Malwarebytes

Can't run Mbam or Hijackthis


19 replies to this topic

#1
PBvhc27

    New Member

  • Members
  • 37 posts
Recently I've been noticing issues with my computer. I've noticed the following: PC Antispyware 2010, Windows Antivirus Pro. Mbam will run for 3 or so seconds then close. HijackThis will install but will not load. The only anti-spyware that will run is Spyware Doctor. It picked up several items. I'm not seeing any trace of the above-mentioned malware now. However, I still cannot run any other anti-spyware, including Mbam. There are also error pop-ups: "error loading tapi.nfo" and "cannot find find "file///"

I attempted to run ComboFix; it looked fine, then it sat on "rebooting windows" and I can't find any log for the results.
Thanks in advance

#2
screen317

    MBAM Sentinel

  • Moderators
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles
Hi,

Does this file exist?

C:\ComboFix.txt

If so, post its contents.


If not, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.

-screen317
Chris Fistonich
Consumer Support Specialist


#3
PBvhc27

    New Member

  • Members
  • 37 posts
ComboFix will run... then sits on "Rebooting Windows". No log is produced.
Below is the DDS Scan Results:


DDS (Ver_09-07-30.01) - NTFSx86
Run by SANDRA at 18:09:22.60 on Thu 09/03/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.212 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton 360 *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Sunbelt VIPRE *On-access scanning enabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\SSD\pctsAuxs.exe
C:\Program Files\SSD\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\AOL\1127675071\ee\AOLSoftware.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SSD\pctsTray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Combo-Fix\PEV.cfxxe
D:\dds.pif
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.java.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Universal Installer] "c:\program files\comcastui\universal installer\uinstaller.exe" /fromrun /starthidden
uRun: [Desktop Software] "c:\program files\comcastui\universal installer\uinstaller.exe" /ini "uinstaller.ini" /fromrun /starthidden
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\photosmart\hp share-to-web\hpgs2wnd.exe
mRun: [HostManager] c:\program files\common files\aol\1127675071\ee\AOLSoftware.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ISTray] "c:\program files\ssd\pctsTray.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: zip - {3f668164-1e01-44aa-a8c5-286e5244702a} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-2 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-1 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-1 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-1 108552]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-8-31 201320]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-9-2 13360]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-1 297752]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-1-15 204800]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-9-2 69936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\ssd\pctsAuxs.exe [2009-9-2 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\ssd\pctsSvc.exe [2009-9-2 1097096]
S0 vkquwexg;vkquwexg;c:\windows\system32\drivers\combo-fix.sys --> c:\windows\system32\drivers\Combo-Fix.sys [?]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe --> c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [?]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S2 SpywareCleanerService;SpywareCleanerService;c:\program files\spyware cleaner\scservice.exe --> c:\program files\spyware cleaner\SCService.exe [?]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-31 79304]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-31 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-31 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-31 40488]

=============== Created Last 30 ================

2009-09-03 17:33 <DIR> --ds---- C:\Combo-Fix
2009-09-03 17:33 389,120 a------- c:\windows\system32\CF16972.exe
2009-09-03 17:17 389,120 a------- c:\windows\system32\CF14672.exe
2009-09-03 17:15 389,120 a------- c:\windows\system32\CF6129.exe
2009-09-03 01:19 389,120 a------- c:\windows\system32\CF18365.exe
2009-09-03 01:09 <DIR> a-dshr-- C:\cmdcons
2009-09-03 00:59 389,120 a------- c:\windows\system32\CF1655.exe
2009-09-03 00:21 230,912 a------- c:\windows\PEV.exe
2009-09-03 00:21 161,792 a------- c:\windows\SWREG.exe
2009-09-03 00:21 98,816 a------- c:\windows\sed.exe
2009-09-03 00:20 389,120 a------- c:\windows\system32\CF28438.exe
2009-09-03 00:03 <DIR> --d----- c:\program files\IObit
2009-09-02 16:48 <DIR> --d----- c:\docume~1\sandra\applic~1\IObit
2009-09-02 16:38 <DIR> --d-h--- c:\windows\PIF
2009-09-02 14:51 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-09-02 14:51 206,256 a------- c:\windows\system32\drivers\PCTCore.sys
2009-09-02 14:51 86,888 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-02 14:51 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-09-02 14:50 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-09-02 14:50 <DIR> --d----- c:\program files\common files\PC Tools
2009-09-02 14:50 <DIR> --d----- c:\program files\SSD
2009-09-02 14:50 <DIR> --d----- c:\docume~1\sandra\applic~1\PC Tools
2009-09-02 14:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-09-02 14:44 18,271 a------- c:\windows\system32\cazi.dat
2009-09-02 14:44 14,796 a------- c:\windows\qacofyl.db
2009-09-02 14:44 18,907 a------- c:\windows\system32\uroh.lib
2009-09-02 14:44 16,833 a------- c:\windows\system32\icyf._sy
2009-09-02 10:45 <DIR> --d----- c:\program files\whoMicro
2009-09-02 10:36 <DIR> --d----- c:\program files\Trend Micro
2009-09-02 02:54 0 a------- c:\windows\system32\SBRC.dat
2009-09-02 02:46 69,936 a------- c:\windows\system32\drivers\sbapifs.sys
2009-09-02 02:46 13,360 a------- c:\windows\system32\drivers\sbaphd.sys
2009-09-02 02:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-09-02 02:42 <DIR> --d----- c:\docume~1\sandra\applic~1\Sunbelt
2009-09-02 01:47 <DIR> --d----- c:\program files\Enigma Software Group
2009-09-02 00:20 19,636 a------- c:\windows\system32\jojiron.db
2009-09-01 23:07 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-09-01 23:02 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-01 23:02 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-09-01 23:02 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-01 23:02 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-09-01 23:02 <DIR> --d----- c:\program files\AVG
2009-09-01 23:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-09-01 21:59 <DIR> --d----- c:\docume~1\sandra\applic~1\Malwarebytes
2009-09-01 20:56 <DIR> --d----- c:\program files\CCleaner
2009-09-01 20:39 10,498 a------- c:\windows\is-K5KA3.msg
2009-09-01 20:39 428 a------- c:\windows\is-K5KA3.lst
2009-09-01 19:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-01 19:33 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-08-31 21:31 4,542 a------- c:\windows\system32\Config.MPF
2009-08-31 21:29 143,360 a------- c:\windows\system32\dunzip32.dll
2009-08-31 21:27 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-08-31 21:27 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-08-31 21:27 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-08-31 21:27 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-08-31 21:27 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-08-31 21:27 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-08-31 21:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Grisoft
2009-08-23 17:21 10,797 a------- c:\windows\weberujap.db
2009-08-23 17:21 10,270 a------- c:\windows\system32\hiqivuhox.dat
2009-08-11 19:09 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 19:09 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-10 19:00 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-08-09 23:49 <DIR> --d----- C:\e5aecdee7448a74ab1c6c26dda26
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-09-02 00:20 18,337 a------- c:\program files\common files\uferesi.db
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-19 09:33 3,597,824 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-06-29 07:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 07:07 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 04:35 634,632 a------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 04:33 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 04:33 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 08:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 10:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 02:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2007-11-26 23:06 86,528 ac------ c:\program files\RAD220,Contrast Media.ppt
2007-11-24 11:50 823,296 ac------ c:\program files\RAD240,Digital Image Characteristics(4).ppt
2007-11-24 11:42 78,848 ac------ c:\program files\RAD240,Ch.28(3).ppt
2007-11-01 17:46 2,186,240 ac------ c:\program files\RAD220,CT Abdomen Images.ppt
2007-11-01 17:37 29,696 ac------ c:\program files\RAD 220,CT Thorax.doc
2007-11-01 17:28 1,190,400 ac------ c:\program files\RAD220,CT Thorax Images.ppt
2007-11-01 17:05 1,125,888 ac------ c:\program files\RAD220,CT Head Images.ppt
2007-10-14 10:56 173,568 ac------ c:\program files\RAD240,Ch.9.ppt
2007-10-04 16:39 1,094,656 ac------ c:\program files\RAD 240, Ch.8.ppt
2007-08-27 21:00 38,400 ac------ c:\program files\Lesson Plan RAD 240.doc
2007-08-27 20:56 46,592 ac------ c:\program files\RAD 240 syllabus .doc
2007-08-27 20:54 24,064 ac------ c:\program files\Report Timeline.doc
2007-08-21 13:41 23,402,288 ac------ c:\program files\AdbeRdr810_en_US.exe
2007-06-03 19:34 545,560 ac------ c:\program files\AdbeRdr80_DLM_en_US.exe
2006-07-01 23:27 6,134,672 ac------ c:\program files\PokerStarsInstallPM.exe
2006-04-02 17:06 1,052,120 ac------ c:\program files\mjpegcodecv3.2.4.zip
2005-06-22 17:16 2,077,424 ac------ c:\program files\WindowsXP-KB894391-x86-ENU.exe
2004-08-04 07:00 94,784 -c-sh--- c:\windows\TWAIN.DLL
2008-04-13 20:12 50,688 ---sh--- c:\windows\twain_32.dll
2008-04-13 20:11 1,028,096 a--sh--- c:\windows\system32\mfc42.dll
2008-04-13 20:12 57,344 ---sh--- c:\windows\system32\msvcirt.dll
2008-04-13 20:12 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-13 20:12 343,040 a--sh--- c:\windows\system32\msvcrt.dll
2008-04-13 20:12 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-13 20:12 84,992 a--sh--- c:\windows\system32\olepro32.dll
2008-04-13 20:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe
2008-11-03 15:55 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110320081104\index.dat

============= FINISH: 18:10:10.90 ===============

#4
screen317

    MBAM Sentinel

  • Moderators
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles
Hi,

I notice that you are using more than one antivirus program in resident mode (AVG, Norton, McAfee, and Sunbelt). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE malware to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.


After that, restart your computer and run ComboFix as follows.

First, delete your copy of ComboFix and grab a fresh one. Save it to your Desktop but do not run it yet.

Disable all resident protection programs.

Navigate to Start --> Run, and enter the following command exactly as shown:

"%userprofile%\desktop\ComboFix.exe" /killall

Post the resultant log.

-screen317
Chris Fistonich
Consumer Support Specialist


#5
PBvhc27

    New Member

  • Members
  • 37 posts
Thanks for your help. I don't know why... but the only av program showing in the control panel is avg. I've tried to uninstall the avg and it has an error and will not uninstall. I looked in the program files and I don't see files for Norton, McAfee, or Sunbelt??? I'm at a loss.

I've attempted to run ComboFix as above. It runs through the scan and then hangs at "rebooting windows...please wait". I let it go for 30 minutes... and nothing.

#6
screen317

    MBAM Sentinel

  • Moderators
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles
Hi,

Download the McAfee Removal Tool.

Double-click on MCPR.exe to launch it, then click Run. A window should appear and disappear; this is normal. A new window should pop up and begin the uninstall. When prompted to reboot your computer, type Y.

Uninstall Spyware Cleaner from Add or Remove Programs if present.

After that, please open Notepad. Copy and paste the following text (starting with @echo off) into the Notepad document.

Navigate to File --> Save As..., and save the file as Fix.bat (make sure the Save As Type is set to All Files).

Save it to your Desktop.

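@echo off
rem Stop the McAfee mfehidk driver service before its entry is removed.
sc stop mfehidk
rem Delete each service entry named in the list below.
for %%g in (
mfesmfk
mferkdk
mfebopk
mfeavfk
mfehidk
McSysmon
SpywareCleanerService
McShield
McProxy
SBRE
) do sc delete %%g
rem Force-delete each file in the list below without prompting.
for %%g in (
c:\windows\system32\cazi.dat
c:\windows\qacofyl.db
c:\windows\system32\uroh.lib
C:\windows\system32\icyf._sy
c:\windows\system32\jojiron.db
c:\windows\weberujap.db
c:\windows\system32\hiqivuhox.dat
) do del /q /f %%g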


Now navigate to your Desktop, and double click Fix.bat

A black window will open and close quickly. This is normal.


Restart your computer.

After that, run DDS again; be sure to post both of its logs.

See if ComboFix will run now.

-screen317
Chris Fistonich
Consumer Support Specialist
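
An added example, not part of the thread and not code from DDS or its author: a parser for the SERVICES / DRIVERS lines of the DDS log above that separates entries printed with `[?]` from entries printed with a date and size, then compares both groups with the service names in the Fix.bat above. It assumes `R`/`S` mean running/stopped, the digit is the Windows service start type, and `[?]` means DDS could not read the file's date and size; the sample lines are copied from the first log in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: lines copied from the first DDS log in this thread.
SAMPLE = r"""
============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-2 206256]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-8-31 201320]
S0 vkquwexg;vkquwexg;c:\windows\system32\drivers\combo-fix.sys --> c:\windows\system32\drivers\Combo-Fix.sys [?]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe --> c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [?]
S2 SpywareCleanerService;SpywareCleanerService;c:\program files\spyware cleaner\scservice.exe --> c:\program files\spyware cleaner\SCService.exe [?]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-31 79304]

=============== Created Last 30 ================

2009-09-03 17:33 389,120 a------- c:\windows\system32\CF16972.exe
"""

# Service names taken from the Fix.bat posted in this thread.
FIX_BAT_SERVICES = ["mfesmfk", "mferkdk", "mfebopk", "mfeavfk", "mfehidk",
                    "McSysmon", "SpywareCleanerService", "McShield",
                    "McProxy", "SBRE"]

# Assumption: the digit after R/S is the Windows service Start value.
START_TYPES = {"0": "boot", "1": "system", "2": "auto",
               "3": "demand", "4": "disabled"}

HEADER_RE = re.compile(r"^=+\s*(?P<title>.+?)\s*=+$")
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<meta>[^\]]*)\]$"
)


@dataclass
class ServiceEntry:
    running: bool
    start_type: str
    name: str
    display: str
    image: str               # image path as printed first on the line
    resolved: Optional[str]  # path printed after "-->", if any
    size: Optional[int]      # None when the line ends in [?]


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Return the entries found under the SERVICES / DRIVERS header only."""
    entries: List[ServiceEntry] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            in_section = header.group("title").upper().startswith("SERVICES")
            continue
        if not in_section or not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than guess
        image, _, resolved = m.group("image").partition(" --> ")
        meta = m.group("meta").split()
        size = int(meta[1]) if len(meta) == 2 and meta[1].isdigit() else None
        entries.append(ServiceEntry(
            running=m.group("state") == "R",
            start_type=START_TYPES[m.group("start")],
            name=m.group("name"),
            display=m.group("display"),
            image=image,
            resolved=resolved or None,
            size=size,
        ))
    return entries


def triage(entries: List[ServiceEntry],
           reviewed_removals: List[str]) -> Dict[str, List[str]]:
    """Compare [?] entries with a removal list a human has already reviewed."""
    listed = {name.lower() for name in reviewed_removals}
    unresolved = [e for e in entries if e.size is None]
    return {
        # [?] entries that the removal list covers
        "unresolved_listed": [e.name for e in unresolved
                              if e.name.lower() in listed],
        # [?] entries nobody has decided on yet; these need a manual look
        "unresolved_open": [e.name for e in unresolved
                            if e.name.lower() not in listed],
        # listed for removal although the file was found on disk
        "listed_but_present": [e.name for e in entries
                               if e.size is not None
                               and e.name.lower() in listed],
    }


if __name__ == "__main__":
    for bucket, names in triage(parse_services(SAMPLE),
                                FIX_BAT_SERVICES).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

On the sample, the one `[?]` entry outside the removal list is `vkquwexg`, whose image path is ComboFix's own combo-fix.sys; a `[?]` marker alone does not make an entry a removal candidate.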


#7
PBvhc27

    New Member

  • Members
  • 37 posts
Below are the DDS logs following the McAfee removal. Spy Cleaner was not in the add or remove programs list. ComboFix ran through the scan. At the end I saw something that said "system file is infected", and it is still hanging at "rebooting windows....please wait".


DDS (Ver_09-07-30.01) - NTFSx86
Run by SANDRA at 8:31:57.42 on Sat 09/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.34 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton 360 *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Sunbelt VIPRE *On-access scanning enabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\AOL\1127675071\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SSD\pctsTray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SSD\pctsAuxs.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\SSD\pctsSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\SANDRA\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.java.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Universal Installer] "c:\program files\comcastui\universal installer\uinstaller.exe" /fromrun /starthidden
uRun: [Desktop Software] "c:\program files\comcastui\universal installer\uinstaller.exe" /ini "uinstaller.ini" /fromrun /starthidden
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\photosmart\hp share-to-web\hpgs2wnd.exe
mRun: [HostManager] c:\program files\common files\aol\1127675071\ee\AOLSoftware.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ISTray] "c:\program files\ssd\pctsTray.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: zip - {3f668164-1e01-44aa-a8c5-286e5244702a} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-2 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-1 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-1 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-1 108552]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-9-2 13360]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-1 297752]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-1-15 204800]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-9-2 69936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\ssd\pctsAuxs.exe [2009-9-2 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\ssd\pctsSvc.exe [2009-9-2 1097096]
R3 {79007602-0CDB-4405-9DBF-1257BB3226EE};{79007602-0CDB-4405-9DBF-1257BB3226EE};\systemroot\win32k.sys:2 --> \systemroot\win32k.sys:2 [?]
S0 vkquwexg;vkquwexg;c:\windows\system32\drivers\combo-fix.sys --> c:\windows\system32\drivers\Combo-Fix.sys [?]

=============== Created Last 30 ================

2009-09-04 22:40 <DIR> --ds---- C:\ComboFix
2009-09-04 22:40 389,120 a------- c:\windows\system32\CF1510.exe
2009-09-04 21:31 389,120 a------- c:\windows\system32\CF15937.exe
2009-09-04 21:19 6,134,672 a------- c:\documents and settings\sandra\PokerStarsInstallPM.exe
2009-09-04 20:43 389,120 a------- c:\windows\system32\CF28900.exe
2009-09-03 17:33 389,120 a------- c:\windows\system32\CF16972.exe
2009-09-03 17:17 389,120 a------- c:\windows\system32\CF14672.exe
2009-09-03 17:15 389,120 a------- c:\windows\system32\CF6129.exe
2009-09-03 01:19 389,120 a------- c:\windows\system32\CF18365.exe
2009-09-03 01:09 <DIR> a-dshr-- C:\cmdcons
2009-09-03 00:59 389,120 a------- c:\windows\system32\CF1655.exe
2009-09-03 00:21 230,912 a------- c:\windows\PEV.exe
2009-09-03 00:21 161,792 a------- c:\windows\SWREG.exe
2009-09-03 00:21 98,816 a------- c:\windows\sed.exe
2009-09-03 00:20 389,120 a------- c:\windows\system32\CF28438.exe
2009-09-03 00:03 <DIR> --d----- c:\program files\IObit
2009-09-02 16:48 <DIR> --d----- c:\docume~1\sandra\applic~1\IObit
2009-09-02 16:38 <DIR> --d-h--- c:\windows\PIF
2009-09-02 14:51 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-09-02 14:51 206,256 a------- c:\windows\system32\drivers\PCTCore.sys
2009-09-02 14:51 86,888 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-02 14:51 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-09-02 14:50 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-09-02 14:50 <DIR> --d----- c:\program files\common files\PC Tools
2009-09-02 14:50 <DIR> --d----- c:\program files\SSD
2009-09-02 14:50 <DIR> --d----- c:\docume~1\sandra\applic~1\PC Tools
2009-09-02 14:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-09-02 10:45 <DIR> --d----- c:\program files\whoMicro
2009-09-02 10:36 <DIR> --d----- c:\program files\Trend Micro
2009-09-02 02:54 0 a------- c:\windows\system32\SBRC.dat
2009-09-02 02:46 69,936 a------- c:\windows\system32\drivers\sbapifs.sys
2009-09-02 02:46 13,360 a------- c:\windows\system32\drivers\sbaphd.sys
2009-09-02 02:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-09-02 02:42 <DIR> --d----- c:\docume~1\sandra\applic~1\Sunbelt
2009-09-02 01:47 <DIR> --d----- c:\program files\Enigma Software Group
2009-09-01 23:07 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-09-01 23:02 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-01 23:02 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-09-01 23:02 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-01 23:02 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-09-01 23:02 <DIR> --d----- c:\program files\AVG
2009-09-01 23:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-09-01 21:59 <DIR> --d----- c:\docume~1\sandra\applic~1\Malwarebytes
2009-09-01 20:56 <DIR> --d----- c:\program files\CCleaner
2009-09-01 20:39 10,498 a------- c:\windows\is-K5KA3.msg
2009-09-01 20:39 428 a------- c:\windows\is-K5KA3.lst
2009-09-01 19:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-01 19:33 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-08-31 21:29 143,360 a------- c:\windows\system32\dunzip32.dll
2009-08-31 21:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Grisoft
2009-08-11 19:09 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 19:09 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-10 19:00 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-08-09 23:49 <DIR> --d----- C:\e5aecdee7448a74ab1c6c26dda26

==================== Find3M ====================

2009-09-02 00:20 18,337 a------- c:\program files\common files\uferesi.db
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 09:33 3,597,824 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-06-29 07:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 07:07 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 04:35 634,632 a------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 04:33 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 04:33 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 08:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 10:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 02:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2007-11-26 23:06 86,528 ac------ c:\program files\RAD220,Contrast Media.ppt
2007-11-24 11:50 823,296 ac------ c:\program files\RAD240,Digital Image Characteristics(4).ppt
2007-11-24 11:42 78,848 ac------ c:\program files\RAD240,Ch.28(3).ppt
2007-11-01 17:46 2,186,240 ac------ c:\program files\RAD220,CT Abdomen Images.ppt
2007-11-01 17:37 29,696 ac------ c:\program files\RAD 220,CT Thorax.doc
2007-11-01 17:28 1,190,400 ac------ c:\program files\RAD220,CT Thorax Images.ppt
2007-11-01 17:05 1,125,888 ac------ c:\program files\RAD220,CT Head Images.ppt
2007-10-14 10:56 173,568 ac------ c:\program files\RAD240,Ch.9.ppt
2007-10-04 16:39 1,094,656 ac------ c:\program files\RAD 240, Ch.8.ppt
2007-08-27 21:00 38,400 ac------ c:\program files\Lesson Plan RAD 240.doc
2007-08-27 20:56 46,592 ac------ c:\program files\RAD 240 syllabus .doc
2007-08-27 20:54 24,064 ac------ c:\program files\Report Timeline.doc
2007-08-21 13:41 23,402,288 ac------ c:\program files\AdbeRdr810_en_US.exe
2007-06-03 19:34 545,560 ac------ c:\program files\AdbeRdr80_DLM_en_US.exe
2006-07-01 23:27 6,134,672 ac------ c:\program files\PokerStarsInstallPM.exe
2006-04-02 17:06 1,052,120 ac------ c:\program files\mjpegcodecv3.2.4.zip
2005-06-22 17:16 2,077,424 ac------ c:\program files\WindowsXP-KB894391-x86-ENU.exe
2004-08-04 07:00 94,784 -c-sh--- c:\windows\TWAIN.DLL
2008-04-13 20:12 50,688 ---sh--- c:\windows\twain_32.dll
2008-04-13 20:11 1,028,096 a--sh--- c:\windows\system32\mfc42.dll
2008-04-13 20:12 57,344 ---sh--- c:\windows\system32\msvcirt.dll
2008-04-13 20:12 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-13 20:12 343,040 a--sh--- c:\windows\system32\msvcrt.dll
2008-04-13 20:12 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-13 20:12 84,992 a--sh--- c:\windows\system32\olepro32.dll
2008-04-13 20:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe
2008-11-03 15:55 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110320081104\index.dat

============= FINISH: 8:33:29.42 ===============

Here is the second log:

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 1/10/2005 6:36:21 PM
System Uptime: 9/5/2009 8:29:51 AM (0 hours ago)

Motherboard: Dell Inc. | | 0M3918
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 146 GiB total, 124.192 GiB free.
F: is CDROM ()
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Kernel DLS Synthesizer
Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
Manufacturer: Microsoft
Name: Microsoft Kernel DLS Synthesizer
PNP Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
Service: DMusic

==== System Restore Points ===================

RP1: 9/3/2009 5:18:05 PM - System Checkpoint
RP2: 9/4/2009 7:51:55 PM - Removed AVG 8.5
RP3: 9/4/2009 7:53:35 PM - Removed AVG 8.5

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
4U MP4 Video Converter (version 3.0.2)
ACDSee
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Advanced SystemCare 3
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Uninstaller (Choose which Products to Remove)
ATI Control Panel
ATI Display Driver
AudibleManager
AVG Free 8.5
CCleaner (remove only)
Citrix Presentation Server Client
Comcast Universal Installer v1.2
Creative Mass Storage Drivers
Creative MediaSource
Creative System Information
Creative Zen Nano
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Media Experience Update
DellSupport
FinePixViewer Ver.4.2
FUJIFILM USB Driver
GEAR driver installer for x86 and x64
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Photo Imaging Software
HP Photo Printing Software
HP Share-to-Web
ImageMixer VCD2 for FinePix
Intel® 537EP V9x DF PCI Modem
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internet Explorer Default Page
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 3
LG USB Modem driver
Linksys Updater
MainConcept MJPEG Codec Demo
MainConcept MJPG software codec (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MicroStaff WINASPI
Modem Event Monitor
Modem Helper
Modem On Hold
MSXML 6.0 Parser (KB933579)
My Way Search Assistant
Photo Click
PowerDVD 5.3
Pro Media Director Version 1.1.1.1
Qualxserve Service Agreement
QuickTime
RAW FILE CONVERTER LE
RealPlayer Basic
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Sonic DLA
Sonic MyDVD
Sonic Update Manager
Sound Blaster Live! 24-bit
Spyware Doctor 6.1
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
Windows Antivirus Pro
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

9/5/2009 8:31:11 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
9/4/2009 8:43:26 PM, error: Service Control Manager [7034] - The WMDM PMSP Service service terminated unexpectedly. It has done this 1 time(s).
9/4/2009 8:43:26 PM, error: Service Control Manager [7034] - The WAN Miniport (ATW) Service service terminated unexpectedly. It has done this 1 time(s).
9/4/2009 8:43:26 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
9/4/2009 8:43:26 PM, error: Service Control Manager [7034] - The PC Tools Auxiliary Service service terminated unexpectedly. It has done this 1 time(s).
9/4/2009 8:43:26 PM, error: Service Control Manager [7034] - The Linksys Updater service terminated unexpectedly. It has done this 1 time(s).
9/4/2009 8:43:26 PM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
9/4/2009 8:43:26 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
9/4/2009 8:43:26 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
9/4/2009 8:43:26 PM, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
9/4/2009 8:43:26 PM, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
9/4/2009 8:01:49 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Beep Fips intelppm mfehidk sbaphd SBRE
9/3/2009 12:46:24 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep SBRE
9/3/2009 12:27:32 AM, error: Service Control Manager [7034] - The McAfee Anti-Spam Service service terminated unexpectedly. It has done this 1 time(s).
9/3/2009 12:22:41 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
9/3/2009 12:22:05 AM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
9/3/2009 1:29:20 AM, error: PlugPlayManager [11] - The device Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226EE}\0000 disappeared from the system without first being prepared for removal.
9/3/2009 1:14:10 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
9/2/2009 9:30:25 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SBRE
9/2/2009 9:14:12 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.
9/2/2009 3:11:03 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PC Tools Security Service service to connect.
9/2/2009 3:11:03 PM, error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/2/2009 3:01:42 AM, error: Service Control Manager [7000] - The VIPRE Antivirus + Antispyware service failed to start due to the following error: Access is denied.
9/2/2009 3:01:42 AM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service SBAMSvc with arguments "" in order to run the server: {FE7E09CE-BBF4-4698-8BC1-37C9002DAA43}
9/2/2009 2:59:14 AM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
9/2/2009 2:59:14 AM, error: Service Control Manager [7000] - The SpywareCleanerService service failed to start due to the following error: The system cannot find the file specified.
9/2/2009 2:59:14 AM, error: Service Control Manager [7000] - The McAfee Services service failed to start due to the following error: The system cannot find the path specified.
9/2/2009 2:59:14 AM, error: Service Control Manager [7000] - The McAfee Real-time Scanner service failed to start due to the following error: The system cannot find the path specified.
9/2/2009 2:59:14 AM, error: Service Control Manager [7000] - The McAfee Proxy Service service failed to start due to the following error: The system cannot find the path specified.
9/2/2009 2:59:14 AM, error: Service Control Manager [7000] - The McAfee Personal Firewall Service service failed to start due to the following error: The system cannot find the path specified.
9/2/2009 2:59:14 AM, error: Service Control Manager [7000] - The McAfee Network Agent service failed to start due to the following error: The system cannot find the path specified.
9/2/2009 2:59:14 AM, error: Service Control Manager [7000] - The AntipyProex service failed to start due to the following error: Access is denied.
9/2/2009 2:58:40 AM, error: SRService [104] - The System Restore initialization process failed.
9/2/2009 2:54:25 AM, error: Service Control Manager [7034] - The VIPRE Antivirus + Antispyware service terminated unexpectedly. It has done this 1 time(s).
9/2/2009 2:14:57 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/2/2009 2:10:14 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/2/2009 2:10:02 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm mfehidk
9/2/2009 10:49:23 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
9/2/2009 10:49:23 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\basic\setup.exe. Reference error message: The operation completed successfully. .
9/2/2009 10:49:23 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
9/2/2009 10:49:23 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
9/2/2009 10:36:14 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm mfehidk sbaphd
9/2/2009 10:23:58 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm mfehidk sbaphd SBRE
9/2/2009 1:42:41 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
9/1/2009 9:08:44 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm mfehidk
9/1/2009 8:55:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AVG Anti-Spyware Driver BHDrvx86 ccHP eeCtrl Fips IDSxpx86 intelppm mfehidk SRTSPX
9/1/2009 8:47:49 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 IDSxpx86
9/1/2009 8:47:42 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Norton 360 service to connect.
9/1/2009 8:47:42 PM, error: Service Control Manager [7000] - The Norton 360 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/1/2009 7:53:55 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
9/1/2009 7:52:46 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AVG Anti-Spyware Driver BHDrvx86 ccHP eeCtrl Fips IDSxpx86 intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSPX SYMTDI Tcpip
9/1/2009 7:52:46 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
9/1/2009 7:52:46 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/1/2009 7:52:46 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/1/2009 7:52:46 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
9/1/2009 7:31:37 PM, error: Dhcp [1002] - The IP address lease 192.168.1.103 for the Network Card with network address 001111AA40D7 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
9/1/2009 5:17:09 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
9/1/2009 10:49:36 PM, error: Service Control Manager [7034] - The AntipyProex service terminated unexpectedly. It has done this 1 time(s).
9/1/2009 10:30:12 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm mfehidk
8/31/2009 9:43:39 PM, error: DCOM [10001] - Unable to start a DCOM Server: {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} as /. The error: "%3" Happened while starting this command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe -Embedding
8/31/2009 9:43:39 PM, error: DCOM [10001] - Unable to start a DCOM Server: {6A972E27-93E2-4F98-8367-4101B2073814} as /. The error: "%2" Happened while starting this command: "c:\PROGRA~1\mcafee\msc\mcuimgr.exe" -Embedding

==== End Of File ===========================

#8
screen317

Hi,

Quote

ComboFix ran through the scan. At the end I saw something that said "system file is infected" and it is still hanging up at "rebooting windows....please wait"

Which system file did it say was infected??


Which PC Tools software do you have installed?
Chris Fistonich
Consumer Support Specialist

#9
PBvhc27

The screen flashed before I could note the entire error, but I believe it said that it was a Word doc, "Lesson Plan RAD 240.doc".

The PC Tool installed is Spyware Doctor.

#10
PBvhc27

I ran the scan again; the infected file is Windows\System32\eventlog.dll

#11
screen317

Okay thanks for letting me know.

Please download Win32kDiag.exe by AD to your Desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply.
Chris Fistonich
Consumer Support Specialist

#12
PBvhc27

I've run the scan 3 times. Every time it gets to the same point and then encounters an error and has to close... Here's the log for what it did scan... hope it helps.

Log file is located at: C:\Documents and Settings\SANDRA\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\is-K5KA3.lst
[1] 2009-09-01 20:39:02 428 C:\WINDOWS\is-K5KA3.lst ()

Cannot access: C:\WINDOWS\is-K5KA3.msg
[1] 2009-09-01 20:39:02 10498 C:\WINDOWS\is-K5KA3.msg ()

Cannot access: C:\WINDOWS\SYSTEM32\dumprep.exe
[1] 2004-08-04 07:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\SYSTEM32\dumprep.exe ()
[1] 2004-08-04 07:00:00 10752 C:\i386\DUMPREP.EXE (Microsoft Corporation)

Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll
[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\SYSTEM32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)
[1] 2004-08-04 07:00:00 55808 C:\i386\EVENTLOG.DLL (Microsoft Corporation)

Cannot access: C:\WINDOWS\temp\hsperfdata_SYSTEM\1976

#13
screen317

What's the error that occurs?

We need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Please download The Avenger2 by SwanDog46.
  • Unzip avenger.exe to your desktop.
  • Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\system32\eventlog.dll
  • Now start The Avenger2 by double clicking avenger.exe on your desktop.
  • Read the prompt that appears, and press OK.
  • Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  • Press the "Execute" button.
  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.


Next, try running MBAM and ComboFix.

-screen317
Chris Fistonich
Consumer Support Specialist

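Added example (not part of any post in this thread, and not how Win32kDiag, ComboFix or Avenger work internally): a parser for the Win32kDiag lines posted in reply #12 that compares each inaccessible file with the other copies the tool listed for it. The verdict names, the size-comparison heuristic and the reading of the parenthesised string as a company name are assumptions of this example; on the thread's own data it singles out eventlog.dll and the same-folder logevent.dll, the two paths used in the Avenger script above.

```python
import re
from collections import namedtuple

# Lines copied from the Win32kDiag log posted in reply #12 of this thread.
SAMPLE_LOG = r"""
Cannot access: C:\WINDOWS\is-K5KA3.lst
[1] 2009-09-01 20:39:02 428 C:\WINDOWS\is-K5KA3.lst ()
Cannot access: C:\WINDOWS\SYSTEM32\dumprep.exe
[1] 2004-08-04 07:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\SYSTEM32\dumprep.exe ()
[1] 2004-08-04 07:00:00 10752 C:\i386\DUMPREP.EXE (Microsoft Corporation)
Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll
[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\SYSTEM32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)
[1] 2004-08-04 07:00:00 55808 C:\i386\EVENTLOG.DLL (Microsoft Corporation)
"""

# "tag" is the bracketed number; the thread does not say what it means.
# "vendor" is the parenthesised string, assumed to be the company name.
Entry = namedtuple("Entry", "tag timestamp size path vendor")

TARGET_RE = re.compile(r"^Cannot access:\s+(.+?)\s*$")
ENTRY_RE = re.compile(
    r"^\[(\d+)\]\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(.+?)\s+\(([^()]*)\)\s*$"
)


def parse_groups(text):
    """Return {target_path: [Entry, ...]} for every 'Cannot access:' block."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = TARGET_RE.match(line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            tag, ts, size, path, vendor = m.groups()
            current.append(Entry(int(tag), ts, int(size), path, vendor.strip()))
    return groups


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _folder(path):
    return path.rsplit("\\", 1)[0].lower()


def assess(target, entries):
    """Compare the inaccessible file with the other copies listed for it."""
    result = {"target": target, "verdict": "not-listed", "restore_candidate": None}
    live = next((e for e in entries if e.path.lower() == target.lower()), None)
    if live is None:
        return result
    # Reference copies: same file name elsewhere on disk, with a vendor string,
    # and the same timestamp as the live file (i.e. the same build).
    refs = [e for e in entries
            if e is not live and _name(e.path) == _name(target)
            and e.vendor and e.timestamp == live.timestamp]
    if not refs:
        result["verdict"] = "no-reference"
    elif any(r.size == live.size for r in refs):
        result["verdict"] = "size-matches-reference"
    else:
        result["verdict"] = "size-mismatch"
        # A differently named file in the same folder that matches a reference
        # copy in size and timestamp is a likely displaced original.
        for e in entries:
            if (e is not live and e.vendor and _folder(e.path) == _folder(target)
                    and _name(e.path) != _name(target)
                    and any(e.size == r.size for r in refs)
                    and e.timestamp == live.timestamp):
                result["restore_candidate"] = e.path
                break
    return result


def analyze(text):
    return [assess(target, entries) for target, entries in parse_groups(text).items()]


if __name__ == "__main__":
    for row in analyze(SAMPLE_LOG):
        print(row["verdict"], row["target"], row["restore_candidate"] or "")
```

A size mismatch is a triage signal for closer inspection, not proof of tampering.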

#14
screen317

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Chris Fistonich
Consumer Support Specialist

#15
screen317

Topic re-opened.
Chris Fistonich
Consumer Support Specialist

#16
screen317

Quote

Chris,
I was able to run the avenger, Combofix, and MB. Everything seems to be running fine now... except on initial bootup I am still getting the following: Internet Explorer cannot find "file:///". Here are my scans... sorry about posting this in a message. Thanks in advance.

Pete
http://www.malwareby...showtopic=23469

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\SYSTEM32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

ComboFix 09-09-22.02 - SANDRA 09/22/2009 20:33.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.144 [GMT -4:00]
Running from: c:\documents and settings\SANDRA\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Sunbelt VIPRE *On-access scanning enabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\SANDRA\Local Settings\Application Data\yseseb._sy
c:\documents and settings\SANDRA\Local Settings\Application Data\zopegam._sy
.
---- Previous Run -------
.
c:\windows\Installer\7506.MSI

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.

2009-09-10 00:04 . 2009-09-10 00:04 -------- d-----w- c:\documents and settings\SHANNON\Application Data\Grisoft
2009-09-08 20:20 . 2009-09-08 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-08 20:18 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-06 15:01 . 2009-09-06 15:04 -------- d-----w- c:\program files\MSECACHE
2009-09-06 14:10 . 2009-09-06 14:10 -------- d-----w- c:\documents and settings\SANDRA\Application Data\AVG8
2009-09-05 01:19 . 2006-07-02 03:27 6134672 ----a-w- c:\documents and settings\SANDRA\PokerStarsInstallPM.exe
2009-09-03 04:03 . 2009-09-03 04:03 -------- d-----w- c:\program files\IObit
2009-09-02 20:48 . 2009-09-02 20:48 -------- d-----w- c:\documents and settings\SANDRA\Application Data\IObit
2009-09-02 20:38 . 2009-09-02 20:38 -------- d--h--w- c:\windows\PIF
2009-09-02 18:50 . 2009-09-08 20:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-02 14:50 . 2009-09-02 14:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
2009-09-02 14:44 . 2009-09-02 14:44 -------- d-----w- C:\rsit
2009-09-02 14:36 . 2009-09-02 14:44 -------- d-----w- c:\program files\Trend Micro
2009-09-02 06:54 . 2009-09-02 06:54 0 ----a-w- c:\windows\system32\SBRC.dat
2009-09-02 06:42 . 2009-09-02 06:42 -------- d-----w- c:\documents and settings\SANDRA\Application Data\Sunbelt
2009-09-02 05:47 . 2009-09-02 05:47 -------- d-----w- c:\program files\Enigma Software Group
2009-09-02 03:07 . 2009-09-02 16:19 -------- d-----w- C:\$AVG8.VAULT$
2009-09-02 03:02 . 2009-09-06 14:49 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-02 03:02 . 2009-09-02 03:02 -------- d-----w- c:\program files\AVG
2009-09-02 01:59 . 2009-09-02 01:59 -------- d-----w- c:\documents and settings\SANDRA\Application Data\Malwarebytes
2009-09-02 00:56 . 2009-09-02 00:56 -------- d-----w- c:\program files\CCleaner
2009-09-02 00:46 . 2009-09-02 00:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2009-09-01 23:43 . 2009-09-01 23:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2009-09-01 23:36 . 2009-09-01 23:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-01 23:36 . 2009-09-01 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-01 01:29 . 2006-03-03 12:07 143360 ----a-w- c:\windows\system32\dunzip32.dll
2009-09-01 01:15 . 2009-09-01 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 01:40 . 2005-01-05 13:08 -------- d-----w- c:\program files\Java
2009-09-02 04:20 . 2009-09-02 04:20 18337 ----a-w- c:\program files\Common Files\uferesi.db
2009-09-02 01:27 . 2009-03-27 20:39 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-02 01:05 . 2009-03-27 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-02 01:05 . 2009-03-27 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-14 10:58 . 2009-09-02 18:51 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-05 09:01 . 2004-08-04 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-04 11:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-04 11:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2007-08-21 17:41 . 2007-08-21 17:34 23402288 -c--a-w- c:\program files\AdbeRdr810_en_US.exe
2007-06-03 23:34 . 2007-06-03 23:34 545560 -c--a-w- c:\program files\AdbeRdr80_DLM_en_US.exe
2006-07-02 03:27 . 2006-07-02 03:27 6134672 -c--a-w- c:\program files\PokerStarsInstallPM.exe
2006-04-02 21:06 . 2006-04-02 21:06 1052120 -c--a-w- c:\program files\mjpegcodecv3.2.4.zip
2005-06-22 21:16 . 2005-06-22 21:16 2077424 -c--a-w- c:\program files\WindowsXP-KB894391-x86-ENU.exe
2004-08-04 11:00 . 2004-08-04 11:00 94784 -csh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 . 2004-08-04 11:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2004-08-04 11:00 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2004-08-04 11:00 57344 --sh--w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2004-08-04 11:00 413696 --sha-w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2004-08-04 11:00 343040 --sha-w- c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 00:12 . 2004-08-04 11:00 551936 --sh--w- c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 . 2004-08-04 11:00 84992 --sha-w- c:\windows\SYSTEM32\olepro32.dll
2008-04-14 00:12 . 2004-08-04 11:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Universal Installer"="c:\program files\ComcastUI\Universal Installer\uinstaller.exe" [2008-03-18 984616]
"Desktop Software"="c:\program files\ComcastUI\Universal Installer\uinstaller.exe" [2008-03-18 984616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-01-05 26112]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-09 45056]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"HostManager"="c:\program files\Common Files\AOL\1127675071\ee\AOLSoftware.exe" [2007-10-08 41824]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-07 282624]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"P17Helper"="P17.dll" - c:\windows\SYSTEM32\P17.dll [2004-06-10 60928]

c:\documents and settings\SHANNON\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1127675071\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\1127675071\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 10:28 AM 204800]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.java.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

SSODL-zip-{3f668164-1e01-44aa-a8c5-286e5244702a} - (no file)
Notify-avgrsstarter - avgrsstx.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 20:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(244)
c:\windows\system32\WININET.dll
c:\program files\Common Files\AOL\ACS\WLHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\wanmpsvc.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\windows\SYSTEM32\rundll32.exe
c:\progra~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
.
**************************************************************************
.
Completion time: 2009-09-23 20:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-23 00:42

Pre-Run: 133,265,362,944 bytes free
Post-Run: 133,194,153,984 bytes free

178 --- E O F --- 2009-09-21 20:56







Malwarebytes' Anti-Malware 1.41
Database version: 2845
Windows 5.1.2600 Service Pack 3

9/22/2009 8:50:31 PM
mbam-log-2009-09-22 (20-50-31).txt

Scan type: Quick Scan
Objects scanned: 110051
Time elapsed: 3 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win AntiVirus Pro (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\SHANNON\Application Data\AntiSpyware Pro (Rogue.AntiSpywarePro) -> Quarantined and deleted successfully.
C:\Documents and Settings\SHANNON\Application Data\AntiSpyware Pro\logs (Rogue.AntiSpywarePro) -> Quarantined and deleted successfully.
C:\Documents and Settings\SHANNON\Application Data\AntiSpyware Pro\startup (Rogue.AntiSpywarePro) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\SHANNON\Application Data\AntiSpyware Pro\conf.xml (Rogue.AntiSpywarePro) -> Quarantined and deleted successfully.
C:\Documents and Settings\SHANNON\Application Data\AntiSpyware Pro\Sites.black (Rogue.AntiSpywarePro) -> Quarantined and deleted successfully.
C:\Documents and Settings\SHANNON\Application Data\AntiSpyware Pro\logs\1238185740.log (Rogue.AntiSpywarePro) -> Quarantined and deleted successfully.

Chris Fistonich
Consumer Support Specialist


#17
screen317

    MBAM Sentinel

  • Moderators
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles
Update MBAM, run a Quick Scan, and post its log.

Also post a fresh HijackThis log, and we'll take it from there.

-screen317
Chris Fistonich
Consumer Support Specialist


#18
PBvhc27

    New Member

  • Members
  • 37 posts
Thanks for all your help. I was able to resolve the error message. I uninstalled QuickTime then reinstalled. Worked like a charm. No other problems and the scans are coming back clean. Thanks again.

#19
screen317

    MBAM Sentinel

  • Moderators
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles
Run the following, just to be sure.


Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.


Next, download my Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317
Chris Fistonich
Consumer Support Specialist


#20
screen317

    MBAM Sentinel

  • Moderators
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Chris Fistonich
Consumer Support Specialist





