
services.exe causing shutdown..

  • 01-12-2009 9:21pm, #1, Registered Users Posts: 2,505 ✭✭✭


    Hi,

    I've googled this, and searched on Boards. Found loads of references, but nothing that actually fixes it..

    As soon as my laptop boots up, I get a message box that says

    "NT AUTHORITY\SYSTEM C:\WINNT\system32\services.exe terminated unexpectedly with status code 128"
    "The System will shut down in 60 seconds"


    So then it shuts down.. I've followed the procedures in the sticky, but to no avail.

    Any thoughts?
    I'm running Windows XP Media Centre Edition, Version 2002, SP3.
    Logs below..





    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:10:07, on 01/12/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Kevin Kennedy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Kevin Kennedy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Kevin Kennedy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.elvisnews.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kevin Kennedy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
    O4 - HKCU\..\Run: [photo_id] C:\WINDOWS\TEMP\~TM7F.tmp
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: algqeh32.exe
    O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Kevin Kennedy\Application Data\Dropbox\bin\Dropbox.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.carzone.ie/my/aurigma/ImageUploader4.cab
    O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - https://sisweb.ucd.ie:9010/forms90/jinitiator/jinit.exe
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/KEVINK~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

    --
    End of file - 10807 bytes







    Rooter.exe (v1.0.2) by Eric_71
    .
    SeDebugPrivilege granted successfully ...
    .
    Windows XP . (5.1.2600) Service Pack 3
    [32_bits] - x86 Family 6 Model 13 Stepping 8, GenuineIntel
    .
    [wscsvc] STOPPED (state:1) : Security Center -> Disabled !
    [SharedAccess] RUNNING (state:4)
    Windows Firewall -> Disabled !
    .
    Internet Explorer 8.0.6001.18702
    .
    C:\ [Fixed-NTFS] .. ( Total:51 Go - Free:21 Go )
    D:\ [CD_Rom]
    .
    Scan : 20:10.55
    Path : C:\Documents and Settings\Kevin Kennedy\Desktop\Rooter.exe
    User : Kevin Kennedy ( Administrator -> YES )
    .
    \\ Processes
    .
    Locked [System Process] (0)
    ______ System (4)
    ______ \SystemRoot\System32\smss.exe (704)
    ______ \??\C:\WINDOWS\system32\csrss.exe (748)
    ______ \??\C:\WINDOWS\system32\winlogon.exe (772)
    ______ C:\WINDOWS\system32\services.exe (816)
    ______ C:\WINDOWS\system32\lsass.exe (828)
    ______ C:\WINDOWS\system32\svchost.exe (976)
    ______ C:\WINDOWS\system32\svchost.exe (1068)
    ______ C:\WINDOWS\system32\svchost.exe (1132)
    ______ C:\WINDOWS\system32\svchost.exe (1192)
    ______ C:\WINDOWS\system32\svchost.exe (1260)
    ______ C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe (156)
    ______ C:\WINDOWS\Explorer.EXE (372)
    ______ C:\WINDOWS\System32\svchost.exe (1476)
    ______ C:\WINDOWS\System32\svchost.exe (1520)
    ______ C:\Documents and Settings\Kevin Kennedy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (1728)
    ______ C:\Documents and Settings\Kevin Kennedy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (480)
    ______ C:\Documents and Settings\Kevin Kennedy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (640)
    ______ C:\WINDOWS\system32\wbem\wmiprvse.exe (264)
    ______ C:\WINDOWS\system32\NOTEPAD.EXE (1856)
    ______ C:\Documents and Settings\Kevin Kennedy\Desktop\Rooter.exe (1224)
    .
    \\ Device\Harddisk0\
    .
    \Device\Harddisk0 [Sectors : 63 x 512 Bytes]
    .
    \Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:98671104)
    \Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:98703360 | Length:54911969280)
    \Device\Harddisk0\Partition3 (Start_Offset:55018897920 | Length:4984519680)
    .
    \\ Scheduled Tasks
    .
    C:\WINDOWS\Tasks\1-Click Maintenance.job
    C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\Tasks\desktop.ini
    C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2130270148-1381328813-2222130153-1005Core.job
    C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2130270148-1381328813-2222130153-1005UA.job
    C:\WINDOWS\Tasks\SA.DAT
    .
    \\ Registry
    .
    .
    \\ Files & Folders
    .
    C:\DOCUME~1\KEVINK~1\Favorites\Kevin\techie\Russian Crack Zone cracks collection.url
    ==> Cracks & Keygens <==
    .
    \\ Scan completed at 20:12.20
    .
    C:\Rooter$\Rooter_1.txt - (01/12/2009 | 20:12.20).c


Comments

  • Registered Users Posts: 81,223 ✭✭✭✭biko


    I'm sure someone with more info will post too but you have algqeh32.exe on your system it seems.
    http://forums.avg.com/us-en/avg-free-forum?sec=thread&act=show&id=45943
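
    The sifting biko is doing by eye above, written out as a small triage script. This is an added example, not part of this thread and not HijackThis code: it parses the O4/O20 autostart lines of a HijackThis log and flags the patterns worth a second look (a Run value pointing into a temp directory, a loose executable in the Startup folder, a Run value under the SYSTEM account's hive, an AppInit_DLLs entry, a Run value named after a Windows system binary, and orphaned "(no file)" entries). The scoring rules are my own heuristics, not anything HijackThis outputs; the sample lines are copied from the log posted above.

```python
"""Triage of HijackThis autostart lines (O4/O20) and orphaned entries.

Added example for this thread; not part of the original post and not
HijackThis code. The severity rules below are the author's own heuristics.
"""
import re

# "O4 - HKLM\..\Run: [Name] command"  (hive may be HKLM, HKCU or HKUS\<SID>)
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O4 - Startup: target" / "O4 - Global Startup: target"
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<target>.*)$")
# Anything launched from a temp directory, or a .tmp file used as a program
TEMP_RE = re.compile(r"\\temp\\|\.tmp$", re.IGNORECASE)
# Windows never registers its own core binaries as Run-key autostarts;
# a value named after one (e.g. "Regedit32") is a classic disguise.
SYSTOOL_RE = re.compile(r"regedit|svchost|lsass|services|winlogon|csrss", re.IGNORECASE)


def classify(line):
    """Return a list of (severity, reason) findings for one HijackThis log line."""
    line = line.rstrip()
    findings = []

    m = RUN_RE.match(line)
    if m:
        hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
        if TEMP_RE.search(cmd):
            findings.append(("high", "autostart launched from a temp directory"))
        if hive.upper().startswith("HKUS\\S-1-5-18") or "(User 'SYSTEM')" in cmd:
            findings.append(("medium", "Run value in the SYSTEM account's hive"))
        if SYSTOOL_RE.search(name):
            findings.append(("medium", "Run value named after a Windows system binary"))

    m = STARTUP_RE.match(line)
    if m:
        target = m.group("target")
        # Legitimate Startup-folder items are shortcuts, listed as "X.lnk = <path>";
        # a bare executable name means a loose binary was dropped into the folder.
        if " = " not in target and target.lower().endswith(".exe"):
            findings.append(("high", "loose executable in the Startup folder"))
        elif TEMP_RE.search(target):
            findings.append(("high", "Startup shortcut points into a temp directory"))

    if line.startswith("O20 - AppInit_DLLs:"):
        findings.append(("medium", "AppInit_DLLs: DLL loaded into every process that uses user32.dll"))

    if line.endswith("(no file)"):
        findings.append(("low", "orphaned entry: registered target no longer exists"))

    return findings


def triage(log_text):
    """Run classify() over a whole log; returns [(severity, line, reason), ...], highest first."""
    results = []
    for line in log_text.splitlines():
        for severity, reason in classify(line):
            results.append((severity, line.strip(), reason))
    order = {"high": 0, "medium": 1, "low": 2}
    results.sort(key=lambda r: order[r[0]])  # stable: keeps log order within a severity
    return results


# Constructed sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [photo_id] C:\WINDOWS\TEMP\~TM7F.tmp
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - Startup: algqeh32.exe
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Kevin Kennedy\Application Data\Dropbox\bin\Dropbox.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
"""

if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

    Run it as a plain script and it prints the flagged lines by severity. Treat the output as a triage list, not a verdict: the medium on Google Toolbar Notifier under S-1-5-18 is noise, whereas a .tmp under C:\WINDOWS\TEMP in HKCU\Run and a bare algqeh32.exe sitting in the Startup folder are the two entries to pull first.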


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    hi

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [screenshot: RcAuto1.gif]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [screenshot: whatnext.png]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


  • Registered Users Posts: 2,505 ✭✭✭irlirishkev


    Right.. Ran combofix.. pc reloaded, and it booted back up, and so far hasn't tried to shut down again.. here's the log..



    ComboFix 09-12-01.01 - Kevin Kennedy 01/12/2009 23:57.1.1 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.480 [GMT 0:00]
    Running from: c:\documents and settings\Kevin Kennedy\My Documents\Downloads\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Kevin Kennedy\My Documents\ZbThumbnail.info
    C:\LOG.TXT
    c:\windows\kb913800.exe
    c:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd
    c:\windows\system32\config\systemprofile\photo_id.exe
    c:\windows\system32\twain_32.dll

    Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys

    .
    ((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
    .

    2009-12-01 20:11 . 2009-12-01 20:12 d-----w- C:\Rooter$
    2009-12-01 20:09 . 2009-12-01 20:09 d-----w- c:\program files\Trend Micro
    2009-12-01 19:49 . 2009-12-01 19:49 d-----w- c:\program files\ERUNT
    2009-11-29 14:49 . 2009-11-29 14:49 d-----w- c:\documents and settings\Kevin Kennedy\Application Data\Malwarebytes
    2009-11-29 14:49 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-29 14:49 . 2009-11-29 14:49 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-29 14:49 . 2009-11-29 14:49 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-11-29 14:49 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-25 18:35 . 2009-11-05 19:20 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
    2009-11-25 18:35 . 2009-11-03 19:05 3513624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
    2009-11-25 18:35 . 2009-11-03 19:05 2028312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
    2009-11-21 17:26 . 2009-11-21 17:26 d-----w- c:\documents and settings\Kevin Kennedy\Local Settings\Application Data\Ashampoo Movie Shrink & Burn 3
    2009-11-21 17:26 . 2009-11-21 17:26 d-----w- c:\documents and settings\Kevin Kennedy\Local Settings\Application Data\ashampoo
    2009-11-21 17:26 . 2009-11-21 17:26 d-----w- c:\documents and settings\All Users\Application Data\ashampoo
    2009-11-11 21:57 . 2009-11-11 21:57 152576 ----a-w- c:\documents and settings\Kevin Kennedy\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2009-11-11 21:55 . 2009-11-11 21:55 79488 ----a-w- c:\documents and settings\Kevin Kennedy\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2009-11-09 21:35 . 2009-11-09 21:35 d-----w- c:\program files\TomTom International B.V

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-02 00:11 . 2007-05-15 22:12 d-----w- c:\documents and settings\All Users\Application Data\Kontiki
    2009-12-02 00:05 . 2009-07-11 16:03 d-----w- c:\documents and settings\Kevin Kennedy\Application Data\Dropbox
    2009-12-01 23:53 . 2008-05-10 11:52 d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-12-01 21:13 . 2008-12-17 22:30 d-----w- c:\documents and settings\Kevin Kennedy\Application Data\Cabbage
    2009-12-01 19:57 . 2008-01-02 20:26 d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-11-29 16:33 . 2007-06-06 21:43 d-----w- c:\program files\Oront Burning Kit 2
    2009-11-28 13:00 . 2009-11-28 13:00 12 ----a-w- c:\windows\system32\config\systemprofile\Application Data\cbqozg.dat
    2009-11-28 13:00 . 2009-11-28 13:00 4 ----a-w- c:\documents and settings\Kevin Kennedy\Application Data\avdrn.dat
    2009-11-25 20:16 . 2006-07-27 22:03 d-----w- c:\documents and settings\Kevin Kennedy\Application Data\Azureus
    2009-11-21 17:16 . 2009-10-18 17:55 d-----w- c:\program files\bitRipper
    2009-11-11 21:58 . 2006-01-03 14:36 d-----w- c:\program files\Java
    2009-11-09 21:34 . 2009-01-04 17:25 d-----w- c:\program files\TomTom HOME 2
    2009-10-27 21:24 . 2009-10-27 21:24 d-----w- c:\program files\SystemRequirementsLab
    2009-10-27 21:24 . 2009-10-27 21:24 247296 ----a-w- c:\documents and settings\Kevin Kennedy\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_9_0_d_ind.dll
    2009-10-27 21:24 . 2009-10-27 21:24 247296 ----a-w- c:\documents and settings\Kevin Kennedy\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_9_0_c_ind.dll
    2009-10-27 21:24 . 2009-10-27 21:24 247296 ----a-w- c:\documents and settings\Kevin Kennedy\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_9_0_b_ind.dll
    2009-10-27 21:24 . 2009-10-27 21:24 247296 ----a-w- c:\documents and settings\Kevin Kennedy\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_9_0_a_ind.dll
    2009-10-27 21:24 . 2009-10-27 21:24 d-----w- c:\documents and settings\Kevin Kennedy\Application Data\SystemRequirementsLab
    2009-10-25 20:40 . 2009-10-25 20:39 d-----w- c:\program files\Flickr Uploadr
    2009-10-25 20:40 . 2009-10-25 20:40 d-----w- c:\documents and settings\Kevin Kennedy\Application Data\Flickr
    2009-10-21 15:58 . 2006-03-10 08:50 d-----w- c:\program files\DivX
    2009-10-21 15:57 . 2009-08-22 13:27 d-----w- c:\program files\Common Files\DivX Shared
    2009-10-20 20:25 . 2009-10-20 20:25 d-----w- c:\program files\AC3Filter
    2009-10-20 18:05 . 2009-10-20 18:05 d-----w- c:\program files\Digiarty
    2009-10-18 17:44 . 2009-10-18 17:44 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys
    2009-10-18 17:44 . 2009-10-18 17:44 d-----w- c:\program files\dvd43
    2009-10-11 04:17 . 2008-11-09 02:57 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-10-03 14:10 . 2008-12-17 22:30 d-----w- c:\documents and settings\Kevin Kennedy\Application Data\Cabbage backup
    2009-10-03 14:10 . 2007-12-16 17:39 d-----w- c:\program files\Cabbage
    2009-09-28 18:44 . 2009-09-28 18:44 1961720 ----a-w- c:\documents and settings\Kevin Kennedy\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
    2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
    2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
    2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
    2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
    2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
    2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
    2009-09-11 14:18 . 2005-08-16 04:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-04 21:03 . 2005-08-16 04:18 58880 ----a-w- c:\windows\system32\msasn1.dll
    2007-10-03 22:00 . 2007-10-03 22:00 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2007-09-09 22:52 . 2007-09-09 22:52 56 -csh--r- c:\windows\system32\68476A0ACF.sys
    2006-01-22 23:24 . 2006-01-22 23:22 56 -csh--r- c:\windows\system32\9410C76E0C.sys
    2007-09-09 22:52 . 2007-09-09 22:52 1682 -csha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Kevin Kennedy\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Kevin Kennedy\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Kevin Kennedy\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    "Google Update"="c:\documents and settings\Kevin Kennedy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-01 133104]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-27 247144]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-25 68856]
    "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-25 2029336]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
    "HostManager"="c:\program files\Common Files\AOL\1138468275\ee\AOLSoftware.exe" [2006-05-10 50760]
    "dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-06 827904]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
    "AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-25 68856]

    c:\documents and settings\Kevin Kennedy\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\documents and settings\Kevin Kennedy\Application Data\Dropbox\bin\Dropbox.exe [2009-9-2 26784939]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-3 24576]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 16:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-20 18:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1138468275\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1138468275\\ee\\aim6.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Azureus\\Azureus.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Program Files\\TomTom HOME 2\\xulrunner\\HOMERuntime.exe"=
    "c:\\Program Files\\TomTom HOME 2\\xulrunner\\TomTomHOMERuntime.exe"=
    "c:\\Documents and Settings\\Kevin Kennedy\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/05/2008 11:53 335240]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/05/2008 11:53 108552]
    R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [04/07/2008 19:36 908056]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [04/07/2008 19:36 297752]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [27/08/2009 15:05 92008]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/01/2007 22:33 24652]
    S3 ES-620;Edisonsoft ES-620 USB Infrared Adapter;c:\windows\system32\drivers\ES-620.sys [26/08/2006 17:03 29076]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2009-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2130270148-1381328813-2222130153-1005Core.job
    - c:\documents and settings\Kevin Kennedy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-01 17:03]

    2009-12-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2130270148-1381328813-2222130153-1005UA.job
    - c:\documents and settings\Kevin Kennedy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-01 17:03]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.elvisnews.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://www.euro.dell.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
    HKCU-Run-Skype - c:\program files\Skype\Phone\Skype.exe
    HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
    HKCU-Run-DellSupport - c:\program files\DellSupport\DSAgnt.exe
    HKLM-Run-Sony Ericsson PC Suite - c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    HKLM-Run-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
    HKLM-Run-DVDLauncher - c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
    HKLM-Run-dscactivate - c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
    HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
    AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
    AddRemove-{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD} - c:\program files\Apoint\Uninstap.exe ADDREMOVE



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-02 00:06
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    LOCKED REGISTRY KEYS

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3782D402-1413-2B4D-D5B93EB7648B29D4}\{9536055C-1E13-65AB-BABDBD84391B7DD3}\{70487E18-04C4-4686-6F59FE851A688CA9}*]
    "526BA65ZPQS4U365YNAELLJ5XA1"=hex:01,00,01,00,00,00,00,00,50,bd,9f,8a,7e,a0,d0,
    fa,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{40886FA5-87BC-FDA7-0C1FAC01C243999B}\{19E564B2-522B-7AA8-1ACCCD0705265332}\{1F2DE655-6E2E-2DD5-8638E8D01A513D14}*]
    "1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
    fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'winlogon.exe'(828)
    c:\program files\Intel\Wireless\Bin\LgNotify.dll

    - - - - - - - > 'explorer.exe'(3448)
    c:\windows\system32\WININET.dll
    c:\documents and settings\Kevin Kennedy\Application Data\Dropbox\bin\DropboxExt.3.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mshtml.dll
    c:\windows\system32\msls31.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
    c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
    c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\WLKeeper.exe
    c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
    c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTsvcCDA.EXE
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Kontiki\KService.exe
    c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\progra~1\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\AVG\AVG8\avgcsrvx.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\eHome\ehmsas.exe
    c:\program files\Apoint\Apntex.exe
    c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\dllhost.exe
    c:\program files\PC Connectivity Solution\ServiceLayer.exe
    .
    **************************************************************************
    .
    Completion time: 2009-12-02 00:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-12-02 00:13

    Pre-Run: 22,405,574,656 bytes free
    Post-Run: 21,299,617,792 bytes free

    - - End Of File - - A9AF3823338993B89186F26165E9A3EB


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    hi

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.




    Please download Malwarebytes' Anti-Malware from Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.






    Go to Kaspersky website and perform an online antivirus scan.
    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


    Registered Users Posts: 2,505 ✭✭✭irlirishkev


      Hi,

      Kaspersky won't run.. my pc doesn't meet the requirements.
      Here are the results from the malware log..
      Malwarebytes' Anti-Malware 1.41
      Database version: 3280
      Windows 5.1.2600 Service Pack 3

      02/12/2009 19:44:05
      mbam-log-2009-12-02 (19-44-05).txt

      Scan type: Quick Scan
      Objects scanned: 117300
      Time elapsed: 10 minute(s), 9 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)


    Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      try this instead

      Please click here to download AVP Tool by Kaspersky.
      • Save it to your desktop.
      • Reboot your computer into SafeMode.
        You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
        Use your up arrow key to highlight SafeMode then hit enter.
      • Double click the setup file to run it.
      • Click Next to continue.
      • It will by default install it to your desktop folder. Click Next.
      • Hit OK at the prompt for scanning in Safe Mode.
      • It will then open a box. There will be a tab that says Automatic scan.
      • Under Automatic scan make sure these are checked.

        • System Memory
        • Startup Objects
        • Disk Boot Sectors
        • My Computer
        • Also any other (removable) drives that you may have

        After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
        Then choose OK again then you are back to the main screen.
        • Then click on Scan at the top right hand corner.
        • It will automatically Neutralize any objects found.
        • If some objects are left un-neutralized then click the button that says Neutralize all.
        • If it says it cannot be Neutralized then choose the delete option when prompted.
        • After that is done click on the reports button at the bottom and save it to file, naming it Kas.
        • Save it somewhere convenient like your desktop and just post only the detected virus\malware in the report. It will be at the very top under Detected. Post those results in your next reply.

          Note: This tool will self uninstall when you close it so please save the log before closing it.


      • Registered Users Posts: 2,505 ✭✭✭irlirishkev


        Hi,

        There was no way to save the results of the scan. It was displayed in a window that didn't give me the option. It did find a whole bunch of trojans though, all of which were cleaned.

        My AVG keeps throwing up a threat message (though not since I ran the Kaspersky scan, but I'm still in safe mode). The threat detected is c:\windows\system32\svchost.exe. Don't know if that means anything to you.


      • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


        don't fix that

        Download OTL to your Desktop
        • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
        • Under the Custom Scan box paste this in:

          netsvcs
          msconfig
          safebootminimal
          safebootnetwork
          activex
          drivers32
          %SYSTEMDRIVE%\*.exe
          /md5start
          eventlog.dll
          scecli.dll
          netlogon.dll
          cngaudit.dll
          sceclt.dll
          ntelogon.dll
          logevent.dll
          iaStor.sys
          nvstor.sys
          atapi.sys
          IdeChnDr.sys
          viasraid.sys
          AGP440.sys
          vaxscsi.sys
          nvatabus.sys
          viamraid.sys
          nvata.sys
          nvgts.sys
          iastorv.sys
          ViPrt.sys
          eNetHook.dll
          explorer.exe
          svchost.exe
          userinit.exe
          qmgr.dll
          ws2_32.dll
          proquota.exe
          imm32.dll
          kernel32.dll
          ndis.sys
          autochk.exe
          spoolsv.exe
          xmlprov.dll
          ntmssvc.dll
          mswsock.dll
          Beep.SYS
          ntfs.sys
          termsrv.dll
          sfcfiles.dll
          st3shark.sys
          ahcix86.sys
          srsvc.dll
          logonui.exe
          KR10N.sys
          mspmsnsv.dll
          comres.dll
          msgsvc.dll
          /md5stop
          %systemroot%\*. /mp /s
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


        • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
        • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
        • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time.
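The /md5start ... /md5stop section of that custom scan makes OTL hash every copy of the listed system files so a helper can spot one that has been patched (a system32 driver whose MD5 differs from the copy in dllcache, for example). As an added example, not OTL's code and not from this thread, here is a Python script that reads such a block, hashes every copy of each listed file under a root directory and reports the names whose copies disagree; the directory tree, file contents and helper names are constructed for the demo.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

def parse_md5_list(script_text):
    """Hypothetical helper (not OTL's): names between /md5start and /md5stop."""
    names, inside = [], False
    for raw in script_text.splitlines():
        line = raw.strip()
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside and line:
            names.append(line.lower())
    return names

def md5_of(path):
    h = hashlib.md5()  # MD5 because that is what OTL reports, not for integrity proofs
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_copies(root, names):
    """Map each listed name to {path: md5} for every copy found under root."""
    wanted, found = set(names), defaultdict(dict)
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                path = os.path.join(dirpath, fn)
                found[fn.lower()][path] = md5_of(path)
    return found

def disagreeing(found):
    """Names whose copies do not all share one MD5, e.g. system32 vs. dllcache."""
    return sorted(n for n, copies in found.items() if len(set(copies.values())) > 1)

def demo():
    """Constructed sample tree: only atapi.sys differs between system32 and dllcache."""
    script = "/md5start\natapi.sys\nexplorer.exe\nsvchost.exe\n/md5stop\n"
    with tempfile.TemporaryDirectory() as root:
        sys32, cache = Path(root, "system32"), Path(root, "system32", "dllcache")
        cache.mkdir(parents=True)
        for name, a, b in [("atapi.sys", b"clean", b"patched"), ("explorer.exe", b"same", b"same")]:
            (sys32 / name).write_bytes(a)
            (cache / name).write_bytes(b)
        return disagreeing(hash_copies(root, parse_md5_list(script)))  # → ['atapi.sys']
```

A real run would point hash_copies at the Windows directory and compare each reported MD5 against a known-good copy, which is exactly the comparison a helper reading the OTL report does by hand.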

