Problems with first steps - Page 2

Vesh Wolf · 03-19-2009, 12:26 PM

Ok, I've started the scan, but it's going very slow. I just wanted to post in here so you know I'm working on what you asked, just in case it doesn't finish before the 24 hour mark.

Vesh Wolf · 03-19-2009, 09:04 PM

Ok, here is the result of that scan.

10980281.FIL.OLD;C:\$VAULT$.AVG;Trojan.MulDrop.8705;Deleted.;
42192468.FIL.OLD;C:\$VAULT$.AVG;Trojan.PWS.LDPinch.3651;Deleted.;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\HP_Administrator\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\HP_Administrator\Desktop;Container contains infected objects;Moved.;
xampp-win32-1.6.7-installer.exe\data220;C:\Documents and Settings\HP_Administrator\Desktop\SHORTCUTS\Utilities\xampp-win32-1.6.7-installer.exe;Program.PrcView.3725;;
xampp-win32-1.6.7-installer.exe;C:\Documents and Settings\HP_Administrator\Desktop\SHORTCUTS\Utilities;Archive contains infected objects;Moved.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\Aol\United States\AOL90\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;C:\Program Files\Online Services\Aol\United States\AOL90\comps\coach;Archive contains infected objects;Moved.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\Aol\United States\AOL90E\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;C:\Program Files\Online Services\Aol\United States\AOL90E\comps\coach;Archive contains infected objects;Moved.;
A0333759.OLD;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1008;Trojan.MulDrop.8705;Deleted.;
A0333760.OLD;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1008;Trojan.PWS.LDPinch.3651;Deleted.;
A0333762.exe\data220;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1008\A0333762.exe;Program.PrcView.3725;;
A0333762.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1008;Archive contains infected objects;Moved.;
A0333763.exe\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1008\A0333763.exe;Adware.Gdown;;
A0333763.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1008;Archive contains infected objects;Moved.;
A0333764.exe\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1008\A0333764.exe;Adware.Gdown;;
A0333764.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1008;Archive contains infected objects;Moved.;
pv.exe;C:\xampp\apache\bin;Program.PrcView.3725;;
xampp-win32-1.6.5-installer(2).exe\data207;F:\My Downloads\DOWNLOADS\Installation Proggies\Utility Programs\xampp-win32-1.6.5-installer(2).exe;Program.PrcView.3725;;
xampp-win32-1.6.5-installer(2).exe;F:\My Downloads\DOWNLOADS\Installation Proggies\Utility Programs;Archive contains infected objects;Moved.;
keygen1.exe;F:\My Downloads\DOWNLOADS\Installation Proggies\Games\ElfBowlingInsult\Reflexive Arcade Games Universal Keygen;Trojan.DownLoad.25562;Deleted.;
1Click DVD Copy 5.0.2.1 Patch.exe;F:\My Downloads\DOWNLOADS\Installation Proggies\Audio-Video\1Click DVD Copy 5.0.2.1;Tool.ASEye.2;;

I hope this is all you needed. :)

Billy O'Neal · 03-19-2009, 09:31 PM

Still getting spoolsv errors?

Billy3

Vesh Wolf · 03-19-2009, 10:43 PM

Unfortunately yes. It occurs 3 times during startup; that's the only time though
and now my PowerArchiver program isn't working. I did a clean uninstall and reinstall and it won't come up. It shows up in the task manager under services that's it's running but it never comes up when i click open

Billy O'Neal · 03-21-2009, 05:50 AM

What scan program is running in the background here -> http://www.techsupportforum.com/2028632-post19.html ?

Billy3

Vesh Wolf · 03-21-2009, 08:14 PM

It's a rootkiller program called Partizan always runs at the very start of my pc booting up; however I have deleted that program since the screencap was taken and I have rebooted twice and so far (eyes, fingers and toes crossed here) I have not encountered the spoolsv error messages but am still unable to access my Powerarchiver program.

Billy O'Neal · 03-22-2009, 05:16 PM

Hello, Vesh Wolf

Quote:

It's a rootkiller program called Partizan always runs at the very start of my pc booting up; however I have deleted that program since the screencap was taken and I have rebooted twice and so far (eyes, fingers and toes crossed here) I have not encountered the spoolsv error messages

That explains the broken BootExecute keys we had earlier :P

Quote:

but am still unable to access my Powerarchiver program.

Quote:

It shows up in the task manager under services that's it's running but it never comes up when i click open

How are you starting it? Double clicking on an archive, or by going to it on the start menu? How long has the issue occured?

Billy3

Vesh Wolf · 03-22-2009, 07:24 PM

I double-click on the powerarchiver program and wait, and wait, and wait..lol it never comes up, but as I stated earlier, the program shows up in the task manager it's memory useage.

Billy O'Neal · 03-22-2009, 07:52 PM

Quote:

I double-click on the powerarchiver program and wait, and wait, and wait..lol it never comes up, but as I stated earlier, the program shows up in the task manager it's memory useage.

Hmm.. without an error message or something of the kind it's difficult to know what's going on.

What happens if you double click on a ZIP?

What version of power archiver are you using?

Billy3

Vesh Wolf · 03-23-2009, 07:23 AM

When I click on a zip file, I get the same thing, shows up in task manager, but file never opens up. I am using PowerArchiver 2009

Billy O'Neal · 03-23-2009, 02:15 PM

Please try downloading the 2010 version from here and see if that helps-> http://dl.powerarchiver.com/2010/powarc1150b1.exe

Billy3

Vesh Wolf · 03-24-2009, 10:41 PM

I have the newest version, and I also have paid for it. I am not sure why, but it still will not let me open the program, nor will it open a file by double clicking on it.

Billy O'Neal · 03-25-2009, 07:01 PM

Alright... please download a brand new copy of ComboFix and try that once more please.

Billy O'Neal · 03-31-2009, 01:30 PM

Hello, Vesh Wolf
Are you still here?

Billy3

Vesh Wolf · 03-31-2009, 11:56 PM

Sorry for the delay, real life situation. Ok, I downloaded the Powerarchiver2010, did the same thing. so did a complete uninstall of the 2010 and re-installed the 2009 version and still the same thing; shows up in the taskmanager as running under processes, yet never comes up. i double click on the program itself nothing; I double click on a zippef folder; once again nothing. any ideas?

Billy O'Neal · 04-01-2009, 08:43 PM

Hello, Vesh Wolf
Alright.. either I missed something or there's something hiding -- or -- this isn't a malware issue. I want to get a set of new logs to check once more as the other ones are out of date by now.

We need to create an OTListIt2 Report

Please download OTListIt2 from one of the following mirrors:
- This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTListIt.txt <-- Will be opened
- Extra.txt <-- Will be minimized

We need to scan for Rootkits with GMER

Please download GMER from one of the following mirrors:
Close any and all open programs, as this process may crash your computer.
Unzip the downloaded file to your desktop.
Double click on your desktop.
Allow the gmer.sys driver to load if asked.
You may see this window. If you do, click No.
Click on and wait for the scan to finish.
If you see a rootkit warning window, click OK.
Push and save the logfile to your desktop.
Copy and Paste the contents of that file in your next post.

In your next reply, please include the following:
OTListIt.txt

Extra.txt

GMER's Log

Billy3

Vesh Wolf · 04-04-2009, 12:19 AM

Just as an update... I've attempted to run the GMER several times, and it's always interrupted by one crash or another which disables Me from saving. I'm attempting to run it in safe mode, although I'm not sure that will actually help or not. Also, I never got an extras report to open with the OTListit. As soon as I get the GMER scan finished, I'll post what I do have.

Billy O'Neal · 04-04-2009, 03:53 PM

Hello, Vesh Wolf
Please try running RootRepeal instead of GMER :)

We Need to check for Rootkits with RootRepeal

Download RootRepeal from the following location and save it to your desktop:
- RootRepeal
Extract RootRepeal.exe from the zip archive.
Open on your desktop.
Click the tab.
Click the button.
Check all six boxes:
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

In your next reply, please include the following:
RootRepeal Log

Billy3

Vesh Wolf · 04-04-2009, 05:50 PM

Log is attatched

Also, the power archiver has started working, and I have no idea why, but I dont trust it after it stopping just as suddenly as it started.

Billy O'Neal · 04-04-2009, 11:33 PM

Hello :)

Quote:

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf768eb30

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf768e6f0

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf768e470

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf768ec50

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf768e990

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf768e8d0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf768ed60

Appears to be a Sygate component -> http://www.file.net/process/wpsdrvnt.sys.html

Please uninstall Sygate Personal Firewall. Then see if GMER and PowerArchiver work :)

Thanks and good luck!

Billy3

03-19-2009, 12:26 PM	#21 (permalink)
Vesh Wolf Registered User Join Date: Mar 2009 Posts: 20 OS: XP	Re: Problems with first steps Ok, I've started the scan, but it's going very slow. I just wanted to post in here so you know I'm working on what you asked, just in case it doesn't finish before the 24 hour mark.

03-19-2009, 09:04 PM	#22 (permalink)
Vesh Wolf Registered User Join Date: Mar 2009 Posts: 20 OS: XP	Re: Problems with first steps Ok, here is the result of that scan. 10980281.FIL.OLD;C:\$VAULT$.AVG;Trojan.MulDrop.8705;Deleted.; 42192468.FIL.OLD;C:\$VAULT$.AVG;Trojan.PWS.LDPinch.3651;Deleted.; ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe/data002;Program.PsExec.171;; data002;C:\Documents and Settings\HP_Administrator\Desktop;Archive contains infected objects;; ComboFix.exe;C:\Documents and Settings\HP_Administrator\Desktop;Container contains infected objects;Moved.; xampp-win32-1.6.7-installer.exe\data220;C:\Documents and Settings\HP_Administrator\Desktop\SHORTCUTS\Utilities\xampp-win32-1.6.7-installer.exe;Program.PrcView.3725;; xampp-win32-1.6.7-installer.exe;C:\Documents and Settings\HP_Administrator\Desktop\SHORTCUTS\Utilities;Archive contains infected objects;Moved.; aolcinst.exe\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\Aol\United States\AOL90\comps\coach\aolcinst.exe;Adware.Gdown;; aolcinst.exe;C:\Program Files\Online Services\Aol\United States\AOL90\comps\coach;Archive contains infected objects;Moved.; aolcinst.exe\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\Aol\United States\AOL90E\comps\coach\aolcinst.exe;Adware.Gdown;; aolcinst.exe;C:\Program Files\Online Services\Aol\United States\AOL90E\comps\coach;Archive contains infected objects;Moved.; A0333759.OLD;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1008;Trojan.MulDrop.8705;Deleted.; A0333760.OLD;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1008;Trojan.PWS.LDPinch.3651;Deleted.; A0333762.exe\data220;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1008\A0333762.exe;Program.PrcView.3725;; A0333762.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1008;Archive contains infected objects;Moved.; A0333763.exe\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1008\A0333763.exe;Adware.Gdown;; A0333763.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1008;Archive contains infected objects;Moved.; A0333764.exe\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1008\A0333764.exe;Adware.Gdown;; A0333764.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1008;Archive contains infected objects;Moved.; pv.exe;C:\xampp\apache\bin;Program.PrcView.3725;; xampp-win32-1.6.5-installer(2).exe\data207;F:\My Downloads\DOWNLOADS\Installation Proggies\Utility Programs\xampp-win32-1.6.5-installer(2).exe;Program.PrcView.3725;; xampp-win32-1.6.5-installer(2).exe;F:\My Downloads\DOWNLOADS\Installation Proggies\Utility Programs;Archive contains infected objects;Moved.; keygen1.exe;F:\My Downloads\DOWNLOADS\Installation Proggies\Games\ElfBowlingInsult\Reflexive Arcade Games Universal Keygen;Trojan.DownLoad.25562;Deleted.; 1Click DVD Copy 5.0.2.1 Patch.exe;F:\My Downloads\DOWNLOADS\Installation Proggies\Audio-Video\1Click DVD Copy 5.0.2.1;Tool.ASEye.2;; I hope this is all you needed. :)

03-19-2009, 09:31 PM	#23 (permalink)
Billy O'Neal Analyst, Security Team Join Date: Aug 2008 Location: Northfield, Ohio, United States Posts: 1,690 OS: XPSP3, Vista Ultimate SP1, Ubuntu Server	Re: Problems with first steps Still getting spoolsv errors? Billy3 __________________ If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....

03-19-2009, 10:43 PM	#24 (permalink)
Vesh Wolf Registered User Join Date: Mar 2009 Posts: 20 OS: XP	Re: Problems with first steps Unfortunately yes. It occurs 3 times during startup; that's the only time though and now my PowerArchiver program isn't working. I did a clean uninstall and reinstall and it won't come up. It shows up in the task manager under services that's it's running but it never comes up when i click open

03-21-2009, 05:50 AM	#25 (permalink)
Billy O'Neal Analyst, Security Team Join Date: Aug 2008 Location: Northfield, Ohio, United States Posts: 1,690 OS: XPSP3, Vista Ultimate SP1, Ubuntu Server	Re: Problems with first steps What scan program is running in the background here -> http://www.techsupportforum.com/2028632-post19.html ? Billy3 __________________ If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....

03-21-2009, 08:14 PM	#26 (permalink)
Vesh Wolf Registered User Join Date: Mar 2009 Posts: 20 OS: XP	Re: Problems with first steps It's a rootkiller program called Partizan always runs at the very start of my pc booting up; however I have deleted that program since the screencap was taken and I have rebooted twice and so far (eyes, fingers and toes crossed here) I have not encountered the spoolsv error messages but am still unable to access my Powerarchiver program.

03-22-2009, 07:24 PM	#28 (permalink)
Vesh Wolf Registered User Join Date: Mar 2009 Posts: 20 OS: XP	Re: Problems with first steps I double-click on the powerarchiver program and wait, and wait, and wait..lol it never comes up, but as I stated earlier, the program shows up in the task manager it's memory useage.

03-23-2009, 07:23 AM	#30 (permalink)
Vesh Wolf Registered User Join Date: Mar 2009 Posts: 20 OS: XP	Re: Problems with first steps When I click on a zip file, I get the same thing, shows up in task manager, but file never opens up. I am using PowerArchiver 2009

03-23-2009, 02:15 PM	#31 (permalink)
Billy O'Neal Analyst, Security Team Join Date: Aug 2008 Location: Northfield, Ohio, United States Posts: 1,690 OS: XPSP3, Vista Ultimate SP1, Ubuntu Server	Re: Problems with first steps Please try downloading the 2010 version from here and see if that helps-> http://dl.powerarchiver.com/2010/powarc1150b1.exe Billy3 __________________ If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....

03-24-2009, 10:41 PM	#32 (permalink)
Vesh Wolf Registered User Join Date: Mar 2009 Posts: 20 OS: XP	Re: Problems with first steps I have the newest version, and I also have paid for it. I am not sure why, but it still will not let me open the program, nor will it open a file by double clicking on it.

03-25-2009, 07:01 PM	#33 (permalink)
Billy O'Neal Analyst, Security Team Join Date: Aug 2008 Location: Northfield, Ohio, United States Posts: 1,690 OS: XPSP3, Vista Ultimate SP1, Ubuntu Server	Re: Problems with first steps Alright... please download a brand new copy of ComboFix and try that once more please. __________________ If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....

03-31-2009, 01:30 PM	#34 (permalink)
Billy O'Neal Analyst, Security Team Join Date: Aug 2008 Location: Northfield, Ohio, United States Posts: 1,690 OS: XPSP3, Vista Ultimate SP1, Ubuntu Server	Re: Problems with first steps Hello, Vesh Wolf Are you still here? Billy3 __________________ If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....

03-31-2009, 11:56 PM	#35 (permalink)
Vesh Wolf Registered User Join Date: Mar 2009 Posts: 20 OS: XP	Re: Problems with first steps Sorry for the delay, real life situation. Ok, I downloaded the Powerarchiver2010, did the same thing. so did a complete uninstall of the 2010 and re-installed the 2009 version and still the same thing; shows up in the taskmanager as running under processes, yet never comes up. i double click on the program itself nothing; I double click on a zippef folder; once again nothing. any ideas?

04-01-2009, 08:43 PM	#36 (permalink)
Billy O'Neal Analyst, Security Team Join Date: Aug 2008 Location: Northfield, Ohio, United States Posts: 1,690 OS: XPSP3, Vista Ultimate SP1, Ubuntu Server	Re: Problems with first steps Hello, Vesh Wolf Alright.. either I missed something or there's something hiding -- or -- this isn't a malware issue. I want to get a set of new logs to check once more as the other ones are out of date by now. We need to create an OTListIt2 Report Please download OTListIt2 from one of the following mirrors: This is THE Mirror Save it to your desktop. Double click on the icon on your desktop. Click the "Scan All Users" checkbox. Push the button. Two reports will open, copy and paste them in a reply here: OTListIt.txt <-- Will be opened Extra.txt <-- Will be minimized We need to scan for Rootkits with GMER Please download GMER from one of the following mirrors: This is the Primary mirror This is a Secondary mirror This is a Secondary mirror Close any and all open programs, as this process may crash your computer. Unzip the downloaded file to your desktop. Double click on your desktop. Allow the gmer.sys driver to load if asked. You may see this window. If you do, click No. Click on and wait for the scan to finish. If you see a rootkit warning window, click OK. Push and save the logfile to your desktop. Copy and Paste the contents of that file in your next post. In your next reply, please include the following: OTListIt.txt Extra.txt GMER's Log Billy3 __________________ If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....

04-04-2009, 12:19 AM	#37 (permalink)
Vesh Wolf Registered User Join Date: Mar 2009 Posts: 20 OS: XP	Re: Problems with first steps Just as an update... I've attempted to run the GMER several times, and it's always interrupted by one crash or another which disables Me from saving. I'm attempting to run it in safe mode, although I'm not sure that will actually help or not. Also, I never got an extras report to open with the OTListit. As soon as I get the GMER scan finished, I'll post what I do have.

04-04-2009, 03:53 PM	#38 (permalink)
Billy O'Neal Analyst, Security Team Join Date: Aug 2008 Location: Northfield, Ohio, United States Posts: 1,690 OS: XPSP3, Vista Ultimate SP1, Ubuntu Server	Re: Problems with first steps Hello, Vesh Wolf Please try running RootRepeal instead of GMER :) We Need to check for Rootkits with RootRepeal Download RootRepeal from the following location and save it to your desktop: RootRepeal Extract RootRepeal.exe from the zip archive. Open on your desktop. Click the tab. Click the button. Check all six boxes: Push Ok Check the box for your main system drive (Usually C:), and press Ok. Allow RootRepeal to run a scan of your system. This may take some time. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please. In your next reply, please include the following: RootRepeal Log Billy3 __________________ If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....