Infections I haven't been able to remove

Thanks for your help.

DDS

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by Owner at 16:23:45 on 2012-03-02

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.624 [GMT -8:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\rundll32.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\WLANExt.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Windows\system32\locator.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\Real\RealPlayer\Update\realsched.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

\\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\S6ovG.com

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\System32\ping.exe

C:\Windows\TEMP\hki9473.exe

C:\Windows\TEMP\hki9473.exe

C:\Windows\TEMP\hki9473.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"

mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"

mRun: [OPSE reminder] "c:\program files\scansoft\omnipagese2.0\eregeng\ereg.exe" -r "c:\program files\scansoft\omnipagese2.0\eregeng\ereg.ini"

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

dRun: [dplaysvr] c:\windows\system32\config\systemprofile\appdata\local\dplaysvr.exe

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10t_ActiveX.exe -update activex

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

uPolicies-explorer: HideSCAHealth = 1 (0x1)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: mswsock.dll

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{0A1112F5-E9FD-43D9-AA29-D9ECA8724BCB} : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{3C4C231C-BD71-4AC7-A165-5023550969D3} : DhcpNameServer = 192.168.1.254

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

Hosts: 87.229.126.50 www.google.com

Hosts: 87.229.126.51 www.bing.com

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-2-22 21504]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-15 24652]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-8-30 1153368]

S2 sdcoreservice;APLMp50;c:\windows\system32\svchost.exe -k netsvcs [2009-2-22 21504]

S3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-8-30 9216]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-3-2 41272]

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]

S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]

S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]

S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2008-7-7 20480]

S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2008-5-9 174336]

S3 WinPhlash;WinPhlash;c:\swsetup\sp42853\swinflash\PhlashNT.sys [2007-1-19 38784]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S3 ZTEusbgps;ZTE GPS Port;c:\windows\system32\drivers\ZTEusbgps.sys [2011-8-30 105856]

S3 ZTEusbnmeaext;ZTE NMEAExt Port;c:\windows\system32\drivers\ZTEusbnmeaext.sys [2011-8-30 105856]

.

=============== Created Last 30 ================

.

2012-03-02 23:47:43 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-02-29 22:46:43 83456 ----a-w- c:\windows\system32\S6ovG.exe_

2012-02-24 16:51:18 28160 ----a-w- c:\windows\system32\S6ovG.com

2012-02-15 13:58:08 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat

2012-02-15 13:57:46 680448 ----a-w- c:\windows\system32\msvcrt.dll

2012-02-15 13:57:41 2044416 ----a-w- c:\windows\system32\win32k.sys

2012-02-12 23:39:23 -------- d-----w- c:\users\owner\appdata\roaming\PeerNetworking

2012-02-10 22:58:49 332800 ----a-w- c:\users\owner\appdata\local\pjxqczxucj.exe

2012-02-05 14:25:31 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

.

==================== Find3M ====================

.

2012-03-03 00:24:18 83456 ----a-w- c:\windows\system32\S6ovG.exe

2011-12-19 16:27:01 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-12-19 16:27:00 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-12-14 03:04:54 1798656 ----a-w- c:\windows\system32\jscript9.dll

2011-12-14 02:57:18 1127424 ----a-w- c:\windows\system32\wininet.dll

2011-12-14 02:56:58 1427456 ----a-w- c:\windows\system32\inetcpl.cpl

2011-12-14 02:50:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb

.

============= FINISH: 16:26:57.57 ===============

Attach

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft® Windows Vista™ Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 11/6/2007 2:12:08 AM

System Uptime: 3/2/2012 1:43:07 PM (3 hours ago)

.

Motherboard: Quanta | | 30CF

Processor: AMD Turion 64 X2 Mobile Technology TL-58 | Socket S1 | 1900/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 141 GiB total, 73.38 GiB free.

D: is FIXED (NTFS) - 7 GiB total, 0.736 GiB free.

E: is CDROM ()

F: is FIXED (NTFS) - 1 GiB total, 1.037 GiB free.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

7-Zip 9.20

Activation Assistant for the 2007 Microsoft Office suites

ActiveCheck component for HP Active Support Library

Adobe Flash Player 10 ActiveX

Adobe Reader 8.3.1

Adobe Shockwave Player 11.5

AIM 6

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ArcSoft PhotoStudio 5.5

CalyxLoanBridge11

Canon iP1700

Canon iP1700 User Registration

Canon My Printer

Canon ScanGear Starter

Canon Utilities Easy-PhotoPrint

CanoScan Toolbox Ver4.9

CardRd81

CCScore

Compatibility Pack for the 2007 Office system

Conexant HD Audio

CR2

D3DX10

Easy-WebPrint

EasyWorship 2007

ESSBrwr

ESSCDBK

ESScore

ESSgui

ESSini

ESSPCD

ESSPDock

ESSSONIC

ESSTOOLS

essvatgt

ESU for Microsoft Vista

HDAUDIO Soft Data Fax Modem with SmartCP

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Active Support Library

HP Active Support Library 32 bit components

HP Customer Experience Enhancements

HP Doc Viewer

HP Easy Setup - Frontend

HP Help and Support

HP Product Detection

HP Quick Launch Buttons 6.20 B1

HP QuickPlay 3.6

HP Update

HP User Guides 0057

HP Wireless Assistant

HPAsset component for HP Active Support Library

HPNetworkAssistant

iTunes

Java 6 Update 25

kgcbase

KOAIR - 증명서 발급 시스템

Kodak EasyShare software

LightScribe 1.6.43.1

Malwarebytes' Anti-Malware version 1.51.2.1300

Manual CanoScan LiDE 60

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2656353)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Antimalware

Microsoft Application Error Reporting

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Excel MUI (English) 2007

Microsoft Office File Validation Add-In

Microsoft Office Home and Student 2007

Microsoft Office Live Add-in 1.5

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Small Business Edition 2003

Microsoft Office Word MUI (English) 2007

Microsoft Security Client

Microsoft Security Essentials

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Works

Microsoft WSE 2.0 SP3 Runtime

Mobile Broadband Generic Drivers

Movie Magic Screenwriter

MSCU for Microsoft Vista

MSVCRT

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

muvee autoProducer 6.0

netbrdg

NVIDIA Drivers

OfotoXMI

OGA Notifier 2.0.0048.0

OmniPage SE 2.0

Point

PowerChurch Plus 10.4

PowerChurch Plus Version 10 Runtime Files

QuickPlay SlingPlayer 0.4.6

QuickTime

RealNetworks - Microsoft Visual C++ 2008 Runtime

RealPlayer

RealUpgrade 1.1

Rhapsody Player Engine

Roxio Activation Module

Roxio Creator Audio

Roxio Creator Basic v9

Roxio Creator Copy

Roxio Creator Data

Roxio Creator EasyArchive

Roxio Creator Tools

Roxio Express Labeler 3

Roxio MyDVD Basic v9

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Segoe UI

Setup

SFR

SFR2

SHASTA

skin0001

SKINXSDK

SmartAudio

Spybot - Search & Destroy

staticcr

Synaptics Pointing Device Driver

tooltips

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition

Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

Viewpoint Media Player

VLC media player 1.1.11

VPRINTOL

VZAccess Manager

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live Sync

Windows Live UX Platform

Windows Live UX Platform Language Pack

WIRELESS

Yahoo! Messenger

Yahoo! Software Update

ZTE USB Drivers

.

==== Event Viewer Messages From Past Week ========

.

3/2/2012 9:41:08 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the QuickPlay Task Scheduler (QTS) service to connect.

3/2/2012 9:41:08 AM, Error: Service Control Manager [7000] - The QuickPlay Task Scheduler (QTS) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/2/2012 9:39:38 AM, Error: EventLog [6008] - The previous system shutdown at 1:06:34 AM on 3/2/2012 was unexpected.

3/2/2012 4:01:59 PM, Error: Microsoft-Windows-WMPNSS-Service [14325] - Service 'WMPNetworkSvc' did not start correctly because QueryService encountered error '0x80070424'. In Windows Media Player, turn off media sharing, and then turn it back on.

3/2/2012 11:40:40 AM, Error: EventLog [6008] - The previous system shutdown at 11:08:45 AM on 3/2/2012 was unexpected.

3/2/2012 10:04:34 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the iPod Service service to connect.

3/2/2012 10:04:34 AM, Error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/2/2012 10:04:34 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

3/2/2012 10:04:03 AM, Error: Service Control Manager [7001] - The QuickPlay Task Scheduler (QTS) service depends on the QuickPlay Background Capture Service (QBCS) service which failed to start because of the following error: After starting, the service hung in a start-pending state.

3/2/2012 10:04:00 AM, Error: Service Control Manager [7022] - The QuickPlay Background Capture Service (QBCS) service hung on starting.

3/2/2012 10:02:23 AM, Error: EventLog [6008] - The previous system shutdown at 9:57:36 AM on 3/2/2012 was unexpected.

3/2/2012 1:32:37 PM, Error: Service Control Manager [7001] - The Windows Image Acquisition (WIA) service depends on the Shell Hardware Detection service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

3/2/2012 1:31:12 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service stisvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

3/2/2012 1:05:24 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: pgjpxip

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Tvtfilter service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Tdsmapi service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Sglogplayer service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The SfCtlCom service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Pinnacleupdatesvc service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Pinnaclemarvinusb service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Oracleservicesecinst service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Nsm1bus service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Lvsrvlauncher service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Lvhidsvc service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Hpqcxs08 service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Genregistrar service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The EPSON_EB_RPCV4_01 service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Crauto service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Cmuda3 service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Client32 service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Avgcoresvc service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The AtiPcie service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The Aracpi service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7023] - The APLMp50 service terminated with the following error: The specified module could not be found.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7003] - The SBSD Security Center Service service depends the following service: wscsvc. This service might not be installed.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

3/2/2012 1:05:24 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

3/2/2012 1:05:01 PM, Error: EventLog [6008] - The previous system shutdown at 12:58:07 PM on 3/2/2012 was unexpected.

3/1/2012 9:57:29 AM, Error: EventLog [6008] - The previous system shutdown at 9:55:12 AM on 3/1/2012 was unexpected.

3/1/2012 9:51:25 PM, Error: Service Control Manager [7000] - The HP Health Check Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/1/2012 9:51:23 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the HP Health Check Service service to connect.

3/1/2012 9:32:03 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

3/1/2012 9:31:52 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC MpFilter NetBIOS netbt nsiproxy pgjpxip PSched RasAcd rdbss Smb spldr tdx Wanarpv6

3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.

3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.

3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

3/1/2012 9:31:52 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

3/1/2012 9:31:52 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

3/1/2012 9:31:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

3/1/2012 9:31:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

3/1/2012 9:31:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}

3/1/2012 9:31:01 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

3/1/2012 9:30:35 PM, Error: EventLog [6008] - The previous system shutdown at 9:27:46 PM on 3/1/2012 was unexpected.

3/1/2012 9:21:55 PM, Error: EventLog [6008] - The previous system shutdown at 9:19:02 PM on 3/1/2012 was unexpected.

3/1/2012 9:13:11 PM, Error: EventLog [6008] - The previous system shutdown at 9:04:53 PM on 3/1/2012 was unexpected.

3/1/2012 7:09:54 PM, Error: EventLog [6008] - The previous system shutdown at 6:59:21 PM on 3/1/2012 was unexpected.

2/29/2012 9:59:11 PM, Error: EventLog [6008] - The previous system shutdown at 9:36:00 PM on 2/29/2012 was unexpected.

2/29/2012 9:48:30 AM, Error: EventLog [6008] - The previous system shutdown at 9:38:39 AM on 2/29/2012 was unexpected.

2/29/2012 6:46:43 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

2/29/2012 11:37:08 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Eventlog service.

2/29/2012 10:21:40 PM, Error: EventLog [6008] - The previous system shutdown at 10:19:02 PM on 2/29/2012 was unexpected.

2/28/2012 8:09:38 AM, Error: EventLog [6008] - The previous system shutdown at 11:23:13 PM on 2/27/2012 was unexpected.

2/28/2012 2:29:58 PM, Error: EventLog [6008] - The previous system shutdown at 1:12:31 PM on 2/28/2012 was unexpected.

2/27/2012 10:29:52 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

2/27/2012 10:29:52 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

2/27/2012 10:28:22 PM, Error: EventLog [6008] - The previous system shutdown at 10:25:09 PM on 2/27/2012 was unexpected.

2/27/2012 10:24:52 PM, Error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).

2/27/2012 10:24:39 PM, Error: Service Control Manager [7031] - The HP Health Check Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

2/26/2012 10:25:52 AM, Error: EventLog [6008] - The previous system shutdown at 10:00:40 AM on 2/26/2012 was unexpected.

2/25/2012 7:11:09 AM, Error: EventLog [6008] - The previous system shutdown at 7:09:23 AM on 2/25/2012 was unexpected.

2/25/2012 6:53:11 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10003] - WLAN Extensibility Module has stopped unexpectedly. Module Path: C:\Windows\System32\bcmihvsrv.dll

2/24/2012 7:43:52 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Tsmservice service to connect.

2/24/2012 7:19:42 PM, Error: EventLog [6008] - The previous system shutdown at 7:11:31 PM on 2/24/2012 was unexpected.

2/24/2012 5:32:39 PM, Error: EventLog [6008] - The previous system shutdown at 5:04:09 PM on 2/24/2012 was unexpected.

2/24/2012 4:30:12 AM, Error: EventLog [6008] - The previous system shutdown at 6:01:52 PM on 2/23/2012 was unexpected.

2/24/2012 11:57:50 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Live ID Sign-in Assistant service, but this action failed with the following error: An instance of the service is already running.

2/24/2012 11:57:40 PM, Error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

2/24/2012 11:27:37 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the hpqwmiex service to connect.

2/24/2012 11:27:37 AM, Error: Service Control Manager [7000] - The hpqwmiex service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

2/24/2012 11:26:39 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Live ID Sign-in Assistant service to connect.

2/24/2012 11:26:39 AM, Error: Service Control Manager [7000] - The Windows Live ID Sign-in Assistant service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

2/24/2012 11:25:09 AM, Error: EventLog [6008] - The previous system shutdown at 11:19:05 AM on 2/24/2012 was unexpected.

.

==== End Of File ===========================
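As an added example (not part of the thread or of DDS itself), a small Python triage script that parses DDS "Error:" lines like the ones in the log above and separates unexpected shutdowns, services DCOM could not start (with the Win32 meaning of the quoted error code), and services that crashed. The sample lines are copied from the log above; the note that error 1084 is the normal result of trying to start a non-Safe-Mode service during a Safe Mode boot is my own reading of that code.

```python
import re
from collections import Counter

# Sample input: lines copied from the DDS "Error:" section above, one per event type.
SAMPLE_LOG = """\
3/1/2012 9:31:52 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
3/1/2012 9:31:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
3/1/2012 9:30:35 PM, Error: EventLog [6008] - The previous system shutdown at 9:27:46 PM on 3/1/2012 was unexpected.
2/29/2012 6:46:43 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
2/27/2012 10:29:52 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/27/2012 10:24:39 PM, Error: Service Control Manager [7031] - The HP Health Check Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
"""

# DDS line shape: "<date time>, Error: <source> [<event id>] - <message>"
LINE_RE = re.compile(r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), Error: '
                     r'(?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$')
DCOM_RE = re.compile(r'DCOM got error "(?P<code>\d+)" attempting to start the service (?P<svc>\S+)')
SCM_START_RE = re.compile(r'^The (?P<svc>.+?) service failed to start')           # event 7000
SCM_WAIT_RE = re.compile(r'waiting for the (?P<svc>.+?) service to connect')     # event 7009
SCM_CRASH_RE = re.compile(r'^The (?P<svc>.+?) service terminated unexpectedly')  # events 7031/7034
SCM_RES = {"7000": SCM_START_RE, "7009": SCM_WAIT_RE, "7031": SCM_CRASH_RE, "7034": SCM_CRASH_RE}

# Win32 error codes DCOM reports when the Service Control Manager refuses a start.
WIN32_ERRORS = {
    "1053": "service did not respond to the start request in time",
    "1068": "a service this one depends on failed to start",
    "1084": "service cannot start in Safe Mode (expected on Safe Mode boots, not by itself a sign of tampering)",
}

def parse_dds_errors(text):
    """Parse DDS 'Error:' lines into dicts; blank and non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        if ev["source"].endswith("DistributedCOM") and ev["eid"] == "10005":
            d = DCOM_RE.search(ev["msg"])
            if d:
                ev["service"], ev["code"] = d.group("svc"), d.group("code")
        elif ev["source"] == "Service Control Manager" and ev["eid"] in SCM_RES:
            s = SCM_RES[ev["eid"]].search(ev["msg"])
            if s:
                ev["service"] = s.group("svc")
        events.append(ev)
    return events

def summarize(events):
    """Triage counts: crashes, services that could not start (with the Win32 code), services that died."""
    out = {"unexpected_shutdowns": 0, "dcom_by_code": Counter(),
           "services_not_started": set(), "services_crashed": set()}
    for ev in events:
        if ev["source"] == "EventLog" and ev["eid"] == "6008":
            out["unexpected_shutdowns"] += 1
        elif ev["eid"] == "10005" and "code" in ev:
            out["dcom_by_code"][ev["code"]] += 1
            out["services_not_started"].add(ev["service"])
        elif ev["eid"] in ("7000", "7009") and "service" in ev:
            out["services_not_started"].add(ev["service"])
        elif ev["eid"] in ("7031", "7034") and "service" in ev:
            out["services_crashed"].add(ev["service"])
    return out

if __name__ == "__main__":
    s = summarize(parse_dds_errors(SAMPLE_LOG))
    print("unexpected shutdowns:", s["unexpected_shutdowns"])
    for code, n in sorted(s["dcom_by_code"].items()):
        print(f"DCOM error {code} x{n}: {WIN32_ERRORS.get(code, 'unknown code')}")
    print("not started:", sorted(s["services_not_started"]), "crashed:", sorted(s["services_crashed"]))
```

Paste the whole "Error:" section of a DDS log into SAMPLE_LOG (or read it from a file) and the 6008 count alone tells you how many hard resets the machine has taken over the reporting window.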


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperable and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan being sure to update before scanning.

Post the scan results

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".


Thanks for responding, Larry. I'd received a virus in January that MalwareBytes had been unable to remove, along with another in February. These disabled Firewall, Windows Defender, Microsoft Security Essentials and would not let me enable them, nor uninstall them so they could be re-installed. And of course, every time I fired up, they would attract lots of other little infections that I would have to scan and delete. But the root causes would not go away.

This weekend disaster happened. After turning on my pc, the infection System Check popped up and started running. I was not around for a few mins and then tried to stop it, but it was too late. Looks like I lost all my data. And it won't let me run the DDS scan. If I save DDS to Desktop or Program Files, the infection removes it. I have to hide it somewhere else in a file that the infection already emptied. I've tried getting the DDS to run in regular and Safe modes to no avail, and have saved it multiple times.

Besides removing many programs and data, the infection has disabled about 20 of the System32 files. So I'm getting about 20 pop-ups of the files that cannot be read on start-up in regular mode. And of course the infection System Check Scan starts all over again. Later on another infection pop up about restoring files joins the fray.

Looks like I'm done for.

I will see if it will allow me to download Malware Bytes (since it removed it) and I'll give you the mbam scan within the hour.

Thanks for your help, Gunslinger


Under Program Files, the only folder that is left is Windows Collaboration. No other folders or files.

A quick question, as I try to download to mbam, it's sending me to c-net, is that legitimate, or am I being re-directed by this virus?

Two other symptoms I forgot to mention earlier, but I don't know if they'll give any insight: I tried System Restore twice today on the two most recent dates (although they were two weeks ago, which seems pretty far back) and it was unable to restore. My HP backup is stored on drive d, which says it's still full of data, but when I open drive D, it says folder is empty. So unless this infection is simply hiding all my stuff, it really has wiped out pretty much all data.

Secondly, as I've seen a gazillion other people have been by the same thing on these two most recent pages, the first symptoms when I had those couple of non-removable infections, was mostly just redirects on my google and yahoo searches. I'm sure you're way ahead of me on that, but just trying to get the word out for others not to ignore things that seem merely pesky.

So unfortunately, I don't have any of the malwarebytes files, like chameleon anymore. Is this download on Cnet you guys? It's been quite a while since I installed Mbam and I don't remember it going to a different url such as cnet. As you can imagine, I'm being a bit over-careful.

Thanks again


Yes, c-net is a legit download for MBAM.

Let's try this first:

Download unhide.exe & save it to your windows folder:

Right click on unhide.exe and select Run as administrator (In case you have Vista or Win7)

Reboot

This will unhide folders/files that were set to be hidden by the infection you had.


Larry, you're a magician. All the files reappeared.

But I battled all night, going back and forth between safe and regular modes. DDS will not run. The first few times, it would run for 30-45 mins and finally freeze up my pc. I deleted and reloaded (for some reason, I could only download it in regular mode), hoping that would solve the problem, but it hasn't. Now it just runs forever but never concludes. Sometimes it just makes my pc inert, as opposed to frozen.

Every time I popped back to regular mode, the infection "System Check" would start all over again, hiding files. I was finally able to update mbam again and run it. It removed 5 infections, but still, the root causes are there, causing System Check to kick in again if I open in regular mode.

Sorry this one's such a hassle for you. What step should I take next?


We made progress

Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


It just gets better and better... Just so you know, anytime I try to do "Save As" for downloading DDS or ComboFix, it won't save when I'm in Safe Mode. Only in regular mode, which means, of course, that half of my files disappear due to System Check before I can get the download and pull the plug....

ComboFix has popped a message to turn off Microsoft Security Essentials before proceeding. But when I open MSE it says it is turned off (in warning Red) and does not allow me to access settings - simply locked up. So how do I get around this?


Ok, I've tried many times to run ComboFix both from on my hard-drive and from thumb-drive as you suggested. MSE seems to be holding it up still. I've tried to manually turn off MSE from ConfigSecurityPolicy, Setup and msseces .exe files, but all are stopping me. I go ahead and let ComboFix run despite its warnings of MSE being on (even though the virus gives me the message that it is turned off). It works a little bit and then just dies out. I've twice given it an hour to see if it will finally move on but it doesn't.

This is the same behavior I was getting on trying to run DDS. It eventually freezes or goes inert. However, unlike DDS, I've only tried CF in safe mode, not both modes. And I was originally getting error messages when trying to run: "Error opening file for writing C:\.....\pev.3XE"

In Task Manager, I find that CPU activity goes to 0 for CF15657.3XE - Windows Command Processor.

There is small CPU activity for swxcacls.3XE - Freeware Implementation of xcacls

Please advise, thanks.


Yeah, that's the original problem I've been trying to fix for some weeks. MSE, Windows Defender, Firewall have all been disabled from being uninstalled. I just tried again a few times in case the newest updates of mbam had a fix, but I still can't get them to turn on or uninstall. The good news is System Check has finally disappeared.

What happens with MSE is it tells me: "Error code 0x8004FF56 Security Essentials Installation Wizard is missing a filter manager rollup package needed to complete this installation. To continue installing SE, first download required package."

It then sends me to download an XP .exe file. However, after downloading and during or right after extracting, a popup error says the installation didn't complete. Sometimes it gets as far as the new .exe file opening its installation window for half a sec (that's when I do run instead of save as) but immediately the installation error popup takes over.

So I'm back to where I was a few weeks ago when the first infection or two were not removed by mbam, and they disabled MSE, Firewall, Defender and I started attracting all the monsters.

While typing this, I ran mbam in regular mode. First time I've been able to do that without any infections coming up. So I am celebrating that. The newest updates have kept System Check and its ilk from ravaging me. But as long as my defenses are down, new ones will come at some point.

So what do you think I should try?


Alright, I let ComboFix go for 45 mins. Nothing. Tried DDS again. It locked up after a while. I deleted ComboFix and downloaded again, in case somehow these nasties were messing with it.

It took a while, finally the popups for installing files came up. Some delays, but they would eventually continue.

But then a third popup happened. It was fast and I wasn't paying that much attention. What I did catch before it disappeared was something about "breaking up registry..." and then the long file name at the end, ending in ".hiv-xxxxxx" something or other. The hiv at the end of the file name got my attention. But it disappeared before I could grab pen and paper.

I let the ComboFix window stay open/run for maybe 25-30 mins, nothing happening. And finally my windows explorer and computer froze up.

So, do the bad guys have something that is preventing ComboFix and DDS from loading/working on my pc? I've been trying to use those programs for days to no avail.

Sorry this is such a frustrating one, Larry, I do appreciate your help.


Larry, I keep trying ComboFix and DDS both from saved files on my pc as well as from the flash drive, both in regular and safe modes. The file that keeps popping up when I run ComboFix as having an error is: C:32788R22FWJFW\pev.3XE

It keeps preventing the installation/run. I have deleted and saved again the two programs many times, but keep being stopped by the pev.3XE file. One interesting point, when in safe mode, I am not even allowed to download CF or DDS. I can only get them when in regular mode. Something freezes me up when trying to get them in safe mode.

So, have we run out of bullets?


Download Combofix from any of the links below but rename it to iexplore.exe before saving it to your desktop.

If need be, Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

Note:

If combofix (iexplore.exe) won't run from the desktop, try running it from the USB device.

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save iexplore.exe to your Desktop

Double click on the iexplore.exe ComboFix.exe & follow the prompts.

Be sure to download any updates.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


Good idea on renaming the file when I saved it to the flash drive, I should have thought of that precaution.

Unfortunately, it did not work, in neither safe nor regular modes.

But something interesting did occur.

In all my previous attempts, I would allow CF to run maybe up to a little over an hour or so. Often it didn't matter cause it would simply make my pc freeze or inert before that much time passed anyway. But I finally just ran the program and let it loose.

And 3.5 hours later I got a pop up. Rocketkit [not rootkit] infection has been detected. Be patient, this may take some time.

I rejoiced and made promises to God when I hit the Ok button. And not a darn thing ever happened again.

I let it stay on for another 15 hours. Not a thing. Sigh.

Also tried DDS again, it just adds up the #########s and nothing ever happens. Or as in the case this evening, my pc finally froze.

Please advise.


Delete these files if found.

C:\Windows\system32\S6ovG.com

c:\windows\system32\S6ovG.exe_

c:\windows\system32\S6ovG.exe

c:\users\owner\appdata\local\pjxqczxucj.exe

C:\Windows\TEMP\hki9473.exe

C:\Windows\TEMP\hki9473.exe

C:\Windows\TEMP\hki9473.exe

Delete all files in this folder: C:\Windows\TEMP\


I also found the c:\users\owner\appdata\local\pjxqczxucj.exe and deleted it.

I did not find these three that you listed: C:\Windows\TEMP\hki9473.exe

C:\Windows\TEMP\hki9473.exe

C:\Windows\TEMP\hki9473.exe

but I did find a similar one: hki28927.exe

And it is dated 3/12/2012. So do I get rid of it also?

Your last instruction puzzled me. Quote: " Delete all files in this folder: C:\Windows\TEMP\ "

Did you really mean the entire Windows\Temp\ folder? Or did you accidentally truncate the file you were going to tell me to remove?


ComboFix not really working. At 9 minutes after starting, the installation/registry backup box pops up and runs.

At 12 minutes, pop up: Infected with Rootkit.ZeroAccess! It has inserted itself into tcp/ip stack. This is a particularly difficult infection. If unable to connect to internet after running Combofix, reboot once and see if it fixes the problem. If not fixed, run CF once more.

A couple of mins after that: Rootkit is detected. Be patient as this may take some moments.

And then nothing happens for hours.

Please advise.


Let's give another tool a try.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Download TDSSKiller from here and save it to your Desktop.

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  1. Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
    tdss_1.jpg
  2. Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
    tdss_2.jpg
  3. Click the Start Scan button.
    tdss_3.jpg
  4. If a suspicious object is detected, the default action will be Skip, click on Continue.
    tdss_4.jpg
  5. If malicious objects are found, they will show in the Scan results and offer three (3) options.
  6. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    tdss_5.jpg

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

