
Cant access security center - antivirus wont update - multiple bsod



#31 Bhinsz84 (Topic Starter, Member, 75 posts)
Did as requested and rebooted - no change.

Also I think it might be something of interest to point out that since we started all of this, rundll32 hangs up on shutdown every time - unless I click "end now" it will stay hung up until I manually shut the pc down. I just noticed this the last time I shut down but did not remember to post it.

I'll be off to bed now. I'll check my email in the morning, but after that I won't be on till late tomorrow - after 7 pm my time (Denver, CO).

Thank you very much for your help this weekend. I sure hope we can get this thing resolved, but if not, it is worth it to try, right?
  • 0


#32 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello Bhinsz84,

I sure hope we can get this thing resolved, but if not it is worth it to try right ?


We will do our best. There are a number of solutions still to attempt.

For now

Download Sophos Anti-Rootkit and save it to your desktop after filling out the questionnaire and reading the EULA.

Note: You will need to enter your name, e-mail address and location in order to access the download page.
  • Double-click sarsfx.exe to extract the files.
  • Click the Accept button at the EULA, then Install to the default directory
  • At the next prompt, click Yes to start the program
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click the "Start Scan" button.
  • Allow the program to scan your computer - please be patient as it may take some time
  • Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  • In the main window, you will see each of the entries found by the scan (if any)
    • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
    • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you
  • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
  • To clean up these entries click on the Clean up checked items button
  • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
  • Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
Come back and tell me if it has been successful.
  • 0

#33 Bhinsz84 (Topic Starter, Member, 75 posts)
Unknown hidden file - this is the only warning it found. I did notice before that this file was one that was causing my computer to crash when I was able to run WhoCrashed.

Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWS\system32\drivers\sptd.sys
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)
  • 0

#34 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hi Bhinsz84,

sptd.sys is part of Daemon Tools. It does show up like that in the scans. I suppose it is possible it is infected, but I don't think it is. It can cause problems (BSOD) on some machines. It is necessary for CD-ROM drive emulation. You can remove it from your system if you are not using CD-ROM emulation; if you are, removal can cause problems.

By way of putting you in the picture this is where I think we are.

Your machine is now showing as clean on our scans. This is not conclusive but we have looked pretty deep.

From your first post and our earlier scans, my best thought was that we had a rootkit infection, or corruption/hardware degradation, or maybe a combination of those two. Some of your machine's symptoms fit with a rootkit infection, but they can also be caused by corruption following infection. Now that the scans are showing clean, that seemed the most likely. We are not having success in fixing the update problem and the Security Center issue yet, though. One thing that is pointing to hardware problems or corruption is the continuing requirement to use chkdsk cleaning.

We have a number of things to try still though.

Firstly let's try a very old tool for a further check for hidden infection.

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Also when you return tell me if you have tried System Restore to take your machine back to a time before the problems began.
  • 0

#35 Bhinsz84 (Topic Starter, Member, 75 posts)
Weird, I thought I replied to this...


I turned off System Restore a long time ago. I am usually pretty good at keeping the crap off of my computer, and I reinstall the OS once a year just to keep it up to speed. I keep all my AV and Malwarebytes updated as well, but something got past me - or, as you said, it could be a hardware issue. I tested the RAM and it came out fine - the vid card seems OK and the HD with the OS on it is 6 months old (Western Digital Caviar Blue). I built this machine myself and am no dummy when it comes to these things, but this one has me stumped.

"Silent Runners.vbs", revision 63, http://www.silentrunners.org/
Operating System: Windows XP SP3
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet" ["NVIDIA Corporation"]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"avast" = ""C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui" ["AVAST Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub"
-> {HKLM...CLSID} = "Adobe PDF Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]

{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}\(Default) = (no title provided)
-> {HKLM...CLSID} = "avast! WebRep"
\InProcServer32\(Default) = "C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll" ["AVAST Software"]

{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java™ Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]

{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
-> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\

00avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\AVAST Software\Avast\ashShell.dll" ["AVAST Software"]

Groove Explorer Icon Overlay 1 (GFS Unread Stub)\(Default) = "{99FD978C-D287-4F50-827F-B2C658EDA8E7}"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

Groove Explorer Icon Overlay 2 (GFS Stub)\(Default) = "{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)\(Default) = "{920E6DB1-9907-4370-B3A0-BAFC03D81399}"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

Groove Explorer Icon Overlay 3 (GFS Folder)\(Default) = "{16F3DD56-1AF5-4347-846D-7C10C4192619}"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

Groove Explorer Icon Overlay 4 (GFS Unread Mark)\(Default) = "{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "Windows Search Deskbar"
-> {HKLM...CLSID} = "Windows Search Deskbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\deskbar.dll" [MS]

"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"
-> {HKLM...CLSID} = "Windows Desktop Search"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\msnlExt.dll" [MS]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
-> {HKLM...CLSID} = "Groove Folder Synchronization"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
-> {HKLM...CLSID} = "Groove XML Icon Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]

"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\Program Files\NVIDIA Corporation\nView\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\NVIDIA Corporation\nView\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\Program Files\NVIDIA Corporation\nView\nvshell.dll" ["NVIDIA Corporation"]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\AVAST Software\Avast\ashShell.dll" ["AVAST Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{56F9679E-7826-4C84-81F3-532071A8BCC5}" = (no title provided)
-> {HKLM...CLSID} = "Windows Desktop Search Namespace Manager"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [MS]

<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\

<<!>> grooveLocalGWS\CLSID = "{88FED34C-F0CA-4636-A375-3CB6248B04CD}"
-> {HKLM...CLSID} = "Local Groove Web Services Protocol"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll" [MS]

<<!>> ms-help\CLSID = "{314111c7-a502-11d2-bbca-00c04f8ec294}"
-> {HKLM...CLSID} = "HxProtocol Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll" [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\AVAST Software\Avast\ashShell.dll" ["AVAST Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

00avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\AVAST Software\Avast\ashShell.dll" ["AVAST Software"]

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\

00nView\(Default) = "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\Program Files\NVIDIA Corporation\nView\nvshell.dll" ["NVIDIA Corporation"]

igfxcui\(Default) = "{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}"
-> {HKLM...CLSID} = "GraphicsShellExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\igfxpph.dll" ["Intel Corporation"]

NvCplDesktopContext\(Default) = "{A70C977A-BF00-412C-90B7-034C51DA2439}"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\AVAST Software\Avast\ashShell.dll" ["AVAST Software"]

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\

"DefaultFileTypeRisk" = (REG_DWORD) dword:0x00001808
{User Configuration|Administrative Templates|Windows Components|Attachment Manager|
Default risk level for file attachments}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\

"SaveZoneInformation" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Windows Components|Attachment Manager|
Do not preserve zone information in file attachments}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "Open"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\Open\command\(Default) = ""C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file cdda://%1" ["the VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "Open"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\Open\command\(Default) = ""C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file dvd://%1" ["the VideoLAN Team"]

VLCPlayVCDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.VCDMovie"
"InvokeVerb" = "Open"
HKLM\SOFTWARE\Classes\VLC.VCDMovie\shell\Open\command\(Default) = ""C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file vcd://%1" ["the VideoLAN Team"]

VLCPlayDVDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.OPENFolder"
"InvokeVerb" = "Open"
HKLM\SOFTWARE\Classes\VLC.OPENFolder\shell\Open\command\(Default) = ""C:\Program Files\VideoLAN\VLC\vlc.exe" %1" ["the VideoLAN Team"]

VLCPlayMusicFilesOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.OPENFolder"
"InvokeVerb" = "Open"
HKLM\SOFTWARE\Classes\VLC.OPENFolder\shell\Open\command\(Default) = ""C:\Program Files\VideoLAN\VLC\vlc.exe" %1" ["the VideoLAN Team"]

VLCPlaySVCDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.SVCDMovie"
"InvokeVerb" = "Open"
HKLM\SOFTWARE\Classes\VLC.SVCDMovie\shell\Open\command\(Default) = ""C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file vcd://%1" ["the VideoLAN Team"]

VLCPlayVideoFilesOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.OPENFolder"
"InvokeVerb" = "Open"
HKLM\SOFTWARE\Classes\VLC.OPENFolder\shell\Open\command\(Default) = ""C:\Program Files\VideoLAN\VLC\vlc.exe" %1" ["the VideoLAN Team"]


Enabled Scheduled Tasks:
------------------------

"GoogleUpdateTaskUserS-1-5-21-1220945662-2025429265-839522115-500Core" -> launches: "C:\Documents and Settings\Administrator.BRIANS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /c" ["Google Inc."]
"GoogleUpdateTaskUserS-1-5-21-1220945662-2025429265-839522115-500UA" -> launches: "C:\Documents and Settings\Administrator.BRIANS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /ua /installsource scheduler" ["Google Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}" = (no title provided)
-> {HKLM...CLSID} = "avast! WebRep"
\InProcServer32\(Default) = "C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll" ["AVAST Software"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Send to OneNote"
"MenuText" = "S&end to OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe"" ["Apple Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\AVAST Software\Avast\AvastSvc.exe"" ["AVAST Software"]
Bonjour Service, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Inc."]
Java Quick Starter, JavaQuickStarterService, ""C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]


Safe Mode Drivers & Services (subkey name, subkey default value):
-----------------------------------------------------------------

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\

<<!>> MSIServer, "Service"


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
<<!>> "UpperFilters" = "kbdclass" [MS],<<!>> "DumaNT" ["Windows ® 2000 DDK provider"]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


---------- (launch time: 2011-05-02 19:19:38)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 49 seconds.
---------- (total run time: 86 seconds)
  • 0
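A small triage helper for reading a Silent Runners log like the one above, added here as an example; it is not part of the thread and not part of the Silent Runners script itself. It assumes only the log format shown in the post: registry key headers starting with HKLM\ or HKCU\, lines flagged "<<!>>" (which the log's own legend defines as suspicious data at a malware launch point), "[file not found]" markers, and an "[MS]" or "["Company"]" signer tag after each path. The excerpt it runs over is a constructed sample in that format, trimmed from the log in the post; the three categories it reports (flagged launch points, launch points whose file is missing, and Run-key entries with no signer tag) are the lines a reviewer reads first, and a hit in any of them is a prompt to look closer, not proof of infection.

```python
import re
from collections import Counter

# Constructed excerpt in Silent Runners format (a sample, not the full log from the thread).
SAMPLE_LOG = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"avast" = ""C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui" ["AVAST Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]

HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\

<<!>> MSIServer, "Service"
'''

# A trailing signer tag as Silent Runners writes it: [MS], ["Company Name"] or [file not found].
SIGNER_TAG = re.compile(r'\[(?:MS|"[^"]*"|file not found)\]\s*$')
# Autostart keys whose value lines should always carry a signer tag.
RUN_KEY = re.compile(r'\\Run(?:Once|Services)?\\$')


def parse_findings(log_text):
    """Walk a Silent Runners log and return (category, registry_key, line) triples
    for the entries a reviewer looks at first."""
    findings = []
    current_key = None
    in_run_key = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("HKLM\\", "HKCU\\")):
            # Key header; "{++}" marks sections where default entries are also listed.
            current_key = line.replace(" {++}", "").strip()
            in_run_key = bool(RUN_KEY.search(current_key))
            continue
        if line.startswith("<<!>>"):
            findings.append(("flagged", current_key, line))
        if "[file not found]" in line:
            # A launch point whose target is gone: stale uninstall or a removed payload.
            findings.append(("missing_file", current_key, line))
        if in_run_key and line.startswith('"') and not SIGNER_TAG.search(line):
            # Run entry whose command Silent Runners could not attribute to a signer.
            findings.append(("unverified_run_entry", current_key, line))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'flagged': 3, 'missing_file': 1, ...}."""
    return dict(Counter(category for category, _, _ in findings))


if __name__ == "__main__":
    for category, key, line in parse_findings(SAMPLE_LOG):
        print(f"[{category}] {key}\n    {line}")
    print(summarize(parse_findings(SAMPLE_LOG)))
```

Run it on a saved log by reading the file into parse_findings instead of SAMPLE_LOG. On the sample it reports three flagged lines (the Groove execution hook, the igfxcui Winlogon notify DLL and the MSIServer SafeBoot entry), one missing file (deskpan.dll) and one Run entry with no signer tag (KernelFaultCheck); all five are benign on the machine in this thread, which is the point: the script narrows the reading, and the reviewer still decides.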

#36 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hi Bhinsz84,

Wondered what had happened to you. :)

I have just reviewed your thread again and I wonder still if there is a rootkit infection there.

Let's have a look at it again using a different scan:

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

#37 Bhinsz84 (Topic Starter, Member)
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000fc

Kernel Drivers (total 126):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xB85A8000 \WINDOWS\system32\KDCOM.DLL
0xB84B8000 \WINDOWS\system32\BOOTVID.dll
0xB7EB4000 spep.sys
0xB85AA000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xB7E9C000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xB7E6E000 ACPI.sys
0xB7E5D000 pci.sys
0xB80A8000 ohci1394.sys
0xB80B8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB80C8000 isapnp.sys
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80D8000 MountMgr.sys
0xB7E3E000 ftdisk.sys
0xB85AC000 dmload.sys
0xB7E18000 dmio.sys
0xB8330000 PartMgr.sys
0xB80E8000 VolSnap.sys
0xB7E00000 atapi.sys
0xB80F8000 disk.sys
0xB8108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7DE0000 fltmgr.sys
0xB7DCE000 sr.sys
0xB7DB7000 KSecDD.sys
0xB7D2A000 Ntfs.sys
0xB7CFD000 NDIS.sys
0xB7CE3000 Mup.sys
0xB81F8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB697E000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB696A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8208000 \SystemRoot\system32\DRIVERS\HECI.sys
0xB6929000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xB83F0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB6905000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB83F8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB68DD000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB8218000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB8228000 \SystemRoot\system32\DRIVERS\serial.sys
0xB8574000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB8238000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB8248000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB8258000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB68BA000 \SystemRoot\system32\DRIVERS\ks.sys
0xB8400000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xB6881000 \SystemRoot\System32\Drivers\aefygeqa.SYS
0xB87B0000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB8268000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB8588000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB686A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB8278000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB8288000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB8468000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB6859000 \SystemRoot\system32\DRIVERS\psched.sys
0xB8298000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB8470000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB8478000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB6829000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB82A8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB8480000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB8488000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB85CE000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB67CB000 \SystemRoot\system32\DRIVERS\update.sys
0xB85A4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB82B8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB82E8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB85D0000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB37B8000 \SystemRoot\system32\drivers\sthda.sys
0xB3794000 \SystemRoot\system32\drivers\portcls.sys
0xB8308000 \SystemRoot\system32\drivers\drmk.sys
0xB85DC000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB8788000 \SystemRoot\System32\Drivers\Null.SYS
0xB85DE000 \SystemRoot\System32\Drivers\Beep.SYS
0xB84A8000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB84B0000 \SystemRoot\System32\drivers\vga.sys
0xB85E0000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB85E2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB8340000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB8348000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB855C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB3739000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB36E0000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB8128000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xB3692000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB8138000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB8570000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB8148000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB366A000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB8380000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xB8158000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB3648000 \SystemRoot\System32\drivers\afd.sys
0xB8168000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB361D000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB35AD000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB8178000 \SystemRoot\System32\Drivers\Fips.SYS
0xB6723000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB8388000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB671B000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB355B000 \SystemRoot\System32\Drivers\DumaNT.SYS
0xB3512000 \SystemRoot\System32\Drivers\aswSP.SYS
0xB34A2000 \SystemRoot\System32\Drivers\aswSnx.SYS
0xB8398000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xB81D8000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB3462000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xB863C000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB757B000 \SystemRoot\System32\drivers\Dxapi.sys
0xB83E0000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB8751000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBD3FE000 \SystemRoot\System32\ATMFD.DLL
0xB36C4000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xB273C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB24E5000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xB22C8000 \SystemRoot\system32\drivers\wdmaud.sys
0xB23AD000 \SystemRoot\system32\drivers\sysaudio.sys
0xB1F90000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB1E48000 \SystemRoot\system32\DRIVERS\srv.sys
0xB84A0000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xB1BF5000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xB1AA2000 \SystemRoot\System32\Drivers\HTTP.sys
0xB865E000 \??\C:\WINDOWS\system32\1E.tmp
0x7C900000 \WINDOWS\system32\ntdll.dll
0x10000000 \Program Files\DAEMON Tools Lite\Engine.dll

Processes (total 40):
0 System Idle Process
4 System
688 C:\WINDOWS\system32\smss.exe
740 csrss.exe
764 C:\WINDOWS\system32\winlogon.exe
808 C:\WINDOWS\system32\services.exe
828 C:\WINDOWS\system32\lsass.exe
1004 C:\WINDOWS\system32\nvsvc32.exe
1060 C:\WINDOWS\system32\svchost.exe
1144 svchost.exe
1244 C:\WINDOWS\system32\svchost.exe
1328 svchost.exe
1504 svchost.exe
1736 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
1744 C:\WINDOWS\explorer.exe
436 C:\WINDOWS\system32\spoolsv.exe
472 C:\WINDOWS\system32\rundll32.exe
580 C:\Program Files\AVAST Software\Avast\AvastUI.exe
608 C:\WINDOWS\system32\ctfmon.exe
1188 svchost.exe
1208 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1228 C:\Program Files\Bonjour\mDNSResponder.exe
1836 C:\Program Files\Java\jre6\bin\jqs.exe
196 C:\WINDOWS\system32\svchost.exe
2444 C:\WINDOWS\system32\wscntfy.exe
2912 alg.exe
3588 C:\WINDOWS\system32\svchost.exe
4040 C:\WINDOWS\system32\rundll32.exe
3200 C:\WINDOWS\system32\igfxsrvc.exe
3172 C:\WINDOWS\system32\notepad.exe
3880 C:\Documents and Settings\Administrator.BRIANS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1692 C:\Documents and Settings\Administrator.BRIANS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3320 C:\Documents and Settings\Administrator.BRIANS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3840 C:\Documents and Settings\Administrator.BRIANS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1996 C:\Documents and Settings\Administrator.BRIANS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3308 C:\Documents and Settings\Administrator.BRIANS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2192 C:\Documents and Settings\Administrator.BRIANS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2200 C:\Documents and Settings\Administrator.BRIANS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
380 C:\Documents and Settings\Administrator.BRIANS\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1764 C:\Documents and Settings\Administrator.BRIANS\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD6400AAKS-00A7B2, Rev: 01.03B01
PhysicalDrive1 Model Number: WDCWD5000AAKS-75YGA0, Rev: 12.01C02
PhysicalDrive2 Model Number: WDCWD6401AALS-00L3B2, Rev: 01.03B01

Size Device Name MBR Status
--------------------------------------------
596 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
465 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
596 GB \\.\PhysicalDrive2 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

#38 emeraldnzl (GeekU Instructor, GeekU Moderator)
Hello Bhinsz84,

Looks like we might have found something.

Now

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

Rootkit::
C:\WINDOWS\system32\1E.tmp

Reboot::


Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.
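The reasoning behind "we might have found something" can be scripted for the next report of this kind. The Python below is an added example, not part of the thread and not part of MBRCheck: it parses a constructed, abridged excerpt modelled on the report posted above, flags kernel modules whose load path or file extension is out of the ordinary (the `\??\C:\WINDOWS\system32\1E.tmp` entry that the following instructions target), and checks that every drive reports the same MBR hash together with a recognised MBR status. The allowlisted directories, the extension list and the heuristics are my assumptions, not anything MBRCheck itself defines.

```python
import re

# Constructed, abridged excerpt in the layout of an MBRCheck report (not the full
# report from the thread; only a handful of representative lines are kept).
SAMPLE_REPORT = r"""MBRCheck, version 1.2.3
Kernel Drivers (total 8):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0xB7EB4000 spep.sys
0xB7E6E000 ACPI.sys
0xB6881000 \SystemRoot\System32\Drivers\aefygeqa.SYS
0xB8480000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB355B000 \SystemRoot\System32\Drivers\DumaNT.SYS
0xB865E000 \??\C:\WINDOWS\system32\1E.tmp
0x10000000 \Program Files\DAEMON Tools Lite\Engine.dll

Processes (total 2):
0 System Idle Process
4 System

Size Device Name MBR Status
--------------------------------------------
596 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
465 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!
"""

DRIVER_LINE = re.compile(r"^(0x[0-9A-Fa-f]{8})\s+(\S.*)$")
MBR_LINE = re.compile(r"^\s*(\d+ GB)\s+(\\\\\.\\PhysicalDrive\d+)\s+(.*)$")
SHA1_LINE = re.compile(r"^SHA1:\s*([0-9A-Fa-f]{40})$")

# Assumed allowlist: directories kernel modules are normally mapped from on XP,
# and the extensions a kernel module normally carries.
EXPECTED_DIRS = (r"\windows\system32", r"\systemroot\system32")
EXPECTED_EXT = (".sys", ".dll", ".exe")


def section_lines(report, header_prefix):
    """Lines of the block introduced by header_prefix, up to the first blank line."""
    lines = report.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(header_prefix):
            block = []
            for body in lines[i + 1:]:
                if not body.strip():
                    break
                block.append(body)
            return block
    return []


def flag_drivers(report):
    """Return (base_address, path, reasons) for every kernel module that looks odd."""
    findings = []
    for line in section_lines(report, "Kernel Drivers"):
        m = DRIVER_LINE.match(line)
        if not m:
            continue
        base, path = m.groups()
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        reasons = []
        if low.startswith("\\??\\"):
            reasons.append("mapped through an explicit \\??\\ device path")
        if "\\" in low and not any(d in low for d in EXPECTED_DIRS):
            reasons.append("not under a system directory")
        if not name.endswith(EXPECTED_EXT):
            reasons.append("unexpected extension for a kernel module")
        if reasons:
            findings.append((base, path, reasons))
    return findings


def mbr_summary(report):
    """Collect per-drive MBR status and SHA1; report whether all drives agree."""
    drives = []
    current = None
    for line in report.splitlines():
        m = MBR_LINE.match(line)
        if m:
            current = {"size": m.group(1), "device": m.group(2),
                       "status": m.group(3).strip(), "sha1": None}
            drives.append(current)
            continue
        s = SHA1_LINE.match(line)
        if s and current is not None:
            current["sha1"] = s.group(1).upper()
            current = None
    hashes = {d["sha1"] for d in drives}
    consistent = (len(drives) > 0 and len(hashes) == 1
                  and all("MBR code detected" in d["status"] for d in drives))
    return drives, consistent


if __name__ == "__main__":
    for base, path, reasons in flag_drivers(SAMPLE_REPORT):
        print(base, path, "->", "; ".join(reasons))
    drives, ok = mbr_summary(SAMPLE_REPORT)
    print("MBR hashes consistent across %d drives: %s" % (len(drives), ok))
```

Hits are leads, not verdicts. The DAEMON Tools engine DLL is flagged purely because of its path, and a randomly named driver such as aefygeqa.SYS passes the path test entirely even though a reviewer would want to know which tool created it (anti-rootkit scanners commonly load a transient driver under a random name). The MBR check only proves that the drives share one boot-sector image; comparing that SHA1 against a copy taken from a known-clean XP install is the stronger test.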

#39 Bhinsz84 (Topic Starter, Member)
ComboFix 11-05-05.01 - Administrator 05/05/2011 17:04:37.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3323.2930 [GMT -6:00]
I think this is the log you want. Also, the first time I ran it ComboFix threw an error: "!!alert it is not safe to continue!! contents of combofix have been compromised - download a fresh copy from bleepingcomputer" etc., then says "note you may be infected with a file patching virus 'virut'". The computer then went BSOD with 0x050, and on restart explorer.exe kept hanging up.

ComboFix had automatically uninstalled, so I went back and reinstalled it from the second link you gave me before and ran it with that one. It completed but threw an error on test 5; this was a Windows error, "PEV.cfxxe has encountered a problem..." etc. I clicked Don't Send and ComboFix completed the scan.

I have screenshots of the errors if you want them.

Running from: C:\Documents and Settings\Administrator.BRIANS\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator.BRIANS\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2


((((((((((((((((((((((((( Files Created from 2011-04-06 to 2011-05-06 )))))))))))))))))))))))))))))))


2011-05-02 04:47:49 . 2011-05-02 04:47:49 -------- d-----w- C:\Program Files\Sophos
2011-05-02 03:51:18 . 2011-05-02 03:51:18 -------- d-----w- C:\WINDOWS\system32\wbem\Repository
2011-05-02 02:42:29 . 2011-04-18 17:12:58 19544 ----a-w- C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011-05-02 02:42:28 . 2011-04-18 17:17:34 307288 ----a-w- C:\WINDOWS\system32\drivers\aswSP.sys
2011-05-02 02:42:26 . 2011-04-18 17:17:46 441176 ----a-w- C:\WINDOWS\system32\drivers\aswSnx.sys
2011-05-02 02:42:26 . 2011-04-18 17:16:18 49240 ----a-w- C:\WINDOWS\system32\drivers\aswTdi.sys
2011-05-02 02:42:26 . 2011-04-18 17:13:21 25432 ----a-w- C:\WINDOWS\system32\drivers\aswRdr.sys
2011-05-02 02:42:25 . 2011-04-18 17:16:06 102488 ----a-w- C:\WINDOWS\system32\drivers\aswmon2.sys
2011-05-02 02:42:25 . 2011-04-18 17:16:02 96344 ----a-w- C:\WINDOWS\system32\drivers\aswmon.sys
2011-05-02 02:42:25 . 2011-04-18 17:13:02 30680 ----a-w- C:\WINDOWS\system32\drivers\aavmker4.sys
2011-05-02 02:42:13 . 2011-04-18 17:25:12 40112 ----a-w- C:\WINDOWS\avastSS.scr
2011-05-02 02:42:13 . 2011-04-18 17:25:10 199304 ----a-w- C:\WINDOWS\system32\aswBoot.exe
2011-05-02 01:21:52 . 2011-05-02 01:21:52 -------- d-----w- C:\Program Files\ESET
2011-05-02 01:10:54 . 2011-05-02 01:10:54 -------- d-----w- C:\_OTL
2011-05-01 20:43:23 . 2011-05-01 21:24:37 -------- d-----w- C:\Lop SD
2011-05-01 20:43:23 . 2011-05-01 20:46:58 0 ----a-w- C:\paths.bat
2011-04-22 03:09:01 . 2011-04-22 03:09:01 -------- d-----w- C:\Documents and Settings\Administrator.BRIANS\Application Data\Foxit Software
2011-04-22 02:55:08 . 2011-04-22 02:56:13 -------- d-----w- C:\Program Files\WhoCrashed2
2011-04-22 02:39:47 . 2011-04-08 05:14:00 2074216 ----a-w- C:\WINDOWS\system32\nvcuvenc.dll
2011-04-22 02:18:20 . 2011-04-22 02:18:20 -------- d-sh--w- C:\Documents and Settings\Administrator.BRIANS\IECompatCache
2011-04-22 02:16:30 . 2011-04-22 02:16:36 -------- d-----w- C:\WINDOWS\system32\Adobe
2011-04-22 02:07:14 . 2011-04-22 02:07:14 -------- d-----w- C:\Documents and Settings\All Users.WINDOWS\Application Data\NVIDIA Corporation
2011-04-22 02:06:00 . 2011-04-08 05:14:00 944232 ----a-w- C:\WINDOWS\system32\nvdispco3220140.dll
2011-04-22 02:06:00 . 2011-04-08 05:14:00 855656 ----a-w- C:\WINDOWS\system32\nvgenco322060.dll
2011-04-20 03:12:30 . 2011-04-20 03:12:30 -------- d-----w- C:\Program Files\Western Digital Corporation
2011-04-16 19:55:02 . 2011-05-02 02:42:07 -------- d-----w- C:\Documents and Settings\All Users.WINDOWS\Application Data\AVAST Software
2011-04-16 19:55:02 . 2011-04-16 19:55:02 -------- d-----w- C:\Program Files\AVAST Software
2011-04-16 18:09:59 . 2001-08-18 04:36:34 50688 -c--a-w- C:\WINDOWS\system32\dllcache\umaxscan.dll
2011-04-16 18:08:59 . 2008-04-14 11:42:04 27648 -c--a-w- C:\WINDOWS\system32\dllcache\rw430ext.dll
2011-04-16 18:07:59 . 2008-04-14 06:09:50 5504 -c--a-w- C:\WINDOWS\system32\dllcache\mstee.sys
2011-04-16 18:06:54 . 2001-08-18 04:36:16 372824 -c--a-w- C:\WINDOWS\system32\dllcache\iconf32.dll
2011-04-16 18:05:59 . 2001-08-17 18:10:50 44103 -c--a-w- C:\WINDOWS\system32\dllcache\el515.sys
2011-04-16 18:04:55 . 2001-08-17 19:51:00 13824 -c--a-w- C:\WINDOWS\system32\dllcache\bulltlp3.sys
2011-04-16 17:44:36 . 2011-04-22 02:40:05 259604 ----a-w- C:\WINDOWS\system32\nvdrsdb0.bin
2011-04-16 16:49:17 . 2000-10-05 22:01:06 602244 ----a-w- C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2011-04-16 16:49:17 . 2000-10-05 21:55:44 77824 ----a-w- C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2011-04-16 16:49:17 . 2000-10-05 21:55:22 221184 ----a-w- C:\Program Files\Common Files\InstallShield\IScript\iscript.dll
2011-04-16 16:49:17 . 2000-10-05 21:50:52 221184 ----a-w- C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2011-04-16 16:49:17 . 2000-10-05 21:49:18 32768 ----a-w- C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2011-04-16 16:49:16 . 2011-04-16 16:49:16 -------- d-----w- C:\Documents and Settings\ADMINI~1~BRI
2011-04-16 16:36:03 . 2011-04-16 16:36:03 -------- d-----w- C:\WINDOWS\B9DB4C7601A446D58910F7AA6376DBAF.TMP
2011-04-16 15:58:01 . 2011-04-16 16:17:22 -------- d-----w- C:\Program Files\Driver Cleaner Pro
2011-04-16 01:21:18 . 2011-04-16 01:21:19 -------- d-----w- C:\Program Files\CCleaner
2011-04-16 00:37:03 . 2008-02-27 04:23:18 676224 ----a-w- C:\WINDOWS\system32\OGACheckControl.dll
2011-04-15 04:07:07 . 2011-04-15 04:07:07 -------- d-----w- C:\Program Files\Common Files\Java
2011-04-15 04:06:56 . 2011-04-15 04:06:46 73728 ----a-w- C:\WINDOWS\system32\javacpl.cpl
2011-04-15 04:03:05 . 2011-04-15 04:04:01 -------- d-----w- C:\Program Files\Registry Cleaner
2011-04-08 04:15:38 . 2011-04-08 04:15:38 81920 ----a-w- C:\WINDOWS\system32\nvwddi.dll
2011-04-08 04:15:38 . 2011-04-08 04:15:38 580200 ----a-w- C:\WINDOWS\system32\easyUpdatusAPIU.dll
2011-04-08 04:15:34 . 2011-04-08 04:15:34 277608 ----a-w- C:\WINDOWS\system32\nvmccs.dll
2011-04-08 04:15:34 . 2011-04-08 04:15:34 13891176 ----a-w- C:\WINDOWS\system32\nvcpl.dll
2011-04-08 04:15:34 . 2011-04-08 04:15:34 111208 ----a-w- C:\WINDOWS\system32\nvmctray.dll
2011-04-08 04:15:32 . 2011-04-08 04:15:32 155752 ----a-w- C:\WINDOWS\system32\nvsvc32.exe
2011-04-08 04:15:32 . 2011-04-08 04:15:32 145000 ----a-w- C:\WINDOWS\system32\nvcolor.exe
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-04-15 04:06:45 . 2010-12-28 00:17:46 472808 ----a-w- C:\WINDOWS\system32\deployJava1.dll
2011-04-08 05:14:00 . 2007-10-25 09:17:00 4111232 ----a-w- C:\WINDOWS\system32\nv4_disp.dll
2011-04-08 05:14:00 . 2007-10-25 09:17:00 2027008 ----a-w- C:\WINDOWS\system32\nvapi.dll
2011-04-08 05:14:00 . 2007-10-25 09:17:00 14856192 ----a-w- C:\WINDOWS\system32\nvoglnt.dll
2011-04-08 05:14:00 . 2007-10-25 09:17:00 12501600 ----a-w- C:\WINDOWS\system32\drivers\nv4_mini.sys
2011-03-07 05:33:50 . 2010-11-10 05:44:11 692736 ------w- C:\WINDOWS\system32\inetcomm.dll
2011-03-04 06:37:06 . 2006-05-30 07:28:14 420864 ----a-w- C:\WINDOWS\system32\vbscript.dll
2011-03-03 13:21:11 . 2006-05-30 07:28:14 1857920 ----a-w- C:\WINDOWS\system32\win32k.sys
2011-02-17 13:18:24 . 2006-05-30 07:28:14 455936 ----a-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
2011-02-17 13:18:03 . 2006-05-30 07:28:14 357888 ----a-w- C:\WINDOWS\system32\drivers\srv.sys
2011-02-17 12:32:12 . 2010-11-11 00:09:52 5120 ----a-w- C:\WINDOWS\system32\xpsp4res.dll
2011-02-15 12:56:39 . 2006-05-30 07:28:14 290432 ----a-w- C:\WINDOWS\system32\atmfd.dll
2011-02-09 13:53:52 . 2006-05-30 07:28:14 270848 ----a-w- C:\WINDOWS\system32\sbe.dll
2011-02-09 13:53:52 . 2006-05-30 07:28:14 186880 ----a-w- C:\WINDOWS\system32\encdec.dll
2011-02-08 13:33:55 . 2006-05-30 07:28:14 978944 ----a-w- C:\WINDOWS\system32\mfc42.dll
2011-02-08 13:33:55 . 2006-05-30 07:28:14 974848 ----a-w- C:\WINDOWS\system32\mfc42u.dll


------- Sigcheck -------

Cryptography Services Error !!

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25:04 122512 ----a-w- C:\Program Files\AVAST Software\Avast\ashShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2011-04-08 04:15:34 111208]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2011-04-08 04:15:34 13891176]
"nwiz"="C:\Program Files\NVIDIA Corporation\nView\nwiz.exe" [2011-02-24 08:57:14 1753192]
"avast"="C:\Program Files\AVAST Software\Avast\avastUI.exe" [2011-04-18 17:25:12 3460784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 17:11:34 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.BRIANS^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.SIRSYSTEM^Start Menu^Programs^Startup^Xfire.lnk]
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^DualCoreCenter.lnk]
backup=C:\WINDOWS\pss\DualCoreCenter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Windows Search.lnk]
backup=C:\WINDOWS\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 18:49:34 932288 ----a-w- C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45:14 35736 ----a-w- C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast]
2011-04-18 17:25:12 3460784 ----a-w- C:\Program Files\AVAST Software\Avast\AvastUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12:16 15360 ----a-w- C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-11-11 15:20:18 136176 ----atw- C:\Documents and Settings\Administrator.BRIANS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 18:44:34 31072 ----a-w- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-09-26 08:35:59 162584 ----a-r- C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-09-26 08:36:05 142104 ----a-r- C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveMonitor]
2006-09-05 11:15:58 497152 ----a-w- C:\Program Files\MSI\Live Update 3\LMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12:28 1695232 ------w- C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-04-08 04:15:34 13891176 ----a-w- C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-04-08 04:15:34 111208 ----a-w- C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2011-02-24 08:57:14 1753192 ----a-w- C:\Program Files\NVIDIA Corporation\nView\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-09-26 08:36:01 138008 ----a-r- C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-09-26 08:33:49 303104 ----a-w- C:\WINDOWS\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-12-09 05:10:37 1242448 ----a-w- C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 20:49:28 249064 ----a-w- C:\Program Files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]
2007-10-30 08:37:15 208896 ----a-r- C:\WINDOWS\system32\WinSys2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"iPod Service"=3 (0x3)
"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 07:46:28 130384]
R3 WinRM;Windows Remote Management (WS-Management);C:\WINDOWS\system32\svchost.exe [2008-04-14 00:12:36 14336]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 07:46:28 753504]
S0 sptd;sptd;C:\WINDOWS\System32\Drivers\sptd.sys [2010-11-12 04:04:41 691696]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

Contents of the 'Scheduled Tasks' folder

2011-05-05 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-2025429265-839522115-500Core.job
- C:\Documents and Settings\Administrator.BRIANS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-11 03:51:04 . 2010-11-11 15:20:18]

2011-05-05 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-2025429265-839522115-500UA.job
- C:\Documents and Settings\Administrator.BRIANS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-11 03:51:04 . 2010-11-11 15:20:18]


------- Supplementary Scan -------

uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-05 19:32:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1220945662-2025429265-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f6,1d,cc,31,ea,b6,89,41,9e,f9,9d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f6,1d,cc,31,ea,b6,89,41,9e,f9,9d,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@C:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="C:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1352)
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
C:\WINDOWS\system32\ieframe.dll
C:\WINDOWS\system32\webcheck.dll
C:\WINDOWS\system32\WPDShServiceObj.dll
C:\WINDOWS\system32\PortableDeviceTypes.dll
C:\WINDOWS\system32\PortableDeviceApi.dll

------------------------ Other Running Processes ------------------------

C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\AVAST Software\Avast\setup\avast.setup
C:\WINDOWS\system32\RUNDLL32.EXE

**************************************************************************

Completion time: 2011-05-05 19:32:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-06 01:32:56
ComboFix2.txt 2011-05-01 14:36:05

Pre-Run: 566,431,973,376 bytes free
Post-Run: 566,521,036,800 bytes free

- - End Of File - - E34498EC81A2A10CB48E24194E1F6951

#40 emeraldnzl (GeekU Instructor, GeekU Moderator)
Hello Bhinsz84,

then says note you may be infected with a file patching virus 'virut'


If it is Virut, we are in trouble. The only real solution for that is a complete wipe of the hard drive, i.e. a re-format followed by re-installation.

This infection is a polymorphic file infector. It infects exe files, including essential system files and the tools we use as we use them, hence the response from ComboFix.

We will try a different approach now.

Do you have access to another infection free computer to download to?

If you do please follow the instructions below:

Download these tools to a clean machine and save to a removable device like a flash drive or similar or alternatively burn to a CD. Then transfer to the infected computer.

Firstly:

Please download The Avenger by Swandog46 to your Flash drive.

Secondly:

This is a different version of Dr Web CureIt which is named launch.exe.

Important - you must rename the Dr Web CureIt from launch.exe to launch.com before you save it to the infected machine. You can do this by right-clicking on the folder and selecting Rename.

Another thing: Dr Web automatically reads your operating system. You will most likely be presented with an adapted interface, so you will have to "wing it" (adapt my instructions) to fit the situation. In addition, my instructions are dated now and I haven't had time to test the latest version of Dr Web, so again you will need to just follow the prompts with thought.

Download Dr Web CureIt to the desktop:
  • Double-click the launch.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Post the results of the Dr Web scan back here after you have completed the action below. Unless required to by Dr Web do not reboot your computer between actions.

Next

1. Extract The Avenger:
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\1E.tmp


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

So when you return please post
  • Dr Web results
  • Avenger.txt

#41 Bhinsz84 (Topic Starter, Member, 75 posts)
Here are some notes I took.

3 database failures on the short scan. During the SS, the scanner found that OTL was infected by Trojan.Siggen2.25631: cannot cure, moved. (The same thing happened with all downloads of OTL, including the .com version and .scr versions.) SS complete with 5 viruses found, all the above-mentioned trojan. Running the long scan now, and I will post all results as soon as I wake up in the AM.

So far the only trojans found have been in stuff I've downloaded from here, which makes sense if I do have Virut, since the virus would transfer to newly downloaded exe files. Come to think of it, I wasn't really having any major issues until I downloaded some Windows updates and a new video card driver, which comes with some exe files for Nvidia. Then, thinking I had a different issue, I continued with other programs. I will let you know if those show up (not ones you have asked me to download; stuff I was using before to try to get rid of this).
#42 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
:)

It will be interesting to see what turns up.
#43 Bhinsz84 (Topic Starter, Member, 75 posts)
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\1E.tmp" not found!
Deletion of file "C:\WINDOWS\system32\1E.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.



Here is the Dr Web log, pre virus removal:

OTL (1).com;C:\Documents and Settings\Administrator.BRIANS\My Documents\Downloads;Trojan.Siggen2.25631;Incurable.Moved.;
OTL (1).exe;C:\Documents and Settings\Administrator.BRIANS\My Documents\Downloads;Trojan.Siggen2.25631;Incurable.Moved.;
OTL.com;C:\Documents and Settings\Administrator.BRIANS\My Documents\Downloads;Trojan.Siggen2.25631;Incurable.Moved.;
OTL.exe;C:\Documents and Settings\Administrator.BRIANS\My Documents\Downloads;Trojan.Siggen2.25631;Incurable.Moved.;
OTL.scr;C:\Documents and Settings\Administrator.BRIANS\My Documents\Downloads;Trojan.Siggen2.25631;Incurable.Moved.;
VikPev00;C:\ComboFix;Probably MACRO.SCRIPT.Virus;;
OTL.exe;C:\Documents and Settings\Administrator.BRIANS\Desktop;Trojan.Siggen2.25631;Incurable.Moved.;
Silent Runners.vbs;C:\Documents and Settings\Administrator.BRIANS\Desktop;Probably BATCH.Virus;;
f_0007a1;C:\Documents and Settings\Administrator.BRIANS\Local Settings\Application Data\Google\Chrome\User Data\Default\old_Cache_000;Probably BATCH.Virus;;
A0000197.exe;C:\System Volume Information\_restore{21734CDE-3BD4-4FE5-A256-E0ED6AD08D84}\RP1;Trojan.Siggen2.25631;Incurable.Moved.;
A0002496.exe;C:\System Volume Information\_restore{21734CDE-3BD4-4FE5-A256-E0ED6AD08D84}\RP6;Trojan.Siggen2.25631;Incurable.Moved.;


Here is a second log I saved after removing what I could:


OTL (1).com;C:\Documents and Settings\Administrator.BRIANS\My Documents\Downloads;Trojan.Siggen2.25631;Incurable.Moved.;
OTL (1).exe;C:\Documents and Settings\Administrator.BRIANS\My Documents\Downloads;Trojan.Siggen2.25631;Incurable.Moved.;
OTL.com;C:\Documents and Settings\Administrator.BRIANS\My Documents\Downloads;Trojan.Siggen2.25631;Incurable.Moved.;
OTL.exe;C:\Documents and Settings\Administrator.BRIANS\My Documents\Downloads;Trojan.Siggen2.25631;Incurable.Moved.;
OTL.scr;C:\Documents and Settings\Administrator.BRIANS\My Documents\Downloads;Trojan.Siggen2.25631;Incurable.Moved.;
VikPev00;C:\ComboFix;Probably MACRO.SCRIPT.Virus;Incurable.Deleted.;
OTL.exe;C:\Documents and Settings\Administrator.BRIANS\Desktop;Trojan.Siggen2.25631;Incurable.Moved.;
Silent Runners.vbs;C:\Documents and Settings\Administrator.BRIANS\Desktop;Probably BATCH.Virus;Incurable.Deleted.;
f_0007a1;C:\Documents and Settings\Administrator.BRIANS\Local Settings\Application Data\Google\Chrome\User Data\Default\old_Cache_000;Probably BATCH.Virus;Incurable.Deleted.;
A0000197.exe;C:\System Volume Information\_restore{21734CDE-3BD4-4FE5-A256-E0ED6AD08D84}\RP1;Trojan.Siggen2.25631;Incurable.Moved.;
A0002496.exe;C:\System Volume Information\_restore{21734CDE-3BD4-4FE5-A256-E0ED6AD08D84}\RP6;Trojan.Siggen2.25631;Incurable.Moved.;


After the restart Avast updated on its own. Still cannot access Security Center.
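A small added example for reading a DrWeb.csv like the two logs above. It is not code from this thread or from Dr.Web; the field layout (file name; directory; threat name; action taken; with a trailing semicolon) is inferred from the posted lines, and the four sample lines are copied from the report in this post. It pulls out the three things a helper would look at first: detections with no action recorded (the object is still on disk), heuristic "Probably ..." verdicts, and copies sitting under System Volume Information, which are System Restore snapshots that a cleaner cannot fix in place and that are normally cleared by purging restore points.

```python
"""Parse and triage a Dr.Web CureIt report (DrWeb.csv).

Added example, not Dr.Web code or code from this thread.  The field layout is
inferred from the posted log lines:

    file name ; directory ; threat name ; action taken ;

The trailing ';' leaves an empty last field, and an empty "action" field means
CureIt reported the object but has not yet cured, moved or deleted it.
"""
from collections import Counter
from dataclasses import dataclass

# Sample lines copied from the report posted in this thread (raw string so the
# backslashes in the Windows paths are kept literally).
SAMPLE_REPORT = r"""
OTL.exe;C:\Documents and Settings\Administrator.BRIANS\Desktop;Trojan.Siggen2.25631;Incurable.Moved.;
VikPev00;C:\ComboFix;Probably MACRO.SCRIPT.Virus;;
Silent Runners.vbs;C:\Documents and Settings\Administrator.BRIANS\Desktop;Probably BATCH.Virus;;
A0000197.exe;C:\System Volume Information\_restore{21734CDE-3BD4-4FE5-A256-E0ED6AD08D84}\RP1;Trojan.Siggen2.25631;Incurable.Moved.;
"""


@dataclass(frozen=True)
class Detection:
    name: str
    directory: str
    threat: str
    action: str  # "" when CureIt only reported the object

    @property
    def path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name

    @property
    def heuristic(self) -> bool:
        # Dr.Web prefixes heuristic (non-signature) verdicts with "Probably".
        return self.threat.startswith("Probably ")

    @property
    def in_restore_point(self) -> bool:
        # System Restore keeps its own copies of files under
        # "System Volume Information\_restore{...}\RPn".  A cleaner cannot
        # repair those in place; the usual fix is to purge restore points.
        return "\\system volume information\\" in (self.directory + "\\").lower()


def parse_report(text: str) -> list[Detection]:
    """Turn the report text into Detection records, one per non-empty line."""
    detections: list[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if fields[-1] == "":          # drop the empty field after the final ';'
            fields.pop()
        if len(fields) < 3:
            raise ValueError(f"malformed report line: {raw!r}")
        name, directory, threat = fields[:3]
        action = fields[3] if len(fields) > 3 else ""
        detections.append(Detection(name, directory, threat, action))
    return detections


def count_by_threat(detections: list[Detection]) -> Counter:
    return Counter(d.threat for d in detections)


def unhandled(detections: list[Detection]) -> list[Detection]:
    """Detections with no action recorded: still on disk, still need a decision."""
    return [d for d in detections if not d.action]


def in_restore_points(detections: list[Detection]) -> list[Detection]:
    return [d for d in detections if d.in_restore_point]


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    for threat, n in count_by_threat(dets).most_common():
        print(f"{n:3d}  {threat}")
    print("no action yet:", [d.path for d in unhandled(dets)])
    print("in restore points:", [d.path for d in in_restore_points(dets)])
    print("heuristic only:", [d.path for d in dets if d.heuristic])
```

Run it against a real DrWeb.csv by passing the file contents to parse_report. A file name containing a semicolon would throw the field split off; the report format gives no quoting, so that case is left as a ValueError or a mis-parsed line rather than guessed at.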
#44 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hi Bhinsz84,

Hmm... if it is Virut we may still be in trouble. Let's see if there is a remnant AV stopping things working properly.

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

#45 Bhinsz84 (Topic Starter, Member, 75 posts)
Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
avast! Free Antivirus
ESET Online Scanner v3
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
DH Driver Cleaner Professional Edition
Registry Cleaner 2.1
Java™ 6 Update 24
Out of date Java installed!
Adobe Flash Player 10.2.153.1
Adobe Reader X (10.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
``````````End of Log````````````