
Solved malware-log from scan- how do I proceed?

Discussion in 'Malware and Virus Removal Archive' started by missy77, 2010/09/28.

  1. 2010/09/28
    missy77

    missy77 Inactive Thread Starter

    Joined:
    2006/09/16
    Messages:
    208
    Likes Received:
    1
    [Resolved] malware-log from scan- how do I proceed?

    as requested, here is:


    dds:
    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Lisa at 0:04:11.90 on Wed 09/29/2010
    Internet Explorer: 8.0.6001.18943
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1013.165 [GMT -4:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\FinePixViewer\QuickDCF2.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
    C:\Program Files\Southwest Airlines\Ding\Ding.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\DllHost.exe
    C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Lisa\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EQ6QGRZW\dds[1].scr

    ============== Pseudo HJT Report ===============

    uWindow Title = Windows Internet Explorer provided by Comcast
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.comcast.net/
    mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6840
    mWindow Title = Windows Internet Explorer provided by Comcast
    uInternet Settings,ProxyOverride = <local>
    mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6840
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.8.0.5\IPSBHO.DLL
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    uRun: [Windows Sidebar] "c:\program files\windows sidebar\Sidebar.exe" /autorun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [EPSON Stylus CX9400Fax Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticfa.exe /fu "c:\windows\temp\E_SBE01.tmp" /EF "HKCU "
    uRun: [Aim6]
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe "
    mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe "
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe "
    mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe "
    mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe "
    mRun: [Persistence] "c:\windows\system32\igfxpers.exe "
    mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll ",CheckUSBController
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    StartupFolder: c:\users\lisa\appdata\roaming\micros~1\windows\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Trusted Zone: facebook.com\www
    Trusted Zone: gallery.com
    Trusted Zone: gateway.com
    Trusted Zone: kodakgallery.com
    Trusted Zone: ofoto.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll

    ============= SERVICES / DRIVERS ===============

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1108000.005\symds.sys [2010-9-26 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1108000.005\symefa.sys [2010-9-26 173104]
    R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20100901.003\BHDrvx86.sys [2010-8-31 692272]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1108000.005\cchpx86.sys [2010-9-26 501888]
    R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20100924.001\IDSvix86.sys [2010-9-26 344112]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1108000.005\ironx86.sys [2010-9-26 116784]
    R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1108000.005\symtdiv.sys [2010-9-26 339504]
    R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.8.0.5\ccsvchst.exe [2010-9-26 126392]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-2-26 110592]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-9-26 102448]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-19 21504]
    S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    =============== Created Last 30 ================

    2010-09-28 02:24:26 0 d-----w- c:\users\lisa\appdata\roaming\Malwarebytes
    2010-09-28 02:24:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-28 02:24:06 0 d-----w- c:\programdata\Malwarebytes
    2010-09-28 02:24:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-28 02:24:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-15 00:58:36 502272 ----a-w- c:\windows\system32\usp10.dll
    2010-09-15 00:58:26 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
    2010-09-15 00:57:22 128000 ----a-w- c:\windows\system32\spoolsv.exe
    2010-09-15 00:51:38 739328 ----a-w- c:\windows\system32\inetcomm.dll

    ==================== Find3M ====================

    2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-04-30 17:39:43 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-04-30 17:39:43 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-04-30 17:39:43 143360 ----a-w- c:\windows\inf\infstrng.dat
    2009-11-21 08:24:48 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-10-26 04:29:08 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-12-21 04:30:27 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-03-02 01:58:03 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009030120090302\index.dat
    2009-05-16 04:16:28 16384 --sha-w- c:\windows\temp\cookies\index.dat
    2009-05-16 04:16:28 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
    2009-05-16 04:16:28 16384 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

    ============= FINISH: 0:08:41.04 ===============

    attach:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 5/22/2007 6:08:47 PM
    System Uptime: 9/28/2010 10:59:39 PM (2 hours ago)

    Motherboard: Gateway | |
    Processor: Intel(R) Core(TM) Duo CPU T2450 @ 2.00GHz | uFCPGA2 | 800/533mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 139 GiB total, 17.893 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 1.668 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================


    3ivx MPEG-4 5.0.3 (remove only)
    ABBYY FineReader 5.0 Sprint
    ABBYY FineReader 6.0 Sprint
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player Plugin
    Adobe Photoshop 6.0
    Adobe Reader 9.1
    Adobe Shockwave Player 11
    Adobe SVG Viewer
    AIM 6
    Amazon MP3 Downloader 1.0.5
    Amazon Unbox Video
    AOL Instant Messenger
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft PhotoImpression 6
    ArcSoft Print Creations
    Audible Download Manager
    Bejeweled 2 Deluxe
    Blasterball 3
    Bonjour
    Browser Address Error Redirector
    BUM
    CCleaner (remove only)
    Comcast High-Speed Internet Install Wizard
    Compatibility Pack for the 2007 Office system
    Coupon Printer for Windows
    DING!
    Download Updater (AOL LLC)
    EPSON CX9400 User's Guide
    EPSON Printer Software
    EPSON Scan
    EPSON Stylus CX9400Fax Series Scanner Driver Update
    EPSON Web-To-Page
    Family Feud 2
    FATE
    FinePixViewer Resource
    FinePixViewer Ver.5.5
    FlipShare
    Gateway Connect
    Gateway Game Console
    Gateway Recovery Center Installer
    Geek Squad 24 Hour Computer Support
    Google Earth
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Matrix Storage Manager
    IrfanView (remove only)
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 21
    Java(TM) SE Runtime Environment 6 Update 1
    KODAK EASYSHARE Gallery Easy Upload, v2.1
    KODAK EASYSHARE Gallery Upload ActiveX Control
    Linkit_eBay
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Digital Image Library 9 - Blocker
    Microsoft Digital Image Starter Edition 2006
    Microsoft Digital Image Starter Edition 2006 Editor
    Microsoft Digital Image Starter Edition 2006 Library
    Microsoft IntelliPoint 6.1
    Microsoft Money 2006
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    MIKSOFT Mobile Media Converter
    Motorola SM56 Data Fax Modem
    Move Networks Media Player for Internet Explorer
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 and SOAP Toolkit 3.0
    Norton AntiVirus
    OGA Notifier 2.0.0048.0
    Penguins!
    Pinnacle Instant DVD Recorder
    Polar Bowler
    Polar Golfer
    Power2Go 5.0
    QuickTime
    RAW FILE CONVERTER LE
    Security Update for 2007 Microsoft Office System (KB2277947)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for 2007 Microsoft Office System (KB982331)
    Security Update for Microsoft Office Excel 2007 (KB982308)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2251419)
    SigmaTel Audio
    Skype™ 3.8
    Synaptics Pointing Device Driver
    Texas Instruments PCIxx21/x515/xx12 drivers.
    TIPCI
    Tradewinds
    TreeSize Free V2.2.1
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Verizon Yahoo! Applications
    Viewpoint Media Player
    WD SmartWare
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Zwei-Stein Video Compositor 3.01 (Beta 2).

    ==== End Of File ===========================



    I had a problem (virus?) with my computer and was able to repair it using a drive scan. Thanks to the great help on another forum, I am up now. The only problem I am left with is I can't get the internet to work completely. One problem is my bank: I can log in, but the pop-up I usually see and have to OK won't come up. And on Facebook, I can log in OK and such, but I can't send a private message because that box won't pop up. What is the fix?


    here is what went on prior to now in case it helps:

    http://www.windowsbbs.com/windows-vista/95299-how-get-past-stop-error-screen.html


    here is the log of the scan:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4707

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18943

    9/28/2010 2:25:23 PM
    mbam-log-2010-09-28 (14-25-23).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 331127
    Time elapsed: 3 hour(s), 12 minute(s), 18 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 21
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Now what?
     
    Last edited: 2010/09/28
  2. 2010/09/29
    missy77

    missy77 Inactive Thread Starter

    Joined:
    2006/09/16
    Messages:
    208
    Likes Received:
    1
    Added scan to original post, hope I did it right this time. If not, please tell me what I missed. Thanks!
     


  4. 2010/09/29
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    A Malware expert will have a look at your log in due course.
     
  5. 2010/09/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    ===============================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
     
  6. 2010/09/29
    missy77

    missy77 Inactive Thread Starter

    Joined:
    2006/09/16
    Messages:
    208
    Likes Received:
    1
    Hi there and thanks!

    I just wanted to also say I can log into email, MSN, but I can't open pages. I also cannot update Windows; it says there are updates, but it only flashes when I try to click Windows Updates. I saw you helping someone on another thread with that same problem and have been trying to follow along.

    So I tried to download GMER and it goes to the stop error screen

    PAGE_FAULT_IN_NONPAGED_AREA

    If this is the first time...

    *** kxldapow.sys - address B6D8AD3D base at B6D7F000, DATESTAMP 4B274F8D

    then it did dump...

    I can reboot and start in regular mode. I just can't get GMER to work.
     
  7. 2010/09/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Proceed with next step.
     
  8. 2010/09/29
    missy77

    missy77 Inactive Thread Starter

    Joined:
    2006/09/16
    Messages:
    208
    Likes Received:
    1
    Oh, and another weird thing is I use Microsoft Windows Mail Version 6.0.6000.16386. The send/receive will not highlight, so I have not been able to get mail through it since before this happened. (I can obviously get it via the internet.)


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: Gateway
    BIOS Manufacturer: Phoenix Technologies LTD
    System Manufacturer: Gateway
    System Product Name: MT6840
    Logical Drives Mask: 0x0000001c

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`9cb8a800 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
    SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


    Done!
    Press ENTER to exit...
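As an added illustration of what an MBR-integrity check such as MBRCheck reports (example code written for this thread, not MBRCheck's own source): it builds a constructed 512-byte MBR in memory, hashes the boot-code area, compares the hash against a small allowlist, and decodes the partition table into the byte offsets that the log above prints. The `0x7e00` and `0x29cb8a800` partition offsets are reused from the log; the boot code, the second partition's size and the allowlist are constructed. The assumption that the hash covers the first 440 bytes (boot code before the disk signature) is mine, since the page does not state the tool's exact hashing range.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # assumption: hash the boot code that precedes the disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries
SIGNATURE_OFF = 510        # 0x55AA boot signature
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count

# Constructed boot code (not a real bootloader): a few x86 bytes padded with NOPs.
SAMPLE_BOOT_CODE = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8" + b"\x90" * 429)[:BOOT_CODE_LEN]

# Constructed partition layout: (status, type, LBA start, sector count).
# Entry 0 starts at sector 63 (byte offset 0x7e00, as for D: in the MBRCheck log);
# entry 1 starts at the sector whose byte offset is 0x29cb8a800 (as for C:).
SAMPLE_PARTITIONS = [
    (0x00, 0x07, 63, 0x1400000),          # ~10 GiB NTFS
    (0x80, 0x07, 0x14E5C54, 0x115FA000),  # ~139 GiB NTFS, marked bootable
]


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and partition tuples (constructed data)."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, status, b"\xff\xff\xff", ptype,
                                        b"\xff\xff\xff", lba_start, sectors)
    mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    return bytes(mbr)


def boot_code_sha1(mbr: bytes) -> str:
    """SHA1 of the boot-code area, printed upper-case like the MBRCheck log."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries; empty entries (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "byte_offset": lba_start * SECTOR,   # what MBRCheck prints as "at offset"
            "size_bytes": sectors * SECTOR,
        })
    return parts


def check_mbr(mbr: bytes, known_hashes: dict) -> dict:
    """Verify the boot signature, hash the boot code and look it up in an allowlist."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    digest = boot_code_sha1(mbr)
    return {
        "signature_ok": mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
        "sha1": digest,
        "known_as": known_hashes.get(digest),   # None: boot code is not in the allowlist
        "partitions": parse_partitions(mbr),
    }


SAMPLE_MBR = build_sample_mbr(SAMPLE_BOOT_CODE, SAMPLE_PARTITIONS)
# Constructed allowlist; a real one holds hashes of known-good vendor boot code.
KNOWN_BOOT_CODE = {boot_code_sha1(SAMPLE_MBR): "sample boot code (constructed)"}


def tampered_copy(mbr: bytes) -> bytes:
    """Flip one byte inside the boot code, modelling an MBR overwritten by a bootkit."""
    out = bytearray(mbr)
    out[0x10] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    for label, sector in (("clean", SAMPLE_MBR), ("tampered", tampered_copy(SAMPLE_MBR))):
        r = check_mbr(sector, KNOWN_BOOT_CODE)
        print(f"{label}: signature_ok={r['signature_ok']} sha1={r['sha1']} known_as={r['known_as']}")
        for p in r["partitions"]:
            print(f"  entry {p['index']}: type 0x{p['type']:02x} bootable={p['bootable']} "
                  f"offset=0x{p['byte_offset']:x} size={p['size_bytes'] // 2**30} GiB")
```

On a real system the 512 bytes would come from reading `\\.\PhysicalDrive0` with administrator rights; the point of the allowlist is that an unknown boot-code hash is a reason to look closer, not proof of infection, which is also why a tool like MBRCheck names the code it recognises rather than just printing the hash.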
     
  9. 2010/09/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    MBRCheck log looks good :)
    We'll worry about other issues when your computer is clean.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  10. 2010/09/30
    missy77

    missy77 Inactive Thread Starter

    Joined:
    2006/09/16
    Messages:
    208
    Likes Received:
    1
    FYI, it took about 40-50 mins to run.



    ComboFix 10-09-29.01 - Lisa 09/30/2010 0:53.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1013.164 [GMT -4:00]
    Running from: c:\users\Lisa\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\windows
    c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
    c:\windows\system32\spool\prtprocs\w32x86\LMPriNT.dll
    D:\Autorun.inf

    c:\windows\system32\Drivers\atapi.sys . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-30 )))))))))))))))))))))))))))))))
    .

    2010-09-30 05:11 . 2010-09-30 05:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-09-30 05:11 . 2010-09-30 05:12 -------- d-----w- c:\users\Lisa\AppData\Local\temp
    2010-09-28 02:24 . 2010-09-28 02:24 -------- d-----w- c:\users\Lisa\AppData\Roaming\Malwarebytes
    2010-09-28 02:24 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-28 02:24 . 2010-09-28 02:24 -------- d-----w- c:\programdata\Malwarebytes
    2010-09-28 02:24 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-28 02:24 . 2010-09-28 18:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-27 16:35 . 2010-09-30 03:10 15256 ----a-w- c:\users\Lisa\AppData\Roaming\Microsoft\IdentityCRL\ppcrlconfig.dll
    2010-09-15 00:58 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
    2010-09-15 00:58 . 2010-04-05 17:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
    2010-09-15 00:57 . 2010-08-17 14:11 128000 ----a-w- c:\windows\system32\spoolsv.exe
    2010-09-15 00:51 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-29 14:26 . 2007-08-10 02:30 -------- d-----w- c:\programdata\Viewpoint
    2010-09-29 14:18 . 2007-05-22 22:11 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-09-29 14:18 . 2009-03-02 01:28 -------- d-----w- c:\programdata\Amazon
    2010-09-29 14:18 . 2009-03-02 01:28 -------- d-----w- c:\program files\Amazon
    2010-09-28 18:51 . 2007-05-22 22:27 -------- d-----w- c:\program files\Common Files\Java
    2010-09-28 18:49 . 2007-05-22 22:27 -------- d-----w- c:\program files\Java
    2010-09-27 00:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-08-15 07:06 . 2007-05-22 22:22 -------- d-----w- c:\programdata\Microsoft Help
    2010-08-11 01:32 . 2007-08-08 02:47 -------- d-----w- c:\users\Lisa\AppData\Roaming\Apple Computer
    2010-07-28 13:38 . 2010-07-28 13:38 570776 ----a-w- c:\users\Lisa\AppData\Roaming\Geek Squad 24 Hour Computer Support\update\Update.exe
    2010-07-17 09:00 . 2010-07-05 22:46 423656 ----a-w- c:\windows\system32\deployJava1.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Sidebar"="c:\program files\Windows Sidebar\Sidebar.exe" [2009-04-11 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-22 842584]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
    "USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

    c:\users\Lisa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2009-5-16 303104]
    WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-2-26 2057536]
    WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-2-26 9136960]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1108000.005\SYMDS.SYS [2009-08-30 328752]
    S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1108000.005\SYMEFA.SYS [2010-04-22 173104]
    S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100901.003\BHDrvx86.sys [2010-08-31 692272]
    S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1108000.005\ccHPx86.sys [2010-02-26 501888]
    S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100924.001\IDSvix86.sys [2010-05-28 344112]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1108000.005\Ironx86.SYS [2010-04-29 116784]
    S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NAV\1108000.005\SYMTDIV.SYS [2010-05-06 339504]
    S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe [2010-02-26 126392]
    S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2010-02-26 110592]
    S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.comcast.net/
    mWindow Title = Windows Internet Explorer provided by Comcast
    uInternet Settings,ProxyOverride = <local>
    Trusted Zone: facebook.com\www
    Trusted Zone: gallery.com
    Trusted Zone: gateway.com
    Trusted Zone: kodakgallery.com
    Trusted Zone: libertybaycu.org\www
    Trusted Zone: ofoto.com
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Aim6 - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-30 01:12
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NAV]
    "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2010-09-30 01:19:59
    ComboFix-quarantined-files.txt 2010-09-30 05:19

    Pre-Run: 21,377,769,472 bytes free
    Post-Run: 21,670,105,088 bytes free

    - - End Of File - - A4343D030920DCEAB7E73812FE341D67
     
  11. 2010/09/30
    broni (Moderator, Malware Analyst)
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      atapi.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  12. 2010/09/30
    missy77

    missy77 (Thread Starter)
    SystemLook 04.09.10 by jpshortstuff
    Log created at 19:46 on 30/09/2010 by Lisa
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "atapi.sys"
    C:\Windows\ERDNT\cache\atapi.sys --a---- 19944 bytes [05:17 30/09/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
    C:\Windows\System32\drivers\atapi.sys --a---- 19944 bytes [18:51 11/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys --a---- 21560 bytes [22:10 13/02/2008] [22:10 13/02/2008] B35CFCEF838382AB6490B321C87EDF17
    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a---- 19944 bytes [18:51 11/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a---- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a---- 21560 bytes [02:33 20/09/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
    C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys --a---- 21560 bytes [22:10 13/02/2008] [22:10 13/02/2008] B35CFCEF838382AB6490B321C87EDF17
    C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys --a---- 21560 bytes [22:10 13/02/2008] [22:10 13/02/2008] E03E8C99D15D0381E02743C36AFC7C6F
    C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a---- 21560 bytes [02:33 20/09/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
    C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a---- 19944 bytes [18:51 11/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4

    -= EOF =-
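The :filefind step above lists every copy of atapi.sys on the disk with its size and MD5, but the reader still has to do the comparison by eye. The script below is an added example (it is not part of the thread, of SystemLook or of ComboFix): it parses those lines, finds the copy Windows actually loads from System32\drivers, and reports which DriverStore or winsxs copies carry the same bytes and which servicing version that corresponds to. The input block is copied from the log above; the ERDNT\cache copy appears to be ComboFix's own backup, since its timestamp coincides with the ComboFix run. hash_bytes() produces the MD5/SHA-1 pair that online scanners print in their file info, so a local result can be compared against what the scanner says it received. One caveat a practitioner should keep in mind: this reads the driver through the running operating system, and a kernel-mode rootkit that filters disk reads can hand back clean bytes, so a hash that matches the servicing copy is corroboration, not proof, which is why the helper goes on to ask for an independent scan rather than stopping here. A mismatch, on the other hand, is a strong signal.

```python
"""Cross-check every copy of atapi.sys that SystemLook's :filefind reported.

Added example (not code from the thread, from SystemLook or from ComboFix).
The input block is copied from the SystemLook log posted above; the active
driver path is the one the helper asked to have checked.
"""
import hashlib
import re
from collections import defaultdict

# Copied from the SystemLook output above (one record per line).
SYSTEMLOOK_OUTPUT = r"""
C:\Windows\ERDNT\cache\atapi.sys --a---- 19944 bytes [05:17 30/09/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\drivers\atapi.sys --a---- 19944 bytes [18:51 11/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys --a---- 21560 bytes [22:10 13/02/2008] [22:10 13/02/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a---- 19944 bytes [18:51 11/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a---- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a---- 21560 bytes [02:33 20/09/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys --a---- 21560 bytes [22:10 13/02/2008] [22:10 13/02/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys --a---- 21560 bytes [22:10 13/02/2008] [22:10 13/02/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a---- 21560 bytes [02:33 20/09/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a---- 19944 bytes [18:51 11/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
"""

ACTIVE_DRIVER = r"C:\Windows\System32\drivers\atapi.sys"

# path  attrs  size bytes  [stamp] [stamp]  MD5   (SystemLook's filefind layout;
# the order of the two timestamps is not relied on for the hash check)
RECORD_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<attrs>[-a-zA-Z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<stamp_a>[^\]]+)\]\s+\[(?P<stamp_b>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
# Version baked into a winsxs component folder name, e.g. ..._6.0.6002.18005_none_...
WINSXS_VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


def parse_filefind(text):
    """Turn SystemLook ':filefind' lines into dicts; non-record lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            records.append(rec)
    return records


def is_reference_copy(path):
    """DriverStore and winsxs hold the servicing stack's own copies of the driver."""
    p = path.lower()
    return "\\driverstore\\" in p or "\\winsxs\\" in p


def check_active_driver(records, active_path=ACTIVE_DRIVER):
    """Does the driver Windows loads hash-match any servicing-stack copy?"""
    by_md5 = defaultdict(list)
    for rec in records:
        by_md5[rec["md5"]].append(rec)
    active = [r for r in records if r["path"].lower() == active_path.lower()]
    if not active:
        return {"status": "active_copy_not_listed", "md5": None, "size": None,
                "matching_copies": [], "versions": []}
    md5, size = active[0]["md5"], active[0]["size"]
    matches = [r["path"] for r in by_md5[md5] if is_reference_copy(r["path"])]
    versions = sorted({m.group(1) for m in map(WINSXS_VERSION_RE.search, matches) if m})
    return {
        "status": "matches_reference_copy" if matches else "no_reference_copy_matches",
        "md5": md5,
        "size": size,
        "matching_copies": matches,
        "versions": versions,
    }


def hash_bytes(data):
    """MD5 and SHA-1 of a file's bytes: the pair online scanners print in their file info."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


if __name__ == "__main__":
    result = check_active_driver(parse_filefind(SYSTEMLOOK_OUTPUT))
    print(f"{ACTIVE_DRIVER}: {result['status']}")
    print(f"  md5={result['md5']} size={result['size']}")
    for path in result["matching_copies"]:
        print(f"  same bytes as {path}")
    print(f"  package version(s) of matching winsxs copies: {result['versions'] or 'none'}")
```

Run against the log above, the active driver's MD5 (1F05B78A...) is shared with the DriverStore copy in mshdc.inf_b12d8e84 and the winsxs copy for 6.0.6002.18005, which is the expected state after servicing. To compare your own file against an online scanner's report, feed the file's bytes to hash_bytes() and check that the scanner's "MD5"/"SHA1" lines show the same values; if they do, the scanner is looking at the same bytes you have, whatever the cached verdict says.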
     
  13. 2010/09/30
    broni

    broni (Moderator, Malware Analyst)
    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
    Upload following files to http://www.virustotal.com/ for security check:
    - C:\Windows\System32\drivers\atapi.sys
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
     
  14. 2010/09/30
    missy77

    missy77 (Thread Starter)
    My "show hidden folders/files" was already checkmarked.

    Explorer is opening to Documents; there are 21 files showing. Not sure what you mean for me to upload??? I searched for C:\Windows\System32\drivers\atapi.sys in all of Explorer and can't find a file with that name.
     
    Last edited: 2010/09/30
  15. 2010/09/30
    broni

    broni (Moderator, Malware Analyst)
    Go to http://www.virustotal.com/ and click on "Browse" button.
    Navigate to C:\Windows\System32\drivers\atapi.sys
    Highlight atapi.sys file, click "Open" button.
     
  16. 2010/09/30
    missy77

    missy77 (Thread Starter)
    Sorry!!! Duh! I got it!
     
  17. 2010/09/30
    broni

    broni (Moderator, Malware Analyst)
    Ok :)
     
  18. 2010/09/30
    missy77

    missy77 (Thread Starter)
    I am on another computer, just to be sure I did it right, it shows a sending file box now and has been doing so for about 28 minutes... is this correct?
     
  19. 2010/09/30
    broni

    broni (Moderator, Malware Analyst)
  20. 2010/09/30
    missy77

    missy77 (Thread Starter)
    Jotti's malware scan
    This file has been scanned before. The results for this previous scan are listed below.

    Filename: atapi.sys
    Status: Acquiring previous results...

    Additional info
    File size: 19944 bytes
    Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
    MD5: 1f05b78ab91c9075565a9d8a4b880bc4
    SHA1: 218442cd7afecbc8d102c4e31d9ef3528642191b

    Scanners
    No result available (shown for every scanner in the list)
     
  21. 2010/09/30
    broni

    broni (Moderator, Malware Analyst)
    That won't work. I need YOUR file to be scanned.

    Click on "Scan again" button.
     
