Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Possibly Infected With Malware.


  • This topic is locked This topic is locked

#31
rkinsey1313

rkinsey1313

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
Ya sorry about that. Got it in there now.
  • 0

Advertisements


#32
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
I see you downloaded ComboFix today. Did you run it?
  • 0

#33
rkinsey1313

rkinsey1313

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
I've had it downloaded but I ran it today and it updated. So maybe thats what its from. Usually I will find a file in my Temp folder under C:\Documents and Settings\HP_Administrator\Local Settings\temp called IADHIDE and Combofix gets rid of it. It pops up in there once in a while after surfing the internet so I imagine its from one of the websites I was on. But for some reason this time it didnt get rid of it. So I manually deleted it. And I was gonna post that log too but for some reason the last log in Qoobox shows 1-29. I dont know why that log didnt save.
  • 0

#34
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

Did you re-active your system?

Error - 1/25/2011 8:54:05 PM | Computer Name = YOUR-4DACD0EA75 | Source = Windows Product Activation | ID = 1010
Description = The Windows license was restored due to a system error. You might
need to reactivate your Windows product.



OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.

    :Services
    :OTL
    DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-346832426-1868189324-2465816145-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2009/04/14 17:04:25 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Java Outdated
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Microsoft: ‘Unprecedented Wave of Java Exploitation’
Drive-by Trojan preying on out-of-date Java installations
Ghosts of Java Haunt UsersPlease follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows" (32-bit) or "Windows x64" (64-bit).
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


NEXT



Remove Program
We need to remove a program. To do this please do the following:
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):
  • Google Toolbar for Internet Explorer

  • 0

#35
rkinsey1313

rkinsey1313

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
No I didnt Re-Activate my system. I'm not sure how to do that. Do I need the CD? If so then I allready returned it so I will have to try to borrow it again. I updated Java, I deleted the Google Toolbar and also ran the OTL Fix. Here is the OTL log.


All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Service catchme stopped successfully!
Service catchme deleted successfully!
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-21-346832426-1868189324-2465816145-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
C:\WINDOWS\003085_.tmp deleted successfully.
C:\WINDOWS\HP_48BitScanUpdatePatch.ini moved successfully.
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\HP_Administrator\My Documents\Downloads\cmd.bat deleted successfully.
C:\Documents and Settings\HP_Administrator\My Documents\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: HP_Administrator
->Temp folder emptied: 3100 bytes
->Temporary Internet Files folder emptied: 1916837 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 32014985 bytes
->Flash cache emptied: 1156 bytes

User: LocalService
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 8192 bytes

Total Files Cleaned = 32.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: HP_Administrator
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.20.6 log created on 02022011_140549

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


Did you see anything in the RKU log that looked like a Rootkit? I dont understand why it says "Possible Rootkit Activity!" I've never seen it say that before when I've run it. Thanks.
  • 0

#36
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

I didn't really see anything out of the ordinary with your RKU log.


Windows Activation
You can activate your copy of Windows XP by using any one of the following methods:

Activate Windows XP by using the Internet
If you use this method, the Windows Product Activation wizard establishes a connection to the activation server, sends your installation ID
and then processes the activation request.

Activate Windows XP by using your modem
If you have a modem but you do not have an Internet connection, the wizard detects your modem and establishes a connection
to the activation server through your phone line.

Activate Windows XP by phone
If you do not have a modem or an Internet connection, you can activate Windows XP by calling a Microsoft customer service representative.
The Activation Wizard displays the toll free number that you can dial.

The sections below describe how to use each of these methods. This information can also be found here

How to activate Windows XP by using the Internet
To activate Windows XP by using an Internet connection, follow these steps:
  • Click Start... then go to All Programs... Accessories... System Tools, and then click Activate Windows.
    OR click the Windows Activation icon in the notification area.
  • Click "Yes, let's activate Windows over the Internet now."
  • Click "Read the Windows Product Activation Privacy Statement",... click Back... then click Next.
    Use one of the following methods:
    • If you want to register and activate Windows at the same time,
      • click "Yes, I want to register and activate Windows at the same time."
      • Click "Read the Windows Product Activation Privacy Statement",... click Back... then click Next.
      • Type your contact information in the appropriate boxes in the registration form... then click Next. An asterisk appears next to required information.
    • If you only want to activate Windows
      • Click "No, I don't want to register now; let's just activate Windows",... then click Next.
    The wizard establishes a connection with an activation server, and then processes the activation request.
    When activation is completed and you receive the message, "You have successfully activated your copy of Windows"
  • Click the OK button.

How to Activate Windows XP by Using a Modem
To activate Windows XP by using your modem, follow the steps: How to activate Windows XP by using the Internet.
Note: If you have an Internet connection... disconnect your Internet connection before you follow these steps.

Troubleshooting
If you cannot establish an online connection by using your modem or an Internet connection...
the wizard prompts you to contact a customer service representative to activate your copy of Windows XP by telephone.

How to activate Windows XP by phone
To contact a Microsoft customer service representative to activate Windows by phone, follow these steps:
  • Click Start... then go to All Programs... Accessories... System Tools, and then click Activate Windows.
    OR click the Windows Activation icon in the notification area.
  • Click "Yes, I want to telephone a customer service representative to active Windows now."
  • Click "Read the Windows Product Activation Privacy Statement",... click Back... then click Next.
  • Follow the steps in the Activate Windows by phone dialog box... then click Next.
    Note: The number appears now and differs based on the location that you select.
    When activation is completed and you receive the message, "You have successfully activated your copy of Windows"
  • Click the OK button.

  • 0

#37
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
How are things running now?

Any better?


Scanning with GMER

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.
  • 0

#38
rkinsey1313

rkinsey1313

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
Hey ST. Here is the GMer Scan. My computer still seems to be runnin like crapola.


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-02 18:35:17
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6L200M0 rev.BACE1G10
Running: c8fo1dkx.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kwxyafod.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2448] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002C0010

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

---- EOF - GMER 1.0.15 ----
  • 0

#39
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

Did you re-active your version of Windows?

Do you have a Flash Drive?

Running TDSSKiller

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

  • 0

#40
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP