
· Registered · 354 Posts
This netbook had a fake antivirus program launching from an AV8 folder out of program files with a randomized exe running from a local settings temp folder. The original infection was likely due to one or more of 4 java classes later found and deleted by Avast in the java cache. They had pretty blatantly obvious names like attackkit or something to that effect too lol.

I deleted both the AV8 folder and its contents and that temp folder manually in safe mode and removed their startup entries. The computer was still incredibly slow and hanging indefinitely on shutdown from non-safe mode.

So I ran combofix from safe mode since I suspected this was especially vicious yet pretty common. Yep, it detected that the MBR was infected and rootkit activity as well and decided to restart automatically. Before it could properly shut down, it blue screened and instantly rebooted. I hit F8 and booted in safe mode again using the same account but combofix didn't automatically execute.

So I ran it again manually and it started scanning normally and found quite a few randomized and hidden files in various locations like just the windows folder and C drive and elsewhere. It also took out some dumb side program called whitesmoke translator or something like that but it seemed like random adware.

Combofix rebooted then booted into regular, non-safe mode cuz I didn't catch it in time but did auto-execute and run the Find3m scan and generate a log file. The log looked pretty clean so I rebooted and it still hangs on the login screen at which it should auto-log in (single user) for about 2 minutes. I rebooted and chose the recovery console and ran MBR fix in case combofix did in fact blue screen before repairing the MBR. It said it was indeed abnormal so I let it regenerate a new one.


Now it still hangs on login and indefinitely while shutting down. Avast's tray icon never shows up properly until I open the actual program itself and it's not in "gaming mode" where it hides it purposely so right now I have it temporarily uninstalled. I haven't rebooted yet though. So just now I ran DDS and attached the logs to this post. There's just a few lines I can't identify or decipher in there but otherwise it looks clean. Was the hanging likely due to damage to Avast?

Btw I'd post the original combofix log but I ran it one more time just to be sure and apparently its default action is to overwrite its own log now with the newest one :( But also included is the latest combofix log which resulted in no deletions.


DDS (Ver_10-03-17.01) - NTFSx86
Run by golferbad7 at 9:27:23.54 on Tue 03/29/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.597 [GMT -10:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\golferbad7\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [InstallIQUpdater] "c:\program files\w3i\installiqupdater\InstallIQUpdater.exe" /silent /autorun
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10k_ActiveX.exe -update activex
StartupFolder: c:\docume~1\golfer~1\startm~1\programs\startup\EPSONA~1.LNK -
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2011-1-1 143840]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [2009-3-6 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [2009-7-7 272256]
RUnknown aswFsBlk;aswFsBlk; [x]
RUnknown aswSnx;aswSnx; [x]
RUnknown aswSP;aswSP; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-30 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-9-20 1691480]
S3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [2009-5-28 134144]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-10-3 11520]

=============== Created Last 30 ================

2011-03-29 18:46:03 0 d--h--w- c:\windows\PIF
2011-03-29 17:47:57 0 d-sha-r- C:\cmdcons
2011-03-29 17:41:19 98816 ----a-w- c:\windows\sed.exe
2011-03-29 17:41:19 89088 ----a-w- c:\windows\MBR.exe
2011-03-29 17:41:19 256512 ----a-w- c:\windows\PEV.exe
2011-03-29 17:41:19 161792 ----a-w- c:\windows\SWREG.exe
2011-03-29 16:01:28 73728 ----a-w- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2011-03-29 16:01:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-16 23:22:34 319488 ----a-w- c:\windows\HideWin.exe

============= FINISH: 9:28:00.42 ===============
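A small triage pass over the DDS log format above, added here as an example (it is not a DDS or forum tool). It flags the three things a reviewer checks first in a log like this: processes or autostart entries running from a user-writable temp folder (where the fake AV's randomized exe lived), bare-filename Run entries that are resolved via the search path, and services still registered after their driver file is gone, which is how the `[x]` mark on the three `asw*` Avast drivers is read here (that reading of `[x]` is an assumption). The sample log is a constructed excerpt; the `kd83jf.exe` entries are made up to stand in for the already-deleted fake AV.

```python
import re

# Constructed DDS excerpt in the format of the log posted above. The kd83jf.exe
# lines are made up (the real randomized exe was deleted before DDS ran); the
# remaining lines are copied from the posted log.
SAMPLE_DDS = """\
============== Running Processes ===============

C:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch
C:\\Documents and Settings\\golferbad7\\Local Settings\\Temp\\kd83jf.exe
C:\\Documents and Settings\\golferbad7\\Desktop\\dds.scr

============== Pseudo HJT Report ===============

uRun: [InstallIQUpdater] "c:\\program files\\w3i\\installiqupdater\\InstallIQUpdater.exe" /silent /autorun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SynTPEnh] %ProgramFiles%\\Synaptics\\SynTP\\SynTPEnh.exe
uRun: [kd83jf] c:\\docume~1\\golfer~1\\locals~1\\temp\\kd83jf.exe

============= SERVICES / DRIVERS ===============

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\\windows\\system32\\drivers\\CtClsFlt.sys [2011-1-1 143840]
RUnknown aswFsBlk;aswFsBlk; [x]
RUnknown aswSP;aswSP; [x]
S2 gupdate;Google Update Service (gupdate);c:\\program files\\google\\update\\GoogleUpdate.exe [2010-11-30 136176]
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
RUN_RE = re.compile(r"^([umd]Run(?:Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SVC_RE = re.compile(r"^(?P<state>R\d|S\d|RUnknown|SUnknown)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")

# Directories a user-writable dropper typically lives in; an autostart entry or a
# running process under one of these deserves a look regardless of its name.
USER_WRITABLE = ("\\local settings\\temp\\", "\\temp\\", "\\application data\\", "\\appdata\\")


def _image_path(cmd):
    """Return the executable part of a Run command: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_dds(text):
    """Walk a DDS log section by section and return (section, severity, line, reason) findings."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Running Processes":
            if any(d in line.lower() for d in USER_WRITABLE):
                findings.append((section, "high", line, "process image in user-writable temp/profile dir"))
        elif section == "Pseudo HJT Report":
            m = RUN_RE.match(line)
            if not m:
                continue
            path = _image_path(m.group("cmd"))
            if any(d in path.lower() for d in USER_WRITABLE):
                findings.append((section, "high", line, "autostart from user-writable temp/profile dir"))
            elif "\\" not in path and not path.startswith("%"):
                findings.append((section, "info", line, "bare filename, resolved via search path"))
        elif section == "SERVICES / DRIVERS":
            m = SVC_RE.match(line)
            if not m:
                continue
            # Assumption: DDS prints "[x]" in place of the date/size when the image file is absent.
            if m.group("rest").strip().endswith("[x]"):
                findings.append((section, "medium", line,
                                 f"{m.group('state')} service registered but image missing"))
    return findings


if __name__ == "__main__":
    for section, severity, line, reason in triage_dds(SAMPLE_DDS):
        print(f"[{severity:6}] {section}: {reason}\n         {line}")
```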
 


· TSF Security Manager, Emeritus · 42,952 Posts
Hello desolator144,

Now you have an idea of why we advise the following :wink:

While you may have used ComboFix many times yourself, and see it being used quite often in the forums without incident, the tool should not be run unsupervised (as stated in the Disclaimer that is first displayed by ComboFix when you run the tool).

Going forward, I highly recommend you heed such instructions. As explained in Post 2 of our pre-posting topic...

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.
That being said, ComboFix does not overwrite the previous logs. Please attach the C:\Qoobox\ComboFix2.txt and the C:\Qoobox\ComboFix3.txt
 

· Registered · 354 Posts
Discussion Starter · #3
This computer is a minimal use computer and also not mine and almost nothing is stored on it so I decided if combofix fixed it, yay, otherwise I was going to reinstall XP anyway. And it seemed to be effective against other AV8 installs but of course this one functions differently grrr :(

Attached are the logs, #3 is the first one.
 


· TSF Security Manager, Emeritus · 42,952 Posts
Thanks. :)

When did you uninstall Avast? The reason I'm asking is because of the Event Viewer entries. Difficult to determine if Avast is part of those or not.

Also, let's sweep through the machine with MBAM. Download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop.
Note: Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.
 

· Registered · 354 Posts
Malwarebytes is scanning right now but may take a bit on this dual core atom. Avast decided to update from version 5 to 6 in the middle of all this virus chaos and then I uninstalled it, I think, after combofix scan #2 but before the original one. And it was before DDS was run I think.

Oh joy, it's done :-D luckily it found two objects of great concern sitting in the windows directory. It's my nemesis, koobface! I also told it to remove the traces it found of whitesmoke. Ignore the timestamp, this comp is on Hawaii time cuz it's my friend's comp and he's on vacation from the marines and back in town for the week :D

Malwarebytes' Anti-Malware 1.50.1.1100
Malwarebytes

Database version: 6218

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/30/2011 7:22:12 AM
mbam-log-2011-03-30 (07-22-12).txt

Scan type: Quick scan
Objects scanned: 149350
Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{0D82ACD6-A652-4496-A298-2BDE705F4227} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7025E484-D4B0-441a-9F0B-69063BD679CE} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{8258B35C-05B8-4c0e-9525-9BCCC70F8F2D} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{A89256AD-EC17-4a83-BEF5-4B8BC4F39306} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\WhiteSmokeTranslator (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\installshield installation information\{1adb7bf5-f8eb-4f76-98fd-65a7ffbeaece} (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\bk20856.dat (KoobFace.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\fs1235.dat (KoobFace.Trace) -> Quarantined and deleted successfully.
c:\program files\installshield installation information\{1adb7bf5-f8eb-4f76-98fd-65a7ffbeaece}\0x0409.ini (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\program files\installshield installation information\{1adb7bf5-f8eb-4f76-98fd-65a7ffbeaece}\data1.cab (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\program files\installshield installation information\{1adb7bf5-f8eb-4f76-98fd-65a7ffbeaece}\data1.hdr (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\program files\installshield installation information\{1adb7bf5-f8eb-4f76-98fd-65a7ffbeaece}\layout.bin (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\program files\installshield installation information\{1adb7bf5-f8eb-4f76-98fd-65a7ffbeaece}\setup.ilg (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\program files\installshield installation information\{1adb7bf5-f8eb-4f76-98fd-65a7ffbeaece}\setup.ini (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\program files\installshield installation information\{1adb7bf5-f8eb-4f76-98fd-65a7ffbeaece}\setup.inx (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
 


· TSF Security Manager, Emeritus · 42,952 Posts
Open notepad and copy/paste the text in the code box below into it:

Code:
<pre>
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8087:TCP"=-
</pre>

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, post the C:\ComboFix.txt - please don't attach logs unless requested, it's easiest for me to see the progress or lack thereof, all in front of me in the thread. :wink:
 

· Registered · 354 Posts
Discussion Starter · #8
alright, below is the new log. Interesting choice of deletions :4-dontkno


ComboFix 11-03-29.06 - golferbad7 03/30/2011 10:49:15.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.605 [GMT -10:00]
Running from: c:\documents and settings\golferbad7\Desktop\combofix and recov\ComboFix.exe
Command switches used :: c:\documents and settings\golferbad7\Desktop\combofix and recov\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\golferbad7\Desktop\Internet Explorer.lnk
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-30 )))))))))))))))))))))))))))))))
.
.
2011-03-30 17:05 . 2011-03-30 17:05 -------- d-----w- c:\documents and settings\golferbad7\Application Data\Malwarebytes
2011-03-30 17:04 . 2011-03-30 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-30 17:04 . 2010-12-21 04:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-30 17:04 . 2011-03-30 17:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-30 17:04 . 2010-12-21 04:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-29 18:46 . 2011-03-29 18:46 -------- d--h--w- c:\windows\PIF
2011-03-29 16:01 . 2011-03-29 16:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-29 15:39 . 2011-03-29 15:39 -------- d-----w- c:\documents and settings\Administrator
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-29 16:01 . 2010-09-20 20:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2010-09-20 19:08 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-09-20 19:08 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-16 23:22 . 2011-01-16 23:22 319488 ----a-w- c:\windows\HideWin.exe
2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-02 04:33 . 2011-01-02 04:33 45056 ----a-r- c:\documents and settings\golferbad7\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
.
Code:
<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr .exe
c:\program files\MSN Toolbar\Platform\5.0.1423.0\mswinext .exe
c:\program files\QuickTime\qttask .exe
c:\windows\OA012Mon .exe
</pre>
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-10-12 14940040]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-08 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-08 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-08 137752]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"RTHDCPL"="RTHDCPL.EXE" [2010-11-03 19580520]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"SynTPEnh"="%ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe" [N/A]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-30 249064]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool10\\ENEasyApp.exe"=
.
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [1/1/2011 6:22 PM 143840]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [3/6/2009 7:30 AM 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [7/7/2009 5:03 PM 272256]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/30/2010 6:53 PM 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/20/2010 9:46 AM 1691480]
S3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [5/28/2009 2:48 AM 134144]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [10/3/2010 2:32 PM 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2010-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:50]
.
2011-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-01 04:53]
.
2011-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-01 04:53]
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-03-30 10:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,73,12,07,ea,0a,35,85,47,b7,a5,27,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,96,f8,ea,5a,22,50,4b,8f,58,0d,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-30 10:55:09
ComboFix-quarantined-files.txt 2011-03-30 20:55
ComboFix2.txt 2011-03-29 19:01
.
Pre-Run: 124,769,665,024 bytes free
Post-Run: 124,747,419,648 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - B9A4DDB85BFCFDDBC03FC118A8467311
 

· TSF Security Manager, Emeritus · 42,952 Posts
I take it the machine still is slow to load and hangs at shutdown?

If so, then I think it would be prudent to run an online scan at ESET and see if it detects any other remnants lurking about. Please go to here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
 

· Registered · 354 Posts
Discussion Starter · #10
just cuz it was installed, I ran Spybot in the meantime and it detected some registry modifications from stuff that was already removed. I'm running ESET right now too. I disabled the printer startup entries and some other legit stuff but that didn't solve the hanging problems either. I have to get this done pretty soon so if ESET doesn't detect anything new, I'll reinstall Avast and pre-boot scan with that as well then if it's still acting up, I'll image this hard drive to my storage drive for any future attempts but then reinstall Windows on it.
 

· TSF Security Manager, Emeritus · 42,952 Posts
Sounds like a good plan, desolator144.
 

· TSF Security Manager, Emeritus · 42,952 Posts
I feel for ya. :smile:

But you know as well as I, that troubleshooting OS issues can take forever and often proves unfruitful in the end. Reinstall is the quickest solution, no doubt. :sayyes:
 

· Registered · 354 Posts
Discussion Starter · #14
yeah, I always insult big computer repair shops that reinstall windows as the solution to just about anything and then I run into virus nightmares like this. Btw, as I was backing up his alleged "almost nothing" (14 GB of music) I looked at the system event log and exactly every 7 seconds for the entire list, there's sets of 3 red events with the source of "SideBySide." We're talking zero warning entries, zero random entries. 100% red critical entries in the entire system log lol. The 3 errors are:


Generate Activation Context failed for C:\WINDOWS\System32\bcmwltry.exe. Reference error message: The operation completed successfully.

Resolve Partial Assembly failed for Microsoft.VC80.MFC. Reference error message: The referenced assembly is not installed on your system.

Dependent Assembly Microsoft.VC80.MFC could not be found and Last Error was The referenced assembly is not installed on your system.

that bcm is the broadcom wireless utility from Dell which is basically mandatory and not easily disabled but I disabled it last time and made wireless zero take over instead because I hate wireless utilities and this one especially sucked but it ran great for months like that. I just temporarily uninstalled it now and will test the system more. As for the other 2, everyone on a google search references problems writing programs with Visual Studio which I'm quite familiar with as a programmer but finally someone suggested that if you get that error without visual studio installed, you should just reinstall visual C++. I looked at add/remove and something is definitely not right with what versions/updates related to that are currently installed. I'm going to wipe those out and reinstall 2008 SP1 and if that takes care of it. I'm starting to think it's virus-free and this is another problem. At least I may not have to reinstall.
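As an added example (not from the poster or from TSF), one way to quantify what the post above describes from an Event Viewer export: group the SideBySide errors into bursts, measure the interval between bursts, and pull out the missing assembly and the image that triggers it. The event lines are constructed to mirror the three errors quoted above at a 7-second cadence; the `date time,level,source,message` layout is an assumption, not the Event Viewer's native export format. A fixed cadence from a single image is what a process retrying a failed load looks like, which is consistent with the missing runtime dependency the thread settled on rather than with new malware activity.

```python
import re
from datetime import datetime
from statistics import median

# Constructed export: the three SideBySide errors quoted in the post, repeated
# every 7 seconds, plus one unrelated Information event. Not a real dump.
SXS_MESSAGES = (
    "Generate Activation Context failed for C:\\WINDOWS\\System32\\bcmwltry.exe. "
    "Reference error message: The operation completed successfully.",
    "Resolve Partial Assembly failed for Microsoft.VC80.MFC. "
    "Reference error message: The referenced assembly is not installed on your system.",
    "Dependent Assembly Microsoft.VC80.MFC could not be found and Last Error was "
    "The referenced assembly is not installed on your system.",
)
SAMPLE_EVENTS = "\n".join(
    f"2011-03-30 08:00:{7 * i:02d},Error,SideBySide,{msg}"
    for i in range(4)
    for msg in SXS_MESSAGES
) + "\n2011-03-30 08:00:15,Information,eventlog,The Event log service was started."

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<level>[^,]+),(?P<source>[^,]+),(?P<msg>.*)$"
)
ASSEMBLY_RE = re.compile(r"Dependent Assembly (\S+) could not be found")
IMAGE_RE = re.compile(r"Generate Activation Context failed for (.+?\.exe)")


def parse_events(text):
    """Parse the constructed CSV-style export into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def sxs_summary(events, burst_gap=1.0):
    """Group SideBySide errors into bursts and describe their cadence and cause."""
    errors = [e for e in events if e["source"] == "SideBySide" and e["level"] == "Error"]
    bursts = []  # consecutive errors no more than burst_gap seconds apart
    for e in errors:
        if bursts and (e["ts"] - bursts[-1][-1]["ts"]).total_seconds() <= burst_gap:
            bursts[-1].append(e)
        else:
            bursts.append([e])
    starts = [b[0]["ts"] for b in bursts]
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    missing, images = set(), set()
    for e in errors:
        m = ASSEMBLY_RE.search(e["msg"])
        if m:
            missing.add(m.group(1))
        m = IMAGE_RE.search(e["msg"])
        if m:
            images.add(m.group(1))
    return {
        "bursts": len(bursts),
        "burst_sizes": [len(b) for b in bursts],
        "period_seconds": median(gaps) if gaps else None,
        "missing_assemblies": missing,
        "images": images,
        "error_share": len(errors) / len(events) if events else 0.0,
    }


if __name__ == "__main__":
    summary = sxs_summary(parse_events(SAMPLE_EVENTS))
    for key, value in summary.items():
        print(f"{key}: {value}")
```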
 

· TSF Security Manager, Emeritus · 42,952 Posts
I had seen all those SidebySide errors as well, and came up with the same in my research as you had. Definitely worth a shot reinstalling 2008 SP1 and see how it goes.
 

· Registered · 354 Posts
Discussion Starter · #16
hmmm well, that didn't help :( after uninstalling basically every non-windows and non-crucial piece of software and running more various virus scans with still no luck, I finally figured it out. Since this spent almost all its time in Hawaii, clearly it came into contact with that cursed tiki man statue from the Brady Bunch and now it's cursed. So yeah, I'm about to torch the hard drive with DBAN to remove any potential MBR issues and reinstall.
 

· TSF Security Manager, Emeritus · 42,952 Posts
:laugh: Plausible, definitely a plausible explanation. :grin:

Best of luck to you. :wave:
 