A Continuing Adventure Against Malware! v2

Re: A Continuing Adventure Against Malware! v2

Post by strelet007 » August 17th, 2010, 2:49 pm

Just out of curiosity I tried looking at the startup list through ccleaner as well, but it locked up shortly after I clicked the button. :(

Here's the uninstall list:

7-Zip 4.65 10/18/2009 3.13 MB
Acrobat.com Adobe Systems Incorporated 4/2/2010 1.67 MB 1.1.377
Adobe AIR Adobe Systems Inc. 4/2/2010 1.5.3.9130
Adobe Flash Player 10 ActiveX Adobe Systems Incorporated 4/4/2010 10.0.45.2
Adobe Flash Player 10 Plugin Adobe Systems Incorporated 6/23/2010 10.1.53.64
Adobe Photoshop Elements 6.0 Adobe Systems Inc. 8/28/2008 371.5 MB 6.0
Adobe Reader 9.3.2 Adobe Systems Incorporated 4/15/2010 147.0 MB 9.3.2
Age of Empires III Microsoft Game Studios 6/1/2010 3,748.8 MB 1.00.0000
Age of Empires III - The Asian Dynasties Microsoft Game Studios 6/1/2010 3,748.8 MB 1.00.0000
Age of Empires III - The WarChiefs Microsoft Game Studios 6/1/2010 3,748.8 MB 1.00.0000
Apple Application Support Apple Inc. 3/7/2010 32.4 MB 1.1.0
Apple Mobile Device Support Apple Inc. 3/7/2010 40.3 MB 2.6.0.32
Apple Software Update Apple Inc. 3/27/2009 2.16 MB 2.1.1.116
ArcSoft PhotoImpression 6 ArcSoft 12/27/2008 47.7 MB
Auslogics Disk Defrag Auslogics Software Pty Ltd 2/14/2010 7.55 MB version 3.1
Battlefield: Bad Company™ 2 Electronic Arts 4/2/2010 1,772.6 MB 1.0.0.0
Blitzkrieg Mod HQ-CoH.com 2/14/2010 1.6.5.1
Bonjour Apple Inc. 4/10/2009 0.48 MB 1.0.106
CCleaner Piriform 7/30/2010 2.80 MB 2.34
Company of Heroes: Opposing Fronts Relic 9/26/2008 7,957.3 MB
Counter-Strike: Source Valve 9/26/2008 31.3 MB
Curse Client Curse 3/21/2010 4.0.1.66
Diablo II Blizzard Entertainment 5/31/2010 2,055.1 MB
Dolby Control Center Link Intel Corporation 8/27/2008 33.00 KB 1.0.0
Download Manager 2.3.7 IGN Entertainment, Inc. 9/27/2008 2.80 MB 2.3.7
EA Download Manager Electronic Arts, Inc. 4/2/2010 25.0 MB 6.0.4.10
EA Download Manager UI Electronic Arts 4/2/2010 0.72 MB 6.0.4.10
Empire: Total War The Creative Assembly 2/13/2010 16,483.3 MB
Google Chrome Google Inc. 9/26/2008 107.1 MB 5.0.375.126
Google Toolbar for Internet Explorer Google Inc. 4/19/2010 58.8 MB
Grand Theft Auto IV Rockstar 2/13/2010 0.52 MB
Heroes of Newerth S2 Games 9/20/2009 274.7 MB 0.9.0
Hulu Desktop Hulu LLC 11/7/2009 2.27 MB 0.9.10
Intel(R) Matrix Storage Manager 8/27/2008 3.77 MB
Intel(R) PRO Network Connections 12.1.12.0 Intel 8/27/2008 14.8 MB
Intel® Management Engine Interface Intel Corporation 2/14/2009
iTunes Apple Inc. 3/7/2010 146.3 MB 9.0.3.15
Java(TM) 6 Update 20 Sun Microsystems, Inc. 10/4/2009 95.0 MB 6.0.200
Java(TM) 6 Update 7 Sun Microsystems, Inc. 9/26/2008 136.2 MB 1.6.0.70
Last.fm 1.5.4.24567 Last.fm 10/19/2009 18.4 MB
Launchy 2.1.2 Code Jelly 2/12/2010 12.3 MB
Majesty 2 Paradox Interactive 9/20/2009 1,237.4 MB
Malwarebytes' Anti-Malware Malwarebytes Corporation 7/20/2010 3.90 MB
Medieval II: Total War - Kingdoms The Creative Assembly 2/13/2010 13,368.6 MB
Microsoft .NET Framework 1.1 10/17/2009
Microsoft .NET Framework 3.5 SP1 Microsoft Corporation 2/14/2009 27.8 MB
Microsoft Games for Windows - LIVE Microsoft Corporation 12/16/2009 8.31 MB 3.2.217.0
Microsoft Games for Windows - LIVE Redistributable Microsoft Corporation 11/21/2009 32.3 MB 3.1.99.0
Microsoft Office Professional 2007 Microsoft Corporation 6/5/2009 522.5 MB 12.0.6425.1000
Microsoft Security Essentials Microsoft Corporation 7/20/2010 13.5 MB 1.0.1963.0
Microsoft Silverlight Microsoft Corporation 6/4/2010 4.0.50524.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Corporation 2/12/2010 0.25 MB 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable Microsoft Corporation 2/14/2010 0.41 MB 8.0.59193
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 Microsoft Corporation 11/8/2009 0.19 MB 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 Microsoft Corporation 11/7/2009 2.06 MB 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Corporation 2/13/2010 0.58 MB 9.0.30729
Mozilla Firefox (3.0.14) Mozilla 9/13/2009 25.7 MB 3.0.14 (en-US)
MSXML 4.0 SP2 (KB936181) Microsoft Corporation 8/27/2008 1.27 MB 4.20.9848.0
MSXML 4.0 SP2 (KB941833) Microsoft Corporation 8/28/2008 1.27 MB 4.20.9849.0
MSXML 4.0 SP2 (KB954430) Microsoft Corporation 11/12/2008 1.28 MB 4.20.9870.0
MSXML 4.0 SP2 (KB973688) Microsoft Corporation 11/25/2009 1.34 MB 4.20.9876.0
MSXML 4.0 SP2 Parser and SDK Microsoft Corporation 8/27/2008 1.23 MB 4.20.9818.0
NVIDIA Display Control Panel NVIDIA Corporation 5/30/2010 109.8 MB 6.14.11.9745
NVIDIA Drivers NVIDIA Corporation 5/30/2010 1.15 MB 1.10.59.37
NVIDIA PhysX NVIDIA Corporation 4/2/2010 73.6 MB 9.10.0129
NVIDIA Stereoscopic 3D Driver NVIDIA Corporation 5/30/2010 13.6 MB 7.17.11.9745
Pando Media Booster Pando Networks Inc. 10/17/2009 6.69 MB 2.3.2.7
Picasa 3 Google, Inc. 1/22/2010 55.9 MB 3.6
Pirates, Vikings, and Knights II PVKII Team 2/13/2010
PodUtil 2.5.2 KennettNet.co.uk 4/10/2009 6.04 MB
Prime95 9/27/2008 4.88 MB
PunkBuster Services Even Balance, Inc. 1/31/2010 0.988
QuickTime Apple Inc. 3/7/2010 77.3 MB 7.65.17.80
RealPlayer RealNetworks 3/27/2009 41.9 MB
Red Orchestra Tripwire Interactive 2/14/2009 2,575.8 MB
Sid Meier's Civilization IV: Beyond the Sword Firaxis 5/30/2010 3,574.7 MB
SigmaTel Audio SigmaTel 8/27/2008 22.3 MB 5.10.5102.0
Spelling Dictionaries Support For Adobe Reader 9 Adobe Systems Incorporated 1/23/2009 30.3 MB 9.0.0
SSIII Solo Ultratus 1.1 3RDsense 10/5/2008 25.7 MB 1.1
Stainless_Steel_6.0_Part1of2 2/14/2010 316.0 MB
Stainless_Steel_6.0_Part2of2 2/14/2010 316.0 MB
Stanford University Antech Systems, Inc. 2/13/2010 204.3 MB 3.0.0
Starcraft 6/15/2009 76.9 MB
Steam Valve 9/26/2008 1.31 MB 1.0.0.0
Third Age - Total War 1.0 Part1 2/14/2010 13,368.6 MB
Third Age - Total War 1.0 Part2 2/14/2010 20,581.1 MB
Third Age - Total War Hotfix1 2/14/2010 20,581.1 MB
Third Age - Total War Patch 1.1 2/14/2010 20,581.1 MB
Third Age - Total War Patch 1.2 2/14/2010 20,581.1 MB
Third Age - Total War Patch 1.3 2/14/2010 20,581.1 MB
Third Age - Total War Patch 1.4 2/14/2010 20,581.1 MB
Tom Clancy's Splinter Cell Conviction Ubisoft 5/30/2010 7,154.9 MB 1.02.000
Ubisoft Game Launcher UBISOFT 5/30/2010 2.82 MB 1.0.0.0
Ventrilo Client Flagship Industries, Inc. 2/16/2009 3.88 MB 3.0.4
VirtualCloneDrive Elaborate Bytes 5/30/2010 2.31 MB
VLC media player 1.0.5 VideoLAN Team 4/1/2010 74.8 MB 1.0.5
Warcraft III Blizzard Entertainment 4/10/2009 1,117.4 MB
Warhammer 40,000: Dawn of War II Relic 2/27/2009 3,879.9 MB
WC3Banlist Knarf 4/10/2009 5.26 MB 3.0
Windows Live installer Microsoft Corporation 10/4/2008 1.70 MB 12.0.1471.1025
Windows Live Messenger Microsoft Corporation 10/4/2008 29.8 MB 8.5.1302.1018
WinPcap 4.0.2 CACE Technologies 4/10/2009 0.19 MB 4.0.0.1040
WinRAR archiver 12/27/2008 3.29 MB
World of Warcraft Blizzard Entertainment 2/12/2010 16,883.8 MB 3.3.0.10958
strelet007
Regular Member
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: A Continuing Adventure Against Malware! v2

Post by askey127 » August 17th, 2010, 4:22 pm

Please Boot the system into SAFE mode.
Right click the green MS Security Essentials "schoolhouse" icon, and click "Open".
Click the "Settings" tab and in the left pane, click "Real Time Protection".
In the main window, UNCHECK the box for "Turn on real time protection (Recommended)".
Then click "Save Changes"

Then attempt to run Combofix.exe (zzz.exe) per the previous instructions.
Let's see if it will run to completion and pop up the log.
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: A Continuing Adventure Against Malware! v2

Post by strelet007 » August 17th, 2010, 5:27 pm

Hey askey127,

MS Security Essentials isn't running when I boot into safe mode.

It's worth mentioning that it was installed while the computer was infected. It replaced Live OneCare once the subscription expired. I was never able to get the services running for MSE to operate properly.

Should I try uninstalling it?
strelet007
Regular Member
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: A Continuing Adventure Against Malware! v2

Post by askey127 » August 17th, 2010, 6:45 pm

No let it run as is.
It's perfectly normal for MSSE.
Let me know how it goes with zzz.exe
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: A Continuing Adventure Against Malware! v2

Post by strelet007 » August 17th, 2010, 7:31 pm

ComboFix told me that Windows Live OneCare protection for anti-malware & anti-spyware was running. I uninstalled this long ago, so I'm not sure why it's claiming that it is running.

I continued despite this and I was able to get a log in safe mode.


ComboFix 10-08-15.01 - Roaa 08/17/2010 17:17:02.1.4 - x86 NETWORK
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3322.2809 [GMT -6:00]
Running from: c:\users\Roaa\Desktop\zzzz.exe
AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Windows Live OneCare *enabled* (Updated) {CC7E50BA-BA8C-4DDE-B5AC-EA53BC38D01B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Install.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
.

2010-08-17 23:14 . 2010-08-17 23:15 -------- d-----w- C:\32788R22FWJFW
2010-07-21 03:15 . 2010-07-21 03:15 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-07-20 17:48 . 2010-07-20 17:48 -------- d-----w- c:\users\Roaa\AppData\Roaming\Malwarebytes
2010-07-20 17:16 . 2010-07-20 17:16 -------- d-----w- c:\users\Deeling\AppData\Roaming\Malwarebytes
2010-07-20 17:12 . 2010-07-20 17:12 -------- d-----w- C:\WINSSLog
2010-07-20 17:08 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 17:08 . 2010-07-20 17:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 17:08 . 2010-07-20 17:08 -------- d-----w- c:\programdata\Malwarebytes
2010-07-20 17:08 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-17 18:46 . 2009-10-04 17:18 139673 ----a-w- c:\programdata\nvModes.dat
2010-08-17 01:30 . 2010-04-02 05:17 -------- d-----w- c:\users\Roaa\AppData\Roaming\vlc
2010-07-31 00:18 . 2010-02-13 06:55 -------- d-----w- c:\program files\CCleaner
2010-07-31 00:01 . 2010-05-31 04:41 -------- d-----w- c:\programdata\Ubisoft
2010-07-29 02:38 . 2009-02-14 07:31 1356 ----a-w- c:\users\Roaa\AppData\Local\d3d9caps.dat
2010-07-27 15:54 . 2009-05-14 19:56 -------- d-----w- c:\users\Roaa\AppData\Roaming\uTorrent
2010-07-21 03:16 . 2008-08-28 14:17 -------- d-----w- c:\programdata\FLEXnet
2010-07-20 05:27 . 2008-08-28 03:28 1356 ----a-w- c:\users\Deeling\AppData\Local\d3d9caps.dat
2010-06-24 09:18 . 2009-02-14 07:47 -------- d-----w- c:\programdata\NVIDIA
2010-05-31 18:44 . 2010-05-31 18:44 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-05-31 06:25 . 2008-09-27 17:28 139128 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-05-31 06:25 . 2008-09-27 17:27 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-05-31 05:06 . 2010-05-31 05:06 13552 ----a-w- c:\windows\DIIUnin.dat
2010-05-31 05:06 . 2010-05-31 05:06 94208 ----a-w- c:\windows\DIIUnin.exe
2010-05-31 05:06 . 2010-05-31 05:06 2829 ----a-w- c:\windows\DIIUnin.pif
2010-05-26 17:06 . 2010-06-10 16:33 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-10 16:33 289792 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Roaa\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-27 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SigmatelSysTrayApp"="sttray.exe" [2007-09-26 303104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Launchy.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Launchy.lnk
backup=c:\windows\pss\Launchy.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Roaa^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\users\Roaa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccip.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-16 01:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-31 04:14 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-27 17:41 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2009-06-17 11:44 85160 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):e7,56,61,cb,d5,39,ca,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 135664]
R3 APL531;OVT Scanner;c:\windows\system32\Drivers\ov550i.sys [2007-04-10 596480]
R3 dc3d;USBCCGP filter driver (dc3d);c:\windows\system32\DRIVERS\dc3d.sys [2009-01-15 15360]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
R3 Normandy;Normandy SR2; [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R4 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [x]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 23:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 16:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 23:08]

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 23:08]

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1850265421-2837915182-2937492470-1000Core.job
- c:\users\Deeling\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-06 15:56]

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1850265421-2837915182-2937492470-1000UA.job
- c:\users\Deeling\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-06 15:56]

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1850265421-2837915182-2937492470-1001Core.job
- c:\users\Roaa\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-27 02:03]

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1850265421-2837915182-2937492470-1001UA.job
- c:\users\Roaa\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-27 02:03]

2010-08-17 c:\windows\Tasks\User_Feed_Synchronization-{0F7C84C4-714A-4C97-A897-BEB0B2DF102C}.job
- c:\windows\system32\msfeedssync.exe [2010-06-10 04:30]

2010-08-17 c:\windows\Tasks\User_Feed_Synchronization-{D2DBB98F-8E5D-4C83-AFFF-B99A7A39F946}.job
- c:\windows\system32\msfeedssync.exe [2010-06-10 04:30]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: {60525742-673A-44CF-B57B-F517BF589BB8} = 69.145.248.50,69.145.232.4
FF - ProfilePath - c:\users\Roaa\AppData\Roaming\Mozilla\Firefox\Profiles\7hs93dud.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\users\Roaa\AppData\Local\HuluDesktop\instances\0.9.10.1\nphdplg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)
SafeBoot-MsMpSvc
SafeBoot-OneCareMP
MSConfigStartUp-DAEMON Tools Pro Agent - c:\program files\DAEMON Tools Pro\DTProAgent.exe
MSConfigStartUp-OneCareUI - c:\program files\Microsoft Windows OneCare Live\winssnotify.exe
MSConfigStartUp-RGSC - c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-17 17:22
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1850265421-2837915182-2937492470-1001\Software\SecuROM\License information*]
"datasecu"=hex:7a,98,61,0a,89,3f,b3,a4,58,7f,bf,32,a0,09,5b,41,ba,1d,6f,f0,bb,
98,40,80,a2,46,fb,53,b5,87,94,e9,fa,1c,c5,0e,7e,96,b4,6b,42,f5,68,13,62,7e,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
Completion time: 2010-08-17 17:23:57
ComboFix-quarantined-files.txt 2010-08-17 23:23

Pre-Run: 155,607,588,864 bytes free
Post-Run: 155,975,712,768 bytes free

- - End Of File - - FEA3E788B2802DC700775195BD317AC5
strelet007
Regular Member
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: A Continuing Adventure Against Malware! v2

Post by askey127 » August 18th, 2010, 7:52 am

strelet007,
I don't see any malware on your system.
You may have to Reformat and Re-Install Vista if this cannot be corrected.
There are a couple of things I want to try before resorting to that recommendation. This is the first set of things I want to do.
-----------------------------------------------------------
Disable Windows Defender
Go to Start > Programs > Windows Defender
Click on the Tools menu, click General Settings, Scroll down to Real-Time Protection Options section and Deactivate the Real-Time Protection system.

Then, in the toolbar across the top there is a little downpointing arrow next to the question mark icon.
Click on that, get a drop down list. One of the options is to exit Windows Defender.
Click on that, and there will be a pop up asking if you are sure you want to exit. Click Yes/OK.
------------------------------------------------
Remove Programs Using Control Panel
From Start, Control Panel, click on Uninstall a program under the Programs heading.
Right click this Entry, if it exists, choose Uninstall/Change, and give permission to Continue:
Java(TM) 6 Update 7
Take extra care in answering questions posed by any Uninstaller.
---------------------------------------------
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Right-click SystemLook.exe and choose "Run as administrator".
  • Copy the content of the following codebox into the main textfield:
    :dir
    %programfiles% /nofiles
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
-----------------------------------------------------------
For your info, there is a long set of instructions on how to fix a corrupt Windows Live OneCare installation.
We would likely have to Uninstall Microsoft Security Essentials first.
It appears possible this is the source of all your problems.
http://support.microsoft.com/kb/2284591
If you print it out, it might work, except you would not be able to install OneCare again at the end.
It might however, fix things enough to allow you to UNINSTALL it.
Then you could re-install MS Security Essentials.
You can try it if you want, or not. (Your choice).

askey127
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: A Continuing Adventure Against Malware! v2

Post by strelet007 » August 19th, 2010, 5:34 am

Hi askey127,

I will be leaving town Friday and will be back Monday to continue this. Thank you so much for volunteering your time to help me fix my problems.

Windows Defender was already disabled, and I was unable to uninstall Java because it froze.


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:17 on 18/08/2010 by Roaa (Administrator - Elevation successful)

========== dir ==========

C:\Program Files - Parameters: "/nofiles"


---Folders---
7-Zip d----- [05:00 19/10/2009]
Activision d----- [20:06 14/03/2009]
Adobe d----- [14:07 28/08/2008]
Apple Software Update d----- [16:37 27/03/2009]
ArcSoft d----- [20:44 27/12/2008]
Auslogics d----- [10:29 14/02/2010]
BitLocker d----- [07:10 27/09/2008]
Bonjour d----- [23:53 10/04/2009]
CCleaner d----- [06:55 13/02/2010]
Common Files d----- [11:18 02/11/2006]
Download Manager d----- [01:10 28/09/2008]
Elaborate Bytes d----- [03:56 31/05/2010]
Electronic Arts d----- [14:48 02/04/2010]
Empire Total War d----- [18:51 14/05/2009]
Firaxis Games d----- [20:32 14/05/2009]
Google d----- [04:35 27/09/2008]
Heroes of Newerth d----- [10:11 20/09/2009]
Hijackthis d----- [20:49 22/07/2010]
InstallShield Installation Information d--h-- [03:42 28/08/2008]
Intel d----- [03:31 28/08/2008]
Intel Desktop Board d----- [03:34 28/08/2008]
Internet Explorer d----- [11:18 02/11/2006]
iPod d----- [09:16 07/03/2010]
iTunes d----- [23:54 10/04/2009]
Java d----- [04:34 27/09/2008]
Last.fm d----- [16:34 11/04/2009]
Launchy d----- [04:27 13/02/2010]
Malwarebytes' Anti-Malware d----- [17:08 20/07/2010]
Microsoft Games d----- [12:35 02/11/2006]
Microsoft Games for Windows - LIVE d----- [01:50 15/03/2009]
Microsoft Office d----- [23:11 01/09/2008]
Microsoft Security Essentials d----- [03:15 21/07/2010]
Microsoft Silverlight d----- [07:06 27/09/2008]
Microsoft Visual Studio d----- [23:13 01/09/2008]
Microsoft Works d----- [23:13 01/09/2008]
Microsoft.NET d----- [23:13 01/09/2008]
Movie Maker d----- [12:35 02/11/2006]
Mozilla Firefox d----- [18:34 27/09/2008]
MSBuild d----- [12:35 02/11/2006]
MSXML 4.0 d----- [03:30 28/08/2008]
NVIDIA Corporation d----- [17:13 04/10/2009]
Pando Networks d----- [02:14 18/10/2009]
PodUtil d----- [01:20 11/04/2009]
Prime95 d----- [06:49 27/09/2008]
QuickTime d----- [09:15 07/03/2010]
Real d----- [17:41 27/03/2009]
Reference Assemblies d----- [12:35 02/11/2006]
Search Party d----- [17:12 13/02/2010]
SigmaTel d----- [03:45 28/08/2008]
SSIII Solo Ultratus d----- [22:00 05/10/2008]
Starcraft d----- [03:24 16/06/2009]
Steam d----- [02:15 27/09/2008]
Turbine d----- [03:05 18/10/2009]
Ubisoft d----- [04:28 31/05/2010]
Uninstall Information d--h-- [13:00 02/11/2006]
USB PC Camera d----- [20:47 27/12/2008]
Ventrilo d----- [05:17 17/02/2009]
VideoLAN d----- [02:52 18/10/2009]
Warcraft III d----- [15:55 10/04/2009]
WC3Banlist d----- [01:46 11/04/2009]
Windows Calendar d----- [12:35 02/11/2006]
Windows Collaboration d----- [12:35 02/11/2006]
Windows Defender d----- [12:35 02/11/2006]
Windows Journal d----- [12:35 02/11/2006]
Windows Live d----- [04:15 05/10/2008]
Windows Mail d----- [11:18 02/11/2006]
Windows Media Player d----- [12:35 02/11/2006]
Windows NT d----- [11:18 02/11/2006]
Windows Photo Gallery d----- [12:35 02/11/2006]
Windows Portable Devices d----- [18:48 07/11/2009]
Windows Sidebar d----- [12:35 02/11/2006]
WindSolutions d----- [00:59 11/04/2009]
WinPcap d----- [01:47 11/04/2009]
WinRAR d----- [21:27 27/12/2008]
World of Warcraft d----- [23:59 27/09/2008]

-=End Of File=-
strelet007
Regular Member
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: A Continuing Adventure Against Malware! v2

Post by askey127 » August 19th, 2010, 4:36 pm

strelet007,
Ok.
Let me know where you stand when you get back.
askey127
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: A Continuing Adventure Against Malware! v2

Post by askey127 » August 22nd, 2010, 5:04 pm

Thread closing post removed.
Re-opened at the request of the original poster.
Last edited by askey127 on August 25th, 2010, 6:26 am, edited 2 times in total.
Reason: Thread closed too soon.
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: A Continuing Adventure Against Malware! v2

Post by strelet007 » August 25th, 2010, 4:20 pm

Hi askey127,

Thank you for re-opening the thread.

I've spent the last couple days working to clean up Windows Live OneCare. I also ran a chkdsk with automatic repair of bad sectors and file system errors.

So far things look like they're working better. Both MBAM and HJT run without freezing.

It may be worth it to re-run a few scans now that they appear to be working.
strelet007
Regular Member
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: A Continuing Adventure Against Malware! v2

Post by askey127 » August 25th, 2010, 5:06 pm

strelet007,
-----------------------------------------------
Run the RSIT Scanner
Please download the scanner from here and save it to your desktop. The icon will be named RSIT.exe
Right click on RSIT.exe and select Run As Administrator to run it. If Windows UAC prompts you, please allow it.
When the scan is complete, two text files will open
log.txt <- this one will be maximized
info.txt <- this one will be minimized
( Default location for both files is C:\rsit\ )
Copy/Paste the contents of both log.txt and info.txt into your next post please. Use two posts if you prefer.
askey127
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: A Continuing Adventure Against Malware! v2

Post by strelet007 » August 25th, 2010, 8:51 pm

Hi askey127,

Things seemed to be working perfectly when I mentioned MBAM and HJT working. Windows was able to install a number of updates and I finally was able to install MSE and get it running properly. However, upon restarting, I was greeted by Windows Update "configuring updates stage 3 of 3". It sat at 0% for several hours and I had to reboot into safe mode and restart from there to get rid of it.

Now I can no longer install/uninstall anything, MBAM can't scan (neither can MSE), and Windows Update freezes when it opens. This is all typical of the symptoms I was experiencing.

RSIT is freezing right when it starts. I really don't understand why the problems disappeared and then came back. :(
strelet007
Regular Member
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: A Continuing Adventure Against Malware! v2

Post by askey127 » August 26th, 2010, 7:41 am

strelet007,
-----------------------------------------
Open Notepad... then copy and paste the following line into Notepad:
(Notepad is in Start, Programs, Accessories)
cmd  /c  chkdsk  c:  |find  /v  "percent"  >> "%userprofile%\desktop\checkhd.txt"

Now Save the NotePad file like this:
  • Click on File from the top menu bar.
  • Select Save As, use Filename: testhd.bat, and Save As Type: All Files.
  • Choose Desktop as the location
  • Click Save.
Right click on testhd.bat on your desktop and select Run As Administrator to run it.
A Command Prompt box will pop up, then close after a couple minutes.
Please post the contents of the checkhd.txt file from your desktop.
If the file is very long, just copy and paste the LAST 20 or 30 lines into your reply.

askey127
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: A Continuing Adventure Against Malware! v2

Post by strelet007 » August 26th, 2010, 5:56 pm

I had to run it in safe mode.


The type of the file system is NTFS.
The volume is in use by another process. Chkdsk
might report errors when no corruption is present.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
798 large file records processed.

0 bad file records processed.

2 EA records processed.

74 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
Index entry CHECKH~2.LNK in index $I30 of file 50353 is incorrect.
Index verification completed.

Errors found. CHKDSK cannot continue in read-only mode.
strelet007
Regular Member
Posts: 37
Joined: July 20th, 2010, 1:46 pm
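A small Python triage script, added here as an example and not part of the thread, that reads a checkhd.txt produced by the testhd.bat one-liner (chkdsk piped through find /v "percent" and appended to the file) and reports whether the read-only pass stopped on errors, as the output above does. Because the batch file uses `>>`, several runs may be appended; the parser takes the last one. The sample reports are constructed to mirror the posted output, and the class and function names are the example's own.

```python
"""Triage read-only chkdsk reports like the checkhd.txt in this thread.

Added example; not from the thread or from Microsoft. Sample reports below are
constructed to match the format strelet007 posted.
"""
import re
from dataclasses import dataclass, field

STAGE_RE = re.compile(r"CHKDSK is verifying .*\(stage (\d) of (\d)\)")
INDEX_RE = re.compile(r"Index entry (\S+) in index (\$\w+) of file (\d+) is incorrect")
# Each run starts with this line; used to pick the last run out of an appended file.
RUN_START = "The type of the file system is"


@dataclass
class ChkdskReport:
    filesystem: str = ""
    read_only: bool = False      # "Running CHKDSK in read-only mode." (no /F)
    volume_in_use: bool = False  # live volume: chkdsk itself warns results may be spurious
    last_stage: int = 0          # highest "stage N of 3" reached
    index_errors: list = field(default_factory=list)
    errors_found: bool = False   # "Errors found. CHKDSK cannot continue in read-only mode."

    def needs_fix_pass(self) -> bool:
        # A read-only run cannot repair anything; the next step in the thread is
        # the same command with /F, scheduled for the next reboot.
        return self.errors_found and self.read_only


def parse_chkdsk(text: str) -> ChkdskReport:
    """Parse the LAST chkdsk run in `text` (the batch file appends with >>)."""
    runs = [r for r in re.split(r"(?m)^(?=" + re.escape(RUN_START) + ")", text) if r.strip()]
    report_text = runs[-1] if runs else text
    r = ChkdskReport()
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(RUN_START):
            r.filesystem = line.rsplit(" ", 1)[1].rstrip(".")
        elif "volume is in use by another process" in line:
            r.volume_in_use = True
        elif "Running CHKDSK in read-only mode" in line:
            r.read_only = True
        elif m := STAGE_RE.search(line):
            r.last_stage = int(m.group(1))
        elif m := INDEX_RE.search(line):
            r.index_errors.append({"entry": m.group(1), "index": m.group(2), "file": int(m.group(3))})
        elif line.startswith("Errors found"):
            r.errors_found = True
    return r


def triage(text: str) -> str:
    """One-line verdict a helper could paste back into the thread."""
    r = parse_chkdsk(text)
    if r.needs_fix_pass():
        note = " (volume was in use, so the read-only pass may over-report)" if r.volume_in_use else ""
        return (f"{r.filesystem}: stopped at stage {r.last_stage} with "
                f"{len(r.index_errors)} index error(s); rerun chkdsk with /F on reboot{note}")
    return f"{r.filesystem}: read-only pass completed stage {r.last_stage} with no errors"


# Constructed sample mirroring the report posted above (read-only run that stops on errors).
SAMPLE = """The type of the file system is NTFS.
The volume is in use by another process. Chkdsk
might report errors when no corruption is present.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
798 large file records processed.
0 bad file records processed.
2 EA records processed.
74 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
Index entry CHECKH~2.LNK in index $I30 of file 50353 is incorrect.
Index verification completed.

Errors found. CHKDSK cannot continue in read-only mode.
"""

# Constructed sample of a clean read-only run, e.g. after the /F pass.
CLEAN_SAMPLE = """The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.
CHKDSK is verifying security descriptors (stage 3 of 3)...
Security descriptor verification completed.
Windows has checked the file system and found no problems.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(SAMPLE + CLEAN_SAMPLE))  # appended file: only the last run counts
```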

Re: A Continuing Adventure Against Malware! v2

Post by askey127 » August 26th, 2010, 7:14 pm

strelet007,
Let's try to fix the file system, and check it again.
Delete checkhd.txt and fixhd.bat and testhd.bat from your desktop.
-----------------------------------------
Open Notepad... then copy and paste the following line into Notepad:
(Notepad is in Start, Programs, Accessories)
cmd  /c  chkdsk  c: /F

Now Save the NotePad file like this:
  • Click on File from the top menu bar.
  • Select Save As, use Filename: fixhd.bat, and Save As Type: All Files.
  • Choose Desktop as the location
  • Click Save.
Right click on fixhd.bat on your desktop and select Run As Administrator to run it.
It will say it cannot operate on a disk in use, and needs to run on reboot.
Tell it OK
-----------------------------------------
ReBoot
-----------------------------------------
Open Notepad... then copy and paste the following line into Notepad:
(Notepad is in Start, Programs, Accessories)
cmd  /c  chkdsk  c:  |find  /v  "percent"  >> "%userprofile%\desktop\checkhd.txt"

Now Save the NotePad file like this:
  • Click on File from the top menu bar.
  • Select Save As, use Filename: testhd.bat, and Save As Type: All Files.
  • Choose Desktop as the location
  • Click Save.
Right click on testhd.bat on your desktop and select Run As Administrator to run it.
A Command Prompt box will pop up, then close after a couple minutes.
Please post the contents of the checkhd.txt file from your desktop.
If the file is very long, just copy and paste the LAST 20 or 30 lines into your reply.

askey127
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA