Infections I haven't been able to remove


  • This topic is locked
68 replies to this topic

#1 Gunslinger

    New Member

  • Members
  • 42 posts

Posted 02 March 2012 - 08:57 PM

Thanks for your help.

DDS
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Owner at 16:23:45 on 2012-03-02
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.624 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\locator.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
\\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\S6ovG.com
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\ping.exe
C:\Windows\TEMP\hki9473.exe
C:\Windows\TEMP\hki9473.exe
C:\Windows\TEMP\hki9473.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [OPSE reminder] "c:\program files\scansoft\omnipagese2.0\eregeng\ereg.exe" -r "c:\program files\scansoft\omnipagese2.0\eregeng\ereg.ini"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
dRun: [dplaysvr] c:\windows\system32\config\systemprofile\appdata\local\dplaysvr.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10t_ActiveX.exe -update activex
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{0A1112F5-E9FD-43D9-AA29-D9ECA8724BCB} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{3C4C231C-BD71-4AC7-A165-5023550969D3} : DhcpNameServer = 192.168.1.254
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 87.229.126.50 www.google.com
Hosts: 87.229.126.51 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-2-22 21504]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-15 24652]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-8-30 1153368]
S2 sdcoreservice;APLMp50;c:\windows\system32\svchost.exe -k netsvcs [2009-2-22 21504]
S3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-8-30 9216]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-3-2 41272]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2008-7-7 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2008-5-9 174336]
S3 WinPhlash;WinPhlash;c:\swsetup\sp42853\swinflash\PhlashNT.sys [2007-1-19 38784]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 ZTEusbgps;ZTE GPS Port;c:\windows\system32\drivers\ZTEusbgps.sys [2011-8-30 105856]
S3 ZTEusbnmeaext;ZTE NMEAExt Port;c:\windows\system32\drivers\ZTEusbnmeaext.sys [2011-8-30 105856]
.
=============== Created Last 30 ================
.
2012-03-02 23:47:43 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-29 22:46:43 83456 ----a-w- c:\windows\system32\S6ovG.exe_
2012-02-24 16:51:18 28160 ----a-w- c:\windows\system32\S6ovG.com
2012-02-15 13:58:08 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-02-15 13:57:46 680448 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 13:57:41 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-02-12 23:39:23 -------- d-----w- c:\users\owner\appdata\roaming\PeerNetworking
2012-02-10 22:58:49 332800 ----a-w- c:\users\owner\appdata\local\pjxqczxucj.exe
2012-02-05 14:25:31 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
.
==================== Find3M ====================
.
2012-03-03 00:24:18 83456 ----a-w- c:\windows\system32\S6ovG.exe
2011-12-19 16:27:01 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-12-19 16:27:00 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-12-14 03:04:54 1798656 ----a-w- c:\windows\system32\jscript9.dll
2011-12-14 02:57:18 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-12-14 02:56:58 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-14 02:50:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 16:26:57.57 ===============


Attach

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 11/6/2007 2:12:08 AM
System Uptime: 3/2/2012 1:43:07 PM (3 hours ago)
.
Motherboard: Quanta | | 30CF
Processor: AMD Turion™ 64 X2 Mobile Technology TL-58 | Socket S1 | 1900/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 141 GiB total, 73.38 GiB free.
D: is FIXED (NTFS) - 7 GiB total, 0.736 GiB free.
E: is CDROM ()
F: is FIXED (NTFS) - 1 GiB total, 1.037 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
7-Zip 9.20
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe Flash Player 10 ActiveX
Adobe Reader 8.3.1
Adobe Shockwave Player 11.5
AIM 6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 5.5
CalyxLoanBridge11
Canon iP1700
Canon iP1700 User Registration
Canon My Printer
Canon ScanGear Starter
Canon Utilities Easy-PhotoPrint
CanoScan Toolbox Ver4.9
CardRd81
CCScore
Compatibility Pack for the 2007 Office system
Conexant HD Audio
CR2
D3DX10
Easy-WebPrint
EasyWorship 2007
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
ESU for Microsoft Vista
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Doc Viewer
HP Easy Setup - Frontend
HP Help and Support
HP Product Detection
HP Quick Launch Buttons 6.20 B1
HP QuickPlay 3.6
HP Update
HP User Guides 0057
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPNetworkAssistant
iTunes
Java™ 6 Update 25
kgcbase
KOAIR - 증명서 발급 시스템
Kodak EasyShare software
LightScribe 1.6.43.1
Malwarebytes' Anti-Malware version 1.51.2.1300
Manual CanoScan LiDE 60
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Edition 2003
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft WSE 2.0 SP3 Runtime
Mobile Broadband Generic Drivers
Movie Magic Screenwriter
MSCU for Microsoft Vista
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 6.0
netbrdg
NVIDIA Drivers
OfotoXMI
OGA Notifier 2.0.0048.0
OmniPage SE 2.0
Point
PowerChurch Plus 10.4
PowerChurch Plus Version 10 Runtime Files
QuickPlay SlingPlayer 0.4.6
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Rhapsody Player Engine
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Segoe UI
Setup
SFR
SFR2
SHASTA
skin0001
SKINXSDK
SmartAudio
Spybot - Search & Destroy
staticcr
Synaptics Pointing Device Driver
tooltips
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Viewpoint Media Player
VLC media player 1.1.11
VPRINTOL
VZAccess Manager
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
WIRELESS
Yahoo! Messenger
Yahoo! Software Update
ZTE USB Drivers
.
==== Event Viewer Messages From Past Week ========
.
3/2/2012 9:41:08 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the QuickPlay Task Scheduler (QTS) service to connect.
3/2/2012 9:41:08 AM, Error: Service Control Manager [7000] - The QuickPlay Task Scheduler (QTS) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/2/2012 9:39:38 AM, Error: EventLog [6008] - The previous system shutdown at 1:06:34 AM on 3/2/2012 was unexpected.
3/2/2012 4:01:59 PM, Error: Microsoft-Windows-WMPNSS-Service [14325] - Service 'WMPNetworkSvc' did not start correctly because QueryService encountered error '0x80070424'. In Windows Media Player, turn off media sharing, and then turn it back on.
3/2/2012 11:40:40 AM, Error: EventLog [6008] - The previous system shutdown at 11:08:45 AM on 3/2/2012 was unexpected.
3/2/2012 10:04:34 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the iPod Service service to connect.
3/2/2012 10:04:34 AM, Error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/2/2012 10:04:34 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
3/2/2012 10:04:03 AM, Error: Service Control Manager [7001] - The QuickPlay Task Scheduler (QTS) service depends on the QuickPlay Background Capture Service (QBCS) service which failed to start because of the following error: After starting, the service hung in a start-pending state.
3/2/2012 10:04:00 AM, Error: Service Control Manager [7022] - The QuickPlay Background Capture Service (QBCS) service hung on starting.
3/2/2012 10:02:23 AM, Error: EventLog [6008] - The previous system shutdown at 9:57:36 AM on 3/2/2012 was unexpected.
3/2/2012 1:32:37 PM, Error: Service Control Manager [7001] - The Windows Image Acquisition (WIA) service depends on the Shell Hardware Detection service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
3/2/2012 1:31:12 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service stisvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/2/2012 1:05:24 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: pgjpxip
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Tvtfilter service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Tdsmapi service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Sglogplayer service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The SfCtlCom service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Pinnacleupdatesvc service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Pinnaclemarvinusb service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Oracleservicesecinst service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Nsm1bus service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Lvsrvlauncher service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Lvhidsvc service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Hpqcxs08 service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Genregistrar service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The EPSON_EB_RPCV4_01 service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Crauto service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Cmuda3 service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Client32 service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Avgcoresvc service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The AtiPcie service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Aracpi service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The APLMp50 service terminated with the following error: The specified module could not be found.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7003] - The SBSD Security Center Service service depends the following service: wscsvc. This service might not be installed.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
3/2/2012 1:05:24 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
3/2/2012 1:05:01 PM, Error: EventLog [6008] - The previous system shutdown at 12:58:07 PM on 3/2/2012 was unexpected.
3/1/2012 9:57:29 AM, Error: EventLog [6008] - The previous system shutdown at 9:55:12 AM on 3/1/2012 was unexpected.
3/1/2012 9:51:25 PM, Error: Service Control Manager [7000] - The HP Health Check Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/1/2012 9:51:23 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the HP Health Check Service service to connect.
3/1/2012 9:32:03 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
3/1/2012 9:31:52 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC MpFilter NetBIOS netbt nsiproxy pgjpxip PSched RasAcd rdbss Smb spldr tdx Wanarpv6
3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
3/1/2012 9:31:52 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
3/1/2012 9:31:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
3/1/2012 9:31:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
3/1/2012 9:31:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
3/1/2012 9:31:01 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/1/2012 9:30:35 PM, Error: EventLog [6008] - The previous system shutdown at 9:27:46 PM on 3/1/2012 was unexpected.
3/1/2012 9:21:55 PM, Error: EventLog [6008] - The previous system shutdown at 9:19:02 PM on 3/1/2012 was unexpected.
3/1/2012 9:13:11 PM, Error: EventLog [6008] - The previous system shutdown at 9:04:53 PM on 3/1/2012 was unexpected.
3/1/2012 7:09:54 PM, Error: EventLog [6008] - The previous system shutdown at 6:59:21 PM on 3/1/2012 was unexpected.
2/29/2012 9:59:11 PM, Error: EventLog [6008] - The previous system shutdown at 9:36:00 PM on 2/29/2012 was unexpected.
2/29/2012 9:48:30 AM, Error: EventLog [6008] - The previous system shutdown at 9:38:39 AM on 2/29/2012 was unexpected.
2/29/2012 6:46:43 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
2/29/2012 11:37:08 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Eventlog service.
2/29/2012 10:21:40 PM, Error: EventLog [6008] - The previous system shutdown at 10:19:02 PM on 2/29/2012 was unexpected.
2/28/2012 8:09:38 AM, Error: EventLog [6008] - The previous system shutdown at 11:23:13 PM on 2/27/2012 was unexpected.
2/28/2012 2:29:58 PM, Error: EventLog [6008] - The previous system shutdown at 1:12:31 PM on 2/28/2012 was unexpected.
2/27/2012 10:29:52 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
2/27/2012 10:29:52 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/27/2012 10:28:22 PM, Error: EventLog [6008] - The previous system shutdown at 10:25:09 PM on 2/27/2012 was unexpected.
2/27/2012 10:24:52 PM, Error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
2/27/2012 10:24:39 PM, Error: Service Control Manager [7031] - The HP Health Check Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/26/2012 10:25:52 AM, Error: EventLog [6008] - The previous system shutdown at 10:00:40 AM on 2/26/2012 was unexpected.
2/25/2012 7:11:09 AM, Error: EventLog [6008] - The previous system shutdown at 7:09:23 AM on 2/25/2012 was unexpected.
2/25/2012 6:53:11 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10003] - WLAN Extensibility Module has stopped unexpectedly. Module Path: C:\Windows\System32\bcmihvsrv.dll
2/24/2012 7:43:52 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Tsmservice service to connect.
2/24/2012 7:19:42 PM, Error: EventLog [6008] - The previous system shutdown at 7:11:31 PM on 2/24/2012 was unexpected.
2/24/2012 5:32:39 PM, Error: EventLog [6008] - The previous system shutdown at 5:04:09 PM on 2/24/2012 was unexpected.
2/24/2012 4:30:12 AM, Error: EventLog [6008] - The previous system shutdown at 6:01:52 PM on 2/23/2012 was unexpected.
2/24/2012 11:57:50 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Live ID Sign-in Assistant service, but this action failed with the following error: An instance of the service is already running.
2/24/2012 11:57:40 PM, Error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
2/24/2012 11:27:37 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the hpqwmiex service to connect.
2/24/2012 11:27:37 AM, Error: Service Control Manager [7000] - The hpqwmiex service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/24/2012 11:26:39 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Live ID Sign-in Assistant service to connect.
2/24/2012 11:26:39 AM, Error: Service Control Manager [7000] - The Windows Live ID Sign-in Assistant service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/24/2012 11:25:09 AM, Error: EventLog [6008] - The previous system shutdown at 11:19:05 AM on 2/24/2012 was unexpected.
.
==== End Of File ===========================


#2 LDTate

    Forum Deity

  • Moderators
  • 21,126 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 04 March 2012 - 07:40 AM


Logs will be closed if you haven't replied within 3 days


Please don't attach the scans / logs for these tools, use "copy/paste".


DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperable and could require a full reinstall of your OS, losing all your programs and data.



Please run a new MBAM scan being sure to update before scanning.

Post the scan results

Also please describe how your computer behaves at the moment.


Please don't attach the scans / logs, use "copy/paste".
Larry Tate
Product Support


#3 Gunslinger


Posted 05 March 2012 - 08:17 PM

Thanks for responding, Larry. I'd received a virus in January that MalwareBytes had been unable to remove, along with another in February. These disabled Firewall, Windows Defender, Microsoft Security Essentials and would not let me enable them, nor uninstall them so they could be re-installed. And of course, every time I fired up, they would attract lots of other little infections that I would have to scan and delete. But the root causes would not go away.

This weekend disaster happened. After turning on my pc, the infection System Check popped up and started running. I was not around for a few mins and then tried to stop it, but it was too late. Looks like I lost all my data. And it won't let me run the DDS scan. If I save DDS to Desktop or Program Files, the infection removes it. I have to hide it somewhere else in a file that the infection already emptied. I've tried getting the DDS to run in regular and Safe modes to no avail, and have saved it multiple times.

Besides removing many programs and data, the infection has disabled about 20 of the System32 files. So I'm getting about 20 pop-ups of the files that cannot be read on start-up in regular mode. And of course the infection System Check Scan starts all over again. Later on another infection pop up about restoring files joins the fray.

Looks like I'm done for.

I will see if it will allow me to download Malware Bytes (since it removed it) and I'll give you the mbam scan within the hour.

Thanks for your help, Gunslinger

#4 LDTate


Posted 05 March 2012 - 08:21 PM

Do you have this folder?
Go to C:\Program Files\Malwarebytes' Anti-Malware\Chameleon
Double Click Chameleon to open the file.

Try clicking Test until one of them works.

MBAM will open and run a quick scan.

#5 Gunslinger


Posted 05 March 2012 - 08:44 PM

Under Program Files, the only folder that is left is Windows Collaboration. No other folders or files.

A quick question, as I try to download to mbam, it's sending me to c-net, is that legitimate, or am I being re-directed by this virus?

Two other symptoms I forgot to mention earlier, but I don't know if they'll give any insight: I tried System Restore twice today on the two most recent dates (although they were two weeks ago, which seems pretty far back) and it was unable to restore. My HP backup is stored on drive d, which says it's still full of data, but when I open drive D, it says folder is empty. So unless this infection is simply hiding all my stuff, it really has wiped out pretty much all data.

Secondly, as I've seen a gazillion other people have been hit by the same thing on these two most recent pages, the first symptoms when I had those couple of non-removable infections were mostly just redirects on my google and yahoo searches. I'm sure you're way ahead of me on that, but just trying to get the word out for others not to ignore things that seem merely pesky.

So unfortunately, I don't have any of the malwarebytes files, like chameleon anymore. Is this download on Cnet you guys? It's been quite a while since I installed Mbam and I don't remember it going to a different url such as cnet. As you can imagine, I'm being a bit over-careful.

Thanks again

#6 LDTate


Posted 05 March 2012 - 08:48 PM

Yes c-net is a legit download for MBAM

Let's try this first:


Download unhide.exe & save it to your windows folder:

Right click on unhide.exe and select Run as administrator (In case you have Vista or Win7)
Reboot

This will unhide folders/files that were set to be hidden by the infection you had.
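The unhide.exe step above works by clearing the Hidden attribute that this family of rogue "system check" programs sets on the user's files and folders, so the data was never deleted, only concealed. The script below is an added illustration of that same defender-side repair; it is not unhide.exe, not Malwarebytes code, and not anything posted in this thread. It assumes Windows PowerShell 2.0 or later started with "Run as administrator", and that the paths passed to it are the user's own data locations (the profile folder, the HP backup drive), not Windows system directories.

```powershell
# Added example: clear the Hidden attribute a rogue set on user files/folders.
# Assumptions (not from the thread): elevated Windows PowerShell 2.0+, and the
# paths supplied are user data locations rather than %SystemRoot%.
function Clear-HiddenAttribute {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Path,
        # Items that are Hidden AND System (desktop.ini, ntuser.dat, ...) are hidden
        # by Windows itself, not by malware; they are skipped unless this is set.
        [switch]$IncludeSystem
    )

    $hidden  = [IO.FileAttributes]::Hidden
    $system  = [IO.FileAttributes]::System
    $changed = 0

    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Skipping missing path: $root"
            continue
        }
        # -Force is essential: without it Get-ChildItem omits hidden items entirely,
        # which is exactly why the files looked "gone" in Explorer.
        $items = @(Get-Item -LiteralPath $root -Force) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)

        foreach ($item in $items) {
            $attrs = $item.Attributes
            if (($attrs -band $hidden) -eq 0) { continue }
            if (-not $IncludeSystem -and (($attrs -band $system) -ne 0)) { continue }
            if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden attribute')) {
                try {
                    # Flip only the Hidden bit; ReadOnly, Archive etc. are left as found.
                    $item.Attributes = $attrs -bxor $hidden
                    $changed++
                } catch {
                    Write-Warning "Could not change $($item.FullName): $($_.Exception.Message)"
                }
            }
        }
    }
    Write-Verbose "Cleared Hidden on $changed item(s)"
    return $changed
}

# Dry run first: -WhatIf lists every item that would change without touching it.
Clear-HiddenAttribute -Path "$env:USERPROFILE", 'D:\' -WhatIf
# When the list looks right, run it for real:
# Clear-HiddenAttribute -Path "$env:USERPROFILE", 'D:\'
```

Like a blanket unhide, this also reveals folders Windows hides by default but does not mark as System (AppData, for example); that is cosmetic and can be reversed per folder. Skipping Hidden+System items is the safety valve that keeps the script from exposing desktop.ini, ntuser.dat and similar housekeeping files, which the rogue did not touch.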

#7 Gunslinger


Posted 06 March 2012 - 05:43 PM

Larry, you're a magician. All the files reappeared.

But I battled all night, going back and forth between safe and regular modes. DDS will not run. The first few times, it would run for 30-45 mins and finally freeze up my pc. I deleted and reloaded (for some reason, I could only download it in regular mode), hoping that would solve the problem, but it hasn't. Now it just runs forever but never concludes. Sometimes it just makes my pc inert, as opposed to frozen.

Every time I popped back to regular mode, the infection "System Check" would start all over again, hiding files. I was finally able to update mbam again and run it. It removed 5 infections, but still, the root causes are there, causing System Check to kick in again if I open in regular mode.

Sorry this one's such a hassle for you. What step should I take next?

#8 LDTate


Posted 06 March 2012 - 05:49 PM

We made progress

Please do not attach the scan results from ComboFix. Use copy/paste.


Vista and Windows 7 users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")



Download ComboFix from one of these locations:

Link 1
Link 2 If using this link, Right Click and select Save As.


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.

    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.



#9 Gunslinger


Posted 06 March 2012 - 07:30 PM

It just gets better and better... Just so you know, anytime I try to do "Save As" for downloading DDS or ComboFix, it won't save when I'm in Safe Mode. Only in regular mode, which means, of course, that half of my files disappear due to System Check before I can get the download and pull the plug....

ComboFix has popped a message to turn off Microsoft Security Essentials before proceeding. But when I open MSE it says it is turned off (in warning Red) and does not allow me to access settings - simply locked up. So how do I get around this?

#10 LDTate


Posted 06 March 2012 - 07:38 PM

Do you have a thumb / flash drive?
Save Combofix to that device and run it from there.

#11 Gunslinger


Posted 07 March 2012 - 12:27 AM

Ok, I've tried many times to run ComboFix both from on my hard-drive and from thumb-drive as you suggested. MSE seems to be holding it up still. I've tried to manually turn off MSE from ConfigSecurityPolicy, Setup and msseces .exe files, but all are stopping me. I go ahead and let ComboFix run despite its warnings of MSE being on (even though the virus gives me the message that it is turned off). It works a little bit and then just dies out. I've twice given it an hour to see if it will finally move on but it doesn't.

This is the same behavior I was getting on trying to run DDS. It eventually freezes or goes inert. However, unlike DDS, I've only tried CF in safe mode, not both modes. And I was originally getting error messages when trying to run: "Error opening file for writing C:\.....\pev.3XE"

In Task Manager, I find that CPU activity goes to 0 for CF15657.3XE - Windows Command Processor.

There is small CPU activity for swxcacls.3XE - Freeware Implementation of xcacls

Please advise, thanks.

#12 LDTate


Posted 07 March 2012 - 08:36 AM

Uninstall MSE for now and try Combofix again

#13 Gunslinger


Posted 07 March 2012 - 05:14 PM

Yeah, that's the original problem I've been trying to fix for some weeks. MSE, Windows Defender, Firewall have all been disabled from being uninstalled. I just tried again a few times in case the newest updates of mbam had a fix, but I still can't get them to turn on or uninstall. The good news is System Check has finally disappeared.

What happens with MSE is it tells me: "Error code 0x8004FF56 Security Essentials Installation Wizard is missing a filter manager rollup package needed to complete this installation. To continue installing SE, first download required package."

It then sends me to download an XP .exe file. However, after downloading and during or right after extracting, a popup error says the installation didn't complete. Sometimes it gets as far as the new .exe file opening its installation window for half a sec (that's when I do run instead of save as) but immediately the installation error popup takes over.

So I'm back to where I was a few weeks ago when the first infection or two were not removed by mbam, and they disabled MSE, Firewall, Defender and I started attracting all the monsters.

While typing this, I ran mbam in regular mode. First time I've been able to do that without any infections coming up. So I am celebrating that. The newest updates have kept System Check and its ilk from ravaging me. But as long as my defenses are down, new ones will come at some point.

So what do you think I should try?

#14 LDTate


Posted 07 March 2012 - 05:18 PM

Try Combofix

#15 Gunslinger


Posted 07 March 2012 - 07:59 PM

Alright, I let ComboFix go for 45 mins. Nothing. Tried DDS again. It locked up after a while. I deleted ComboFix and downloaded again, in case somehow these nasties were messing with it.

It took a while, finally the popups for installing files came up. Some delays, but they would eventually continue.

But then a third popup happened. It was fast and I wasn't paying that much attention. What I did catch before it disappeared was something about "breaking up registry..." and then the long file name at the end, ending in ".hiv-xxxxxx" something or other. The hiv at the end of the file name got my attention. But it disappeared before I could grab pen and paper.

I let the ComboFix window stay open/run for maybe 25-30 mins, nothing happening. And finally my windows explorer and computer froze up.

So, do the bad guys have something that is preventing ComboFix and DDS from loading/working on my pc? I've been trying to use those programs for days to no avail.

Sorry this is such a frustrating one, Larry, I do appreciate your help.

#16 LDTate


Posted 07 March 2012 - 08:06 PM

Yes.
Some of these infections can stop anything from running that is trying to remove it.

You could try Combofix from Safe Mode or running from the flash drive.

#17 Gunslinger


Posted 08 March 2012 - 11:31 PM

Larry, I keep trying ComboFix and DDS both from saved files on my pc as well as from the flash drive, both in regular and safe modes. The file that keeps popping up when I run ComboFix as having an error is: C:32788R22FWJFW\pev.3XE

It keeps preventing the installation/run. I have deleted and saved again the two programs many times, but keep being stopped by the pev.3XE file. One interesting point, when in safe mode, I am not even allowed to download CF or DDS. I can only get them when in regular mode. Something freezes me up when trying to get them in safe mode.

So, have we run out of bullets?

#18 LDTate


Posted 09 March 2012 - 08:02 AM

Download Combofix from any of the links below but rename it to iexplore.exe before saving it to your desktop.

If need be, Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

Note:
If combofix (iexplore.exe) won't run from the desktop, try running it from the USB device.



Link 1
Link 2 If using this link, Right Click and select Save As.


* IMPORTANT !!! Save iexplore.exe to your Desktop

Double click on the iexplore.exe ComboFix.exe & follow the prompts.
Be sure to download any updates.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#19 Gunslinger


Posted 12 March 2012 - 03:01 AM

Good idea on renaming the file when I saved it to the flash drive, I should have thought of that precaution.

Unfortunately, it did not work, in neither safe nor regular modes.

But something interesting did occur.

In all my previous attempts, I would allow CF to run maybe up to a little over an hour or so. Often it didn't matter cause it would simply make my pc freeze or inert before that much time passed anyway. But I finally just ran the program and let it loose.

And 3.5 hours later I got a pop up. Rocketkit [not rootkit] infection has been detected. Be patient, this may take some time.

I rejoiced and made promises to God when I hit the Ok button. And not a darn thing ever happened again.

I let it stay on for another 15 hours. Not a thing. Sigh.

Also tried DDS again, it just adds up the #########s and nothing ever happens. Or as in the case this evening, my pc finally froze.

Please advise.

#20 LDTate


Posted 12 March 2012 - 06:56 AM

Delete these files if found.

C:\Windows\system32\S6ovG.com
c:\windows\system32\S6ovG.exe_
c:\windows\system32\S6ovG.exe
c:\users\owner\appdata\local\pjxqczxucj.exe

C:\Windows\TEMP\hki9473.exe
C:\Windows\TEMP\hki9473.exe
C:\Windows\TEMP\hki9473.exe

Delete all files in this folder: C:\Windows\TEMP\
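The manual clean-up in the post above (delete a short list of named files, then empty C:\Windows\TEMP) is the kind of step that is worth doing in two passes: first record what is actually present, then remove it. The script below is an added example of that, not ComboFix, Malwarebytes or anything posted in this thread. The five file paths are exactly the ones the helper listed and are specific to this machine; the C:\Quarantine folder is an assumed location chosen for the example, and the script assumes an elevated Windows PowerShell 2.0 or later prompt (Get-FileHash is avoided because it needs PowerShell 4).

```powershell
# Added example: report, quarantine and delete the files named in the post above.
# The paths come from the post and are machine-specific; C:\Quarantine is an
# assumed location, not from the thread.
$SuspectFiles = @(
    'C:\Windows\system32\S6ovG.com',
    'C:\Windows\system32\S6ovG.exe_',
    'C:\Windows\system32\S6ovG.exe',
    'C:\Users\Owner\AppData\Local\pjxqczxucj.exe',
    'C:\Windows\TEMP\hki9473.exe'
)
$Quarantine = 'C:\Quarantine'   # assumed; copies are kept here before deletion

function Get-FileSha256 {
    param([Parameter(Mandatory = $true)][string]$LiteralPath)
    # .NET hashing works on PowerShell 2; Get-FileHash only arrived in PowerShell 4.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($LiteralPath)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

function Get-SuspectFileReport {
    param([string[]]$Paths = $SuspectFiles)
    foreach ($p in $Paths) {
        $present   = Test-Path -LiteralPath $p -PathType Leaf
        $bytes     = $null; $lastWrite = $null; $sha = $null
        if ($present) {
            # -Force so a file the rogue marked Hidden is still picked up.
            $info      = Get-Item -LiteralPath $p -Force
            $bytes     = $info.Length
            $lastWrite = $info.LastWriteTime
            $sha       = Get-FileSha256 -LiteralPath $p
        }
        # One record per path, present or not, so "nothing found" is visible too.
        New-Object PSObject -Property @{
            Path = $p; Present = $present; Bytes = $bytes; LastWrite = $lastWrite; SHA256 = $sha
        }
    }
}

function Remove-SuspectFiles {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Paths = $SuspectFiles)
    if (-not (Test-Path -LiteralPath $Quarantine)) {
        New-Item -ItemType Directory -Path $Quarantine | Out-Null
    }
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
        if ($PSCmdlet.ShouldProcess($p, 'Quarantine copy, then delete')) {
            # Keep a renamed (.bin) copy so the sample can still be submitted to a
            # vendor or examined later, but cannot be double-clicked by accident.
            $dest = Join-Path $Quarantine ((Split-Path $p -Leaf) + '.bin')
            Copy-Item -LiteralPath $p -Destination $dest -Force
            Remove-Item -LiteralPath $p -Force
        }
    }
}

function Clear-WindowsTemp {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $temp = Join-Path $env:SystemRoot 'TEMP'
    foreach ($entry in Get-ChildItem -LiteralPath $temp -Force -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess($entry.FullName, 'Delete')) {
            # Anything held open by a running process fails here and is reported,
            # which is itself a useful hint about what is still active.
            Remove-Item -LiteralPath $entry.FullName -Recurse -Force -ErrorAction Continue
        }
    }
}

# Report first, dry-run the removal, then drop -WhatIf once the report looks right.
Get-SuspectFileReport | Format-Table Path, Present, Bytes, LastWrite, SHA256 -AutoSize
Remove-SuspectFiles -WhatIf
Clear-WindowsTemp -WhatIf
```

Recording size, timestamp and SHA-256 before deletion costs nothing and gives the helper (or a later incident reviewer) something concrete to match against, which a bare "deleted them" reply does not. The quarantine copy serves the same purpose; once the machine is confirmed clean the folder can be removed.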



