My neighbour has another problem which I am trying to fix for him.
When starting up the computer, only the desktop wallpaper appears.
I ran Malware and ATF Cleaner.
Here is the log file:
---------------------------------
ComboFix 09-03-01.01 - User 2009-03-02 12:39:49.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.874.66.1033.18.1023.487 [GMT 7:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-02-02 to 2009-03-02 )))))))))))))))))))))))))))))))
.
2009-03-02 11:53 . 2009-03-02 11:53 3,284 --a------ c:\windows\system32\ANIWZCS{520E509E-90DF-4D3F-9961-44BE0A663251}
2009-03-02 11:36 . 2009-03-02 12:33 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-02 11:31 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-03-02 11:31 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-03-02 11:30 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2009-03-02 11:30 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2009-03-02 11:30 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-03-02 11:30 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-03-02 11:30 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2009-03-02 11:29 . 2009-03-02 11:35 <DIR> d-------- c:\windows\LastGood
2009-03-02 11:16 . 2009-03-02 11:16 <DIR> d-------- c:\program files\ERUNT
2009-03-02 10:59 . 2009-03-02 11:05 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-02 10:59 . 2009-03-02 10:59 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2009-03-02 10:59 . 2009-03-02 10:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-02 10:59 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-02 10:59 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-01 21:21 . 2009-03-02 12:31 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-01 21:14 . 2009-03-02 10:25 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-01 21:14 . 2009-03-01 21:14 <DIR> d-------- c:\program files\AVG
2009-03-01 21:14 . 2009-03-02 12:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-01 21:14 . 2009-03-01 21:14 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-01 21:14 . 2009-03-01 21:14 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-01 21:14 . 2009-03-01 21:14 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-01 20:16 . 2009-03-01 20:16 0 --a------ c:\windows\nsreg.dat
2009-03-01 20:00 . 2009-03-01 21:12 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-01 19:51 . 2009-03-01 19:51 <DIR> d-------- c:\documents and settings\User\Application Data\Simply Super Software
2009-03-01 19:51 . 2005-08-26 00:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2009-03-01 17:20 . 2009-03-01 17:20 <DIR> d-------- C:\DataBilling
2009-03-01 16:05 . 2009-03-01 16:05 30,720 --a------ c:\windows\system32\frmwrk32.exe.vir
2009-03-01 16:05 . 2009-03-01 19:29 1,394 --a------ c:\windows\system32\ahtn.htm.vir
2009-02-05 16:46 . 2009-02-05 16:46 <DIR> d-------- c:\program files\ASUS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 05:09 --------- d-----w c:\program files\BillingSystem
2009-03-01 09:05 104,960 ----a-w c:\windows\system32\userinit.exe
2009-02-22 14:59 --------- d-----w c:\program files\EmNetMan
2009-02-06 10:30 --------- d-----w c:\program files\Att2007
2009-02-05 08:46 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-25 05:52 8,720 ----a-w c:\windows\system32\syncmc.sys.vir
2008-12-25 05:52 23,700 ----a-w c:\windows\system32\syncps.dll.vir
.
------- Sigcheck -------
2002-09-04 05:34 22016 e931e0a2b8bf0019db902e98d03662cb c:\windows\$NtServicePackUninstall$\userinit.exe
2004-08-04 00:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\ServicePackFiles\i386\userinit.exe
2009-03-01 16:05 104960 9dbc7ce9fdfed309a42f3bf314410c0e c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-03-01_20.06.35.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 05:02:28 163,328 ----a-w c:\windows\ERDNT\2009-03-02\ERDNT.EXE
+ 2009-03-02 04:16:59 3,268,608 ----a-w c:\windows\ERDNT\2009-03-02\Users\00000001\ntuser.dat
+ 2009-03-02 04:16:59 16,384 ----a-w c:\windows\ERDNT\2009-03-02\Users\00000002\UsrClass.dat
+ 2004-08-03 17:56:42 66,560 ----a-w c:\windows\LastGood\system32\cdm.dll
+ 2004-08-03 17:56:48 430,592 ----a-w c:\windows\LastGood\system32\wuapi.dll
+ 2004-08-03 17:56:58 111,104 ----a-w c:\windows\LastGood\system32\wuauclt.exe
+ 2004-08-03 17:56:48 1,134,592 ----a-w c:\windows\LastGood\system32\wuaueng.dll
+ 2004-08-03 17:56:48 112,640 ----a-w c:\windows\LastGood\system32\wucltui.dll
+ 2004-08-03 17:56:48 36,864 ----a-w c:\windows\LastGood\system32\wups.dll
+ 2004-08-03 17:56:48 120,320 ----a-w c:\windows\LastGood\system32\wuweb.dll
- 2004-08-03 17:56:42 66,560 ----a-w c:\windows\system32\cdm.dll
+ 2008-10-16 07:09:44 92,696 ----a-w c:\windows\system32\cdm.dll
+ 2008-10-16 07:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 07:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 07:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 07:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 07:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 07:12:24 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2009-03-01 14:14:28 27,656 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2008-03-20 11:06:36 1,480,232 ------w c:\windows\system32\LegitCheckControl.dll
+ 2009-02-03 02:15:28 3,771,296 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-02-03 02:15:30 240,544 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-03-01 14:23:58 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-10-16 07:07:48 208,744 ----a-w c:\windows\system32\muweb.dll
- 2009-03-01 13:04:16 59,828 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-02 04:58:23 59,828 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-01 13:04:16 395,780 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-02 04:58:23 395,780 ----a-w c:\windows\system32\perfh009.dat
+ 2008-10-16 07:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
- 2005-10-12 23:12:25 14,048 ------w c:\windows\system32\spmsg.dll
+ 2008-03-20 07:41:20 14,640 ------w c:\windows\system32\spmsg.dll
- 2004-03-17 07:36:52 15,872 ----a-w c:\windows\system32\spupdsvc.exe
+ 2005-02-25 03:35:05 22,752 ----a-w c:\windows\system32\spupdsvc.exe
- 2004-08-03 17:56:48 430,592 ------w c:\windows\system32\wuapi.dll
+ 2008-10-16 07:12:20 561,688 ----a-w c:\windows\system32\wuapi.dll
- 2004-08-03 17:56:58 111,104 ----a-w c:\windows\system32\wuauclt.exe
+ 2008-10-16 07:09:44 51,224 ----a-w c:\windows\system32\wuauclt.exe
- 2004-08-03 17:56:48 1,134,592 ----a-w c:\windows\system32\wuaueng.dll
+ 2008-10-16 07:13:40 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
- 2004-08-03 17:56:48 112,640 ------w c:\windows\system32\wucltui.dll
+ 2008-10-16 07:12:22 323,608 ----a-w c:\windows\system32\wucltui.dll
- 2004-08-03 17:56:48 120,320 ------w c:\windows\system32\wuweb.dll
+ 2008-10-16 07:12:24 202,776 ----a-w c:\windows\system32\wuweb.dll
+ 2006-12-01 15:56:00 96,256 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-01 17:25:52 1,101,824 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-01 17:25:56 1,093,120 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 17:25:58 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 17:26:00 57,856 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-01 17:08:00 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 17:08:00 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 17:08:00 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 17:08:00 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 17:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 17:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 17:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 17:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 17:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 17:46:44 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-11-07 3739672]
"EPSON Stylus CX7300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICDP.EXE" [2007-04-12 182272]
"EPSON Stylus CX7300 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICDP.EXE" [2007-04-12 182272]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-09-04 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-09-04 455168]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-13 33792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-08-28 380928]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Wireless G DWA-110"="c:\program files\D-Link\D-Link Wireless G DWA-110\AirGCFG.exe" [2007-05-04 1662976]
"protect_autorun"="c:\documents and settings\User\Desktop\CPE17AntiAutorun1400.exe" [2009-02-13 139264]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-01 1601304]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 c:\windows\SkyTel.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\User\Start Menu\Programs\Startup\
DVR.lnk - c:\dvr\DVR.exe [2008-12-19 28672]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-19 113664]
Pabx Link.LNK - c:\program files\BillingSystem\Pabx Link.exe [2008-01-22 438272]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-10-19 118784]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-01 21:14 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\DVR\\Encode.exe"=
"c:\\Program Files\\Att2007\\att.exe"=
"c:\\Program Files\\EmNetMan\\zkemnetman.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-01 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-01 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-01 298264]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-05-02 29696]
R3 SAAVideo;% SAADriver%;c:\windows\system32\drivers\SAAVideo.sys [2008-05-07 26624]
R4 atidgllk;atidgllk;c:\windows\atidgllk.sys [2008-05-02 5376]
S1 syncmc;Frequency SynClock; [x]
S2 netsik;netsik; [x]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25ff0d90-860a-11dd-8431-001e8c87afca}]
\Shell\AutoRun\command - F:\StartPortableApps.exe
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: ส่&งออกไปยัง Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\6mlqh75n.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-02 12:41:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-02 12:42:11
ComboFix-quarantined-files.txt 2009-03-02 05:42:09
ComboFix2.txt 2009-03-02 03:41:15
ComboFix3.txt 2009-03-01 13:07:12
Pre-Run: 84,493,578,240 bytes free
Post-Run: 84,470,616,064 bytes free
216
-------------------
Hope you can find out where the problem is, and help me like last time.
Regards, toker
Edited by toker, 02 March 2009 - 12:13 AM.