Cannot run virus scans or OTL


This topic is locked

#1 nycmon (Member, 29 posts)
I guess my computer is infected pretty badly, since I can't really do anything at this point as far as trying to remove this infection...

Originally I used NOD32, but 2 days ago I started getting these Windows Security popups for all these trusted programs asking if I want to unblock them. Then NOD32 real-time protection tells me there are over 200 threats and that only 1 was successfully cleaned... but it seemed like the files being reported are legitimate files such as Apple mobile devices, Adobe Acrobat, Google Chrome etc. All these files failed to be cleaned according to NOD32...
Assuming that NOD32 had been compromised, I tried to repair and then uninstall NOD32, to no avail. Then I tried to d/l and install various other AV products: STOPzilla, AVG, Malwarebytes, BitDefender, etc. I could not even complete installation for most. Malwarebytes and STOPzilla seemed to install, but they could not launch any scanners. I have tried the above steps in normal and safe mode... can't scan in safe mode either.

I downloaded and ran OTL; no problem downloading or executing OTL. However, when I click on Quick Scan it will exit after about 3 seconds, and afterwards the exe/scr/com files will not execute and I get the message:
"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

I used exeHelper, which reset the file association and let me try to run OTL again. OTL did the same thing and exited again, after which clicking on OTL again gives me the previous message again. I assumed this would loop forever, so I stopped at this point. I do not have an OTL report to post but would love to be able to post one.

I got desperate and looked through other similar forum posts and tried some solutions, and I was able to get ComboFix to run; here is the log.
Thank you for your time and help!

**UPDATE** - I was able to go into safe mode and change permissions on the files (XP Home, so I cannot change security permissions from normal Windows). I was then able to run OTL, HijackThis, Win32kDiag, and rkill... just scans with the logs; I did not do any fixes or anything since I'm not sure what I should be removing etc. I tried to run them in normal Windows as well, but it seems once I went out of safe mode the virus was able to change permissions again. OTL and HijackThis both started but exited after a few secs... when I try to run them again, their permissions had been changed to deny me access once again. I'm not sure if I should be attaching the logs yet and did not want to clutter up this post... I will attach or copy/paste if needed.
Thank you!


ComboFix 11-07-21.02 - Compaq_Owner 07/21/2011 16:34:40.3.1 - x86
Running from: c:\documents and settings\Compaq_Owner\Desktop\Combo-Fix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_MSIL\desktop.ini
.
---- Previous Run -------
.
c:\documents and settings\Administrator.FAMILY\WINDOWS
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Compaq_Owner\Application Data\FFSJ
c:\documents and settings\Compaq_Owner\Application Data\FFSJ\FFSJ.cfg
c:\documents and settings\Compaq_Owner\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\JP\WINDOWS
c:\program files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\ps2.bat
.
.
((((((((((((((((((((((((( Files Created from 2011-06-21 to 2011-07-21 )))))))))))))))))))))))))))))))
.
.
2011-07-21 13:40 . 2011-07-21 20:28 -------- d-----w- C:\Combo-Fix
2011-07-21 13:04 . 2011-07-21 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-07-21 05:36 . 2011-07-21 05:36 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2011-07-21 05:36 . 2011-07-21 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-07-21 05:36 . 2011-07-21 05:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-21 04:50 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-21 04:49 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-21 02:54 . 2011-07-21 02:54 -------- d-----w- c:\program files\ACW
2011-07-21 02:28 . 2011-07-21 14:01 -------- d-----w- c:\documents and settings\JP
2011-07-20 14:35 . 2011-07-20 14:35 388096 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-20 14:35 . 2011-07-20 14:35 -------- d-----w- c:\program files\Trend Micro
2011-07-19 23:53 . 2011-07-19 23:53 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\QuickScan
2011-07-19 22:13 . 2011-07-19 22:13 -------- d-----w- c:\program files\ESET
2011-07-19 16:18 . 2011-07-19 16:18 1152 ----a-w- c:\windows\system32\windrv.sys
2011-07-19 16:17 . 2011-07-20 20:28 -------- d-----w- c:\program files\SpyNoMore
2011-07-19 16:17 . 2011-07-19 16:17 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\GetRightToGo
2011-07-19 14:50 . 2011-07-19 14:50 -------- d-----w- c:\program files\Common Files\iS3
2011-07-19 14:50 . 2011-07-20 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-07-18 17:41 . 2011-07-18 17:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2011-07-18 16:45 . 2011-07-18 16:45 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\RoboForm
2011-07-08 14:57 . 2011-07-08 14:57 532480 ----a-w- c:\windows\system32\WPB1003_ŽÑˆ»3.scr
2011-07-08 14:57 . 2011-07-08 14:57 -------- d-----w- c:\windows\system32\WPB1003_ŽÑˆ»3 dir
2011-07-08 14:57 . 2011-07-08 14:57 532480 ----a-w- c:\windows\system32\WPB1003_ŽÑˆ»2.scr
2011-07-08 14:57 . 2011-07-08 14:57 -------- d-----w- c:\windows\system32\WPB1003_ŽÑˆ»2 dir
2011-07-08 14:57 . 2011-07-08 14:57 532480 ----a-w- c:\windows\system32\WPB1003_ŽÑˆ»1.scr
2011-07-08 14:57 . 2011-07-08 14:57 -------- d-----w- c:\windows\system32\WPB1003_ŽÑˆ»1 dir
2011-07-08 14:51 . 2011-07-08 14:51 -------- d-----w- c:\windows\system32\v_269_ss2 dir
2011-07-08 14:51 . 2011-07-08 14:51 203264 ----a-w- c:\windows\system32\v_269_ss2.scr
2011-07-08 14:51 . 2011-07-08 14:52 -------- d-----w- c:\windows\system32\v_269_ss1 dir
2011-07-08 14:51 . 2011-07-08 14:51 203264 ----a-w- c:\windows\system32\v_269_ss1.scr
2011-07-08 14:44 . 2011-07-08 14:44 503892 ----a-w- c:\windows\v_322_ss2Uninst.exe
2011-07-08 14:44 . 2011-07-08 14:44 1308501 ----a-w- c:\windows\v_322_ss2.scr
2011-07-08 14:43 . 2011-07-08 14:43 503892 ----a-w- c:\windows\v_322_ss1Uninst.exe
2011-07-08 14:43 . 2011-07-08 14:43 1118130 ----a-w- c:\windows\v_322_ss1.scr
2011-07-08 14:43 . 2011-07-08 14:43 503892 ----a-w- c:\windows\v_360_ss2Uninst.exe
2011-07-08 14:43 . 2011-07-08 14:43 1422643 ----a-w- c:\windows\v_360_ss2.scr
2011-07-08 14:42 . 2011-07-08 14:42 503892 ----a-w- c:\windows\v_360_ss1Uninst.exe
2011-07-08 14:42 . 2011-07-08 14:42 1199595 ----a-w- c:\windows\v_360_ss1.scr
2011-07-08 14:36 . 2011-07-08 14:44 -------- d-----w- c:\windows\system32\WPB810_3 dir
2011-07-08 14:36 . 2011-07-08 14:36 532480 ----a-w- c:\windows\system32\WPB810_3.scr
2011-07-08 14:36 . 2011-07-08 14:54 -------- d-----w- c:\windows\system32\WPB810_ŽÑˆ»2 dir
2011-07-08 14:36 . 2011-07-08 14:36 532480 ----a-w- c:\windows\system32\WPB810_ŽÑˆ»2.scr
2011-07-08 14:35 . 2011-07-08 14:47 -------- d-----w- c:\windows\system32\WPB810_ŽÑˆ»1 dir
2011-07-08 14:35 . 2011-07-08 14:35 532480 ----a-w- c:\windows\system32\WPB810_ŽÑˆ»1.scr
2011-07-08 14:33 . 2011-07-08 14:33 503892 ----a-w- c:\windows\v_310_ss2Uninst.exe
2011-07-08 14:33 . 2011-07-08 14:33 1521079 ----a-w- c:\windows\v_310_ss2.scr
2011-07-08 14:32 . 2011-07-08 14:32 503892 ----a-w- c:\windows\v_310_ss1Uninst.exe
2011-07-08 14:32 . 2011-07-08 14:32 1217107 ----a-w- c:\windows\v_310_ss1.scr
2011-07-08 14:31 . 2011-07-08 14:31 503892 ----a-w- c:\windows\v_294_ss2Uninst.exe
2011-07-08 14:31 . 2011-07-08 14:31 1381093 ----a-w- c:\windows\v_294_ss2.scr
2011-07-08 14:31 . 2011-07-08 14:31 503892 ----a-w- c:\windows\v_294_ss1Uninst.exe
2011-07-08 14:31 . 2011-07-08 14:31 1136767 ----a-w- c:\windows\v_294_ss1.scr
2011-07-08 14:30 . 2011-07-08 14:30 503891 ----a-w- c:\windows\v_287_ss2Uninst.exe
2011-07-08 14:30 . 2011-07-08 14:30 1714122 ----a-w- c:\windows\v_287_ss2.scr
2011-07-08 14:29 . 2011-07-08 14:29 503892 ----a-w- c:\windows\v_287_ss1Uninst.exe
2011-07-08 14:29 . 2011-07-08 14:29 1170379 ----a-w- c:\windows\v_287_ss1.scr
2011-07-08 14:26 . 2011-07-08 14:26 -------- d-----w- c:\windows\system32\v_273_ss2 dir
2011-07-08 14:23 . 2011-07-08 14:26 203264 ----a-w- c:\windows\system32\v_273_ss2.scr
2011-07-08 14:22 . 2011-07-08 14:23 -------- d-----w- c:\windows\system32\v_273_ss1 dir
2011-07-08 14:22 . 2011-07-08 14:22 203264 ----a-w- c:\windows\system32\v_273_ss1.scr
2011-07-08 14:19 . 2011-07-08 14:19 -------- d-----w- c:\windows\system32\v_239_ss1 dir
2011-07-08 14:19 . 2011-07-08 14:19 201728 ----a-w- c:\windows\system32\v_239_ss1.scr
2011-07-08 14:17 . 2011-07-08 14:18 4727391 ----a-w- c:\windows\WPB603_ŽÑˆ»3.exe
2011-07-08 14:17 . 2011-07-08 14:18 467536 ----a-w- c:\windows\WPB603_ŽÑˆ»3.scr
2011-07-08 14:17 . 2011-07-08 14:18 5338153 ----a-w- c:\windows\WPB603_ŽÑˆ»2.exe
2011-07-08 14:17 . 2011-07-08 14:18 467536 ----a-w- c:\windows\WPB603_ŽÑˆ»2.scr
2011-07-08 14:15 . 2011-07-08 14:17 4788965 ----a-w- c:\windows\WPB603_ŽÑˆ»1.exe
2011-07-08 14:15 . 2011-07-08 14:18 29696 ----a-w- c:\windows\mickey32.dll
2011-07-08 14:15 . 2011-07-08 14:17 467536 ----a-w- c:\windows\WPB603_ŽÑˆ»1.scr
2011-06-25 14:52 . 2011-07-21 02:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-08 14:57 . 2011-07-08 14:57 532480 ----a-w- c:\windows\system32\WPB1003_ŽÑˆ»3.scr
2011-07-08 14:57 . 2011-07-08 14:57 532480 ----a-w- c:\windows\system32\WPB1003_ŽÑˆ»2.scr
2011-07-08 14:57 . 2011-07-08 14:57 532480 ----a-w- c:\windows\system32\WPB1003_ŽÑˆ»1.scr
2011-07-08 14:36 . 2011-07-08 14:36 532480 ----a-w- c:\windows\system32\WPB810_ŽÑˆ»2.scr
2011-07-08 14:35 . 2011-07-08 14:35 532480 ----a-w- c:\windows\system32\WPB810_ŽÑˆ»1.scr
2011-07-08 14:18 . 2011-07-08 14:17 4727391 ----a-w- c:\windows\WPB603_ŽÑˆ»3.exe
2011-07-08 14:18 . 2011-07-08 14:17 467536 ----a-w- c:\windows\WPB603_ŽÑˆ»3.scr
2011-07-08 14:18 . 2011-07-08 14:17 5338153 ----a-w- c:\windows\WPB603_ŽÑˆ»2.exe
2011-07-08 14:18 . 2011-07-08 14:17 467536 ----a-w- c:\windows\WPB603_ŽÑˆ»2.scr
2011-07-08 14:17 . 2011-07-08 14:15 4788965 ----a-w- c:\windows\WPB603_ŽÑˆ»1.exe
2011-07-08 14:17 . 2011-07-08 14:15 467536 ----a-w- c:\windows\WPB603_ŽÑˆ»1.scr
2011-06-06 19:55 . 2011-06-06 19:55 47512 ----a-w- c:\windows\system32\AdobePDF.dll
2011-06-06 19:55 . 2011-06-06 19:55 22936 ----a-w- c:\windows\system32\AdobePDFUI.dll
2011-06-06 00:58 . 2011-06-06 00:58 53248 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-06-06 00:57 . 2011-06-06 00:57 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-06-02 14:02 . 2004-08-04 05:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-04 08:52 . 2010-09-23 01:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2009-08-21 22:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2004-08-04 05:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 05:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-04 05:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2004-08-04 05:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2004-08-04 05:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2004-08-04 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-04 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-04 05:00 385024 ----a-w- c:\windows\system32\html.iec
2006-05-03 16:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 17:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 19:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-06-29 . 02E2754D3E566C11A4934825920C47DD . 634632 . . [7.00.6000.21073] . . c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\iexplore.exe
[7] 2009-04-25 . 092A7F2B49A19ECCE5369D3CB2276148 . 636088 . . [7.00.6000.16850] . . c:\windows\ie7updates\KB972260-IE7\iexplore.exe
[7] 2009-04-25 . C0503FD8D163652735C1EE900672A75C . 636088 . . [7.00.6000.21045] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\iexplore.exe
[7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2009-02-28 . BCD8E48709BE4A79606F0B6E8E9A6162 . 636088 . . [7.00.6000.21020] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\iexplore.exe
[7] 2009-02-28 . A251068640DDB69FD7805B57D89D7FF7 . 636072 . . [7.00.6000.16827] . . c:\windows\ie7updates\KB969897-IE7\iexplore.exe
[7] 2008-12-19 . 15E8A89499741D5CF59A9CF6463A4339 . 634024 . . [7.00.6000.20978] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\iexplore.exe
[7] 2008-12-19 . 030D78FE84A086ED376EFCBD2D72C522 . 634024 . . [7.00.6000.16791] . . c:\windows\ie7updates\KB963027-IE7\iexplore.exe
[7] 2008-10-15 . 9D3DB9ADFABD2F0BC778EC03250A3ABB . 633632 . . [7.00.6000.16762] . . c:\windows\ie7updates\KB961260-IE7\iexplore.exe
[7] 2008-10-15 . 056C927CF7207857E8B34F7A8FFD9B9E . 633632 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . E8305C30D35E85D6657ED3E9934CB302 . 635848 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . 1F03216084447F990AE797317D0A6E70 . 635848 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\iexplore.exe
[7] 2008-06-23 . 64E376A47763DAEABCDA14BD5B6EA286 . 625664 . . [7.00.6000.16705] . . c:\windows\ie7updates\KB956390-IE7\iexplore.exe
[7] 2008-06-23 . 64E376A47763DAEABCDA14BD5B6EA286 . 625664 . . [7.00.6000.16705] . . c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2GDR\iexplore.exe
[7] 2008-06-23 . C52A9EF571E91535EB78DB4B8B95EA07 . 625664 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iexplore.exe
[7] 2008-06-23 . C52A9EF571E91535EB78DB4B8B95EA07 . 625664 . . [7.00.6000.20861] . . c:\windows\SoftwareDistribution\Download\13d5d266d7681d26b42f8dff88cadc20\SP2QFE\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
[7] 2007-08-13 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB953838-IE7\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie7\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-10 216520]
"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-05-28 412560]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 4\Suo10_SmartRAM.exe" [2011-05-28 512400]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-30 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-03-12 119152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-06-06 36760]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-06-06 2903448]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
"EvtMgr6"="c:\program files\Logi\SetPointP\SetPoint.exe" [2010-10-28 1352272]
"TkBellExe1"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-19 202256]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-19 202256]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"SNM"="c:\program files\SpyNoMore\SNM.exe" [2010-07-12 1067984]
.
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.51.lnk - c:\program files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe [2004-12-14 454656]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRealMode"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^setup_9.0.0.722_20.08.2010_21-52.lnk]
backup=c:\windows\pss\setup_9.0.0.722_20.08.2010_21-52.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpKiller
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShredAgent
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2005-05-10 17:50 253952 -c--a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2005-01-24 02:56 544768 -c--a-w- c:\windows\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-08-19 07:06 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"MDM"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Yahoo!\\Widgets\\YahooWidgets.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Documents and Settings\\Compaq_Owner\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\real\\RealUpgrade\\realupgrade.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\IObit\\Advanced SystemCare 4\\AutoUpdate.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\IObit\\Password Folder\\PasswordFolder.exe"=
"c:\\Program Files\\VideoStream\\VideoStream.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5010:UDP"= 5010:UDP:emule udp
"110:TCP"= 110:TCP:BT
"110:UDP"= 110:UDP:BT1
"5000:TCP"= 5000:TCP:emule tcp
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 54343852;54343852 Boot Guard Driver;c:\windows\system32\DRIVERS\54343852.sys [x]
R0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [x]
R1 54343851;54343851;c:\windows\system32\DRIVERS\54343851.sys [x]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [2011-05-28 351232]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24576]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
R3 jumi;%Jumi%;c:\windows\system32\DRIVERS\jumi.sys [2010-06-03 13112]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-02-26 137344]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-02-26 8320]
R3 RegGuard;RegGuard;c:\windows\system32\Drivers\regguard.sys [2010-01-29 24416]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2008-04-14 14336]
R3 WipeFile;WipeFile;c:\windows\system32\DRIVERS\WipeFile.sys [2007-03-03 57472]
S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys [2011-02-23 13496]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-12-19 717296]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-12 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\Drivers\LBeepKE.sys [2010-08-24 10448]
S2 PfFilter;PfFilter;c:\program files\IObit\Password Folder\pffilter.sys [2011-01-12 163648]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [2010-03-12 30576]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-07-20 c:\windows\Tasks\ASC4_AutoUpdate.job
- c:\program files\IObit\Advanced SystemCare 4\AutoUpdate.exe [2011-05-11 18:46]
.
2011-07-21 c:\windows\Tasks\ASC4_PerformanceMonitor.job
- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-05-11 18:46]
.
2011-07-18 c:\windows\Tasks\Game_Booster_AutoUpdate.job
- c:\program files\IObit\Game Booster\AutoUpdate.exe [2011-03-31 23:07]
.
2011-07-21 c:\windows\Tasks\Game_Booster_Startup.job
- c:\program files\IObit\Game Booster\GameBox.exe [2011-07-15 23:08]
.
2011-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2637110039-1654121908-4178984955-1009Core.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-27 05:30]
.
2011-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2637110039-1654121908-4178984955-1009UA.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-27 05:30]
.
2011-07-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
2011-07-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2637110039-1654121908-4178984955-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
2011-07-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
2011-07-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2637110039-1654121908-4178984955-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
2011-07-18 c:\windows\Tasks\SmartDefrag_Schedule.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-03-31 22:19]
.
2011-07-21 c:\windows\Tasks\SmartDefrag_Startup.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-03-31 22:19]
.
2011-07-21 c:\windows\Tasks\User_Feed_Synchronization-{D4801835-F956-4975-AEF8-0E5592BA2263}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\0gma2n4r.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=
FF - prefs.js: network.proxy.type - 4
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-RoboForm - c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file)
Notify-TPSvc - TPSvc.dll
SafeBoot-Wdf01000.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-21 16:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB3255$:SummaryInformation 0 bytes hidden from API
.
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,b8,13,18,95,fa,b5,43,8a,e8,b5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,b8,13,18,95,fa,b5,43,8a,e8,b5,\
.
[HKEY_USERS\S-1-5-21-2637110039-1654121908-4178984955-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{97D1B5A3-39C5-C0D4-0C0C-0066D4EBC639}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\SUPER *]
"DisplayName"="SUPER ?Version 2009.bld.36 (June 10, 2009)"
"UninstallString"="c:\\PROGRA~1\\ERIGHT~1\\SUPER\\Setup.exe /remove /q0"
"InstallDate"="2009-06-22 20:22"
"InstallLocation"="c:\\Program Files\\eRightSoft\\SUPER"
"InstallSource"="c:\\Documents and Settings\\Compaq_Owner\\Desktop"
"DisplayIcon"="c:\\Program Files\\eRightSoft\\SUPER\\SUPER.exe"
"DisplayVersion"="Version 2009.bld.36 (June 10, 2009)"
"VersionMajor"=dword:00000000
"VersionMinor"=dword:00000000
"Publisher"="eRightSoft"
"HelpLink"="http://www.eRightSoft.com"
"URLInfoAbout"="http://www.eRightSoft.com"
"URLUpdateInfo"="http://www.eRightSoft.com"
"Contact"="[email protected]"
.
Completion time: 2011-07-21 16:44:26
ComboFix-quarantined-files.txt 2011-07-21 20:44
ComboFix2.txt 2010-08-21 07:51
.
Pre-Run: 6,291,963,904 bytes free
Post-Run: 6,249,820,160 bytes free
.
Current=18 Default=18 Failed=17 LastKnownGood=19 Sets=,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
- - End Of File - - A9AB07EDEDD5F3CE4B823230AFC984CA

Edited by nycmon, 22 July 2011 - 02:47 PM.

#2
sempai

    Trusted Helper

  • Malware Removal
  • 785 posts
Hello nycmon and welcome to G2G, sorry about the delay.

You should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for general public or personal use. Combofix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.


======================================


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time. Please scan at least 3 of the files below:

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe


Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

#3
nycmon

    Member

  • Topic Starter
  • 29 posts
THANK YOU so much for replying!
I guess I knew I shouldn't be using ComboFix on my own, but I got desperate since the previous help forum I was on (afterdawn) was practically telling me I should reformat without even trying to go through any removal procedures with me. So I thought I had nothing to lose....
After I run a scan with Jotti, it gives me a "permalink". Is this what you need me to post for each file?

explorer.exe - http://virusscan.jot...75153e3f9caa252
lsass.exe - http://virusscan.jot...7ae6ec76182a1bc
services.exe - http://virusscan.jot...3af557cfbe40473
winlogon.exe - http://virusscan.jot...2674bf846846f4b
svchost.exe - http://virusscan.jot...954b45532c1766d

Sorry if that wasn't what you needed. The scans all seemed to say the files are clean.

Thank you, once again, for your help!

#4
sempai

    Trusted Helper

  • Malware Removal
  • 785 posts
Please download OTH.scr and OTL to your desktop.
  • Double click the OTH file and select Kill All Processes; your desktop will go blank.
  • Then select Start OTL to run the tool.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.


#5
nycmon

    Member

  • Topic Starter
  • 29 posts
When I start OTH and click on Kill All Processes, the program just exits, and when I try to start OTH again it says "windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the file". Should I try to run this in safe mode?

#6
sempai

    Trusted Helper

  • Malware Removal
  • 785 posts
Please use a clean computer to create the bootable CD.

Please print or make a copy of these instructions so that you know what you are doing.


  • Download OTLPENet.exe to your desktop
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
  • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved as C:\OTL.txt
  • Copy this file to your USB drive if you do not have an internet connection on this system.
  • Right click the file, select Send To, and select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.


#7
nycmon

    Member

  • Topic Starter
  • 29 posts
Thank you! I will try to get to a clean computer and try to do this by tonight. Thank you so much for taking time out of your busy schedule to help!

#8
sempai

    Trusted Helper

  • Malware Removal
  • 785 posts
:)

#9
nycmon

    Member

  • Topic Starter
  • 29 posts
OK! I was finally able to use another comp to d/l and run otlpenet.exe. I booted from the CD and was able to run OTL! Oh, and I think I forgot to mention that my computer is a dual OS (XP Home and XP Professional). It's the Home Edition which is infected. The Professional OS seems totally unaffected and can run scans etc. just fine. I wasn't sure if I could d/l and run from the Pro OS since it's clean.... So I just went to my friend's house and did it ^^
Here it is & Thank You!

Attached File: OTL.Txt (184.95KB)

#10
sempai

    Trusted Helper

  • Malware Removal
  • 785 posts
Hi,

Please do not attach logs unless instructed so that I can read them more easily.


1. Please read this topic and decide for yourself if you still want to continue the use of IObit.


2. Please go to http://virscan.org/
  • Enter each of the following file paths, one at a time, into the "Suspicious files to scan" box at the top of the page:

    C:\WINDOWS\System32\SmartDefragBootTime.exe ()
    C:\WINDOWS\meta4.exe
    C:\WINDOWS\MOTA113.exe

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


3. Please save the attached file (fix.txt) to your flash drive and boot your computer from the CD again, insert the flash drive afterward, and follow the instructions below.

Save the attached file (fix.txt) to your desktop
  • Run OTL.
  • Click on Run Fix button.
  • You will receive a message that "No Fix has been provided".
  • Click OK to load it from a file.
  • Locate "fix.txt" on your desktop and click open.
  • Once the script is in the "Custom Scan/Fixes", click on Run Fix again.
  • It will now execute the script.
  • OTL may ask to reboot the machine. Please do so if asked.
  • A message box "Fix complete! Click OK to open the fix log." will pop up.
  • Click the OK button and a report will open.
  • Post that report in your next reply.

Attached File: fix.txt (3.04KB)

#11
nycmon

    Member

  • Topic Starter
  • 29 posts
Is Malwarebytes still having intellectual property theft issues with IObit? The article was from 2009, so that is why I ask. I plan on removing IObit Security 360 anyway... thought I had done that previously. I only use their ASC and tools. Thank you for that information though.

Here are the results for the 3 files requested for scanning. I will run the fix and attach the OTL log in the next reply. Thank You!

1) VirSCAN.org Scanned Report :
Scanned time : 2011/07/28 10:01:03 (EDT)
Scanner results: Scanners did not find malware!
File Name : SmartDefragBootTime.exe
File Size : 29520 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 42690db7b7babfd8ba3d0de9da544b80
SHA1 : 7008e982b4540c73fdbdc142730f0a97b111bb7e
Online report : http://file.virscan....de00b3b5a0.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.3 20110728202121 2011-07-28 8.58 -
AhnLab V3 2011.07.28.00 2011.07.28 2011-07-28 1.51 -
AntiVir 8.2.6.18 7.11.12.147 2011-07-28 0.74 -
Antiy 2.0.18 20110728.11631467 2011-07-28 0.02 -
Arcavir 2011 201107140423 2011-07-14 0.05 -
Authentium 5.1.1 201107280940 2011-07-28 1.57 -
AVAST! 4.7.4 110728-0 2011-07-28 0.01 -
AVG 8.5.850 271.1.1/3793 2011-07-28 0.36 -
BitDefender 7.90123.8646949 7.38435 2011-07-28 7.17 -
ClamAV 0.97.1 13369 2011-07-28 0.01 -
Comodo 4.0 9538 2011-07-28 1.52 -
CP Secure 1.3.0.5 2011.07.28 2011-07-28 0.23 -
Dr.Web 5.0.2.3300 2011.07.23 2011-07-23 16.42 -
F-Prot 4.6.2.117 20110727 2011-07-27 0.86 -
F-Secure 7.02.73807 2011.07.28.03 2011-07-28 12.20 -
Fortinet 4.2.257 13.489 2011-07-27 0.42 -
GData 22.1346 20110716 2011-07-16 0.17 -
ViRobot 20110728 2011.07.28 2011-07-28 0.68 -
Ikarus T3.1.32.20.0 2011.07.28.78944 2011-07-28 5.54 -
JiangMin 13.0.900 2011.07.27 2011-07-27 1.58 -
Kaspersky 5.5.10 2011.07.28 2011-07-28 0.10 -
KingSoft 2009.2.5.15 2011.7.28.18 2011-07-28 0.92 -
McAfee 5400.1158 6420 2011-07-27 9.43 -
Microsoft 1.7104 2011.07.27 2011-07-27 5.82 -
NOD32 3.0.21 6332 2011-07-28 0.02 -
Norman 6.07.10 6.07.00 2011-07-27 16.04 -
Panda 9.05.01 2011.07.27 2011-07-27 2.72 -
Trend Micro 9.200-1012 8.316.08 2011-07-28 0.03 -
Quick Heal 11.00 2011.07.28 2011-07-28 1.34 -
Rising 20.0 23.68.02.03 2011-07-27 0.30 -
Sophos 3.20.2 4.66 2011-07-28 3.93 -
Sunbelt 3.9.2497.2 9988 2011-07-27 0.62 -
Symantec 1.3.0.24 20110727.001 2011-07-27 0.14 -
nProtect 20110728.02 3595667 2011-07-28 1.25 -
The Hacker 6.7.0.1 v00264 2011-07-26 0.54 -
VBA32 3.12.16.4 20110728.0901 2011-07-28 3.77 -
VirusBuster 5.3.0.4 14.0.143.0/5735787 2011-07-28 0.00 -

2)VirSCAN.org Scanned Report :
Scanned time : 2011/07/28 10:14:19 (EDT)
Scanner results: 8% Scanner(s) (3/37) found malware!
File Name : meta4.exe
File Size : 217073 byte
File Type : PE32 executable for MS Windows (console) Intel 80386
MD5 : 67f51b1a82fb11bbb9d486f7ce41cd35
SHA1 : 47c3c04a031a21c118ef34e8c29db8beddcd38f1
Online report : http://file.virscan....b02247f3b9.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.3 20110728202121 2011-07-28 8.16 -
AhnLab V3 2011.07.28.00 2011.07.28 2011-07-28 4.08 -
AntiVir 8.2.6.18 7.11.12.147 2011-07-28 1.29 -
Antiy 2.0.18 20110728.11631467 2011-07-28 0.02 -
Arcavir 2011 201107140423 2011-07-14 0.08 -
Authentium 5.1.1 201107280940 2011-07-28 1.81 -
AVAST! 4.7.4 110728-0 2011-07-28 0.09 -
AVG 8.5.850 271.1.1/3793 2011-07-28 1.89 -
BitDefender 7.90123.8646949 7.38435 2011-07-28 4.97 -
ClamAV 0.97.1 13369 2011-07-28 0.20 -
Comodo 4.0 9538 2011-07-28 1.73 -
CP Secure 1.3.0.5 2011.07.28 2011-07-28 0.18 -
Dr.Web 5.0.2.3300 2011.07.23 2011-07-23 18.71 -
F-Prot 4.6.2.117 20110727 2011-07-27 0.90 -
F-Secure 7.02.73807 2011.07.28.03 2011-07-28 0.61 -
Fortinet 4.2.257 13.489 2011-07-27 0.45 -
GData 22.1346 20110716 2011-07-16 0.11 -
ViRobot 20110728 2011.07.28 2011-07-28 0.40 -
Ikarus T3.1.32.20.0 2011.07.28.78944 2011-07-28 6.31 -
JiangMin 13.0.900 2011.07.27 2011-07-27 2.08 -
Kaspersky 5.5.10 2011.07.28 2011-07-28 0.24 -
KingSoft 2009.2.5.15 2011.7.28.18 2011-07-28 1.28 Win32.Troj.Kryptik.AE.394752
McAfee 5400.1158 6420 2011-07-27 9.60 -
Microsoft 1.7104 2011.07.27 2011-07-27 16.28 -
NOD32 3.0.21 6332 2011-07-28 0.43 -
Norman 6.07.10 6.07.00 2011-07-27 16.03 -
Panda 9.05.01 2011.07.27 2011-07-27 1.73 -
Trend Micro 9.200-1012 8.316.08 2011-07-28 0.12 -
Quick Heal 11.00 2011.07.28 2011-07-28 1.54 Suspicious - DNAScan
Rising 20.0 23.68.02.03 2011-07-27 3.26 -
Sophos 3.20.2 4.66 2011-07-28 3.80 -
Sunbelt 3.9.2497.2 9988 2011-07-27 0.66 -
Symantec 1.3.0.24 20110727.001 2011-07-27 0.14 -
nProtect 20110728.02 3595667 2011-07-28 1.16 Trojan/W32.Agent.217073
The Hacker 6.7.0.1 v00264 2011-07-26 0.57 -
VBA32 3.12.16.4 20110728.0901 2011-07-28 3.90 -
VirusBuster 5.3.0.4 14.0.143.0/5735787 2011-07-28 0.00 -

3)VirSCAN.org Scanned Report :
Scanned time : 2011/07/28 10:19:10 (EDT)
Scanner results: 5% Scanner(s) (2/37) found malware!
File Name : MOTA113.exe
File Size : 66560 byte
File Type : PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5 : faf96e03b03725bc816c11d5af009681
SHA1 : 2320e8b54d52a31f257785126153f9c30e10ef70
Online report : http://file.virscan....b9bfadb62c.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.3 20110728202121 2011-07-28 6.28 -
AhnLab V3 2011.07.28.00 2011.07.28 2011-07-28 1.58 -
AntiVir 8.2.6.18 7.11.12.147 2011-07-28 5.38 -
Antiy 2.0.18 20110728.11631467 2011-07-28 0.12 -
Arcavir 2011 201107140423 2011-07-14 0.05 -
Authentium 5.1.1 201107280940 2011-07-28 2.57 -
AVAST! 4.7.4 110728-0 2011-07-28 0.01 -
AVG 8.5.850 271.1.1/3793 2011-07-28 5.77 -
BitDefender 7.90123.8646949 7.38435 2011-07-28 4.44 -
ClamAV 0.97.1 13369 2011-07-28 0.04 PUA.Packed.TeLock
Comodo 4.0 9538 2011-07-28 1.41 -
CP Secure 1.3.0.5 2011.07.28 2011-07-28 0.06 -
Dr.Web 5.0.2.3300 2011.07.23 2011-07-23 15.34 -
F-Prot 4.6.2.117 20110727 2011-07-27 2.76 -
F-Secure 7.02.73807 2011.07.28.03 2011-07-28 0.41 -
Fortinet 4.2.257 13.489 2011-07-27 0.19 -
GData 22.1346 20110716 2011-07-16 0.11 -
ViRobot 20110728 2011.07.28 2011-07-28 0.38 -
Ikarus T3.1.32.20.0 2011.07.28.78944 2011-07-28 4.73 -
JiangMin 13.0.900 2011.07.27 2011-07-27 2.33 -
Kaspersky 5.5.10 2011.07.28 2011-07-28 0.42 -
KingSoft 2009.2.5.15 2011.7.28.18 2011-07-28 1.02 -
McAfee 5400.1158 6420 2011-07-27 13.81 -
Microsoft 1.7104 2011.07.27 2011-07-27 14.91 -
NOD32 3.0.21 6332 2011-07-28 1.29 -
Norman 6.07.10 6.07.00 2011-07-27 14.04 -
Panda 9.05.01 2011.07.27 2011-07-27 4.49 -
Trend Micro 9.200-1012 8.316.08 2011-07-28 0.45 -
Quick Heal 11.00 2011.07.28 2011-07-28 1.02 Suspicious - DNAScan
Rising 20.0 23.68.02.03 2011-07-27 4.12 -
Sophos 3.20.2 4.66 2011-07-28 5.69 -
Sunbelt 3.9.2497.2 9988 2011-07-27 2.01 -
Symantec 1.3.0.24 20110727.001 2011-07-27 0.23 -
nProtect 20110728.02 3595667 2011-07-28 1.35 -
The Hacker 6.7.0.1 v00264 2011-07-26 0.54 -
VBA32 3.12.16.4 20110728.0901 2011-07-28 6.93 -
VirusBuster 5.3.0.4 14.0.143.0/5735787 2011-07-28 0.00 -

#12
nycmon

    Member

  • Topic Starter
  • 29 posts
Here is the log from OTL. I should mention that when I saved the fix.txt file to the desktop after starting Windows with REATOGO-X-PE, the file didn't show in the window when I clicked "load fix from file" and then navigated to the desktop. I saw the file on the desktop, but it didn't show up in the load-fix window.... Also, when I tried to load the file directly from the flash drive it showed up, but once I loaded the fix from the file, OTL seemed to freeze up and wouldn't let me click anything..... So I was forced to open the fix.txt file and copy/paste the fix directly into OTL... which then worked and allowed me to click on the Run Fix button... Not sure if you needed all that info, but I figured I should report all strange behaviors... please let me know if I should continue to detail everything in the future.
Thank You!

========== OTL ==========
Prefs.js: {1CE11043-9A15-4207-A565-0C94C42D590D}:11.3.7.0 removed from extensions.enabledItems
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SNM deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon\ deleted successfully.
C:\WINDOWS\system32\phar_unmip.dat moved successfully.
C:\WINDOWS\system32\phar_histprot.dat moved successfully.
C:\WINDOWS\system32\pc_webproxy.dat moved successfully.
C:\WINDOWS\system32\pc_video.dat moved successfully.
C:\WINDOWS\system32\pc_tabloids.dat moved successfully.
C:\WINDOWS\system32\pc_socialnetworks.dat moved successfully.
C:\WINDOWS\system32\pc_searchengines.dat moved successfully.
C:\WINDOWS\system32\pc_regionaltlds.dat moved successfully.
C:\WINDOWS\system32\pc_pornography.dat moved successfully.
C:\WINDOWS\system32\pc_onlineshop.dat moved successfully.
C:\WINDOWS\system32\pc_onlinepay.dat moved successfully.
C:\WINDOWS\system32\pc_onlinedating.dat moved successfully.
C:\WINDOWS\system32\pc_news.dat moved successfully.
C:\WINDOWS\system32\pc_im.dat moved successfully.
C:\WINDOWS\system32\pc_illegal.dat moved successfully.
C:\WINDOWS\system32\pc_hate.dat moved successfully.
C:\WINDOWS\system32\pc_games.dat moved successfully.
C:\WINDOWS\system32\pc_gambling.dat moved successfully.
C:\WINDOWS\system32\pc_drugs.dat moved successfully.
C:\Documents and Settings\Compaq_Owner\Application DataProductTweaks.xml moved successfully.
C:\Documents and Settings\Compaq_Owner\Application Datauser_gensett.xml moved successfully.
C:\Documents and Settings\Compaq_Owner\Application Dataprivacy.xml moved successfully.
C:\WINDOWS\system32\asdict.dat moved successfully.
C:\WINDOWS\system32\aspdict-en.dat moved successfully.
C:\WINDOWS\system32\wsbl.dat moved successfully.
C:\WINDOWS\system32\ph_white.dat moved successfully.
C:\WINDOWS\system32\ph_summ.dat moved successfully.
C:\WINDOWS\system32\ph_black.dat moved successfully.
C:\WINDOWS\system32\pcwords2.dat moved successfully.
C:\WINDOWS\system32\pcwords.dat moved successfully.
C:\WINDOWS\system32\drivers\vdi3mjkz.sys moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Administrator.FAMILY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Compaq_Owner
->Temp folder emptied: 117547219 bytes
->Temporary Internet Files folder emptied: 5798062 bytes
->Java cache emptied: 19056 bytes
->FireFox cache emptied: 45933794 bytes
->Google Chrome cache emptied: 229991646 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 2945 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: JP
->Temp folder emptied: 6974 bytes
->Temporary Internet Files folder emptied: 75785 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 16903525 bytes
->Flash cache emptied: 456 bytes

User: LocalService
->Temp folder emptied: 3596 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 3596 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 2087 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2952721 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3851 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 9375211 bytes

Total Files Cleaned = 409.00 mb


OTLPE by OldTimer - Version 3.1.48.0 log created on 07282011_144222

#13
sempai

    Trusted Helper

  • Malware Removal
  • 785 posts
Great initiative about copy-pasting the OTL script. :)
Do you have SUPER (Simplified Universal Player Encoder & Renderer) by eRightSoft installed on this computer?


Please delete any copy of ComboFix that you have and then download and run a new copy.

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see a prompt asking whether to install it. Choose YES.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  • Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.



#14
nycmon

    Member

  • Topic Starter
  • 29 posts
Yes I do have SUPER installed. Does it need to be removed? I can't seem to disable Spybot search & destroy. It's preventing me from disabling it...I don't know if it's corrupted...should I uninstall it or something before I try combofix?
Thank you!

Edited by nycmon, 28 July 2011 - 03:06 PM.


#15
sempai

    Trusted Helper

  • Malware Removal
  • 785 posts
The reason I ask is because meta4.exe and MOTA113.exe are part of SUPER. As you can see in the VirSCAN.org results, some scanners reported them as malware, but I believe it's a false positive.

No need to disable Spybot Search and Destroy, just make sure that TeaTimer is not running. AV programs need to be disabled before running ComboFix.
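The VirSCAN.org reports in post #11 and the helper's reading of them in post #15 (three or two engines out of 37 flagging a file, all with heuristic or generic family names, taken as a probable false positive) lend themselves to a small parser. The following is an added example written for this thread; it is not code from the original posts and not VirSCAN.org's own code. It parses the per-engine table the service prints, recomputes the "N% (hits/engines)" figure from the report header, and flags reports whose only hits are generic or heuristic labels. The GENERIC_RE word list is my assumption about which verdict names are generic, not something the thread states. The sample report is constructed from a subset of the meta4.exe lines posted above, plus one line in which the signature version and date have run together with no space, as can happen when report text is copied off a web page.

```python
"""Summarise a VirSCAN.org-style per-engine report.

Added example for this thread; it is not part of the original posts and not
VirSCAN.org's own code. It reads the plain-text scanner table that the service
produces (one engine per line), counts detections the way the report header
does, and flags reports whose only hits carry heuristic or generic names.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Report line: <engine> <engine version> <signature version> <YYYY-MM-DD> <seconds> <verdict | '-'>
# Engine names can contain spaces ("AhnLab V3", "Quick Heal"), so the name is
# matched lazily and the fixed-shape date and timing fields anchor the parse.
LINE_RE = re.compile(
    r"^(?P<engine>.+?)\s+(?P<engine_ver>\S+)\s+(?P<sig_ver>\S+)\s+"
    r"(?P<sig_date>\d{4}-\d{2}-\d{2})\s+(?P<seconds>\d+\.\d+)\s+(?P<verdict>.+?)\s*$"
)

# Assumption, not taken from the thread: verdict names matching this pattern
# are heuristic or generic family labels rather than a specific identified threat.
GENERIC_RE = re.compile(r"Suspicious|Heur|Generic|\bGen\b|PUA\.|Packed|Agent|Kryptik", re.I)


@dataclass
class EngineResult:
    engine: str
    engine_ver: str
    sig_ver: str
    sig_date: str
    seconds: float
    verdict: Optional[str]  # None when the engine reported '-' (no detection)


def parse_line(line: str) -> Optional[EngineResult]:
    """Parse one engine line; return None if the fields cannot be separated."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    verdict = m["verdict"].strip()
    return EngineResult(
        m["engine"], m["engine_ver"], m["sig_ver"], m["sig_date"],
        float(m["seconds"]), None if verdict == "-" else verdict,
    )


def summarize(report: str) -> dict:
    """Count detections over the engines that actually parsed.

    Lines that cannot be parsed (a stray header, or a line whose fields ran
    together when copied from the web page) are returned separately rather than
    silently dropped, so the engine count can be checked against the header.
    """
    results, unparsed = [], []
    for line in report.splitlines():
        if not line.strip() or line.startswith("Scanner Engine"):
            continue
        parsed = parse_line(line)
        if parsed is None:
            unparsed.append(line)
        else:
            results.append(parsed)
    hits = [r for r in results if r.verdict]
    total = len(results)
    return {
        "total": total,
        "detections": len(hits),
        # VirSCAN's header truncates: 3 of 37 engines is shown as 8%.
        "percent": (len(hits) * 100 // total) if total else 0,
        "verdicts": {r.engine: r.verdict for r in hits},
        "all_generic": bool(hits) and all(GENERIC_RE.search(r.verdict) for r in hits),
        "unparsed": unparsed,
    }


# Constructed sample: a subset of the meta4.exe lines posted in this thread,
# plus one line whose signature version and date ran together (no space).
SAMPLE_META4 = """\
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.3 20110728202121 2011-07-28 8.16 -
AhnLab V3 2011.07.28.00 2011.07.28 2011-07-28 4.08 -
KingSoft 2009.2.5.15 2011.7.28.18 2011-07-28 1.28 Win32.Troj.Kryptik.AE.394752
Microsoft 1.7104 2011.07.27 2011-07-27 16.28 -
NOD32 3.0.21 6332 2011-07-28 0.43 -
Quick Heal 11.00 2011.07.28 2011-07-28 1.54 Suspicious - DNAScan
Trend Micro 9.200-1012 8.316.08 2011-07-28 0.12 -
nProtect 20110728.02 3595667 2011-07-28 1.16 Trojan/W32.Agent.217073
VBA32 3.12.16.4 20110728.0901 2011-07-28 3.90 -
VirusBuster 5.3.0.4 14.0.143.0/57357872011-07-28 0.00 -
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_META4)
    print(f"{summary['percent']}% ({summary['detections']}/{summary['total']}) flagged")
    for engine, verdict in summary["verdicts"].items():
        print(f"  {engine}: {verdict}")
    if summary["unparsed"]:
        print("unparsed lines:", summary["unparsed"])
```

Run against the full 37-engine reports posted above, the truncating percentage matches the report headers (3 hits gives 8%, 2 hits gives 5%). A low ratio made up entirely of generic names is consistent with the false-positive reading in post #15, but it is a hint, not a verdict: a freshly packed or newly released sample also scores low, so the parser reports the engine names and the unparsed lines rather than deciding for you.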