 17:34 . 2009-07-14 17:34 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-07-14 17:34 . 2009-07-14 17:34 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-07-14 03:43 . 2004-04-06 11:29 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 22:18 . 2009-05-08 06:48 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-07-10 11:01 . 2007-03-28 05:24 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-06-13 16:27 . 2006-02-09 18:04 5632 -csha-w- c:\program files\Thumbs.db
2000-06-05 21:47 . 2007-09-17 07:05 32768 -c--a-w- c:\program files\mozilla firefox\plugins\AppSub32.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe

c:\windows\system32\eventlog.dll ... is missing !!
c:\windows\system32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-21 2007832]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"7EE983E52D57964A"="c:\windows\system32\7EE983E52D57964A.exe" [2009-09-03 30720]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-21 20:57 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote Table Of Contents.onetoc2]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote Table Of Contents.onetoc2
backup=c:\windows\pss\OneNote Table Of Contents.onetoc2Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Java\\j2re1.4.2_04\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Steam\\SteamApps\\bongreaper\\counter-strike\\hl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\bongreaper\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\mIRC2\\mirc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5100:TCP"= 5100:TCP:*:Disabled:webcam.yahoo.com
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/21/2009 4:57 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/21/2009 4:57 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/21/2009 4:57 PM 297752]
R2 NProtectService;Norton Unerase Protection;c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [1/19/2006 2:18 PM 135168]
S1 65ef9f3e;65ef9f3e;c:\windows\system32\drivers\65ef9f3e.sys --> c:\windows\system32\drivers\65ef9f3e.sys [?]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [7/10/2009 6:12 PM 99352]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [7/10/2009 6:12 PM 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [7/10/2009 6:19 PM 79360]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [7/10/2009 6:12 PM 555032]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [7/10/2009 6:12 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [7/10/2009 6:12 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [7/10/2009 6:12 PM 100888]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [7/10/2009 6:12 PM 566296]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [7/10/2009 6:12 PM 566296]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe --> c:\program files\AskBarDis\bar\bin\AskService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {5445BE81-B796-11D2-B931-002018654E2E} - hxxp://support.cengage.com/system/web/view/live/messaging/ie/SecMgr.cab
FF - ProfilePath - c:\documents and settings\whos the b**** now\Application Data\Mozilla\Firefox\Profiles\t38hce12.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NpIpx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

Re: Cant run anti-virus

---- FIREFOX POLICIES ----
.
- - - - ORPHANS REMOVED - - - -

BHO-{BA603215-23F2-42AD-F4E4-00AAC39CAA53} - (no file)
Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\AskBarDis\bar\bin\askBar.dll
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll
AddRemove-Ask Toolbar_is1 - c:\program files\AskBarDis\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 22:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&??????\??? ??? ???\???\???????????5?B~e?B~\???\???????P?`??????C@?\???\??????s????\??????s\????&??A??s?&???C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-746137067-1343024091-1010\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(896)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-10-03 22:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-03 02:39

Pre-Run: 10,223,755,264 bytes free
Post-Run: 10,235,547,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

561 --- E O F --- 2009-10-03 02:36
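The log above is long, and the entries that matter (the Run key value "7EE983E52D57964A", the numbered .exe files and _0000NN_.tmp.dll files deleted from system32) stand out only because their names look machine-generated next to the Creative, NVIDIA, AVG and ZoneAlarm entries. The script below is an added example, not part of this thread or of ComboFix, that turns that eyeball check into code: it parses ComboFix-style Run key lines and bare file paths excerpted from the log above and flags names that are long hex strings, purely numeric, or in the _NNNNNN_.tmp.dll pattern. The thresholds (8 or more hex characters, an .exe sitting directly in system32) are my own choices for illustration.

```python
"""Name-based triage of ComboFix log lines.

Added example; it is not part of the thread above or of ComboFix. It runs a
few naming heuristics over lines excerpted from the log above (the Run key
block under 'Reg Loading Points' and some of the system32 entries under
'Other Deletions' and 'Files Created') and flags names that look machine-
generated, which is how an analyst picks 7EE983E52D57964A.exe out of the
legitimate Creative, NVIDIA, AVG and ZoneAlarm autostarts by eye.
"""
import ntpath
import re

# "value"="path" [YYYY-MM-DD size], the form ComboFix prints Run keys in.
RUN_ENTRY = re.compile(
    r'^"(?P<value>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)
HEX_STEM = re.compile(r"^[0-9A-Fa-f]{8,}$")   # e.g. 7EE983E52D57964A (threshold is my choice)
NUMERIC_STEM = re.compile(r"^\d+$")           # e.g. 11478, 41
TMP_DLL_STEM = re.compile(r"^_\d+_\.tmp$")    # stem of _000006_.tmp.dll

# Excerpted from the log above (Reg Loading Points, HKLM Run key).
SAMPLE_RUN = r"""
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-21 2007832]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"7EE983E52D57964A"="c:\windows\system32\7EE983E52D57964A.exe" [2009-09-03 30720]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"""

# Excerpted from the log above (Other Deletions and Files Created sections).
SAMPLE_FILES = r"""
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\41.exe
c:\windows\system32\mndisk.sys
c:\windows\system32\lupgh.dll
c:\windows\system32\7EE983E52D57964A.exe
"""


def name_reasons(path: str) -> list:
    """Why a file name looks machine-generated; an empty list means no flag."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    reasons = []
    if HEX_STEM.match(stem):
        reasons.append("long hex-string file name")
    if NUMERIC_STEM.match(stem):
        reasons.append("purely numeric file name")
    if TMP_DLL_STEM.match(stem):
        reasons.append("_NNNNNN_.tmp-style dll name")
    # An odd name weighs more when the file is a fresh .exe directly in system32.
    if reasons and ext.lower() == ".exe" and ntpath.dirname(path).lower().endswith("\\system32"):
        reasons.append("executable placed directly in system32")
    return reasons


def triage_run_entries(lines) -> list:
    """(value name, path, reasons) for Run entries whose target looks generated."""
    findings = []
    for line in lines:
        m = RUN_ENTRY.match(line.strip())
        if not m:
            continue
        reasons = name_reasons(m["path"])
        stem = ntpath.splitext(ntpath.basename(m["path"]))[0]
        if reasons and m["value"].lower() == stem.lower():
            reasons.append("value name copied from the file name")
        if reasons:
            findings.append((m["value"], m["path"], reasons))
    return findings


def triage_file_paths(lines) -> list:
    """(path, reasons) for bare file paths whose name looks generated."""
    findings = []
    for line in lines:
        path = line.strip()
        if not path.lower().startswith("c:\\"):
            continue
        reasons = name_reasons(path)
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for value, path, reasons in triage_run_entries(SAMPLE_RUN.splitlines()):
        print(f"RUN  {value!r} -> {path}: {'; '.join(reasons)}")
    for path, reasons in triage_file_paths(SAMPLE_FILES.splitlines()):
        print(f"FILE {path}: {'; '.join(reasons)}")
```

On the excerpted lines only the "7EE983E52D57964A" Run entry and the numbered/tmp-named system32 files are flagged. Note what it does not catch: lupgh.dll, which the helper removes by name in the next reply, has an ordinary-looking name, and a purely name-based rule will also fire on legitimate tools' own scratch files. Treat these as triage leads to check with hashes and timestamps, not as verdicts.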

Re: Cant run anti-virus

Hi

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\lupgh.dll
    c:\windows\system32\7EE983E52D57964A.exe

    Folder::
    c:\documents and settings\All Users\Application Data\vsosdk

    FCopy::
    c:\windows\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
    c:\windows\ServicePackFiles\i386\ctfmon.exe | c:\windows\system32\ctfmon.exe
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [Screenshot: dragging CFScript.txt onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


==

Please download SpiderKill and save it to your Desktop.
  • Right-click on SpiderKill.zip and click Extract All. Follow the prompts and read carefully, to save it to your Desktop.
  • Double-click on the SpiderKill folder, and then double-click on SpiderKill.bat and follow all the prompts in the program.
  • Within a minute, it will save its log titled SpiderKill.txt. Please post that in your next reply. You may have to use two or three posts to be able to fit the information in.


==

Please include the SpiderKill and ComboFix log in your next reply.
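Three parts of this thread are the same check done by hand: the SystemLook filefind output in the first post (each copy of scecli.dll and netlogon.dll with its MD5), the ComboFix Sigcheck section (eventlog.dll and ctfmon.exe present in ServicePackFiles\i386 and dllcache but missing from system32), and the FCopy:: lines in the script above that restore the missing files from ServicePackFiles\i386. The script below is an added example, not from this thread, SystemLook or ComboFix, that does that check in code: for each file name it hashes every copy in the backup stores, compares the live system32 copy to the service-pack copy, and emits the restore pairs in the same "source | destination" form FCopy:: uses. The backup-store order and the demo directory tree are my own; the demo tree is constructed in a temp dir, with a made-up sample.dll so the mismatch path is exercised (the log above shows no such mismatch).

```python
"""Compare a Windows system file's live copy with its backup copies.

Added example, not from the original thread, SystemLook or ComboFix. It does
by hand what the SystemLook filefind output and the ComboFix Sigcheck section
above show: locate each copy of a named file, MD5 it, and report whether the
copy in system32 is missing or differs from the service-pack copy, then emit
the restore pairs in the 'source | destination' form the FCopy:: block uses.
The directory tree used by run_demo() is constructed in a temp dir so the
script runs on any OS; a real Windows install is only read when SystemRoot
is set in the environment.
"""
import hashlib
import os
import tempfile
from pathlib import Path

LIVE = Path("system32")
# Backup stores in order of trust (my choice); the first one holding the file
# is the reference. On XP SP3, ServicePackFiles\i386 holds the SP3 binaries
# and $NtServicePackUninstall$ holds the older pre-SP3 copies.
BACKUPS = (
    Path("ServicePackFiles") / "i386",
    Path("system32") / "dllcache",
    Path("$NtServicePackUninstall$"),
)


def md5_of(path: Path) -> str:
    """Upper-case MD5 hex digest, the format SystemLook and ComboFix print."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def check_file(windir: Path, name: str) -> dict:
    """Verdict for one file: 'ok', 'missing', 'mismatch' or 'no_reference'."""
    result = {"name": name, "backups": {}, "restore_from": None}
    reference_md5 = None
    for rel in BACKUPS:
        copy = windir / rel / name
        if copy.is_file():
            result["backups"][str(rel)] = md5_of(copy)
            if reference_md5 is None:
                reference_md5 = result["backups"][str(rel)]
                result["restore_from"] = str(copy)
    if reference_md5 is None:
        result["verdict"] = "no_reference"
        return result
    live = windir / LIVE / name
    if not live.is_file():
        result["verdict"] = "missing"
    else:
        result["live_md5"] = md5_of(live)
        result["verdict"] = "ok" if result["live_md5"] == reference_md5 else "mismatch"
    return result


def fcopy_lines(windir: Path, results) -> list:
    """'source | destination' pairs for the files that need restoring."""
    return [
        f"{r['restore_from']} | {windir / LIVE / r['name']}"
        for r in results
        if r["verdict"] in ("missing", "mismatch")
    ]


def build_demo_tree(root: Path) -> Path:
    """Constructed fixture: eventlog.dll absent from system32 (as in the log
    above), scecli.dll intact, and a made-up sample.dll whose live copy has
    been altered so the mismatch path is exercised."""
    windir = root / "WINDOWS"
    sp = windir / BACKUPS[0]
    dllcache = windir / BACKUPS[1]
    sp.mkdir(parents=True)
    dllcache.mkdir(parents=True)
    (sp / "eventlog.dll").write_bytes(b"constructed eventlog.dll SP3 bytes")
    (dllcache / "eventlog.dll").write_bytes(b"constructed eventlog.dll SP3 bytes")
    (sp / "scecli.dll").write_bytes(b"constructed scecli.dll SP3 bytes")
    (windir / LIVE / "scecli.dll").write_bytes(b"constructed scecli.dll SP3 bytes")
    (sp / "sample.dll").write_bytes(b"constructed clean sample.dll")
    (windir / LIVE / "sample.dll").write_bytes(b"constructed PATCHED sample.dll")
    return windir


def run_demo():
    """Run the check over the constructed tree; returns (verdicts, fcopy lines)."""
    with tempfile.TemporaryDirectory() as tmp:
        windir = build_demo_tree(Path(tmp))
        results = [check_file(windir, n) for n in ("eventlog.dll", "scecli.dll", "sample.dll")]
        return {r["name"]: r["verdict"] for r in results}, fcopy_lines(windir, results)


if __name__ == "__main__":
    system_root = os.environ.get("SystemRoot")  # set only on Windows
    if system_root:
        for n in ("eventlog.dll", "ctfmon.exe", "scecli.dll", "netlogon.dll"):
            r = check_file(Path(system_root), n)
            print(f"{r['verdict']:12} {n:14} {r.get('live_md5', '-')}")
    else:
        print(run_demo())
```

The caveat a practitioner should keep in mind: the reference copy is only as trustworthy as the store it came from. dllcache is writable by anything running as Administrator, so an infection that patched the live file can also have seeded dllcache, which is why the script prefers ServicePackFiles\i386 and why the log's Sigcheck section prints the version and hash of every copy rather than a single yes/no.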
