
Error message: Generic Host for Win32 pops up randomly

This is a discussion on Error message: Generic Host for Win32 pops up randomly within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 12-30-2012, 05:50 PM   #1
Registered Member
 
Join Date: Dec 2012
Posts: 13
OS: xp home sp3



Hello,

This is my first post on this forum. I am working on my cousin's computer, which had several problems:

1.) She filled her hard drive nearly full (less than a gig of free space).
2.) The computer had many viruses and malware.

I have moved data and documents onto newly installed drive to free up primary drive for repair.

XP Home still would not function properly after running Malwarebytes and Spybot Search and Destroy 1.6.2; both applications were fully updated (immunizations applied).

Computer was not responding and many errors were present.

I then performed a "repair" installation of XP home to establish functionality

I am now getting an error message about the generic host process for Win32 services. I welcome some help to remedy it and to see whether this message means malware is still present or is a Windows error.

I also suspect there are some networking issues; I had much trouble establishing connectivity through a newly installed copy of IE 8.

I welcome your thoughts
Old 01-03-2013, 05:30 AM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

We want all our members to perform the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post/attach the logs in your next reply.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 01-03-2013, 12:48 PM   #3
Registered Member
 
Join Date: Dec 2012
Posts: 13
OS: xp home sp3



Hi Chemist,

Thank you for replying to my post and for attempting to help with this situation.

I have done the steps you outlined and am now providing the logs you requested.

1.) I need to note some other issues since my post. There have been "freezes" that seemed video related (lines like a failed video card), then a freeze of the computer.
2.) I could not boot this morning: fan activity after the power button, but no POST messages, nor did the monitor show any activity whatsoever. To remedy it I cleared the CMOS, and it booted OK.

Here are the logs:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.10.2
Run by Debbie at 10:02:34 on 2013-01-03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1557 [GMT -8:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: AutorunsDisabled - <orphaned>
BHO: {0347C33E-8762-4905-BF09-768834316C61} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Gamma Loader.exe.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\HP Digital Imaging Monitor.lnk.disabled
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} -
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Bejeweled%203/Images/stg_drm.ocx
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1356881614388
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Bejeweled%203/Images/armhelper.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1 75.75.75.75
TCP: Interfaces\{84F55C19-E82A-4183-9034-E2967C87D2C5} : DHCPNameServer = 192.168.1.1 75.75.75.75
TCP: Interfaces\{E13C97EC-7BB2-439E-AB66-76F3C42763FE} : DHCPNameServer = 192.168.0.1
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 Spyware Info | Spyware Info | spyware software | spyware program | protection spyware
.
============= SERVICES / DRIVERS ===============
.
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2012-12-27 599936]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2003-7-24 17149]
S3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2008-10-1 57440]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2009-7-21 194304]
S4 cpuz132;cpuz132;\??\c:\docume~1\debbie\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\debbie\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
.
=============== File Associations ===============
.
FileExt: .ini: inifile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2013-01-03 01:45:10 159744 ----a-r- c:\windows\system32\igfxres.dll
2013-01-03 01:43:34 61440 ----a-r- c:\windows\system32\iAlmCoIn_v3889.dll
2013-01-03 01:43:29 114688 ----a-r- c:\windows\system32\igfxzoom.exe
2013-01-02 23:28:36 -------- d-----w- c:\program files\Microsoft Bootvis
2013-01-02 21:17:47 -------- d-----w- c:\documents and settings\debbie\application data\Product_RM
2013-01-02 21:01:57 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2013-01-02 21:00:02 -------- d-----w- c:\windows\Logs
2013-01-02 20:49:44 -------- d-----w- c:\windows\system32\wbem\repository\FS
2013-01-02 20:49:44 -------- d-----w- c:\windows\system32\wbem\Repository
2013-01-02 20:45:58 -------- d-----w- C:\KPCMS
2013-01-02 20:44:03 -------- d-sh--w- C:\$RECYCLE.BIN
2013-01-02 20:44:01 -------- d-----w- c:\documents and settings\all users\application data\WeCareReminder
2013-01-02 20:43:57 -------- d-----w- c:\documents and settings\all users\application data\PopCap Games
2013-01-02 20:43:57 -------- d-----w- c:\documents and settings\all users\application data\Alwil Software
2013-01-02 20:43:51 -------- d-----w- c:\documents and settings\all users\application data\LGMOBILEAX
2013-01-02 20:43:50 -------- d-----w- c:\documents and settings\all users\application data\AVG10
2013-01-02 20:43:48 -------- d-----w- c:\documents and settings\all users\application data\avg9
2013-01-02 20:43:42 -------- d-----w- c:\windows\system32\URTTemp
2013-01-02 20:43:42 -------- d-----w- c:\documents and settings\debbie\WINDOWS
2013-01-02 20:42:30 -------- d-----w- c:\program files\Passware
2012-12-31 01:55:39 -------- d-----w- C:\RECYCLER(2)
2012-12-30 21:14:07 -------- d-----w- c:\documents and settings\debbie\local settings\application data\Sun
2012-12-30 21:01:52 859072 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-12-30 21:01:52 779704 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-30 21:01:52 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-12-30 21:01:38 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-12-30 19:55:03 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-30 19:55:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-30 19:31:28 -------- d-----w- c:\documents and settings\debbie\application data\ElevatedDiagnostics
2012-12-30 19:21:53 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-30 19:21:53 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-30 18:10:09 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-12-30 18:09:59 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2012-12-30 18:09:59 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-12-30 18:09:11 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-12-30 18:08:37 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-12-30 18:07:09 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-12-30 1834 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-12-30 18:05:29 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-12-30 18:05:29 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-12-30 18:02:47 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-12-30 18:02:09 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2012-12-30 17:59:07 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2012-12-30 17:59:03 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-12-30 17:58:14 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-12-30 17:56:48 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-12-30 17:52:12 290560 -c----w- c:\windows\system32\dllcache\atmfd.dll
2012-12-30 17:50:36 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-12-30 17:50:34 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2012-12-30 17:50:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-12-30 17:50:20 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-12-30 17:50:19 630272 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-12-30 17:50:19 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-12-30 17:50:18 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-12-30 17:50:18 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-12-30 17:50:17 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-12-30 17:50:17 11111424 -c----w- c:\windows\system32\dllcache\ieframe.dll
2012-12-30 17:31:40 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2012-12-30 17:31:40 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2012-12-30 17:31:21 81920 ------w- c:\windows\system32\ieencode.dll
2012-12-30 17:31:13 884712 ------w- c:\program files\msn\msncorefiles\install\msn9components\digcore.exe
2012-12-30 17:31:13 1327320 ------w- c:\program files\msn\msncorefiles\install\msnsusii.exe
2012-12-30 17:31:12 11053008 ------w- c:\program files\msn\msncorefiles\install\msn9components\msncli.exe
2012-12-30 17:31:11 966656 ------w- c:\program files\msn\msncorefiles\oobe\obemetal.dll
2012-12-30 17:31:11 86016 ------w- c:\program files\msn\msncorefiles\oobe\obepopc.dll
2012-12-30 17:31:11 77824 ------w- c:\program files\msn\msncorefiles\oobe\obemtllc.dll
2012-12-30 17:31:11 229376 ------w- c:\program files\msn\msncorefiles\oobe\obelog.dll
2012-12-30 17:29:15 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2012-12-30 17:25:04 19569 ----a-w- c:\windows\003130_.tmp
2012-12-30 08:19:43 -------- d-----w- c:\windows\{26F3D17D-4FF9-46D5-9255-A1F9FF6BD7E4}
2012-12-30 06:56:19 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2012-12-30 06:56:19 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2012-12-30 06:56:15 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2012-12-30 06:56:14 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
2012-12-30 06:56:14 426041 -c--a-w- c:\windows\system32\dllcache\voicepad.dll
2012-12-30 06:56:03 76288 -c--a-w- c:\windows\system32\dllcache\uniime.dll
2012-12-30 06:56:00 14336 -c--a-w- c:\windows\system32\dllcache\tsprof.exe
2012-12-30 06:54:59 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2012-12-30 06:53:59 106496 -c--a-w- c:\windows\system32\dllcache\imekrcic.dll
2012-12-30 06:52:58 6656 -c--a-w- c:\windows\system32\dllcache\c_is2022.dll
2012-12-30 06:52:58 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys
2012-12-30 06:52:58 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll
2012-12-30 06:52:29 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2012-12-30 06:52:18 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2012-12-30 06:49:04 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2012-12-30 06:49:04 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe
2012-12-30 06:46:24 83968 ----a-w- c:\program files\messenger\msgsc.dll
2012-12-30 06:46:24 180224 ----a-w- c:\program files\messenger\msgslang.dll
2012-12-30 06:46:24 1695232 ------w- c:\program files\messenger\msmsgs.exe
2012-12-30 06:46:23 33792 ----a-w- c:\program files\messenger\custsat.dll
2012-12-30 06:46:22 -------- d-----w- c:\program files\Messenger
2012-12-30 06:32:10 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2012-12-30 06:32:10 24661 ----a-w- c:\windows\system32\spxcoins.dll
2012-12-30 06:32:10 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2012-12-30 06:32:10 13312 ----a-w- c:\windows\system32\irclass.dll
2012-12-30 06:31:52 14573 ----a-r- c:\windows\SET1AD.tmp
2012-12-30 06:31:39 13753 ----a-r- c:\windows\SET17A.tmp
2012-12-30 06:31:35 1086058 ----a-r- c:\windows\SET16E.tmp
2012-12-30 06:31:32 1042903 ----a-r- c:\windows\SET16B.tmp
2012-12-28 14:13:24 -------- d-----w- c:\windows\system32\NtmsData
2012-12-28 11:28:34 -------- d-----w- c:\documents and settings\debbie\application data\Registry Mechanic
2012-12-28 07:47:23 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-12-28 04:01:13 -------- d-sh--w- C:\found.000
2012-12-28 03:05:47 599936 ----a-w- c:\windows\system32\drivers\RTL8192su.sys
2012-12-27 19:25:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
.
==================== Find3M ====================
.
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35:34 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 10:04:05.64 ===============
Attached Files
File Type: zip dds.zip (4.5 KB, 32 views)
File Type: zip GMER rootkit results.zip (652 Bytes, 32 views)
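"Generic Host Process for Win32 Services", the name in the poster's error message, is the display name Windows XP gives svchost.exe, so the error reports a crash in one of the svchost instances listed under Running Processes in the DDS log above. A standard triage check on such a log is whether every svchost.exe runs from %SystemRoot%\system32 and was started with a -k service group, because a copy anywhere else is a common masquerade (in the log above every svchost entry does sit in system32, so this check comes back clean for this machine). The Python script below is an added example for readers of this thread; it is not part of the thread, of DDS, or of the poster's logs. It parses a constructed Running Processes section laid out like the one above, reports the entries that fail the two checks, and counts instances per service group so an unfamiliar group name stands out. The sample paths, the user name, and the assumption that the system root is C:\WINDOWS are all constructed for the example.

```python
"""Triage the 'Running Processes' section of a DDS log for svchost.exe oddities.

Added example; not part of DDS or of any log posted in the thread.
"""
import re
import sys
from collections import Counter

# A DDS section banner looks like "============== Running Processes ================".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# A process line is a path ending in .exe, optionally followed by arguments.
# Paths may contain spaces, so match up to the first ".exe" instead of splitting.
PROC_RE = re.compile(r"^(?P<path>.+?\.exe)(?:\s+(?P<args>.*))?$", re.IGNORECASE)

# Constructed sample modeled on the DDS layout (not the thread's log verbatim).
# Two svchost entries are deliberately suspicious: one in a Temp folder and one
# started without a -k group.
SAMPLE_DDS = r"""
DDS (Ver_2012-11-20.01) - NTFS_x86
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.example.invalid/
"""


def parse_running_processes(dds_text):
    """Return [(path, args), ...] for the lines in the Running Processes section."""
    entries = []
    in_section = False
    for raw in dds_text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            in_section = banner.group(1).lower() == "running processes"
            continue
        if not in_section or line in ("", "."):   # DDS pads sections with lone dots
            continue
        m = PROC_RE.match(line)
        if m:
            entries.append((m.group("path"), m.group("args") or ""))
    return entries


def svchost_group(args):
    """Return the -k service group name from an svchost command line, or None."""
    m = re.search(r"(?:^|\s)-k\s+(\S+)", args, re.IGNORECASE)
    return m.group(1) if m else None


def is_svchost(path):
    return path.rpartition("\\")[2].lower() == "svchost.exe"


def find_svchost_anomalies(entries, system_root=r"C:\WINDOWS"):
    """Flag svchost.exe entries outside the system32 directory or started without -k.

    The directory comparison is case-insensitive because DDS prints the case as
    found on disk (the thread's log mixes 'system32' and 'System32').
    The system_root default is an assumption made for this example.
    """
    expected_dir = (system_root + r"\system32").lower()
    findings = []
    for path, args in entries:
        if not is_svchost(path):
            continue
        directory = path.rpartition("\\")[0].lower()
        if directory != expected_dir:
            findings.append((path, "svchost.exe outside %SystemRoot%\\system32"))
        elif svchost_group(args) is None:
            findings.append((path, "svchost.exe started without a -k service group"))
    return findings


def svchost_groups(entries):
    """Count svchost instances per -k group (flagged entries included).

    This is for eyeballing, not an allowlist: OEM groups such as HP's HPZ12 are
    legitimate, but a group name you cannot account for deserves a look.
    """
    counts = Counter()
    for path, args in entries:
        if is_svchost(path):
            group = svchost_group(args)
            if group:
                counts[group] += 1
    return dict(counts)


if __name__ == "__main__":
    # Pass a saved dds.txt as the first argument; otherwise the constructed sample runs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DDS
    procs = parse_running_processes(text)
    print(f"{len(procs)} processes parsed; svchost groups: {svchost_groups(procs)}")
    for path, reason in find_svchost_anomalies(procs):
        print(f"FLAG: {path}  ({reason})")
```

Run against the sample it flags the Temp copy and the group-less instance and leaves the five system32 entries alone; pointed at a real dds.txt it applies the same two checks to whatever the log lists.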
Old 01-03-2013, 02:21 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello Staywithit. You're welcome.

It appears you didn't attach the second dds log, Attach.txt, to your last post.

It should be on your desktop. Please attach the log to your next reply. Alternately...

Press the Windows "logo" key and "R" key then copy/paste the following into the Run box and click OK:

%temp%\attach.txt

A text file should open. Save it to your desktop then attach that file to your next reply.

------------------------------------------------------
Old 01-05-2013, 11:50 AM   #5
Registered Member
 
Join Date: Dec 2012
Posts: 13
OS: xp home sp3



Chemist,

This should be the file. Sorry for the delay in that.
This morning I had a BSOD after a boot due to what seemed to be an onboard graphics issue (the screen was scrolling patterns of colored lines).

I put in an FX 5200 video card that was lying around and got a successful enough boot to post this message.

Thanks for your help.
Attached Files
File Type: zip attach.zip (3.6 KB, 30 views)
Old 01-05-2013, 11:52 AM   #6
Registered Member
 
Join Date: Dec 2012
Posts: 13
OS: xp home sp3



FYI,

The BSOD this morning was:

stop: 0x0000007f (0x0000008, 0x80042000, 0x00000000, 0x00000000)
Old 01-05-2013, 12:34 PM   #7
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, Staywithit.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Disable all antivirus and antispyware programs. Get help here

Double-click ComboFix.exe and follow the prompts to run it.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  • With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:


  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done.
  • ComboFix may reboot your machine. This is normal.
  • When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
Old 01-07-2013, 11:33 AM   #8
Registered Member
 
Join Date: Dec 2012
Posts: 13
OS: xp home sp3



Chemist,

The computer is increasingly failing to boot successfully. I have done a few CMOS resets and changed the RAM to get functionality.
Also, when I began to run ComboFix it found that AVG Internet Security was running. I uninstalled it when I first got the computer, but there must be some remnant.

Here is combofix log:

ComboFix 13-01-06.01 - Debbie 01/07/2013 10:55:36.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.703 [GMT -8:00]
Running from: e:\downloads\ComboFix.exe
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Debbie\WINDOWS
C:\RECYCLER(2)
c:\recycler(2)\S-1-5-21-1004336348-117609710-839522115-1004(2)\INFO2
c:\windows\system32\RtlGina2.dll
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-12-07 to 2013-01-07 )))))))))))))))))))))))))))))))
.
.
2013-01-05 23:22 . 2013-01-05 23:22 -------- d-----w- c:\windows\nview
2013-01-05 23:22 . 2008-05-16 22:01 446464 ----a-w- c:\windows\system32\nvudisp.exe
2013-01-05 23:20 . 2008-05-16 19:48 446464 ----a-w- c:\windows\system32\NVUNINST.EXE
2013-01-05 23:20 . 2013-01-05 23:20 188548 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll
2013-01-05 23:20 . 2003-11-11 02:14 729088 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
2013-01-05 23:20 . 2003-11-11 02:13 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll
2013-01-05 23:20 . 2003-11-11 02:12 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll
2013-01-05 23:20 . 2003-11-11 02:12 192512 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll
2013-01-05 23:20 . 2003-11-11 02:11 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe
2013-01-05 23:20 . 2003-11-11 02:10 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2013-01-05 23:20 . 2013-01-05 23:20 311428 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
2013-01-05 23:20 . 2013-01-05 23:20 -------- d-----w- C:\NVIDIA
2013-01-04 18:30 . 2003-11-18 08:09 155648 ----a-w- c:\windows\system32\igfxres.dll
2013-01-03 01:43 . 2004-08-20 23:11 61440 ----a-r- c:\windows\system32\iAlmCoIn_v3889.dll
2013-01-03 01:43 . 2004-08-20 22:56 114688 ----a-r- c:\windows\system32\igfxzoom.exe
2013-01-03 00:59 . 2013-01-03 00:59 -------- d-----w- c:\program files\Intel
2013-01-03 00:55 . 2013-01-03 00:55 -------- d-----w- c:\documents and settings\Debbie\Application Data\SystemRequirementsLab
2013-01-02 23:28 . 2013-01-02 23:57 -------- d-----w- c:\program files\Microsoft Bootvis
2013-01-02 21:17 . 2013-01-02 21:17 -------- d-----w- c:\documents and settings\Debbie\Application Data\Product_RM
2013-01-02 21:01 . 2005-05-26 23:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2013-01-02 21:00 . 2013-01-02 21:00 -------- d-----w- c:\windows\Logs
2013-01-02 20:49 . 2013-01-02 20:49 -------- d-----w- c:\windows\system32\wbem\Repository
2013-01-02 20:45 . 2013-01-02 20:45 -------- d-----w- C:\KPCMS
2013-01-02 20:44 . 2013-01-02 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\WeCareReminder
2013-01-02 20:44 . 2013-01-02 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2013-01-02 20:43 . 2013-01-02 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2013-01-02 20:43 . 2013-01-02 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2013-01-02 20:43 . 2013-01-02 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2013-01-02 20:43 . 2013-01-02 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\LGMOBILEAX
2013-01-02 20:43 . 2013-01-02 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2013-01-02 20:43 . 2013-01-02 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2013-01-02 20:42 . 2013-01-02 20:42 -------- d-----w- c:\program files\Passware
2012-12-30 21:14 . 2012-12-30 21:14 -------- d-----w- c:\documents and settings\Debbie\Local Settings\Application Data\Sun
2012-12-30 21:02 . 2012-12-30 21:02 -------- d-----w- c:\program files\Common Files\Java
2012-12-30 21:01 . 2012-12-30 21:01 859072 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-12-30 21:01 . 2012-12-30 21:01 779704 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-30 21:01 . 2012-12-30 21:01 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-12-30 21:01 . 2012-12-30 21:01 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-12-30 19:55 . 2012-12-30 19:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-30 19:55 . 2012-12-15 00:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-30 19:31 . 2012-12-30 19:31 -------- d-----w- c:\documents and settings\Debbie\Application Data\ElevatedDiagnostics
2012-12-30 19:21 . 2013-01-02 21:13 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-30 19:21 . 2013-01-02 21:13 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-30 18:10 . 2012-07-04 14:05 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-12-30 18:09 . 2011-02-08 13:33 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2012-12-30 18:09 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-12-30 18:09 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-12-30 18:08 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-12-30 18:07 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-12-30 18:06 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-12-30 18:05 . 2010-08-27 08:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-12-30 18:05 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-12-30 18:02 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-12-30 18:02 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2012-12-30 17:59 . 2010-06-18 13:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2012-12-30 17:59 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-12-30 17:58 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-12-30 17:56 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-12-30 17:52 . 2012-12-16 12:23 290560 -c----w- c:\windows\system32\dllcache\atmfd.dll
2012-12-30 17:50 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-12-30 17:50 . 2010-08-16 08:45 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2012-12-30 17:50 . 2012-11-01 12:17 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-12-30 17:50 . 2012-11-01 12:17 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-12-30 17:50 . 2012-11-01 12:17 630272 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-12-30 17:50 . 2012-11-01 12:17 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-12-30 17:50 . 2012-11-01 12:17 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-12-30 17:50 . 2012-11-01 12:17 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-12-30 17:50 . 2012-11-01 12:17 11111424 -c----w- c:\windows\system32\dllcache\ieframe.dll
2012-12-30 17:50 . 2012-11-01 12:17 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-12-30 17:43 . 2012-12-30 17:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-12-30 17:31 . 2012-06-05 15:50 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2012-12-30 17:31 . 2008-04-14 06:57 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2012-12-30 17:31 . 2008-04-14 13:41 81920 ------w- c:\windows\system32\ieencode.dll
2012-12-30 17:31 . 2007-04-03 08:12 1327320 ------w- c:\program files\MSN\MSNCoreFiles\Install\msnsusii.exe
2012-12-30 17:31 . 2007-04-03 08:04 884712 ------w- c:\program files\MSN\MSNCoreFiles\Install\MSN9Components\digcore.exe
2012-12-30 17:31 . 2007-04-03 08:09 11053008 ------w- c:\program files\MSN\MSNCoreFiles\Install\MSN9Components\msncli.exe
2012-12-30 17:31 . 2008-04-14 13:40 966656 ------w- c:\program files\MSN\MSNCoreFiles\OOBE\obemetal.dll
2012-12-30 17:31 . 2008-04-14 13:40 86016 ------w- c:\program files\MSN\MSNCoreFiles\OOBE\obepopc.dll
2012-12-30 17:31 . 2008-04-14 13:40 229376 ------w- c:\program files\MSN\MSNCoreFiles\OOBE\obelog.dll
2012-12-30 17:31 . 2007-04-03 08:14 77824 ------w- c:\program files\MSN\MSNCoreFiles\OOBE\obemtllc.dll
2012-12-30 17:29 . 2008-04-14 13:42 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2012-12-30 17:25 . 2006-12-29 08:31 19569 ----a-w- c:\windows\003130_.tmp
2012-12-30 08:19 . 2012-12-30 08:19 -------- d-----w- c:\windows\{26F3D17D-4FF9-46D5-9255-A1F9FF6BD7E4}
2012-12-30 06:56 . 2006-02-28 12:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2012-12-30 06:56 . 2006-02-28 12:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2012-12-30 06:56 . 2006-02-28 12:00 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2012-12-30 06:56 . 2008-04-14 13:41 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
2012-12-30 06:56 . 2008-04-14 13:41 426041 -c--a-w- c:\windows\system32\dllcache\voicepad.dll
2012-12-30 06:56 . 2008-04-14 13:41 76288 -c--a-w- c:\windows\system32\dllcache\uniime.dll
2012-12-30 06:56 . 2006-02-28 12:00 14336 -c--a-w- c:\windows\system32\dllcache\tsprof.exe
2012-12-30 06:54 . 2001-08-18 06:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2012-12-30 06:53 . 2008-04-14 13:39 106496 -c--a-w- c:\windows\system32\dllcache\imekrcic.dll
2012-12-30 06:52 . 2006-02-28 12:00 6656 -c--a-w- c:\windows\system32\dllcache\c_is2022.dll
2012-12-30 06:52 . 2006-02-28 12:00 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys
2012-12-30 06:52 . 2006-02-28 12:00 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll
2012-12-30 06:52 . 2001-08-18 06:36 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2012-12-30 06:52 . 2001-08-18 06:36 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2012-12-30 06:49 . 2006-02-28 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2012-12-30 06:49 . 2006-02-28 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2012-12-30 06:32 . 2006-02-28 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2012-12-30 06:32 . 2006-02-28 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2012-12-30 06:32 . 2006-02-28 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2012-12-30 06:32 . 2006-02-28 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2012-12-30 06:31 . 2006-02-28 12:00 14573 ----a-r- c:\windows\SET1AD.tmp
2012-12-30 06:31 . 2006-02-28 12:00 13753 ----a-r- c:\windows\SET17A.tmp
2012-12-30 06:31 . 2006-02-28 12:00 1086058 ----a-r- c:\windows\SET16E.tmp
2012-12-30 06:31 . 2006-02-28 12:00 1042903 ----a-r- c:\windows\SET16B.tmp
2012-12-29 10:20 . 2012-12-29 10:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2012-12-28 14:13 . 2012-12-28 14:13 -------- d-----w- c:\windows\system32\NtmsData
2012-12-28 11:28 . 2012-12-28 11:28 -------- d-----w- c:\documents and settings\Debbie\Application Data\Registry Mechanic
2012-12-28 07:47 . 2012-12-28 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-12-28 04:01 . 2012-12-28 04:01 -------- d-----w- C:\found.000
2012-12-28 03:05 . 2010-09-17 13:00 599936 ----a-w- c:\windows\system32\drivers\RTL8192su.sys
2012-12-27 19:25 . 2012-12-30 20:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 12:23 . 2006-02-28 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2006-02-28 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02 . 2006-02-28 12:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-06-14 22:20 . 2011-10-04 19:05 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-11-18 155648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-11-18 118784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk.disabled [2012-12-30 986]
HP Digital Imaging Monitor.lnk.disabled [2012-6-27 1808]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SeaPort"=2 (0x2)
"McComponentHostService"=3 (0x3)
"BBSvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"GWMDMMSG"=GWMDMMSG.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [12/27/2012 7:05 PM 599936]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 11:08 AM 11336]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [7/24/2003 11:10 AM 17149]
S3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [10/1/2008 3:45 PM 57440]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [7/21/2009 12:24 PM 194304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-30 21:13]
.
2012-12-31 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2012-12-30 23:31]
.
2012-12-31 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2012-12-30 23:31]
.
2012-12-30 c:\windows\Tasks\User_Feed_Synchronization-{7E51B3F1-2347-4FD0-88BF-C29F354BFF53}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1 75.75.75.75
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2013-01-07 11:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1116)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2013-01-07 11:13:49 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-07 19:13
.
Pre-Run: 21,183,897,600 bytes free
Post-Run: 21,166,252,032 bytes free
.
- - End Of File - - D9C134DE45BF53FC583906C46741B2A0
Attached Files
File Type: zip ComboFix.zip (5.2 KB, 32 views)
Staywithit is offline  
Old 01-07-2013, 11:44 AM   #9
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, Staywithit. It appears you have multiple problems beyond malware. You might be better served in one of our other forums. Let me know whether you would like to continue or seek help here:

Hardware Support Forum
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 01-07-2013, 12:20 PM   #10
Registered Member
 
Join Date: Dec 2012
Posts: 13
OS: xp home sp3



Chemist,

I would be happy to continue here..however...if you feel that I should go to Hardware support...I will.

Let me know your thoughts.
Staywithit is offline  
Old 01-07-2013, 12:51 PM   #11
Hello again, Staywithit. If you want, we will continue. I don't think I'm going to solve your problems though.

No need to attach logs going forward. Just copy/paste them directly into the Reply to Thread window. Thanks.

------------------------------------------------------

Do a search for AVG folders and delete any you find.

Please follow these instructions for de-registering AVG products:

**Note: Make sure you only delete AVG products.
  • Go Start > Run and copy/paste wbemtest into the Run box and click 'OK'.
  • Click 'Connect'.
  • Copy/paste root\securitycenter into the box and click 'Connect'.
  • Click 'Query'.
  • Copy/paste SELECT * FROM AntiVirusProduct under 'Enter Query' and click 'Apply'.
  • If there is more than one result, it means there is more than one Antivirus program registered.
  • Double-click on each result to view the properties for that Antivirus product.
  • Identify the product(s) registered by scrolling down to 'companyName' then click 'Close'.
  • In the 'Query Result' window, click 'Delete' for any Antivirus software that is no longer installed.
  • Click 'Query'.
  • Copy/paste SELECT * FROM FirewallProduct under 'Enter Query' and click 'Apply'.
  • If there is more than one result, it means there is more than one Firewall program registered.
  • Double-click on each result to view the properties for that Firewall product.
  • Identify the product(s) registered by scrolling down to 'companyName' then click 'Close'.
  • In the 'Query Result' window, click 'Delete' for any Firewall software that is no longer installed.
  • Click 'Close', then 'Exit'.
------------------------------------------------------
  • Launch Malwarebytes' Anti-Malware
  • Under the Update tab, click Check for Updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish, then click 'Finish'.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Copy/paste that log as a reply to this topic.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
chemist is offline  
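The wbemtest steps above, done from PowerShell as an added example (this is not chemist's procedure or a TSF tool): it lists every AntiVirusProduct and FirewallProduct registered in root\SecurityCenter (XP, the namespace the steps query) or root\SecurityCenter2 (Vista and later), and marks an entry stale when its signed product EXE is no longer on disk. XP's classes carry no EXE path, only companyName, so there the script reports and leaves the decision to you. The -Remove switch and the Get-SecurityCenterProducts name are mine; deletion happens only with -Remove and only for entries marked stale.

```powershell
# Added example (not part of the thread): enumerate Security Center
# antivirus/firewall registrations and flag the ones that look stale.
# Run in an elevated PowerShell window. Without -Remove it only reports.
param(
    [switch]$Remove   # assumed switch name; deletes only entries with Stale = True
)

# XP registers products under root\SecurityCenter (what the wbemtest steps use);
# Vista and later use root\SecurityCenter2. Query both, skip whichever is missing.
$namespaces = @('root\SecurityCenter', 'root\SecurityCenter2')
$classes    = @('AntiVirusProduct', 'FirewallProduct')

function Get-SecurityCenterProducts {
    foreach ($ns in $namespaces) {
        foreach ($class in $classes) {
            $items = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
            if (-not $items) { continue }   # namespace or class absent on this OS
            foreach ($item in @($items)) {
                # SecurityCenter2 records the signed product EXE; XP's class does not,
                # so on XP the only clue is companyName and Stale stays 'unknown'.
                $exe = $null
                if ($item.PSObject.Properties.Match('pathToSignedProductExe').Count -gt 0) {
                    $exe = [Environment]::ExpandEnvironmentVariables($item.pathToSignedProductExe)
                }
                $company = $null
                if ($item.PSObject.Properties.Match('companyName').Count -gt 0) {
                    $company = $item.companyName
                }
                $stale = 'unknown'
                if ($exe) { $stale = -not (Test-Path -LiteralPath $exe) }

                New-Object PSObject -Property @{
                    Namespace   = $ns
                    Class       = $class
                    DisplayName = $item.displayName
                    Company     = $company
                    Exe         = $exe
                    Stale       = $stale
                    Raw         = $item   # kept so the entry can be deleted below
                }
            }
        }
    }
}

$products = @(Get-SecurityCenterProducts)
if ($products.Count -eq 0) {
    Write-Host 'No AntiVirusProduct or FirewallProduct registrations found.'
    return
}
# More than one AntiVirusProduct row here means more than one AV is registered,
# exactly what the wbemtest query result window shows.
$products | Format-Table Namespace, Class, DisplayName, Company, Stale -AutoSize

if ($Remove) {
    foreach ($p in ($products | Where-Object { $_.Stale -eq $true })) {
        Write-Host "Removing stale registration: $($p.Class) '$($p.DisplayName)'"
        $p.Raw.Delete()   # same effect as 'Delete' in wbemtest's Query Result window
    }
}
```

Run it once without -Remove, confirm the stale rows really are the uninstalled products (AVG in this thread), then run it again with -Remove.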
Old 01-07-2013, 01:33 PM   #12
Registered Member
 
Join Date: Dec 2012
Posts: 13
OS: xp home sp3



Chemist,

I deleted the file and folder references as you instructed for AVG.
I followed your instructions for deleting root references..thank you

I also updated MBAM and ran a quick check; it found nothing...
Here is log

Malwarebytes Anti-Malware 1.70.0.1100
Malwarebytes : Free anti-malware download

Database version: v2013.01.07.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Debbie :: JUNGLE [administrator]

1/7/2013 1:13:13 PM
mbam-log-2013-01-07 (13-13-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196235
Time elapsed: 9 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Staywithit is offline  
Old 01-07-2013, 01:50 PM   #13
You're welcome. Let me know when you're done with the ESET scan.
chemist is offline  
Old 01-07-2013, 04:22 PM   #14
Chemist,

Thanks for assisting through this..the ESET scan had some results (took about 2 hours).
This box is 2 GHz and the RAM currently installed is only 1 gig (it was slow).

Here are the results of the log.
Attached Files
File Type: txt log.txt (1.1 KB, 44 views)
Staywithit is offline  
Old 01-07-2013, 05:41 PM   #15
Hello again, Staywithit. System Volume Information is where Windows keeps old system restore points. Those will get deleted when we uninstall ComboFix.

You can manually delete this file:

E:\DATA - Old Computer\Program Files 2009-06-29 13;38;36\Common Files\miuk\miukd\vocabulary

------------------------------------------------------

Your logs appear clean.

I'm afraid you have problems beyond malware.

I suggest you seek expert advice in our Hardware Support Forum

Let them know you were here first and were cleared of malware.

I will keep this thread open until you finish in the other forum.

Once you are done fixing your other problems, you can come back here and I will give you some final instructions.

------------------------------------------------------
chemist is offline  
Old 01-10-2013, 04:03 PM   #16
Chemist,

Thanks for your help....I will return after clearing other hardware issues.

appreciate it
Staywithit is offline  
Old 01-10-2013, 05:41 PM   #17
You're welcome. Let me know.
chemist is offline  
Old 01-13-2013, 07:00 PM   #18
Chemist,

I did step one of the other troubleshooting. Not done yet...but she needs her computer back...You had said there are some steps for us to clear up?....can you send those instructions to me...
I wish we were done....but time ran out

thanks
Staywithit is offline  
Old 01-14-2013, 04:16 AM   #19
Hello again, Staywithit. You're welcome. If you uninstall ComboFix, you will lose all your system restore points. Just to let you know if that has any bearing on what you are doing in the other forum.

Your logs appear clean. You should be good to go.

As far as those infected objects listed in the ESET report, those are safely tucked away in ComboFix's quarantine folder or in old System Restore Points, which we will be taking care of now.

Please disable AVG before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Empty your Recycle Bin if it does not do so automatically.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Also, support is ending for some versions of Windows > Support is ending for Windows XP - Microsoft Windows Help

------------------------------------------------------

Make sure all your applications and browsers are up-to-date by visiting Secunia Online Software Inspector here:

Free Online Computer Scan - Online Software Inspector (OSI) - Secunia
  • Click 'Start Scanner'
  • Wait for Status/Currently Processing: at the lower left to say 'Java Applet loaded successfully. Press "Start" to begin.'
  • Click 'Start'.
  • The scan should take less than a minute or so.
  • When done, download and install all the recommended updates.
  • This will help ensure the malware writers cannot use exploits (bugs) in older versions of your applications to infect your computer in the future.
------------------------------------------------------

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well-written article: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for IE, Firefox, and Chrome.
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
    • Download Host.zip and Save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file; this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
chemist is offline  
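A quick check of the HOSTS file after mvps.bat has run, as an added example (not from the MVPS guide or this thread): a blocking HOSTS file should map every listed hostname to 127.0.0.1 or 0.0.0.0, so the script parses the installed file, counts the blocked names, reports any entry that points a name at some other address, and flags entries that claim update or antivirus vendor hosts, since redirecting those is how a hijacked HOSTS file usually shows up. It also confirms the HOSTS.MVP backup exists. The Test-HostsFile name and the $neverBlock list are my own constructions; the script only reads, never writes.

```powershell
# Added example (not from the MVPS guide): sanity-check the HOSTS file after
# mvps.bat has installed the blocking list. Read-only; it changes nothing.
$etc       = Join-Path $env:SystemRoot 'system32\drivers\etc'
$hostsPath = Join-Path $etc 'hosts'
$backup    = Join-Path $etc 'HOSTS.MVP'   # the name mvps.bat gives the old file

# Constructed list of update/vendor hosts a blocking file must never claim.
# Malware that wants to stop cleanup tools from updating redirects these.
$neverBlock = @('windowsupdate.com', 'update.microsoft.com', 'malwarebytes.org', 'eset.com')

function Test-HostsFile {
    param([string]$Path = $hostsPath)
    $loopback = @('127.0.0.1', '0.0.0.0', '::1')
    $blocked  = 0
    $problems = @()

    foreach ($line in @(Get-Content -LiteralPath $Path)) {
        $text = ($line -split '#', 2)[0].Trim()   # drop the comment, keep the entry
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { $problems += "malformed line: $line"; continue }
        $address = $fields[0]
        # 'localhost' lines are the file's own, not blocks
        $names = @($fields[1..($fields.Count - 1)] | Where-Object { $_ -ne 'localhost' })

        foreach ($name in $names) {
            if (-not $name) { continue }
            $protected = $neverBlock | Where-Object { $name -eq $_ -or $name.EndsWith(".$_") }
            if ($protected) {
                $problems += "hijack? '$name' is mapped to $address in HOSTS"
                continue
            }
            if ($loopback -contains $address) { $blocked++ }
            else { $problems += "'$name' points at $address instead of loopback" }
        }
    }

    New-Object PSObject -Property @{
        Path          = $Path
        BlockedNames  = $blocked
        Problems      = $problems
        BackupPresent = (Test-Path -LiteralPath $backup)
    }
}

$result = Test-HostsFile
"$($result.BlockedNames) hostnames blocked in $($result.Path)"
"Backup HOSTS.MVP present: $($result.BackupPresent)"
if ($result.Problems.Count -gt 0) {
    'Entries to look at:'
    $result.Problems | ForEach-Object { "  $_" }
} else {
    'No suspicious entries found.'
}
```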
Old 01-18-2013, 03:53 PM   #20
Chemist,

I have taken the steps you outlined and performed the tasks.
Your help was well written and ultimately I think will help this computer be useful now.

Thanks again.

You may close this thread as solved.
Staywithit is offline  