Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Unable to boot Windows XP


  • This topic is locked This topic is locked

#16
vahi

vahi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
The problem machine wont boot using the XP installation CD, instead I get a black screen with a white "_" flashing in the upper left corner for a couple minutes, along with the light on the disk drive flashing as though it is trying to read it, followed by it attempting (and failing) to boot using the HDD
  • 0

Advertisements


#17
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,999 posts
Lets run a quick fix.

Download the enclosed folder. [attachment=47874:pcifix.zip]

Save and extract its contents to the USB drive. It is a folder containing a batch file. Do not extract or run the batch file in a working computer.

Insert the USB drive in the troubled computer and boot to the Reatogo desktop. Throughout "My computer", browse to the USB drive and double click on the pcifix.bat file. The batch file will disappear.

Attempt to restart in Normal Mode. If able to boot in Normal Mode, get a connection and please run Combofix as previously requested.
  • 0

#18
vahi

vahi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
after using the fix, it now boots into normal mode, trying to get an internet connection hooked up to it and run combofix now
  • 0

#19
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,999 posts
:D :D
  • 0

#20
vahi

vahi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
got combofix running on the problem machine, will post the log as soon as its done
  • 0

#21
vahi

vahi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
ComboFix 11-02-17.01 - Administrator 02/17/2011 19:16:53.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.203 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\alot
c:\documents and settings\Administrator\Application Data\alot\Resources\BrowserSearch\images\favicon.ico
c:\documents and settings\Administrator\Application Data\PriceGong
c:\documents and settings\Administrator\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\z.xml

.
((((((((((((((((((((((((( Files Created from 2011-01-18 to 2011-02-18 )))))))))))))))))))))))))))))))
.

2011-02-17 23:32 . 2011-02-17 23:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2011-02-17 23:31 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2011-02-17 23:31 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-01-25 01:47 . 2011-01-25 01:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\simppulltoolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-14 14:35 . 2010-12-14 14:35 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\tmpidcrl.dll
2010-12-14 14:35 . 2009-08-18 15:30 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
2010-12-14 14:35 . 2009-08-18 15:24 17816 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2010-11-23 22:55 . 2010-11-23 22:55 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
.

------- Sigcheck -------

[-] 2009-04-18 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-04-18 . C951DB3D9B6EF3CF4B82454D30A8BF59 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{fa887e92-8f5f-4ec9-99ca-09be0e4120d6}"= "c:\program files\AddThis Toolbar\Helper.dll" [2011-01-04 356864]
"{00725d68-069b-4095-9ff1-e7469c0e95df}"= "c:\program files\Software_Master\prxtbSoft.dll" [2011-01-03 175400]

[HKEY_CLASSES_ROOT\clsid\{fa887e92-8f5f-4ec9-99ca-09be0e4120d6}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{4ACB7285-8557-43C3-80DA-22D40B15DC77}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_CLASSES_ROOT\clsid\{00725d68-069b-4095-9ff1-e7469c0e95df}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00725d68-069b-4095-9ff1-e7469c0e95df}]
2011-01-03 15:16 175400 ----a-w- c:\program files\Software_Master\prxtbSoft.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9EBF8AAF-0A31-4786-909A-97A0EF101743}]
2011-01-04 17:44 1536000 ----a-w- c:\program files\AddThis Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B43176CC-4D9E-493B-A636-D9CBFE39C6DA}"= "c:\program files\AddThis Toolbar\Toolbar.dll" [2011-01-04 1536000]
"{00725d68-069b-4095-9ff1-e7469c0e95df}"= "c:\program files\Software_Master\prxtbSoft.dll" [2011-01-03 175400]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{b43176cc-4d9e-493b-a636-d9cbfe39c6da}]
[HKEY_CLASSES_ROOT\FCTB000061107.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{58E510FE-36D8-4DEF-9385-CD04A1F555A3}]
[HKEY_CLASSES_ROOT\FCTB000061107.IEToolbar]

[HKEY_CLASSES_ROOT\clsid\{00725d68-069b-4095-9ff1-e7469c0e95df}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B43176CC-4D9E-493B-A636-D9CBFE39C6DA}"= "c:\program files\AddThis Toolbar\Toolbar.dll" [2011-01-04 1536000]
"{00725D68-069B-4095-9FF1-E7469C0E95DF}"= "c:\program files\Software_Master\prxtbSoft.dll" [2011-01-03 175400]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{b43176cc-4d9e-493b-a636-d9cbfe39c6da}]
[HKEY_CLASSES_ROOT\FCTB000061107.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{58E510FE-36D8-4DEF-9385-CD04A1F555A3}]
[HKEY_CLASSES_ROOT\FCTB000061107.IEToolbar]

[HKEY_CLASSES_ROOT\clsid\{00725d68-069b-4095-9ff1-e7469c0e95df}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2010-04-29 1652736]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-04-16 818288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-09 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\wowd.exe"=
"c:\\Program Files\\AddThis Toolbar\\TroubleShooter.exe"=
"c:\\Program Files\\AddThis Toolbar\\ToolbarUpdate.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"9701:TCP"= 9701:TCP:Services
"9702:TCP"= 9702:TCP:Services
"7489:TCP"= 7489:TCP:Services

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/2/2010 4:55 PM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/2/2010 4:55 PM 20952]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2010 7:29 PM 136176]
.
Contents of the 'Scheduled Tasks' folder

2011-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 00:29]

2011-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 00:29]

2011-02-11 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 20:50]

2011-02-17 c:\windows\Tasks\User_Feed_Synchronization-{D92E767C-5AAF-4F8D-995A-EAB1906AA541}.job
- c:\windows\system32\msfeedssync.exe [2008-04-14 06:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
.
- - - - ORPHANS REMOVED - - - -

BHO-{C4B8BAB4-1667-11DF-A242-BA9455D89593} - c:\program files\simppulltoolbar\auxi\simppulltoolbAu.dll
BHO-{E4E6BF2A-1667-11DF-A01F-1F9655D89593} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-conduitEngine - c:\program files\ConduitEngine\ConduitEngineUninstall.exe
AddRemove-England Photo Gallery Screensaver - c:\program files\Away.com



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-17 19:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\Ireland: The Emerald Isle.scr 960031 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-861567501-261903793-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,20,4e,bf,35,f7,93,50,47,83,fc,45,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b4,7e,13,ae,1b,81,a2,4d,91,c1,95,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,20,4e,bf,35,f7,93,50,47,83,fc,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-02-17 19:30:21
ComboFix-quarantined-files.txt 2011-02-18 00:30

Pre-Run: 149,190,819,840 bytes free
Post-Run: 149,975,355,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30

- - End Of File - - EA51C5BA697B33A1045CA3A0831947DC
  • 0

#22
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,999 posts
There is an indication of toolbars an browser helpers related to Ask.com, Conduit and AddThis Toolbar. These rather than help will put your computer at risk. If you do not have an Antivirus program, I would recommend AVAST. In addition, there are two important files that have failed the signature test.

Can you tell me which drive letter is assigned to the CD_ROM when booting in Normal Mode? Perhaps we may be able to extract a copy of these files from the CD.
  • 0

#23
vahi

vahi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
In normal mode, the CD drive letter is "D:"

also, they were using AVG before I had to uninstall it to run Combofix, would Avast be a better solution than reinstalling AVG?
  • 0

#24
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,999 posts
Yes, I believe AVAST will be better than AVG.

Remove the toolbars I mention above.

Insert your Install CD in the CD_ROM, then go to Start -> Run, copy and paste the following commands one by one and click OK:

CMD /C Expand D:\I386\tcpip.sy_ c:\WINDOWS\system32\dllcache\tcpip.sys
CMD /C Expand D:\I386\sfcfiles.dl_ c:\WINDOWS\system32\dllcache\sfcfiles.dll


If successful, Run Combofix once again and post its report.
  • 0

#25
vahi

vahi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
when I put the install CD in the problem computer, it seems to not read it, (checked by going to my computer -> D: and seeing an empty folder instead of the contents of the disk)

and I get an error "can't open input file d:\i386\tcpip.sy_." when trying to use the first command (same error with the second one, but ending in "\sfcfiles.dl_"

also, how would I go about removing the toolbars? I was able to find "add this toolbar" in add/remove programs, and disable conduit through internet explorer, but I cant find anythng about removing conduit, and I also cannot find anything relating to the ask.com one you mentioned, should I just install and scan with Avast to get rid of them?

Edited by vahi, 17 February 2011 - 08:11 PM.

  • 0

Advertisements


#26
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,999 posts
If you insert the OTLPE CD instead, can the files be read?
  • 0

#27
vahi

vahi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
yes, it reads the OTLPE CD

Should I go ahead and run those commands with the OTLPE CD instead of the installation CD?

Edited by vahi, 17 February 2011 - 08:39 PM.

  • 0

#28
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,999 posts
No. The Install CD is corrupted and the files in the OTLPE CD are old.

There is a download from Microsoft with the SP3 files you need. It is a large download but you will need it.

Download the Windows XP Service Pack 3 - ISO-9660 CD Image File. This is a .iso file, so you will need a program such as ImgBurn. Once the iso file is downloaded and ImgBurn Installed, just right click on the iso file and select "Burn using ImgBurn", insert a clean CD, then click on the Write image.

The image will be burn to a CD. This CD will not be bootable, but it will contain all the SP3 Files you ever need. Once burn, in the CD there will be a self extracting cabinet file, WindowsXP-KB936929-SP3-X86-ENU. I use winrar as a file extractor. With winrar I right click on this cabinet file and select Extract Files and as a destination you can select C:\SP3. This folder will be created in the process. Once the files are extracted to the SP3 folder, then it will be easy to extract to the location you need. The above commands to extract the files will change to be:

CMD /C Expand C:\SP3\I386\tcpip.sy_ c:\WINDOWS\system32\dllcache\tcpip.sys
CMD /C Expand C:\SP3\I386\sfcfiles.dl_ c:\WINDOWS\system32\dllcache\sfcfiles.dll


Let me know if you experience any problems.
  • 0

#29
vahi

vahi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
ComboFix 11-02-17.01 - Administrator 02/17/2011 23:20:27.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.180 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\PriceGong
c:\documents and settings\Administrator\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\z.xml

.
((((((((((((((((((((((((( Files Created from 2011-01-18 to 2011-02-18 )))))))))))))))))))))))))))))))
.

2011-02-18 04:18 . 2008-04-14 10:42 1614848 -c--a-w- c:\windows\system32\dllcache\sfcfiles.dll
2011-02-18 04:18 . 2008-04-14 05:50 361344 -c--a-w- c:\windows\system32\dllcache\tcpip.sys
2011-02-18 04:14 . 2011-02-18 04:14 -------- d-----w- C:\SP3
2011-02-17 23:32 . 2011-02-17 23:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2011-02-17 23:31 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2011-02-17 23:31 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-01-25 01:47 . 2011-01-25 01:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\simppulltoolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-14 14:35 . 2010-12-14 14:35 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\tmpidcrl.dll
2010-12-14 14:35 . 2009-08-18 15:30 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
2010-12-14 14:35 . 2009-08-18 15:24 17816 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2010-11-23 22:55 . 2010-11-23 22:55 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
.

------- Sigcheck -------

[-] 2009-04-18 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\tcpip.sys

[-] 2009-04-18 . C951DB3D9B6EF3CF4B82454D30A8BF59 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[7] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00725d68-069b-4095-9ff1-e7469c0e95df}"= "c:\program files\Software_Master\prxtbSoft.dll" [2011-01-03 175400]

[HKEY_CLASSES_ROOT\clsid\{00725d68-069b-4095-9ff1-e7469c0e95df}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00725d68-069b-4095-9ff1-e7469c0e95df}]
2011-01-03 15:16 175400 ----a-w- c:\program files\Software_Master\prxtbSoft.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{00725d68-069b-4095-9ff1-e7469c0e95df}"= "c:\program files\Software_Master\prxtbSoft.dll" [2011-01-03 175400]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{00725d68-069b-4095-9ff1-e7469c0e95df}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{00725D68-069B-4095-9FF1-E7469C0E95DF}"= "c:\program files\Software_Master\prxtbSoft.dll" [2011-01-03 175400]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{00725d68-069b-4095-9ff1-e7469c0e95df}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2010-04-29 1652736]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-04-16 818288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-09 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\wowd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"9701:TCP"= 9701:TCP:Services
"9702:TCP"= 9702:TCP:Services
"7489:TCP"= 7489:TCP:Services

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/2/2010 4:55 PM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/2/2010 4:55 PM 20952]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2010 7:29 PM 136176]
.
Contents of the 'Scheduled Tasks' folder

2011-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 00:29]

2011-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 00:29]

2011-02-18 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 20:50]

2011-02-17 c:\windows\Tasks\User_Feed_Synchronization-{D92E767C-5AAF-4F8D-995A-EAB1906AA541}.job
- c:\windows\system32\msfeedssync.exe [2008-04-14 06:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-17 23:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\Ireland: The Emerald Isle.scr 960031 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-861567501-261903793-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,20,4e,bf,35,f7,93,50,47,83,fc,45,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b4,7e,13,ae,1b,81,a2,4d,91,c1,95,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,20,4e,bf,35,f7,93,50,47,83,fc,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-02-17 23:30:31
ComboFix-quarantined-files.txt 2011-02-18 04:30
ComboFix2.txt 2011-02-18 00:30

Pre-Run: 149,481,545,728 bytes free
Post-Run: 149,489,225,728 bytes free

- - End Of File - - F25E8B5B3A7A11177E6A8766643A365E
  • 0

#30
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,999 posts
Download the enclosed file. [attachment=47878:CFScript.txt]

Save it next to Combofix.

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP