Troj Win32.Qhost.r & Troj.JS.Redirector.b [RESOLVED]

#46 SHILORAVINN (Topic Starter, Member, 44 posts)
Stamper -

Problem! I tried to run the scan and here is what I got:

Warning! Error using list of user profiles. You may not have access rights to the whole registry.
Fatal! Unable to open any local hard drives. Disk scan may not be supported on this version of Windows.

:)
#47 Stamper19 (Trusted Helper, Retired Staff, 1,991 posts)
Hmmm....is there another account with Administrator access that you can log in with? If so, try doing that and running the scan from that account.
#48 SHILORAVINN (Topic Starter, Member, 44 posts)
Stamper -

When I sign on the only account that comes up is SHILO/Administrator. Also, when I look in User Accounts, the only account there is SHILO/Admin and it has Guest (account is off).

When I explore C: Docs & Settings, I see the following:
Admin
All Users
Default User
Owner
TEST (this is the last one set up that I use)

These have me confused - are these accounts too?
#49 Stamper19 (Trusted Helper, Retired Staff, 1,991 posts)
No, looks like you are on the admin account. Let's try another scanner and see how it does.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Edited by Stamper19, 30 March 2008 - 08:57 PM.

#50 SHILORAVINN (Topic Starter, Member, 44 posts)
Malwarebytes' Anti-Malware 1.09
Database version: 572

Scan type: Quick Scan
Objects scanned: 31392
Time elapsed: 7 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
#51 Stamper19 (Trusted Helper, Retired Staff, 1,991 posts)
Log looks clean (which is a good thing). Let's try one more scan.

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close any open browsers.
  • If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • In the Rootkit Search box click Yes.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the notepad file here.

Edited by Stamper19, 31 March 2008 - 06:21 AM.

#52 SHILORAVINN (Topic Starter, Member, 44 posts)
Hi Stamper19!

I ran the OTScanit and attached is the log. I just wanted to verify that the only setting I was to change was to check RootKit. The other settings said to scan only Non Microsoft, the Scan All Users was NOT checked, and also only files created in last 30 days were scanned. Just wanted to verify. Thanks!

#53 SHILORAVINN (Topic Starter, Member, 44 posts)
The main reason I asked that was because the scan took only a few seconds!
#54 Stamper19 (Trusted Helper, Retired Staff, 1,991 posts)
Hi Shiloravinn,

You did everything correctly :)

Let's try one final thing.

First, log into the administrator account (your usual account) in safe mode. To enter safe mode restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Once you are in safe mode, create a new account with full administrative rights. Reboot (to normal mode) and log in under the new account. Next we are going to run OTScanIt again. Follow all the instructions for running it as you did previously, but also check the following: under Files Modified Within select 90 days; in the three top boxes (Processes, Services, Drivers) select All; next to the Run Scan button select Scan All Users.

Let's see if that gives us anything.
#55 SHILORAVINN (Topic Starter, Member, 44 posts)
Hi Stamper19,

When I Safe boot, there are two accounts that come up: Administrative and SHILO but only SHILO during Normal boot.

I set up a new account named Stamper19 - fitting don't ya think! When I tried to run OTScanit, I got the following errors: "Error loading process libraries!" and when I hit Abort (on that little error screen) another popped up with: Invalid class string.

Thanks!
#56 Stamper19 (Trusted Helper, Retired Staff, 1,991 posts)
I set up a new account named Stamper19 - fitting don't ya think!
A most excellent name! :)

When I tried to run OTScanit, I got the following errors: "Error loading process libraries!" and when I hit Abort (on that little error screen) another popped up with: Invalid class string.
Try deleting it and redownloading it.
#57 SHILORAVINN (Topic Starter, Member, 44 posts)
Hi Stamper!

I deleted OTScan and downloaded again, same error messages. So just to check, I tried to run it on my SHILO account and it started to run (I aborted).

I thought you would like the name! LOL :)
#58 Stamper19 (Trusted Helper, Retired Staff, 1,991 posts)
Hey Shilo,

Try running combofix under the new account that you created. Let's see if that works.
#59 SHILORAVINN (Topic Starter, Member, 44 posts)
ComboFix 08-04-01.2 - STAMPER19 2008-04-01 14:31:10.2 - NTFSx86
Running from: C:\Documents and Settings\STAMPER19\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-03-31 16:56 . 2008-03-31 16:56 <DIR> dr-h-c--- C:\Documents and Settings\STAMPER19\Application Data\yahoo!
2008-03-31 16:54 . 2008-03-31 16:54 <DIR> d----c--- C:\Documents and Settings\STAMPER19\Application Data\Grisoft
2008-03-31 16:54 . 2008-04-01 08:00 <DIR> d----c--- C:\Documents and Settings\STAMPER19\Application Data\AVG7
2008-03-31 16:52 . 2002-03-09 12:59 <DIR> d----c--- C:\Documents and Settings\STAMPER19\WINDOWS
2008-03-31 16:52 . 2002-03-09 12:58 <DIR> d----c--- C:\Documents and Settings\STAMPER19\Application Data\Symantec
2008-03-30 20:27 . 2008-03-30 20:27 <DIR> d-------- C:\Program Files\Sophos
2008-03-29 15:57 . 2008-03-29 15:57 <DIR> d----c--- C:\_OTMoveIt
2008-03-27 19:21 . 2008-03-27 19:21 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-27 19:15 . 2008-03-27 19:39 <DIR> d----c--- C:\SDFix
2008-03-27 18:56 . 2008-04-01 08:00 <DIR> d-------- C:\Documents and Settings\TEST\Application Data\AVG7
2008-03-27 18:55 . 2008-03-27 18:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-27 18:14 . 2008-03-28 08:00 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-26 22:47 . 2008-03-26 22:47 <DIR> d----c--- C:\HostsXpert 4.2 - Hosts File Manager
2008-03-26 22:09 . 2008-03-26 22:09 4,172 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-03-26 18:37 . 2008-03-26 18:37 <DIR> d----c--- C:\Deckard
2008-03-22 21:15 . 2008-03-22 21:15 <DIR> d-------- C:\Documents and Settings\TEST\Application Data\Grisoft
2008-03-22 21:14 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-03-22 20:16 . 2008-03-28 12:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-03-22 20:16 . 2008-03-28 11:57 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-03-22 17:00 . 2008-03-28 12:05 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-22 17:00 . 2008-03-22 17:00 <DIR> d-------- C:\Documents and Settings\TEST\Application Data\SUPERAntiSpyware.com
2008-03-22 17:00 . 2008-03-22 17:00 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-22 16:59 . 2008-03-22 16:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 01:24 . 2008-03-22 01:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-03-22 01:24 . 2008-03-22 01:24 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-22 01:14 . 2008-03-22 01:14 <DIR> d-------- C:\Documents and Settings\TEST\Application Data\Malwarebytes
2008-03-22 01:12 . 2008-03-22 01:13 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-22 01:12 . 2008-03-22 01:12 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-21 23:41 . 2008-03-29 20:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-21 23:41 . 2008-03-21 23:41 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-21 11:37 . 2008-03-21 11:39 <DIR> d-------- C:\Program Files\Shop'NCook 3.4
2008-03-21 11:36 . 2008-03-21 11:37 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{339435FA-E925-4791-9BFE-65E5B24DD2F3}
2008-03-20 15:56 . 2008-03-20 15:56 63,488 --a------ C:\WINDOWS\xobglu16.dll
2008-03-20 15:56 . 2008-03-20 15:56 23,552 --a------ C:\WINDOWS\xobglu32.dll
2008-03-06 20:30 . 2008-03-28 12:04 <DIR> d-------- C:\Program Files\QuickTime
2008-03-06 20:30 . 2008-03-06 20:30 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-06 20:29 . 2008-03-06 20:29 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-06 20:29 . 2008-03-06 20:29 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 20:52 --------- d-----w C:\Program Files\Web Publish
2008-03-28 16:04 --------- d-----w C:\Program Files\Windows Defender
2008-03-28 16:03 --------- d-----w C:\Program Files\palmOne
2008-03-28 16:03 --------- d-----w C:\Program Files\Google
2008-03-27 22:54 --------- dc----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-22 05:00 --------- d-----w C:\Program Files\Macrogaming
2008-03-22 03:44 1,411 ----a-w C:\Program Files\Solitaire.lnk
2008-03-22 03:25 --------- d-----w C:\Documents and Settings\TEST\Application Data\Talkback
2008-03-22 02:38 --------- d-----w C:\Program Files\Microsoft Picture It! 2002
2008-03-22 02:14 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-22 02:14 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-18 02:45 --------- d-----w C:\Program Files\Java
2008-03-15 20:57 --------- d-----w C:\Documents and Settings\TEST\Application Data\ZoomBrowser EX
2008-03-15 20:56 --------- dc----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-03-14 04:35 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-16 05:00 --------- d-----w C:\Program Files\Folder Lock
2008-02-13 06:39 --------- d-----w C:\Program Files\Modem Helper
2008-02-13 06:39 --------- d-----w C:\Program Files\Microsoft Money 2006
2008-02-13 04:56 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Talkback
2008-02-13 04:48 --------- d-----w C:\Program Files\Winkflash
2008-02-13 04:43 --------- d-----w C:\Program Files\Serif
2008-02-13 04:40 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-02-07 23:38 --------- d-----w C:\Program Files\Windows Live
2008-02-07 23:37 --------- dc----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-08-02 04:30 218,688 ----a-w C:\Documents and Settings\TEST\Application Data\GDIPFONTCACHEV1.DAT
2007-07-11 17:21 769,536 ----a-w C:\Documents and Settings\TEST\Application Data\sfdnwin.dll
2002-04-15 01:32 8,981,440 -c--a-w C:\Program Files\ADOBE ACROBAT READER.exe
.

((((((((((((((((((((((((((((( [email protected]_19.30.59.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-28 01:41:54 63,016 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-03-31 20:56:24 63,016 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-03-28 01:41:54 402,406 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-03-31 20:56:24 402,406 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 19:25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zzzHPSETUP"="D:\Setup.exe" [ ]
"Name of App"="C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe" [2007-04-05 15:29 684118]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 17:24 54840]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 07:55 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-17 21:49 180269]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-27 18:57 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-27 18:55 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-22 23:26 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]
backup=C:\WINDOWS\pss\Camio Viewer 2000.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Internet Answering Machine.lnk]
backup=C:\WINDOWS\pss\Internet Answering Machine.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^SHILO^Start Menu^Programs^Startup^Forget Me Not.lnk]
backup=C:\WINDOWS\pss\Forget Me Not.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHQInit]
--a------ 2001-03-27 21:00 102400 C:\Program Files\Creative\SBLive\Program\AHQInit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTouch]
--a------ 2001-09-23 09:14 163840 C:\WINDOWS\DELLMMKB.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTWinModem1]
--a------ 2001-04-03 12:38 38912 C:\WINDOWS\SYSTEM32\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2001-08-16 23:41 28738 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-11-17 21:49 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--a------ 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"NVSvc"=2 (0x2)
"Nhksrv"=2 (0x2)
"ImapiService"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\palmOne\\HOTSYNC.EXE"=
"C:\\WINDOWS\\SYSTEM32\\java.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Web Publish\\WPWIZ.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 11:01:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2005-05-08 04:45:13 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1099011333.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2008-04-01 07:01:29 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-01 11:13:22 C:\WINDOWS\Tasks\User_Feed_Synchronization-{B2BEDA78-5451-42BF-80D9-711A639D1A74}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 14:38:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\3.tmp"
.
Completion time: 2008-04-01 14:42:51
ComboFix-quarantined-files.txt 2008-04-01 18:41:49
ComboFix2.txt 2008-03-28 23:32:29
Pre-Run: 9,389,899,776 bytes free
Post-Run: 9,390,665,728 bytes free
.
2008-03-28 04:04:17 --- E O F ---
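As an added example (not part of this thread and not ComboFix's own code): a small Python triage helper for the "Reg Loading Points" section of a ComboFix log like the one posted above. It parses each Run value and flags entries where ComboFix printed "[ ]" (no file found on disk at scan time, as with zzzHPSETUP and ISTray here) and entries that launch from a drive other than C:. The sample lines are constructed from the log above; the two flag rules are my own heuristics, not something ComboFix reports.

```python
import re

# Constructed sample in the shape of the "Reg Loading Points" section of the
# ComboFix log posted above: a hive header in brackets, then one line per value
# as "name"="path" [date time size]; "[ ]" means ComboFix found no such file.
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zzzHPSETUP"="D:\Setup.exe" [ ]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-27 18:57 579072]
"""

HIVE_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="([^"]*)"\s*\[(.*)\]$')
META_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+)$")


def parse_loading_points(text):
    """Return one dict per autostart value: hive, name, path, mtime, size.

    mtime/size are None when ComboFix printed "[ ]", i.e. the file the
    Run value points at was not present on disk when the scan ran.
    """
    entries = []
    hive = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HIVE_RE.match(line)
        if m:
            hive = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or hive is None:
            continue
        name, path, meta = m.groups()
        meta_m = META_RE.match(meta.strip())
        entries.append({
            "hive": hive,
            "name": name,
            "path": path,
            "mtime": f"{meta_m.group(1)} {meta_m.group(2)}" if meta_m else None,
            "size": int(meta_m.group(3)) if meta_m else None,
        })
    return entries


def triage(entries):
    """Heuristic review flags (mine, not ComboFix's): dangling entries whose
    file is missing, and entries that launch from outside the system drive."""
    flagged = []
    for e in entries:
        reasons = []
        if e["size"] is None:
            reasons.append("file not found at scan time")
        if not e["path"].upper().startswith("C:\\"):
            reasons.append("launches from a non-system drive")
        if reasons:
            root_hive = e["hive"].split("\\")[0]
            flagged.append((root_hive, e["name"], e["path"], reasons))
    return flagged


if __name__ == "__main__":
    for hive, name, path, reasons in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{hive} {name} -> {path}: {'; '.join(reasons)}")
```

A dangling Run value is usually leftover from an uninstalled or removed program, but it is also where a removed dropper leaves its trace, so it is worth listing alongside anything that autostarts from removable media.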
#60 Stamper19 (Trusted Helper, Retired Staff, 1,991 posts)
Hi Shilo,

Well, combofix ran, but nothing new in the logs. At this point everything we have run has come up clean, even though we are seeing some errors in some of the scans. As such, it's time for us to consider other possible causes for the problems you are having, such as Windows XP issues or Hardware problems. Since these are not malware related the best thing to do is to post a new thread in the Windows XP forum here. Whereas my training is in dealing with malware, the techs in that forum are trained to handle Windows issues and will be better equipped to troubleshoot this problem. When you post your thread mention that you have been cleared of malware and feel free to refer them to this thread if they need to see what's been going on. Hopefully they will be able to get to the bottom of this.

You should clean up the tools that we downloaded as well. To do this do the following:

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OTMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


Let me know if you have any questions or if there is anything else I can do for you.

Cheers,
Stamper