Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

computer crashing

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

computer crashing

Unread postby andorusan » October 24th, 2007, 4:36 pm

Howdy,

I've run spybot and a couple of other programs succesfully but I can't seem to download Hijack this.


I download a file that needs to be unzipped but when I click on HIjack this in the C:\Program Files\HijackThis I get the following message:

Entry Point Not Found

The procedure entry point FetLastErroe could not be located in the dynamic link library KERNAL32.dll

Anyone know what I'm doing wrong?

Tahnk you,

Andrew
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm
Top
Advertisement
Register to Remove

Unread postby beynac » October 26th, 2007, 8:40 am

Good afternoon Andrew. :)

I'll be happy to help you sort out your problem. In order to help me with this, please note the following points:
  • If you have any questions or problems - stop and ask
  • It's important that you do not take any independent action to clean the computer (e.g. scans and clean-up programs)
  • Please continue until I give the "all clear". The symptoms may disappear quite quickly, but this doesn't mean that the computer is clean
----------------------------------------------

Please delete your current version of HijackThis and the zip file. Download the latest version and save it to your desktop: HJTInstall.exe
  • Double click on the HJTInstall.exe icon on your desktop
  • Click I Accept
  • HijackThis will open
  • Click on the Do a system scan and save a log file button.
  • It will scan and then the log will open in notepad.
  • Paste the log as a reply to this thread.
  • Don't use the Analyse This button - its findings are dangerous if misinterpreted.
Do NOT have HijackThis fix anything yet.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
Top

Unread postby andorusan » October 26th, 2007, 8:23 pm

Howdy, I tried but had the same problem - the same error message as above when I try to run the software.

I click on the link; then i click the save button to save to my desktop; it installs and copies givin mea pop-up to run/open folder or close; I close and then double click the icon on my desktop; I get a popup giving me the choice to run or cancel; I press run and have the choice to install/brose or quit. I click install and then I get...

The procedure entry point FetLastError could not be located in the dynamic link library KERNAL32.dll

still no progress...

Thanks for your help - any idea what might be wrong??
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm
Top

Unread postby beynac » October 27th, 2007, 6:23 am

Good morning.

I can't find out much about your problem. Just one point: you say that the error message refers to KERNAL32.dll. Could you please check the spelling. The Windows file is KERNEL32.dll, with an "E". Also, is it "GetLastError" rather than "FetLastError"?

Are you having problems running, or installing any other programs? Let's try another way of getting the information. WinPatrol 2007 is a very useful program which protects your computer against malicious changes. It also has a function to run a report similar to HijackThis.

Please download WinPatrol 2007 from here: http://www.winpatrol.com/download.html
  • Click on the link: Free Download - Install WinPatrol 2007
  • Save the installation program on your desktop
  • Close your browser and all other open windows
  • Double-click the icon on your desktop to install the program
  • Reboot the computer
  • Right-click on the Scotty icon in your system tray
  • Select Display Services...
  • Tick the List non-Microsoft Services only checkbox
  • Click on the Options tab
  • Click the Hijack Log button
  • The log will open. Please post the contents as a reply to this thread
Please also let me know about the spelling of kernal/kernel and "FetLastError".
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
Top

Unread postby andorusan » October 27th, 2007, 9:12 am

spelling is kernel not kernal as I had written
but FetLastError was corect

I downloaded a youtube program called videopiggy and now it gives me the exact same message.

I downloaded winpatrol and did everything you said but when I click on the hijack log button nothing happens - only a momentary hour glass.

Off to a slow start it seems eh?

Thank you,

Andrew
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm
Top

Unread postby beynac » October 27th, 2007, 9:26 am

Off to a slow start it seems eh?

It looks like it! :lol:

So, WinPatrol installed and is working? If so, please have a look for the log. It should be on your root drive (e.g. C:\HijackPatrol.log). If so, please post it.

As you had a similar problem with the youtube program, it looks as if there could be a problem with kernel32.dll.

------------------------------------------------

System File Checker

Only do the following if you have Windows XP.

Go to Start > Run, enter sfc /scannow ( note the space between the "c" and "/" ) and click on OK.

This will look for and attempt to replace any corrupt system files that can be found. There are backups of some of these files on your PC and Windows will check for a copy here first. If you are prompted to insert your Windows XP disc, do so. If you don't have this disc and are asked for it, you will have to cancel at this point. Let me know if you have any problems.

For details on the System File Checker, click here.

------------------------------------------------

Please let me know how you get on. In the meantime, I'll do a bit more research. How is the computer running (apart from this problem)?
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
Top

Unread postby andorusan » October 27th, 2007, 10:11 am

Finally got a log!!!

The system file checker required a cd as you thought it might.

The computer seems to be running okay for the most part. I downloaded microsoft updates but for some reason service pck 3? couldn't install properly.

Funny thing on Friday morning - I noticed my CPU was working hard and when I check the task manager - something called bcod.exe was using 50 - 100% of my cpu while the computer was idle. I finaly choose to end the process and the computer was noticable faster with no ill effects. I googled bcod but could find very little information.

Deleting file and defraging seems to have helped the crashing.

Thanks for you help.

Andrew

Log created by WinPatrol version 12.2.2007.0:12.2.2007.0
Scan saved at 7:12:43 AM, on 10/27/2007
Platform: Windows XP SP2 Service Pack 2 (Build 2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\A-SQUARED FREE\A2SERVICE.EXE
C:\PROGRAM FILES\EWIDO ANTI-MALWARE\EWIDOCTRL.EXE
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\PROGRAM FILES\COMMON FILES\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7Debug\mdm.exe
C:\PROGRAM FILES\McAfee\MPF\MpfSrv.exe
C:\PROGRAM FILES\SITEADVISOR\6172\SASERVICE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRAM FILES\QUICKTIME\qttask.exe
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\hpwuSchd.exe
C:\PROGRAM FILES\HP\HPCORETECH\hpcmpmgr.exe
C:\Program Files\NetAssistant\SmartBridge\MotiveSB.exe
C:\PROGRAM FILES\Java\JRE1.5.0_01\bin\jusched.exe
C:\PROGRAM FILES\COMMON FILES\Real\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\SITEADVISOR\6172\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRAM FILES\MSN MESSENGER\msnmsgr.exe
C:\PROGRAM FILES\Google\GOOGLETOOLBARNOTIFIER\GOOGLETOOLBARNOTIFIER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
C:\PROGRAM FILES\HP\DIGITAL IMAGING\bin\hpqtra08.exe
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SonyTray.exe
C:\PROGRAM FILES\WinZip\WZQKPICK.EXE
C:\PROGRAM FILES\NETASSISTANT\bin\mpbtn.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WINDOWS LIVE\WLLOGINPROXY.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SiteAdv - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: - {7E853D72-626A-48EC-A868-BA8D5E23E045} -
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\Google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\Google\googletoolbar5.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [WinampAgent]C:\Program Files\Winamp\Winampa.exe
O4 - HKLM\..\Run: [HTpatch]C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [AGRSMMSG]AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task]C:\Program Files\QuickTime\qttask.exe -atboottime
O4 - HKLM\..\Run: [HP Software Update]C:\Program Files\HP\HP Software Update\hpwuSchd.exe
O4 - HKLM\..\Run: [HP Component Manager]C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
O4 - HKLM\..\Run: [RebateNation0]C:\Program Files\Rebate_Nation\RebateNation0.exe
O4 - HKLM\..\Run: [NeroFilterCheck]C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge]C:\Program Files\NetAssistant\SmartBridge\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched]C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe]C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [SiteAdvisor]C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe]C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [WinPatrol]C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe]C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr]C:\Program Files\MSN Messenger\MsnMsgr.Exe /background
O4 - HKCU\..\Run: [Yahoo! Pager]C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg]C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer]C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk=C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk=C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk=C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Microsoft Office.lnk=C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NetAssistant.lnk=C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk=C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?032242654a15478386af5974d99b9dbf
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?032242654a15478386af5974d99b9dbf
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [Java (Sun)] Java (Sun) - C:\Program Files\Java\jre1.5.0_01\bin
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
O14 - IERESET.INF: SEARCH_PAGE_URL = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
O14 - IERESET.INF:HKCU, Start Page = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Page_URL = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Search_URL = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKLM, Search Page = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKCU, Search Page = %SEARCH_PAGE_URL%
O16 - DPF: DirectAnimation Java Classes (dajava) - file://C:\WINDOWS\Java\classes\dajava.cab
O16 - DPF: Microsoft XML Parser for Java (xmldso) - file://C:\WINDOWS\Java\classes\xmldso.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/fl ... wflash.cab
O21 - WPDShServiceObj - WPDShServiceObj Class - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent - McAfee, Inc. - c:\program files\common files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service - McAfee, Inc. - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: MainSafe Service - - C:\WINDOWS\system32\mainsafe.exe C:\WINDOWS\system32\mainsafe.empty.ini
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: SiteAdvisor Service - - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SmartLinkService - Smart Link - slserv.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--- Additional WinPatrol Info ---
Default Browser: Internet Explorer - Internet Explorer version 6.00.2900.2180
MSIE: Internet Explorer (6.00.2900.2180)
47 IE Cookies in Folder: C:\Documents and Settings\User\Cookies\

WP00 - HKLM\CS1: BootExecute = autocheck autochk *
WP00 - HKLM\CCS: BootExecute = autocheck autochk *
WP00 - HKLM\CS3: BootExecute = autocheck autochk *
WP01 - HKLM\CS1: PendingFileRenameOperations = \??\C:\DOCUME~1\User\LOCALS~1\Temp\_TinDel.exe
WP01 - HKLM\CCS: PendingFileRenameOperations = \??\C:\DOCUME~1\User\LOCALS~1\Temp\_TinDel.exe
WP02 - HKLM\CCS: Command = C:\WINDOWS\system32\cmd.exe

WP03 - Windows Automatic Update = 4:Automatically download recommended updates for my computer and install them.


WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix: Default = http://
WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes: www = http://

WP31 - Scheduled Tasks: [McQcTask.job]c:\program files\McAfee\MQC\QcConsol.exe 02/01/2007 1:00 AM
WP31 - Scheduled Tasks: [McDefragTask.job]C:\WINDOWS\system32\defrag.exe Never
WP31 - Scheduled Tasks: [Check Updates for Windows Live Toolbar.job]C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE 10/27/2007 7:11 AM

WP32 - Hidden File: C:\boot.ini
WP32 - Hidden File: C:\IO.SYS
WP32 - Hidden File: C:\MSDOS.SYS
WP32 - Hidden File: C:\NTDETECT.COM
WP32 - Hidden File: C:\ntldr
WP32 - Hidden File: C:\pagefile.sys
WP32 - Hidden File: C:\_NavCClt.Log
WP32 - Hidden File: C:\WINDOWS\QTFont.qfn
WP32 - Hidden File: C:\WINDOWS\WindowsShell.Manifest
WP32 - Hidden File: C:\WINDOWS\winnt.bmp
WP32 - Hidden File: C:\WINDOWS\winnt256.bmp
WP32 - Hidden File: C:\WINDOWS\{DA988749-A1CE-460A-82E1-8B94EE0CEF27}.dat
WP32 - Hidden File: C:\WINDOWS\system32\cdplayer.exe.manifest
WP32 - Hidden File: C:\WINDOWS\system32\config\default.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\default.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\SAM.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\SECURITY.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\software.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\software.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\system.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\system.tmp.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\TempKey.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\userdiff.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\userdifr.LOG
WP32 - Hidden File: C:\WINDOWS\system32\logonui.exe.manifest
WP32 - Hidden File: C:\WINDOWS\system32\ncpa.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\system32\nwc.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\system32\Restore\filelist.xml
WP32 - Hidden File: C:\WINDOWS\system32\sapi.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\system32\WindowsLogon.manifest
WP32 - Hidden File: C:\WINDOWS\system32\wuaucpl.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\system32\{AE65161B-21FA-412F-81C2-23B1CCEC97CB}.dat
WP32 - Hidden File: C:\Program Files\Common Files\Symantec Shared\CommonClient.dat
WP32 - Hidden File: C:\Program Files\Common Files\Symantec Shared\CommonClient_old.dat
WP32 - Hidden File: C:\Program Files\Common Files\Symantec Shared\IAM.dat
WP32 - Hidden File: C:\Program Files\Common Files\Symantec Shared\IAM_old.dat
WP32 - Hidden File: C:\Program Files\Common Files\Symantec Shared\{F093D63E-BE8E-4AD3-B2C4-7519ACDEB6BE}.dat

WP33 - File Type .AVI: [Video Clip]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:8 /Open %L
WP33 - File Type .BAT: [MS-DOS Batch File]%1 %*
WP33 - File Type .CAB: [WinZip File]C:\PROGRA~1\WINZIP\winzip32.exe %1
WP33 - File Type .CAT: [Security Catalog]rundll32.exe cryptext.dll,CryptExtOpenCAT %1
WP33 - File Type .CHM: [Compiled HTML Help file]C:\WINDOWS\hh.exe %1
WP33 - File Type .COM: [MS-DOS Application]%1 %*
WP33 - File Type .CMD: [Windows NT Command Script]%1 %*
WP33 - File Type .CSS: [Cascading Style Sheet Document]C:\PROGRA~1\MICROS~2\Office10\FRONTPG.EXE %1
WP33 - File Type .DOC: [Microsoft Word Document]C:\Program Files\Microsoft Office\Office10\WINWORD.EXE /n /dde
WP33 - File Type .DOC: [Microsoft Word Document]C:\Program Files\Microsoft Office\Office10\WINWORD.EXE /n /dde
WP33 - File Type .EML: [Internet E-Mail Message]C:\Program Files\Outlook Express\msimn.exe /eml:%1
WP33 - File Type .EXE: [Application]%1 %*
WP33 - File Type .INF: [Setup Information]C:\WINDOWS\System32\NOTEPAD.EXE %1
WP33 - File Type .JS: [JScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .LOG: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .MSI: [Windows Installer Package]C:\WINDOWS\System32\msiexec.exe /i %1 %*
WP33 - File Type .MSG: [Outlook Item]C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE /f %1
WP33 - File Type .MID: [Winamp media file]C:\Program Files\Winamp\Winamp.exe %1
WP33 - File Type .MP3: [Winamp media file]C:\Program Files\Winamp\Winamp.exe %1
WP33 - File Type .PIF: [Shortcut to MS-DOS Program]%1 %*
WP33 - File Type .RAM: [RealPlayer Presentation]C:\Program Files\Real\RealOne Player\RealPlay.exe %1
WP33 - File Type .REG: [Registration Entries]regedit.exe %1
WP33 - File Type .RTF: [Rich Text Format]C:\Program Files\Microsoft Office\Office10\WINWORD.EXE /n /dde
WP33 - File Type .SBS: [Spyware supplemental file]C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe %1
WP33 - File Type .SCR: [Screen Saver]%1 /S
WP33 - File Type .TXT: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .URL: [Internet Shortcut]rundll32.exe shdocvw.dll,OpenURL %l
WP33 - File Type .VBS: [VBScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .VBE: [VBScript Encoded Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSF: [Windows Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSH: [Windows Script Host Settings File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .XLS: [Microsoft Excel Worksheet]C:\Program Files\Microsoft Office\Office10\EXCEL.EXE /e

Memory currently in use: 71%
Physical Memory Free: 102,676 KB
Paging File Free: 520,404 KB
Virtual Memory Free: 2,054,544 KB


--
End of file
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm
Top

Unread postby beynac » October 27th, 2007, 11:45 am

Well done! :) I can't find any information about bcod.exe either. There's a couple of 'nasties' showing in the log but I think that there's a bit more to this. We'll try another tool (ComboFix) which should tell us a bit more about what's going on. Hopefully, it will run OK - let me know if it doesn't. First, we need to disable Spybot's TeaTimer as it may prevent us from fixing things.

----------------------------------------------------------

Spybot's TeaTimer

We must disable TeaTimer as it may interfere with our fix. This is a two step process.
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have Version 1.5
    • Click once on Resident Protection
    • Right-click the Spybot icon again and make sure Resident Protection is now Unchecked
    • The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4
    • Click on Exit Spybot S&D Resident
  • For either version, complete the following steps:
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • Then click Resident shows a red/white shield.
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect
Important: Please make sure that TeaTimer remains disabled until we have cleaned the computer.

----------------------------------------------------------

ComboFix by sUBs

Important: If you already have ComboFix on your computer, please delete it and download the latest version.
  • Download this file - ComboFix.exe. (Please save it on your desktop).
  • Close all open windows.
  • Double click ComboFix.exe and follow the prompts.
  • When finished, it will produce a log for you. Please post that log in your next reply
Important: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall

If necessary, please split the log into separate posts to ensure that they don't get cut off. It is important that I see the full log.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

---------------------------------------------------------

Please post the ComboFix log or let me know if it won't run.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
Top

Unread postby beynac » October 27th, 2007, 1:52 pm

I've been doing a bit more research and I'd like you to run the following program, if you can, in addition to ComboFix (as in the above post).

Rootkit Revealer
  • Create a new folder, named RKR, in the root of your main drive (usually Local Disk (C:\)
  • Download Rootkit Revealer from here
  • Unzip (extract) RootkitRevealer.zip to the new folder
  • Go to Start=>Run, enter C:\RKR\RootkitRevealer.exe, then click OK
  • Close all other windows and click on the Scan button
  • Important: Leave the computer idle while the scan runs.
  • When the Scan is finished, click on File=>Save... to save the text file to the C:\RKR\ folder
--------------------------------------

Please post the ComboFix log and the Rootkit Revealer log, if they run.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
Top

Unread postby andorusan » October 27th, 2007, 7:53 pm

Howdy,

Here's the combofix log

More thanks than I can express. Steak and cold beer await - I'll do the second task later tonight.

ComboFix 07-10-26.4 - User 2007-10-27 17:36:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.91 [GMT -6:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\User\Application Data\rbap450.dll
C:\Documents and Settings\User\Application Data\rbmysql450.DLL
C:\Documents and Settings\User\Application Data\rbqt450.DLL
C:\Program Files\eqarticle
C:\WINDOWS\Fonts\acrsecI.fon

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-27 17:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 07:42 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-27 07:42 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-27 07:42 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-27 07:42 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-27 07:42 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-27 07:42 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-27 07:42 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-27 07:42 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-27 07:03 <DIR> d-------- C:\Program Files\BillP Studios
2007-10-27 06:49 <DIR> d-------- C:\Documents and Settings\User\Application Data\WinPatrol
2007-10-26 18:39 <DIR> d-------- C:\Program Files\Video Piggy
2007-10-26 18:39 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-10-26 18:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-23 19:09 <DIR> d-------- C:\Documents and Settings\User\.jpi_cache
2007-10-23 19:09 <DIR> d-------- C:\Documents and Settings\User\.housecall6.6
2007-10-23 15:46 <DIR> d-------- C:\Program Files\a-squared Free
2007-10-23 15:19 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2007-10-03 17:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-03 15:34 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-03 15:34 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-03 14:24 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-10-03 14:24 <DIR> d-------- C:\Documents and Settings\User\Contacts
2007-10-03 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-10-03 14:22 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-10-03 14:20 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 10:37 --------- d-----w C:\Documents and Settings\User\Application Data\SiteAdvisor
2007-10-24 20:18 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-24 20:16 --------- d-----w C:\Program Files\Google
2007-10-23 21:13 --------- d-----w C:\Program Files\Napster
2007-10-23 21:13 --------- d-----w C:\Program Files\McAfee
2007-10-23 01:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-20 19:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-20 19:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-10-20 19:27 --------- d-----w C:\Program Files\Common Files\McAfee
2007-10-20 19:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-20 19:23 --------- d-----w C:\Program Files\SiteAdvisor
2007-10-03 20:23 --------- d-----w C:\Program Files\Real
2007-10-03 20:21 --------- d-----w C:\Program Files\MSN Messenger
2007-10-01 00:07 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2006-08-10 01:45 50,688 ---ha-w C:\Documents and Settings\User\Application Data\MBSWinPlugin.dll
2006-08-10 01:45 34,304 ---ha-w C:\Documents and Settings\User\Application Data\MBSCalcPlugin.dll
2006-08-10 01:45 31,744 ---ha-w C:\Documents and Settings\User\Application Data\MBSQTFileTransferPlugin.dll
2006-08-10 01:45 31,232 ---ha-w C:\Documents and Settings\User\Application Data\MBSProcessPlugin.dll
2006-08-10 01:45 29,184 ---ha-w C:\Documents and Settings\User\Application Data\BoxControl.DLL
2006-08-10 01:45 26,624 ---ha-w C:\Documents and Settings\User\Application Data\MBSUsernamePlugin.dll
2006-08-10 01:45 26,112 ---ha-w C:\Documents and Settings\User\Application Data\MBSRegistrationPlugin.dll
2006-08-10 01:45 18,432 ---ha-w C:\Documents and Settings\User\Application Data\EHEncrypt.dll
2006-03-19 00:55 25,944 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2005-01-30 13:17 447 ----a-w C:\Program Files\INSTALL.LOG
2005-01-03 01:03 72 ----a-w C:\Documents and Settings\User\Application Data\tvmcwrd.dll
2005-01-03 01:03 44 ----a-w C:\Documents and Settings\User\Application Data\tvmuknwrd.dll
2004-12-04 02:55 7,626 ----a-w C:\Program Files\Account Pro2004.tra
2004-10-30 12:27 246 ----a-w C:\Program Files\Account ProTEST2.tra
2004-10-30 11:51 656 ----a-w C:\Program Files\Account Protest.tra
2003-08-24 13:18:55 32 --sha-w C:\WINDOWS\{DA988749-A1CE-460A-82E1-8B94EE0CEF27}.dat
2003-08-24 13:18:55 32 --sha-w C:\WINDOWS\system32\{AE65161B-21FA-412F-81C2-23B1CCEC97CB}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" []
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 02:40]
"SiS Tray"="" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 03:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-21 18:38]
"RebateNation0"="C:\Program Files\Rebate_Nation\RebateNation0.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Motive SmartBridge"="C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" [2004-10-22 01:13]
"StandardInstall"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 22:31]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 06:05]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-07-24 14:28]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 10:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 21:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-08-26 07:44:19]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-15 15:19:24]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2004-04-27 07:03:44]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 11:01:04]
NetAssistant.lnk - C:\Program Files\NetAssistant\bin\matcli.exe [2005-01-30 07:27:40]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-08-10 19:38:09]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSFIE]
@="Service"

S2 MSFIE;MainSafe Service;C:\WINDOWS\system32\mainsafe.exe C:\WINDOWS\system32\mainsafe.empty.ini
S3 MSFIEDrv1;MSFIEDrv1;\??\C:\WINDOWS\system32\mxdefdrv.sys
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 23:11:07 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2006-07-31 09:53:58 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-02-01 08:02:15 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 17:46:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-27 17:48:46 - machine was rebooted
.
--- E O F ---
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm
Top

Unread postby andorusan » October 28th, 2007, 7:53 am

5 times tries I tried to run rootkitrevealer and my computer crashed every time - always at the same place.

I don't know if this is useful info but here are a couple of error reports:

C:\DOCUME~1\User\LOCALS~1\Temp\WER12dc.dir00\Mini102707-02.dmp
C:\DOCUME~1\User\LOCALS~1\Temp\WER12dc.dir00\sysdata.xml

BCCode : 50 BCP1 : E435A000 BCP2 : 00000001 BCP3 : 805D7A1C
BCP4 : 00000001 OSVer : 5_1_2600 SP : 2_0 Product : 256_1

C:\DOCUME~1\User\LOCALS~1\Temp\WER9668.dir00\Mini102707-05.dmp
C:\DOCUME~1\User\LOCALS~1\Temp\WER9668.dir00\sysdata.xml

BCCode : 50 BCP1 : E41ED000 BCP2 : 00000001 BCP3 : 805D7A1C
BCP4 : 00000001 OSVer : 5_1_2600 SP : 2_0 Product : 256_1

Also, whenever my computer boots up I get this new message:

SmartBridge Alerts: MotiveSB.exe – Entry Point Not Found

The procedure entry point GetProcessImageFileNameW could not be located in the dynamic link library PSAPI.DLL

...And yet this morning my computer was running faster than I can remember! Hmmmm...

Looking forward to your replay,

Andrew
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm
Top

Unread postby beynac » October 28th, 2007, 8:09 am

Hi Andrew.

Don't worry about the Rootkit Revealer scan at the moment. It's possible that malware is preventing that running. It could also be responsible for the problems with HijackThis and SmartBridge. However, I have seen something about a similar problem with SmartBridge so that could be unrelated (I'll look into it). I suggest that we fix the things which ComboFix found and then see how things are.

-----------------------------------------------------

Open Notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\mainsafe.exe
C:\WINDOWS\system32\mainsafe.empty.ini
C:\WINDOWS\system32\mxdefdrv.sys

Folder::
C:\Program Files\Trend Micro\HijackThis

Driver::
MSFIE
MSFIEDrv1

Registry::

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSFIE]


Save this on your Desktop as CFScript.txt

Image
ComboFix should also be on your Desktop. Referring to the picture above, drag CFScript.txt into ComboFix.exe. ComboFix will then run. When finished, it will produce a log (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running as this may cause it to stall.

------------------------------------------------

HijackThis

I'm hoping that HijackThis will install and run now. I've flagged the HijackThis folder to be deleted by ComboFix. Please delete the previous installation file if it's still on your desktop. I want to make sure that we have a clean sheet for a re-install. If this still doesn't work, please run WinPatrol's Hijack Log again instead.

Please download HJTInstall.exe and save it to your desktop
  • Double click on the HJTInstall.exe icon on your desktop
  • Click I Accept
  • HijackThis will open
  • Click on the Do a system scan and save a log file button.
  • It will scan and then the log will open in notepad.
  • Paste the log as a reply to this thread.
  • Don't use the Analyse This button - its findings are dangerous if misinterpreted.
Do NOT have HijackThis fix anything yet.

---------------------------------------------

Please post the following, as a reply to this thread:
  • The ComboFix log
  • A HijackThis log or a WinPatrol Hijack log
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
Top

Unread postby andorusan » October 28th, 2007, 10:13 am

here's the combofix log

I couldn't open notepad for some reason but combofix seemed happy with word pad saved as a text file.

I was able to run a log with root kit revealer using only Hide Standard ...Files. I'll add it at the end.

ComboFix 07-10-26.4 - User 2007-10-28 7:43:45.2 - NTFSx86
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\mainsafe.empty.ini
C:\WINDOWS\system32\mainsafe.exe
C:\WINDOWS\system32\mxdefdrv.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Trend Micro\HijackThis
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MSFIE
-------\LEGACY_MSFIEDRV1
-------\MSFIE
-------\MSFIEDrv1


((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-28 )))))))))))))))))))))))))))))))
.

2007-10-27 18:52 <DIR> d-------- C:\RKR
2007-10-27 17:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 07:42 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-27 07:42 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-27 07:42 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-27 07:42 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-27 07:42 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-27 07:42 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-27 07:42 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-27 07:42 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-27 07:03 <DIR> d-------- C:\Program Files\BillP Studios
2007-10-27 06:49 <DIR> d-------- C:\Documents and Settings\User\Application Data\WinPatrol
2007-10-26 18:39 <DIR> d-------- C:\Program Files\Video Piggy
2007-10-26 18:39 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-10-26 18:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-23 19:09 <DIR> d-------- C:\Documents and Settings\User\.jpi_cache
2007-10-23 19:09 <DIR> d-------- C:\Documents and Settings\User\.housecall6.6
2007-10-23 15:46 <DIR> d-------- C:\Program Files\a-squared Free
2007-10-23 15:19 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2007-10-03 17:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-03 15:34 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-03 15:34 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-03 14:24 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-10-03 14:24 <DIR> d-------- C:\Documents and Settings\User\Contacts
2007-10-03 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-10-03 14:22 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-10-03 14:20 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-28 11:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-26 10:37 --------- d-----w C:\Documents and Settings\User\Application Data\SiteAdvisor
2007-10-24 20:18 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-24 20:16 --------- d-----w C:\Program Files\Google
2007-10-23 21:13 --------- d-----w C:\Program Files\Napster
2007-10-23 21:13 --------- d-----w C:\Program Files\McAfee
2007-10-23 01:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-20 19:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-20 19:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-10-20 19:27 --------- d-----w C:\Program Files\Common Files\McAfee
2007-10-20 19:23 --------- d-----w C:\Program Files\SiteAdvisor
2007-10-03 20:23 --------- d-----w C:\Program Files\Real
2007-10-03 20:21 --------- d-----w C:\Program Files\MSN Messenger
2007-10-01 00:07 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2006-08-10 01:45 50,688 ---ha-w C:\Documents and Settings\User\Application Data\MBSWinPlugin.dll
2006-08-10 01:45 34,304 ---ha-w C:\Documents and Settings\User\Application Data\MBSCalcPlugin.dll
2006-08-10 01:45 31,744 ---ha-w C:\Documents and Settings\User\Application Data\MBSQTFileTransferPlugin.dll
2006-08-10 01:45 31,232 ---ha-w C:\Documents and Settings\User\Application Data\MBSProcessPlugin.dll
2006-08-10 01:45 29,184 ---ha-w C:\Documents and Settings\User\Application Data\BoxControl.DLL
2006-08-10 01:45 26,624 ---ha-w C:\Documents and Settings\User\Application Data\MBSUsernamePlugin.dll
2006-08-10 01:45 26,112 ---ha-w C:\Documents and Settings\User\Application Data\MBSRegistrationPlugin.dll
2006-08-10 01:45 18,432 ---ha-w C:\Documents and Settings\User\Application Data\EHEncrypt.dll
2006-03-19 00:55 25,944 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2005-01-30 13:17 447 ----a-w C:\Program Files\INSTALL.LOG
2005-01-03 01:03 72 ----a-w C:\Documents and Settings\User\Application Data\tvmcwrd.dll
2005-01-03 01:03 44 ----a-w C:\Documents and Settings\User\Application Data\tvmuknwrd.dll
2004-12-04 02:55 7,626 ----a-w C:\Program Files\Account Pro2004.tra
2004-10-30 12:27 246 ----a-w C:\Program Files\Account ProTEST2.tra
2004-10-30 11:51 656 ----a-w C:\Program Files\Account Protest.tra
2003-08-24 13:18:55 32 --sha-w C:\WINDOWS\{DA988749-A1CE-460A-82E1-8B94EE0CEF27}.dat
2003-08-24 13:18:55 32 --sha-w C:\WINDOWS\system32\{AE65161B-21FA-412F-81C2-23B1CCEC97CB}.dat
.

((((((((((((((((((((((((((((( snapshot@2007-10-27_17.47.38.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-27 16:41:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-10-28 04:33:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-10-27 16:41:05 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-28 04:33:55 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-10-27 16:41:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-28 04:33:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" []
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 02:40]
"SiS Tray"="" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 03:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-21 18:38]
"RebateNation0"="C:\Program Files\Rebate_Nation\RebateNation0.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Motive SmartBridge"="C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" [2004-10-22 01:13]
"StandardInstall"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 22:31]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 06:05]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-07-24 14:28]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 10:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 21:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-08-26 07:44:19]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-15 15:19:24]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2004-04-27 07:03:44]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 11:01:04]
NetAssistant.lnk - C:\Program Files\NetAssistant\bin\matcli.exe [2005-01-30 07:27:40]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-08-10 19:38:09]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

S3 BLEUFWL;BLEUFWL;C:\DOCUME~1\User\LOCALS~1\Temp\BLEUFWL.exe
S3 JXTINIH;JXTINIH;C:\DOCUME~1\User\LOCALS~1\Temp\JXTINIH.exe
S3 QAL;QAL;C:\DOCUME~1\User\LOCALS~1\Temp\QAL.exe
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
S4 CHELA;CHELA;C:\DOCUME~1\User\LOCALS~1\Temp\CHELA.exe
S4 GVKST;GVKST;C:\DOCUME~1\User\LOCALS~1\Temp\GVKST.exe
S4 NAHDQXNQ;NAHDQXNQ;C:\DOCUME~1\User\LOCALS~1\Temp\NAHDQXNQ.exe
S4 ZEYMMJX;ZEYMMJX;C:\DOCUME~1\User\LOCALS~1\Temp\ZEYMMJX.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-28 13:11:05 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2006-07-31 09:53:58 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-02-01 08:02:15 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-28 07:49:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-28 7:51:56 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-27 17:48
.
--- E O F ---


Here is the rootkit revealer log:

C:\Documents and Settings\User\My Documents\Andrew\killdevil\kill2\1\Thumbs.db:encryptable 10/13/2007 9:17 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\User\My Documents\Andrew\killdevil\kill2\2\Thumbs.db:encryptable 10/13/2007 9:17 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\User\My Documents\Andrew\killdevil\kill2\3\Thumbs.db:encryptable 10/13/2007 9:17 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\User\My Documents\Andrew\killdevil\kill2\4\Thumbs.db:encryptable 10/21/2007 3:31 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\User\My Documents\Andrew\killdevil\kill2\5\Thumbs.db:encryptable 10/13/2007 9:17 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\User\My Documents\Andrew\killdevil\kill2\6\Thumbs.db:encryptable 10/13/2007 9:17 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\User\My Documents\Andrew\killdevil\kill2\kitty\Thumbs.db:encryptable 10/13/2007 9:17 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\User\My Documents\Andrew\killdevil\kill2\Thumbs.db:encryptable 10/23/2007 7:18 PM 0 bytes Hidden from Windows API.

Thanks,

Andrew
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm
Top

Unread postby beynac » October 28th, 2007, 10:47 am

Hi Andrew.

It looks as if we're getting somewhere. :) Removing those services with ComboFix has uncovered some more which were being hidden. These would probably have shown up in a Rootkit Revealer scan if we had been able to run it earlier. Let's get rid of them and see how it looks.

Use Wordpad if you still have problems with Notepad. We'll have a look into that later.

----------------------------------------------------------------------

Open Notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\mainsafe.empty.ini
C:\WINDOWS\system32\mainsafe.exe
C:\WINDOWS\system32\mxdefdrv.sys
C:\DOCUME~1\User\LOCALS~1\Temp\BLEUFWL.exe
C:\DOCUME~1\User\LOCALS~1\Temp\JXTINIH.exe
C:\DOCUME~1\User\LOCALS~1\Temp\QAL.exe
C:\DOCUME~1\User\LOCALS~1\Temp\CHELA.exe
C:\DOCUME~1\User\LOCALS~1\Temp\GVKST.exe
C:\DOCUME~1\User\LOCALS~1\Temp\NAHDQXNQ.exe
C:\DOCUME~1\User\LOCALS~1\Temp\ZEYMMJX.exe

Driver::
BLEUFWL
JXTINIH
QAL
CHELA
GVKST
NAHDQXNQ
ZEYMMJX


Save this on your Desktop as CFScript.txt

Image
ComboFix should also be on your Desktop. Referring to the picture above, drag CFScript.txt into ComboFix.exe. ComboFix will then run. When finished, it will produce a log (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running as this may cause it to stall

-------------------------------------------------------------------

The Rootkit Revealer scan is showing some items in the folder C:\Documents and Settings\User\My Documents\Andrew\killdevil. The items themselves appear to be harmless, but do you know what this folder is?

Did you have any luck with HijackThis? It could be that it is saving a log but cannot open Notepad. If you have managed to install it, please run a scan and post the log. If you don't get a log please click on Start > My Computer and navigate to the folder C:\Program Files\Trend Micro\HijackThis and see if there is a file hijackthis.log. If there is, please open it with Wordpad and post the contents. Please let me know how you get on.

------------------------------------------------------------------

Please post the following:
  • The ComboFix log
  • A HijackThis log (if you can get one) or a WinPatrol Hijack log (if not)
Please also let me know about the "killdevil" folder.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
Top

Unread postby andorusan » October 28th, 2007, 4:26 pm

Howdy beynac,

I was able to run the combo fix but couldn't run hijackthis. Win patrol will start up but it doesn't want to give me a log.

The Killdevil was a philosophy forum I used to belong to. There is a folder of photographs contained within. I noticed there seemed to be a number of programs - I don't think I need these and wouldn't mind deleting them.

I'll keep teying to get a winfix log.

Thanks, Andrew

here's the log from combo fix:

ComboFix 07-10-26.4 - User 2007-10-28 13:58:35.3 - NTFSx86
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript_used_2007-10-28@7.43.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\mainsafe.empty.ini
C:\WINDOWS\system32\mainsafe.exe
C:\WINDOWS\system32\mxdefdrv.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Trend Micro\HijackThis
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-28 )))))))))))))))))))))))))))))))
.

2007-10-28 13:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-27 18:52 <DIR> d-------- C:\RKR
2007-10-27 17:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 07:42 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-27 07:42 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-27 07:42 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-27 07:42 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-27 07:42 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-27 07:42 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-27 07:42 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-27 07:42 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-27 07:03 <DIR> d-------- C:\Program Files\BillP Studios
2007-10-27 06:49 <DIR> d-------- C:\Documents and Settings\User\Application Data\WinPatrol
2007-10-26 18:39 <DIR> d-------- C:\Program Files\Video Piggy
2007-10-26 18:39 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-10-23 19:09 <DIR> d-------- C:\Documents and Settings\User\.jpi_cache
2007-10-23 19:09 <DIR> d-------- C:\Documents and Settings\User\.housecall6.6
2007-10-23 15:46 <DIR> d-------- C:\Program Files\a-squared Free
2007-10-23 15:19 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2007-10-03 17:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-03 15:34 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-03 15:34 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-03 14:24 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-10-03 14:24 <DIR> d-------- C:\Documents and Settings\User\Contacts
2007-10-03 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-10-03 14:22 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-10-03 14:20 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-28 11:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-26 10:37 --------- d-----w C:\Documents and Settings\User\Application Data\SiteAdvisor
2007-10-24 20:18 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-24 20:16 --------- d-----w C:\Program Files\Google
2007-10-23 21:13 --------- d-----w C:\Program Files\Napster
2007-10-23 21:13 --------- d-----w C:\Program Files\McAfee
2007-10-23 01:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-20 19:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-20 19:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-10-20 19:27 --------- d-----w C:\Program Files\Common Files\McAfee
2007-10-20 19:23 --------- d-----w C:\Program Files\SiteAdvisor
2007-10-03 20:23 --------- d-----w C:\Program Files\Real
2007-10-03 20:21 --------- d-----w C:\Program Files\MSN Messenger
2007-10-01 00:07 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-14 00:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-14 00:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-14 00:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-14 00:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-14 00:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-14 00:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-14 00:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-14 00:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-14 00:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2007-07-31 01:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 01:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 01:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 01:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 01:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 01:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 01:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 01:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2006-08-10 01:45 50,688 ---ha-w C:\Documents and Settings\User\Application Data\MBSWinPlugin.dll
2006-08-10 01:45 34,304 ---ha-w C:\Documents and Settings\User\Application Data\MBSCalcPlugin.dll
2006-08-10 01:45 31,744 ---ha-w C:\Documents and Settings\User\Application Data\MBSQTFileTransferPlugin.dll
2006-08-10 01:45 31,232 ---ha-w C:\Documents and Settings\User\Application Data\MBSProcessPlugin.dll
2006-08-10 01:45 29,184 ---ha-w C:\Documents and Settings\User\Application Data\BoxControl.DLL
2006-08-10 01:45 26,624 ---ha-w C:\Documents and Settings\User\Application Data\MBSUsernamePlugin.dll
2006-08-10 01:45 26,112 ---ha-w C:\Documents and Settings\User\Application Data\MBSRegistrationPlugin.dll
2006-08-10 01:45 18,432 ---ha-w C:\Documents and Settings\User\Application Data\EHEncrypt.dll
2006-03-19 00:55 25,944 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2005-01-30 13:17 447 ----a-w C:\Program Files\INSTALL.LOG
2005-01-03 01:03 72 ----a-w C:\Documents and Settings\User\Application Data\tvmcwrd.dll
2005-01-03 01:03 44 ----a-w C:\Documents and Settings\User\Application Data\tvmuknwrd.dll
2004-12-04 02:55 7,626 ----a-w C:\Program Files\Account Pro2004.tra
2004-10-30 12:27 246 ----a-w C:\Program Files\Account ProTEST2.tra
2004-10-30 11:51 656 ----a-w C:\Program Files\Account Protest.tra
2003-08-24 13:18:55 32 --sha-w C:\WINDOWS\{DA988749-A1CE-460A-82E1-8B94EE0CEF27}.dat
2003-08-24 13:18:55 32 --sha-w C:\WINDOWS\system32\{AE65161B-21FA-412F-81C2-23B1CCEC97CB}.dat
.

((((((((((((((((((((((((((((( snapshot@2007-10-27_17.47.38.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-27 16:41:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-10-28 16:30:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-10-27 16:41:05 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-28 16:30:36 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-10-27 16:41:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-28 16:30:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" []
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 02:40]
"SiS Tray"="" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 03:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-21 18:38]
"RebateNation0"="C:\Program Files\Rebate_Nation\RebateNation0.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Motive SmartBridge"="C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" [2004-10-22 01:13]
"StandardInstall"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 22:31]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 06:05]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-07-24 14:28]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 10:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 21:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-08-26 07:44:19]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-15 15:19:24]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2004-04-27 07:03:44]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 11:01:04]
NetAssistant.lnk - C:\Program Files\NetAssistant\bin\matcli.exe [2005-01-30 07:27:40]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-08-10 19:38:09]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

S3 BLEUFWL;BLEUFWL;C:\DOCUME~1\User\LOCALS~1\Temp\BLEUFWL.exe
S3 JXTINIH;JXTINIH;C:\DOCUME~1\User\LOCALS~1\Temp\JXTINIH.exe
S3 QAL;QAL;C:\DOCUME~1\User\LOCALS~1\Temp\QAL.exe
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
S4 CHELA;CHELA;C:\DOCUME~1\User\LOCALS~1\Temp\CHELA.exe
S4 GVKST;GVKST;C:\DOCUME~1\User\LOCALS~1\Temp\GVKST.exe
S4 NAHDQXNQ;NAHDQXNQ;C:\DOCUME~1\User\LOCALS~1\Temp\NAHDQXNQ.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-28 19:11:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2006-07-31 09:53:58 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-02-01 08:02:15 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-28 14:02:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-28 14:03:24
C:\ComboFix2.txt ... 2007-10-28 07:51
C:\ComboFix3.txt ... 2007-10-27 17:48
.
--- E O F ---
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm
Top
Advertisement
Register to Remove
Next
Topic locked
  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 157 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index