[Resolved] Can't install driver & can't use system re


This topic is locked. 16 replies to this topic.

#1 MrTony (Authentic Member, 24 posts)

Posted 31 May 2009 - 02:40 PM

I am having an issue with the kid's game computer. I had an issue running a couple of their games that I thought was a video driver problem. I removed the Nvidia driver and attempted to install the latest version. Installing the new driver continues to fail saying I do not have authorization to run the install. I am set up as admin. I attempted to revert back to a previous restore point but system restore is not working. This makes me think it may be malware related. I am attaching a hijack this log. I would appreciate it if someone could take a quick look at it.

Thanks in advance.

Tony

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:13 PM, on 5/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1158796334961
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1158796321226
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe

--
End of file - 6741 bytes
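Nothing in the log above is flagged by the helper later in the thread, but a practitioner reading a HijackThis log by hand applies the same few review prompts every time. The script below is an added example (editor's code, not HijackThis's own logic and not from this thread) that encodes three of them: per-user Startup folder items (O4 `Startup:`), ActiveX controls with no recorded download source (O16 with an empty URL), and services whose binary lives outside `C:\WINDOWS` and `C:\Program Files` (O23). The sample log is a constructed subset of the lines posted above; the rules are review heuristics, so a hit means "look at this", not "this is malware".

```python
"""Triage heuristics for a Trend Micro HijackThis v2 log (added example).

The rules are the editor's own review prompts, not HijackThis verdicts:
a flagged line means "look at this", not "this is malware".
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O4/O16/O23 lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = ?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1158796334961
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
""".strip("\n")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section id, e.g. "O4"
    item: str      # the log line that triggered the rule
    reason: str    # why a human should look at it


# O4: autostart entries. "Startup" (no prefix) is the per-user Startup folder.
O4_RE = re.compile(r"^O4 - (?P<loc>HKLM|HKCU|Startup|Global Startup)[^:]*: (?P<rest>.*)$")
# O16: downloaded ActiveX controls (DPF). The URL may be empty.
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) -\s*(?P<url>\S*)$")
# O23: services as "display name (short name) - vendor - image path".
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

# Directories from which an XP service binary is normally expected to run
# (editor's assumption; plenty of legitimate vendors break this rule).
EXPECTED_SERVICE_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def triage(log_text):
    """Return the Findings for every line that trips one of the three rules."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O4_RE.match(line)) and m["loc"] == "Startup":
            findings.append(Finding(
                "O4", line,
                "per-user Startup folder item: not registry-managed, confirm the file is expected"))
        elif (m := O16_RE.match(line)) and not m["url"]:
            findings.append(Finding(
                "O16", line, f"ActiveX control {m['name']} has no download source recorded"))
        elif (m := O23_RE.match(line)) and not m["path"].lower().startswith(EXPECTED_SERVICE_ROOTS):
            findings.append(Finding(
                "O23", line, f"service binary outside Windows/Program Files: {m['path']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.item}")
```

Run against the sample, the script flags the two `PowerReg Scheduler` Startup items, the `ExentInf Class` control with no source URL, and the `npkcmsvc` service under `C:\Nexon`; every other line passes. That matches what a helper would eyeball first, and nothing on the list is evidence of infection by itself.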



#2 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 08 June 2009 - 08:25 AM

Hi MrTony,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Then

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).
Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#3 MrTony (Authentic Member, 24 posts)

Posted 08 June 2009 - 06:02 PM

Hello Tomk. I really appreciate you looking at this for me. I have run ATF Cleaner and Malwarebytes'. After the scan Malwarebytes showed no issues. I am attaching its log file and the latest HijackThis log below.

I am still unable to install my driver. I am getting an "access denied" "LoadLanguage Failed" error box when I attempt to run the installer. System Restore is also still not working.

Thanks again for your time.

-- Malware Bytes Log --

Malwarebytes' Anti-Malware 1.37
Database version: 2249
Windows 5.1.2600 Service Pack 3

6/8/2009 5:44:50 PM
mbam-log-2009-06-08 (17-44-50).txt

Scan type: Quick Scan
Objects scanned: 95093
Time elapsed: 6 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-- Hijack This Log --

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:48:45 PM, on 6/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1158796334961
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1158796321226
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe

--
End of file - 6865 bytes

#4 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 08 June 2009 - 06:06 PM

MrTony,

Let's get a deeper look.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#5 MrTony (Authentic Member, 24 posts)

Posted 08 June 2009 - 06:42 PM

OK, ran ComboFix. The log file is below. I did have one issue. I disabled my antivirus as described in your previous post (little red umbrella closed on Avira). I did get a warning from ComboFix that it was not disabled, however. As far as I know, I only have the one instance of this running.

Thanks for the quick response.

-- Combofix Log --

ComboFix 09-06-08.02 - Jeannie 06/08/2009 18:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.262 [GMT -6:00]
Running from: c:\documents and settings\Jeannie\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated) {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {00000206-FFA4-00D9-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E3963-FFA4-00FC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-00D9-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-00FC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-010D-0D24-347CA8A3377C}
.

((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))
.

2009-06-08 23:37 . 2009-06-08 23:37 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 00:12 . 2008-02-03 19:38 -------- d-----w- c:\program files\Steam
2009-06-08 23:37 . 2009-04-05 15:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-08 23:27 . 2006-09-24 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic
2009-05-31 15:28 . 2007-04-24 22:24 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-26 19:20 . 2009-04-05 15:07 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 19:19 . 2009-04-05 15:07 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-04-23 21:37 . 2009-04-23 21:37 442062 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-04-12 13:53 . 2005-11-26 18:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-04-05 14:33 . 2009-04-05 14:33 152576 ----a-w- c:\documents and settings\Jeannie\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-16 20:18 . 2009-03-29 13:42 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 20:18 . 2009-03-29 13:42 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-03-16 20:18 . 2009-03-29 13:42 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-03-16 20:18 . 2009-03-29 13:42 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-03-14 21:37 . 2004-07-11 00:21 1359 ----a-w- c:\windows\eReg.dat
2009-03-14 19:12 . 2009-02-05 23:44 13116 ---ha-w- c:\windows\system32\ealregsnapshot1.reg
2002-08-29 11:00 . 2002-08-29 11:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 . 2002-08-29 11:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2002-08-29 11:00 1028096 --sh--w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2002-08-29 11:00 57344 --sh--w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2002-08-29 11:00 413696 --sh--w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2002-08-29 11:00 343040 --sh--w- c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 00:12 . 2002-08-29 11:00 551936 --sh--w- c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 . 2002-08-29 11:00 84992 --sh--w- c:\windows\SYSTEM32\olepro32.dll
2008-04-14 00:12 . 2002-08-29 11:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Steam"="c:\program files\Steam\Steam.exe" [2009-05-21 1217784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-06 196608]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-02-06 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\documents and settings\Jeannie\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-8-12 225280]
PowerReg Scheduler.exe [2004-2-29 189952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
D-link AirPlus G DWL-G120 Wireless USB.lnk - c:\program files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe [2006-9-20 241664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-2-6 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^Jeannie^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\Jeannie\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"c:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\SYSTEM32\\dxdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57897:TCP"= 57897:TCP:Pando Media Booster
"57897:UDP"= 57897:UDP:Pando Media Booster
"58860:TCP"= 58860:TCP:Pando Media Booster
"58860:UDP"= 58860:UDP:Pando Media Booster

S3 dump_wmimmc;dump_wmimmc;\??\c:\nexon\MapleStory\GameGuard\dump_wmimmc.sys --> c:\nexon\MapleStory\GameGuard\dump_wmimmc.sys [?]
S3 lac97inf;lac97inf;\??\c:\docume~1\Jeannie\LOCALS~1\Temp\lac97inf.sys --> c:\docume~1\Jeannie\LOCALS~1\Temp\lac97inf.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2004-02-14 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
IE: &Search
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-08 18:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2396)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-09 18:31
ComboFix-quarantined-files.txt 2009-06-09 00:31

Pre-Run: 23,191,105,536 bytes free
Post-Run: 24,017,281,024 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

136 --- E O F --- 2009-06-09 00:03

#6 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 08 June 2009 - 07:14 PM

MrTony,

This should help with that:

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Killall::
    
    SecCenter::
    {00000000-0000-0000-0000-000000000000}
    {00000206-FFA4-00D9-0D24-347CA8A3377C}
    {804E3963-FFA4-00FC-0D24-347CA8A3377C}
    {804E5358-FFA4-00D9-0D24-347CA8A3377C}
    {804E5358-FFA4-00FC-0D24-347CA8A3377C}
    {804E5358-FFA4-010D-0D24-347CA8A3377C}
    
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "57897:TCP"=-
    "57897:UDP"=-
    "58860:TCP"=-
    "58860:UDP"=-
    
    Driver::
    dump_wmimmc
    lac97inf
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#7 MrTony

MrTony

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 09 June 2009 - 07:47 PM

Hello again,

I've re-run ComboFix with the file you had attached and also run Kaspersky. Nothing major on the virus scan report. I am attaching the logs below.

Thanks

Tony

-- New ComboFix Log --

ComboFix 09-06-08.02 - Jeannie 06/08/2009 19:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.296 [GMT -6:00]
Running from: c:\documents and settings\Jeannie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeannie\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated) {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {00000206-FFA4-00D9-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E3963-FFA4-00FC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-00D9-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-00FC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804E5358-FFA4-010D-0D24-347CA8A3377C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DUMP_WMIMMC
-------\Legacy_LAC97INF
-------\Service_dump_wmimmc
-------\Service_lac97inf


((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))
.

2009-06-08 23:37 . 2009-06-08 23:37 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 01:45 . 2008-02-03 19:38 -------- d-----w- c:\program files\Steam
2009-06-08 23:37 . 2009-04-05 15:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-08 23:27 . 2006-09-24 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic
2009-05-31 15:28 . 2007-04-24 22:24 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-26 19:20 . 2009-04-05 15:07 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 19:19 . 2009-04-05 15:07 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-04-23 21:37 . 2009-04-23 21:37 442062 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-04-12 13:53 . 2005-11-26 18:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-04-05 14:33 . 2009-04-05 14:33 152576 ----a-w- c:\documents and settings\Jeannie\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-16 20:18 . 2009-03-29 13:42 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 20:18 . 2009-03-29 13:42 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-03-16 20:18 . 2009-03-29 13:42 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-03-16 20:18 . 2009-03-29 13:42 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-03-14 21:37 . 2004-07-11 00:21 1359 ----a-w- c:\windows\eReg.dat
2009-03-14 19:12 . 2009-02-05 23:44 13116 ---ha-w- c:\windows\system32\ealregsnapshot1.reg
2002-08-29 11:00 . 2002-08-29 11:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 . 2002-08-29 11:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2002-08-29 11:00 1028096 --sh--w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2002-08-29 11:00 57344 --sh--w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2002-08-29 11:00 413696 --sh--w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2002-08-29 11:00 343040 --sh--w- c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 00:12 . 2002-08-29 11:00 551936 --sh--w- c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 . 2002-08-29 11:00 84992 --sh--w- c:\windows\SYSTEM32\olepro32.dll
2008-04-14 00:12 . 2002-08-29 11:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-06-09_00.26.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-09 01:44 . 2009-06-09 01:44 16384 c:\windows\temp\Perflib_Perfdata_158.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Steam"="c:\program files\Steam\Steam.exe" [2009-05-21 1217784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-06 196608]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-02-06 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\documents and settings\Jeannie\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-8-12 225280]
PowerReg Scheduler.exe [2004-2-29 189952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
D-link AirPlus G DWL-G120 Wireless USB.lnk - c:\program files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe [2006-9-20 241664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-2-6 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^Jeannie^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\Jeannie\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"c:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\WINDOWS\\SYSTEM32\\dxdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57897:TCP"= 57897:TCP:Pando Media Booster
"57897:UDP"= 57897:UDP:Pando Media Booster
"58860:TCP"= 58860:TCP:Pando Media Booster
"58860:UDP"= 58860:UDP:Pando Media Booster

.
Contents of the 'Scheduled Tasks' folder

2004-02-14 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
IE: &Search
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-08 19:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1052)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\AntiVir PersonalEdition Classic\sched.exe
c:\program files\AntiVir PersonalEdition Classic\avguard.exe
c:\windows\SYSTEM32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2009-06-09 19:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-09 01:51
ComboFix2.txt 2009-06-09 00:31

Pre-Run: 23,984,861,184 bytes free
Post-Run: 23,899,787,264 bytes free

153 --- E O F --- 2009-06-09 00:49


-- Kaspersky Log --

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, June 9, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, June 09, 2009 23:03:46
Records in database: 2332722
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 92178
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:49:55


File name / Threat name / Threats count
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0322440.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.eq 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0322448.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1

The selected area was scanned.

#8 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 09 June 2009 - 10:05 PM

MrTony, Please post a new HijackThis log and let me know if there is any difference with your system.
Tomk

#9 MrTony

MrTony

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 10 June 2009 - 04:24 PM

I attempted to install the Nvidia driver but no success. The system restore did get past the screen where it was stopping before. I did not complete the system restore, however, not knowing if I would undo whatever fixes had been made so far. Do you think I should try running through that?

Re-ran HijackThis and the log is below.

Thanks

Tony

-- HijackThis log --

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:32 PM, on 6/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1158796334961
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1158796321226
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe

--
End of file - 6736 bytes
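The HijackThis log above is a line-oriented format that can be triaged mechanically before anyone reads it by eye. As an added example (my own code, not from this thread, from HijackThis or from Trend Micro), the Python below parses the O2, O4, O16 and O23 line shapes that appear in the log into records and applies three defensive heuristics an analyst checks first: a bare executable sitting in a Startup folder rather than a shortcut (the shape of the two PowerReg entries), an ActiveX control (DPF) registered with no download URL, and anything loading from outside \WINDOWS and \Program Files. SAMPLE_LOG is a constructed excerpt using the same line shapes as the log; the heuristics and every function name are my own, and a hit means "look at this", not "malware".

```python
"""Structured triage of HijackThis v2 log entries.

Added example, not code from this thread, from HijackThis or from Trend Micro.
It parses the O2 (BHO), O4 (autorun), O16 (DPF/ActiveX) and O23 (service)
line shapes seen in the log above and applies a few defensive heuristics.
SAMPLE_LOG is a constructed excerpt using the same line shapes as the log.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = r"""
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
"""


@dataclass
class Entry:
    code: str      # HJT section code: "O2", "O4", "O16", "O23", ...
    location: str  # "BHO", "HKLM", "HKCU", "Startup", "Global Startup", "DPF", "Service"
    name: str      # value name, shortcut name, control name or service name
    target: str    # executable path or download URL; "" when the log shows none
    raw: str       # the original log line


LINE_RE = re.compile(r"^(?P<code>[FOR]\d{1,2}) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^(?P<loc>HKLM|HKCU|Startup|Global Startup)(?:\\\.\.\\Run)?: "
                   r"(?:\[(?P<name>[^\]]+)\] )?(?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]+)\) -\s*(?P<url>.*)$")
O23_RE = re.compile(r"^Service: (?P<display>.+?)(?: \((?P<svc>[^)]+)\))? - "
                    r"(?P<vendor>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|scr|com|bat|cmd|pif|lnk))(?:\s+.*)?$",
                    re.IGNORECASE)


def exe_from_command(cmd: str) -> str:
    """Strip switches from an autorun command line, honouring quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        return cmd[1:close] if close > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one HJT log line into an Entry; None for non-entry lines."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code == "O2" and (mm := O2_RE.match(body)):
        return Entry(code, "BHO", mm.group("name"), mm.group("path"), line)
    if code == "O4" and (mm := O4_RE.match(body)):
        name, cmd = mm.group("name") or "", mm.group("cmd")
        if not name and " = " in cmd:          # "shortcut.lnk = C:\path\target.exe" form
            name, cmd = cmd.split(" = ", 1)
        target = "" if cmd.strip() == "?" else exe_from_command(cmd)
        return Entry(code, mm.group("loc"), name or target, target, line)
    if code == "O16" and (mm := O16_RE.match(body)):
        return Entry(code, "DPF", mm.group("name"), mm.group("url").strip(), line)
    if code == "O23" and (mm := O23_RE.match(body)):
        return Entry(code, "Service", mm.group("svc") or mm.group("display"),
                     mm.group("path"), line)
    return Entry(code, "", "", "", line)       # recognised code, shape not handled here


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e is not None]


STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\")


def triage(entry: Entry) -> List[str]:
    """Reasons an analyst should look at this entry first; empty means nothing obvious."""
    reasons = []
    t = entry.target.lower()
    if (entry.code == "O4" and entry.location in ("Startup", "Global Startup")
            and t and "\\" not in t and not t.endswith(".lnk")):
        reasons.append("bare executable in a Startup folder rather than a shortcut")
    if entry.code == "O16" and not entry.target:
        reasons.append("ActiveX control (DPF) registered with no download URL")
    if entry.code in ("O2", "O4", "O23") and "\\" in t and not t.startswith(STANDARD_DIRS):
        reasons.append("loads from outside \\WINDOWS and \\Program Files")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons."""
    return {e.raw: r for e in parse_log(text) if (r := triage(e))}


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line, "->", "; ".join(reasons))
```

Run against the constructed sample it flags exactly the three entries described in the lead-in; everything under \WINDOWS or \Program Files with a proper shortcut or download URL passes. The heuristics are deliberately narrow so the output is a short worklist for a human, which is how a helper like Tomk would use it before deciding what to fix.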

#10 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 10 June 2009 - 04:38 PM

MrTony,

  • Please open HijackThis and run Do a system scan only
  • Check the boxes next to ONLY the entries listed below(if present):
    • O4 - Startup: PowerReg Scheduler V3.exe
      O4 - Startup: PowerReg Scheduler.exe
  • Close all programs except for HijackThis.
  • Click on Fix checked
  • A box will pop up asking you if you wish to fix the selected items. Please choose YES.
  • Once it has fixed them, please exit/close HijackThis.

Then let's get a different log.

Please download DDS by sUBs from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open and then click UPLOAD.

Tomk



#11 MrTony

MrTony

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 10 June 2009 - 06:02 PM

Fixed the checked items in HijackThis and ran DDS. The log is attached below along with attachment. Again, thanks for all of your help.

Tony

-- DDS Log --

DDS (Ver_09-05-14.01) - NTFSx86
Run by Jeannie at 17:56:00.68 on Wed 06/10/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.282 [GMT -6:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jeannie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /min
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link airplus g dwl-g120 wireless usb\120UTIL.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: <NO NAME> = 
IE: &Search
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158796334961
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - 
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158796321226
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\antivir personaledition classic\avgio.sys [2006-9-24 11608]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\antivir personaledition classic\sched.exe [2006-9-24 68865]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\antivir personaledition classic\avguard.exe [2006-9-24 151297]
R3 avgntflt;avgntflt;c:\program files\antivir personaledition classic\avgntflt.sys [2006-9-24 52056]

=============== Created Last 30 ================

2009-06-08 18:21 <DIR> a-dshr-- C:\cmdcons
2009-06-08 18:19 161,792 a------- c:\windows\SWREG.exe
2009-06-08 18:19 155,136 a------- c:\windows\PEV.exe
2009-06-08 18:19 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-07 09:32 345,600 a---h--- c:\windows\system32\localspl.dll
2009-05-07 09:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-28 22:56 827,392 a---h--- c:\windows\system32\wininet.dll
2009-04-28 22:56 827,392 a---h--- c:\windows\system32\dllcache\wininet.dll
2009-04-28 22:56 233,472 ----h--- c:\windows\system32\dllcache\webcheck.dll
2009-04-28 22:56 1,159,680 a---h--- c:\windows\system32\dllcache\urlmon.dll
2009-04-28 22:56 671,232 a---h--- c:\windows\system32\dllcache\mstime.dll
2009-04-28 22:56 44,544 a---h--- c:\windows\system32\dllcache\pngfilt.dll
2009-04-28 22:56 105,984 ----h--- c:\windows\system32\dllcache\url.dll
2009-04-28 22:56 102,912 ----h--- c:\windows\system32\dllcache\occache.dll
2009-04-28 22:56 3,596,288 a---h--- c:\windows\system32\dllcache\mshtml.dll
2009-04-28 22:56 477,696 a---h--- c:\windows\system32\dllcache\mshtmled.dll
2009-04-28 22:56 193,024 a---h--- c:\windows\system32\dllcache\msrating.dll
2009-04-28 03:05 70,656 ----h--- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 03:05 13,824 ----h--- c:\windows\system32\dllcache\ieudinit.exe
2009-04-24 23:27 636,088 ----h--- c:\windows\system32\dllcache\iexplore.exe
2009-04-24 23:26 161,792 ----h--- c:\windows\system32\dllcache\ieakui.dll
2009-04-23 15:37 442,062 a------- c:\windows\system32\PerfStringBackup.TMP
2009-04-17 06:26 1,847,168 a---h--- c:\windows\system32\win32k.sys
2009-04-17 06:26 1,847,168 ----h--- c:\windows\system32\dllcache\win32k.sys
2009-04-15 08:51 585,216 a---h--- c:\windows\system32\rpcrt4.dll
2009-04-15 08:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-21 08:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-14 13:12 13,116 a---h--- c:\windows\system32\ealregsnapshot1.reg
2008-12-03 18:21 70,424 a------- c:\docume~1\jeannie\applic~1\GDIPFONTCACHEV1.DAT
1998-08-24 12:09 10,000 a------- c:\windows\inf\unregpn.exe
2002-08-29 05:00 94,784 ---sh--- c:\windows\TWAIN.DLL
2008-04-13 18:12 50,688 ---sh--- c:\windows\twain_32.dll
2008-04-13 18:11 1,028,096 ---sh--- c:\windows\system32\mfc42.dll
2008-04-13 18:12 57,344 ---sh--- c:\windows\system32\msvcirt.dll
2008-04-13 18:12 413,696 ---sh--- c:\windows\system32\msvcp60.dll
2008-04-13 18:12 343,040 ---sh--- c:\windows\system32\msvcrt.dll
2008-04-13 18:12 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-13 18:12 84,992 ---sh--- c:\windows\system32\olepro32.dll
2008-04-13 18:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe
2008-08-28 16:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat

============= FINISH: 17:56:35.84 ===============




#12 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 10 June 2009 - 07:07 PM

MrTony,

You need to go to add and remove programs in your control panel and uninstall Java 2 Runtime Environment, SE v1.4.2

According to the log you provided, system restore is working.

==== System Restore Points ===================

RP1131: 3/12/2009 7:31:40 PM - System Checkpoint
RP1132: 3/13/2009 3:00:20 AM - Software Distribution Service 3.0
RP1133: 3/14/2009 1:12:54 PM - Configured EA Download Manager
RP1134: 3/14/2009 1:14:15 PM - Removed Free Ride Games Player
RP1135: 3/14/2009 1:17:44 PM - Removed Hello Kitty Cutie World
RP1136: 3/14/2009 1:17:59 PM - Removed Hello Kitty Dream Carnival
RP1137: 3/14/2009 1:20:51 PM - Removed Microsoft Money 2003
RP1138: 3/14/2009 1:21:49 PM - Removed Microsoft Money 2003 System Pack
RP1139: 3/14/2009 1:26:17 PM - Software Distribution Service 3.0
RP1140: 3/14/2009 2:05:15 PM - Removed EarthLink Setup Files
RP1141: 3/14/2009 2:06:57 PM - Removed MSN Toolbar
RP1142: 3/14/2009 2:45:25 PM - Installed DirectX
RP1143: 3/29/2009 7:01:54 AM - System Checkpoint
RP1144: 3/29/2009 7:42:27 AM - Installed DirectX
RP1145: 3/29/2009 8:50:16 AM - Restore Operation
RP1146: 3/29/2009 8:51:00 AM - Restore Operation
RP1147: 3/29/2009 8:51:38 AM - Restore Operation
RP1148: 3/29/2009 8:52:46 AM - Restore Operation
RP1149: 3/30/2009 9:39:42 AM - System Checkpoint
RP1150: 4/5/2009 8:33:47 AM - Installed Java™ 6 Update 13
RP1151: 4/12/2009 5:34:01 AM - Restore Operation
RP1152: 4/19/2009 6:58:08 AM - Software Distribution Service 3.0
RP1153: 4/23/2009 3:44:46 PM - Software Distribution Service 3.0
RP1154: 4/27/2009 6:20:45 AM - Software Distribution Service 3.0
RP1155: 4/30/2009 1:26:04 PM - Software Distribution Service 3.0
RP1156: 5/1/2009 6:06:33 AM - Software Distribution Service 3.0
RP1157: 5/1/2009 9:13:29 AM - Software Distribution Service 3.0
RP1158: 5/5/2009 12:35:07 PM - System Checkpoint
RP1159: 5/5/2009 12:42:02 PM - Software Distribution Service 3.0
RP1160: 5/6/2009 3:51:11 PM - Software Distribution Service 3.0
RP1161: 5/21/2009 7:44:27 AM - Software Distribution Service 3.0
RP1162: 5/27/2009 6:09:31 AM - Software Distribution Service 3.0
RP1163: 5/31/2009 9:48:00 AM - System Checkpoint
RP1164: 5/31/2009 2:41:39 PM - Software Distribution Service 3.0
RP1165: 5/31/2009 5:38:51 PM - Software Distribution Service 3.0
RP1166: 6/2/2009 4:35:42 PM - Software Distribution Service 3.0
RP1167: 6/4/2009 6:47:02 AM - Software Distribution Service 3.0
RP1168: 6/8/2009 6:03:21 PM - Software Distribution Service 3.0
RP1169: 6/8/2009 6:49:45 PM - Software Distribution Service 3.0
RP1170: 6/8/2009 8:39:01 PM - Software Distribution Service 3.0
RP1171: 6/9/2009 8:38:10 PM - Software Distribution Service 3.0
RP1172: 6/10/2009 5:46:05 PM - Software Distribution Service 3.0

Which Nvidia driver are you trying to install?
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#13 MrTony

MrTony

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 10 June 2009 - 07:56 PM

I removed the Java 2 runtime. We were having issues with running a game, so I was attempting to update the driver from 93.71 to the latest on the Nvidia site for my card (175.19). I uninstalled the current driver and downloaded the new. I have been unable to install the new driver or reinstall the old driver. The installer will not launch. Hope that makes sense. Tony

#14 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 11 June 2009 - 11:24 AM

MrTony,

I think that we've taken care of any malware. I suggest that you post in the windows forum as the Tech Team is better equipped to help you at this point. When you post there, please provide a link back to this thread so that they will have access to all of your information.

Meanwhile, Log looks good :D


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • Note the space between the X and the U, it needs to be there.
The above procedure will:
  • Implement some cleanup procedures.
  • Reset System Restore.

Now to remove most of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Please re-enable any security that was disabled.


The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved. :thumbup:
Tomk

#15 MrTony

MrTony

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 11 June 2009 - 05:51 PM

I've completed the cleanup and will try to put into practice a bit safer computing going forward. Thank you very much for your help with this. I really appreciate your time working through all of these issues with me. I will post over on the Windows board to see if they have any suggestions to take it from here. I think I'm ready to roll... Thanks again Tony
