Downloader.MisleadApp? Vundo? Both?



#1
Trance the MC (Member, 16 posts)
My computer problem has gone from annoying to detrimental.
My nephew is a gamer and I believe he was trying to use some kind of keygen.
I have no logs to post because at this time I am unable to properly log into my computer.
Initially I received the popup near my taskbar saying: Warning! Security Report Message: Your computer is infected! It is recommended to start spyware cleaner tool.
My Desktop image was a huge warning and my browser would constantly show words and pages telling me to clean my PC and directing me to a website to purchase software.
I looked it up and it appeared to be the Downloader.MisleadApp. I attempted to clean it, but I was unable to use or update my Webroot Spy Sweeper. I received various errors which I believe came from the virus.
I tried various methods to clean my system and eventually used a portable version of AVG and concentrated on my windows/system32 folder (especially the config folder) because this is where it appeared the virus was.
Now, when I start Windows XP I am presented with nothing but my desktop image: no icons, no taskbar, no Start button, nothing.
Ctrl-Alt-Delete gives me the error: Task Manager has been disabled by your administrator.
I am also unable to login as an administrator, getting a message like: Unable to Log You on Because of an Account Restriction.
Trying safe mode hasn't fully worked as I am not able to delete certain files, or my system gives me a warning and then shuts down after 60 seconds.
I'm sure I have left out some things here and there, but I hope you are able to help. I am somewhat computer savvy, so I can follow the instructions fairly well.
Thank you in advance for any help you can provide.
#2
Gravity Gripp (Trusted Helper, Malware Removal, 1,815 posts)
Trance the MC, welcome to Geeks-To-Go. My name is GravityGripp and I'll be assisting you with your issues.

First, when you post logs here, post them directly into the reply. Do not attach them unless told to do so. Also, do not alter the font, color, or size of these logs. This will help me help you.

Also, if I have not responded to you in a time period longer than 4 days, please feel free to PM me.

Wow, sounds like you're having some issues here. I'll attempt to help you out; this sounds like a pretty bad infection, but let's see what we can do.


STEP ONE
Boot the computer into safe mode with networking and try to follow these instructions.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#3
Trance the MC (Topic Starter, Member, 16 posts)
Thank you so much for your help thus far.
I logged into Safe Mode under the administrator account because that is the only way I can CTRL-ALT-DEL and open Task Manager to run Windows Explorer.
After running ComboFix I restarted my system to see where I was in the process. I now cannot log in to normal or safe mode, my account or administrator, because as soon as I do, it shuts down and returns me immediately to the profile login screen (which also just started appearing when I began having problems; prior to that I was automatically logged into my profile).

Here is my ComboFix Log:

ComboFix 09-02-04.01 - Administrator 2009-02-09 21:54:15.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.356 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG 7.5.476 *On-access scanning disabled* (Outdated)
AV: Spy Sweeper with AntiVirus *On-access scanning disabled* (Updated)
FW: Webroot Desktop Firewall *disabled*
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\MSNQoS.exe
c:\recycler\MSNQoSHandler.log
c:\recycler\MSRecycler.exe
c:\recycler\xyntservice.ini
c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\ddcYpoPG.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekacwfchxox.sys
c:\windows\system32\drivers\senekakspcnjyq.sys
c:\windows\system32\drivers\senekalesixwwr.sys
c:\windows\system32\drivers\senekamafikdvi.sys
c:\windows\system32\drivers\senekanfhulnou.sys
c:\windows\system32\drivers\senekavubndkjo.sys
c:\windows\system32\drivers\senekawqpuxxyv.sys
c:\windows\system32\fhjekt.dll
c:\windows\system32\FTPx.dll
c:\windows\system32\gfvudw.dll
c:\windows\system32\jzhtkq.dll
c:\windows\system32\MabryObj.dll
c:\windows\system32\search.dll
c:\windows\system32\senekaargfggde.dll
c:\windows\system32\senekafpmbivxi.dat
c:\windows\system32\senekafvnmullq.dll
c:\windows\system32\senekahwwkvxsd.dat
c:\windows\system32\senekaibapqrir.dll
c:\windows\system32\senekaiqiffsny.dll
c:\windows\system32\senekakjgertky.dat
c:\windows\system32\senekaknckmtew.dat
c:\windows\system32\senekamuequvxx.dll
c:\windows\system32\senekankinmeti.dll
c:\windows\system32\senekanqlotkiq.dll
c:\windows\system32\senekatadquehi.dll
c:\windows\system32\senekatnxvkiqq.dat
c:\windows\system32\senekavtpyvqaj.dll
c:\windows\system32\senekayrksxbwn.dat
c:\windows\system32\setup.ini
c:\windows\system32\system
c:\windows\system32\system\msxml4.dll
c:\windows\system32\system\msxml4r.dll
c:\windows\system32\test.ttt
c:\windows\system32\twex.exe
c:\windows\system32\uniq.tll
c:\windows\system32\urqPfEvs.dll
c:\windows\system32\win32hlp.cnf
c:\windows\system32\winlogon2.exe
c:\windows\system32\xxyvvSmM.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))
.

2009-02-04 20:15 . 2009-02-04 20:15 <DIR> d-------- C:\VundoFix Backups
2009-02-04 20:13 . 2009-02-04 20:13 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-04 03:25 . 2009-02-04 03:25 <DIR> d--hs---- c:\windows\system32\twain32
2009-02-04 00:07 . 2009-02-04 00:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Thinstall
2009-02-03 22:21 . 2009-02-03 22:21 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Webroot
2009-02-03 07:34 . 2009-02-09 21:54 <DIR> d-------- c:\windows\system32\CatRoot2
2009-02-03 07:34 . 2009-02-03 22:02 8,992 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-02-03 07:34 . 2009-02-03 22:02 32 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-02-03 07:34 . 2009-02-03 22:02 32 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-02-03 07:34 . 2009-02-03 22:02 32 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-02-03 07:10 . 2009-02-03 20:55 <DIR> dr-h----- C:\$VAULT$.AVG
2009-02-03 05:07 . 2009-02-03 05:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Grisoft
2009-02-03 05:07 . 2009-02-03 06:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVG7
2009-01-30 01:00 . 2009-01-30 01:00 <DIR> d-------- c:\program files\Handmark
2009-01-29 23:04 . 2009-01-29 23:25 <DIR> d-------- c:\program files\Common Files\DataViz
2009-01-29 23:04 . 2009-01-29 23:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\DataViz
2009-01-29 23:03 . 2009-01-29 23:29 <DIR> d-------- c:\program files\Documents To Go
2009-01-28 02:09 . 2009-01-28 02:09 0 --ah----- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-01-28 01:50 . 2006-01-27 00:56 938,272 --a------ c:\windows\system32\wodFtpDLX.OCX
2009-01-27 15:30 . 2009-02-03 11:11 2,180 --a------ c:\windows\system32\d3d8caps.dat
2009-01-23 00:58 . 2007-03-31 08:00 44,544 --a------ c:\windows\system32\msxml4a.dll
2009-01-23 00:57 . 2009-01-23 00:57 <DIR> d-------- c:\program files\Fortop Digital Software
2009-01-15 00:09 . 2009-01-15 00:09 0 --ah----- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-01-15 00:09 . 2009-01-15 00:09 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-01-15 00:07 . 2009-01-15 00:07 0 --ah----- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-01-14 23:39 . 2009-01-15 22:58 <DIR> d-------- c:\program files\Zune
2009-01-14 23:08 . 2009-01-14 23:08 <DIR> d-------- c:\program files\USB Safely Remove
2009-01-14 23:08 . 2009-01-14 23:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\USBSRService
2009-01-14 22:24 . 2008-03-21 13:57 14,640 --------- c:\windows\system32\spmsgXP_2k3.dll
2009-01-14 22:24 . 2009-01-14 22:24 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-14 22:24 . 2009-01-14 22:24 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-01-14 06:01 . 2008-05-02 07:30 464,384 --------- c:\windows\system32\imapi2fs.dll
2009-01-14 06:01 . 2008-05-02 07:30 464,384 -----c--- c:\windows\system32\dllcache\imapi2fs.dll
2009-01-14 06:01 . 2008-05-02 07:30 317,952 --------- c:\windows\system32\imapi2.dll
2009-01-14 06:01 . 2008-05-02 07:30 317,952 -----c--- c:\windows\system32\dllcache\imapi2.dll
2009-01-14 06:01 . 2008-05-02 03:05 62,592 -----c--- c:\windows\system32\dllcache\cdrom.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 03:32 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-03 11:09 --------- d-sha-w c:\program files\NetSnippets
2009-02-03 11:07 --------- d-----w c:\documents and settings\trancemc\Application Data\Thinstall
2009-01-30 09:13 --------- d-----w c:\program files\BitComet
2009-01-30 07:57 --------- d-----w c:\documents and settings\trancemc\Application Data\wsInspector
2009-01-30 06:06 --------- d-----w c:\program files\Pocket Science Pty Limited
2009-01-30 02:29 15,960 -csha-w c:\windows\system32\KGyGaAvL.sys
2009-01-28 07:50 --------- d-----w c:\program files\CoffeeCup Software
2009-01-23 19:19 --------- d-----w c:\documents and settings\trancemc\Application Data\USBSafelyRemove
2009-01-13 06:24 --------- d-----w c:\program files\DIY DataRecovery CHK-Mate
2009-01-09 06:08 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-01-08 01:05 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-08 01:05 --------- d-----w c:\program files\onOne Software
2009-01-07 11:04 --------- d-----w c:\documents and settings\trancemc\Application Data\Alien Skin
2009-01-07 05:33 --------- d-----w c:\documents and settings\trancemc\Application Data\Nero
2009-01-07 05:08 --------- d-----w c:\program files\Common Files\LightScribe
2009-01-07 05:08 --------- d-----w c:\documents and settings\All Users\Application Data\LightScribe
2009-01-07 03:45 --------- d-----w c:\program files\Common Files\Nero
2009-01-07 02:39 --------- d-----w c:\program files\Nero
2009-01-07 02:33 --------- d-----w c:\program files\Windows Sidebar
2009-01-06 07:29 --------- d-----w c:\program files\MSBuild
2009-01-06 07:28 --------- d-----w c:\program files\Reference Assemblies
2009-01-06 07:06 --------- d-----w c:\program files\MSXML 6.0
2009-01-05 17:52 --------- d-----w c:\program files\DynamicPhotoHDR
2009-01-05 08:30 --------- d-----w c:\documents and settings\All Users\Application Data\GlobalSCAPE
2009-01-05 08:28 --------- d-----w c:\program files\GlobalSCAPE
2009-01-05 07:49 --------- d-----w c:\program files\Your Uninstaller 2008
2009-01-05 07:35 --------- d-----w c:\program files\Tribal
2009-01-01 11:40 --------- d-----w c:\program files\FaceOnBody
2008-12-30 01:20 --------- d-----w c:\program files\FLV Player
2008-12-29 22:25 --------- d-----w c:\documents and settings\trancemc\Application Data\Move Networks
2008-12-23 22:25 --------- d-----w c:\documents and settings\All Users\Application Data\FaceOnBody
2008-12-22 23:30 --------- d-----w c:\program files\7-Zip
2008-12-22 20:56 --------- d-----w c:\documents and settings\trancemc\Application Data\Notepad++
2008-12-22 17:21 --------- d-----w c:\program files\PixPlantPhotoshop
2008-12-22 00:04 --------- d-----w c:\program files\Google
2008-12-21 23:44 --------- d-----w c:\program files\Notepad++
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-10 09:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2001-09-10 14:00 139,264 ----a-w c:\windows\inf\i386\Rtscan.dll
2001-09-10 13:10 61,440 ----a-w c:\windows\inf\i386\onetUSD.dll
2001-08-17 23:43 32,768 -c--a-w c:\windows\inf\i386\Wiamicro.dll
2001-08-03 23:29 13,824 -c--a-w c:\windows\inf\i386\usbscan.sys
2001-06-29 13:10 163,840 ----a-w c:\windows\inf\i386\viceo.dll
2006-09-25 12:57 3,072 ----a-w c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2006-09-25 12:57 245,408 ----a-w c:\program files\mozilla firefox\plugins\unicows.dll
2005-09-15 23:26 44,153 ----a-w c:\program files\mozilla firefox\components\inspector.dll
2007-10-14 13:13 56 -csh--r c:\windows\system32\B97678233E.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Pop-Up Stopper"="c:\program files\Panicware\Pop-Up Stopper\dpps2.exe" [2001-10-16 675840]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-25 172032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2002-09-27 4214784]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2007-05-09 2299400]
"Webroot Desktop Firewall"="c:\program files\Webroot\Webroot Desktop Firewall\WDF.exe" [2008-07-31 2401672]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"ACD mPower Tools"="c:\program files\ACD Systems\mPower Tools\1.0\mPowerTools.exe" [2003-03-11 1003520]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 5367664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

c:\documents and settings\trancemc\Start Menu\Programs\Startup\
Text Monkey PRO.lnk - c:\program files\Text Monkey\TextMonkeyPRO.exe [2005-06-29 918016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2009-01-29 28672]
HotSync Manager.lnk - c:\palm\Hotsync.exe [2004-06-09 471040]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-08-22 784912]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\QUALCOMM\Eudora\EuShlExt.dll" [2005-06-07 86016]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= "c:\program files\Logitech\Easy Synchronization\shellexecutehook.dll" [2004-11-29 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 10:10 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jzhtkq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"midi1"= evolusbn.dll
"midi3"= evolusbn.dll
"midi5"= evolusbn.dll
"msvideo9"= SDVC03.drv
"midi6"= evolusbn.dll
"midi7"= evolusbn.dll
"midi8"= evolusbn.dll
"midi9"= evolusbn.dll
"VIDC.JPEG"= JpegCode.dll
"VIDC.MJPG"= JpegCode.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Games\\oiltyc\\ot.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1104974216\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Pando Networks\\Pando\\pando.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"25333:TCP"= 25333:TCP:BitComet 25333 TCP
"25333:UDP"= 25333:UDP:BitComet 25333 UDP
"135:TCP"= 135:TCP:DCOM(135)

R2 Sdselect;Sdselect;c:\windows\system32\drivers\sdselect.sys [2004-03-02 73296]
S1 c2scsi;c2scsi; [x]
S1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2008-07-02 103304]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [2006-05-07 104088]
S2 FlashNT;FlashNT;c:\windows\system32\drivers\FLASHNT.SYS [2004-12-10 72784]
S2 gupdate1c963c8beb4f11b;Google Update Service (gupdate1c963c8beb4f11b);c:\program files\Google\Update\GoogleUpdate.exe [2008-12-21 133104]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2007-08-22 10640]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\RaInfo.sys --> c:\program files\LogMeIn\RaInfo.sys [?]
S2 ousbehci;%OWC_USBEHCD.DeviceDesc%;c:\windows\system32\drivers\ousbehci.sys [2006-07-11 42752]
S2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [2002-12-06 23200]
S2 UnoInstallerService;Uno Installer;c:\program files\M-Audio Uno\UnoInst.exe [2006-12-19 106496]
S2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\USB Safely Remove\USBSRService.exe [2009-01-14 208144]
S2 WDFNet;Webroot Desktop Firewall network service;c:\program files\Webroot\Webroot Desktop Firewall\wdfsvc.exe [2008-07-31 353672]
S3 aligp;USB Composite Device;c:\windows\system32\drivers\AliGP.sys [2006-05-07 8668]
S3 alihub;Generic Hub on USB 2.0 Bus;c:\windows\system32\drivers\AliHub.sys [2006-05-07 17835]
S3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [2006-05-07 5337]
S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [2007-08-28 38604]
S3 EVOLUSB;%EVOL_USB_SvcDesc%;c:\windows\system32\drivers\evolusb.sys [2006-12-30 21984]
S3 msvad_multi;Samson Audio (WDM);c:\windows\system32\drivers\SWAudWDM.sys [2005-11-10 25088]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2006-07-11 55552]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys --> c:\windows\system32\DRIVERS\radpms.sys [?]
S3 SamsonLLDriver;Samson LL Driver;c:\windows\system32\drivers\SamsonLLDriver.sys [2006-12-12 56832]
S3 SDVC05;USB SDVC05;c:\windows\system32\drivers\SDVC05.sys [2007-07-31 18088]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - LBEEPKE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 14:21]

2009-01-28 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16 []

2009-02-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-21 18:02]

2009-02-09 c:\windows\Tasks\wrSpySweeper_LD1ABDC500FFC45D1BBBD5076ECC7612A.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 20:56]

2009-02-09 c:\windows\Tasks\wrSpySweeper_LD1ABDC500FFC45D1BBBD5076ECC7612A.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 20:56]

2009-02-09 c:\windows\Tasks\wrSpySweeper_LD1ABDC500FFC45D1BBBD5076ECC7612A.job
- A:\ []
.
- - - - ORPHANS REMOVED - - - -

BHO-{082a0e13-ff2b-4db6-bb96-5a141ab30244} - c:\windows\system32\jzhtkq.dll
HKLM-Run-MSRSvC - c:\recycler\MSRecycler.exe
Notify-ssqNFUKd - ssqNFUKd.dll


.
------- Supplementary Scan -------
.
mWindow Title = Microsoft Internet Explorer
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4metq9c2.default\
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npalnn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsabffx.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 22:01:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\EncryptionInterface*]
"l_encryption_d"="585A4A5A445F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(252)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\windows\system32\WRLogonNTF.dll
.
Completion time: 2009-02-09 22:07:06
ComboFix-quarantined-files.txt 2009-02-10 04:06:54

Pre-Run: 67,679,268,864 bytes free
Post-Run: 71,065,481,216 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

329 --- E O F --- 2009-01-15 09:19:10
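An added example, not code from the thread or from ComboFix: a small Python triage script for a ComboFix-style log like the one posted above. It splits the log into its banner-delimited sections, pulls file paths out of "Other Deletions" and autostart values out of "Reg Loading Points" and "ORPHANS REMOVED", and reports which persistence points referenced a file the tool removed, plus removed files that no listed entry referenced. All function names are my own, and the sample input is a trimmed excerpt constructed from the log above.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code):
link each autostart entry to the file it referenced and say whether the tool removed it."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the log posted above: same section banners and line formats, trimmed.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\MSRecycler.exe
c:\windows\system32\jzhtkq.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\winlogon2.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Webroot Desktop Firewall"="c:\program files\Webroot\Webroot Desktop Firewall\WDF.exe" [2008-07-31 2401672]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jzhtkq.dll
.
- - - - ORPHANS REMOVED - - - -
BHO-{082a0e13-ff2b-4db6-bb96-5a141ab30244} - c:\windows\system32\jzhtkq.dll
HKLM-Run-MSRSvC - c:\recycler\MSRecycler.exe
Notify-ssqNFUKd - ssqNFUKd.dll
"""

ORPHANS = "ORPHANS REMOVED"
BANNER_RE = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+$")      # ((( Section Name )))
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                     # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"?(?P<value>[^"\[]*?)"?\s*(\[[^\]]*\])?$')
PATH_RE = re.compile(r"^[a-z]:\\", re.I)                           # drive-letter path


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the banner (or ORPHANS marker) above them."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in log.splitlines():
        line = raw.strip()
        banner = BANNER_RE.match(line)
        if banner:
            current = banner.group("name")
        elif line.startswith("- - - - " + ORPHANS):
            current = ORPHANS
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
        sections.setdefault(current, [])
    return sections


def loading_points(lines: List[str]) -> List[Tuple[str, str]]:
    """(registry location, referenced file) pairs from the REGEDIT4-style block."""
    entries, key = [], ""
    for line in lines:
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        v = VALUE_RE.match(line)
        if v and key:
            entries.append((key + "\\" + v.group("name"), v.group("value").strip()))
    return entries


def orphans(lines: List[str]) -> List[Tuple[str, str]]:
    """'Location - file' pairs from the ORPHANS REMOVED block."""
    return [tuple(part.strip() for part in line.rsplit(" - ", 1))
            for line in lines if " - " in line]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def correlate(log: str) -> Dict[str, list]:
    """'hits': autostart entries whose target the tool deleted. 'loose_ends': deleted
    files no listed entry referenced; worth a second look before rebooting, since
    something outside the shown entries may still point at them (winlogon2.exe here)."""
    sections = split_sections(log)
    deleted = [l for l in sections.get("Other Deletions", []) if PATH_RE.match(l)]
    by_name = {basename(p): p for p in deleted}
    entries = (loading_points(sections.get("Reg Loading Points", []))
               + orphans(sections.get(ORPHANS, [])))
    hits, referenced = [], set()
    for where, file in entries:
        name = basename(file)
        if name in by_name:
            hits.append({"where": where, "file": file, "deleted_as": by_name[name]})
            referenced.add(name)
    loose_ends = [p for p in deleted if basename(p) not in referenced]
    return {"hits": hits, "loose_ends": loose_ends}


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG)["hits"]:
        print(hit["where"], "->", hit["deleted_as"])
```

Run against the full log, it also reports the Drivers/Services and "Files Created" sections as plain line lists, which you can extend with parsers of your own.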

#4
Gravity Gripp (Trusted Helper, Malware Removal, 1,815 posts)
I apologize for the delay in my response. I was checking with some other experts on this issue. It looks like the malware that you had took over the process that allows you to log in. When we ran ComboFix, it deleted the bad file, thus causing your login issues. I believe we can fix this issue, so don't worry.

Do you have your Windows XP installation disk?

Edited by Gravity Gripp, 12 February 2009 - 09:36 AM.


#5
Gravity Gripp (Trusted Helper, Malware Removal, 1,815 posts)
Also, did you install the recovery console when you first ran ComboFix?

#6
Trance the MC (Topic Starter, Member, 16 posts)
Do not apologize for the delay. The help you guys give is wonderful and it is greatly appreciated. There are techs that charge ASTRONOMICAL prices for these services.
Yes, I do have my Installation Disk.

#7
Trance the MC (Topic Starter, Member, 16 posts)
Yes, I replied the Recovery Console.
That and XP are my options for operating systems when I start my PC in Safe Mode.

#8
Gravity Gripp (Trusted Helper, Malware Removal, 1,815 posts)
Good to hear; let's give the recovery console a try first.

STEP ONE
  • You will be presented with the following:


    Microsoft Windows® Recovery Console

    The Recovery Console provides system repair and recovery functionality.
    Type EXIT to quit the Recovery Console and restart the computer.

    1: C:\WINDOWS

    Which Windows Installation would you like to log onto
    (To cancel, press ENTER)?

  • Press the number 1 on your keyboard and hit Enter.
  • At the command prompt, type the following command and press Enter:

    copy C:\windows\winlogon.exe C:\windows\winlogon2.exe

Type Exit and press Enter. Take the CD out of the drive and let the computer restart.


STEP TWO

If the previous step worked, you should be able to log in now. If you can, please proceed with the following.

  • First, download OTListIt2 to your desktop.
  • Once it has finished downloading, please double click on the icon.
  • When the window appears, please make the following changes:
    • Click Output: Minimal Output
  • When the scan completes, it will open two Notepad windows: OTListIt.Txt and Extras.Txt.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
  • You may close these windows when you have posted the contents of the files.


#9
Trance the MC (Topic Starter, Member, 16 posts)
Quick question.
I installed the recovery console as you suggested during the ComboFix process.
Do I still need to use the XP Installation CD?

#10
Gravity Gripp (Trusted Helper, Malware Removal, 1,815 posts)
Not at this moment; for now just use the recovery console when your computer boots.
#11
Trance the MC (Topic Starter, Member, 16 posts)
Sad Face
When I booted from my XP CD the Windows Setup screen appeared and after it said it was inspecting my system, I received a message stating:

File \i386\c_437.nls could not be loaded.
The error code is 7.
Setup cannot continue.
Press any key to exit.

So then I booted normally and when it asked which operating system to use, Windows Recovery or Windows XP, I chose Windows Recovery.
Then my machine just hung.
A single underscore blinked at the upper left corner of my screen, but I was able to do nothing.
This happened every time I chose Windows Recovery.

Is there hope for me?

Thanks in advance for your help.

#12
Gravity Gripp (Trusted Helper, Malware Removal, 1,815 posts)
Just letting you know I haven't forgotten about you; I'm discussing the best course of action here with some other experts. I'll get back to you soon.

#13
Gravity Gripp (Trusted Helper, Malware Removal, 1,815 posts)
STEP ONE

Let's try the alternative recovery console.

Download RC.iso and burn it to a CD as an ISO image. You may need a burning tool like ISO Recorder to do this; be sure to get the version for the operating system you'll be creating the disk on.

STEP TWO
  • You will be presented with the following:


    Microsoft Windows® Recovery Console

    The Recovery Console provides system repair and recovery functionality.
    Type EXIT to quit the Recovery Console and restart the computer.

    1: C:\WINDOWS

    Which Windows Installation would you like to log onto
    (To cancel, press ENTER)?

  • Press the number 1 on your keyboard and hit Enter.
  • At the command prompt, type the following command and press Enter:

    copy C:\windows\winlogon.exe C:\windows\winlogon2.exe

Type Exit and press Enter. Take the CD out of the drive and let the computer restart.

#14
Trance the MC (Topic Starter, Member, 16 posts)
Thank you again for your reply.
This time the Recovery console ran.
However, after the step:

At the command prompt, type the following command and press Enter:
copy C:\windows\winlogon.exe C:\windows\winlogon2.exe

It gave me a message saying:
The system cannot find the file specified

Did I type something wrong? How should I proceed?

Thanks in advance for your help.

Joel

#15
Gravity Gripp (Trusted Helper, Malware Removal, 1,815 posts)
When you were in the recovery console, what was the letter here -->1: C:\WINDOWS? Was it C or another letter?