virus blocking antivirus, wmi, and windows explorer

#1
mnhertz26

I accidentally downloaded a virus that posed as an antivirus scan. Now I cannot access my AVG software. I keep getting an error that says WMI error. I also cannot open any folders. Windows Explorer is failing. I cannot get into Control Panel. When I first downloaded this I immediately ran a System Restore to the previous day. It ran successfully, or so it seemed. I cannot run a restore anymore. Even when I go into Safe Mode I can get into System Restore, but it will not allow it to complete. I have already run Malwarebytes, SUPERAntiSpyware, and ComboFix. Each program said it fixed a bunch of stuff, but I am not seeing a result. Please help me. Here is my ComboFix log...
ComboFix 10-07-27.05 - Administrator 07/29/2010 0:32.1.1 - x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\d3d9.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\d3d9.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
.

2010-07-29 02:29 . 2010-07-29 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-29 02:29 . 2010-07-29 02:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-07-29 01:42 . 2010-07-29 01:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-29 01:42 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-29 01:42 . 2010-07-29 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-29 01:42 . 2010-07-29 01:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-29 01:42 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-26 23:55 . 2010-07-26 23:55 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-14 05:31 . 2010-07-14 05:31 2133536 ----a-w- c:\program files\avg_iswt_stb_all_9_115.exe
2010-07-14 00:22 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-12 19:30 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-07-12 19:30 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-07-12 19:30 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-07-12 19:30 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-07-12 12:35 . 2007-11-27 07:24 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-07-12 10:20 . 2010-07-12 10:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\HTC
2010-07-12 10:20 . 2010-07-12 12:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Teleca
2010-07-12 10:10 . 2010-07-12 10:10 -------- d-----w- c:\documents and settings\All Users\Application Data\HTC
2010-07-12 10:06 . 2010-07-12 10:11 -------- d-----w- c:\program files\Common Files\Teleca Shared
2010-07-12 10:06 . 2010-07-12 10:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Teleca
2010-07-12 09:59 . 2009-06-10 04:49 24576 ----a-w- c:\windows\system32\drivers\ANDROIDUSB.sys
2010-07-12 09:59 . 2009-06-09 18:41 1122664 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-07-12 09:59 . 2010-07-12 09:59 -------- d-----w- c:\program files\Spirent Communications
2010-07-12 09:58 . 2010-07-12 10:06 -------- d-----w- c:\program files\HTC
2010-07-12 09:52 . 2010-07-12 09:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Downloaded Installations
2010-07-12 09:35 . 2010-07-12 09:36 -------- d-sh--w- c:\documents and settings\Administrator\Application Data\wyUpdate AU
2010-07-12 07:13 . 2010-07-12 07:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-07-12 06:19 . 2010-07-12 06:19 -------- d-----w- c:\windows\system32\scripting
2010-07-12 06:19 . 2010-07-12 06:19 -------- d-----w- c:\windows\l2schemas
2010-07-12 06:19 . 2010-07-12 06:19 -------- d-----w- c:\windows\system32\en
2010-07-12 06:19 . 2010-07-12 06:19 -------- d-----w- c:\windows\system32\bits
2010-07-06 22:48 . 2008-04-14 00:12 20992 ------w- c:\windows\system32\spupdwxp.exe
2010-07-06 22:47 . 2008-04-14 00:12 290304 ------w- c:\windows\system32\rhttpaa.dll
2010-07-06 22:46 . 2008-04-14 00:12 176640 ------w- c:\windows\system32\napstat.exe
2010-07-06 22:45 . 2008-04-14 00:12 33792 ------w- c:\windows\system32\mmcperf.exe
2010-07-06 22:45 . 2008-04-14 00:11 397312 ------w- c:\windows\system32\mmcex.dll
2010-07-06 22:45 . 2008-04-14 00:11 106496 ------w- c:\windows\system32\mmcfxcommon.dll
2010-07-06 22:45 . 2008-04-14 00:11 184320 ------w- c:\windows\system32\microsoft.managementconsole.dll
2010-07-06 22:44 . 2008-04-14 00:11 86016 ------w- c:\windows\system32\mdmxsdk.dll
2010-07-06 22:44 . 2004-08-04 02:41 11868 ------w- c:\windows\system32\drivers\mdmxsdk.sys
2010-07-06 22:44 . 2008-04-14 00:11 37376 ------w- c:\windows\system32\l2gpstore.dll
2010-07-06 22:44 . 2008-04-14 00:11 61440 ------w- c:\windows\system32\kmsvc.dll
2010-07-06 22:44 . 2008-04-14 00:09 6144 ------w- c:\windows\system32\kbdpash.dll
2010-07-06 22:44 . 2008-04-14 00:09 6144 ------w- c:\windows\system32\kbdnepr.dll
2010-07-06 22:44 . 2008-04-14 00:09 6144 ------w- c:\windows\system32\kbdiultn.dll
2010-07-06 22:44 . 2008-04-14 00:09 6144 ------w- c:\windows\system32\kbdbhc.dll
2010-07-06 22:44 . 2008-04-14 00:10 102912 -c----w- c:\windows\system32\dllcache\dpcdll.dll
2010-07-06 22:44 . 2008-04-14 00:09 24064 -c----w- c:\windows\system32\dllcache\pidgen.dll
2010-07-06 22:43 . 2008-04-14 00:12 10752 ------w- c:\windows\system32\smtpapi.dll
2010-07-06 22:43 . 2008-04-14 00:12 9728 ------w- c:\windows\system32\rwnh.dll
2010-07-06 22:43 . 2008-04-13 18:45 46592 ------w- c:\windows\system32\drivers\irbus.sys
2010-07-06 22:43 . 2008-04-13 18:43 9728 ------w- c:\windows\system32\comsdupd.exe
2010-07-06 22:41 . 2008-04-14 00:11 15423 ------w- c:\windows\system32\drivers\ch7xxnt5.dll
2010-07-06 18:46 . 2010-07-06 18:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\HotSync
2010-07-06 05:06 . 2010-07-06 05:06 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 22:59 . 2007-05-08 22:55 -------- d-----w- c:\program files\Common Files\aol
2010-07-18 18:16 . 2010-07-18 18:16 86459 ----a-w- c:\program files\referralpic.htm
2010-07-14 06:14 . 2001-11-12 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7
2010-07-13 21:40 . 2001-11-12 20:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG7
2010-07-12 12:36 . 2010-07-12 12:36 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf
2010-07-12 12:36 . 2010-07-12 12:36 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-07-12 08:52 . 2007-06-06 06:51 64368 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 07:59 . 2001-11-12 20:36 -------- d-----w- c:\program files\Microsoft.NET
2010-07-06 18:51 . 2007-05-08 22:38 -------- d-----w- c:\program files\Java
2010-07-06 18:51 . 2007-05-08 22:38 -------- d-----w- c:\program files\Common Files\Java
2010-07-06 18:30 . 2007-05-11 05:55 -------- d-----w- c:\program files\DivX
2010-06-23 01:01 . 2010-06-23 01:01 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49cc259d-n\msvcp71.dll
2010-06-23 01:01 . 2010-06-23 01:01 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49cc259d-n\jmc.dll
2010-06-23 01:01 . 2010-06-23 01:01 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49cc259d-n\msvcr71.dll
2010-06-23 01:01 . 2010-06-23 01:01 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-74d0d900-n\decora-d3d.dll
2010-06-23 01:01 . 2010-06-23 01:01 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-74d0d900-n\decora-sse.dll
2010-06-14 05:44 . 2010-06-14 05:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVS4YOU
2010-06-14 05:43 . 2010-06-14 05:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2010-06-14 05:41 . 2010-06-14 05:33 -------- d-----w- c:\program files\AVS4YOU
2010-06-14 05:41 . 2010-06-14 05:39 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-06-14 01:12 . 2010-06-14 01:12 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-31cf043a-n\msvcr71.dll
2010-06-14 01:12 . 2010-06-14 01:12 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-31cf043a-n\msvcp71.dll
2010-06-14 01:12 . 2010-06-14 01:12 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-31cf043a-n\jmc.dll
2010-05-06 10:41 . 2004-08-03 22:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-03 21:17 1851264 ----a-w- c:\windows\system32\win32k.sys
2008-06-09 20:49 . 2008-06-09 20:48 59782440 ----a-w- c:\program files\iTunesSetup.exe
2008-06-09 19:27 . 2008-06-09 19:24 8990072 ----a-w- c:\program files\winamp5531_full_emusic-7plus_en-us.exe
2007-10-05 02:19 . 2007-10-05 02:18 23402288 ----a-w- c:\program files\AdbeRdr810_en_US.exe
2007-05-16 03:11 . 2007-05-16 03:08 21612432 ----a-w- c:\program files\DivXInstaller.exe
2007-05-11 23:17 . 2007-05-11 23:17 14173248 ----a-w- c:\program files\wua_wireless_adapter_setup.exe
2007-05-08 22:38 . 2007-05-08 22:38 3098056 ----a-w- c:\program files\LimeWireWin.exe
2001-11-22 11:23 . 2009-06-03 03:52 88 --sh--r- c:\windows\system32\5FB274829A.sys
2001-11-22 11:23 . 2009-06-03 03:52 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files\Common Files\AOL\1178664948\ee\AOLSoftware.exe" [2006-09-26 50736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SansaDispatch"="c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 75584]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-19 598016]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1178664948\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-06-10 24576]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

.
Contents of the 'Scheduled Tasks' folder

2010-07-29 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-14 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-Wdf01000.sys
AddRemove-WinZix_is1 - c:\program files\WinZix\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-29 00:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-484763869-1343024091-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,2f,14,62,b7,07,c9,46,ae,b5,ae,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,2f,14,62,b7,07,c9,46,ae,b5,ae,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2484)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Common Files\Teleca Shared\logger.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
.
**************************************************************************
.
Completion time: 2010-07-29 01:09:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-29 05:09

Pre-Run: 5,830,455,296 bytes free
Post-Run: 8,276,115,456 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 9FB61C2BCA2F11AE332C722445883F2B