
Am I infected or missing stuff after running the OTL thingy?


  • This topic is locked

#121
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Was ComboFix able to run its scan successfully before rebooting?

If you look at your USB drive on your clean computer do you see any new folders created on there? I'm specifically looking to see if a ComboFix.txt file is located on there.
  • 0



#122
rupertdigby

    Member

  • Topic Starter
  • Member
  • 113 posts
no new report
  • 0

#123
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
When ComboFix ran did it install the Windows Recovery Console?
  • 0

#124
rupertdigby

    Member

  • Topic Starter
  • Member
  • 113 posts
I saw the pop-up window talking about it.
  • 0

#125
rupertdigby

    Member

  • Topic Starter
  • Member
  • 113 posts
Should I try this again to get the desktop again?


Hello,

How are you doing today?

What type of file are you looking to grab?

Hopefully we will be able to get you back up and booting today.

Let's see how you make out with these instructions.


Download the enclosed file and save it in the USB drive

  • Boot to xPUD as before and insert the USB drive
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh and Replace.txt that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -r
  • Press Enter
  • After it has finished a report will be located on your USB drive named filerep.txt

Post the contents of the filerep.txt in your next reply and try the computer in Normal Mode.


  • 0

#126
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Yeah, see if that will allow you to get back into Windows. It may not.

So we may have to run a different scan with xPUD.

If that doesn't, run this:

Hello,

It looks like we are getting somewhere now! :D

Insert the USB into the Infected computer.
(the computer should still be booted with xPUD - if it isn't reboot into xPUD)
Press File
Expand mnt
Click on the folder that represents your USB drive (sdb1)
Confirm that you see the driver.sh that you downloaded there
Press Tool at the top
Choose Open Terminal
Type bash driver.sh -f
Press Enter
You will be prompted to input a filename.
Type the following:

explorer.exe

Press Enter
The script will search for this file.
After it has finished, a report will be automatically saved to the USB drive as filefind.txt.
Locate this file and right-click it > choose Rename > rename it to explorer.txt.
Now we will do the same for winlogon.exe and rename the filefind.txt to winlogon.txt.
  • 0

#127
rupertdigby

    Member

  • Topic Starter
  • Member
  • 113 posts
Beginning replacement procedure

mv "/mnt/sda2/WINDOWS/system32/winlogon.exe" "/mnt/sda2/WINDOWS/system32/winlogon.exe.ntb"
cp "/mnt/sda2/WINDOWS/ServicePackFiles/i386/winlogon.exe" "/mnt/sda2/WINDOWS/system32/winlogon.exe"
  • 0
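An added example of the check-and-restore step that the report above records: it is not the forum's driver.sh (whose source is not on this page), but a POSIX shell script of the same idea, run from a live Linux boot against a mounted Windows volume. The mount root, the list of binaries it checks and the sample volume it builds for the demo are assumptions.

```shell
#!/bin/sh
# Added example, not the forum's driver.sh: offline check-and-restore of Windows
# system binaries from the ServicePackFiles\i386 cache, the same idea as the
# "bash driver.sh -r" step in this thread, run from a live Linux boot against a
# mounted Windows volume (e.g. /mnt/sda2 under xPUD). The mount root, the file
# list and the sample volume built below are assumptions made for the demo.

# Content fingerprint of a file: sha256sum where available, POSIX cksum otherwise.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1,2
    fi
}

# check_and_restore WINDOWS_DIR RELATIVE_PATH [dry]
# Compares the live binary with its ServicePackFiles\i386 copy and prints one of
#   ok            live file matches the cached known-good copy
#   missing       no cached copy exists, so nothing can be restored safely
#   would-replace mismatch found, but a dry run was requested
#   replaced      live file moved aside as <name>.ntb, cached copy put in place
check_and_restore() {
    win=$1; rel=$2; mode=${3:-apply}
    live="$win/$rel"
    ref="$win/ServicePackFiles/i386/$(basename "$rel")"
    if [ ! -f "$ref" ]; then
        echo missing; return 0
    fi
    if [ -f "$live" ] && [ "$(file_hash "$live")" = "$(file_hash "$ref")" ]; then
        echo ok; return 0
    fi
    if [ "$mode" = dry ]; then
        echo would-replace; return 0
    fi
    # Keep the suspect copy for later analysis rather than deleting it.
    if [ -f "$live" ]; then
        mv "$live" "$live.ntb"
    fi
    cp "$ref" "$live"
    echo replaced
}

# replace_report WINDOWS_DIR REPORT_FILE
# Runs the check over the binaries this thread is concerned with and writes a
# filerep.txt-style report, which is also printed.
replace_report() {
    win=$1; out=$2
    {
        echo "Beginning replacement procedure"
        for rel in explorer.exe system32/winlogon.exe system32/userinit.exe; do
            echo "$rel: $(check_and_restore "$win" "$rel")"
        done
    } > "$out"
    cat "$out"
}

# Constructed sample volume: winlogon.exe differs from its cached copy,
# explorer.exe matches, and userinit.exe has no cached reference copy.
make_sample_volume() {
    root=$(mktemp -d)
    mkdir -p "$root/WINDOWS/system32" "$root/WINDOWS/ServicePackFiles/i386"
    printf 'good-winlogon' > "$root/WINDOWS/ServicePackFiles/i386/winlogon.exe"
    printf 'tampered-winlogon' > "$root/WINDOWS/system32/winlogon.exe"
    printf 'good-explorer' > "$root/WINDOWS/ServicePackFiles/i386/explorer.exe"
    printf 'good-explorer' > "$root/WINDOWS/explorer.exe"
    printf 'userinit' > "$root/WINDOWS/system32/userinit.exe"
    echo "$root"
}

main() {
    root=$(make_sample_volume)
    replace_report "$root/WINDOWS" "$root/filerep.txt"
}

main
```

The moved-aside .ntb copy is what a helper would later hash or submit for analysis, so the script never deletes the suspect binary.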

#128
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Any luck booting up?
  • 0

#129
rupertdigby

    Member

  • Topic Starter
  • Member
  • 113 posts
Booted to desktop with ComboFix blue pop-up box and icons, system tray, start menu.

ComboFix - Find3M
Preparing Log Report.
Do not run any programs until ComboFix has finished
_ (blinking here)

finished and created log

ComboFix 11-01-31.02 - Rnady Barron 02/02/2011 18:05:16.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.425 [GMT -5:00]
Running from: E:\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\RNADYB~1\LOCALS~1\Temp\winlogon.dat
c:\documents and settings\All Users\Application Data\boost_interprocess\20110120202422.375000
c:\documents and settings\drivers\System
c:\documents and settings\drivers\System\852.cat
c:\documents and settings\drivers\System\852.inf
c:\documents and settings\drivers\System\852.PNF
c:\documents and settings\drivers\System\855.cat
c:\documents and settings\drivers\System\855.inf
c:\documents and settings\drivers\System\855.PNF
c:\documents and settings\drivers\System\865.cat
c:\documents and settings\drivers\System\865.inf
c:\documents and settings\drivers\System\865.PNF
c:\documents and settings\drivers\System\915.cat
c:\documents and settings\drivers\System\915.inf
c:\documents and settings\drivers\System\915.PNF
c:\documents and settings\drivers\System\915M.cat
c:\documents and settings\drivers\System\915M.inf
c:\documents and settings\drivers\System\915M.PNF
c:\documents and settings\drivers\System\945.cat
c:\documents and settings\drivers\System\945.inf
c:\documents and settings\drivers\System\945.PNF
c:\documents and settings\drivers\System\945gm.cat
c:\documents and settings\drivers\System\945GM.inf
c:\documents and settings\drivers\System\945GM.PNF
c:\documents and settings\drivers\System\addon\INFCACHE.1
c:\documents and settings\drivers\System\addon\rimmptsk.cat
c:\documents and settings\drivers\System\addon\Rimmptsk.inf
c:\documents and settings\drivers\System\addon\Rimmptsk.PNF
c:\documents and settings\drivers\System\addon\rimmptsk.sys
c:\documents and settings\drivers\System\addon\rimsptsk.cat
c:\documents and settings\drivers\System\addon\rimsptsk.inf
c:\documents and settings\drivers\System\addon\rimsptsk.PNF
c:\documents and settings\drivers\System\addon\Rimsptsk.sys
c:\documents and settings\drivers\System\addon\RixDICON.dll
c:\documents and settings\drivers\System\addon\rixdptsk.cat
c:\documents and settings\drivers\System\addon\rixdptsk.inf
c:\documents and settings\drivers\System\addon\rixdptsk.PNF
c:\documents and settings\drivers\System\addon\Rixdptsk.sys
c:\documents and settings\drivers\System\addon\snymsico.dll
c:\documents and settings\drivers\System\dmi_pci.cat
c:\documents and settings\drivers\System\dmi_pci.inf
c:\documents and settings\drivers\System\dmi_pci.PNF
c:\documents and settings\drivers\System\E7220.cat
c:\documents and settings\drivers\System\E7220.inf
c:\documents and settings\drivers\System\E7220.PNF
c:\documents and settings\drivers\System\e7230.cat
c:\documents and settings\drivers\System\E7230.inf
c:\documents and settings\drivers\System\E7230.PNF
c:\documents and settings\drivers\System\E7520.cat
c:\documents and settings\drivers\System\E7520.inf
c:\documents and settings\drivers\System\E7520.PNF
c:\documents and settings\drivers\System\E8500.cat
c:\documents and settings\drivers\System\E8500.inf
c:\documents and settings\drivers\System\E8500.PNF
c:\documents and settings\drivers\System\ich4core.cat
c:\documents and settings\drivers\System\ich4core.inf
c:\documents and settings\drivers\System\ich4core.PNF
c:\documents and settings\drivers\System\ich4ide.cat
c:\documents and settings\drivers\System\ich4ide.inf
c:\documents and settings\drivers\System\ich4ide.PNF
c:\documents and settings\drivers\System\ich4usb.cat
c:\documents and settings\drivers\System\ich4usb.inf
c:\documents and settings\drivers\System\ich4usb.PNF
c:\documents and settings\drivers\System\ich5core.cat
c:\documents and settings\drivers\System\ich5core.inf
c:\documents and settings\drivers\System\ich5core.PNF
c:\documents and settings\drivers\System\ich5ide.cat
c:\documents and settings\drivers\System\ich5ide.inf
c:\documents and settings\drivers\System\ich5ide.PNF
c:\documents and settings\drivers\System\ich5usb.cat
c:\documents and settings\drivers\System\ich5usb.inf
c:\documents and settings\drivers\System\ich5usb.PNF
c:\documents and settings\drivers\System\ich6core.cat
c:\documents and settings\drivers\System\ich6core.inf
c:\documents and settings\drivers\System\ich6core.PNF
c:\documents and settings\drivers\System\ich6ide.cat
c:\documents and settings\drivers\System\ich6ide.inf
c:\documents and settings\drivers\System\ich6ide.PNF
c:\documents and settings\drivers\System\ich6usb.cat
c:\documents and settings\drivers\System\ich6usb.inf
c:\documents and settings\drivers\System\ich6usb.PNF
c:\documents and settings\drivers\System\ich7core.cat
c:\documents and settings\drivers\System\ich7core.inf
c:\documents and settings\drivers\System\ich7core.PNF
c:\documents and settings\drivers\System\ich7ide.cat
c:\documents and settings\drivers\System\ich7ide.inf
c:\documents and settings\drivers\System\ich7ide.PNF
c:\documents and settings\drivers\System\ich7usb.cat
c:\documents and settings\drivers\System\ich7usb.inf
c:\documents and settings\drivers\System\ich7usb.PNF
c:\documents and settings\drivers\System\ichxdev.cat
c:\documents and settings\drivers\System\ichXdev.inf
c:\documents and settings\drivers\System\ichXdev.PNF
c:\documents and settings\drivers\System\INFAnswr.txt
c:\documents and settings\drivers\System\INFCACHE.1
c:\documents and settings\drivers\System\SP\ich4id2.cat
c:\documents and settings\drivers\System\SP\ich4ide.cat
c:\documents and settings\drivers\System\SP\ich5id2.cat
c:\documents and settings\drivers\System\SP\ich5id2.inf
c:\documents and settings\drivers\System\SP\ich5id2.PNF
c:\documents and settings\drivers\System\SP\ich6id2.cat
c:\documents and settings\drivers\System\SP\ich6id2.inf
c:\documents and settings\drivers\System\SP\ich6id2.PNF
c:\documents and settings\drivers\System\SP\ich7id2.cat
c:\documents and settings\drivers\System\SP\ich7id2.inf
c:\documents and settings\drivers\System\SP\ich7id2.PNF
c:\documents and settings\drivers\System\SP\INFCACHE.1
c:\documents and settings\Rnady Barron\Application Data\chrtmp
c:\documents and settings\Rnady Barron\Application Data\lovely.ini
c:\documents and settings\Rnady Barron\Application Data\Microsoft\updsts.exe
c:\documents and settings\Rnady Barron\Application Data\net.bat
c:\documents and settings\Rnady Barron\Application Data\net.vbs
c:\documents and settings\Rnady Barron\delme.bat
c:\documents and settings\Rnady Barron\GoToAssistDownloadHelper.exe
c:\documents and settings\Rnady Barron\Local Settings\Temp\winlogon.dat
c:\program files\Downloaded Installers
c:\program files\Downloaded Installers\{07FAD425-BB95-4C49-B7F5-A370E989E0D4}\setup.msi
C:\smp.bat
c:\windows\system32\_000004_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\18467.exe
c:\windows\system32\6334.exe
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\1028_DELL_XPS_MM061 .MRK
c:\windows\system32\drivers\DELL_XPS_MM061 .MRK
c:\windows\system32\drivers\inetx26.img
c:\windows\system32\User.ini

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2011-01-03 to 2011-02-03 )))))))))))))))))))))))))))))))
.

2011-02-02 22:03 . 2001-08-17 18:28 871388 -c--a-w- c:\windows\system32\dllcache\bcmdm.sys
2011-02-02 22:02 . 2001-08-17 17:49 23552 -c--a-w- c:\windows\system32\dllcache\atixbar.sys
2011-02-02 22:01 . 2001-08-17 17:12 97354 -c--a-w- c:\windows\system32\dllcache\aspndis3.sys
2011-02-02 21:57 . 2001-08-17 19:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-02-02 19:43 . 2011-02-02 19:43 507904 ------w- c:\windows\system32\winlogon.exe
2011-01-29 15:25 . 2011-01-29 15:25 -------- d-sh--w- c:\documents and settings\Rnady Barron\IECompatCache
2011-01-28 22:38 . 2011-01-28 22:38 -------- d-----w- C:\_OTM
2011-01-28 18:12 . 2011-01-28 18:12 -------- d-sh--w- c:\documents and settings\Rnady Barron\PrivacIE
2011-01-28 15:20 . 2011-01-28 15:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-01-28 15:19 . 2011-01-28 15:19 -------- d-sh--w- c:\documents and settings\Rnady Barron\IETldCache
2011-01-28 15:07 . 2011-01-28 15:09 -------- dc-h--w- c:\windows\ie8
2011-01-28 15:04 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-01-28 15:03 . 2010-11-06 00:26 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-01-28 15:03 . 2010-11-06 00:26 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-01-28 15:03 . 2010-11-06 00:26 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-01-28 15:03 . 2010-11-06 00:26 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-01-28 15:03 . 2010-11-06 00:26 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-01-28 15:03 . 2010-11-06 00:26 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-01-28 15:03 . 2010-11-06 00:26 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-01-28 13:53 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{8E29306B-EDFA-47F8-9507-10EBF53CA530}\mpengine.dll
2011-01-26 18:38 . 2011-01-26 18:38 -------- d-----w- c:\documents and settings\Rnady Barron\Application Data\DriverCure
2011-01-26 18:38 . 2011-01-26 18:38 -------- d-----w- c:\documents and settings\Rnady Barron\Application Data\ParetoLogic
2011-01-26 18:38 . 2011-01-26 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2011-01-26 15:58 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-26 15:58 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-01-26 15:58 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-26 15:58 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-26 15:58 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-01-26 15:58 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-01-26 15:58 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-01-26 15:58 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
2011-01-26 15:58 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-25 15:21 . 2011-01-25 15:21 -------- d-----w- c:\documents and settings\Rnady Barron\Application Data\AVG8
2011-01-21 17:52 . 2011-01-29 17:00 -------- d-----w- c:\documents and settings\Rnady Barron\Application Data\FixCleaner
2011-01-21 17:51 . 2011-01-29 17:00 -------- d-----w- c:\program files\FixCleaner
2011-01-21 03:20 . 2011-01-21 03:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-01-21 02:22 . 2011-01-21 02:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-01-21 01:07 . 2011-01-21 01:07 -------- d-----w- c:\windows\system32\%APPDATA%
2011-01-20 22:11 . 2011-01-21 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-01-20 22:04 . 2011-01-20 22:04 -------- d--h--w- c:\windows\PIF
2011-01-20 21:22 . 2011-01-20 21:22 -------- d-s---w- c:\documents and settings\LocalService\UserData
2011-01-20 18:47 . 2011-02-02 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2011-01-20 18:39 . 2011-01-26 13:35 0 ----a-w- c:\windows\Slizilizodo.bin
2011-01-20 18:37 . 2011-01-21 03:03 -------- d-sh--w- c:\documents and settings\Rnady Barron\Application Data\Desktop
2011-01-20 18:37 . 2011-01-20 18:37 190976 ---h--w- c:\temp\8a702136-2fcf-42b5-a671-c7b38facb426\OfferApp-2492.exe
2011-01-13 03:20 . 2008-04-13 19:39 5376 ----a-w- c:\windows\system32\MSPCLOCK.sys
2011-01-13 02:56 . 2011-01-13 02:56 -------- d-----w- c:\program files\directx
2011-01-13 02:54 . 2011-01-13 02:54 -------- d-----w- c:\program files\PIXELA
2011-01-13 02:52 . 2000-01-04 11:39 212992 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\ILog.dll
2011-01-13 02:52 . 2011-01-13 04:05 -------- d-----w- c:\documents and settings\drivers\SonyUSB
2011-01-13 02:52 . 2001-11-05 14:23 299923 ----a-w- c:\windows\system32\drivers\sonyhcs.sys
2011-01-13 02:52 . 2001-11-05 14:23 38739 ----a-w- c:\windows\system32\drivers\sonyhcc.sys
2011-01-13 02:52 . 2001-11-05 14:23 6097 ----a-w- c:\windows\system32\drivers\sonyhcb.sys
2011-01-13 02:52 . 2001-07-04 01:39 3654 ----a-w- c:\windows\system32\drivers\Sonyhcp.dll
2011-01-13 02:52 . 2001-07-04 01:33 53248 ----a-w- c:\windows\system32\SONYHCY.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 09:41 . 2010-02-11 22:39 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2010-12-20 23:09 . 2010-01-21 04:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-01-21 04:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2008-06-30 16:59 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-10 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-10 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-10 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-10 44544]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dataviz Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dataviz Messenger.lnk
backup=c:\windows\pss\Dataviz Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]
 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-07-10 13:47 116040 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2005-12-06 15:45 839680 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2005-05-15 07:04 332800 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 06:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ----a-w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 09:04 59392 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-12-14 04:41 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-12-14 04:45 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-12-14 04:44 98304 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-10 14:51 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-08-14 21:15 2407184 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ----a-w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickenScheduledUpdates]
2006-10-30 11:39 57344 ----a-w- c:\program files\Quicken\bagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 14:22 405504 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 21:57 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"LVCOMSer"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [1/12/2011 9:52 PM 6097]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/26/2011 10:58 AM 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/26/2011 10:58 AM 17744]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [1/12/2011 9:52 PM 299923]
.
Contents of the 'Scheduled Tasks' folder

2011-02-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2011-01-29 c:\windows\Tasks\FixCleaner Scan.job
- c:\program files\FixCleaner\FixCleaner.exe [2011-01-19 20:09]

2011-02-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.weather.com/weather/today/Marietta+GA+30062
uInternet Settings,ProxyServer = http=127.0.0.1:8893
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Rnady Barron\Application Data\Mozilla\Firefox\Profiles\8yq4rf2r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.charter.net/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 64061
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: The Browser Highlighter: [email protected] - c:\program files\Mozilla Firefox\extensions\[email protected]
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: The Browser Highlighter: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Npunife - c:\windows\ipxtrxyp.dll
HKCU-Run-System Display - c:\documents and settings\Rnady Barron\Application Data\Sys32Disp.exe.exe
HKLM-Run-Njuga - c:\windows\ejibacepexomi.dll
MSConfigStartUp-PeerGuardian - c:\program files\PeerGuardian2\pg2.exe
MSConfigStartUp-SemanticInsight - c:\program files\RXToolBar\Semantic Insight\SemanticInsight.exe
MSConfigStartUp-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe
MSConfigStartUp-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
MSConfigStartUp-Windows installer - C:\winstall.exe
AddRemove-ESPNMotion - c:\progra~1\ESPNMO~1\UNWISE.EXE
AddRemove-HijackThis - c:\documents and settings\Rnady Barron\My Documents\Downloads\HijackThis.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-02 19:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000001893BE8145661DA93C 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1462859062-1627159297-3116196774-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(7940)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\eHome\ehmsas.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2011-02-02 19:51:34 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-03 00:51

Pre-Run: 47,881,834,496 bytes free
Post-Run: 49,598,726,144 bytes free

- - End Of File - - 57F9D2189B9C5B8DB37B6689B9999663
  • 0

#130
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
So please confirm that you can now access your Desktop with all of the icons and start menu.
  • 0


#131
rupertdigby

rupertdigby

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 113 posts

So please confirm that you can now access your Desktop with all of the icons and start menu.


Everything on the desktop looks normal, with a few extra icons I removed before, and I left the log.txt open. The system tray looks normal.
  • 0

#132
rupertdigby

rupertdigby

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 113 posts
Do I need to now move ComboFix from the flash drive to the laptop desktop? Do I need to connect to the internet?
  • 0

#133
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

You did a fantastic job of running xPUD. :D I know that it was a bit difficult at times, and somewhat repetitive. I appreciate your patience while running the various scans and logs.

We seem to be making some headway with your computer.

When you ran ComboFix it dealt with a lot of malicious files. We need to run ComboFix again; this time we will be creating a script to run alongside it.

If ComboFix prompts you to install the Recovery Console, please allow it to do so.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::

File::
c:\windows\Slizilizodo.bin

DirLook::
c:\windows\system32\%APPDATA%
c:\documents and settings\LocalService\UserData
c:\documents and settings\Rnady Barron\Application Data\Desktop

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:8893

Firefox::
FF - ProfilePath - c:\documents and settings\Rnady Barron\Application Data\Mozilla\Firefox\Profiles\8yq4rf2r.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 64061
FF - prefs.js: network.proxy.type - 0

Suspect::[100]
c:\windows\TEMP\TMP0000001893BE8145661DA93C

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File.
2. Click Save As... and change the directory to your desktop.
3. Change the Save as type to "All Files".
4. Type in the file name: CFScript
5. Click Save.

[Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
  • 0
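The two browser entries the CFScript above corrects (the WinINet value ProxyServer = http=127.0.0.1:8893 and the Firefox prefs network.proxy.http = 127.0.0.1 / http_port = 64061) are the classic footprint of a local proxy hijack: malware starts a listener on the loopback interface and points every browser at it so it can inspect or rewrite traffic. The following is an added example, not part of the thread or of ComboFix, showing how to parse a Firefox prefs.js and a ProxyServer string and flag loopback proxies on unexpected ports. The prefs.js text and the ProxyServer value are constructed to mirror the log lines in the thread; the allowlist of "expected" local proxy ports is an assumption to be tuned to whatever software is actually installed.

```python
"""Added example (not from the original thread): flag loopback proxy
hijacks of the kind the CFScript above removes.

The sample prefs.js and ProxyServer value are constructed to mirror the
Firefox:: and DDS:: lines in the script; nothing here reads a live system.
"""
import re
from typing import Dict, List, Tuple

# Assumption: ports that a legitimate local proxy tool on this machine may
# use. Anything else on loopback is treated as suspicious.
KNOWN_LOCAL_PROXY_PORTS = {8080, 8888, 3128}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# user_pref("name", value);  -- value is a quoted string, number or bool
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs_js(text: str) -> Dict[str, str]:
    """Return {pref_name: value} for every user_pref() line in a prefs.js.
    Quoted strings are unquoted; numbers and booleans keep their literal text."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        prefs[name] = raw
    return prefs


def parse_ie_proxyserver(value: str) -> List[Tuple[str, str, int]]:
    """Parse a WinINet ProxyServer string into (scheme, host, port) tuples.
    Accepts "host:port" (applies to all protocols, scheme "*") or the
    per-protocol form "http=host:port;https=host:port"."""
    entries: List[Tuple[str, str, int]] = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            scheme, _, hostport = part.partition("=")
        else:
            scheme, hostport = "*", part
        host, _, port = hostport.rpartition(":")
        if not port.isdigit():
            continue  # malformed entry, skip rather than guess
        entries.append((scheme.strip() or "*", host.strip(), int(port)))
    return entries


def suspicious_proxies(prefs: Dict[str, str], ie_proxyserver: str) -> List[str]:
    """Return findings for loopback proxies on ports outside the allowlist."""
    findings: List[str] = []
    # Firefox: the host/port prefs survive even when network.proxy.type is
    # reset to 0 (no proxy), exactly as in the thread's log, so flag the
    # loopback target regardless of the type value.
    ff_host = prefs.get("network.proxy.http")
    ff_port = prefs.get("network.proxy.http_port", "")
    if ff_host in LOOPBACK_HOSTS and ff_port.isdigit():
        port = int(ff_port)
        if port not in KNOWN_LOCAL_PROXY_PORTS:
            findings.append(
                f"firefox: network.proxy.http -> {ff_host}:{port} "
                f"(network.proxy.type={prefs.get('network.proxy.type')})"
            )
    for scheme, host, port in parse_ie_proxyserver(ie_proxyserver):
        if host.strip("[]") in LOOPBACK_HOSTS and port not in KNOWN_LOCAL_PROXY_PORTS:
            findings.append(f"wininet: ProxyServer {scheme}={host}:{port}")
    return findings


# Constructed sample input mirroring the thread (not a real profile).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.example.com/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 64061);
user_pref("network.proxy.type", 0);
"""
SAMPLE_PROXYSERVER = "http=127.0.0.1:8893"

if __name__ == "__main__":
    for finding in suspicious_proxies(parse_prefs_js(SAMPLE_PREFS_JS), SAMPLE_PROXYSERVER):
        print("SUSPICIOUS", finding)
```

On a live XP machine the ProxyServer value lives under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings and prefs.js under the profile directory shown in the FF - ProfilePath line; the parsing above is the same once those two strings are read. A match on loopback alone is not proof of infection (local debugging proxies use the same pattern), which is why the port allowlist exists.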

#134
rupertdigby

rupertdigby

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 113 posts
I disabled Avast but don't have a clue if some other type of defense is running that may affect ComboFix, like the Windows firewall. Is there a way to check?
  • 0

#135
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
The Windows firewall shouldn't interfere with the ComboFix scan.
  • 0
