
Some help would be very much appreciated


  • This topic is locked This topic is locked

#16 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Looks good, we are slowly narrowing down the areas of infection.

Could you run ComboFix again, but with a difference:

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file and save it as it is originally named.

Note: If you have SP3, use the SP2 package.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.



  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.


#17 Picardinal (Member, Topic Starter, 15 posts)
Hey. Sorry it took so long for me to reply. Different time zones.

So I followed your instructions. ComboFix began to create a restore point when I got the same message as before, halfway through:

"boot partition cannot be enumerated correctly"

Even got an image of it this time.


This time it gave me the option not to scan so I clicked no.

Shall I just do the ComboFix scan without the restore point anyway?

Don't think my HDD is damaged, no problems with the Windows error fix tool. I'm sure it's just the hackers' way of going 'no - no creating a restore point we don't control' :)

Thanks for your time.

Let me know what to do next.

Edited by Picardinal, 02 June 2011 - 05:16 AM.


#18 Picardinal (Member, Topic Starter, 15 posts)
OK.

I've gone ahead and run ComboFix anyway.

Here is the log.

ComboFix 11-06-01.07 - Owner 02/06/2011 12:31:21.3.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2382 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2011-05-02 to 2011-06-02 )))))))))))))))))))))))))))))))
.
.
2011-06-01 21:21 . 2011-06-01 21:21 -------- d-----w- c:\program files\Microsoft
2011-06-01 21:20 . 2011-06-01 21:20 -------- d-----w- c:\program files\Windows Live SkyDrive
2011-06-01 21:20 . 2011-06-01 21:21 -------- d-----w- c:\program files\Windows Live
2011-06-01 21:17 . 2011-06-01 21:17 -------- d-----w- c:\program files\Common Files\Windows Live
2011-06-01 20:44 . 2011-06-01 20:44 711728 ----a-w- c:\windows\isRS-000.tmp
2011-05-31 21:57 . 2011-05-31 21:57 -------- d-----w- C:\_OTL
2011-05-31 21:56 . 2011-05-31 21:56 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-31 20:16 . 2011-02-22 23:06 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-05-31 20:16 . 2011-05-31 20:16 -------- dc-h--w- c:\windows\ie8
2011-05-31 16:10 . 2011-05-31 16:10 -------- d-----w- c:\program files\Trend Micro
2011-05-31 09:27 . 2011-05-09 20:46 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{ACC6D76F-3E24-4DB4-94C1-4FF121BD5341}\mpengine.dll
2011-05-29 17:57 . 2011-05-29 17:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-05-29 17:53 . 2011-05-29 17:59 -------- d-----w- c:\program files\CCleaner
2011-05-29 17:52 . 2011-05-29 17:52 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-05-29 17:52 . 2011-05-29 17:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2011-05-29 17:52 . 2011-05-29 17:54 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Google
2011-05-29 02:23 . 2011-05-29 02:23 -------- d-----w- c:\program files\Microsoft Network Monitor 3
2011-05-24 16:50 . 2011-05-24 16:56 -------- d-----w- C:\Netgear
2011-05-23 17:07 . 2011-05-23 17:07 -------- d-----w- c:\documents and settings\Administrator.JOHNS.000
2011-05-09 22:13 . 2011-05-09 22:13 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-09 22:13 . 2011-05-09 22:13 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-09 22:13 . 2011-05-09 22:13 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-09 22:13 . 2011-05-09 22:13 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-09 22:13 . 2011-05-09 22:13 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-09 22:13 . 2011-05-09 22:13 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-09 22:13 . 2011-05-09 22:13 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-09 22:13 . 2011-05-09 22:13 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 08:11 . 2010-04-01 10:46 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 08:11 . 2010-04-01 10:46 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-25 16:17 . 2010-05-26 13:29 3888 ----a-w- c:\windows\system32\drivers\NTHANDLE.SYS
2011-05-09 20:46 . 2011-01-04 04:33 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-04-29 07:26 . 2011-04-29 07:26 51400 ----a-w- c:\windows\system32\drivers\GDTdiIcpt.sys
2011-04-29 07:26 . 2011-04-29 07:26 29640 ----a-w- c:\windows\system32\drivers\GDNdisIc.sys
2011-04-29 07:26 . 2011-04-29 07:26 62024 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys
2011-04-29 07:26 . 2011-04-29 07:26 33480 ----a-w- c:\windows\system32\drivers\GDBehave.sys
2011-04-29 07:22 . 2011-04-29 07:26 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-03-07 05:33 . 2009-01-05 21:23 692736 ----a-w- c:\windows\system32\inetcomm.dll
2010-06-25 04:06 . 2010-06-25 04:06 1663664 ----a-w- c:\program files\InstallWoW(2).exe
2011-05-09 22:13 . 2011-05-09 22:13 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-06-01_19.34.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-16 21:12 . 2010-04-16 21:12 48464 c:\windows\system32\sirenacm.dll
+ 2011-06-01 21:21 . 2011-06-01 21:21 27136 c:\windows\Installer\1d0140.msi
+ 2011-06-01 21:20 . 2011-06-01 21:20 83456 c:\windows\Installer\1d012a.msi
+ 2011-06-01 21:20 . 2011-06-01 21:20 58880 c:\windows\Installer\1d0125.msi
+ 2011-06-01 21:20 . 2011-06-01 21:20 61272 c:\windows\Installer\{E6158D07-2637-4ECF-B576-37C489669174}\IconWlc.exe
+ 2011-06-01 21:21 . 2011-06-01 21:21 80395 c:\windows\Installer\{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}\MsblIco.Exe
+ 2011-06-01 21:21 . 2011-06-01 21:21 429056 c:\windows\Installer\1d014b.msi
+ 2011-06-01 21:21 . 2011-06-01 21:21 155648 c:\windows\Installer\1d0145.msi
+ 2011-06-01 21:21 . 2011-06-01 21:21 140288 c:\windows\Installer\1d013b.msi
+ 2011-06-01 21:20 . 2011-06-01 21:20 202752 c:\windows\Installer\1d0134.msi
+ 2011-06-01 21:20 . 2011-06-01 21:20 149504 c:\windows\Installer\1d012f.msi
+ 2011-06-01 21:20 . 2011-06-01 21:20 107008 c:\windows\Installer\1d0120.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-08-30 1966080]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-10-09 1036288]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-07 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 16:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCsoft Launcher]
2011-04-25 20:45 38184 ----a-w- c:\program files\NCsoft\Launcher\NCLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-12-03 16:46 14944136 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-18 15:42 1242448 ----a-w- c:\program files\Steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSSQL$SQLEXPRESS"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"gupdate"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MsMpSvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16755\\SC2.exe"=
"c:\\Program Files\\GRETECH\\GomTVStreamer\\GomTVStreamerLive.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16939\\SC2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base17326\\SC2.exe"=
"c:\\Program Files\\Steam\\steamapps\\j_azonic69\\counter-strike\\hl.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base18092\\SC2.exe"=
"c:\\windows\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base18574\\SC2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"1035:TCP"= 1035:TCP:*:Disabled:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:*:Disabled:Akamai NetSession Interface
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [08/04/2009 23:05 722416]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [01/04/2010 11:46 366640]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [26/03/2010 03:33 33792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [01/04/2010 11:46 22712]
S1 archlp;archlp;c:\windows\system32\drivers\archlp.sys --> c:\windows\system32\drivers\archlp.sys [?]
S1 ArcSec;ArcSec;c:\windows\system32\drivers\ArcSec.sys --> c:\windows\system32\drivers\ArcSec.sys [?]
S1 MpKsl0b1304da;MpKsl0b1304da;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C5F556CB-BA6A-4731-AC23-AF5199095FE6}\MpKsl0b1304da.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C5F556CB-BA6A-4731-AC23-AF5199095FE6}\MpKsl0b1304da.sys [?]
S1 MpKsl0f972cf6;MpKsl0f972cf6;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D58C8A8-BF2B-4A3D-8650-D5A1E18FA361}\MpKsl0f972cf6.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D58C8A8-BF2B-4A3D-8650-D5A1E18FA361}\MpKsl0f972cf6.sys [?]
S1 MpKsl166e1f29;MpKsl166e1f29;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C6E44A99-A2C5-4BBF-9B3B-0E094FDE885C}\MpKsl166e1f29.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C6E44A99-A2C5-4BBF-9B3B-0E094FDE885C}\MpKsl166e1f29.sys [?]
S1 MpKsl3afba7fa;MpKsl3afba7fa;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{45AC6D86-3EAA-4EE8-8B57-D665EA389528}\MpKsl3afba7fa.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{45AC6D86-3EAA-4EE8-8B57-D665EA389528}\MpKsl3afba7fa.sys [?]
S1 MpKsl5434aeeb;MpKsl5434aeeb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C6E44A99-A2C5-4BBF-9B3B-0E094FDE885C}\MpKsl5434aeeb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C6E44A99-A2C5-4BBF-9B3B-0E094FDE885C}\MpKsl5434aeeb.sys [?]
S1 MpKsl56d633f3;MpKsl56d633f3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C6E44A99-A2C5-4BBF-9B3B-0E094FDE885C}\MpKsl56d633f3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C6E44A99-A2C5-4BBF-9B3B-0E094FDE885C}\MpKsl56d633f3.sys [?]
S1 MpKsl825ef1ae;MpKsl825ef1ae;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1A86B192-3FAF-47C3-B845-E366FEB7C67C}\MpKsl825ef1ae.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1A86B192-3FAF-47C3-B845-E366FEB7C67C}\MpKsl825ef1ae.sys [?]
S1 MpKsl87979db1;MpKsl87979db1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D10A9F4F-E573-4F9A-9344-60942C9AFABE}\MpKsl87979db1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D10A9F4F-E573-4F9A-9344-60942C9AFABE}\MpKsl87979db1.sys [?]
S1 MpKsl8be755e8;MpKsl8be755e8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C6E44A99-A2C5-4BBF-9B3B-0E094FDE885C}\MpKsl8be755e8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C6E44A99-A2C5-4BBF-9B3B-0E094FDE885C}\MpKsl8be755e8.sys [?]
S1 MpKslc76ded27;MpKslc76ded27;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C6E44A99-A2C5-4BBF-9B3B-0E094FDE885C}\MpKslc76ded27.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C6E44A99-A2C5-4BBF-9B3B-0E094FDE885C}\MpKslc76ded27.sys [?]
S1 MpKslcfb92932;MpKslcfb92932; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
S4 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; [x]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 28312893
*Deregistered* - 28312893
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
DPF: {3B89785B-4E94-400A-8705-5841B14063A7} - hxxp://www.arcsoft.com/data/SimHDAss.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vd058cvj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-02 12:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2800)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-06-02 12:37:14
ComboFix-quarantined-files.txt 2011-06-02 11:37
ComboFix2.txt 2011-06-01 19:36
ComboFix3.txt 2011-04-29 14:41
.
Pre-Run: 144,955,338,752 bytes free
Post-Run: 144,993,583,104 bytes free
.
- - End Of File - - 62309814AE09987503D521EF484F2AC9
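An added example, not code from this thread or from ComboFix's authors: a small Python triage helper for the "Reg Loading Points" and service lines of a log in the format posted above. The sample log is constructed in that format (its "Updater" Run entry is invented), and the user-writable-path heuristic is an assumption chosen for the example, not a ComboFix rule.

```python
"""Triage helper for the 'Reg Loading Points' and service lines of a ComboFix log."""
import re

# Constructed sample in ComboFix's log format; it is NOT the log posted in
# this thread, and the "Updater" Run entry is an invented illustration.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-10-09 1036288]
"Updater"="c:\documents and settings\Owner\Local Settings\Temp\upd.exe" [2011-06-01 51200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [08/04/2009 23:05 722416]
S1 archlp;archlp;c:\windows\system32\drivers\archlp.sys --> c:\windows\system32\drivers\archlp.sys [?]
S1 MpKslcfb92932;MpKslcfb92932; [x]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                                # [HKEY_...] headers
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')    # "name"="path" [date size]
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.IGNORECASE)
# start type (R0/S1/...), service name, display name, image path, trailing [date size] / [?] / [x]
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[([^\]]*)\]$")

# Autostart entries living under these user-writable locations deserve a second
# look by hand (heuristic chosen for this example, not a ComboFix rule).
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\appdata\\")


def triage(log_text):
    """Return autostart and service entries worth checking by hand."""
    findings = {"run_in_user_writable": [], "unresolved_services": [], "monitoring_disabled": []}
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":           # ComboFix separates blocks with lone dots
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section and section.endswith("\\run"):
            m = RUN_VALUE_RE.match(line)
            if m and any(marker in m.group(2).lower() for marker in USER_WRITABLE):
                findings["run_in_user_writable"].append((m.group(1), m.group(2)))
            continue
        # A third-party AV legitimately sets DisableMonitoring=1 for itself; the
        # check is whether the product named here matches the one ComboFix listed as enabled.
        if section and "security center\\monitoring" in section and DISABLE_RE.match(line):
            findings["monitoring_disabled"].append(section.rsplit("\\", 1)[-1])
            continue
        m = SERVICE_RE.match(line)
        # ComboFix prints [?] when it could not verify the image file and [x]
        # when the service's binary could not be found at all.
        if m and m.group(5) in ("?", "x"):
            findings["unresolved_services"].append((m.group(1), m.group(2), m.group(5)))
    return findings


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

Entries it lists are starting points for manual checking (file dates, publisher, whether the product is actually installed), not verdicts.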

#19 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
I am nothing if not persistent - I will continue to try and track this down for you as long as you are happy to try. On completion of this run could you enumerate the problems for me please?

Download AVP Tool

First we will run a virus scan.

On the first tab select all elements down to and including Computer, and then select Start scan.
Once it has finished, select Report and post that.


Do not close AVPTool or it will self-uninstall; if it does uninstall, then just rerun the setup file on your desktop.

Now an analysis scan:

Select the Manual Disinfection tab.
Press the Gather System Information button.
Once done, open the last report saved folder, then attach the zip file to your next post.
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip


#20 Picardinal (Member, Topic Starter, 15 posts)
Hey, thanks for being patient with me. I'm very happy to continue as I want to stop worrying about who's browsing through my system.

I'm happy to keep trying as for various reasons I just cannot format right now.

I'm only 2% into this scan and already three files have popped up saying 'password protected' - even though I have nothing like that on my system - to my knowledge.

Hope they show up in the report. I'll paste the results when it's done.

Looks like it's going to be a long scan.

Thanks again.

Edited by Picardinal, 02 June 2011 - 11:14 AM.


#21 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Password-protected files are not a problem, it just means that the AV cannot scan the contents. The main area of interest will be the analysis report at the end (that only takes a few minutes to run).

#22 Picardinal (Member, Topic Starter, 15 posts)
First part of the scan is done. Definitely found some stuff I think.

Do you want Critical or All events posted?

I will now move onto stage 2.

Will post both when I'm done, and you reply.

Thanks again.

#23 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Just the criticals will do :) The analysis should not take too long.

#24 Picardinal (Member, Topic Starter, 15 posts)
OK so I had to go sort some stuff out with family/work the last time I posted here.

When I came back to continue this, I must've awoken a sleeping beast because I couldn't get my computer to do anything.

I thought sod it, system restored, safe mode scanned with Avira - so I could at least get back to a working desktop etc.

However - during this process I think I've found the cause of a lot of my problems. I don't know how to solve it, but I think I've found the key:

Two things:

1) Here is a small part of my Avira log; it shows some of the infections to be in old system restore files.

C:\System Volume Information\_restore{34E59A87-20D6-4090-BC0E-4F2D5D763A04}\RP888\A0225641.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4d32ecf6.qua'.
C:\System Volume Information\_restore{34E59A87-20D6-4090-BC0E-4F2D5D763A04}\RP886\A0224517.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '55a5c351.qua'.
C:\System Volume Information\_restore{34E59A87-20D6-4090-BC0E-4F2D5D763A04}\RP886\A0224271.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '07fa99b9.qua'.
C:\System Volume Information\_restore{34E59A87-20D6-4090-BC0E-4F2D5D763A04}\RP884\A0222963.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

Now, try as any virus program might, these can't be removed. Avira just detects them over and over.

I suppose I need to release/purge/whatever the locking on system restore.

Problem there is:

1) I don't fully know how.
2) When I attempted the first steps towards doing this - I got this message:

"The C:\boot.ini file can not be opened. Operating system and timout settings can not be changed"

So I can't even change my settings to unlock the restore files.

Clever hackers, stopping me from even getting to the files.

Help plz.

Thanks for your time.

Edited by Picardinal, 05 June 2011 - 04:22 AM.


#25 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
As they are in system restore then generally they are impotent unless you restore your system... I will purge them at the end for you.

Did you get the AVP analysis run done?


#26 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.