Double Digit Window Explorer Windows Pop Up at Login

Post by portdawg » November 17th, 2010, 3:09 pm

I am experiencing 50+ Windows Explorer "My Documents" pop-ups at login. Please see below:

ComboFix 10-11-17.01 - Administrator 11/17/2010 12:43:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.354 [GMT -6:00]
Running from: c:\documents and settings\administrator\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\saundech\g2mdlhlpx.exe
c:\documents and settings\saundech\Start Menu\Programs\System Tool
c:\windows\system32\6to4v32.dll
c:\windows\system32\certstore.dat

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_SSHNAS
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2010-10-17 to 2010-11-17 )))))))))))))))))))))))))))))))
.

2010-11-12 20:10 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-12 20:10 . 2010-11-12 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-12 20:10 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-12 19:53 . 2010-11-15 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
2010-11-12 19:36 . 2010-11-12 19:36 -------- d-----w- c:\documents and settings\z
2010-11-12 15:37 . 2010-11-12 15:37 -------- d-----w- c:\documents and settings\administrator\Application Data\Malwarebytes
2010-11-12 15:36 . 2010-11-12 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-11 14:58 . 2010-11-11 14:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-11 08:12 . 2010-11-17 18:59 761344 ----a-w- c:\windows\system32\drivers\uwzqnunri.sys
2010-11-11 08:12 . 2010-11-15 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\eDkHf02039
2010-11-11 08:12 . 2010-11-11 08:12 -------- d-----w- c:\documents and settings\All Users\Application Data\eOeFn02039
2010-11-10 13:56 . 2010-11-10 13:56 67336 ----a-w- C:\whtsmk.exe
2010-11-01 14:14 . 2010-11-01 14:14 -------- d-----w- c:\documents and settings\saundech\Application Data\webex

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-02 20:39 . 2009-12-17 18:02 231936 ----a-w- c:\windows\system32\KaceCredentialProvider.dll
2010-09-02 20:39 . 2009-12-17 18:02 387584 ----a-w- c:\windows\system32\KUsrInit.exe
2010-09-02 20:39 . 2009-12-17 18:02 397312 ----a-w- c:\windows\system32\KWinImpl.dll
.

------- Sigcheck -------

[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe

c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-02-15 677408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-03-26 115560]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"KBOXUserExtension"="c:\program files\KACE\KBOX\KBOXUserExtension.exe" [2010-09-02 493056]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2010-08-06 85528]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= "c:\program files\Novell\ZENworks\NalExpEx.dll" [2003-03-24 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\KUsrInit.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kwinhook]
2009-07-25 00:32 55808 ----a-w- c:\windows\system32\KWinHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2112260698-3555690785-471562439-2476\Scripts\Logon\0\0]
"Script"=\\campus.minneapolis.edu\netlogon\deployment\ISRSShortcut.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2112260698-3555690785-471562439-2600\Scripts\Logon\0\0]
"Script"=\\campus.minneapolis.edu\NETLOGON\logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2112260698-3555690785-471562439-2600\Scripts\Logon\0\1]
"Script"=\\campus.minneapolis.edu\NETLOGON\deployment\Outlook.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SoundMAX"=c:\program files\Analog Devices\SoundMAX\Smax4.exe /tray
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"WatchDog"=c:\program files\InterVideo\DVD Check\DVDCheck.exe
"SoundMAXPnP"=c:\program files\Analog Devices\Core\smax4pnp.exe
"PTHOSTTR"=c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
"QlbCtrl"=%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpsvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Smc.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\NOVELL\\GroupWise\\GrpWise.exe"=
"c:\\NOVELL\\GroupWise\\Notify.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:Remote Assistance TCP
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"8014:TCP"= 8014:TCP:SEP11
"6129:TCP"= 6129:TCP:DameWare Mini Remote Control Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2/7/2007 10:22 AM 100495]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/9/2006 12:31 PM 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [3/29/2007 3:54 PM 13696]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 5:00 AM 26624]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [1/23/2007 7:07 PM 39080]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2/7/2007 10:23 AM 5808]
R2 BlankScreen;HBDevice;c:\windows\system32\drivers\blankscreen.sys [5/9/2007 8:41 AM 4480]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [3/29/2007 4:50 PM 221184]
R2 Kblock;Kblock;c:\windows\system32\drivers\kblock.sys [5/9/2007 8:41 AM 3742]
R2 KBOXSMMP;KBOX SMMP Management Service;c:\program files\KACE\KBOX\KBOXSMMPService.exe [11/8/2010 9:03 AM 2237440]
R2 Mouslock;Mouslock;c:\windows\system32\drivers\mouslock.sys [5/9/2007 8:41 AM 3779]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 5:00 AM 3712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/22/2010 7:49 PM 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/26/2005 9:56 AM 36608]
R3 nscmnt;Novell Local Security Context Manager;c:\windows\system32\drivers\Novell\nscmnt.sys [7/12/2002 10:36 AM 17984]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [3/25/2010 9:38 PM 23888]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/12/2010 2:10 PM 38224]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 xauthnt;Novell XTier Authentication Service;c:\windows\system32\drivers\Novell\xauthnt.sys [6/17/2002 3:32 PM 7728]

--- Other Services/Drivers In Memory ---

*Deregistered* - uwzqnunri

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-01-24 17:30 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.minneapolis.edu/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.minneapolis.edu/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\administrator\Application Data\Mozilla\Firefox\Profiles\qxfm9nb9.default\
FF - prefs.js: browser.startup.homepage - www.minneapolis.edu
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Search
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.search-clsid", "{EBB8AFFA-E37E-4315-A2CE-354EC79FEB67}");
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ZENRC Tray Icon - zentray.exe
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-17 12:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uwzqnunri]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\kwinhook.dll

- - - - - - - > 'explorer.exe'(3620)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\DWRCS.EXE
c:\windows\system32\ifxtcs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Novell\ZENworks\nalntsrv.exe
c:\windows\system32\IfxPsdSv.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
.
**************************************************************************
.
Completion time: 2010-11-17 13:02:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-17 19:01

Pre-Run: 61,292,093,440 bytes free
Post-Run: 61,903,986,688 bytes free

- - End Of File - - 208D0D534FB88CEDD80085E21F64C475
portdawg
Active Member
Posts: 1
Joined: November 17th, 2010, 3:04 pm

Re: Double Digit Window Explorer Windows Pop Up at Login

Post by Gary R » November 17th, 2010, 6:35 pm

Please familiarize yourself with the forum rules: Forum Posting Rules - Please Read

ComboFix is not a tool that is intended to be used without the direct supervision of a qualified expert. To use ComboFix on your own is to court disaster for your computer. Please stop all attempts at self-fixes for your system's issues as that may only confuse the issue further and cause additional problems as well.

In order for us to help you it is necessary that you provide us with a HijackThis log and an Uninstall list. Please follow the guideline at the link below to start a new topic and post your logs. Also include your ComboFix log in the same post.

This topic is now closed.
Please start a new topic by following the Guideline for posting your HijackThis log.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
