Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Mbam wont run and IE will not stay open [Solved]

Started by RubyMarty , Nov 06 2012 01:40 PM

  • This topic is locked This topic is locked

#1
RubyMarty
Posted 06 November 2012 - 01:40 PM

RubyMarty

    Member

  • Member
  • PipPipPip
  • 186 posts
My 14 year old brother in law took it upon himself to attempt to jailbreak his iphone on my clean computer. Well not only did he not succeed when i logged back into my computer i saw over 12 programs he "installed." I removed and deleted all that i could. There are a couple of problems left that i hope that you guys can help me with. First mbam and other removal tool ie. adaware and superantispyware will not run even when trying to change the exe name. Also if you open IE it will briefly show the window and then it will close. I have access to safe mode and the internet is active, I just can not get a browser to load.

Thanks
  • 2

Advertisements

#2
Essexboy
Posted 06 November 2012 - 01:47 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi do you have a USB to transfer some programmes with ?

If so copy these two programmes to the USB plug it into the sick computer and run from the USB

  • Download RogueKiller and save it on your desktop.

    NOTE: If using IE8 or better Smartscreen Filter will need to be disabled
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
Posted Image

  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
Posted Image
  • The report has been created on the desktop.

  • Next click on the ShortcutsFix
    Posted Image
  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

THEN

Download OTL to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

    Posted Image
  • Select All Users
  • Under the Custom Scan box paste this in

    netsvcs
    BASESERVICES
    %SYSTEMDRIVE%\*.exe
    /md5start
    services.*
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    winsock.*
    /md5stop
    CREATERESTOREPOINT
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

  • 0

#3
RubyMarty
Posted 07 November 2012 - 03:11 PM

RubyMarty

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 186 posts
Here are the logs that you requested from RogueKiller. I could not get OTL to work it gave me the windows error and stops it. I am sorry that it takes me this long to respond as the only computer that i can get on the internet with is at work, so i have to post and then go home and carry out the instructions and then wait to get back to work to post again.

RogueKiller V8.2.2 [11/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Website: http://tigzy.geeksto...roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Pappi [Admin rights]
Mode : Scan -- Date : 11/06/2012 23:40:18

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 22e185eac9da3fa5730c15b1740781ce
[BSP] 0b38c0e8c85b9d860cb3265d8e35de24 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 218129509 | Size: 831050 Mo
1 - [XXXXXX] UNKNOWN (0x74) [VISIBLE] Offset (sectors): 729050177 | Size: 265612 Mo
3 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 2692939776 | Size: 25 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 01f6a0a90e45e74d8610844ee4045e58
[BSP] 1dbe1203ebc192a518fed18c9979942d : Standard MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: +++++
--- User ---
[MBR] 2c7552132c62bd0263dd97e5b596a06b
[BSP] 44d2e4c9ebc2dda4a26b21adaceffd0c : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 131061 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive3: +++++
--- User ---
[MBR] 659cd89007d3026cf8251ab66a999f1b
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 32 | Size: 3818 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_11062012_02d2340.txt >>
RKreport[1]_S_11062012_02d2340.txt




RogueKiller V8.2.2 [11/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Website: http://tigzy.geeksto...roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Pappi [Admin rights]
Mode : Remove -- Date : 11/06/2012 23:40:33

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 22e185eac9da3fa5730c15b1740781ce
[BSP] 0b38c0e8c85b9d860cb3265d8e35de24 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 218129509 | Size: 831050 Mo
1 - [XXXXXX] UNKNOWN (0x74) [VISIBLE] Offset (sectors): 729050177 | Size: 265612 Mo
3 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 2692939776 | Size: 25 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 01f6a0a90e45e74d8610844ee4045e58
[BSP] 1dbe1203ebc192a518fed18c9979942d : Standard MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: +++++
--- User ---
[MBR] 2c7552132c62bd0263dd97e5b596a06b
[BSP] 44d2e4c9ebc2dda4a26b21adaceffd0c : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 131061 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive3: +++++
--- User ---
[MBR] 659cd89007d3026cf8251ab66a999f1b
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 32 | Size: 3818 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_11062012_02d2340.txt >>
RKreport[1]_S_11062012_02d2340.txt ; RKreport[2]_D_11062012_02d2340.txt



RogueKiller V8.2.2 [11/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Website: http://tigzy.geeksto...roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Pappi [Admin rights]
Mode : Shortcuts HJfix -- Date : 11/06/2012 23:42:32

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 14 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 55 / Fail 0
My documents: Success 2 / Fail 2
My favorites: Success 2 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 352 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[E:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[F:] \Device\CdRom0 -- 0x5 --> Skipped
[G:] \Device\CdRom1 -- 0x5 --> Skipped
[H:] \Device\Harddisk3\DP(1)0-0+9 -- 0x2 --> Restored

Finished : << RKreport[3]_SC_11062012_02d2342.txt >>
RKreport[1]_S_11062012_02d2340.txt ; RKreport[2]_D_11062012_02d2340.txt ; RKreport[3]_SC_11062012_02d2342.txt



Thanks
  • 0

#4
Essexboy
Posted 07 November 2012 - 04:11 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hmm unusual for OTL to be blocked

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • Allow the installation of the recovery console

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
  • 0

#5
RubyMarty
Posted 07 November 2012 - 05:37 PM

RubyMarty

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 186 posts
Should i try to run your OTL scan in safe mode first? Or do you just want me to do the combofix scan?

Also do you want me to run on OTL scan after the combofix scan?

Just trying to get a few steps since i cannot do anything from home to help us out

Thanks

J
  • 0

#6
Essexboy
Posted 08 November 2012 - 07:57 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Go combofix first and then follow up with another attempt at an OTL scan
  • 0

#7
RubyMarty
Posted 08 November 2012 - 01:24 PM

RubyMarty

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 186 posts
Here is the combofix log. OTL still gave a windows error in both normal and safe mode.

ComboFix 12-11-06.03 - Pappi 11/08/2012 0:03.1.2 - x86
Running from: c:\documents and settings\Pappi\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
c:\documents and settings\Germando\Application Data\inst.exe
c:\documents and settings\Germando\WINDOWS
c:\documents and settings\Pappi\Application Data\PriceGong
c:\documents and settings\Pappi\Application Data\PriceGong\Data\1.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\2229.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\4436.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\a.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\b.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\c.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\d.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\e.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\f.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\g.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\h.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\i.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\j.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\k.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\l.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\m.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Pappi\Application Data\PriceGong\Data\n.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\o.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\p.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\q.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\r.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\s.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\t.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\u.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\v.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\w.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\x.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\y.txt
c:\documents and settings\Pappi\Application Data\PriceGong\Data\z.txt
c:\documents and settings\Pappi\Local Settings\Application Data\common_functions.dll
c:\documents and settings\Pappi\Local Settings\Application Data\ie_runner_app.exe
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\XSxS
.
.
((((((((((((((((((((((((( Files Created from 2012-10-08 to 2012-11-08 )))))))))))))))))))))))))))))))
.
.
2012-11-07 05:43 . 2012-11-07 05:43 711240 ----a-w- c:\windows\is-S52OL.exe
2012-11-06 05:19 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-11-06 05:19 . 2012-11-07 05:45 -------- d-----w- c:\program files\vMalwarebytes' Anti-Malware
2012-11-06 05:19 . 2012-09-30 01:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-06 04:35 . 2012-11-06 05:03 -------- d-----w- c:\program files\SpywareBlaster
2012-11-06 04:35 . 2010-01-11 01:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2012-11-06 04:35 . 2010-01-11 01:40 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-11-06 04:31 . 2012-11-06 04:31 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2012-11-06 02:35 . 2012-11-06 03:44 -------- d-----w- c:\windows\system32\NtmsData
2012-11-06 02:25 . 2012-11-06 02:25 -------- d-----w- c:\documents and settings\Administrator
2012-11-06 02:21 . 2012-06-26 10:59 940544 ----a-w- c:\documents and settings\Pappi\Local Settings\Application Data\log4cxx.dll
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\windows\system32\config\systemprofile\AppData
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\documents and settings\Pappi\AppData
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY.000\AppData
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\AppData
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\WeatherBug
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\documents and settings\Pappi\Application Data\WeatherBug
2012-11-04 08:45 . 2012-11-06 02:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\boost_interprocess
2012-11-04 08:45 . 2012-11-04 08:45 -------- d-----w- c:\documents and settings\Pappi\Application Data\encyclopediabritannicagamesbar
2012-11-04 08:45 . 2012-11-04 08:45 -------- d-----w- c:\documents and settings\Pappi\Application Data\Oberon Media
2012-11-04 08:45 . 2012-11-04 08:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Oberon Media
2012-11-04 08:45 . 2012-11-04 08:45 -------- d-----w- c:\documents and settings\Pappi\Application Data\VisicomToolBar
2012-11-04 03:37 . 2012-11-04 03:37 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\XboxMB
2012-11-04 03:37 . 2012-11-04 03:37 -------- d-----w- c:\program files\Xenocode
2012-11-04 03:37 . 2012-11-04 03:37 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\Xenocode
2012-11-04 03:12 . 2012-11-04 03:12 -------- d-----w- c:\documents and settings\Pappi\Application Data\redsn0w
2012-11-04 02:59 . 2012-11-04 02:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\WeCareReminder
2012-11-04 02:58 . 2012-11-06 04:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
2012-11-04 02:58 . 2012-11-06 04:10 -------- d-----w- c:\documents and settings\Pappi\Application Data\Yahoo!
2012-11-04 02:58 . 2012-11-06 04:10 -------- d-----w- c:\program files\Yahoo!
2012-11-04 02:44 . 2012-11-04 02:44 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Tarma Installer
2012-11-04 02:44 . 2012-11-06 02:22 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\Conduit
2012-11-04 02:44 . 2012-11-04 02:44 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\Temp
2012-11-02 20:59 . 2012-11-02 20:59 -------- d-----w- c:\documents and settings\Pappi\Application Data\Windows Search
2012-11-02 04:11 . 2012-11-02 04:14 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\ApplicationHistory
2012-11-02 03:00 . 2012-11-02 03:01 -------- d-----w- c:\program files\iTunes
2012-11-02 03:00 . 2012-11-02 03:01 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-11-02 02:53 . 2012-08-28 15:14 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-11-02 02:53 . 2012-11-02 02:53 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY.000\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-02 02:48 . 2012-03-24 06:26 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2012-08-28 15:14 . 2001-08-23 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2001-08-23 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2012-03-24 05:17 385024 ------w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2001-08-23 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 18:01 . 2012-03-24 06:09 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 18:01 . 2012-03-24 06:09 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-08-21 13:33 . 2001-08-23 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2001-08-17 13:48 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-13 04:39 . 2012-03-30 03:30 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . 9B9F1C38D559047B8AC0DBA2D5FEBDE9 . 4096 . . [5.3.2600.5512] . . c:\windows\ServicePackFiles\i386\ksuser.dll
[7] 2004-08-04 . CBCD254547689BFF80C9F547B20911E9 . 4096 . . [5.3.2600.2180] . . c:\windows\$NtServicePackUninstall$\ksuser.dll
.
c:\windows\System32\ksuser.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Windows Search.lnk - [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 spd Updater;spd Updater;c:\program files\SPDUpdater\updater.exe [x]
R3 AsrCDDrv;AsrCDDrv;c:\windows\System32\Drivers\AsrCDDrv.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
S2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\Drivers\LBeepKE.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
BHO-{7F6AFBF1-E065-4627-A2FD-810366367D01} - c:\documents and settings\Pappi\Application Data\DefaultTab\DefaultTab\DefaultTabBHO.dll
HKCU-Run-SPMTray - {pf}\\PC Speed Maximizer\\SPMTray.exe
HKCU-Run-SearchEngineProtection - c:\program files\GamesBar\update\SearchEngineProtection.exe
HKCU-Run-Asrsetup - F:\ASRSetup.exe
HKLM-Run-avgnt - c:\program files\Avira\AntiVir Desktop\avgnt.exe
SafeBoot-Wdf01000.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-08 00:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: MAXTOR_STM3160812AS rev.3.AAJ -> Harddisk2\DR2 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\17?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.8"
"DeviceInstanceIds"=multi:"f:\\drivers\\all in 1\\amd\\xp64_xp(8.512)\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
Completion time: 2012-11-08 00:08:21
ComboFix-quarantined-files.txt 2012-11-08 06:08
.
Pre-Run: 91,736,522,752 bytes free
Post-Run: 92,566,245,376 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - A220269FBE5F11ECFC1A0B2F76C79422


Thanks for your help
J
  • 0

#8
Essexboy
Posted 08 November 2012 - 01:29 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hmm lets replace the missing file (an audio driver) and then have another look at the MBR

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy::
c:\windows\ServicePackFiles\i386\ksuser.dll|c:\windows\System32\ksuser.dll



Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

THEN

  • Download RogueKiller and save it on your desktop.

    NOTE: If using IE8 or better Smartscreen Filter will need to be disabled
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
    Posted Image
  • Wait for the end of the scan.
  • The report has been created on the desktop.

  • 0

#9
Essexboy
Posted 08 November 2012 - 01:30 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
I know you have allready run roguekiller but I would like a second look at the mbr
  • 0

#10
RubyMarty
Posted 09 November 2012 - 01:40 PM

RubyMarty

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 186 posts
Here are the logs you wanted. OTL and internet explorer still will not work properly.

ComboFix 12-11-08.01 - Pappi 11/08/2012 23:43:34.2.2 - x86
Running from: c:\documents and settings\Pappi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Pappi\Desktop\cfScript.txt
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-10-09 to 2012-11-09 )))))))))))))))))))))))))))))))
.
.
2012-11-07 05:43 . 2012-11-07 05:43 711240 ----a-w- c:\windows\is-S52OL.exe
2012-11-06 05:19 . 2012-11-08 06:24 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-11-06 05:19 . 2012-11-08 06:23 -------- d-----w- c:\program files\vMalwarebytes' Anti-Malware
2012-11-06 05:19 . 2012-09-30 01:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-06 04:35 . 2012-11-06 05:03 -------- d-----w- c:\program files\SpywareBlaster
2012-11-06 04:35 . 2010-01-11 01:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2012-11-06 04:35 . 2010-01-11 01:40 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-11-06 04:31 . 2012-11-06 04:31 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2012-11-06 02:35 . 2012-11-06 03:44 -------- d-----w- c:\windows\system32\NtmsData
2012-11-06 02:25 . 2012-11-06 02:25 -------- d-----w- c:\documents and settings\Administrator
2012-11-06 02:21 . 2012-06-26 10:59 940544 ----a-w- c:\documents and settings\Pappi\Local Settings\Application Data\log4cxx.dll
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\windows\system32\config\systemprofile\AppData
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\documents and settings\Pappi\AppData
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY.000\AppData
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\AppData
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\WeatherBug
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\documents and settings\Pappi\Application Data\WeatherBug
2012-11-04 08:45 . 2012-11-06 02:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\boost_interprocess
2012-11-04 08:45 . 2012-11-04 08:45 -------- d-----w- c:\documents and settings\Pappi\Application Data\encyclopediabritannicagamesbar
2012-11-04 08:45 . 2012-11-04 08:45 -------- d-----w- c:\documents and settings\Pappi\Application Data\Oberon Media
2012-11-04 08:45 . 2012-11-04 08:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Oberon Media
2012-11-04 08:45 . 2012-11-04 08:45 -------- d-----w- c:\documents and settings\Pappi\Application Data\VisicomToolBar
2012-11-04 03:37 . 2012-11-04 03:37 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\XboxMB
2012-11-04 03:37 . 2012-11-04 03:37 -------- d-----w- c:\program files\Xenocode
2012-11-04 03:37 . 2012-11-04 03:37 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\Xenocode
2012-11-04 03:12 . 2012-11-04 03:12 -------- d-----w- c:\documents and settings\Pappi\Application Data\redsn0w
2012-11-04 02:59 . 2012-11-04 02:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\WeCareReminder
2012-11-04 02:58 . 2012-11-06 04:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
2012-11-04 02:58 . 2012-11-06 04:10 -------- d-----w- c:\documents and settings\Pappi\Application Data\Yahoo!
2012-11-04 02:58 . 2012-11-06 04:10 -------- d-----w- c:\program files\Yahoo!
2012-11-04 02:44 . 2012-11-04 02:44 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Tarma Installer
2012-11-04 02:44 . 2012-11-06 02:22 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\Conduit
2012-11-04 02:44 . 2012-11-04 02:44 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\Temp
2012-11-02 20:59 . 2012-11-02 20:59 -------- d-----w- c:\documents and settings\Pappi\Application Data\Windows Search
2012-11-02 04:11 . 2012-11-02 04:14 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\ApplicationHistory
2012-11-02 03:00 . 2012-11-02 03:01 -------- d-----w- c:\program files\iTunes
2012-11-02 03:00 . 2012-11-02 03:01 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-11-02 02:53 . 2012-08-28 15:14 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-11-02 02:53 . 2012-11-02 02:53 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY.000\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-02 02:48 . 2012-03-24 06:26 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2012-08-28 15:14 . 2001-08-23 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2001-08-23 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2012-03-24 05:17 385024 ------w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2001-08-23 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 18:01 . 2012-03-24 06:09 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 18:01 . 2012-03-24 06:09 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-08-21 13:33 . 2001-08-23 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2001-08-17 13:48 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-13 04:39 . 2012-03-30 03:30 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Windows Search.lnk - [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 spd Updater;spd Updater;c:\program files\SPDUpdater\updater.exe [x]
R3 AsrCDDrv;AsrCDDrv;c:\windows\System32\Drivers\AsrCDDrv.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
S2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\Drivers\LBeepKE.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{7F6AFBF1-E065-4627-A2FD-810366367D01} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-08 23:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: MAXTOR_STM3160812AS rev.3.AAJ -> Harddisk2\DR2 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\17?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.8"
"DeviceInstanceIds"=multi:"f:\\drivers\\all in 1\\amd\\xp64_xp(8.512)\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(648)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
.
Completion time: 2012-11-08 23:50:24
ComboFix-quarantined-files.txt 2012-11-09 05:50
ComboFix2.txt 2012-11-08 06:08
.
Pre-Run: 92,547,981,312 bytes free
Post-Run: 92,536,971,264 bytes free
.
- - End Of File - - FC5FEF5BA484F65DF9CDAD055979AAAC



RogueKiller V8.2.2 [11/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Website: http://tigzy.geeksto...roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Pappi [Admin rights]
Mode : Scan -- Date : 11/09/2012 00:02:58

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] ReminderHelper.exe -- C:\Documents and Settings\All Users.WINDOWS\Application Data\WeCareReminder\ReminderHelper.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 1 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 22e185eac9da3fa5730c15b1740781ce
[BSP] 0b38c0e8c85b9d860cb3265d8e35de24 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 218129509 | Size: 831050 Mo
1 - [XXXXXX] UNKNOWN (0x74) [VISIBLE] Offset (sectors): 729050177 | Size: 265612 Mo
3 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 2692939776 | Size: 25 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 01f6a0a90e45e74d8610844ee4045e58
[BSP] 1dbe1203ebc192a518fed18c9979942d : Standard MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: +++++
--- User ---
[MBR] 2c7552132c62bd0263dd97e5b596a06b
[BSP] 44d2e4c9ebc2dda4a26b21adaceffd0c : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 131061 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive3: +++++
--- User ---
[MBR] 659cd89007d3026cf8251ab66a999f1b
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 32 | Size: 3818 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[4]_S_11092012_02d0002.txt >>
RKreport[1]_S_11062012_02d2340.txt ; RKreport[2]_D_11062012_02d2340.txt ; RKreport[3]_SC_11062012_02d2342.txt ; RKreport[4]_S_11092012_02d0002.txt





RogueKiller V8.2.2 [11/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Website: http://tigzy.geeksto...roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Pappi [Admin rights]
Mode : Remove -- Date : 11/09/2012 00:04:09

¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] ReminderHelper.exe -- C:\Documents and Settings\All Users.WINDOWS\Application Data\WeCareReminder\ReminderHelper.exe -> KILLED [TermProc]
[RESIDUE] ReminderHelper.exe -- C:\Documents and Settings\All Users.WINDOWS\Application Data\WeCareReminder\ReminderHelper.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 1 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 22e185eac9da3fa5730c15b1740781ce
[BSP] 0b38c0e8c85b9d860cb3265d8e35de24 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 218129509 | Size: 831050 Mo
1 - [XXXXXX] UNKNOWN (0x74) [VISIBLE] Offset (sectors): 729050177 | Size: 265612 Mo
3 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 2692939776 | Size: 25 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 01f6a0a90e45e74d8610844ee4045e58
[BSP] 1dbe1203ebc192a518fed18c9979942d : Standard MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: +++++
--- User ---
[MBR] 2c7552132c62bd0263dd97e5b596a06b
[BSP] 44d2e4c9ebc2dda4a26b21adaceffd0c : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 131061 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive3: +++++
--- User ---
[MBR] 659cd89007d3026cf8251ab66a999f1b
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 32 | Size: 3818 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[5]_D_11092012_02d0004.txt >>
RKreport[1]_S_11062012_02d2340.txt ; RKreport[2]_D_11062012_02d2340.txt ; RKreport[3]_SC_11062012_02d2342.txt ; RKreport[4]_S_11092012_02d0002.txt ; RKreport[5]_D_11092012_02d0004.txt



Thanks
J
  • 0

Advertisements

#11
Essexboy
Posted 09 November 2012 - 01:44 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Thanks

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\is-S52OL.exe




Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NEXT

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application
    Posted Image
  • Then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports

    Posted Image
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

THEN

Run a fresh OTL scan selecting all users
  • 0

#12
RubyMarty
Posted 10 November 2012 - 04:00 PM

RubyMarty

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 186 posts
The TDDS killer program didnt copy to my usb drive properly, so i just re-downloaded and will run it tonight unless you change your mind from the below logs.

Here is the combofix log

ComboFix 12-11-09.02 - Pappi 11/09/2012 23:54:06.3.2 - x86
Running from: c:\documents and settings\Pappi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Pappi\Desktop\cfScript.txt
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-10-10 to 2012-11-10 )))))))))))))))))))))))))))))))
.
.
2012-11-07 05:43 . 2012-11-07 05:43 711240 ----a-w- c:\windows\is-S52OL.exe
2012-11-06 05:19 . 2012-11-08 06:24 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-11-06 05:19 . 2012-11-08 06:23 -------- d-----w- c:\program files\vMalwarebytes' Anti-Malware
2012-11-06 05:19 . 2012-09-30 01:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-06 04:35 . 2012-11-06 05:03 -------- d-----w- c:\program files\SpywareBlaster
2012-11-06 04:35 . 2010-01-11 01:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2012-11-06 04:35 . 2010-01-11 01:40 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-11-06 04:31 . 2012-11-06 04:31 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2012-11-06 02:35 . 2012-11-06 03:44 -------- d-----w- c:\windows\system32\NtmsData
2012-11-06 02:25 . 2012-11-06 02:25 -------- d-----w- c:\documents and settings\Administrator
2012-11-06 02:21 . 2012-06-26 10:59 940544 ----a-w- c:\documents and settings\Pappi\Local Settings\Application Data\log4cxx.dll
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\windows\system32\config\systemprofile\AppData
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\documents and settings\Pappi\AppData
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY.000\AppData
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\AppData
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\WeatherBug
2012-11-04 08:50 . 2012-11-04 08:50 -------- d-----w- c:\documents and settings\Pappi\Application Data\WeatherBug
2012-11-04 08:45 . 2012-11-06 02:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\boost_interprocess
2012-11-04 08:45 . 2012-11-04 08:45 -------- d-----w- c:\documents and settings\Pappi\Application Data\encyclopediabritannicagamesbar
2012-11-04 08:45 . 2012-11-04 08:45 -------- d-----w- c:\documents and settings\Pappi\Application Data\Oberon Media
2012-11-04 08:45 . 2012-11-04 08:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Oberon Media
2012-11-04 08:45 . 2012-11-04 08:45 -------- d-----w- c:\documents and settings\Pappi\Application Data\VisicomToolBar
2012-11-04 03:37 . 2012-11-04 03:37 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\XboxMB
2012-11-04 03:37 . 2012-11-04 03:37 -------- d-----w- c:\program files\Xenocode
2012-11-04 03:37 . 2012-11-04 03:37 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\Xenocode
2012-11-04 03:12 . 2012-11-04 03:12 -------- d-----w- c:\documents and settings\Pappi\Application Data\redsn0w
2012-11-04 02:59 . 2012-11-04 02:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\WeCareReminder
2012-11-04 02:58 . 2012-11-06 04:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
2012-11-04 02:58 . 2012-11-06 04:10 -------- d-----w- c:\documents and settings\Pappi\Application Data\Yahoo!
2012-11-04 02:58 . 2012-11-06 04:10 -------- d-----w- c:\program files\Yahoo!
2012-11-04 02:44 . 2012-11-04 02:44 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Tarma Installer
2012-11-04 02:44 . 2012-11-06 02:22 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\Conduit
2012-11-04 02:44 . 2012-11-04 02:44 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\Temp
2012-11-02 20:59 . 2012-11-02 20:59 -------- d-----w- c:\documents and settings\Pappi\Application Data\Windows Search
2012-11-02 04:11 . 2012-11-02 04:14 -------- d-----w- c:\documents and settings\Pappi\Local Settings\Application Data\ApplicationHistory
2012-11-02 03:00 . 2012-11-02 03:01 -------- d-----w- c:\program files\iTunes
2012-11-02 03:00 . 2012-11-02 03:01 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-11-02 02:53 . 2012-08-28 15:14 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-11-02 02:53 . 2012-11-02 02:53 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY.000\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-02 02:48 . 2012-03-24 06:26 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2012-08-28 15:14 . 2001-08-23 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2001-08-23 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2012-03-24 05:17 385024 ------w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2001-08-23 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 18:01 . 2012-03-24 06:09 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 18:01 . 2012-03-24 06:09 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-08-21 13:33 . 2001-08-23 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2001-08-17 13:48 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-13 04:39 . 2012-03-30 03:30 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Windows Search.lnk - [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 spd Updater;spd Updater;c:\program files\SPDUpdater\updater.exe [x]
R3 AsrCDDrv;AsrCDDrv;c:\windows\System32\Drivers\AsrCDDrv.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
S2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\Drivers\LBeepKE.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{7F6AFBF1-E065-4627-A2FD-810366367D01} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-09 23:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: MAXTOR_STM3160812AS rev.3.AAJ -> Harddisk2\DR2 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\17?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.8"
"DeviceInstanceIds"=multi:"f:\\drivers\\all in 1\\amd\\xp64_xp(8.512)\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(1248)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
.
Completion time: 2012-11-10 00:00:53
ComboFix-quarantined-files.txt 2012-11-10 06:00
ComboFix2.txt 2012-11-08 06:08
.
Pre-Run: 92,532,219,904 bytes free
Post-Run: 92,520,812,544 bytes free
.
- - End Of File - - 39F2F291A8EF31BDDEAF3AE1EA1A3267


Here is the log that generates by windows when i try to run OTL


<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="OTL.exe" FILTER="GRABMI_FILTER_PRIVACY">
<MATCHING_FILE NAME="ComboFix.exe" SIZE="4998937" CHECKSUM="0x153F51EB" BIN_FILE_VERSION="12.11.9.2" BIN_PRODUCT_VERSION="12.11.9.2" FILE_DESCRIPTION="ComboFix NSIS Installer" COMPANY_NAME="Swearware" PRODUCT_NAME="ComboFix" FILE_VERSION="12.11.09.02" ORIGINAL_FILENAME="ComboFix.exe" INTERNAL_NAME="ComboFix.exe" LEGAL_COPYRIGHT="sUBs" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x4CA78B" LINKER_VERSION="0x60000" UPTO_BIN_FILE_VERSION="12.11.9.2" UPTO_BIN_PRODUCT_VERSION="12.11.9.2" LINK_DATE="12/05/2009 22:50:46" UPTO_LINK_DATE="12/05/2009 22:50:46" VER_LANGUAGE="English (United States) [0x409]" />
<MATCHING_FILE NAME="OTL.exe" SIZE="602112" CHECKSUM="0xABD80C51" BIN_FILE_VERSION="3.2.69.0" BIN_PRODUCT_VERSION="3.2.69.0" PRODUCT_VERSION="3.0.0.0" FILE_DESCRIPTION="" COMPANY_NAME="OldTimer Tools" PRODUCT_NAME="OTL" FILE_VERSION="3.2.69.0" ORIGINAL_FILENAME="OTL.exe" INTERNAL_NAME="OTL.exe" LEGAL_COPYRIGHT="" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0xA0F87" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="3.2.69.0" UPTO_BIN_PRODUCT_VERSION="3.2.69.0" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" VER_LANGUAGE="English (United States) [0x409]" />
<MATCHING_FILE NAME="RogueKiller.exe" SIZE="430592" CHECKSUM="0xA20A8C3F" BIN_FILE_VERSION="8.2.2.0" BIN_PRODUCT_VERSION="8.2.2.0" PRODUCT_VERSION="8.2.2" FILE_DESCRIPTION="RogueKiller by Tigzy" COMPANY_NAME="Tigzy" PRODUCT_NAME="RogueKiller" FILE_VERSION="8.2.2" ORIGINAL_FILENAME="RogueKiller" INTERNAL_NAME="RogueKiller" LEGAL_COPYRIGHT="Tigzy" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="8.2.2.0" UPTO_BIN_PRODUCT_VERSION="8.2.2.0" LINK_DATE="11/03/2012 15:03:57" UPTO_LINK_DATE="11/03/2012 15:03:57" VER_LANGUAGE="French (France) [0x40c]" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="989696" CHECKSUM="0x2D998938" BIN_FILE_VERSION="5.1.2600.5781" BIN_PRODUCT_VERSION="5.1.2600.5781" PRODUCT_VERSION="5.1.2600.5781" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFE572" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5781" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5781" LINK_DATE="03/21/2009 14:06:58" UPTO_LINK_DATE="03/21/2009 14:06:58" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="989696" CHECKSUM="0x2D998938" BIN_FILE_VERSION="5.1.2600.5781" BIN_PRODUCT_VERSION="5.1.2600.5781" PRODUCT_VERSION="5.1.2600.5781" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFE572" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5781" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5781" LINK_DATE="03/21/2009 14:06:58" UPTO_LINK_DATE="03/21/2009 14:06:58" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
</DATABASE>


I will finish your instructions from your last post when i get home. Unless you want me to abandon them from the new information. Please Advise



Thanks
Justin
  • 0

#13
Essexboy
Posted 10 November 2012 - 04:16 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No continue please as Combofix confirmed the need for TDSSKiller
  • 0

#14
RubyMarty
Posted 10 November 2012 - 11:48 PM

RubyMarty

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 186 posts
I ran the tdsskiller and it finished with no threats detected.
OTL and IE are still not working


Thanks for your help
J
  • 0

#15
Essexboy
Posted 11 November 2012 - 05:37 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK lets now run some repairs

Download Windows Repair (all in one) from this site

Install the programme then run

Posted Image

Go to step 3 and allow it to run SFC
Posted Image


On the start repairs tab click start
Posted Image

Select the following items and tick restart system when finished
Posted Image
  • 0
Back to Can't Run Any Antivirus or Malware Removal Programs · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Can't Run Any Antivirus or Malware Removal Programs

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP