
Windows Explorer / Dr Watson debugger crashes + BSOD

This is a discussion on Windows Explorer / Dr Watson debugger crashes + BSOD within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 03-23-2011, 08:57 AM   #1
Registered Member
 
Join Date: Jan 2011
Posts: 60
OS: xp system pack 2



Hi

A while ago I had a virus/malware problem which was then resolved. The problem caused Windows Explorer to crash and gave me a BSOD when I tried to log in.

https://www.techsupportforum.com/foru...us-544372.html


Then just a couple of hours ago I had Google Chrome open as well as the 'My Documents' folder and suddenly received the message that 'Windows Explorer has encountered an error and needs to close', followed by a similar message from 'Dr Watson debug manager'. I pressed Ctrl+Alt+Del since my screen was frozen and found the 'MY DOCUMENTS' folder listed as 'not responding'. However, the Task Manager then froze as well and I was forced to do a manual shutdown by switching the power off.


I then restarted my PC and launched Chrome to search for some answers, but about half an hour in I received a BSOD.


I have completely avoided the same sites that I was on when I was previously infected, so I'm not sure if this is being caused by a remnant of the previous infection or if my Windows Explorer is corrupted.

As I mentioned in my previous thread, after my very first infection the visual border around status windows such as the Task Manager changed so that they appeared like they were running in safe mode (they no longer had smooth edges/borders and instead had sharp pixellated borders). This remained after my disinfection but apparently caused no problems.

I am posting this from a different PC and I will now attempt to get the logs from the affected PC.
catdog7 is offline  
 
Old 03-23-2011, 08:11 PM   #2
Registered Member
 
Join Date: Jan 2011
Posts: 60
OS: xp system pack 2



Hi again

It took a while because of the difficulty I had in getting a GMER log.

I ran DDS just fine and then ran GMER. Everything was going fine when, about 7 hours in, I moved the mouse (didn't click anything) and it crashed and my mouse became disconnected (light went off).

I plugged my mouse back in and pressed Ctrl+Alt+Del, but the Task Manager 'failed to initialize', so I had to switch the power off and reboot. I ran it again and this time it completed and I saved the log.
However, when I clicked the txt file to verify its contents I received the error message 'insufficient system resources' to open the file. I then pressed Ctrl+Alt+Del and received the same message, so yet again I had to switch the power off manually (the screen had frozen) and reboot.

Here's the logs


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Ben at 16:10:16.95 on 24/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.359 [GMT 0:00]
.
AV: Norton Internet Security 2006 *Enabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *Disabled*
FW: Norton Internet Security 2006 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\iTunes\iTunesHelper.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Razer\razertra.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\Ben\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ben\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\Ben\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Ben\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali 10.0
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-gb\msntb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-gb\msntb.dll
TB: Norton Internet Security 2006: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Steam] "c:\program files\valve\steam\steam.exe" -silent
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Google Update] "c:\documents and settings\ben\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AcctMgr] c:\program files\norton password manager\AcctMgr.exe /startup
mRun: [Norton PasswordManager] c:\program files\common files\symantec shared\CfgWiz.exe /GUID {D1AFB197-5F24-49f4-9571-2F28A9798936}
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [razer] c:\program files\razer\razerhid.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\ben\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aol90t~1.lnk - c:\program files\aol 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\program files\icqlite\ICQLite.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128179458656
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128179444578
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - hxxp://www.trendmicro.com/spyware-scan/as4web.cab
DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} - hxxp://www.systemrequirementslab.com/sysreqlab.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444552200000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\ben\applic~1\mozilla\firefox\profiles\b3z6qtdk.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-16 191848]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2005-9-16 202088]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-16 169320]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\NAVAPSVC.EXE [2005-9-23 139888]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-4-13 1251720]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-4-15 109616]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080414.016\NAVENG.Sys [2008-4-15 89936]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080414.016\NavEx15.Sys [2008-4-15 866224]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2007-1-22 13225]
S2 AnonAswSvc;Anonymizer Anti-Spyware Service;c:\program files\anonymizer\anonymizer software\anonasw\AnonAswSvc.exe [2007-10-22 37560]
S2 AnonMgmtSvc;Anonymizer Management Service;c:\program files\anonymizer\anonymizer software\common\AnonMgmtSvc.exe [2007-10-22 37560]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S2 iDownloadService;iDownload Service;"c:\program files\idownload\idownloadservice.exe" --> c:\program files\idownload\iDownloadService.exe [?]
S3 AEILAB;AEI USB To Fast Ethernet Adapter;c:\windows\system32\drivers\AEILAB.SYS [2004-10-30 24299]
S3 AsAudioDevice_351;AsAudioDevice_351;c:\windows\system32\drivers\AsAudioDevice_351.sys [2009-4-10 16640]
S3 SAVScan;Symantec AVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-8-26 198368]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-1-24 44928]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-23 13:27:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-23 13:27:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2006-10-01 17:09:52 15302448 ----a-w- c:\program files\IE7RC1-WindowsXP-x86-enu.exe
2006-04-13 16:58:37 42068374 ----a-w- c:\program files\NIS06900_2YR.exe
.
============= FINISH: 16:12:13.06 ===============
Attached Files: Attach.zip (6.3 KB)
catdog7 is offline  
Old 03-26-2011, 07:29 AM   #3
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



Hello, Welcome to TSF.
I'm nasdaq and will be helping you.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.

Please do not install or uninstall any programs, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into the thread, rather than add them as attachments.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

For AVG antivirus and anti-spyware security software users only.
Quote:
Due to recent changes in AVG and how it interacts with CF, AVG must be uninstalled to run ComboFix. You will get a message from CF stating such.

If AVG will not uninstall, it is first recommended to uninstall it with this AppRemover by Opswat. The AVG uninstaller can be downloaded from here > AppRemover.exe. Go to their homepage and you will see they have support for removal of other AVs as well: AVG appremover tool.
nasdaq is offline  
 
Old 03-26-2011, 12:28 PM   #4
Registered Member
 
Join Date: Jan 2011
Posts: 60
OS: xp system pack 2



I disabled Norton by right clicking and an 'x' symbol appeared over it indicating that it was disabled, but when I ran ComboFix, ComboFix gave a message saying it detected that Norton was still running. Since the ComboFix window had already started running I decided to let it proceed, since I didn't want it to crash.

Here's the log



ComboFix 11-03-26.01 - Ben 27/03/2011 20:02:37.13.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.460 [GMT 1:00]
Running from: c:\documents and settings\Ben\Desktop\ComboFix.exe
AV: Norton Internet Security 2006 *Enabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\rnaph.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-27 to 2011-03-27 )))))))))))))))))))))))))))))))
.
.
2011-03-12 18:16 . 2011-03-12 18:16 -------- d-----w- c:\documents and settings\Guest\Application Data\Media Player Classic
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-12 14:04 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-12 13:57 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-04 04:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 04:00 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-23 13:27 . 2011-01-23 13:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-23 13:27 . 2011-01-23 13:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-21 14:44 . 2004-08-12 14:05 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-12 13:55 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-12 14:09 1854976 ----a-w- c:\windows\system32\win32k.sys
2006-10-01 17:09 . 2006-10-01 17:09 15302448 ----a-w- c:\program files\IE7RC1-WindowsXP-x86-enu.exe
2006-04-13 16:58 . 2006-04-13 16:58 42068374 ----a-w- c:\program files\NIS06900_2YR.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2010-11-19 1242448]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2006-01-24 7094272]
"Google Update"="c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-08 135664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"CTHelper"="CTHELPER.EXE" [2003-02-20 28672]
"AsioReg"="CTASIO.DLL" [2003-02-20 110592]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-02-16 147456]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]
"AcctMgr"="c:\program files\Norton Password Manager\AcctMgr.exe" [2005-07-29 586896]
"Norton PasswordManager"="c:\program files\Common Files\Symantec Shared\CfgWiz.exe" [2003-09-09 124096]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-28 180269]
"razer"="c:\program files\Razer\razerhid.exe" [2005-05-17 147456]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-05-26 257088]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-12 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Ben\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2004-10-17 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-10-17 24576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
.
R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [31/08/2009 05:48 721904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [16/04/2008 00:59 109616]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\SYSTEM32\DRIVERS\Razerlow.sys [22/01/2007 19:10 13225]
S2 AnonAswSvc;Anonymizer Anti-Spyware Service;c:\program files\Anonymizer\Anonymizer Software\AnonASW\AnonAswSvc.exe [22/10/2007 10:12 37560]
S2 AnonMgmtSvc;Anonymizer Management Service;c:\program files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe [22/10/2007 10:12 37560]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 iDownloadService;iDownload Service;"c:\program files\iDownload\iDownloadService.exe" --> c:\program files\iDownload\iDownloadService.exe [?]
S3 AEILAB;AEI USB To Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\AEILAB.SYS [30/10/2004 12:45 24299]
S3 AsAudioDevice_351;AsAudioDevice_351;c:\windows\SYSTEM32\DRIVERS\AsAudioDevice_351.sys [10/04/2009 17:45 16640]
S3 SDTHOOK;SDTHOOK;c:\windows\SYSTEM32\DRIVERS\SDTHOOK.SYS [24/01/2008 18:58 44928]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3409403883-1416648256-2670766871-1006Core.job
- c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-08 22:00]
.
2011-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3409403883-1416648256-2670766871-1006UA.job
- c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-08 22:00]
.
2011-03-18 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Ben.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-09-23 11:13]
.
2006-05-22 c:\windows\Tasks\Norton AntiVirus - Run Norton QuickScan - Ben.job
- c:\progra~1\NORTON~1\NORTON~1\NAVW32.EXE [2005-09-23 11:13]
.
2011-03-25 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 03:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali 10.0
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\b3z6qtdk.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-03-27 20:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3409403883-1416648256-2670766871-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*e*#\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(796)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-03-27 20:32:45
ComboFix-quarantined-files.txt 2011-03-27 19:32
ComboFix2.txt 2011-01-22 12:14
.
Pre-Run: 1,433,600,000 bytes free
Post-Run: 1,695,039,488 bytes free
.
- - End Of File - - A566CDCD9C02E95057DD238965F7D390
Old 03-27-2011, 07:13 AM   #5
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



Open notepad and copy/paste the text in the quote box below into it:

Code:
REGLOCK::
[HKEY_USERS\S-1-5-21-3409403883-1416648256-2670766871-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*e*#\OpenWithList]
Save this as CFScript on your desktop.



Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Would you know what program you use or have used to open this file type: .*f*e*#
The asterisks represent any character, and the # possibly represents a number.

Please let me know if the problem persists.
Old 03-27-2011, 12:44 PM   #6
Registered Member
 
Join Date: Jan 2011
Posts: 60
OS: xp system pack 2



Ok I ran the scan (Combofix asked me to update but I clicked no and proceeded)

I don't know exactly what you mean when you said find which program opened .*f*e*# ? I dragged and dropped the txt document onto Combofix and it ran a regular scan and now it's disappeared


Now to elaborate a bit on my problems since I have no way of knowing exactly what's wrong

As I mentioned in my original post these problems are the latest succession in a series of problems that 1st began last year when I was infected with malware (see my linked thread for details) which were finally resolved a few months ago and involved reinstalling Windows Explorer from my original CD (System Pack 2) (my Windows had already been updated to System Pack 3)
Everything seemed to work fine except occasionally when I would have had Google Chrome running for a long time (6 hours +) I would sometimes receive error messages along the lines of 'chrome has encountered an error and needs to close' and when I pressed ctrl alt del to load the task manager I would get a message along the lines of 'not enough system resources' etc.
This was more likely to happen on flash intensive sites (Youtube etc) however I never received any BSODs

After I shut Chrome down and restarted it I realised I was then able to access the task manager by pressing ctrl alt del. Also occasionally when I loaded my PC up certain icons in the task tray would fail to load (most notably the sound icon) but this was much rarer and was resolved by temporarily uninstalling the sound software which would then auto-install on restart (This icon has currently disappeared after running Combofix)

This latest problem (Windows Explorer crashing) occurred while I was running Chrome for a relatively short time (1 hour +) but I did have 'my Documents' folder open which does have a lot of icons/thumbnails in it and can take time to load them all (strain the system?) but I've been using this for a while now with no problems (there are also a lot of icons on my desktop). Anyway I restarted the system and loaded up Google Chrome (this time without any folders open to minimise the strain on the system) and after about 10 mins I got the BSOD after which I decided to make this post since it was reminiscent of my malware infection.


Since the previous problems happened haphazardly/occasionally I can't narrow down exactly what sequence/conditions must be met for them to arise and don't know if my system's now fixed or not

I've only been spending the bare minimum on this PC (visiting this forum, running Combofix) to avoid any further problems so I haven't been using my PC how I normally would

Is this being caused by malware or corrupted software or even a hardware problem? Looking at some other threads some Windows Explorer problems appear to be caused by the latter but I was sceptical about this being my case since my problems all began directly with the malware infection (although I have had some graphics card problems in the past though they were all software/driver related)


Anyway here's the log. Thanks



ComboFix 11-03-26.01 - Ben 28/03/2011 19:36:02.14.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.519 [GMT 1:00]
Running from: c:\documents and settings\Ben\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ben\Desktop\CFScript.txt
AV: Norton Internet Security 2006 *Enabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-28 )))))))))))))))))))))))))))))))
.
.
2011-03-28 18:24 . 2011-03-28 18:24 -------- d-----w- c:\windows\LastGood
2011-03-12 18:16 . 2011-03-12 18:16 -------- d-----w- c:\documents and settings\Guest\Application Data\Media Player Classic
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-12 14:04 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-12 13:57 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-04 04:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 04:00 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-23 13:27 . 2011-01-23 13:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-23 13:27 . 2011-01-23 13:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-21 14:44 . 2004-08-12 14:05 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-12 13:55 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-12 14:09 1854976 ----a-w- c:\windows\system32\win32k.sys
2006-10-01 17:09 . 2006-10-01 17:09 15302448 ----a-w- c:\program files\IE7RC1-WindowsXP-x86-enu.exe
2006-04-13 16:58 . 2006-04-13 16:58 42068374 ----a-w- c:\program files\NIS06900_2YR.exe
.
.
((((((((((((((((((((((((((((( [email protected]_19.22.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-28 18:16 . 2011-03-28 18:16 16384 c:\windows\temp\Perflib_Perfdata_790.dat
+ 2004-10-17 11:43 . 2011-03-28 18:20 73000 c:\windows\SYSTEM32\PERFC009.DAT
- 2004-10-17 11:43 . 2011-03-27 18:51 73000 c:\windows\SYSTEM32\PERFC009.DAT
+ 2004-10-17 11:43 . 2011-03-28 18:20 444328 c:\windows\SYSTEM32\PERFH009.DAT
- 2004-10-17 11:43 . 2011-03-27 18:51 444328 c:\windows\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2010-11-19 1242448]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2006-01-24 7094272]
"Google Update"="c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-08 135664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"CTHelper"="CTHELPER.EXE" [2003-02-20 28672]
"AsioReg"="CTASIO.DLL" [2003-02-20 110592]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-02-16 147456]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]
"AcctMgr"="c:\program files\Norton Password Manager\AcctMgr.exe" [2005-07-29 586896]
"Norton PasswordManager"="c:\program files\Common Files\Symantec Shared\CfgWiz.exe" [2003-09-09 124096]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-28 180269]
"razer"="c:\program files\Razer\razerhid.exe" [2005-05-17 147456]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-05-26 257088]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-12 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Ben\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2004-10-17 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-10-17 24576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
.
R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [31/08/2009 05:48 721904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [16/04/2008 00:59 109616]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\SYSTEM32\DRIVERS\Razerlow.sys [22/01/2007 19:10 13225]
S2 AnonAswSvc;Anonymizer Anti-Spyware Service;c:\program files\Anonymizer\Anonymizer Software\AnonASW\AnonAswSvc.exe [22/10/2007 10:12 37560]
S2 AnonMgmtSvc;Anonymizer Management Service;c:\program files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe [22/10/2007 10:12 37560]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 iDownloadService;iDownload Service;"c:\program files\iDownload\iDownloadService.exe" --> c:\program files\iDownload\iDownloadService.exe [?]
S3 AEILAB;AEI USB To Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\AEILAB.SYS [30/10/2004 12:45 24299]
S3 AsAudioDevice_351;AsAudioDevice_351;c:\windows\SYSTEM32\DRIVERS\AsAudioDevice_351.sys [10/04/2009 17:45 16640]
S3 SDTHOOK;SDTHOOK;c:\windows\SYSTEM32\DRIVERS\SDTHOOK.SYS [24/01/2008 18:58 44928]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3409403883-1416648256-2670766871-1006Core.job
- c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-08 22:00]
.
2011-03-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3409403883-1416648256-2670766871-1006UA.job
- c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-08 22:00]
.
2011-03-18 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Ben.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-09-23 11:13]
.
2006-05-22 c:\windows\Tasks\Norton AntiVirus - Run Norton QuickScan - Ben.job
- c:\progra~1\NORTON~1\NORTON~1\NAVW32.EXE [2005-09-23 11:13]
.
2011-03-25 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 03:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali 10.0
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\b3z6qtdk.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-03-28 19:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3409403883-1416648256-2670766871-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*e*#\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(4440)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-03-28 20:03:22
ComboFix-quarantined-files.txt 2011-03-28 19:03
ComboFix2.txt 2011-03-27 19:32
ComboFix3.txt 2011-01-22 12:14
.
Pre-Run: 1,319,034,880 bytes free
Post-Run: 1,478,189,056 bytes free
.
- - End Of File - - 34EF54D9F59E62C15AE0677FF46E62E4
Old 03-28-2011, 07:48 AM   #7
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



The key I previously tried to unlock is possibly protected by a REG NULL.

Let's try this command.
It will be removed only if not required.

Open notepad and copy/paste the text in the quote box below into it:

Code:
REGNULL::
[HKEY_USERS\S-1-5-21-3409403883-1416648256-2670766871-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*e*#\OpenWithList]
Save this as CFScript on your desktop.



Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

p.s. If prompted to update ComboFix please do so. The tool is being updated often and has a life of 10 days.
===

Quote:
Google Chrome running for a long time (6 hours +) I would sometimes receive error messages along the lines of 'chrome has encountered an error and needs to close' and when I pressed ctrl alt del to load the task manager I would get a message along the lines of 'not enough system resources' etc.
This was more likely to happen on flash intensive sites (Youtube etc) however I never received any BSODs
Chrome or some other running programs not releasing their resources when closed could be the cause of this 'not enough system resources'.
When you start a program it will set aside some resources to operate. Once these resources are exceeded you get the error message.

I would start by removing Chrome via the Add/Remove programs applet and reinstall the latest version that came out last week.
This will make sure that Chrome's cache will be cleaned and you will start with a new one.

Google Chrome v10.0.648.204 released
Google Chrome Releases: Stable Channel Update

===

Looking at the attachment from your first post I noticed that your free space is too low.
C: is FIXED (NTFS) - 229 GiB total, 1.474 GiB free.

You should have between 10 and 15% of free space on your hard disk.

I suggest you delete or move some files to a backup CD or flash drive.

Cleaning up your Flash Cache may also help.
Adobe - Flash Player : Settings Manager - Website Storage Settings panel
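The advice in this post boils down to a few checks a helper makes when reading a ComboFix log next to the DDS disk line: is anything listed under LOCKED REGISTRY KEYS (a key ordinary tools cannot open, for example one protected by an embedded null), has Security Center monitoring been switched off, is the Windows firewall policy disabled, and is free space under the 10% floor. The script below is an added example written for this thread; it is not ComboFix's, DDS's or the poster's code. The sample excerpt is copied from the thread's own log and trimmed, the parsing rules are assumptions about ComboFix's plain-text layout, and the 10% threshold is the figure given above.

```python
"""Triage helper for a ComboFix log excerpt plus one DDS disk-space line.

Added example, not ComboFix/DDS code. Assumptions: ComboFix prints registry
blocks in REGEDIT4 layout ("[key]" then "name"=value lines, "." as the blank
separator) and section headers that start with dashes; DDS prints
'<drive> is FIXED (NTFS) - <total> GiB total, <free> GiB free.'
"""
import re

# Constructed sample: lines copied from the thread's log, trimmed to the
# parts the triage cares about.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\\S-1-5-21-3409403883-1416648256-2670766871-1006\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.*f*e*#\\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
c:\\windows\\system32\\Ati2evxx.dll
"""

# Constructed sample: the DDS line quoted in the post above.
DDS_DISK_LINE = "C: is FIXED (NTFS) - 229 GiB total, 1.474 GiB free."

DISK_RE = re.compile(
    r"^(?P<drive>[A-Z]:) is .*?-\s*(?P<total>[\d.]+) GiB total,\s*"
    r"(?P<free>[\d.]+) GiB free",
    re.M,
)


def parse_reg_blocks(text):
    """Return [(key, {name: value})] for each REGEDIT4-style block in the log."""
    blocks, key, values = [], None, {}
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                blocks.append((key, values))
            key, values = line[1:-1], {}
        elif key is not None and line.startswith('"') and "=" in line:
            name, _, value = line[1:].partition('"=')
            values[name] = value.strip()
        elif line in (".", "") or line.startswith("----"):
            # "." is ComboFix's blank line; dashes open a new section.
            if key is not None:
                blocks.append((key, values))
                key, values = None, {}
    if key is not None:
        blocks.append((key, values))
    return blocks


def locked_keys(text):
    """Return the key names listed under the LOCKED REGISTRY KEYS header."""
    keys, in_section = [], False
    for line in text.splitlines():
        if "LOCKED REGISTRY KEYS" in line:
            in_section = True
            continue
        if in_section and line.startswith("-----"):
            break  # reached the next section header
        if in_section and line.startswith("[") and line.endswith("]"):
            keys.append(line[1:-1])
    return keys


def free_space_pct(dds_line):
    """Return (drive, percent free rounded to 2 places) or None if unparsable."""
    m = DISK_RE.search(dds_line)
    if not m:
        return None
    total, free = float(m.group("total")), float(m.group("free"))
    return m.group("drive"), round(100.0 * free / total, 2)


def triage(log_text, dds_disk_line, min_free_pct=10.0):
    """Return a list of (finding, detail) tuples worth a helper's attention."""
    findings = []
    for key, values in parse_reg_blocks(log_text):
        lk = key.lower()
        if "security center\\monitoring" in lk and values.get("DisableMonitoring", "").endswith("1"):
            findings.append(("security-center-monitoring-off", key))
        if lk.endswith("firewallpolicy\\standardprofile") and values.get("EnableFirewall", "").startswith("0"):
            findings.append(("windows-firewall-off", key))
    for key in locked_keys(log_text):
        findings.append(("locked-key", key))
    disk = free_space_pct(dds_disk_line)
    if disk and disk[1] < min_free_pct:
        findings.append(("low-free-space", f"{disk[0]} {disk[1]}% free"))
    return findings


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LOG, DDS_DISK_LINE):
        print(f"{finding:32s} {detail}")
```

On the thread's own excerpt the script reports monitoring disabled for both Symantec entries, the standard-profile firewall policy off, the one locked FileExts key, and C: at well under 1% free. A disabled Security Center entry is often legitimate (a third-party suite registers itself and turns off the built-in nag), so each finding is a prompt to look, not a verdict.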
Old 03-28-2011, 11:39 AM   #8
Registered Member
 
Join Date: Jan 2011
Posts: 60
OS: xp system pack 2



Ok I followed the instructions (including updating Combofix). During the scan my desktop went blank (except for the wallpaper) several times and when it completed the icons reappeared but my task tray icons haven't

You asked me to check which program opens .*f*e*#? Do you want me to navigate to this folder and click on the specified file?


From the Combofix logs are you able to determine what's causing these problems ? Is it a remnant from the previous infection or is it corrupted software/hardware ? Or is it a more recent unrelated infection ?

You advised freeing up more disk space - I previously had much lower free space since Windows recommends having at least 200 mb free so I kept it around that level with no issues previously so could this be related to the crashes ?

As I mentioned previously I have been using my PC the bare minimum to avoid further problems so should I resume as normal now and if it crashes again what should I do - ask for more assistance in the Virus section or should I go to the Software section? Thanks



Here's the log



ComboFix 11-03-28.01 - Ben 29/03/2011 19:02:06.15.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.459 [GMT 1:00]
Running from: c:\documents and settings\Ben\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ben\Desktop\CFScript.txt
AV: Norton Internet Security 2006 *Enabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-29 )))))))))))))))))))))))))))))))
.
.
2011-03-12 18:16 . 2011-03-12 18:16 -------- d-----w- c:\documents and settings\Guest\Application Data\Media Player Classic
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-12 14:04 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-12 13:57 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-04 04:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 04:00 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-23 13:27 . 2011-01-23 13:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-23 13:27 . 2011-01-23 13:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-21 14:44 . 2004-08-12 14:05 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-12 13:55 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-12 14:09 1854976 ----a-w- c:\windows\system32\win32k.sys
2006-10-01 17:09 . 2006-10-01 17:09 15302448 ----a-w- c:\program files\IE7RC1-WindowsXP-x86-enu.exe
2006-04-13 16:58 . 2006-04-13 16:58 42068374 ----a-w- c:\program files\NIS06900_2YR.exe
.
.
((((((((((((((((((((((((((((( [email protected]_19.22.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-29 17:46 . 2011-03-29 17:46 16384 c:\windows\temp\Perflib_Perfdata_7ac.dat
+ 2004-10-17 11:43 . 2011-03-28 18:20 73000 c:\windows\SYSTEM32\PERFC009.DAT
- 2004-10-17 11:43 . 2011-03-27 18:51 73000 c:\windows\SYSTEM32\PERFC009.DAT
+ 2004-10-17 11:43 . 2011-03-28 18:20 444328 c:\windows\SYSTEM32\PERFH009.DAT
- 2004-10-17 11:43 . 2011-03-27 18:51 444328 c:\windows\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2010-11-19 1242448]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2006-01-24 7094272]
"Google Update"="c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-08 135664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"CTHelper"="CTHELPER.EXE" [2003-02-20 28672]
"AsioReg"="CTASIO.DLL" [2003-02-20 110592]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-02-16 147456]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]
"AcctMgr"="c:\program files\Norton Password Manager\AcctMgr.exe" [2005-07-29 586896]
"Norton PasswordManager"="c:\program files\Common Files\Symantec Shared\CfgWiz.exe" [2003-09-09 124096]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-28 180269]
"razer"="c:\program files\Razer\razerhid.exe" [2005-05-17 147456]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-05-26 257088]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-12 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Ben\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2004-10-17 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-10-17 24576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
.
R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [31/08/2009 05:48 721904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [16/04/2008 00:59 109616]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\SYSTEM32\DRIVERS\Razerlow.sys [22/01/2007 19:10 13225]
S2 AnonAswSvc;Anonymizer Anti-Spyware Service;c:\program files\Anonymizer\Anonymizer Software\AnonASW\AnonAswSvc.exe [22/10/2007 10:12 37560]
S2 AnonMgmtSvc;Anonymizer Management Service;c:\program files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe [22/10/2007 10:12 37560]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 iDownloadService;iDownload Service;"c:\program files\iDownload\iDownloadService.exe" --> c:\program files\iDownload\iDownloadService.exe [?]
S3 AEILAB;AEI USB To Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\AEILAB.SYS [30/10/2004 12:45 24299]
S3 AsAudioDevice_351;AsAudioDevice_351;c:\windows\SYSTEM32\DRIVERS\AsAudioDevice_351.sys [10/04/2009 17:45 16640]
S3 SDTHOOK;SDTHOOK;c:\windows\SYSTEM32\DRIVERS\SDTHOOK.SYS [24/01/2008 18:58 44928]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3409403883-1416648256-2670766871-1006Core.job
- c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-08 22:00]
.
2011-03-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3409403883-1416648256-2670766871-1006UA.job
- c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-08 22:00]
.
2011-03-18 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Ben.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-09-23 11:13]
.
2006-05-22 c:\windows\Tasks\Norton AntiVirus - Run Norton QuickScan - Ben.job
- c:\progra~1\NORTON~1\NORTON~1\NAVW32.EXE [2005-09-23 11:13]
.
2011-03-25 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 03:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali 10.0
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\b3z6qtdk.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-03-29 19:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3409403883-1416648256-2670766871-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*e*#\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2332)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-03-29 19:27:34
ComboFix-quarantined-files.txt 2011-03-29 18:27
ComboFix2.txt 2011-03-28 19:03
ComboFix3.txt 2011-03-27 19:32
ComboFix4.txt 2011-01-22 12:14
.
Pre-Run: 1,484,845,056 bytes free
Post-Run: 1,460,973,568 bytes free
.
- - End Of File - - A3F645C89206623B32EE56F7F355A60C
Old 03-29-2011, 05:47 AM   #9
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



With ComboFix I can only remove what is not required.
If anything was removed beforehand I cannot see it.

Make sure you get the latest version of Chrome and that you clean your Flash Drive.

Use the computer normally.
Do not try to overload it with open programs at first.

If you get any BSOD or errors please post the error message.

After a BSOD run DDS and post the Extra.txt for my review.
Old 03-29-2011, 11:18 AM   #10
Registered Member
 
Join Date: Jan 2011
Posts: 60
OS: xp system pack 2



Ok I went to Adobe - Flash Player : Settings Manager - Website Storage Settings panel but within 3 seconds I got a message saying 'A script in this movie is causing this page to run slowly if it continues your computer may become unresponsive' with 'Do you want to abort this script yes/no' underneath

At this point my Chrome screen froze (but my computer didn't) and so I clicked abort script at which point the Flash Control panel started flickering and became distorted but Chrome became responsive again. I tried a couple more times with Chrome but with the same result so I loaded up internet explorer and this time the same thing happened except that after about 10 secs it became responsive again and I was able to clear my flash cache.

I then went to the Chrome update link but it only lists new security updates and when I visited the Chrome download site and clicked install it said it couldn't because of the window I already had running. Is it possible to merely update Chrome instead of performing a complete reinstall (like with Firefox)
so that I don't lose my bookmarks/settings etc ?


You said Combofix can only detect additions not deletions - I noticed that the first time it ran it deleted c:\windows\system32\rnaph.dll - Was this caused by Malware or something else ?

You said to run a DDS if I get another BSOD and post the EXTRA.txt
After my first BSOD I did run DDS but it only produced DDS.txt and Attach.txt so how do I get the Extra.txt ?

Should I now uninstall Combofix along with the system restore points it created and keep DDS installed ? Or delete them both along with GMER and only reinstall when necessary ? Thanks
catdog7 is offline  
Old 03-29-2011, 12:02 PM   #11
Registered Member
 
Join Date: Jan 2011
Posts: 60
OS: xp system pack 2



I didn't intend to make this a 2nd post but for some reason I can't edit my previous one

Anyway as I was shutting down a box popped up indicating that 'CCAP' was closing.
Now this is normal - I've been getting this along with similar messages such as 'CCC' for example indicating that processes are taking time to shut down and giving me the option to 'end task' or wait for several years now

However as I mentioned previously, before my 1st 'disinfection' these windows all had smooth rounded borders but since then they are now sharp/jagged and more pixellated (they have the same appearance as windows running in safe mode) indicating something had been changed/altered but with no obvious issues

I don't know if this should be a problem or not but since it coincided with the other problems I was concerned that this could be an indicator that some files may be missing/corrupted and therefore be related to the other problems
catdog7 is offline  
Old 03-30-2011, 07:00 AM   #12
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



Quote:
Is it possible to merely update Chrome instead of performing a complete reinstall (like with Firefox)
so that I don't lose my bookmarks/settings etc ?
I do not use Chrome but I suspect that you may be able to do it. Check the help file.

===


Quote:
You said Combofix can only detect additions not deletions - I noticed that the first time it ran it deleted c:\windows\system32\rnaph.dll - Was this caused by Malware or something else ?
The file is required for Dial-Up Networking Phonebook utilities in older systems; it was normally found in C:\Windows\System\
The deleted copy was here: c:\windows\system32\rnaph.dll

If you feel that you may need it in the future you can restore it by running this script.

Open notepad and copy/paste the text in the quote box below into it:

Code:
DEQUARANTINE::
c:\qoobox\quarantine\c\windows\system32\rnaph.dll.vir | c:\windows\system32\rnaph.dll
QUIT::
Save this as CFScript on your desktop.



Referring to the picture above, drag CFScript into ComboFix.exe

Post the content of the DeQuarantine_log.txt
====

Quote:
You said to run a DDS if I get another BSOD and post the EXTRA.txt
After my first BSOD I did run DDS but it only produced DDS.txt and Attach.txt
My bad, my memory failed me. I should have said Attach.txt.


Quote:
Should I now uninstall Combofix along with the system restore points it created and keep DDS installed ? Or delete them both along with GMER and only reinstall when necessary ? Thanks
When you feel that all is well you must remove ComboFix this way:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:

    Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

    ComboFix /Uninstall
===

The DDS and GMER should be deleted and reinstalled if you need it later.
They often get updated and you should always use the latest version.

===


Quote:
Anyway as I was shutting down a box popped up indicating that 'CCAP' was closing.
quote from this page:
CCAP.exe

CCAPP.exe is part of Norton Antivirus/Internet Security. I'd say that the
problem is caused by the program not closing quickly enough once Windows
tells all of the programs to quit as it is shutting down.

To increase the time Windows waits for all of the programs to quit you will
need to make a change in the registry according to this web page:


The link provided is no longer valid.

I did find this page and it could be interesting.

ccapp.exe Description, Problems and Solutions - Computing.Net
Check it out. You may be able to find a solution to your problem.
Also Google ccap.exe for more information.

---

p.s. When was the last time you Updated Norton?
__________________
nasdaq is offline  
Old 03-30-2011, 11:34 AM   #13
Registered Member
 
Join Date: Jan 2011
Posts: 60
OS: xp system pack 2



I checked the Chrome site and apparently I already have the latest version (must have updated automatically) but on the forums there seem to be a lot of complaints from users involving Flash related crashes with the latest version (but no BSODs)

My Norton subscription has long since expired but I've kept it installed because it still occasionally blocks attempted intrusions. I was planning on downloading a free AV like AVG but I was told that having multiple antivirus programs running simultaneously can cause problems and once I delete Norton I won't be able to get it back again without buying it.

I uninstalled GMER/Combofix/DDS but I have yet to start using my PC normally since I'm not sure whether I should perform a full backup of my HD ?

In addition to rnaph.dll you changed/modified/deleted

[HKEY_USERS\S-1-5-21-3409403883-1416648256-2670766871-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*e*#\OpenWithList]

What was wrong with this file ? Was it malware related ? Could it potentially have caused a BSOD ? As I said in my last post some of the windows on shut down look different than they did before my infection and so if I perform a backup won't these errors/problems be copied as well ? Thanks
catdog7 is offline  
Old 03-30-2011, 11:57 AM   #14
Registered Member
 
Join Date: Jan 2011
Posts: 60
OS: xp system pack 2



Just one more thing that I forgot to mention (I'm not sure if its important or not)

When both the crashes happened I had an external HD plugged in at the time. I've been using it for a while now with no problems however (started using it after my previous Explorer/Malware crashes)

I just thought to mention it since the BSOD said something about 'dumping memory' (can't remember the full message) and whether or not this is related

If it happens again should I run DDS with the External HD plugged in ? Thanks
catdog7 is offline  
Old 03-31-2011, 07:05 AM   #15
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



I will remove this key.

[HKEY_USERS\S-1-5-21-3409403883-1416648256-2670766871-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*e*#\OpenWithList]

If a program asks for it we can restore it.

Open notepad and copy/paste the text in the quote box below into it:

Code:
Registry::
[-HKEY_USERS\S-1-5-21-3409403883-1416648256-2670766871-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*e*#\OpenWithList]
Save this as CFScript on your desktop.



Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Quote:
I just thought to mention it since the BSOD said something about 'dumping memory' (can't remember the full message) and whether or not this is related
If it happens again should I run DDS with the External HD plugged in ? Thanks
Yes!
If it's possible include the complete error message.
__________________
nasdaq is offline  
Old 03-31-2011, 12:53 PM   #16
Registered Member
 
Join Date: Jan 2011
Posts: 60
OS: xp system pack 2



So what does

Registry::
[-HKEY_USERS\S-1-5-21-3409403883-1416648256-2670766871-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*e*#\OpenWithList]


do exactly ? Could it cause a BSOD ?


Anyway I reinstalled Combofix and ran the script. Should I deinstall it again ?

After running Combofix my task tray has disappeared - is this normal ?


Here's the log



ComboFix 11-03-31.01 - Ben 01/04/2011 20:34:40.16.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.442 [GMT 1:00]
Running from: c:\documents and settings\Ben\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ben\Desktop\CFScript.txt
AV: Norton Internet Security 2006 *Enabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))
.
.
2011-03-12 18:16 . 2011-03-12 18:16 -------- d-----w- c:\documents and settings\Guest\Application Data\Media Player Classic
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-12 14:04 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-12 13:57 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-04 04:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 04:00 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-23 13:27 . 2011-01-23 13:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-23 13:27 . 2011-01-23 13:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-21 14:44 . 2004-08-12 14:05 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-12 13:55 290048 ----a-w- c:\windows\system32\atmfd.dll
2006-10-01 17:09 . 2006-10-01 17:09 15302448 ----a-w- c:\program files\IE7RC1-WindowsXP-x86-enu.exe
2006-04-13 16:58 . 2006-04-13 16:58 42068374 ----a-w- c:\program files\NIS06900_2YR.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2010-11-19 1242448]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2006-01-24 7094272]
"Google Update"="c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-08 135664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"CTHelper"="CTHELPER.EXE" [2003-02-20 28672]
"AsioReg"="CTASIO.DLL" [2003-02-20 110592]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-02-16 147456]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]
"AcctMgr"="c:\program files\Norton Password Manager\AcctMgr.exe" [2005-07-29 586896]
"Norton PasswordManager"="c:\program files\Common Files\Symantec Shared\CfgWiz.exe" [2003-09-09 124096]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-28 180269]
"razer"="c:\program files\Razer\razerhid.exe" [2005-05-17 147456]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-05-26 257088]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-12 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Ben\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2004-10-17 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-10-17 24576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
.
R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [31/08/2009 05:48 721904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [16/04/2008 00:59 109616]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\SYSTEM32\DRIVERS\Razerlow.sys [22/01/2007 19:10 13225]
S2 AnonAswSvc;Anonymizer Anti-Spyware Service;c:\program files\Anonymizer\Anonymizer Software\AnonASW\AnonAswSvc.exe [22/10/2007 10:12 37560]
S2 AnonMgmtSvc;Anonymizer Management Service;c:\program files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe [22/10/2007 10:12 37560]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 iDownloadService;iDownload Service;"c:\program files\iDownload\iDownloadService.exe" --> c:\program files\iDownload\iDownloadService.exe [?]
S3 AEILAB;AEI USB To Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\AEILAB.SYS [30/10/2004 12:45 24299]
S3 AsAudioDevice_351;AsAudioDevice_351;c:\windows\SYSTEM32\DRIVERS\AsAudioDevice_351.sys [10/04/2009 17:45 16640]
S3 SDTHOOK;SDTHOOK;c:\windows\SYSTEM32\DRIVERS\SDTHOOK.SYS [24/01/2008 18:58 44928]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3409403883-1416648256-2670766871-1006Core.job
- c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-08 22:00]
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3409403883-1416648256-2670766871-1006UA.job
- c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-08 22:00]
.
2011-03-18 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Ben.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-09-23 11:13]
.
2006-05-22 c:\windows\Tasks\Norton AntiVirus - Run Norton QuickScan - Ben.job
- c:\progra~1\NORTON~1\NORTON~1\NAVW32.EXE [2005-09-23 11:13]
.
2011-03-25 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 03:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Tiscali 10.0
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\b3z6qtdk.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-01 20:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3409403883-1416648256-2670766871-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*e*#\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(156)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-04-01 20:59:05
ComboFix-quarantined-files.txt 2011-04-01 19:58
ComboFix2.txt 2011-03-29 18:27
.
Pre-Run: 1,570,652,160 bytes free
Post-Run: 1,552,535,552 bytes free
.
- - End Of File - - 6AD551EEC0447942B05B611BC221B435
catdog7 is offline  
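An added example, not code from this thread or from ComboFix itself: it reads an excerpt of the log posted above and pulls out the posture points a reviewer checks first (security product state, Security Center monitoring, the firewall policy, autostart values without a full path, and services whose binary ComboFix marks with `[?]`). The excerpt is constructed from lines copied out of that log; the regular expressions follow the layout those lines show.

```python
import re
from typing import Dict, List

# Constructed excerpt copied from the ComboFix log posted above; the paths,
# GUIDs and values are as they appear in that log.
SAMPLE_LOG = r"""
AV: Norton Internet Security 2006 *Enabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]
"CTHelper"="CTHELPER.EXE" [2003-02-20 28672]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [31/08/2009 05:48 721904]
S2 iDownloadService;iDownload Service;"c:\program files\iDownload\iDownloadService.exe" --> c:\program files\iDownload\iDownloadService.exe [?]
"""

PRODUCT_RE = re.compile(r"^(AV|FW|SP): (.+?) \*([^*]+)\* \{")   # AV/FW/SP status lines
KEY_RE = re.compile(r"^\[(.+)\]$")                               # registry key headers
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')                   # "name"="command" values
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")      # R*/S* driver/service lines


def parse_products(log: str) -> List[Dict[str, str]]:
    """Security products and the state ComboFix reports for each of them."""
    out = []
    for line in log.splitlines():
        m = PRODUCT_RE.match(line)
        if m:
            out.append({"kind": m.group(1), "name": m.group(2), "state": m.group(3)})
    return out


def parse_run_entries(log: str) -> List[Dict[str, str]]:
    """Name/command pairs listed under each [...\\Run] key header."""
    out, key = [], None
    for line in log.splitlines():
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
            continue
        v = VALUE_RE.match(line)
        if v and key and key.lower().endswith(r"\run"):
            out.append({"key": key, "name": v.group(1), "command": v.group(2)})
    return out


def parse_services(log: str) -> List[Dict[str, object]]:
    """Driver/service lines; a trailing '[?]' means ComboFix could not read the file."""
    out = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            out.append({"start": m.group(1), "name": m.group(2), "display": m.group(3),
                        "path": m.group(4), "file_unverified": line.rstrip().endswith("[?]")})
    return out


def triage(log: str) -> List[str]:
    """Posture findings worth raising before looking at anything else in the log."""
    findings = []
    for p in parse_products(log):
        if "Outdated" in p["state"]:
            findings.append(f"{p['kind']} outdated: {p['name']}")
        if "Disabled" in p["state"]:
            findings.append(f"{p['kind']} disabled: {p['name']}")
    key = ""
    for line in log.splitlines():
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
        elif line.startswith('"EnableFirewall"= 0'):
            findings.append("Windows Firewall off for profile: " + key.rsplit("\\", 1)[-1])
        elif line.startswith('"DisableMonitoring"=dword:00000001'):
            findings.append("Security Center monitoring disabled for: " + key.rsplit("\\", 1)[-1])
    for e in parse_run_entries(log):
        # A bare file name is resolved through the search path at logon, so the
        # log line alone does not tell you which binary actually runs.
        if "\\" not in e["command"]:
            findings.append(f"autostart without full path: {e['name']}={e['command']}")
    for s in parse_services(log):
        if s["file_unverified"]:
            findings.append(f"service binary not verifiable: {s['name']}")
    return findings
```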
Old 03-31-2011, 07:54 PM   #17
Registered Member
 
Join Date: Jan 2011
Posts: 60
OS: xp system pack 2



Ok I've been surfing around with Chrome for a few hours (haven't done it with other folders open though) and so far avoided any BSOD

However after about 3 hours I received a message 'virtual memory running low windows is freeing up additional memory' and so I decided to stop to avoid another crash
catdog7 is offline  
Old 04-01-2011, 05:45 AM   #18
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



Run this fix which will increase your virtual memory settings.

“Your system is low on virtual memory” error message when you try to start an Office program
===

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:

    Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

    ComboFix /Uninstall
===
__________________
nasdaq is offline  
Old 04-03-2011, 01:49 PM   #19
Registered Member
 
Join Date: Jan 2011
Posts: 60
OS: xp system pack 2



So was/is

Registry::
[-HKEY_USERS\S-1-5-21-3409403883-1416648256-2670766871-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*e*#\OpenWithList]


created by a virus or a Windows original file and if so what potential programs would I need it for ?

I also tried accessing my 'Temp' folder which contains various caches including temporary internet files but I can no longer find it. It used to be located under user>documents&settings>install in system but it's gone.

I know it still exists because after surfing the net my HD space gradually decreased due to caching. Unfortunately selecting 'delete temporary internet files' doesn't delete everything so I can only do it manually by entering the folder which I can no longer locate
catdog7 is offline  
Old 04-04-2011, 06:51 AM   #20
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,656
OS: Windows 2000 Pro. - Vista SP 2, W7



Try this.
  • Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.
__________________
nasdaq is offline  