Help! Trojan Sharpro/Rootkit Mayham


#31 RKinner, Malware Expert

Have you ever had "Folder Lock 6" installed?

Let's see if we can turn on the bluetooth service, which is turned off for some reason.


Copy the text in the code box by highlighting and Ctrl + c

:processes
killallprocesses

:Services
WinVd32

:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 77 04 24 6A 6E 39 9F 44 BD B5 48 4A CE C1 D0 9A [binary data]

:files
C:\WINDOWS\system32\WinVd32.sys
sc config LBTServ start= demand /c
     
:Commands
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Open OTL again and select either the Use SafeList or All option in the Extra Registry group then the Run Scan button. Post the two logs it produces in your next reply.

Also clear the events and run Vino's again.

Ron

#32 Arboreal, Topic Starter

Yes, I had Folder Lock for a brief moment, quite some time ago.

OTL


========== PROCESSES ==========
All processes killed
========== SERVICES/DRIVERS ==========
Service WinVd32 stopped successfully!
Service WinVd32 deleted successfully!
========== OTL ==========
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\XMLHTTP_UUID_Default| /E : value set successfully!
========== FILES ==========
C:\WINDOWS\system32\WinVd32.sys moved successfully.
< sc config LBTServ start= demand /c >
[SC] ChangeServiceConfig SUCCESS
C:\Documents and Settings\Kevin Henry\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Kevin Henry\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.31.0 log created on 11072011_142219

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

VEW

Vino's Event Viewer v01c run on Windows XP in English
Report run at 07/11/2011 2:26:58 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 07/11/2011 2:25:02 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The WinFLdrv service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 07/11/2011 2:22:22 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The iPod Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 07/11/2011 2:22:22 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Sony TV Tuner Manager service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 07/11/2011 2:22:22 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The VAIO Entertainment File Import Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 07/11/2011 2:22:21 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The VAIO Entertainment UPnP Client Adapter service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 07/11/2011 2:22:21 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The VAIO Entertainment Database Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 07/11/2011 2:22:21 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Ulead Burning Helper service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 07/11/2011 2:22:21 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Sony TVTA Manager service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 07/11/2011 2:22:21 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The SonicStageMonitoring service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 07/11/2011 2:22:21 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The PC Tools Startup and Shutdown Monitor service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 07/11/2011 2:22:21 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The MBAMService service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 07/11/2011 2:22:21 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 07/11/2011 2:22:21 PM
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Log: 'System' Date/Time: 07/11/2011 2:22:21 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The ArcSoft Connect Daemon service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 07/11/2011 2:22:20 PM
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Bluetooth Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Log: 'System' Date/Time: 07/11/2011 2:22:19 PM
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.

Log: 'System' Date/Time: 07/11/2011 2:22:19 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 07/11/2011 2:02:40 PM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The Fast User Switching Compatibility service depends on the Terminal Services service which failed to start because of the following error: After starting, the service hung in a start-pending state.

Log: 'System' Date/Time: 07/11/2011 2:02:40 PM
Type: error Category: 0
Event: 7022 Source: Service Control Manager
The Terminal Services service hung on starting.

Log: 'System' Date/Time: 07/11/2011 2:02:40 PM
Type: error Category: 0
Event: 7022 Source: Service Control Manager
The Automatic Updates service hung on starting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#33 RKinner, Malware Expert

Any progress on the Logitech stuff? The bluetooth service was disabled but it should be back on now.

Folder Lock apparently left two entries in the registry. The odd thing is I don't see the one entry in either Combofix or OTL. I was hoping that removing the other would get rid of it but it didn't seem to.

Also your error log says that several services hung this time.

Log: 'System' Date/Time: 07/11/2011 2:02:40 PM
Type: error Category: 0
Event: 7022 Source: Service Control Manager
The Terminal Services service hung on starting.

Log: 'System' Date/Time: 07/11/2011 2:02:40 PM
Type: error Category: 0
Event: 7022 Source: Service Control Manager
The Automatic Updates service hung on starting.

Let's see if they came up OK on the next boot.

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application. Reboot.


Then run Vino's as before.

Ron
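As an added example (not part of the thread, and not code from Vino's Event Viewer, OTL or ComboFix), the following Python script parses Vino's Event Viewer output in the layout posted above, keeps only the Service Control Manager events that matter for this check, and compares a "before" report with an "after" report to show which services still fail once the logs have been cleared and the machine rebooted, which is what Ron asks for here. Both sample reports are constructed and trimmed from the ones posted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, trimmed from the report format posted above: a VEW
# header, section banners and 4-line event records separated by blank lines.
BEFORE_REPORT = """Vino's Event Viewer v01c run on Windows XP in English
Report run at 07/11/2011 2:26:58 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 07/11/2011 2:25:02 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The WinFLdrv service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 07/11/2011 2:22:21 PM
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The MBAMService service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 07/11/2011 2:22:20 PM
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Bluetooth Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Log: 'System' Date/Time: 07/11/2011 2:02:40 PM
Type: error Category: 0
Event: 7022 Source: Service Control Manager
The Terminal Services service hung on starting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"""

# Constructed follow-up report: logs cleared, machine rebooted, VEW run again.
AFTER_REPORT = """Vino's Event Viewer v01c run on Windows XP in English
Report run at 07/11/2011 4:12:55 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 07/11/2011 4:12:15 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The WinFLdrv service failed to start due to the following error: The system cannot find the file specified.
"""

# One VEW record: four consecutive lines, each with a fixed prefix.
ENTRY_RE = re.compile(
    r"Log: '(?P<log>[^']+)' Date/Time: (?P<when>\S+ \S+ [AP]M)\n"
    r"Type: (?P<type>\w+) Category: (?P<category>\d+)\n"
    r"Event: (?P<event>\d+) Source: (?P<source>[^\n]+)\n"
    r"(?P<message>[^\n]+)"
)
# VEW prints dates as dd/mm/yyyy (the report's own note says so), not US order.
DATE_FMT = "%d/%m/%Y %I:%M:%S %p"
# Service Control Manager event IDs that say whether a service came up cleanly.
SCM_EVENTS = {
    7000: "failed to start",
    7022: "hung on starting",
    7031: "terminated unexpectedly (restart scheduled)",
    7034: "terminated unexpectedly",
}
# Non-greedy, so "The Bluetooth Service service terminated" yields "Bluetooth Service".
SERVICE_RE = re.compile(r"^The (?P<svc>.+?) service (?:failed|hung|terminated)")

def parse_vew(text):
    """Parse every 4-line record of a VEW report into a dict."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        e = m.groupdict()
        e["when"] = datetime.strptime(e["when"], DATE_FMT)
        e["event"] = int(e["event"])
        entries.append(e)
    return entries

def scm_service_problems(entries):
    """Map service name -> SCM problem descriptions, in report order."""
    problems = defaultdict(list)
    for e in entries:
        if e["source"] != "Service Control Manager" or e["event"] not in SCM_EVENTS:
            continue
        m = SERVICE_RE.match(e["message"])
        if m:
            problems[m.group("svc")].append(SCM_EVENTS[e["event"]])
    return dict(problems)

def compare_reports(before_text, after_text):
    """Return (services still failing after the reboot, services whose errors did not recur)."""
    before = scm_service_problems(parse_vew(before_text))
    after = scm_service_problems(parse_vew(after_text))
    persistent = {svc: after[svc] for svc in after if svc in before}
    cleared = sorted(set(before) - set(after))
    return persistent, cleared
```

Running `compare_reports(BEFORE_REPORT, AFTER_REPORT)` leaves only WinFLdrv in the persistent set, which is exactly the leftover driver entry the next post's CFScript removes.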

#34 Arboreal, Topic Starter

Okay, here we go.

Vino's Event Viewer v01c run on Windows XP in English
Report run at 07/11/2011 4:12:55 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 07/11/2011 4:12:15 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The WinFLdrv service failed to start due to the following error: The system cannot find the file specified.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#35 RKinner, Malware Expert

This should take care of the remaining error:


Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

Driver::
WinFLdrv


******************************************

Now open Notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all, then File, SAVE AS, (to your Desktop), CFScript, OK. Close Notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to Combofix and let go. Combofix should start on its own.

Post the new log.

Did you get the Logitech to work?

Ron

#36 Arboreal, Topic Starter

ComboFix 11-11-08.01 - Kevin Henry 11/08/2011 5:49.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2943.2166 [GMT -5:00]
Running from: c:\documents and settings\Kevin Henry\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kevin Henry\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_WINFLDRV
-------\Service_WinFLdrv
.
.
((((((((((((((((((((((((( Files Created from 2011-10-08 to 2011-11-08 )))))))))))))))))))))))))))))))
.
.
2011-11-08 11:05 . 2011-11-08 11:05 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{402E3FF0-83B3-4C2E-9607-F60969B9DAFC}\offreg.dll
2011-11-08 08:57 . 2011-11-08 08:57 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{402E3FF0-83B3-4C2E-9607-F60969B9DAFC}\MpKsl3c8dab22.sys
2011-11-08 08:56 . 2011-10-07 00:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{402E3FF0-83B3-4C2E-9607-F60969B9DAFC}\mpengine.dll
2011-11-07 04:23 . 2011-11-07 04:23 0 ----a-w- c:\windows\system32\REN130.tmp
2011-11-07 04:23 . 2011-11-07 04:23 0 ----a-w- c:\windows\system32\REN12F.tmp
2011-11-07 04:23 . 2011-11-07 04:23 0 ----a-w- c:\windows\system32\REN12E.tmp
2011-11-07 04:23 . 2011-11-07 04:23 -------- d-----w- c:\program files\Java
2011-11-04 02:08 . 2011-11-04 02:08 -------- d-----w- c:\documents and settings\Kevin Henry\Local Settings\Application Data\Logishrd
2011-11-04 02:08 . 2011-11-04 02:08 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-11-04 02:07 . 2011-09-02 06:30 12184 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2011-10-31 02:47 . 2011-10-31 02:47 -------- d-----w- c:\documents and settings\Kevin Henry\Application Data\QuickScan
2011-10-30 20:25 . 2011-10-30 20:25 -------- d-----w- c:\program files\ESET
2011-10-26 20:46 . 2011-10-26 20:46 47360 ----a-w- c:\documents and settings\Kevin Henry\Application Data\pcouffin.sys
2011-10-25 11:22 . 2011-10-28 03:19 -------- d-----w- C:\Click to DVD 2
2011-10-25 11:14 . 2011-10-26 20:46 -------- d-----w- c:\documents and settings\Kevin Henry\Application Data\Vso
2011-10-25 11:02 . 2011-10-25 11:02 -------- d-----w- c:\documents and settings\Kevin Henry\Application Data\AVS4YOU
2011-10-25 10:59 . 2011-10-26 20:45 -------- d-----w- c:\program files\Common Files\AVSMedia
2011-10-25 10:58 . 2011-10-26 20:45 -------- d-----w- c:\program files\AVS4YOU
2011-10-25 10:58 . 2011-10-25 11:02 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2011-10-25 10:58 . 2010-09-14 22:38 24576 ----a-w- c:\windows\system32\msxml3a.dll
2011-10-25 10:36 . 2011-10-25 10:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2011-10-25 10:35 . 2011-10-26 21:06 -------- d-----w- c:\program files\NCH Software
2011-10-25 10:35 . 2011-10-26 21:06 -------- d-----w- c:\documents and settings\Kevin Henry\Application Data\NCH Software
2011-10-23 10:27 . 2011-10-24 00:12 -------- d-----w- c:\documents and settings\Kevin Henry\Application Data\Logitech
2011-10-23 10:27 . 2011-10-23 10:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2011-10-23 10:27 . 2011-11-04 02:08 -------- d-----w- c:\program files\Common Files\Logishrd
2011-10-23 10:27 . 2011-10-23 10:27 -------- d-----w- c:\program files\Common Files\LogiShared
2011-10-23 10:21 . 2011-10-23 10:21 -------- d-----w- c:\program files\JRE
2011-10-23 06:28 . 2011-10-23 06:28 -------- d-----w- C:\_OTL
2011-10-12 18:28 . 2011-10-12 18:28 -------- d-----w- c:\documents and settings\Kevin Henry\Application Data\Leadertech
2011-10-12 18:25 . 2011-10-24 00:54 -------- d-----w- c:\documents and settings\Kevin Henry\Application Data\Logishrd
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-07 00:48 . 2011-02-19 21:45 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-12-01 18:28 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-12-01 18:28 220160 ----a-w- c:\windows\system32\oleacc(2).dll
2011-09-26 15:41 . 2004-12-01 18:28 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 15:41 . 2004-12-01 18:28 20480 ----a-w- c:\windows\system32\oleaccrc(2).dll
2011-09-09 09:12 . 2004-12-01 18:28 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-12-01 18:28 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-06 13:20 . 2004-12-01 18:28 1858944 ----a-w- c:\windows\system32\win32k(2).sys
2011-09-03 10:17 . 2004-12-01 18:28 599040 ----a-w- c:\windows\system32\crypt32(2).dll
2011-09-02 06:31 . 2011-09-02 06:31 55064 ----a-w- c:\windows\system32\LMouFiltCoInst.dll
2011-09-02 06:31 . 2009-10-06 02:24 39192 ----a-w- c:\windows\system32\drivers\LMouFilt.Sys
2011-09-02 06:31 . 2011-09-02 06:31 1583896 ----a-w- c:\windows\system32\LkmdfCoInst.dll
2011-09-02 06:31 . 2009-10-06 02:24 41240 ----a-w- c:\windows\system32\drivers\LHidFilt.Sys
2011-08-31 21:00 . 2011-03-19 21:36 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-23 21:48 . 2007-08-13 23:54 11081728 ----a-w- c:\windows\system32\ieframe(2).dll
2011-08-22 23:48 . 2004-12-01 18:28 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-12-01 18:28 916480 ----a-w- c:\windows\system32\wininet(2).dll
2011-08-22 23:48 . 2004-12-01 18:28 1212416 ----a-w- c:\windows\system32\urlmon(2).dll
2011-08-22 23:48 . 2004-12-01 18:28 105984 ----a-w- c:\windows\system32\url(2).dll
2011-08-22 23:48 . 2007-08-13 23:34 2000384 ----a-w- c:\windows\system32\iertutil(2).dll
2011-08-22 23:48 . 2004-12-01 18:28 43520 ------w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-12-01 18:28 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-12-01 18:28 385024 ------w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-12-01 18:27 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-29 06:53 . 2011-05-08 17:05 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Kevin Henry\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Kevin Henry\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Kevin Henry\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Kevin Henry\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-22 2744832]
"CreateCD_Reminder"="c:\windows\Sonysys\VAIO Recovery\reminder.exe" [2004-07-16 53248]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"SoundMan"="SOUNDMAN.EXE" [2004-10-21 77824]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"Razer Mamba Driver"="c:\program files\Razer\Mamba\RazerTray.exe" [2009-12-15 3278728]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Kevin Henry\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Kevin Henry\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-5 813584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS12 Preload]
2008-06-09 15:03 397456 ----a-w- c:\program files\Corel\Corel VideoStudio 12\uvPL.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\SoundSpectrum\\G-Force\\G-Force V-Bar.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Documents and Settings\\Kevin Henry\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\Click to DVD 2\\CtoDvd.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R1 MpKsl3c8dab22;MpKsl3c8dab22;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{402E3FF0-83B3-4C2E-9607-F60969B9DAFC}\MpKsl3c8dab22.sys [11/8/2011 3:57 AM 28752]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [11/3/2011 9:07 PM 12184]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/19/2011 4:36 PM 366152]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [5/24/2010 12:39 AM 632792]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2/27/2009 3:13 PM 114024]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/19/2011 4:36 PM 22216]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [1/9/2002 6:59 PM 100456]
S1 MpKsldd9037f9;MpKsldd9037f9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{29CB61DF-8663-4A7A-BADD-18659ECECFC6}\MpKsldd9037f9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{29CB61DF-8663-4A7A-BADD-18659ECECFC6}\MpKsldd9037f9.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\KEVINH~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\KEVINH~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\KEVINH~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\KEVINH~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MAUSBMP;Service for M-Audio Mobile Pre (WDM);c:\windows\system32\drivers\mausbmp.sys [8/12/2009 6:59 PM 154248]
S3 SASENUM;SASENUM;\??\c:\docume~1\KEVINH~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\KEVINH~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [4/17/2009 1:35 PM 23288]
S4 gupdate1c99c256096fa40;Google Update Service (gupdate1c99c256096fa40);c:\program files\Google\Update\GoogleUpdate.exe [3/3/2009 12:27 PM 133104]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/3/2009 12:27 PM 133104]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 17:27]
.
2011-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 17:27]
.
2011-11-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Kevin Henry\Application Data\Mozilla\Firefox\Profiles\gsyvke5k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=13&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.mayanmajix.com/TZOLKIN/DT/DT.html
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc6da8d&v=6.010.006.004&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-08 06:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2156851215-281014071-3479504740-1005\Software\SecuROM\License information*]
"datasecu"=hex:c8,10,ad,78,94,68,98,bd,31,f5,c7,ea,68,73,4a,31,8b,ba,9b,96,ee,
d4,9e,af,44,31,37,e1,2e,d8,9e,7e,47,b4,d4,be,3a,37,09,db,bb,5d,07,03,ec,2f,\
"rkeysecu"=hex:ac,99,07,cc,43,b8,3d,b2,37,2f,23,5d,5c,8e,d9,ff
.
[HKEY_LOCAL_MACHINE\software\Adobe\Premiere Pro\2.0\DefaultPreset]
@DACL=(02 0000)
@="DV - NTSC\\Standard 48kHz.prpreset"
.
[HKEY_LOCAL_MACHINE\software\Adobe\Premiere Pro\2.0\Help]
@DACL=(02 0000)
"Support"="http://www.adobe.com.../premiere.html"
"Search"="c:\\Program Files\\Adobe\\Adobe Premiere Pro 2.0\\Help\\search.html"
"Keyboard"="c:\\Program Files\\Adobe\\Adobe Premiere Pro 2.0\\Help\\1_21_0_0.html"
"HowToUse"="c:\\Program Files\\Adobe\\Adobe Premiere Pro 2.0\\Help\\0_0_0_0.html"
"ExportToDVD"="c:\\Program Files\\Adobe\\Adobe Premiere Pro 2.0\\Help\\1_19_2_0.html"
"AdobeMediaEncoder"="c:\\Program Files\\Adobe\\Adobe Premiere Pro 2.0\\Help\\1_0_0_0.html"
"Contents"="c:\\Program Files\\Adobe\\Adobe Premiere Pro 2.0\\Help\\1_0_0_0.html"
"Registration"="\"http://store.adobe.com/cgi-bin/WebObjects/WEC?pageID=RegMp1\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(780)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(3396)
c:\windows\system32\WININET.dll
c:\documents and settings\Kevin Henry\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\Sony TV Tuner Library\SMceMan.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Sony\Sony TV Tuner Library\RM_SV.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-11-08 06:11:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-08 11:11
ComboFix2.txt 2011-11-03 19:08
ComboFix3.txt 2011-10-30 01:44
ComboFix4.txt 2011-10-28 18:55
.
Pre-Run: 16,374,439,936 bytes free
Post-Run: 16,484,487,168 bytes free
.
- - End Of File - - A9CB56B8DE0C9C16E68C9A5A8650573B

Ran Vino's 1 last time as well


Vino's Event Viewer v01c run on Windows XP in English
Report run at 08/11/2011 4:09:42 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Still having the Logitech issue; it seems I need to reinstall it after every reboot or I lose the interface and all my settings. I guess I will try to contact them and see if they have any solutions. Startup on the PC is now ~60 sec, give or take. Awesomeness! Thank you very much for your help, Ron. I'd have to say I learned quite a bit from being a part of this process. :)

#37 RKinner, Malware Expert

Don't know why Logitech is acting so funny. Perhaps they can help you.


We need to clean up System Restore. Follow Jim's procedure here:
http://aumha.net/vie...581099691bf108f


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Uncheck the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
7. Check the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shut down My Computer.

You probably do not have the latest Java (Java™ 6 Update 27 or 7 update 0). Get the latest at:
http://www.java.com/en/

Save it to your PC, then close all browsers and install it. Note on Java and Firefox: for some reason Java does not remove old consoles from Firefox. Any time you update Java you should go to Firefox, Add-ons, Extensions and disable any old Java Consoles.

They will look like: Java Console 6.xx. The xx corresponds to the update number. When they switch to 7 update 0 then it will be Java Console 7.

Multiple Java Consoles will slow down the Firefox boot. After any change to Firefox or its extensions you should run Speedyfox. (Mentioned later.)



Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not update it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)

If you use Firefox or Chrome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.

The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron

#38 Arboreal (Topic Starter, Member, 32 posts)

Heya Ron,

Ok, a few questions. Having an issue with Firefox and Adblocker, claims I'm running Firefox 3.0 and cannot use adblocker, so I upgrade to 8.0, save to desktop, open up file, go through the steps to install, no issue. Then I open firefox again, and bam, says I'm still running 3.0. Restarted, still 3.0. Tried to install again, nothing, still 3.0. Seems Adblocker says I need Firefox 11.0a1 to run. Confused.

Is there a need to uninstall OTL or ComboFIx?

About resetting the router and password. It gives me options for the security code, algorithms and algorithm key. What should these be set at, and why? After resetting the password, all wireless connections to my router are now being blocked (i.e. "Access Blocked" warning on attempted connection). When I connect from the desktop, the new password gets me access, but the password stored on the webpage (settings) seems to be an old one, several characters longer than the new one. No matter how many times I reset the password it is to the same result. Any thoughts?

#39 RKinner (Malware Expert, Expert, 19,788 posts, MVP)

I would just uninstall Firefox first. (You may want to export your settings first. http://kb.mozillazin...ofile_-_Firefox ) Then download and install the latest.


You can keep OTL and Combofix if you like though OTL should really be downloaded fresh each time as it is often updated. However, even an older version can be useful in an emergency so feel free to keep it if you like. Combofix will automatically update when you run it so it's not a problem. One reason we usually remove them is that the removal process clears the backup folders where they store malware we had them remove. It would be wise to delete the contents of C:\_OTL and c:\qoobox if you do not uninstall them.

As far as the router is concerned they usually have a button on the back called RESET. If you hold it down for 30 seconds it should set it back to factory defaults which should remove all the old passwords. Then you should be able to give the router a new password. (Note this may require you to reconfigure the connection to the Internet so if there is no separate dsl/cable modem make sure you know how to do this before you reset it.)

When you set up the wireless it will offer you several options depending on which router you have. You have to choose one that works with your equipment. WEP is the older, less secure method. WPA and WPA2 are more secure. Sometimes you get to choose 64 bit or 128 bit encryption. 128 is better if your PCs can support it. You can use both WPA and WPA2 at the same time if your router has the mixed mode option. Sometimes you put in a pass phrase, which is an easy to remember thing, then it gets converted to a string of hex. If your router and the wireless adapter are not from the same company you will usually have to use the hex string on the PC. Allowing Windows to handle the wireless seems to work better than the proprietary software that came with your network adapter. Anytime you change the key on the wireless link you will have to change the key on any wireless adapter that wants to connect to the router.

Check your router maker's website. They usually have very good instructions on how to do it.

#40 Arboreal (Topic Starter, Member, 32 posts)

I used Clean Up on OTL and deleted qoobox. Thanks for the info.

Firefox is still acting up. I completely uninstalled Mozilla Firefox using the "add or remove programs" list, then downloaded the newest version (8.0 I believe), reinstalled, and still the same issue. When I go to the adblocker addon page it declares I can't get it using 3.1.01. Where am I going wrong?

As far as the router goes, I did use the manual reset on the back before I went to change the password. It's a Linksys so I used the factory default password to get into the settings and changed the password, which continues to allow me settings access, but does not seem to work for any wireless connections. I'll look more into it @ the Linksys site and hopefully figure it out.

What are your opinions on Google Chrome? Is there a browser you would say is more secure and less problematic?

#41 RKinner (Malware Expert, Expert, 19,788 posts, MVP)

Get the add-on from

https://addons.mozil...n/adblock-plus/

It seems to work OK with my 8.0

Chrome is OK. It also has an adblock plus add-on.
http://adblockplus.org/en/chrome

I'm just used to Firefox.

For your wireless connections you need to use a different key (password) and it may need to be a certain length in order to be accepted. Then you have to make sure that the adapter on the PC knows the same key.

Ron