[RESOLVED] XP - Virus 2011

Printable View

Show 40 post(s) from this thread on one page

April 16th, 2011, 10:22 AM
pennydog

[RESOLVED] XP - Virus 2011

I have a notice that I have the XP Virus 2011 on my laptop. It started this morning after I read an email. It kept trying scan, telling me I needed to register in order to get infections removed. I can only get on in safe mode so far, the virus hijacks all home pages. I just ran the malwarebytes and have the log, but again, I had to run in safe mode. Here is the log and I am off to Step 2 in the instructions. Thanks.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6374

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

4/16/2011 10:12:27 AM
mbam-log-2011-04-16 (10-12-27).txt

Scan type: Quick scan
Objects scanned: 230834
Time elapsed: 6 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Terry.TERRYT\Local Settings\Application Data\opk.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Terry.TERRYT\Local Settings\Application Data\opk.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Terry.TERRYT\Local Settings\Application Data\opk.exe" -a "C:\Program Files\Internet Explorer\IEXPLORE.EXE") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
April 16th, 2011, 12:11 PM
pennydog

After nearly 2 hours of scanning the Gmer scan, it stopped and no save button was seen, so no report. I am rescannning now to see if it will complete. I can only log on in safe mode otherwise the Anti Virus screen pops up and starts to scan. Will post log when it completes if possible.
April 16th, 2011, 01:17 PM
Broni

If still in trouble, skip GMER.
April 16th, 2011, 01:54 PM
pennydog

Thanks Broni. I scanned again but there is no log or anyway to save. I will go on to step 3.

Step 3 - MBR Log

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 95):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75B6000 fltmgr.sys
0xF7588000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7577000 pci.sys
0xF75F7000 isapnp.sys
0xF7607000 ohci1394.sys
0xF7617000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF789B000 compbatt.sys
0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7627000 MountMgr.sys
0xF74B8000 ftdisk.sys
0xF78A3000 ACPIEC.sys
0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF770F000 PartMgr.sys
0xF7637000 VolSnap.sys
0xF74A0000 atapi.sys
0xF7717000 o2sd.sys
0xF7488000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF7647000 o2media.sys
0xF7657000 disk.sys
0xF7667000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7875000 sr.sys
0xF783C000 PCTCore.sys
0xF7677000 PxHelp20.sys
0xF7970000 KSecDD.sys
0xF7B52000 Ntfs.sys
0xF7A22000 NDIS.sys
0xF7956000 Mup.sys
0xF775F000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xBA760000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7767000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7697000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF76A7000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA73D000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA715000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF76C7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF777F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA6E6000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7993000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF778F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA6AA000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xF76D7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7937000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xBA693000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76E7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF76F7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77AF000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xBA5E2000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7567000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF77BF000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77CF000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7557000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7999000 \SystemRoot\system32\DRIVERS\swenum.sys
0xBA534000 \SystemRoot\system32\DRIVERS\update.sys
0xF794B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7547000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7537000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF799F000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7AB8000 \SystemRoot\System32\Drivers\Null.SYS
0xF79A3000 \SystemRoot\System32\Drivers\Beep.SYS
0xF780F000 \SystemRoot\System32\drivers\vga.sys
0xBA4F8000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0xF79A7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF781F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF776F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA7C4000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xBA4C5000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xBA46C000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xBA444000 \SystemRoot\system32\DRIVERS\netbt.sys
0xBA7B8000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xBA422000 \SystemRoot\System32\drivers\afd.sys
0xF7527000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBA3F7000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xBA387000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA348000 \SystemRoot\system32\DRIVERS\rt73.sys
0xF7507000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBA308000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79AF000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF793F000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA5D2000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7AB7000 \SystemRoot\System32\drivers\dxgthk.sys
0xBFF50000 \SystemRoot\System32\framebuf.dll
0xBF012000 \SystemRoot\System32\ATMFD.DLL
0xB9E26000 \SystemRoot\system32\DRIVERS\srv.sys
0xB9935000 \??\C:\DOCUME~1\ADMINI~1.002\LOCALS~1\Temp\fgtdipog.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 18):
0 System Idle Process
4 System
484 C:\WINDOWS\system32\smss.exe
692 csrss.exe
716 C:\WINDOWS\system32\winlogon.exe
764 C:\WINDOWS\system32\services.exe
776 C:\WINDOWS\system32\lsass.exe
936 C:\WINDOWS\system32\svchost.exe
996 svchost.exe
1164 C:\WINDOWS\system32\svchost.exe
1188 svchost.exe
1336 svchost.exe
1684 C:\WINDOWS\explorer.exe
2024 C:\WINDOWS\system32\ctfmon.exe
1288 C:\Program Files\Internet Explorer\iexplore.exe
1856 C:\Program Files\Internet Explorer\iexplore.exe
456 C:\Program Files\Internet Explorer\iexplore.exe
316 C:\Documents and Settings\Administrator.TERRYT.002\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD600BEAS-00KZT0, Rev: 01.06M01

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!
April 16th, 2011, 02:10 PM
pennydog

DDS # 1

DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Administrator at 14:03:57.95 on Sat 04/16/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.1075 [GMT -4:00]
.
AV: PC Tools AntiVirus Free *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator.TERRYT.002\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
TB: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10c.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [ISTray] "c:\program files\pc tools security\pctsTray.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
mPolicies-explorer: RestrictRun = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167360043691
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/luxr/default/mjolauncher.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {A27C56D2-3F58-4ABB-AA31-1168EDA6636F} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1.002\applic~1\mozilla\firefox\profiles\megfwhkr.default\
FF - prefs.js: browser.search.selectedEngine - Search Defender
FF - prefs.js: keyword.URL - hxxp://www.search-results.com/web?o=15868&l=dis&prt=PRT&chn=UN&geo=US&ver=UN&q=
FF - component: c:\program files\pc tools security\bdt\firefox\platform\winnt_x86-msvc\components\libheuristic.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Browser Defender Toolbar: {cb84136f-9c44-433a-9048-c5cd9df1dc16} - c:\program files\pc tools security\bdt\Firefox
.
============= SERVICES / DRIVERS ===============
.
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-1-5 34144]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-1-5 28800]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-7-27 218592]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools security\bdt\BDTUpdateService.exe [2010-7-27 198608]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2010-7-27 366840]
S2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2010-7-27 1142224]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-03-14 20:59:47 556780 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
============= FINISH: 14:04:36.71 ===============
April 16th, 2011, 02:11 PM
pennydog

DDS # 2 and I will wait for further instructions - Thanks.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 11/28/2006 2:48:02 PM
System Uptime: 4/16/2011 12:14:22 PM (2 hours ago)
.
Motherboard: OEM | | NB-14w2
Processor: Intel(R) Celeron(R) M CPU 410 @ 1.46GHz | U23 | 1466/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 56 GiB total, 41.9 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP182: 1/16/2011 7:06:12 PM - PC Tools AntiVirus Free: Cleaning Threats
RP183: 1/17/2011 7:06:58 PM - PC Tools AntiVirus Free: Cleaning Threats
RP184: 1/18/2011 7:05:30 PM - PC Tools AntiVirus Free: Cleaning Threats
RP185: 1/19/2011 7:08:41 PM - PC Tools AntiVirus Free: Cleaning Threats
RP186: 1/20/2011 7:08:17 PM - PC Tools AntiVirus Free: Cleaning Threats
RP187: 1/21/2011 7:35:23 PM - System Checkpoint
RP188: 1/22/2011 7:08:35 PM - PC Tools AntiVirus Free: Cleaning Threats
RP189: 1/23/2011 7:14:22 PM - System Checkpoint
RP190: 1/23/2011 8:01:21 PM - PC Tools AntiVirus Free: Cleaning Threats
RP191: 1/24/2011 7:46:04 PM - PC Tools AntiVirus Free: Cleaning Threats
RP192: 1/25/2011 8:05:36 PM - PC Tools AntiVirus Free: Cleaning Threats
RP193: 1/26/2011 7:10:18 PM - PC Tools AntiVirus Free: Cleaning Threats
RP194: 1/27/2011 7:19:36 PM - PC Tools AntiVirus Free: Cleaning Threats
RP195: 1/28/2011 8:24:21 PM - System Checkpoint
RP196: 1/29/2011 7:28:47 PM - PC Tools AntiVirus Free: Cleaning Threats
RP197: 1/30/2011 7:37:24 PM - PC Tools AntiVirus Free: Cleaning Threats
RP198: 1/31/2011 7:22:13 PM - PC Tools AntiVirus Free: Cleaning Threats
RP199: 2/1/2011 7:51:52 PM - PC Tools AntiVirus Free: Cleaning Threats
RP200: 2/2/2011 7:45:06 PM - PC Tools AntiVirus Free: Cleaning Threats
RP201: 2/3/2011 7:11:27 PM - PC Tools AntiVirus Free: Cleaning Threats
RP202: 2/4/2011 7:56:19 PM - System Checkpoint
RP203: 2/4/2011 8:29:32 PM - PC Tools AntiVirus Free: Cleaning Threats
RP204: 2/5/2011 8:41:30 PM - PC Tools AntiVirus Free: Cleaning Threats
RP205: 2/6/2011 7:08:55 PM - PC Tools AntiVirus Free: Cleaning Threats
RP206: 2/7/2011 7:05:54 PM - PC Tools AntiVirus Free: Cleaning Threats
RP207: 2/8/2011 7:53:48 PM - PC Tools AntiVirus Free: Cleaning Threats
RP208: 2/8/2011 9:10:58 PM - Software Distribution Service 3.0
RP209: 2/9/2011 10:17:15 PM - PC Tools AntiVirus Free: Cleaning Threats
RP210: 2/11/2011 5:43:23 PM - System Checkpoint
RP211: 2/11/2011 8:35:27 PM - PC Tools AntiVirus Free: Cleaning Threats
RP212: 2/12/2011 7:05:57 PM - PC Tools AntiVirus Free: Cleaning Threats
RP213: 2/13/2011 7:07:21 PM - PC Tools AntiVirus Free: Cleaning Threats
RP214: 2/14/2011 7:25:35 PM - PC Tools AntiVirus Free: Cleaning Threats
RP215: 2/15/2011 7:43:24 PM - PC Tools AntiVirus Free: Cleaning Threats
RP216: 2/16/2011 9:49:06 PM - PC Tools AntiVirus Free: Cleaning Threats
RP217: 2/17/2011 7:07:11 PM - PC Tools AntiVirus Free: Cleaning Threats
RP218: 2/18/2011 8:24:10 PM - PC Tools AntiVirus Free: Cleaning Threats
RP219: 2/19/2011 7:15:22 PM - PC Tools AntiVirus Free: Cleaning Threats
RP220: 2/20/2011 7:08:19 PM - PC Tools AntiVirus Free: Cleaning Threats
RP221: 2/20/2011 10:02:49 PM - Software Distribution Service 3.0
RP222: 2/21/2011 7:44:54 PM - PC Tools AntiVirus Free: Cleaning Threats
RP223: 2/22/2011 7:34:53 PM - PC Tools AntiVirus Free: Cleaning Threats
RP224: 2/23/2011 7:19:43 PM - PC Tools AntiVirus Free: Cleaning Threats
RP225: 2/23/2011 9:57:10 PM - Software Distribution Service 3.0
RP226: 2/25/2011 6:50:45 PM - System Checkpoint
RP227: 2/25/2011 8:30:25 PM - PC Tools AntiVirus Free: Cleaning Threats
RP228: 2/26/2011 7:06:57 PM - PC Tools AntiVirus Free: Cleaning Threats
RP229: 2/27/2011 7:08:42 PM - PC Tools AntiVirus Free: Cleaning Threats
RP230: 2/28/2011 7:32:34 PM - System Checkpoint
RP231: 2/28/2011 8:19:03 PM - PC Tools AntiVirus Free: Cleaning Threats
RP232: 3/1/2011 7:10:52 PM - PC Tools AntiVirus Free: Cleaning Threats
RP233: 3/2/2011 7:15:36 PM - System Checkpoint
RP234: 3/2/2011 9:10:14 PM - PC Tools AntiVirus Free: Cleaning Threats
RP235: 3/3/2011 7:21:00 PM - PC Tools AntiVirus Free: Cleaning Threats
RP236: 3/4/2011 8:17:37 PM - PC Tools AntiVirus Free: Cleaning Threats
RP237: 3/5/2011 8:23:19 PM - PC Tools AntiVirus Free: Cleaning Threats
RP238: 3/6/2011 7:11:28 PM - PC Tools AntiVirus Free: Cleaning Threats
RP239: 3/7/2011 8:39:43 PM - System Checkpoint
RP240: 3/7/2011 10:14:38 PM - PC Tools AntiVirus Free: Cleaning Threats
RP241: 3/8/2011 7:13:11 PM - PC Tools AntiVirus Free: Cleaning Threats
RP242: 3/9/2011 7:38:59 PM - PC Tools AntiVirus Free: Cleaning Threats
RP243: 3/10/2011 7:23:40 PM - PC Tools AntiVirus Free: Cleaning Threats
RP244: 3/11/2011 5:53:46 PM - Software Distribution Service 3.0
RP245: 3/11/2011 7:52:00 PM - PC Tools AntiVirus Free: Cleaning Threats
RP246: 3/12/2011 7:07:04 PM - PC Tools AntiVirus Free: Cleaning Threats
RP247: 3/13/2011 7:32:48 PM - PC Tools AntiVirus Free: Cleaning Threats
RP248: 3/14/2011 9:00:43 PM - System Checkpoint
RP249: 3/14/2011 9:24:59 PM - PC Tools AntiVirus Free: Cleaning Threats
RP250: 3/15/2011 7:08:01 PM - PC Tools AntiVirus Free: Cleaning Threats
RP251: 3/16/2011 8:16:09 PM - PC Tools AntiVirus Free: Cleaning Threats
RP252: 3/17/2011 7:41:26 PM - PC Tools AntiVirus Free: Cleaning Threats
RP253: 3/18/2011 8:17:32 PM - PC Tools AntiVirus Free: Cleaning Threats
RP254: 3/19/2011 7:59:29 PM - PC Tools AntiVirus Free: Cleaning Threats
RP255: 3/20/2011 7:06:49 PM - PC Tools AntiVirus Free: Cleaning Threats
RP256: 3/21/2011 7:40:03 PM - PC Tools AntiVirus Free: Cleaning Threats
RP257: 3/22/2011 9:18:19 PM - PC Tools AntiVirus Free: Cleaning Threats
RP258: 3/23/2011 5:45:33 PM - Software Distribution Service 3.0
RP259: 3/23/2011 7:19:05 PM - PC Tools AntiVirus Free: Cleaning Threats
RP260: 3/24/2011 8:59:16 PM - PC Tools AntiVirus Free: Cleaning Threats
RP261: 3/25/2011 9:32:48 PM - PC Tools AntiVirus Free: Cleaning Threats
RP262: 3/26/2011 7:12:21 PM - PC Tools AntiVirus Free: Cleaning Threats
RP263: 3/27/2011 8:25:55 PM - PC Tools AntiVirus Free: Cleaning Threats
RP264: 3/28/2011 7:30:10 PM - PC Tools AntiVirus Free: Cleaning Threats
RP265: 3/29/2011 7:59:19 PM - System Checkpoint
RP266: 3/29/2011 9:41:51 PM - PC Tools AntiVirus Free: Cleaning Threats
RP267: 3/30/2011 8:17:52 PM - PC Tools AntiVirus Free: Cleaning Threats
RP268: 3/31/2011 8:43:33 PM - System Checkpoint
RP269: 4/1/2011 9:16:45 PM - System Checkpoint
RP270: 4/3/2011 8:57:44 AM - System Checkpoint
RP271: 4/3/2011 8:38:42 PM - PC Tools AntiVirus Free: Cleaning Threats
RP272: 4/4/2011 8:42:42 PM - PC Tools AntiVirus Free: Cleaning Threats
RP273: 4/5/2011 7:11:23 PM - PC Tools AntiVirus Free: Cleaning Threats
RP274: 4/6/2011 7:37:01 PM - System Checkpoint
RP275: 4/6/2011 9:24:47 PM - PC Tools AntiVirus Free: Cleaning Threats
RP276: 4/8/2011 6:52:20 PM - System Checkpoint
RP277: 4/9/2011 7:57:54 PM - PC Tools AntiVirus Free: Cleaning Threats
RP278: 4/10/2011 7:54:49 PM - PC Tools AntiVirus Free: Cleaning Threats
RP279: 4/11/2011 7:06:17 PM - PC Tools AntiVirus Free: Cleaning Threats
RP280: 4/12/2011 7:49:49 PM - System Checkpoint
RP281: 4/12/2011 9:08:35 PM - PC Tools AntiVirus Free: Cleaning Threats
RP282: 4/13/2011 7:22:55 PM - PC Tools AntiVirus Free: Cleaning Threats
RP283: 4/14/2011 9:08:39 PM - PC Tools AntiVirus Free: Cleaning Threats
RP284: 4/16/2011 9:41:15 AM - PC Tools AntiVirus Free: Cleaning Threats
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player
Apple Software Update
Ask Toolbar
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
Big Fish Games Client
Big Money Deluxe 1.3
Browser Defender 3.0
Budweiser Dale Jr Screen Saver
Creative MediaSource
Creative Removable Disk Manager
Creative System Information
Creative Zen MicroPhoto
Critical Update for Windows Media Player 11 (KB959772)
Foxit Reader
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Image Resizer Powertoy for Windows XP
Java Auto Updater
Java(TM) 6 Update 21
Luxor (remove only)
Mahjong Towers Eternity
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Word Viewer 2003
Microsoft Picture It! Photo Premium 9
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Windows XP Video Decoder Checkup Utility
Motorola SM56 Data Fax Modem
Mozilla Firefox (3.6.13)
MSXML 6 Service Pack 2 (KB973686)
O2Micro Flash Memory Card Windows Driver V2.00
OpenOffice.org 3.0
PC Tools AntiVirus Free
Peggle World of Warcraft Edition
Ralink Wireless LAN Card
REALTEK Gigabit and Fast Ethernet NIC Driver
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Spelling Dictionaries Support For Adobe Reader 9
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell(TM) 1.0
Windows XP Service Pack 3
WOT for Internet Explorer
Zuma Deluxe 1.0
.
==== Event Viewer Messages From Past Week ========
.
4/16/2011 9:44:26 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
4/16/2011 9:43:17 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/16/2011 10:29:27 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
4/16/2011 10:13:07 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
.
==== End Of File ===========================
April 16th, 2011, 02:13 PM
Broni
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  - Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  - Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  NOTE1. If Combofix asks you to install Recovery Console, please allow it.
  NOTE 2. If Combofix asks you to update the program, always do so.
  - Close any open browsers.
  - WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  - Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  - If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe
- Double-click on the Rkill desktop icon to run the tool.
- If using Vista or Windows 7 right-click on it and choose Run As Administrator.
- A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
- If not, delete the file, then download and use the one provided in Link 2.
- If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
- Do not reboot until instructed.
- If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
April 16th, 2011, 02:37 PM
pennydog

Combo fix log:

ComboFix 11-04-15.06 - Administrator 04/16/2011 14:25:22.4.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.1109 [GMT -4:00]
Running from: c:\documents and settings\Administrator.TERRYT.002\Desktop\ComboFix.exe
AV: PC Tools AntiVirus Free *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Terry.TERRYT\Local Settings\Application Data\opk.exe
c:\documents and settings\Terry.TERRYT\WINDOWS
c:\windows\Temp\tmp3.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-03-16 to 2011-04-16 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-14 20:59 . 2011-03-14 20:59 556780 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2006-06-22 12:18 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2006-06-22 12:18 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"ISTray"="c:\program files\PC Tools Security\pctsTray.exe" [2010-05-11 1287120]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2006-6-22 593920]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdAuxService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdCoreService"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Terry.TERRYT^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Terry.TERRYT\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-02 23:23 102400 ------w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2003-06-07 11:32 50688 ----a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-02-27 09:28 16005120 ----a-r- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-01-20 04:34 544768 ----a-r- c:\windows\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-08-25 07:25 737369 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [1/5/2006 4:33 AM 34144]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [1/5/2006 4:33 AM 28800]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/27/2010 5:05 PM 218592]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [7/27/2010 5:11 PM 198608]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [7/27/2010 5:05 PM 366840]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - fgtdipog
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {A27C56D2-3F58-4ABB-AA31-1168EDA6636F} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
FF - ProfilePath - c:\documents and settings\Administrator.TERRYT.002\Application Data\Mozilla\Firefox\Profiles\megfwhkr.default\
FF - prefs.js: browser.search.selectedEngine - Search Defender
FF - prefs.js: keyword.URL - hxxp://www.search-results.com/web?o=15868&l=dis&prt=PRT&chn=UN&geo=US&ver=UN&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Browser Defender Toolbar: {cb84136f-9c44-433a-9048-c5cd9df1dc16} - c:\program files\PC Tools Security\BDT\Firefox
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-16 14:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2788397230-349101020-3852211074-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,b9,2b,c1,c9,ef,d4,4c,bf,a6,5f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,b9,2b,c1,c9,ef,d4,4c,bf,a6,5f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-04-16 14:34:16
ComboFix-quarantined-files.txt 2011-04-16 18:34
.
Pre-Run: 44,974,346,240 bytes free
Post-Run: 45,649,805,312 bytes free
.
- - End Of File - - A2244BEB8C25EB102C97AF70615C88A1
April 16th, 2011, 02:44 PM
pennydog

Rkill will not run from either of the 3 links. Never mind - it ran, looking for log now

This is the only log I see??? Is htis correct?

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/16/2011 at 14:45:48.
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

Rkill completed on 04/16/2011 at 14:45:53.
April 16th, 2011, 03:24 PM
Broni

Combofix looks pretty good now.

See, if you can update and run MBAM from normal mode now.
If so, post fresh log.
April 16th, 2011, 03:52 PM
pennydog

Ok something is strange. I downloaded the file and saved to the destop, however it will not open. It gives me a box that asks what I want to open with ???? Nothing there will open it and I have never gotten this before. I tried to update my security center and it asks the same thing "open with" it does not work either. What is up with that? I cannot open Mozilla either without getting that same message. IE is my default browser.
April 16th, 2011, 03:55 PM
Broni

Restart computer.
April 16th, 2011, 03:59 PM
pennydog

Restarted and it still does the same thing, the only thing that will open normally is IE, everythng else ask for what program to open. It will not open any .exe files, says not found.
April 16th, 2011, 04:10 PM
Broni
Download and run exeHelper.
- Please download exeHelper from Raktor to your desktop.
- Double-click on exeHelper.com to run the fix.
- A black window should pop up, press any key to close once the fix is completed.
- A log file named log.txt will be created in the directory where you ran exeHelper.com
- Attach the log.txt file to your next message.
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
April 16th, 2011, 04:13 PM
pennydog

Log report

exeHelper by Raktor
Build 20100414
Run at 16:11:57 on 04/16/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Show 40 post(s) from this thread on one page