
machine acting strange


This topic is locked. 209 replies to this topic.

#196 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 14 November 2008 - 06:26 PM

:Processes
explorer.exe
winmnawu.exe
winrldyen.exe
winvnxrd.exe

:Services

:Reg

:Files
C:\WINDOWS\TEMP\winmnawu.exe
C:\WINDOWS\TEMP\winrldyen.exe
C:\WINDOWS\TEMP\winvnxrd.exe

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 


#197 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 14 November 2008 - 06:37 PM

Here are the logs

========== PROCESSES ==========
Process explorer.exe killed successfully.
Unable to kill process: winmnawu.exe
Unable to kill process: winrldyen.exe
Unable to kill process: winvnxrd.exe
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\WINDOWS\TEMP\winmnawu.exe moved successfully.
C:\WINDOWS\TEMP\winrldyen.exe moved successfully.
C:\WINDOWS\TEMP\winvnxrd.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\James\LOCALS~1\Temp\Perflib_Perfdata_77c.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\James\LOCALS~1\Temp\Perflib_Perfdata_e78.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_710.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11142008_192748

Files moved on Reboot...
File C:\DOCUME~1\James\LOCALS~1\Temp\Perflib_Perfdata_77c.dat not found!
File C:\DOCUME~1\James\LOCALS~1\Temp\Perflib_Perfdata_e78.dat not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_710.dat not found!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:34:07, on 2008-11-14
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\TEMP\winhsbsqy.exe
C:\WINDOWS\TEMP\winscpt.exe
C:\WINDOWS\TEMP\rcfql.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6907 bytes


Just checked windows\temp and 3 new .exe are there.

#198 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 14 November 2008 - 06:40 PM

Gator, sorry. Beats my two pair. I hate to fail and run, but I've got to be offline until Sunday night. If somebody else hasn't got you straightened out by then, I'll try to come up with another harebrained idea.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#199 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 14 November 2008 - 06:45 PM

Ok, no problem. This win32/Sality.nar is very vigorous. I think one reason the .dat files were not found on the OJT reboot is that they are renamed from one boot to the next. Maybe we could try deleting Perflib_Perfdata_whatever.dat. I will be gone here also most of the weekend; will check back late Sunday if possible, and if not, on Monday evening. Thanks to you all.

#200 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 14 November 2008 - 06:51 PM

Hello Gator

I will be helping you

Few things we need to do


  • Make sure you have an Internet Connection.
  • Download OTCleanIt to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTCleanIt from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



Then do this


Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.
  • Open the OTScanIt2 folder and double-click on OTScanIt.exe to start the program.
  • Under File Age at the top, change it from 30 days to 90 days
  • Under Additional Scans check the boxes beside Reg - ColumnHandlers, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg - File Associations, Reg - NetSvcs, Reg - Protocol Filters, Reg - Protocol Handlers, Reg - Session Manager Settings, Reg - Winsock2 Catalogs, File - Lop Check, File - Purity Scan, Files - Signature Check, and Evnt - EventViewer Logs ( Last 10 Errors).
  • Under Rootkit Search change it to Yes
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way

#201 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 14 November 2008 - 07:14 PM

Ok Thanks Report attached


#202 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 14 November 2008 - 07:22 PM

Ok lets continue

You need to disconnect your PC from the internet completely before doing this fix



Start OTScanIt2. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Safe List]
YN -> aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe
YY -> winpglgdd.exe -> %SystemRoot%\temp\winpglgdd.exe
YY -> winpevpx.exe -> %SystemRoot%\temp\winpevpx.exe
YY -> gprk.exe -> %SystemRoot%\temp\gprk.exe
[Win32 Services - Safe List]
YY -> (Viewpoint Manager Service) Viewpoint Manager Service [Win32_Own | Disabled | Stopped] ->
[Registry - Safe List]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value does not exist or could not be read.]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\TEMP\bklwon.exe" -> C:\WINDOWS\TEMP\bklwon.exe [C:\WINDOWS\TEMP\bklwon.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\erjt.exe" -> C:\WINDOWS\TEMP\erjt.exe [C:\WINDOWS\TEMP\erjt.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\fhtyo.exe" -> C:\WINDOWS\TEMP\fhtyo.exe [C:\WINDOWS\TEMP\fhtyo.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\fhyw.exe" -> C:\WINDOWS\TEMP\fhyw.exe [C:\WINDOWS\TEMP\fhyw.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\glsecx.exe" -> C:\WINDOWS\TEMP\glsecx.exe [C:\WINDOWS\TEMP\glsecx.exe:*:Enabled:ipsec]
YY -> "C:\WINDOWS\TEMP\gprk.exe" -> C:\WINDOWS\temp\gprk.exe [C:\WINDOWS\TEMP\gprk.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\jkvpe.exe" -> C:\WINDOWS\TEMP\jkvpe.exe [C:\WINDOWS\TEMP\jkvpe.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\jxxtos.exe" -> C:\WINDOWS\TEMP\jxxtos.exe [C:\WINDOWS\TEMP\jxxtos.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\lrev.exe" -> C:\WINDOWS\TEMP\lrev.exe [C:\WINDOWS\TEMP\lrev.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\mkeocc.exe" -> C:\WINDOWS\TEMP\mkeocc.exe [C:\WINDOWS\TEMP\mkeocc.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\njxb.exe" -> C:\WINDOWS\TEMP\njxb.exe [C:\WINDOWS\TEMP\njxb.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\nvytp.exe" -> C:\WINDOWS\TEMP\nvytp.exe [C:\WINDOWS\TEMP\nvytp.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\oedl.exe" -> C:\WINDOWS\TEMP\oedl.exe [C:\WINDOWS\TEMP\oedl.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\pbhq.exe" -> C:\WINDOWS\TEMP\pbhq.exe [C:\WINDOWS\TEMP\pbhq.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\qcxwk.exe" -> C:\WINDOWS\TEMP\qcxwk.exe [C:\WINDOWS\TEMP\qcxwk.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\qmmjee.exe" -> C:\WINDOWS\TEMP\qmmjee.exe [C:\WINDOWS\TEMP\qmmjee.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\rcfql.exe" -> C:\WINDOWS\TEMP\rcfql.exe [C:\WINDOWS\TEMP\rcfql.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\saehng.exe" -> C:\WINDOWS\TEMP\saehng.exe [C:\WINDOWS\TEMP\saehng.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\tleyg.exe" -> C:\WINDOWS\TEMP\tleyg.exe [C:\WINDOWS\TEMP\tleyg.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\ualqg.exe" -> C:\WINDOWS\TEMP\ualqg.exe [C:\WINDOWS\TEMP\ualqg.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\uhrgdy.exe" -> C:\WINDOWS\TEMP\uhrgdy.exe [C:\WINDOWS\TEMP\uhrgdy.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\undjjx.exe" -> C:\WINDOWS\TEMP\undjjx.exe [C:\WINDOWS\TEMP\undjjx.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\winajnjv.exe" -> C:\WINDOWS\TEMP\winajnjv.exe [C:\WINDOWS\TEMP\winajnjv.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\wincpik.exe" -> C:\WINDOWS\TEMP\wincpik.exe [C:\WINDOWS\TEMP\wincpik.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\windgwy.exe" -> C:\WINDOWS\TEMP\windgwy.exe [C:\WINDOWS\TEMP\windgwy.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\windumtar.exe" -> C:\WINDOWS\TEMP\windumtar.exe [C:\WINDOWS\TEMP\windumtar.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\winegjhb.exe" -> C:\WINDOWS\TEMP\winegjhb.exe [C:\WINDOWS\TEMP\winegjhb.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\winfdwa.exe" -> C:\WINDOWS\TEMP\winfdwa.exe [C:\WINDOWS\TEMP\winfdwa.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\wingeik.exe" -> C:\WINDOWS\TEMP\wingeik.exe [C:\WINDOWS\TEMP\wingeik.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\winhsbsqy.exe" -> C:\WINDOWS\TEMP\winhsbsqy.exe [C:\WINDOWS\TEMP\winhsbsqy.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\winmnawu.exe" -> C:\WINDOWS\TEMP\winmnawu.exe [C:\WINDOWS\TEMP\winmnawu.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\winmpvvyd.exe" -> C:\WINDOWS\TEMP\winmpvvyd.exe [C:\WINDOWS\TEMP\winmpvvyd.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\winmveqbf.exe" -> C:\WINDOWS\TEMP\winmveqbf.exe [C:\WINDOWS\TEMP\winmveqbf.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\winnxafoq.exe" -> C:\WINDOWS\TEMP\winnxafoq.exe [C:\WINDOWS\TEMP\winnxafoq.exe:*:Enabled:ipsec]
YY -> "C:\WINDOWS\TEMP\winpevpx.exe" -> C:\WINDOWS\temp\winpevpx.exe [C:\WINDOWS\TEMP\winpevpx.exe:*:Enabled:ipsec]
YY -> "C:\WINDOWS\TEMP\winpglgdd.exe" -> C:\WINDOWS\temp\winpglgdd.exe [C:\WINDOWS\TEMP\winpglgdd.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\winqjrh.exe" -> C:\WINDOWS\TEMP\winqjrh.exe [C:\WINDOWS\TEMP\winqjrh.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\winrldyen.exe" -> C:\WINDOWS\TEMP\winrldyen.exe [C:\WINDOWS\TEMP\winrldyen.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\winscpt.exe" -> C:\WINDOWS\TEMP\winscpt.exe [C:\WINDOWS\TEMP\winscpt.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\winssfavh.exe" -> C:\WINDOWS\TEMP\winssfavh.exe [C:\WINDOWS\TEMP\winssfavh.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\winvkjifr.exe" -> C:\WINDOWS\TEMP\winvkjifr.exe [C:\WINDOWS\TEMP\winvkjifr.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\winvnxrd.exe" -> C:\WINDOWS\TEMP\winvnxrd.exe [C:\WINDOWS\TEMP\winvnxrd.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\winwjldu.exe" -> C:\WINDOWS\TEMP\winwjldu.exe [C:\WINDOWS\TEMP\winwjldu.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\winymivl.exe" -> C:\WINDOWS\TEMP\winymivl.exe [C:\WINDOWS\TEMP\winymivl.exe:*:Enabled:ipsec]
[Files/Folders - Created Within 90 Days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> rsit -> %SystemDrive%\rsit
NY -> RSIT.exe -> %UserProfile%\Desktop\RSIT.exe
NY -> cureit.exe -> %UserProfile%\Desktop\cureit.exe
NY -> autoruns.exe -> %UserProfile%\Desktop\autoruns.exe
NY -> Autoruns -> %UserProfile%\Desktop\Autoruns
NY -> Autoruns.zip -> %UserProfile%\Desktop\Autoruns.zip
NY -> Firefox Setup 3.0.3.exe -> %UserProfile%\Desktop\Firefox Setup 3.0.3.exe
NY -> JavaRa -> %UserProfile%\Desktop\JavaRa
NY -> JavaRa.zip -> %UserProfile%\Desktop\JavaRa.zip
NY -> Lop SD -> %SystemDrive%\Lop SD
NY -> LopSD.exe -> %UserProfile%\Desktop\LopSD.exe
NY -> Flash_Disinfector.exe -> %UserProfile%\Desktop\Flash_Disinfector.exe
NY -> Qoobox -> %ProgramFiles%\Qoobox
NY -> WinsockxpFix.exe -> %UserProfile%\Desktop\WinsockxpFix.exe
NY -> mbam-setup.exe -> %UserProfile%\Desktop\mbam-setup.exe
NY -> Viewpoint -> %CommonProgramFiles%\Viewpoint
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.



Also post a new HJT log and the Eset Online Scanner log from before if you have it
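The logs in this thread show three things worth pulling out mechanically rather than by eye: executables with random names running from C:\WINDOWS\TEMP (the HijackThis "Running processes" list in #197), Windows Firewall exceptions under SharedAccess\...\AuthorizedApplications\List that whitelist those same TEMP executables (the OTScanIt fix in #202), and a policy value (O7 DisableRegedit=1) that locks the user out of regedit. The following triage script is an added example and is not code from the thread, from OldTimer's tools or from Trend Micro; it only knows the log formats from the lines visible above, and the sample log it runs on is constructed to match those lines, not copied from the attached reports.

```python
"""Triage helper for HijackThis / OTScanIt-style text logs.

Added example; the regexes are assumptions derived from the log lines visible
in the thread (process lists, "Unable to kill process" lines, firewall
AuthorizedApplications entries, O7 policy lines), not a published log spec.
"""
from __future__ import annotations

import re

# Constructed sample in the shape of the posted logs (not a real log from the thread).
SAMPLE_LOG = r"""
Process explorer.exe killed successfully.
Unable to kill process: winmnawu.exe
Unable to kill process winpglgdd.exe .
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\TEMP\winhsbsqy.exe
C:\WINDOWS\TEMP\rcfql.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
YY -> gprk.exe -> %SystemRoot%\temp\gprk.exe
YN -> "C:\WINDOWS\TEMP\bklwon.exe" -> C:\WINDOWS\TEMP\bklwon.exe [C:\WINDOWS\TEMP\bklwon.exe:*:Enabled:ipsec]
YN -> "C:\WINDOWS\TEMP\rcfql.exe" -> C:\WINDOWS\TEMP\rcfql.exe [C:\WINDOWS\TEMP\rcfql.exe:*:Enabled:ipsec]
NY -> mbam-setup.exe -> %UserProfile%\Desktop\mbam-setup.exe
"""

# An .exe whose path has a "temp" directory component, with a drive letter or
# %VAR% prefix. Executables living in a temp directory are not normal on a
# workstation and are the recurring theme of the logs above.
TEMP_EXE_RE = re.compile(
    r'(?:[a-z]:|%[a-z]+%)\\(?:[^\s"\[\]\\]+\\)*temp\\[^\s"\[\]\\]+\.exe',
    re.IGNORECASE,
)

# Windows Firewall (XP) AuthorizedApplications value data: "path:*:Enabled:name".
FIREWALL_RE = re.compile(
    r'\[([a-z]:\\[^\[\]:]+):\*:(Enabled|Disabled):([^\]]*)\]', re.IGNORECASE
)

# Both spellings seen in the OTMoveIt/OTScanIt logs: "process: x.exe" and "process x.exe .".
UNKILLED_RE = re.compile(r'Unable to kill process:?\s+([^\s.]+\.exe)', re.IGNORECASE)

REGEDIT_RE = re.compile(r'DisableRegedit=1')


def find_temp_executables(log: str) -> list[str]:
    """Unique, lower-cased paths of .exe files located under a temp directory."""
    return sorted({m.group(0).lower() for m in TEMP_EXE_RE.finditer(log)})


def find_firewall_exceptions(log: str) -> list[tuple[str, str, str]]:
    """(path, Enabled|Disabled, rule name) for every firewall exception in the log."""
    return [(m.group(1), m.group(2), m.group(3)) for m in FIREWALL_RE.finditer(log)]


def find_unkilled_processes(log: str) -> list[str]:
    """Image names the fix tool reported it could not terminate."""
    return [m.group(1).lower() for m in UNKILLED_RE.finditer(log)]


def regedit_disabled(log: str) -> bool:
    """True if an O7 line shows the DisableRegedit policy set."""
    return REGEDIT_RE.search(log) is not None


def triage(log: str) -> dict:
    """Cross-reference the findings: an *enabled* firewall exception that points
    at an executable in a temp directory is the strongest indicator here."""
    temp_exes = find_temp_executables(log)
    exceptions = find_firewall_exceptions(log)
    temp_set = set(temp_exes)
    suspicious = [
        path for path, state, _name in exceptions
        if state.lower() == "enabled" and path.lower() in temp_set
    ]
    return {
        "temp_executables": temp_exes,
        "firewall_exceptions": exceptions,
        "suspicious_exceptions": suspicious,
        "unkilled_processes": find_unkilled_processes(log),
        "regedit_disabled": regedit_disabled(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved HijackThis or OTScanIt log by reading the file into `triage()`. The "unkilled_processes" list is the practical caveat the thread illustrates: a file that was "moved successfully" while its process could not be killed is still running and can recreate itself under a new random name, which is exactly what Gator reports after the #196 fix.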

#203 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 14 November 2008 - 07:36 PM

Ok Here are 2 logs. When the Eset Online Scanner ran it showed me what it did but could not get it to a log.

Explorer killed successfully
[Processes - Safe List]
Unable to kill process aawservice.exe .
Unable to kill process winpglgdd.exe .
C:\WINDOWS\temp\winpglgdd.exe moved successfully.
Unable to kill process winpevpx.exe .
C:\WINDOWS\temp\winpevpx.exe moved successfully.
Unable to kill process gprk.exe .
C:\WINDOWS\temp\gprk.exe moved successfully.
[Win32 Services - Safe List]
Service Viewpoint Manager Service stopped successfully.
Service Viewpoint Manager Service deleted successfully.
File not found.
[Registry - Safe List]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\bklwon.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\erjt.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\fhtyo.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\fhyw.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\glsecx.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\gprk.exe deleted successfully.
File C:\WINDOWS\temp\gprk.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\jkvpe.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\jxxtos.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\lrev.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\mkeocc.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\njxb.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\nvytp.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\oedl.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\pbhq.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\qcxwk.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\qmmjee.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\rcfql.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\saehng.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\tleyg.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\ualqg.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\uhrgdy.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\undjjx.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winajnjv.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\wincpik.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\windgwy.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\windumtar.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winegjhb.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winfdwa.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\wingeik.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winhsbsqy.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winmnawu.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winmpvvyd.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winmveqbf.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winnxafoq.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winpevpx.exe deleted successfully.
File C:\WINDOWS\temp\winpevpx.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winpglgdd.exe deleted successfully.
File C:\WINDOWS\temp\winpglgdd.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winqjrh.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winrldyen.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winscpt.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winssfavh.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winvkjifr.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winvnxrd.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winwjldu.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winymivl.exe deleted successfully.
[Files/Folders - Created Within 90 Days]
C:\rsit folder moved successfully.
C:\Documents and Settings\James\Desktop\RSIT.exe moved successfully.
C:\Documents and Settings\James\Desktop\cureit.exe moved successfully.
C:\Documents and Settings\James\Desktop\autoruns.exe moved successfully.
C:\Documents and Settings\James\Desktop\Autoruns folder moved successfully.
C:\Documents and Settings\James\Desktop\Autoruns.zip moved successfully.
C:\Documents and Settings\James\Desktop\Firefox Setup 3.0.3.exe moved successfully.
C:\Documents and Settings\James\Desktop\JavaRa folder moved successfully.
C:\Documents and Settings\James\Desktop\JavaRa.zip moved successfully.
C:\Lop SD folder moved successfully.
C:\Documents and Settings\James\Desktop\LopSD.exe moved successfully.
C:\Documents and Settings\James\Desktop\Flash_Disinfector.exe moved successfully.
C:\Program Files\Qoobox\Quarantine\Registry_backups folder moved successfully.
C:\Program Files\Qoobox\Quarantine\F folder moved successfully.
C:\Program Files\Qoobox\Quarantine\C\WINDOWS\temp folder moved successfully.
C:\Program Files\Qoobox\Quarantine\C\WINDOWS\Tasks folder moved successfully.
C:\Program Files\Qoobox\Quarantine\C\WINDOWS\system32 folder moved successfully.
C:\Program Files\Qoobox\Quarantine\C\WINDOWS folder moved successfully.
C:\Program Files\Qoobox\Quarantine\C\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images folder moved successfully.
C:\Program Files\Qoobox\Quarantine\C\Program Files\Viewpoint\Viewpoint Manager\ViewCPData folder moved successfully.
C:\Program Files\Qoobox\Quarantine\C\Program Files\Viewpoint\Viewpoint Manager folder moved successfully.
C:\Program Files\Qoobox\Quarantine\C\Program Files\Viewpoint\Viewpoint Experience Technology\Components folder moved successfully.
C:\Program Files\Qoobox\Quarantine\C\Program Files\Viewpoint\Viewpoint Experience Technology folder moved successfully.
C:\Program Files\Qoobox\Quarantine\C\Program Files\Viewpoint\Common folder moved successfully.
C:\Program Files\Qoobox\Quarantine\C\Program Files\Viewpoint folder moved successfully.
C:\Program Files\Qoobox\Quarantine\C\Program Files folder moved successfully.
C:\Program Files\Qoobox\Quarantine\C\Documents and Settings\James folder moved successfully.
C:\Program Files\Qoobox\Quarantine\C\Documents and Settings folder moved successfully.
C:\Program Files\Qoobox\Quarantine\C folder moved successfully.
C:\Program Files\Qoobox\Quarantine folder moved successfully.
C:\Program Files\Qoobox folder moved successfully.
C:\Documents and Settings\James\Desktop\WinsockxpFix.exe moved successfully.
C:\Documents and Settings\James\Desktop\mbam-setup.exe moved successfully.
C:\Program Files\Common Files\Viewpoint\Toolbar Runtime folder moved successfully.
C:\Program Files\Common Files\Viewpoint folder moved successfully.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.0.33b fix logfile created on 11142008_202628


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:32:26, on 2008-11-14
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6787 bytes
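As an added triage example (not code from this thread or from HijackThis, OTScanIt2 or any other tool named in it), the script below scans HijackThis-style log lines, and the OTScanIt2 registry lines above, for the indicators this thread turned up: executables run from C:\WINDOWS\TEMP, Policies\System restrictions such as DisableRegedit=1 or DisableTaskMgr=1, and Winsock LSP entries HijackThis could not identify. The sample log is constructed from the formats shown on this page.

```python
"""Flag the indicator types seen in this thread in a HijackThis-style log."""
import re
from typing import List, Tuple

# Constructed sample, modelled on the HijackThis and OTScanIt2 lines above
# (a mix of legitimate entries and the suspicious ones the helpers acted on).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [winvkjifr] C:\WINDOWS\TEMP\winvkjifr.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\winvnxrd.exe deleted successfully.
"""

# An .exe launched from the Windows temp folder (autorun, firewall exception, ...).
TEMP_EXE = re.compile(r"[a-z]:\\windows\\temp\\[^\\\s\"]+\.exe", re.IGNORECASE)
# O7 lines: Policies\System restrictions; only a value of 1 is a restriction.
POLICY = re.compile(r"^O7 - .*Policies\\System, (Disable\w+)=(\d)")
# O10 lines: LSP modules HijackThis could not identify (needs manual review;
# nwprovau.dll is the NetWare provider and is normally legitimate).
LSP = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (indicator_type, value) pairs for every line that matches."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = TEMP_EXE.search(line)
        if m:
            findings.append(("exe-in-windows-temp", m.group(0)))
        m = POLICY.match(line)
        if m and m.group(2) == "1":
            findings.append(("policy-restriction", m.group(1)))
        m = LSP.match(line)
        if m:
            findings.append(("unknown-lsp", m.group(1).strip()))
    return findings


if __name__ == "__main__":
    for kind, value in triage(SAMPLE_LOG):
        print(f"{kind:22} {value}")
```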

#204 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 14 November 2008 - 07:48 PM

How is your PC running ?

#205 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 14 November 2008 - 07:57 PM

Still cannot access the Trend Micro Internet Security Control Panel; keep getting a dialog box stating that there is no internet connection, etc. The following files are in the windows\temp folder:
T30debuglogfile.txt
WGAErrlog.txt
WGANofify.settings
Perflib_Perfdata_710.dat
There are no .exe files in the windows\temp folder as yet, but I have not rebooted the computer since the internet connection reconnected. Still do not know if I can go to safe mode.


#206 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 14 November 2008 - 08:00 PM

Those files are legit

Let's do a few scans. Sorry if you have done these before, but it's important I see new ones.


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.



Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#207 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 14 November 2008 - 08:24 PM

Ran Mbam, here is the log:

Malwarebytes' Anti-Malware 1.30
Database version: 1399
Windows 5.1.2600 Service Pack 3

2008-11-14 21:07:35
mbam-log-2008-11-14 (21-07-35).txt

Scan type: Quick Scan
Objects scanned: 55929
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Clicked on reboot as Mbam requested. Was presented with a dialog box stating that netsh.exe failed to initialize. System rebooted. Was presented with a dialog box stating that jusched.exe (Java) encountered a problem and needs to close. I am unable to get to the Kaspersky site; W32/Sality will not allow it. Downloaded ComboFix, but I am unable to access the anti-virus program to turn it off. Stopped here to let you know what has happened and make sure you want me to continue with ComboFix. There are 4 new .exe files in the windows\temp folder:
windvqg
winsixes
ufboy
hetjv
winsixes has now disappeared from the folder. Got to get some sleep, up since 3 am. Thanks, will be back when I can this weekend.

Edited by Gator, 14 November 2008 - 08:49 PM.


#208 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 15 November 2008 - 05:40 AM

Thanks but that is not an option have no os disks to reload this unit.

You can use the Windows OS CD's that you have with your desktop if you have those. If you don't have any Windows OS CD's, contact Microsoft or go purchase it.

This is from an expert in our field.

This user is infected with Sality, so as long as the legitimate exes are not disinfected, there's no way you can clean this machine. These random files in the temp folder will always be regenerated again.
There's no way you can deal with this manually, since it's an AV scanner that should disinfect the legitimate exe files first.
Problem is, Sality targets most AV scanners, and even if you manage to install an AV scanner that is not targeted, Sality will infect it as well.
Even if the files could be disinfected, a lot of the exe files will become corrupted > result > damaged Windows.

So, this is actually a lost case and the fastest and especially safest method is to format and reinstall. I don't see any other solution.
This thread has been going on for too long and imho this is irresponsible, because as long as this computer stays online, it's responsible for infecting a lot of other computers.


The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#209 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 16 November 2008 - 03:32 PM

Thanks for the last post, except for the quote from the expert about my being irresponsible. I was only trying to get help for my other computer. I thought this was the place to come for that, but guess he feels I have taken too much time and have run the risk of infecting other units. My apology to you all. I will not be logging in again, so as not to place this service at peril.

#210 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 17 November 2008 - 04:29 PM

except for the quote from the expert about my being irresponsible.

That was directed to me not you. Guess I should have removed that part before posting.

