xvcrimsajadevx
Members
Posts: 9
Reputation: 0 Neutral
  1. Okay, thanks. I'll just keep an eye on the router logs next time it happens to make sure it's not security related. If I have to, I'll just downgrade the firmware again and secure her computer with a software firewall if I can't find a solution that will keep it working with the updated firmware.
  2. Still going through that last bit of info, but I got the main stuff done at any rate. A router was already in use (downloaded a software firewall anyways)... Checked the logs and nothing had been recorded since it was last set, so hopefully no personal info got through. Admittedly though, the firmware was kept out of date because we were having problems with the wireless function - it would just shut itself off if my sis was downloading large files. I've since updated it, but I'm wondering... is the reason it would shut off because it detected a threat and went into internet lockdown? Just making a guess based on the functions I'm seeing with the software firewall. Anyways, thanks again Elise! This has been a huge help. Everything's up to date and seems to be working fine at this point... Hopefully I won't need to open such a topic again.
  3. ESET log:

C:\Qoobox\Quarantine\MBR_HardDisk0.mbr    Win32/Olmarik.ADA trojan    cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\gfedNXyb.ini.vir    Win32/Adware.Virtumonde.NEO application    cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\gfedNXyb.ini2.vir    Win32/Adware.Virtumonde.NEO application    cleaned by deleting - quarantined
C:\System Volume Information\_restore{0D2F6D49-DFE9-4670-A2D1-1B38D1C5EE9B}\RP23\A0021662.ini    Win32/Adware.Virtumonde.NEO application    cleaned by deleting - quarantined
C:\WINDOWS\system32\dkvoiseq.0ni    Win32/Adware.Virtumonde.NEO application    cleaned by deleting - quarantined
C:\WINDOWS\system32\ondrbeba.0ni    Win32/Adware.Virtumonde.NEO application    cleaned by deleting - quarantined
C:\WINDOWS\system32\rjmyruop.0ni    Win32/Adware.Virtumonde.NEO application    cleaned by deleting - quarantined
C:\WINDOWS\system32\xsqhmtxg.0ni    Win32/Adware.Virtumonde.NEO application    cleaned by deleting - quarantined
  4. Nope. Everything appears to be running normally at this point. Quick question about ESET... When it starts up it has "Remove found threats" checked. Should I uncheck it before running the scan or leave it as is?
  5. Indeed! I am now able to access the Windows Updates sites with IE again. I'm assuming Automatic Updates is working again too, but I disabled it for the time being until we finish the last of this off. As for the new log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5184

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

24/11/2010 6:15:45 PM
mbam-log-2010-11-24 (18-15-45).txt

Scan type: Full scan (A:\|C:\|E:\|F:\|G:\|H:\|)
Objects scanned: 362030
Time elapsed: 3 hour(s), 54 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Mom and Celeana\My Documents\Downloads\MyWebFace.exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.
  7. Yeah, I'll have to thank my mother for this later. Unfortunately a fresh install is not an option for me at this time (not sure where my OS disk is), so I'll have to just go with the cleanup for the time being. I do have a question though: Do I have to worry about my files being corrupt, or can I back them up and save them, then transfer them to a new computer without worry? I'm hoping to get a laptop by the end of the year, and I really don't want to lose the information I have on this computer if I don't have to. Anyways, here is the new log from ComboFix: (Keeping fingers crossed it'll actually allow it to post this time)

ComboFix 10-11-23.05 - Crim_2 24/11/2010 9:42.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.240 [GMT -7:00]
Running from: c:\documents and settings\Crim_2\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
ADS - WINDOWS: deleted 128 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Mike\Application Data\inst.exe
c:\program files\winvi
c:\program files\winvi\dsktp\AC_RunActiveContent.js
c:\program files\winvi\dsktp\desktop.html
c:\program files\winvi\dsktp\internetDetection.swf
c:\program files\winvi\dsktp\settings.sol
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\tmpvc14
c:\temp\tmpvc14\dllvc.log
c:\windows\jestertb.dll
c:\windows\mainms.vpi
c:\windows\megavid.cdt
c:\windows\muotr.so
c:\windows\system32\gfedNXyb.ini
c:\windows\system32\gfedNXyb.ini2
c:\windows\system32\i
c:\windows\Tasks\At49.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\avwnsket.job
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MYWEBSEARCHSERVICE

((((((((((((((((((((((((( Files Created from 2010-10-24 to 2010-11-24 )))))))))))))))))))))))))))))))
.
2010-11-19 22:07 . 2010-11-24 17:06 -------- d-----w- c:\windows\system32\CatRoot2
2010-11-19 20:35 . 2008-04-14 12:42 10752 ------w- c:\windows\system32\smtpapi.dll
2010-11-19 20:35 . 2008-04-14 12:42 9728 ------w- c:\windows\system32\rwnh.dll
2010-11-19 20:35 . 2008-04-14 12:41 81920 ------w- c:\windows\system32\ieencode.dll
2010-11-19 20:35 . 2007-04-03 07:12 1327320 ------w- c:\program files\MSN\msncorefiles\install\msnsusii.exe
2010-11-19 20:35 . 2007-04-03 07:04 884712 ------w- c:\program files\MSN\msncorefiles\install\msn9components\digcore.exe
2010-11-19 20:35 . 2007-04-03 07:09 11053008 ------w- c:\program files\MSN\msncorefiles\install\msn9components\msncli.exe
2010-11-19 20:35 . 2008-04-14 12:40 229376 ------w- c:\program files\MSN\msncorefiles\oobe\obelog.dll
2010-11-19 20:35 . 2008-04-14 12:40 966656 ------w- c:\program files\MSN\msncorefiles\oobe\obemetal.dll
2010-11-19 20:35 . 2008-04-14 12:40 86016 ------w- c:\program files\MSN\msncorefiles\oobe\obepopc.dll
2010-11-19 20:35 . 2007-04-03 07:14 77824 ------w- c:\program files\MSN\msncorefiles\oobe\obemtllc.dll
2010-11-19 20:32 . 2006-12-29 07:31 19569 ----a-w- c:\windows\000001_.tmp
2010-11-19 19:42 . 2010-11-19 19:42 -------- d-sh--w- c:\documents and settings\Crim_2\IECompatCache
2010-11-19 07:00 . 2010-11-19 07:00 -------- d-----w- c:\program files\Defraggler
2010-11-08 07:35 . 2010-11-08 07:35 -------- d-----w- c:\program files\yWriter5
2010-11-08 06:24 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-11-08 06:24 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-11-08 06:23 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-11-08 05:34 . 2010-11-08 05:38 -------- dc-h--w- c:\windows\ie8
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 19:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-01-08 22:23 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2001-08-18 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2001-08-18 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-07 15:12 . 2010-07-15 22:10 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2009-09-04 22:26 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2009-09-04 22:27 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2009-09-04 22:27 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2009-09-04 22:27 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2009-09-04 22:27 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2009-09-04 22:27 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2009-09-04 22:27 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2009-09-04 22:27 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-01 11:51 . 2001-08-18 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2001-08-18 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2001-08-18 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2001-08-18 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Crim_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-09 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Mike\Start Menu\Programs\Startup\
YouTube Uploader.lnk - c:\documents and settings\Mike\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [2007-11-9 71152]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Button Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Button Manager.lnk
backup=c:\windows\pss\HP Button Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Crim_2^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Crim_2\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 17:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-05-16 16:27 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2008-03-22 02:55 16384 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2003-11-07 09:50 19968 ------w- c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 21:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2010-04-29 21:39 437584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 04:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 21:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMax]
2004-03-26 20:40 794624 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-04-01 16:52 1368064 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2005-03-08 19:33 53248 ----a-r- c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
2005-03-12 09:33 147456 ----a-r- c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
2003-12-01 17:38 892928 ----a-w- c:\program files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"WudfSvc"=2 (0x2)
"WTouchService"=2 (0x2)
"wscsvc"=2 (0x2)
"WPFFontCache_v0400"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WinRM"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"UTSCSI"=2 (0x2)
"UPS"=3 (0x3)
"uCamMonitor"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"TabletServicePen"=2 (0x2)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"SoundMAX Agent Service (default)"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"PlugPlay"=2 (0x2)
"Pixar Maitre-D Server 1.0.1"=2 (0x2)
"Pixar License Server 5.0.2"=2 (0x2)
"Pixar Alfred Server 13.5.2"=2 (0x2)
"ose"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NMIndexingService"=3 (0x3)
"nlsX86cc"=2 (0x2)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"Net Driver HPZ12"=2 (0x2)
"NBService"=3 (0x3)
"napagent"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"MDM"=2 (0x2)
"MBAMService"=2 (0x2)
"maya70docserver"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hpqddsvc"=2 (0x2)
"hpqcxs08"=3 (0x3)
"hkmsvc"=3 (0x3)
"helpsvc"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"Dnscache"=2 (0x2)
"dmserver"=2 (0x2)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"clr_optimization_v4.0.30319_32"=2 (0x2)
"cisvc"=3 (0x3)
"CCALib8"=2 (0x2)
"Browser"=2 (0x2)
"Bonjour Service"=2 (0x2)
"BITS"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"AudioSrv"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"aliasdocserver"=2 (0x2)
"ALG"=3 (0x3)
"Akamai"=2 (0x2)
"ACDaemon"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Alias\\Maya6.0\\bin\\maya.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Kids Web Menu\\kidsmenu.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:Windows Remote Management
"1039:TCP"= 1039:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys [24/02/2006 1:20 AM 21632]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [04/09/2009 3:27 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/09/2009 3:27 PM 17744]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [24/01/2009 10:40 PM 304464]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [04/08/2010 10:50 AM 14336]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [24/01/2009 10:40 PM 20952]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [08/07/2010 5:52 PM 16168]
S3 cirrus;cirrus;c:\windows\system32\drivers\cirrus.sys [15/02/2007 8:13 PM 45696]
S3 GAGPDrv;GAGPDrv; [x]
S3 hercspud;Hercules ® WDM Audio Driver; [x]
S3 hercwdm;Hercules ® WDM Interface Driver; [x]
S3 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [08/07/2010 5:52 PM 4497704]
S3 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [04/08/2010 10:50 AM 104960]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [28/02/2008 8:17 PM 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [28/02/2008 8:15 PM 85696]
S3 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [08/07/2010 5:54 PM 113448]
S4 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [18/08/2001 5:00 AM 14336]
S4 aliasdocserver;Alias Documentation Server;c:\program files\Alias\Maya6.0\docs\Wrapper.exe [04/09/2009 11:21 PM 110592]
S4 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 PM 130384]
S4 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [19/07/2010 2:48 PM 57344]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [18/12/2007 9:43 PM 24652]
S4 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [18/08/2001 5:00 AM 14336]
S4 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-10-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-823518204-725345543-1008Core.job
- c:\documents and settings\Crim_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-09 01:53]

2010-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-823518204-725345543-1008UA.job
- c:\documents and settings\Crim_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-09 01:53]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local;localhost
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: windowsupdate.com\download
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Crim_2\Application Data\Mozilla\Firefox\Profiles\ydlni633.default\
FF - prefs.js: browser.startup.homepage - hxxp://s14.invisionfree.com/tripmydaisy/index.php
FF - component: c:\documents and settings\Crim_2\Application Data\Mozilla\Firefox\Profiles\ydlni633.default\extensions\firefox@kidzui.com\platform\WINNT_x86-msvc\components\WinKiosk.dll
FF - plugin: c:\documents and settings\Crim_2\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Crim_2\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\TabletPlugins\npwacom.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Vizzed\Vizzed Retro Game Room\NpVizzedRgr.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
MSConfigStartUp-Cognac - c:\docume~1\Crim_2\LOCALS~1\Temp\~tmpa.exe
MSConfigStartUp-MS AntiSpyware 2009 - c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
MSConfigStartUp-MSFox - c:\docume~1\Crim_2\LOCALS~1\Temp\a.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-Campaign Cartographer 2 - c:\documents and settings\mike\desktop\ad&d - campaign cartographer 2\Uninst.isu

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-24 10:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\
  8. Thank you Elise. Sorry for including my reports as attachments rather than copying and pasting. For some reason my computer is not allowing the full post to send. I had the same problem with the DDS report, which is why it has not been included. I may have added more than you needed to the OTL scan... For some reason every time I hit the Quick Scan button the Extra Registry value would automatically change to None and I would not receive the Extra.Txt report. As for my problem(s), as I have stated, I am currently unable to access the Windows Update and Microsoft Updates sites. Internet Explorer tells me it cannot connect to the internet while trying to access these pages, though it will take me to any other page I try. Using the https:// protocol as opposed to http:// does get me onto both web pages, but when I do, I am greeted with [Error number: 0x80072EFF], which means my computer cannot access their servers. As a result, Automatic Updates is not working either. This is all following a Thinkpoint infection my computer received earlier this month. I used the instructions here - http://www.2-viruses.com/remove-thinkpoint - to delete all visible components I could find and reset all my computer services to their default settings manually, but after making this discovery a few days back I now know for certain I didn't get everything. Also, something I forgot to mention: my computer has been experiencing some trouble shutting itself down. Most times I have to resort to using the power button to turn it off.
     Attachments: OTL.Txt, Extras.Txt, Report.txt
  9. Greetings and Salutations! My computer was just recently infected with the Thinkpoint virus, and though I have removed all visible physical components (as per the instructions at http://www.2-viruses.com/remove-thinkpoint, as repeated scans with Malwarebytes and AVAST! Antivirus did not turn up any results), my computer problems continue to persist.
     Order of events:
     1) After learning of the infection (I was at work at the time and someone else had control of the computer), I logged onto my own account (which had been unaffected) and ran several unsuccessful full scans and boot scans with AVAST! and MB.
     2) After removing the components using the instructions at said site, I then attempted to run a couple more scans using both applications, only to realize that both MB's and AVAST!'s definitions were not up to date.
     3) Attempts to update failed, and soon I realized I could no longer connect to the internet. I also learned at some point that Thinkpoint had deleted all previous restore points.
     4) Realized Thinkpoint had disabled nearly all computer services. Manually restored services to default settings. After this, I ran a couple of scans again with both programs, which came up with a few trojans that I quickly removed.
     Since then, my computer has been acting slower than usual, and when I would log on using an account with Administrative privileges (the account that had been infected had them previously, but I removed them after removing the infection) I would get a rather persistent pop-up from Windows that I now know is related to Automatic Updates. Apparently my computer is no longer able to connect with either the Microsoft or the Windows Updates sites. Doing so leads me to a page telling me to: