A HiJack this SpywareDoc talked me into...H E L P!

Printable View

December 3rd, 2009, 09:51 PM
steve_83

A HiJack this SpywareDoc talked me into...H E L P!

Here is the HiJackThis that SpywareDr recommended that I post based on this discussion:
http://discussions.virtualdr.com/sho...44#post1307744

I hope I did this correctly and apologize if I did not, or in a reverse order......whatever.

My best guess is: The problem is in the Malwarebytes logfile.
Also: I was completely unable to get a logfile from gmer.

Would it be good enough to just say that a rootkit/malware scan found nothing with gmer's tool?

Problem summary:

Windows Explorer stops working (*many* instances)
-- Kaspersky Internet Security 2010 stops working
-- Games (not online) stop working
-- Cleaners....will not, or extremely slow
-- Full scans with deep rootkit scans are taking 4-5 hours on the Vista side (300GB WD Raptor HD), and 1/4 that amount on the XP side (150GB WD Raptor HD) of my RAID array.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Preliminany scan results from Bit Defender and Panda per P3-450's instructions:
http://discussions.virtualdr.com/sho...d.php?t=167915

On a 20 mbps connection (if relevant) the Panda scan took 3 hours, there was no option at that URL that said:
Disinfect automatically.

All the results said were:

Quote:

Congratulations!

Today you are not infected
We have detected that the Kaspersky Internet Security protection on your PC is enabled and up-to-date.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On to Bit Defender online scan:

Bit Defender Logfile:

BitDefender QuickScan Beta 32-bit v0.9.8.2
------------------------------------------

Scan date: Thu Dec 03 10:09:48 2009
Machine ID: 745F1D5F

Warning: Only 32-bit processes scanned.

No infection found.
---------------------
Processes
---------
<unsigned> VolPanlu.exe 2380 C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe
<unsigned> Creative Audio Service 1244 C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
<unsigned> TWeakIt.exe 2416 C:\Program Files\ASUS\TweakIt\TWeakIt.exe

<verified> SMax4PNP 2548 C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
<verified> Kaspersky Anti-Virus 2528 C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
<verified> Kaspersky Anti-Virus 2720 C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
<verified> Microsoft Office Word 4160 C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
<verified> Firefox 4372 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
<verified> Stereo Vision Control Panel API Server 3676 C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
<verified> CPMonitor Application 2480 C:\Program Files (x86)\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe
<verified> SaibSVC Application 2616 C:\Program Files (x86)\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
<verified> RoboForm TaskBar Icon 2328 C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
<verified> SUPERAntiSpyware Application 2312 C:\Program Files (x86)\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

Network activity
----------------
Process avp.exe (2720) connected on port 80 (HTTP) - 65.55.17.39
Process avp.exe (2720) connected on port 80 (HTTP) - 65.55.17.34
Process avp.exe (2720) connected on port 80 (HTTP) - 209.85.225.138
Process avp.exe (2720) connected on port 80 (HTTP) - iy-in-f138.1e100.net
Process avp.exe (2720) connected on port 80 (HTTP) - a96-17-252-20.deploy.akamaitechnologies.com

Process avp.exe (2720) listens on ports: 1110, 19780

Autoruns and critical files
---------------------------
<unsigned> VolPanlu.exe C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe
<unsigned> ShellExecuteHook c:\program files (x86)\superantispyware\sasseh.dll
<unsigned> SUPERAntiSpyware WinLogon Processor C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
<unsigned> TWeakIt.exe C:\Program Files\ASUS\TweakIt\TWeakIt.exe
<unsigned> xInsIDE.exe C:\Windows\RaidTool\xInsIDE.exe

<verified> SMax4PNP C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
<verified> RoxMMTrayApp Module C:\Program Files (x86)\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe
<verified> Kaspersky Anti-Virus C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
<verified> Mozilla 3 Virtual Keyboard c:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\mzvkbd3.dll
<verified> Sandbox r3 hooks for virtual processes c:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\sbhook.dll
<verified> CPMonitor Application C:\Program Files (x86)\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe
<verified> RoboForm TaskBar Icon C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
<verified> SUPERAntiSpyware Application C:\Program Files (x86)\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
<verified> Windows Sidebar C:\Program Files\Windows Sidebar\sidebar.exe
<verified> Shell Browser UI Library c:\windows\system32\browseui.dll
<verified> Microsoft Feeds Synchronization C:\Windows\system32\msfeedssync.exe
<verified> Web Site Monitor c:\windows\syswow64\webcheck.dll
<verified> Welcome Center oobefldr.dll
<verified> Userinit Logon Application userinit.exe

Browser plugins
---------------

<verified> IE Virtual Keyboard c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
<verified> WebToolBar component c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
<verified> Default Plug-in C:\Program Files (x86)\Mozilla Firefox\plugins\npnul32.dll
<verified> Office Plugin for Netscape Navigator C:\Program Files (x86)\Mozilla Firefox\plugins\NPOFF12.DLL
<verified> RoboForm Main Module C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
<verified> InstallShield Update Service Setup Player Module C:\Windows\Downloaded Program Files\dwusplay.dll
<verified> InstallShield Update Service Setup Player C:\Windows\Downloaded Program Files\dwusplay.exe
<verified> Macrovision Software Manager Web Agent C:\Windows\Downloaded Program Files\isusweb.dll
<verified> Windows Presentation Foundation (WPF) plug-in for c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
<verified> NPSWF32.dll C:\Windows\system32\Macromed\Flash\NPSWF32.dll
<verified> Microsoft Windows Sockets 2.0 Service Provider C:\Windows\System32\mswsock.dll
<verified> E-mail Naming Shim Provider C:\Windows\system32\napinsp.dll
<verified> Network Location Awareness 2 C:\Windows\system32\NLAapi.dll
<verified> PNRP Name Space Provider C:\Windows\system32\pnrpnsp.dll
<verified> LDAP RnR Provider DLL C:\Windows\System32\winrnr.dll
<verified> Internet Explorer C:\Windows\SysWOW64\ieframe.dll

Scan
----

No file uploaded.

Scan finished - communication took 4 sec
Total traffic - 0.04 MB sent, 1.16 KB recvd
Scanned 716 files and modules - 32 seconds
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proceeding to Malwarebytes and SUPERantispyware logs -->
December 3rd, 2009, 09:56 PM
steve_83

SAS in safe mode and Malwarebytes in normal mode files:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/03/2009 at 01:35 PM

Application Version : 4.31.1000

Core Rules Database Version : 4331
Trace Rules Database Version: 2185

Scan type : Complete Scan.....Ran In Safe Mode
Total Scan Time : 00:24:56

Memory items scanned : 134
Memory threats detected : 0
Registry items scanned : 6617
Registry threats detected : 0
File items scanned : 102147
File threats detected : 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes logfile in normal mode:

Malwarebytes' Anti-Malware 1.41
Database version: 3288
Windows 6.0.6002 Service Pack 2

12/3/2009 2:51:31 PM
mbam-log-2009-12-03 (14-51-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 206661
Time elapsed: 46 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

And finally:

On to the real deal.
My HijackThis logfile -->
December 3rd, 2009, 10:02 PM
steve_83

HijackThis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:56 PM, on 12/3/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files (x86)\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe
C:\Program Files\ASUS\TweakIt\TWeakIt.exe
C:\Program Files (x86)\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [TweakIt Help] "C:\Program Files\ASUS\TweakIt\TweakIt.exe" -r
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe"
O4 - HKLM\..\Run: [CPMonitor] "C:\Program Files (x86)\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files (x86)\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Roxio UPnP Renderer 11 - Sonic Solutions - C:\Program Files (x86)\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe
O23 - Service: Roxio Upnp Server 11 - Sonic Solutions - C:\Program Files (x86)\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe
O23 - Service: LiveShare P2P Server 11 (RoxLiveShare11) - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe
O23 - Service: RoxMediaDB11 - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe
O23 - Service: Roxio Hard Drive Watcher 11 (RoxWatch11) - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: Sound Blaster X-Fi MB Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\XMBLicensing.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 10580 bytes

It makes me ill to have a 7 month old i7 920 desktop that cost me waaaaaay too many $$, run like spit.

I can't Thank the members who are schooled in how to interpret these enough.

Steve_83 :)
December 3rd, 2009, 10:49 PM
Broni

MBAM log says "No action taken".
You didn't fix the issue, or you posted the log from before the fix.
Please, correct the problem.
December 4th, 2009, 07:54 AM
steve_83

I thought the rules said:
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

http://discussions.virtualdr.com/sho...d.php?t=167915

:confused:

I'll fix it Broni.....Thanks! :)

Should I post back the new logfile, Please?

Steve_83
December 4th, 2009, 10:37 AM
steve_83

Malwarebytes fixed something along the way

Hooray!

I guess. :confused:

The malwarebytes log for today (12/4/09 where I am) claims that nothing is infected.

Can't remember requesting a fix, but that may be in the logfiles somewhere.

I do know that the Vista side on newest i7 desktop is running a LOT better.

Why ..... in the world ..... Kaspersky hates this program is way beyond my comprehension.
Jealousy perhaps?
-- a Bit envy? :D

The log from today says:

Malwarebytes' Anti-Malware 1.42
Database version: 3291
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18828

12/4/2009 8:23:52 AM
mbam-log-2009-12-04 (08-23-52).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 236168
Time elapsed: 2 hour(s), 14 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you HiJackThis experts can find anything else....kindly post a reply.

I'm at a standstill until we get as much corrected as possible.

In case I haven't said this enough: Thank You moderators, et all to smithereens!

:p

Steve_83
December 4th, 2009, 10:52 AM
steve_83

DANGGIT!

:mad: --> at myself

That infected file was in the ignore list.

I'm running another one....sorry.
:o

Steve_83
December 4th, 2009, 06:39 PM
steve_83

My latest Malwarebytes log, sans that infected file is:

Malwarebytes' Anti-Malware 1.42
Database version: 3292
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18828

12/4/2009 2:14:55 PM
mbam-log-2009-12-04 (14-14-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 206727
Time elapsed: 43 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
~~~~~~~~~~~~~~~~~~~~~~~

Does anyone spot anything else in the HiJackThis log, Please? (or)

Could this have been fixed just by continuing to use Malwarebytes despite Kaspersky's attitude towards that program?

If so...shame on --> the Kaspersky moderator's. (dang Picasso wannabe)

:mad:

My desktop is running better X 10 !
:p

Steve_83
December 4th, 2009, 09:03 PM
crunchie

Quote:

Originally Posted by steve_83

I thought the rules said:
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

http://discussions.virtualdr.com/sho...d.php?t=167915

:confused:

I'll fix it Broni.....Thanks! :)

Should I post back the new logfile, Please?

Steve_83

From the same link you provided;

Quote:

* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.

:)
December 5th, 2009, 12:01 AM
Broni
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
- Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
- This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, select Complete scan.
- Click the green arrow https://discussions.virtualdr.com/im.../2010/11/6.jpg at the right, and the scan will start.
- Click Yes to all if it asks if you want to cure/move the file.
- When the scan has finished, in the menu, click File and choose Save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
- Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.cvs report.
NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Post fresh HijackThis log as well.
December 5th, 2009, 04:47 AM
steve_83

10-4 crunchie & Broni.....Thank you fellows!

This is just a bump that I received this and will do that asap.

I'm running routine maintainence on the XP Pro side of this RAID array.

Once I finish the usual scans there & get into the fubared Vista Drive...I'll post back.

Good to hear from you crunchie ! ;)

It's been awhile since I have needed this type of help.

Bless you too Broni and SpywareDr ! I am --> Indebted.
Thanks gentlemen !

We are definitely making progress.

I want to install 7, but don't think it's a good plan to install a new OS over a sick one.

:rolleyes:

Steve_83
December 5th, 2009, 09:59 AM
steve_83

PLEASE LEND ME A HAND ON THE LOGFILE ????

Dr Web seems to be a nice tool to add to anyone's arsenal.

However....Saving a logfile (I am getting to detest Vista, seriously) :mad:...does not hi-lite and it was saved as:
%USERPROFILE%\DoctorWeb\CureIt.log

I've searched all over for that thing.

Frustrating. :(

It can't be found, or maybe (since I'm new at this program) I didn't tick the correct boxes, etc.

Would it suffice to say that it found nothing after taking 1 hour 50 minutes, ?

I'll await a reply and just leave the thing running so I don't lose it and have to spend another 2 hours to find nothing again.

I've got a busy day today with 3 hours of rack time.

Oh Well ? If life was fair....I'd get what I deserve and be in more trouble.

Re-posting another hijackthis is not any problem.

Steve_83
December 5th, 2009, 11:27 AM
Train

Do a Search for "CureIt.log"

I prefer SuperFinder for searching.
http://fsl.sytes.net/ssearchold.html
December 5th, 2009, 07:15 PM
steve_83

I did Train.
Found nothing. :o

I
detest
Vista.

http://www.drivershq.com/News/Micros...a/102/346.aspx

Quote:

Would it suffice to say that it found nothing after taking 1 hour 50 minutes, ?

I'll await a reply and just leave the thing running (too late now) so I don't lose it and have to spend another 2 hours to find nothing again.

I've got, (now HAD) a busy day today with 3 hours of rack time.

If not, I'll download another program I don't really want (no offense aimed Train, you oughta know that by now) , (or) run the 2 hour scan again.

That's worth it for the efforts I get, have gotten here. :)

If the cureit log isn't necessary....I'll just post another Hijack log.

My Vista drive is running 100% better, but still doesn't smoke like the XP side does, but the XP side isn't loaded with violent 1st person shooter games either.
:D

Thanks again....all.
;)

Steve_83
December 5th, 2009, 07:25 PM
Broni
Your problems may be not necessary connected to any infection, but....

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE. If Combofix asks you to install Recovery Console, please allow it.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
December 6th, 2009, 07:23 AM
steve_83

These look like there is a compatibilty issue.

Downloaded from bleepingcomputer:

Quote:

Error - Win 32 only
Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP.

Then from subsgeekstogo:

Quote:

Win32. Not a valid combination.

I'm running Vista Ultimate x64 Broni.
Is there a compatible version, please?

I'm trying guy.....please be patient, ok?

Steve_83 :o
December 6th, 2009, 02:01 PM
Broni
I'm sorry. My fault. I should have noticed, you're running 64-bit. Combofix won't run on 64-bit.

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\system32\eventlog.dll
%systemroot%\system32\scecli.dll
%systemroot%\netlogon.dll
%systemroot%\system32\cngaudit.dll
%systemroot%\system32\sceclt.dll
%systemroot%\ntelogon.dll
%systemroot%\system32\logevent.dll

* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  Since those are pretty big files, you can attach them, if you wish.
December 8th, 2009, 07:32 AM
steve_83

OTL scan results Broni, et all

As usual, you are correct Broni :) ......these are semi-large text files that there's no way jose' that I can interpret.

:confused:

So they are at the links below that I hope you can open with notepad.
I'm having one helluva time mangling attachments today.
Someone might be doing maintenance this early in the am ??

OTL Standard scan results are here.

OTL extras are here.

The latest Microsoft Malicious software removal tool for December is available today, and I came up.....clean !
:p

What next guys?

I'm running significantly better on my Vista side, and the case may be:

All my fubared files emanated from Microsoft updates, and Malwarebytes scans seem to have corrected that.

If I can improve: fine.

Should I post back another hijack logfile, and clean this drive up Please?

Bless you fellows, seriously.

Steve_83 :D
December 8th, 2009, 08:16 PM
Broni

I'm getting an error while trying to download OTL logs.
December 9th, 2009, 07:05 AM
steve_83

F U B A R......

They were in my attachments Broni....I swear, but now they're gone.

:(

I'll post back when I finish up my XP maintanence.
The internet must be : Under Attack. :eek:

I have been getting VERY LARGE (comparatively) Kaspersky update files.

Keep bearing with me, ok? :o

I am still..............Highly Indebted for this sir.
If there is such a thing as: Karma Broni.......you're gonna have a Max Kick A** 2010.
:)

Steve_83
December 9th, 2009, 06:58 PM
Broni

I'm here :)
December 9th, 2009, 08:14 PM
steve_83

Been getting some scans run @ the hospital

ok....just a sec.

Can we pivot that thumb, 90 degrees clockwise, and colo-rrr it?

:o

steve_83 ;)
December 9th, 2009, 08:54 PM
steve_83

2 Attachment(s)

Attachment 9251

Attachment 9252

How's that my friend?

I must have hit them the other morning when I was stressing over the previous post.

Steve_83
December 9th, 2009, 09:12 PM
Broni

The good news is, you don't have any security issues.
The bad news is, you need to go back to your original thread and look for some other solutions.
December 9th, 2009, 09:19 PM
steve_83

[Resolved]

Thank you Broni, and all contributors.
December 9th, 2009, 09:41 PM
Broni

You're welcome :)