Help ! automatic updates keep turning off [RESOLVED]


  • This topic is locked

#1
Rada

Rada

    New Member

  • Member
  • Pip
  • 2 posts
Hi, my computer recently started crashing, and every time I restart, my Automatic Updates are turned off. I did a HijackThis scan and also a ComboFix log. Here are the results (sorry for my bad English, hehe; any help would be much appreciated):


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:09 PM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [winsock32] C:\WINDOWS\system32:winsock32.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BM2fbc9fd5] Rundll32.exe "C:\WINDOWS\system32\yuoewkbs.dll",s
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....031/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15034/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ssqpPJCS - C:\WINDOWS\
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4400 bytes


ComboFix 08-06-20.4 - Rada 2008-06-30 16:46:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1634 [GMT -4:00]
Running from: C:\Documents and Settings\Rada\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM2fbc9fd5.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cpaougcl.ini
C:\WINDOWS\system32\dwpeuwml.ini
C:\WINDOWS\system32\fccywTJy.dll
C:\WINDOWS\system32\fifqogcv.ini
C:\WINDOWS\system32\fudgpjgj.ini
C:\WINDOWS\system32\iemhxgxy.ini
C:\WINDOWS\system32\myypsjxd.ini
C:\WINDOWS\system32\smerfxgd.ini
C:\WINDOWS\system32\tdcijbiw.ini
C:\WINDOWS\system32\yJTwyccf.ini
C:\WINDOWS\system32\yJTwyccf.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-30 16:53 . 2008-06-30 16:53 22 --a------ C:\WINDOWS\pskt.ini
2008-06-30 16:53 . 2008-06-30 16:53 0 --a------ C:\WINDOWS\BM2fbc9fd5.xml
2008-06-30 14:29 . 2008-06-30 14:29 81,920 --a------ C:\WINDOWS\system32\vcgoqfif.dll
2008-06-30 14:26 . 2008-06-30 14:26 91,136 --a------ C:\WINDOWS\system32\yuoewkbs.dll
2008-06-29 14:33 . 2008-06-29 15:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-29 14:33 . 2008-06-29 14:33 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-28 12:33 . 2008-06-28 12:33 90,624 --a------ C:\WINDOWS\system32\eaxkpxkd.dll
2008-06-27 12:33 . 2008-06-27 12:33 90,624 --a------ C:\WINDOWS\system32\emqipdrw.dll
2008-06-27 12:30 . 2008-06-27 12:30 91,648 --a------ C:\WINDOWS\system32\maoergaj.dll
2008-06-26 12:29 . 2008-06-26 12:29 91,648 --a------ C:\WINDOWS\system32\kfltoirn.dll
2008-06-25 16:38 . 2008-06-25 16:38 <DIR> d-------- C:\Program Files\Foxit Software
2008-06-24 23:00 . 2008-06-24 23:00 91,136 --a------ C:\WINDOWS\system32\icgldgkl.dll
2008-06-24 16:51 . 2008-06-24 16:51 <DIR> d-------- C:\Documents and Settings\Rada\Application Data\atitray
2008-06-24 16:39 . 2007-09-28 21:05 593,920 --a------ C:\WINDOWS\system32\ati2sgag.exe
2008-06-24 16:36 . 2008-06-24 16:36 <DIR> d-------- C:\Program Files\MultiRes
2008-06-24 16:35 . 2008-06-24 16:35 <DIR> d-------- C:\Program Files\Radeon Omega Drivers
2008-06-24 16:35 . 2008-06-24 16:35 472,576 --a------ C:\WINDOWS\Radeon Omega Drivers v4.8.442 Uninstall.exe
2008-06-24 16:10 . 2008-06-24 16:10 10 --a------ C:\WINDOWS\WININIT.INI
2008-06-20 03:02 . 2008-06-20 03:02 <DIR> d-------- C:\Documents and Settings\Rada\Application Data\CyberLink
2008-06-20 03:01 . 2008-06-20 03:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-06-19 22:24 . 2008-06-19 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2008-06-19 22:04 . 2008-06-19 22:24 24 ---hs---- C:\WINDOWS\SA67EF720.tmp
2008-06-16 02:30 . 2008-06-16 12:20 <DIR> d-------- C:\Documents and Settings\Rada\browser - logitech
2008-06-16 02:29 . 2008-06-16 02:29 <DIR> d-------- C:\Documents and Settings\Rada\logitech
2008-06-16 02:28 . 2008-06-16 02:28 <DIR> d-------- C:\Program Files\Common Files\Remote Control USB Driver
2008-06-13 22:30 . 2008-06-13 22:30 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-06-13 22:30 . 2008-06-13 22:47 <DIR> d-------- C:\Program Files\Multimedia Card Reader
2008-06-13 01:45 . 2008-06-13 01:45 60,416 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-13 01:40 . 2008-06-29 20:47 <DIR> d-------- C:\Documents and Settings\Rada\Application Data\mIRC
2008-06-12 12:18 . 2008-06-25 10:32 <DIR> d-------- C:\Documents and Settings\Rada\Application Data\skypePM
2008-06-12 12:18 . 2008-06-12 12:18 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-12 12:14 . 2008-06-12 12:14 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-06-12 12:14 . 2008-06-25 16:32 <DIR> d-------- C:\Documents and Settings\Rada\Application Data\Skype
2008-06-11 02:39 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 02:39 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-23 04:20 . 2008-06-26 16:40 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-23 02:54 . 2008-05-23 02:54 <DIR> d-------- C:\Documents and Settings\Rada\Application Data\Nero
2008-05-23 02:42 . 2008-05-23 02:42 <DIR> d-------- C:\Program Files\Nero
2008-05-23 02:42 . 2008-05-23 02:44 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-05-23 02:42 . 2008-05-23 02:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-05-21 11:36 . 2008-05-21 11:36 1,409 --a------ C:\WINDOWS\system32\tmp1AC89.FOT
2008-05-20 19:40 . 2008-05-20 19:40 <DIR> d-------- C:\Documents and Settings\Rada\WINDOWS
2008-05-20 19:40 . 1998-02-06 21:37 299,520 --a------ C:\WINDOWS\uninst.exe
2008-05-20 19:28 . 2008-05-20 19:28 <DIR> d-------- C:\Documents and Settings\Rada\Application Data\Proxima Software
2008-05-07 13:07 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-05-07 13:07 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-05-06 00:57 . 2008-05-06 00:57 <DIR> d-------- C:\Documents and Settings\Rada\Application Data\SorensonMedia
2008-05-06 00:54 . 2008-05-06 00:54 <DIR> d-------- C:\Program Files\OJOsoft
2008-05-02 05:49 . 2008-05-02 05:49 99,264 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 19:56 --------- d-----w C:\Documents and Settings\Rada\Application Data\FileZilla
2008-06-28 14:34 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-06-28 14:34 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-06-27 12:49 --------- d-----w C:\Documents and Settings\Rada\Application Data\uTorrent
2008-06-24 20:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 20:34 --------- d-----w C:\Program Files\Creative
2008-06-24 20:34 --------- d-----w C:\Documents and Settings\Rada\Application Data\ATI
2008-06-24 20:23 --------- d-----w C:\Program Files\MyCentria
2008-06-11 02:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-10 23:26 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-27 13:50 94,208 ----a-w C:\WINDOWS\DUMP5488.tmp
2008-05-14 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-13 19:25 --------- d-----w C:\Documents and Settings\Rada\Application Data\Alien Skin
2008-05-08 12:14 203,008 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-07 19:15 684 ----a-w C:\WINDOWS\Fonts\AT662___.PFM
2008-04-07 19:15 676 ----a-w C:\WINDOWS\Fonts\AT663___.PFM
2008-04-07 19:15 676 ----a-w C:\WINDOWS\Fonts\AT661___.PFM
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"winsock32"="C:\WINDOWS\system32:winsock32.exe" [ ]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"BM2fbc9fd5"="C:\WINDOWS\system32\yuoewkbs.dll" [2008-06-30 14:26 91136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpPJCS]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= d:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\fccywTJy

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2c8fac49]
--a------ 2008-06-30 14:29 81920 C:\WINDOWS\system32\vcgoqfif.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a--c--- 2007-03-20 16:40 1884160 C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2006-02-21 21:05 344064 C:\WINDOWS\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 15:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM2fbc9fd5]
--a------ 2008-06-30 14:26 91136 C:\WINDOWS\system32\yuoewkbs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 19:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a--c--- 2003-10-06 14:57 24576 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C88 Series]
--a------ 2005-01-27 04:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R1800]
--a------ 2007-01-12 05:00 177664 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a--c--- 2007-05-11 02:08 2512392 C:\WINDOWS\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PtiuPbmd]
--a--c--- 2003-11-05 18:06 110592 C:\WINDOWS\system32\ulutil2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-11-06 04:27 200704 d:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-04-16 01:28 155648 D:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 d:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 14:49 36352 D:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
"ose"=3 (0x3)
"O&O Defrag"=2 (0x2)
"NMIndexingService"=3 (0x3)
"usnjsvc"=3 (0x3)
"EPSON_PM_RPCV4_01"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aawservice"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"D:\\Program Files\\Steam\\SteamApps\\[email protected]\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"D:\\Program Files\\Steam\\SteamApps\\[email protected]\\counter-strike source\\hl2.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\Sorenson Media\\Sorenson Squeeze\\Squeeze.exe"=
"D:\\Program Files\\mIRC\\mirc.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 dontgo;Promise Removable Disk Control Driver;C:\WINDOWS\system32\DRIVERS\DontGo.sys [2004-06-29 14:25]
R0 ulsata2;ulsata2;C:\WINDOWS\system32\DRIVERS\ulsata2.sys [2006-04-06 17:52]
R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [2007-11-05 03:55]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 08:00]
S3 CTMSFSYN;Creative SoundFont Synth;C:\WINDOWS\system32\drivers\ctmsfsyn.sys []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0DA3B9B7-3DB5-97A1-DA31-969D6950BB42}]
C:\WINDOWS\system32:winsock32.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 16:53:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\BM2fbc9fd5.xml
C:\WINDOWS\pskt.ini 22 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2008-06-30 16:55:27
ComboFix-quarantined-files.txt 2008-06-30 20:54:55

Pre-Run: 17,822,941,184 bytes free
Post-Run: 17,710,362,624 bytes free

206 --- E O F --- 2008-06-20 16:35:21
  • 0
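The log above contains four of the persistence tricks that malware-removal helpers look for first: an autorun whose target sits in an NTFS alternate data stream (C:\WINDOWS\system32:winsock32.exe, which neither Explorer nor dir will list), rundll32 loading an eight-letter DLL from system32, a Winlogon Notify entry that names a directory instead of a DLL, and a second LSA authentication package next to msv1_0. The script below is an added triage example, not code from this thread, from HijackThis or from ComboFix; it runs those four checks over lines copied from the log, with the benign SoundMAX and ESET entries kept for contrast. The rule names and the eight-lowercase-letter heuristic are my own assumptions, not a standard of either tool.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: entries copied from the HijackThis and ComboFix logs
# posted above, with the benign SoundMAX and ESET entries kept for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [winsock32] C:\WINDOWS\system32:winsock32.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BM2fbc9fd5] Rundll32.exe "C:\WINDOWS\system32\yuoewkbs.dll",s
O20 - Winlogon Notify: ssqpPJCS - C:\WINDOWS\
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\fccywTJy
"""


@dataclass
class Finding:
    rule: str    # short rule id (names are this example's own, not a tool's)
    detail: str  # the item that tripped the rule
    line: str    # the full log line


O4_LINE = re.compile(r"^O4 - .*?\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")
O20_LINE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
LSA_LINE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(?P<pkgs>.*)$")

# A colon inside the last path component (after the drive letter) names an
# NTFS alternate data stream, e.g. system32:winsock32.exe. Explorer and dir
# do not list streams, so such an autorun hides in plain sight.
ADS_PATH = re.compile(r"^[A-Za-z]:\\(?:[^\\:]+\\)*[^\\:]+:[^\\\s]+$")
# rundll32 loading a DLL from system32 whose base name is eight lowercase
# letters: a heuristic tuned to the generated names in this log (assumption),
# not a rule that legitimate software can never trip.
RUNDLL_RANDOM = re.compile(
    r'rundll32\.exe\s+"?[A-Za-z]:\\WINDOWS\\system32\\([a-z]{8})\.dll', re.IGNORECASE)
# Windows XP's default LSA authentication package; anything else loaded into
# lsass.exe at logon deserves a look.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def executable_of(cmd: str) -> str:
    """Return the program part of an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> List[Finding]:
    """Scan HijackThis/ComboFix lines for the persistence tricks seen in this thread."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_LINE.match(line):
            exe = executable_of(m["cmd"])
            if ADS_PATH.match(exe):
                findings.append(Finding("ads_autorun", exe, line))
            if r := RUNDLL_RANDOM.search(m["cmd"]):
                findings.append(Finding("rundll32_random_dll", r.group(1) + ".dll", line))
        elif m := O20_LINE.match(line):
            # A Notify entry that names a directory rather than a DLL: the
            # registered DLL is hidden or already gone, as in this log.
            if m["path"].endswith("\\") or not m["path"].lower().endswith(".dll"):
                findings.append(Finding("winlogon_notify_no_dll", m["name"], line))
        elif m := LSA_LINE.match(line):
            for pkg in m["pkgs"].split():
                if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                    findings.append(Finding("lsa_extra_auth_package", pkg, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.detail}")
```

Each finding maps directly onto a line of the removal script Mike posts later in the thread: the ADS autorun and the rundll32 entry become Run-key deletions plus an ADS:: sweep of system32, the Notify key is removed outright, and the extra authentication package DLL is collected for analysis. The heuristics are deliberately narrow; a real triage pass would also check file signatures and creation times, which the ComboFix "Files Created" section above already gives you.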



#2
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

I'm looking over your logs and will get back with you soon.

Please do not run any other tools than what I ask of you from now on.

Thanks,

Mike :)
  • 0

#3
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi again :)

Step 1. Installing the Recovery Console

I would like you to install the Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. If you use Windows XP and have a Windows CD, you will not need to do this step.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Posted Image

Download the file & save it as it's originally named, next to ComboFix.exe.

Posted Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. Click No when it asks you to run ComboFix.

After you have done this proceed with the next steps.

Step 2. Making a CFScript

Please click Start, then Run; in the window that appears, type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
Collect::[4]
C:\WINDOWS\system32\vcgoqfif.dll
C:\WINDOWS\system32\yuoewkbs.dll
C:\WINDOWS\system32\eaxkpxkd.dll
C:\WINDOWS\system32\emqipdrw.dll
C:\WINDOWS\system32\maoergaj.dll
C:\WINDOWS\system32\kfltoirn.dll
C:\WINDOWS\system32\icgldgkl.dll
C:\WINDOWS\system32\fccywTJy.dll
File::
C:\WINDOWS\pskt.ini
C:\WINDOWS\BM2fbc9fd5.xml
C:\WINDOWS\system32\tmp1AC89.FOT
C:\WINDOWS\uninst.exe
Folder::
C:\Program Files\MyCentria
ADS::
C:\WINDOWS\system32
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsock32"=-
"BM2fbc9fd5"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpPJCS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2c8fac49]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM2fbc9fd5]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0DA3B9B7-3DB5-97A1-DA31-969D6950BB42}]
FileLook::
C:\WINDOWS\nod32restoretemdono.reg
C:\WINDOWS\nod32fixtemdono.reg
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
Posted Image

After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

Step 3. Running MalwareByte's Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 4. Running Kaspersky Online Virus Scanner

Click on your favourite web browser (Internet Explorer, Firefox, etc) and select Run As Administrator to run it.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

In your next reply

Please post the log from ComboFix.
Please post the log from MBAM.
Please post the log from Kaspersky.

If the logs are too big to fit in one reply, please spread them out over multiple replies.

Edited by Mike, 01 July 2008 - 03:47 AM.

  • 0

#4
Rada

Rada

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Hi, thanks a lot for the help. I was in a hurry b/c I had some work deadlines, so I did a desperate format. But I will save this procedure for next time; does it apply to any situation?
  • 0

#5
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

Thanks for responding. The fix was specific to your problem, so it won't apply next time, BUT there shouldn't be a next time!! :)

The steps below have some important tips on how to stay safe and keep up-to-date, so be sure to read them!

Step 1. Flushing old Restore Points and creating a new one

Right-click on "My Computer." The "System Properties" dialogue box will appear, showing a number of tabs. From here you can reset System Restore and configure Automatic Updates.

First, click the System Restore tab.

* Check the box beside "Turn off System Restore"
* Click "Apply"
* At the prompt, click "Yes"

Wait while your system deletes existing Restore Points, this may take a few moments.

* Uncheck the box beside "Turn off System Restore"
* Click "Apply"
* At the prompt, click "Yes"

Your system will now create a new Restore Point.

Step 2. Configuring Automatic Updates

Click the Automatic Updates tab. Choose the update option that best suits your needs, but be sure that Automatic Updates is not turned off. Windows XP will now notify you and download important updates and security patches as they become available.
Click "OK" to save your new settings and close the System Properties dialogue.

Step 3. Preventing future infection

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.spywarewa...uc/resource.htm

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.o...oducts/firefox/

Also make sure to run your antivirus software regularly, and to keep it up-to-date.

There are many programs that can be used for your protection, most falling within the three main categories of anti-virus, anti-spyware and firewall. Please be careful to never run more than one program of the same category in resident mode, as conflicts between the different programs can actually decrease your protection.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck. :)

Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.
  • 0

#6
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
