
Registered · 8 Posts
If I don't log in in safe mode I can't see any of my desktop icons or the start menu. When I try to run Windows Update, IE opens and then automatically closes. I tried to run System Restore but I get an error message that I am low on virtual memory and it never completes the restore. Whenever I try to turn McAfee back on it automatically turns back off. I have attached the log files. Thanks for your help!


Mod: edited in the DDS.txt. In future, please attach only the logs you're requested to attach specifically, unless you have problem posting them. Otherwise, the rest should be posted.

DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by n at 19:21:50.88 on Thu 02/17/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.737 [GMT -5:00]

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
E:\dds.scr

============== Pseudo HJT Report ===============

mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: SuperAdBlockerBHO Class: {00000000-6c30-11d8-9363-000ae6309654} - c:\program files\superadblocker.com\super ad blocker\SABBHO.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110125235817.dll
BHO: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - c:\program files\webex\productivity tools\ptonecli.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - c:\program files\webex\productivity tools\ptonecli.dll
TB: Super Ad Blocker Toolbar: {b4b3001e-0f56-4e51-8250-bde11547ec55} - c:\program files\superadblocker.com\super ad blocker\sabtb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CARPService] carpserv.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [Display Settings] c:\program files\hpq\notebook utilities\hptasks.exe /s
mRun: [QT4HPOT] c:\program files\hpq\one-touch\OneTouch.EXE
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [gemstrmw] c:\windows\system32\gemstrmw.exe /r
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {63F5866B-A7C5-40B4-9A89-0CCA99726C8D} - hxxps://secure.logmeinrescue.com/Customer/x86/RescueDownloader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199917516093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5277/mcfscan.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SABWinLogon - c:\program files\superadblocker.com\super ad blocker\SABWINLO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000d7} - c:\program files\superadblocker.com\super ad blocker\SABSEHB.DLL

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-29 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-29 84072]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-29 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-29 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-29 141792]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [2003-7-16 28280]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-29 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-29 88544]
S0 bcnqrvr;bcnqrvr;c:\windows\system32\drivers\mchmvt.sys --> c:\windows\system32\drivers\mchmvt.sys [?]
S1 SABDIFSV;SABDIFSV;c:\program files\superadblocker.com\super ad blocker\sabdifsv.sys [2005-9-21 5632]
S1 SABKUTIL;SABKUTIL;c:\program files\superadblocker.com\super ad blocker\SABKUTIL.SYS [2007-2-20 32256]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 51440]
S2 0303171296518922mcinstcleanup;McAfee Application Installer Cleanup (0303171296518922);c:\windows\temp\030317~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\030317~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
S2 GemSAFE Card Server;GemSAFE Card Server;c:\program files\gemplus\gemsafe libraries\bin\GCardSrvNT.exe [2006-1-20 118784]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-27 135664]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-7 88176]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-29 271480]
S2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-29 271480]
S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-29 171168]
S3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [2007-5-25 291328]
S3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2007-5-25 244608]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-29 55840]
S3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [2008-9-15 61776]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-29 152960]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-29 52104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-29 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-29 84264]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

=============== Created Last 30 ================

2011-02-18 00:18:49 -------- d-----w- c:\docume~1\n\applic~1\Malwarebytes
2011-02-17 23:52:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit
2011-02-17 23:52:18 -------- d-----w- c:\program files\IObit
2011-02-09 01:55:33 -------- d-----w- c:\windows\LastGood.Tmp
2011-02-08 23:58:33 -------- d-----w- c:\program files\temp
2011-02-08 02:29:03 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-08 02:29:03 -------- d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-04-23 00:29:16 1742176 ----a-w- c:\program files\PhotoshopElementsSyncAgent.exe
2009-04-23 00:29:14 1459552 ----a-w- c:\program files\ems.dll
2008-09-16 16:07:00 537952 ----a-w- c:\program files\ScCore.dll
2008-09-16 16:06:56 12289376 ----a-w- c:\program files\AdobePSL.dll
2008-09-16 16:06:40 34144 ----a-w- c:\program files\asneu.dll
2008-09-16 16:06:36 318304 ----a-w- c:\program files\ARE.dll
2008-09-16 16:06:34 3077472 ----a-w- c:\program files\AdobeLinguistic.dll
2008-09-16 16:06:30 2585952 ----a-w- c:\program files\AdobeLMOrg_libFNP.dll
2008-09-16 16:06:30 2585952 ----a-w- c:\program files\AdobeLMLnhr_libFNP.dll
2008-09-16 16:06:28 2807136 ----a-w- c:\program files\AdobeLM.dll
2008-09-16 16:06:28 2585952 ----a-w- c:\program files\AdobeLMEdit_libFNP.dll
2008-09-16 16:06:28 2585952 ----a-w- c:\program files\AdobeLM_libFNP.dll
2008-09-16 16:06:06 603488 ----a-w- c:\program files\registration.dll
2008-09-16 16:06:02 2078048 ----a-w- c:\program files\PSViews.dll
2008-09-16 16:04:58 148832 ----a-w- c:\program files\pdf2img.dll
2008-09-16 16:03:58 470368 ----a-w- c:\program files\adobe_epic.dll
2008-09-16 16:03:56 220000 ----a-w- c:\program files\adobe_caps.dll
2008-09-16 16:03:46 515936 ----a-w- c:\program files\AdobeUpdater.dll
2008-09-16 16:03:42 4658528 ----a-w- c:\program files\AdobePDFL.dll
2008-09-16 16:03:40 890208 ----a-w- c:\program files\AdobeOwl.dll
2008-09-16 16:03:36 1025376 ----a-w- c:\program files\AdobeOLS.dll
2008-09-16 16:03:34 2954592 ----a-w- c:\program files\AdobePhotoshopElementsMediaServer.exe
2008-09-16 16:03:30 860512 ----a-w- c:\program files\ACE.dll
2008-09-16 16:03:24 32331104 ----a-w- c:\program files\PhotoshopElementsOrganizer.exe
2008-09-16 16:03:18 41878880 ----a-w- c:\program files\PhotoshopElementsEditor.exe
2008-09-16 16:03:18 169312 ----a-w- c:\program files\PhotoshopElementsFileAgent.exe
2008-09-16 16:03:16 2942304 ----a-w- c:\program files\Photoshop Elements 7.0.exe
2008-09-16 16:03:16 2245984 ----a-w- c:\program files\Photoshop.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: WDC_WD600VE-11KWT0 rev.01.03K01 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85EEF85C]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85ef5a38]; MOV EAX, [0x85ef5ab4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x85F41AB8]
3 CLASSPNP[0xF7643FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000007f[0x85F573B8]
5 ACPI[0xF759A620] -> nt!IofCallDriver[0x804E37D5] -> [0x85F6B940]
\Driver\atapi[0x85F8B538] -> IRP_MJ_CREATE -> 0x85EEF85C
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD600VE-11KWT0______________________01.03K01#5&37cd7add&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x85EEF6A2
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 19:23:52.78 ===============
 

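The DDS log above carries the two indicators the rest of this thread turns on: a boot-start driver whose image DDS cannot find on disk (the `S0 bcnqrvr` line ending in `[?]`) and a GMER hook on `\Driver\atapi DriverStartIo`. The Python script below is an added example written for this page; it is not a tool from the thread or from the DDS/GMER authors. It parses DDS `SERVICES / DRIVERS` lines and the GMER `detected hooks` block and scores each service with weights that are this example's own assumptions (missing image, service name not matching the image name, vowel-free name, boot/system start type). The sample input is a handful of lines copied from the log above, not the full log. As the helper's caution further down says, hook reports and odd names are leads for a person to check, not a verdict; the script only ranks them.

```python
"""Triage helper for DDS 'SERVICES / DRIVERS' lines and GMER 'detected hooks' lines.

Added example for this thread; it is not part of DDS, GMER or ComboFix and not
the helper's own tooling.  The line formats it parses are taken from the log
above; the scoring weights and the 'random-looking name' rule are assumptions
of this example, not anything the tools or the thread define.
"""
import re

# Sample input: a handful of lines copied from the DDS/GMER output posted above
# (not the full log), so the script runs offline.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-29 386840]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-29 271480]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-29 88544]
S0 bcnqrvr;bcnqrvr;c:\windows\system32\drivers\mchmvt.sys --> c:\windows\system32\drivers\mchmvt.sys [?]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-29 171168]

detected hooks:
\Driver\atapi DriverStartIo -> 0x85EEF6A2
user & kernel MBR OK
"""

# DDS service line: <R|S><start type> <service name>;<display name>;<image path and args> [...]
# R = running, S = stopped; start type 0 = boot, 1 = system, 2 = auto, 3 = demand, 4 = disabled.
SERVICE_RE = re.compile(r'^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$')
# First file name with a .sys/.exe/.dll extension inside the image path field.
IMAGE_RE = re.compile(r'([^\\"/]+)\.(?:sys|exe|dll)', re.IGNORECASE)
# GMER hook line: <kernel object> <hooked field> -> <address>
HOOK_RE = re.compile(r'^(?P<object>\\\S+)\s+(?P<field>\S+)\s+->\s+(?P<addr>0x[0-9A-Fa-f]+)$')

SUSPICIOUS_SCORE = 3   # assumption: score at which an entry is worth a human look


def looks_random(name):
    """Weak signal: five or more letters and not a single vowel (e.g. 'bcnqrvr', 'mchmvt')."""
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 5 and not any(c in 'aeiouy' for c in letters)


def image_stem(path):
    """File name (without extension) of the first .sys/.exe/.dll in the image path, or None."""
    m = IMAGE_RE.search(path)
    return m.group(1) if m else None


def triage_service(line):
    """Score one DDS service/driver line; returns None for lines that are not service entries."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    name, path, start = m.group('name'), m.group('path'), int(m.group('start'))
    score, reasons = 0, []
    if path.rstrip().endswith('[?]'):            # DDS could not find the image on disk
        score += 3
        reasons.append('image file not found on disk ([?])')
    stem = image_stem(path)
    if stem is not None:
        if name.lower() not in stem.lower() and stem.lower() not in name.lower():
            score += 1
            reasons.append('service name %r does not match image name %r' % (name, stem))
        if looks_random(stem):
            score += 1
            reasons.append('image name %r looks random' % stem)
    if looks_random(name):
        score += 1
        reasons.append('service name %r looks random' % name)
    if start <= 1:                               # boot/system start: loads before user-mode AV
        score += 1
        reasons.append('boot/system start type %d' % start)
    return {'name': name, 'state': m.group('state'), 'start': start,
            'path': path, 'score': score, 'reasons': reasons}


def parse_hooks(text):
    """Collect the lines after GMER's 'detected hooks:' header up to the first non-hook line."""
    hooks, in_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.lower() == 'detected hooks:':
            in_block = True
            continue
        if in_block:
            m = HOOK_RE.match(stripped)
            if not m:
                in_block = False
                continue
            hooks.append(m.groupdict())
    return hooks


def triage(text):
    """Return (service entries at or above the threshold, GMER hooks) for a DDS/GMER log."""
    flagged = []
    for line in text.splitlines():
        entry = triage_service(line)
        if entry and entry['score'] >= SUSPICIOUS_SCORE:
            flagged.append(entry)
    return flagged, parse_hooks(text)


if __name__ == '__main__':
    flagged, hooks = triage(SAMPLE_LOG)
    for e in flagged:
        print('%s%d %-12s score=%d  %s' % (e['state'], e['start'], e['name'], e['score'], '; '.join(e['reasons'])))
    for h in hooks:
        print('hook: %s %s -> %s' % (h['object'], h['field'], h['addr']))
```

Run it as a script to print the ranked entries, or pass the full DDS/GMER text to `triage()`. The vowel-free name test is deliberately weak and worth only a point (McAfee's own `McMPFSvc` trips it); the `[?]` marker and an early start type are what push an entry over the threshold, which on the sample above leaves `bcnqrvr` as the only flagged service.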

TSF Security Manager, Emeritus · 52,197 Posts
Hello, and welcome to TSF.

I don't see a log from GMER rootkit scanner, was there a problem with that? If you've already run it and have the log, please attach it in reply.

Otherwise, I would like to get a scan in.

Let's try this version of gmer.


Download GMER Rootkit Scanner from here: http://www.gmer.net/download.php to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


If you still have troubles, try running the scan in Safe Mode.

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

If you still have troubles, run the scan with ONLY the Sections and C drive boxes ticked.



 

TSF Security Manager, Emeritus · 52,197 Posts
Please note: This fix should be run in Normal Mode, unless and only if Normal Mode is inaccessible. If so, then use Safe Mode with Networking.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do not do any fixing on your own or run any scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------


  1. Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware. Please note: If the Recovery Console does NOT get installed, click on NO, do not continue, and let me know.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
 

Registered · 8 Posts · Discussion Starter · #5
OK, I ran ComboFix and it looked like it was working fine. It downloaded the Recovery Console and started scanning. Then it gave me a popup that it had found a rootkit and needed to restart. Once it came back up, ComboFix was open and running. Then a blue screen popped up that said I had a serious system error and it needed to restart. It was only there for about three seconds. Once it restarted, ComboFix did not give me a log. I waited for a while, then I tried to open ComboFix and I got the following error message.

16 bit MS-DOS subsystem

C:\37288R22FWJFW\cmd.cfxxe
C:\PROGRA~1\Symantec\S32EVNT1.DLL An installable Virtual Device failed DLL initialization. Choose Close to terminate the application.

Now combofix will not run.
 

TSF Security Manager, Emeritus · 52,197 Posts
It's possible McAfee has interfered.

Let's do this.

Delete the existing copy of ComboFix. Download a fresh copy, and rename it as you're saving it. Name it josh.exe

Boot into Safe Mode with Networking, and run ComboFix (josh.exe) again. If ComboFix restarts the machine, go back into Safe Mode until a log is produced.
 

Registered · 8 Posts · Discussion Starter · #7
OK, sorry for the delay. I ran ComboFix but it did not ask me what areas of the computer I wanted to scan. Here is the log.



ComboFix 11-02-19.02 - n 02/20/2011 10:19:41.4.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.716 [GMT -5:00]
Running from: c:\documents and settings\n\Desktop\josh.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Joshua Capshaw\System
c:\documents and settings\Joshua Capshaw\System\win_qs8.jqx
c:\program files\SHFOLDER.dll
c:\windows\system32\atdiqvpg.ini
c:\windows\system32\bfdxgpwa.ini
c:\windows\system32\dyebixur.ini
c:\windows\system32\gniqafrs.ini
c:\windows\system32\lbkegsuc.ini
c:\windows\system32\pdhpivvp.ini
c:\windows\system32\puhimatn.ini
c:\windows\system32\pxfbpfbt.ini
c:\windows\system32\qdccqdwq.ini
c:\windows\system32\tcyqavba.ini
c:\windows\system32\wyfivkhg.ini
c:\windows\system32\xfjtplvt.ini

.
((((((((((((((((((((((((( Files Created from 2011-01-20 to 2011-02-20 )))))))))))))))))))))))))))))))
.

2011-02-17 23:52 . 2011-02-17 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-02-17 23:52 . 2011-02-17 23:52 -------- d-----w- c:\program files\IObit
2011-02-16 02:51 . 2011-02-19 23:24 -------- d-----w- c:\documents and settings\n
2011-02-15 01:24 . 2011-02-15 01:24 -------- d-----w- c:\documents and settings\New
2011-02-09 23:39 . 2011-02-09 23:39 -------- d-----w- c:\documents and settings\Administrator.JOSHUA-AYWVAIN4
2011-02-08 23:58 . 2011-02-08 23:58 -------- d-----w- c:\program files\temp
2011-02-08 02:29 . 2011-02-08 02:29 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 00:29 . 2008-09-16 16:03 1742176 ----a-w- c:\program files\PhotoshopElementsSyncAgent.exe
2009-04-23 00:29 . 2008-09-16 16:05 1459552 ----a-w- c:\program files\ems.dll
2008-09-16 16:07 . 2008-09-16 16:07 537952 ----a-w- c:\program files\ScCore.dll
2008-09-16 16:06 . 2008-09-16 16:06 12289376 ----a-w- c:\program files\AdobePSL.dll
2008-09-16 16:06 . 2008-09-16 16:06 34144 ----a-w- c:\program files\asneu.dll
2008-09-16 16:06 . 2008-09-16 16:06 318304 ----a-w- c:\program files\ARE.dll
2008-09-16 16:06 . 2008-09-16 16:06 3077472 ----a-w- c:\program files\AdobeLinguistic.dll
2008-09-16 16:06 . 2008-09-16 16:06 2585952 ----a-w- c:\program files\AdobeLMOrg_libFNP.dll
2008-09-16 16:06 . 2008-09-16 16:06 2585952 ----a-w- c:\program files\AdobeLMLnhr_libFNP.dll
2008-09-16 16:06 . 2008-09-16 16:06 2807136 ----a-w- c:\program files\AdobeLM.dll
2008-09-16 16:06 . 2008-09-16 16:06 2585952 ----a-w- c:\program files\AdobeLMEdit_libFNP.dll
2008-09-16 16:06 . 2008-09-16 16:06 2585952 ----a-w- c:\program files\AdobeLM_libFNP.dll
2008-09-16 16:06 . 2008-09-16 16:06 603488 ----a-w- c:\program files\registration.dll
2008-09-16 16:06 . 2008-09-16 16:06 2078048 ----a-w- c:\program files\PSViews.dll
2008-09-16 16:05 . 2008-09-16 16:05 124256 ----a-w- c:\program files\pspluginsupport.dll
2008-09-16 16:05 . 2008-09-16 16:05 521568 ----a-w- c:\program files\PseProxy.exe
2008-09-16 16:05 . 2008-09-16 16:05 1857376 ----a-w- c:\program files\psecontact.dll
2008-09-16 16:05 . 2008-09-16 16:05 4699488 ----a-w- c:\program files\PSArt.dll
2008-09-16 16:05 . 2008-09-16 16:05 152928 ----a-w- c:\program files\platform.DLL
2008-09-16 16:05 . 2008-09-16 16:05 4724064 ----a-w- c:\program files\PhotoDownloader.exe
2008-09-16 16:05 . 2008-09-16 16:05 226656 ----a-w- c:\program files\pdfsettings.dll
2008-09-16 16:05 . 2008-09-16 16:05 3803488 ----a-w- c:\program files\MPS.dll
2008-09-16 16:05 . 2008-09-16 16:05 664928 ----a-w- c:\program files\JP2KLib.dll
2008-09-16 16:05 . 2008-09-16 16:05 62816 ----a-w- c:\program files\ingestionfileinfo.dll
2008-09-16 16:05 . 2008-09-16 16:05 652640 ----a-w- c:\program files\FileInfo.dll
2008-09-16 16:05 . 2008-09-16 16:05 673120 ----a-w- c:\program files\ExtendScript.dll
2008-09-16 16:05 . 2008-09-16 16:05 35680 ----a-w- c:\program files\DiscWriter.dll
2008-09-16 16:05 . 2008-09-16 16:05 2585952 ----a-w- c:\program files\CoolType.dll
2008-09-16 16:05 . 2008-09-16 16:05 1344864 ----a-w- c:\program files\catalogtool.exe
2008-09-16 16:05 . 2008-09-16 16:05 79200 ----a-w- c:\program files\OperaMgr.dll
2008-09-16 16:04 . 2008-09-16 16:04 148832 ----a-w- c:\program files\pdf2img.dll
2008-09-16 16:04 . 2008-09-16 16:04 83296 ----a-w- c:\program files\PdfPres.dll
2008-09-16 16:04 . 2008-09-16 16:04 248672 ----a-w- c:\program files\BIBUtils.dll
2008-09-16 16:04 . 2008-09-16 16:04 281952 ----a-w- c:\program files\Bib.dll
2008-09-16 16:04 . 2008-09-16 16:04 601952 ----a-w- c:\program files\AXSLE.dll
2008-09-16 16:04 . 2008-09-16 16:04 673632 ----a-w- c:\program files\AXEDOMCore.dll
2008-09-16 16:04 . 2008-09-16 16:04 173408 ----a-w- c:\program files\AXE8SharedExpat.dll
2008-09-16 16:04 . 2008-09-16 16:04 173920 ----a-w- c:\program files\AXE16SharedExpat.dll
2008-09-16 16:04 . 2008-09-16 16:04 21554528 ----a-w- c:\program files\AuthorScript.dll
2008-09-16 16:04 . 2008-09-16 16:04 116064 ----a-w- c:\program files\APDPreferences.dll
2008-09-16 16:04 . 2008-09-16 16:04 16224 ----a-w- c:\program files\apdhook.dll
2008-09-16 16:04 . 2008-09-16 16:04 136544 ----a-w- c:\program files\apdboot.dll
2008-09-16 16:04 . 2008-09-16 16:04 47456 ----a-w- c:\program files\ahclient.dll
2008-09-16 16:04 . 2008-09-16 16:04 3205472 ----a-w- c:\program files\AGM.dll
2008-09-16 16:04 . 2008-09-16 16:04 355168 ----a-w- c:\program files\adobe_personalization.dll
2008-09-16 16:04 . 2008-09-16 16:04 365408 ----a-w- c:\program files\adobe_eula.dll
2008-09-16 16:03 . 2008-09-16 16:03 470368 ----a-w- c:\program files\adobe_epic.dll
2008-09-16 16:03 . 2008-09-16 16:03 220000 ----a-w- c:\program files\adobe_caps.dll
2008-09-16 16:03 . 2008-09-16 16:03 515936 ----a-w- c:\program files\AdobeUpdater.dll
2008-09-16 16:03 . 2008-09-16 16:03 4658528 ----a-w- c:\program files\AdobePDFL.dll
2008-09-16 16:03 . 2008-09-16 16:03 890208 ----a-w- c:\program files\AdobeOwl.dll
2008-09-16 16:03 . 2008-09-16 16:03 1025376 ----a-w- c:\program files\AdobeOLS.dll
2008-09-16 16:03 . 2008-09-16 16:03 2954592 ----a-w- c:\program files\AdobePhotoshopElementsMediaServer.exe
2008-09-16 16:03 . 2008-09-16 16:03 860512 ----a-w- c:\program files\ACE.dll
2008-09-16 16:03 . 2008-09-16 16:03 32331104 ----a-w- c:\program files\PhotoshopElementsOrganizer.exe
2008-09-16 16:03 . 2008-09-16 16:03 41878880 ----a-w- c:\program files\PhotoshopElementsEditor.exe
2008-09-16 16:03 . 2008-09-16 16:03 169312 ----a-w- c:\program files\PhotoshopElementsFileAgent.exe
2008-09-16 16:03 . 2008-09-16 16:03 2942304 ----a-w- c:\program files\Photoshop Elements 7.0.exe
2008-09-16 16:03 . 2008-09-16 16:03 2245984 ----a-w- c:\program files\Photoshop.dll
2008-09-16 16:00 . 2008-09-16 16:00 98304 ----a-w- c:\program files\sonicmpgcap32.dll
2008-09-16 16:00 . 2008-09-16 16:00 925696 ----a-w- c:\program files\sonicmpgvout.004
2008-09-16 16:00 . 2008-09-16 16:00 923648 ----a-w- c:\program files\sonicmpgvout.003
2008-09-16 16:00 . 2008-09-16 16:00 923648 ----a-w- c:\program files\sonicmpgvout.002
2008-09-16 16:00 . 2008-09-16 16:00 914432 ----a-w- c:\program files\sonicmpgvout.001
2008-09-16 16:00 . 2008-09-16 16:00 745472 ----a-w- c:\program files\stlport_icl8046.dll
2008-09-16 16:00 . 2008-09-16 16:00 518656 ----a-w- c:\program files\sonicmcmpgdec.dll
2008-09-16 16:00 . 2008-09-16 16:00 41984 ----a-w- c:\program files\Plugin.dll
2008-09-16 16:00 . 2008-09-16 16:00 332800 ----a-w- c:\program files\SonicMCDVD_32.DLL
2008-09-16 16:00 . 2008-09-16 16:00 278528 ----a-w- c:\program files\sonicmpgaout.dll
2008-09-16 16:00 . 2008-09-16 16:00 24576 ----a-w- c:\program files\sonicpcmaout.dll
2008-09-16 16:00 . 2008-09-16 16:00 24576 ----a-w- c:\program files\sonicmpgcheck.dll
2008-09-16 16:00 . 2008-09-16 16:00 233472 ----a-w- c:\program files\sonicmpegin.dll
2008-09-16 16:00 . 2008-09-16 16:00 187128 ----a-w- c:\program files\primosdk.DLL
2008-09-16 16:00 . 2008-09-16 16:00 14848 ----a-w- c:\program files\sonicmpgvout.dll
2008-09-16 16:00 . 2008-09-16 16:00 102400 ----a-w- c:\program files\sonicmpgmux.dll
2008-09-16 16:00 . 2008-09-16 16:00 944584 ----a-w- c:\program files\FNP_Act_Installer.dll
2008-09-16 16:00 . 2008-09-16 16:00 499712 ----a-w- c:\program files\MSVCP71.dll
2008-09-16 16:00 . 2008-09-16 16:00 348160 ----a-w- c:\program files\MSVCR71.dll
2008-09-16 16:00 . 2008-09-16 16:00 217088 ----a-w- c:\program files\MainConceptMPADecoder.dll
2008-09-16 16:00 . 2008-09-16 16:00 217032 ----a-w- c:\program files\FnpCommsSoap.dll
2008-09-16 16:00 . 2008-09-16 16:00 1712128 ----a-w- c:\program files\GdiPlus.dll
2008-09-16 16:00 . 2008-09-16 16:00 7506708 ----a-w- c:\program files\Detector2.bin
2008-09-16 16:00 . 2008-09-16 16:00 7420248 ----a-w- c:\program files\Detector1.bin
2008-09-16 16:00 . 2008-09-16 16:00 389120 ----a-w- c:\program files\EPPIM2.DLL
2008-09-16 16:00 . 2008-09-16 16:00 303104 ----a-w- c:\program files\EpJpegUtil31.dll
2008-09-16 16:00 . 2008-09-16 16:00 241664 ----a-w- c:\program files\EpTiffUtil31.dll
2008-09-16 16:00 . 2008-09-16 16:00 2178560 ----a-w- c:\program files\EspionAlbum.dll
2009-09-15 22:56 . 2009-09-15 22:56 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-09-15 22:56 . 2009-09-15 22:56 185232 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-09-15 22:57 . 2009-09-15 22:57 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-09-15 22:57 . 2009-09-15 22:57 99216 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2010-10-14 03:28 . 2010-04-30 03:21 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-05-21 4608]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 610304]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 335872]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-07-17 184412]
"Display Settings"="c:\program files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 45056]
"QT4HPOT"="c:\program files\HPQ\One-Touch\OneTouch.EXE" [2003-10-03 102400]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2004-09-15 24576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-11-22 1193848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-22 805392]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= "c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL" [2006-11-07 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
2007-08-01 14:28 176128 ----a-w- c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 17:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/29/2010 10:20 PM 84072]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/29/2010 10:20 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/29/2010 10:21 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/29/2010 10:20 PM 141792]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [7/16/2003 7:01 PM 28280]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/29/2010 10:20 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/29/2010 10:20 PM 88544]
S0 bcnqrvr;bcnqrvr;c:\windows\system32\drivers\mchmvt.sys --> c:\windows\system32\drivers\mchmvt.sys [?]
S1 SABDIFSV;SABDIFSV;c:\program files\SuperAdBlocker.com\Super Ad Blocker\sabdifsv.sys [9/21/2005 11:17 AM 5632]
S1 SABKUTIL;SABKUTIL;c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.SYS [2/20/2007 4:02 PM 32256]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 12:53 PM 5632]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 11:39 AM 51440]
S2 0303171296518922mcinstcleanup;McAfee Application Installer Cleanup (0303171296518922);c:\windows\TEMP\030317~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\030317~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 AM 169312]
S2 GemSAFE Card Server;GemSAFE Card Server;c:\program files\Gemplus\GemSafe Libraries\BIN\GCardSrvNT.exe [1/20/2006 5:15 PM 118784]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/27/2010 5:37 AM 135664]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/7/2009 8:00 AM 88176]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/29/2010 10:20 PM 271480]
S3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [5/25/2007 5:56 PM 291328]
S3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [5/25/2007 5:56 PM 244608]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/29/2010 10:20 PM 55840]
S3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [9/15/2008 7:26 PM 61776]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/29/2010 10:20 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/29/2010 10:20 PM 84264]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2011-02-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2011-02-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-25 06:20]

2011-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-27 10:37]

2011-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-27 10:37]

2011-02-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1580436667-854245398-1004Core.job
- c:\documents and settings\Joshua Capshaw\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-17 23:02]

2011-02-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1580436667-854245398-1004UA.job
- c:\documents and settings\Joshua Capshaw\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-17 23:02]

2011-02-19 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-03-29 11:29]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {63F5866B-A7C5-40B4-9A89-0CCA99726C8D} - hxxps://secure.logmeinrescue.com/Customer/x86/RescueDownloader.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-20 10:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ?deB???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{29D83109-D499-A3EF-54ABD4209B2D5F0C}\{354D4B2F-7299-D6B0-F9DE68C9556AEC8D}\{1096A586-413B-60D3-8347C002DC18071C}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{90C9B227-00E9-ED2B-D8335C00663422E2}\{BA143829-6513-6AB3-17B76E63BBBF825B}\{B7811D8F-B091-6828-D848878685722533}*]
"U3XM4AYTSR34Y12YLPZLRGWTOF1"=hex:01,00,01,00,00,00,00,00,46,86,fc,bc,3e,f2,83,
4a,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E20DD46F-0CC4-5960-1B1F69E13D145F9C}\{B130274E-D0E8-282B-E7F07B1EE1210709}\{71D795F0-66AF-00D6-EF71DCAC5CDD95C3}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,a5,0c,02,
86,b3,e2,fc,ad,2c,13,21,4a,2b,9a,03,32,f5,62,73,d1,00,4d,6b,67,c8,a6,d0,02,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1188)
c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\l3codeca.acm
.
Completion time: 2011-02-20 10:32:36
ComboFix-quarantined-files.txt 2011-02-20 15:32
ComboFix2.txt 2007-11-17 13:28

Pre-Run: 14,559,059,968 bytes free
Post-Run: 14,777,147,392 bytes free

- - End Of File - - 9C1C832A3B465C2F5E2DE090EF9A7069
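
The log above contains several entries that an incident responder would pull out before anything else: a boot-start driver whose binary ComboFix could not find on disk (the `S0 bcnqrvr ... --> ... [?]` line), a service launched from `c:\windows\TEMP`, Security Center monitoring switched off for the installed antivirus and firewall, and 3389/TCP (the Remote Desktop port) opened in the Windows Firewall for every program. The script below is an added example, not part of the original thread and not ComboFix's own logic: it parses those ComboFix line formats and flags such entries. The sample input is constructed from lines copied out of the log, and the flagging rules (the `Finding` class, `triage()`, the `[?]` and TEMP-path heuristics, the severity labels) are editorial assumptions about what deserves a second look, not a statement that any particular entry is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/29/2010 10:20 PM 84072]
S0 bcnqrvr;bcnqrvr;c:\windows\system32\drivers\mchmvt.sys --> c:\windows\system32\drivers\mchmvt.sys [?]
S2 0303171296518922mcinstcleanup;McAfee Application Installer Cleanup (0303171296518922);c:\windows\TEMP\030317~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\030317~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/29/2010 10:20 PM 55840]
"""

# ComboFix service line: "<R|S><start type> <name>;<display name>;<image path> [...]"
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*)$")
# A registry key header, e.g. "[HKEY_LOCAL_MACHINE\...]"
KEY_RE = re.compile(r"^\[(.+)\]$")
# A registry value line, e.g. '"DisableMonitoring"=dword:00000001'
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


@dataclass
class Finding:
    item: str      # service name, registry key or value name
    reason: str
    severity: str  # "high" or "medium" (editorial assumption, not a ComboFix rating)


def triage(log_text: str) -> list:
    """Return the entries of a ComboFix 'Reg Loading Points' dump worth a closer look."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1).lower()
            continue

        svc = SERVICE_RE.match(line)
        if svc:
            _state, start_type, name, _display, image = svc.groups()
            # ComboFix prints "--> <path> [?]" when it cannot find the image file.
            if image.endswith("[?]"):
                # Start type 0 is a boot-start driver: it loads before the AV does.
                sev = "high" if start_type == "0" else "medium"
                findings.append(Finding(name, "service binary not found on disk", sev))
            if "\\temp\\" in image.lower():
                findings.append(Finding(name, "service binary lives under a TEMP directory", "medium"))
            continue

        val = VALUE_RE.match(line)
        if val and current_key:
            vname, vdata = val.groups()
            if ("security center\\monitoring" in current_key
                    and vname.lower() == "disablemonitoring"
                    and vdata.lower().endswith("00000001")):
                findings.append(Finding(current_key, "Security Center monitoring disabled", "medium"))
            elif current_key.endswith("globallyopenports\\list"):
                findings.append(Finding(vname, "port opened in Windows Firewall for all programs", "medium"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.severity:6}] {f.item}: {f.reason}")
```

Run it on a saved ComboFix.txt with `triage(open(path).read())`. A flagged entry is a starting point for checking the file's hash, signature and vendor, not a verdict: the McAfee installer cleanup service is flagged twice (TEMP path and missing binary) even though it is most likely a leftover of an installer run, which is exactly the kind of candidate a heuristic hands over for manual confirmation.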
 


TSF Security Manager, Emeritus:
Hi,

ComboFix is not that type of tool. It will not ask you what areas you want to scan.

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.
 


Discussion Starter (Registered), post #9:
2011-02-20 15:26:28 . 2011-02-21 01:22:36 9,223 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-02-19 23:13:46 . 2011-02-19 23:13:46 512 ----a-w- C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2009-03-29 13:21:55 . 2009-03-29 14:18:12 86 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Joshua Capshaw\System\win_qs8.jqx.vir
2008-09-16 16:00:08 . 2008-09-16 16:00:08 22,800 ----a-w- C:\Qoobox\Quarantine\C\Program Files\shfolder.dll.vir
2007-09-27 21:50:31 . 2011-02-21 01:12:34 691 ----a-w- C:\Qoobox\Quarantine\catchme.log
2007-09-27 21:49:52 . 2007-09-27 21:49:52 2,242 ----a-w- C:\Qoobox\Quarantine\Registry_backups\services_ApiMon.reg.dat
2007-09-27 21:49:51 . 2007-09-27 21:49:51 846 ----a-w- C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.dat
2007-09-26 21:35:56 . 2007-07-09 01:23:08 15,399 ----a-w- C:\Qoobox\Quarantine\C\ComboFix\FProps.vbs.vir
2007-09-26 21:30:10 . 2007-10-25 21:39:36 694,381 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\pxfbpfbt.ini.vir
2007-09-25 21:09:21 . 2007-09-26 21:19:17 693,601 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\tcyqavba.ini.vir
2007-09-22 20:03:22 . 2007-09-25 20:50:47 693,481 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\atdiqvpg.ini.vir
2007-09-19 21:32:38 . 2007-09-27 21:49:56 7,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mnpoq.ini2.vir
2007-09-15 20:03:59 . 2007-09-15 20:49:32 693,803 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\gniqafrs.ini.vir
2007-09-15 18:07:38 . 2007-09-15 19:58:17 693,725 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\puhimatn.ini.vir
2007-09-15 17:56:22 . 2007-09-15 18:02:01 693,545 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dyebixur.ini.vir
2007-09-15 13:51:50 . 2007-09-15 13:52:08 694,024 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\qdccqdwq.ini.vir
2007-09-14 21:09:07 . 2007-09-15 13:47:15 693,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\lbkegsuc.ini.vir
2007-09-13 22:35:25 . 2007-09-14 21:03:22 693,844 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\bfdxgpwa.ini.vir
2007-09-12 22:32:21 . 2007-09-13 22:32:52 693,715 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\xfjtplvt.ini.vir
2007-09-10 22:24:25 . 2007-09-12 22:25:06 693,656 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wyfivkhg.ini.vir
2007-09-10 21:11:00 . 2007-10-25 21:39:45 2,082 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2007-09-10 21:10:46 . 2007-09-10 22:21:02 693,545 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\pdhpivvp.ini.vir
2007-09-10 21:05:34 . 2007-09-26 21:22:47 2,102,642 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mnpoq.bak2.vir
2007-09-09 21:33:32 . 2007-09-09 21:32:11 7,884 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mnpoq.ini.vir
2007-09-09 21:22:11 . 2007-09-09 21:26:41 7,884 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mnpoq.tmp.vir
2007-09-09 21:04:29 . 2007-09-26 21:42:06 2,898 ----a-w- C:\Qoobox\Quarantine\C\check_LSA7.txt.vir
2007-09-09 20:52:32 . 2007-09-09 20:52:32 105 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Joshua Capshaw\Application Data\WinAntiSpyware 2007 Free\DownloadUWAS7.url.vir
2007-09-09 20:44:25 . 2007-09-13 22:29:37 2,008,150 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mnpoq.bak1.vir
2007-09-09 20:41:29 . 2007-09-09 20:41:31 244,832 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\qopnm.dll.vir
2007-09-09 20:41:28 . 2007-09-09 20:41:28 5 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr.vir
2007-09-09 20:41:28 . 2007-09-09 20:41:28 20 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode.vir
2007-09-09 20:36:44 . 2007-09-09 21:01:02 14 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt.vir
2007-09-09 20:36:44 . 2007-09-09 21:01:02 868 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\NetMon\log.txt.vir
2007-09-09 20:36:35 . 2007-09-09 20:40:06 930 ----a-w- C:\Qoobox\Quarantine\C\Temp\fse\tmpZTF.log.vir
2007-04-24 16:21:00 . 2007-04-24 16:21:00 9,248 ----a-w- C:\Qoobox\Quarantine\C\Temp\1cb\syscheck.log.vir
 


TSF Security Manager, Emeritus:
OK, good. How is the machine behaving now?

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 24 and save it to your desktop.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.

    Java(TM) 6 Update 4
    Java(TM) 6 Update 7

  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked

      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.


Please download Malwarebytes' Anti-Malware to your desktop.


  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

---------------------------------------------------------------------------------------------
 


Discussion Starter (Registered), post #11:
OK, I did everything just as you instructed. I still cannot get on the internet. When I open IE it tries to open a webpage and then just closes out. I have been using a flash drive to transfer files and posting on this site from another computer. Here is the Malwarebytes log file.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5844
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
2/22/2011 6:46:08 PM
mbam-log-2011-02-22 (18-46-08).txt
Scan type: Quick scan
Objects scanned: 258528
Time elapsed: 25 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
 


TSF Security Manager, Emeritus:
I'm not really seeing a cause for that. Does IE work in Safe Mode with Networking?

Can you use an alternative browser such as Firefox or Opera?

===============

Download TDSSKiller.exe to your desktop
http://support.kaspersky.com/downloads/utils/tdsskiller.exe
Execute TDSSKiller.exe by double-clicking on it
Press Start Scan

If Malicious objects are found, ensure Cure is selected (it should be by default)
Click Continue then click Reboot now
Once complete, a log will be produced at the root drive which is typically C:\

For example, C:\TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
Attach that log, please.
 


Discussion Starter (Registered), post #13:
OK, I downloaded Firefox and installed it on my machine and it works fine. Thanks so much for your help tetonbob!!!!! I really appreciate it. Are there any virus/malware programs you suggest I run on a regular basis?
 


TSF Security Manager, Emeritus:
Hi Josh,

OK, that suggests an issue with the current installation of IE7. Let's first try resetting it to defaults.

Reset Settings in Internet Explorer 7

Reset Internet Explorer Settings - IEBlog - Site Home - MSDN Blogs

See if IE works now.

Eventually, we should update it to IE8 as IE8 is more secure.

I'll have answers to your other questions as we continue, Let's see about IE right now.
 


Discussion Starter (Registered), post #15:
OK, I tried to reset but I don't have any of the options at the top, just the Google toolbar. There are no File, Tools etc. drop-down menus. Should I just uninstall and install IE 8? It doesn't really matter to me because Firefox is the main browser that I use.
 


TSF Security Manager, Emeritus:
If you don't have the Menu bar showing, there should be a tools icon over on the right. You can access Internet Options from Control Panel also.

Try that first. If still no joy, just install IE8 over the top.

Internet Explorer 8: Worldwide sites

Let me know how that goes.
 
