Post by: indfin on May 06, 2009, 10:30:59 PM
Twice over the past week this laptop has shut down with a "fatal error" message on a blue screen. It restarts fine, but with a rundll.error. So I wanted to get help before anything major happened.
I ran hijack this, but that too gave an error message when installing/generating the log. Thank you for your help.
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:12 PM, on 5/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1071009
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 (http://\"http://go.microsoft.com/fwlink/?LinkId=74005\")
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {b1d537f8-62a7-4889-ab27-27169dfda468} - C:\WINDOWS\system32\yuwegiju.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [sakenesenu] Rundll32.exe "C:\WINDOWS\system32\domasuro.dll",s
O4 - HKCU\..\Run: [pidle] "C:\Documents and Settings\Harit\Application Data\pidle\pidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'vwlsp.dll' missing
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab (http://\"http://dl.tvunetworks.com/TVUAx.cab\")
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab (http://\"http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab\")
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wxvault.dll,C:\WINDOWS\system32\dizigiro.dll,C:\WINDOWS\system32\yuhisona.dll,C:\WINDOWS\system32\temomelo.dll,C:\WINDOWS\system32\rafomife.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 7199 bytes
Post by: guestolo on May 06, 2009, 11:31:31 PM
Download ComboFix from one of these locations:
[color=\"#0000FF\"]Link 1[/color] (http://\"http://download.bleepingcomputer.com/sUBs/ComboFix.exe\")
[color=\"#0000FF\"]Link 2[/color] (http://\"http://subs.geekstogo.com/ComboFix.exe\")
- If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
- During the download, rename Combofix to Combo-Fix as follows:
(http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif)
- * It is important you rename Combofix during the download, but not after.
* Please do not rename Combofix to other names, but only to the one indicated.
SAVE IT ONLY TO YOUR DESKTOP
--------------------------------------------------------------------
[color=\"#2E8B57\"]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with some tools[/color]
Please open the AVG 8 Control Center, by right clicking on the AVG 8 icon on task bar.
* Click on Tools.
* Select Advanced.
* In the left hand pane, scroll down to "Resident Shield".
* In the main pane, deselect the option to "Enable Resident Shield."
We will reenable this protection later
- Double click on Combo-Fix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
[color=\"#2e8b57\"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
[/color]
(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v706/ried7/whatnext.png)
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. C:\Combo-Fix.txt
I'll need to see that log later
Afterwards: Do the following
Go to [color=\"#FF0000\"]Kaspersky website[/color] (http://\"http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.kaspersky.com%2Fkos%2Feng%2Fpartner%2Fdefault%2Fkavwebscan.html\") and perform an online antivirus scan.
1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
[color=\"#FF0000\"]Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases[/color]
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
Please include all the following in your next reply
1. The report from Kaspersky's
2. The log from Combo-Fix
3. Run a fresh scan and save logfile with Hijackthis and post it
Ensure to reenable your protection with AVG
Post by: indfin on May 07, 2009, 11:45:32 AM
________________________________________________________________________________
_______________________
Combo-Fix Log:
ComboFix 09-05-06.05 - Harit 05/07/2009 3:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.442 [GMT -4:00]
Running from: c:\documents and settings\Harit\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Harit\Application Data\pidle
c:\documents and settings\Harit\Application Data\pidle\pidle.exe
c:\documents and settings\Harit\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\biwifasi.dll
c:\windows\system32\darususi.dll
c:\windows\system32\domasuro.dll
c:\windows\system32\drivers\ovfsthexusiwqvdlyhiicxgomqmbexnsetetrp.sys
c:\windows\system32\drivers\ovfsthucttddxpjkosuruvvhpimvkepvcposky.sys
c:\windows\system32\figovafa.dll
c:\windows\system32\fulenoba.dll
c:\windows\system32\gerogije.dll
c:\windows\system32\mavapovi.dll
c:\windows\system32\ovfsthfhqpxrwibapfldperevpwwseeqmmfavm.dll
c:\windows\system32\pidokobo.dll
c:\windows\system32\prnet.tmp
c:\windows\system32\putevama.exe
c:\windows\system32\reguligu.dll
c:\windows\system32\rohitelu.dll
c:\windows\system32\sokodewu.dll
c:\windows\system32\tadezuzu.dll
c:\windows\system32\towemiye.dll
c:\windows\system32\yopopanu.exe
c:\windows\system32\yuwegiju.dll
c:\windows\system32\zosemijo.exe
----- BITS: Possible infected sites -----
hxxp://62.4.83.201
.
((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
.
2009-05-07 05:19 . 2009-05-07 05:19 -------- d-----w c:\program files\SopCast
2009-04-23 21:38 . 2009-04-23 20:08 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-23 20:09 . 2009-04-23 20:08 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-23 20:01 . 2009-04-23 20:01 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-23 18:59 . 2009-04-23 18:59 -------- d-----w c:\documents and settings\All Users\Application Data\TVU Networks
2009-04-23 18:15 . 2009-04-23 18:15 -------- d-----w c:\documents and settings\Harit\Application Data\TVU networks
2009-04-23 18:15 . 2009-04-23 18:15 -------- d-----w c:\documents and settings\Harit\LocalLow
2009-04-23 18:15 . 2009-04-23 18:15 -------- d-----w c:\documents and settings\Harit\Local Settings\Application Data\TVU Networks
2009-04-20 03:12 . 2009-04-20 03:12 -------- d-----w c:\documents and settings\XXX\Application Data\TeamViewer
2009-04-20 03:12 . 2009-04-20 03:12 -------- d-----w c:\program files\TeamViewer
2009-04-20 03:11 . 2009-04-20 03:11 -------- d-----w c:\documents and settings\XXX\temp
2009-04-17 03:15 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-17 03:15 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-17 03:15 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 03:15 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-17 03:15 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 03:15 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 03:15 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 03:15 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 03:15 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 03:15 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 03:11 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 03:11 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 22:02 . 2008-01-13 21:51 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-23 20:00 . 2008-01-13 20:42 -------- d-----w c:\program files\Lavasoft
2009-04-23 18:59 . 2008-01-18 06:07 -------- d-----w c:\program files\TVUPlayer
2009-03-06 14:22 . 2004-08-11 22:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-11 22:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-11 22:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-11 22:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-11 22:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-11 22:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-11 22:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-11 22:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-11 22:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-11 22:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-11 22:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-04-28 17:24 . 2008-04-28 17:24 9722720 ----a-w c:\program files\spybotsd152.exe
2009-01-30 00:55 . 2009-01-30 00:55 60416 --sha-w c:\windows\system32\gulodedo.exe
2009-01-29 09:19 . 2009-01-29 09:19 59904 --sha-w c:\windows\system32\lotonene.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-02 23:26 10520 ----a-w c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/23/2009 4:09 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/2/2008 2:07 PM 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/2/2008 2:07 PM 107272]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/31/2008 3:16 PM 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/31/2008 3:16 PM 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 953168]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 6:00 PM 5120]
S3 SNDFCAM;Philips FunCam;c:\windows\system32\drivers\sndfcam.sys [2/22/2009 5:58 PM 219008]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\zteusbser.sys [7/27/2008 4:37 AM 100480]
.
Contents of the 'Scheduled Tasks' folder
2009-04-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:08]
2009-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
- - - - ORPHANS REMOVED - - - -
BHO-{b1d537f8-62a7-4889-ab27-27169dfda468} - c:\windows\system32\yuwegiju.dll
HKCU-Run-pidle - c:\documents and settings\Harit\Application Data\pidle\pidle.exe
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\biolsp.dll
FF - ProfilePath - c:\documents and settings\Harit\Application Data\Mozilla\Firefox\Profiles\fk1ojsxc.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Harit\Application Data\Mozilla\Firefox\Profiles\fk1ojsxc.default\extensions\[email protected]\plugins\npTVUAx.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2009-05-07 03:19
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(840)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
- - - - - - - > 'explorer.exe'(3496)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-05-07 3:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-07 07:22
Pre-Run: 43,026,960,384 bytes free
Post-Run: 43,214,217,216 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
209 --- E O F --- 2009-04-17 04:26
________________________________________________________________________________
_______________________________
As I mentioned in my initial post, HijackThis gives an error message when I run it. If it matters, the Error Message is:
mod-Registery_IniGetString(sFile=system.ini, sSection=boot, sValue=Shell)
Error#5 - Invalid Procedure or Argument
HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:37 PM, on 5/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1071009
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 (http://\"http://go.microsoft.com/fwlink/?LinkId=74005\")
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab (http://\"http://dl.tvunetworks.com/TVUAx.cab\")
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab (http://\"http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab\")
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\wxvault.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 7041 bytes
Thank You.
Post by: guestolo on May 08, 2009, 09:07:25 AM
Double Click on ATF-Cleaner.exe to Run it
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache
The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit from the Main menu
download Malwarebytes' Anti-Malware from Here (http://\"http://www.besttechie.net/tools/mbam-setup.exe\") or Here (http://\"http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html\")
Save the installer to desktop
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to [color=\"#006400\"]Update Malwarebytes' Anti-Malware[/color] and [color=\"#006400\"]Launch Malwarebytes' Anti-Malware[/color], then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
Post by: indfin on May 08, 2009, 11:52:40 AM
Ran ATF and MBAM.
MBAM Log:
Malwarebytes' Anti-Malware 1.36
Database version: 2094
Windows 5.1.2600 Service Pack 3
5/8/2009 12:39:28 PM
mbam-log-2009-05-08 (12-39-28).txt
Scan type: Quick Scan
Objects scanned: 95561
Time elapsed: 4 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
__________________________________________________________________________
Thanks.
Post by: guestolo on May 09, 2009, 01:26:09 PM
supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents
In addition:
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
go to this link
http://www.virustotal.com/flash/index_en.html (http://\"http://www.virustotal.com/flash/index_en.html\")
Browse to the file
c:\windows\system32\gulodedo.exe
Right click and select it
Then use the SEND FILE button
Let it finish scanning
Could you post back the results this scan back here please
Or better yet, just link to the results page
Do the same for the next file
c:\windows\system32\lotonene.exe
One last step:
Please download [color=\"blue\"]DirLook[/color] by jpshortstuff from one of the following mirrors:
[color=\"red\"]Link 1[/color] (http://\"http://jpshortstuff.247fixes.com/DirLook.exe\")
[color=\"red\"]Link 2[/color] (http://\"http://images.malwareremoval.com/jpshortstuff/DirLook.exe\")
[color=\"red\"]Link 3[/color] (http://\"http://downloads.securitycadets.com/DirLook.exe\")
- Double-click DirLook.exe to run it (Vista Users should right-click and select Run As Administrator...).
- Ensure that Show Hidden Files/Folders and BBCode Ouput are both checked.
- Copy the content of the following codebox into the main textfield:
Code: [Select]
c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}- Click the DirLook button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\DirLook.txt)
Post by: indfin on May 09, 2009, 02:13:19 PM
First, below is the HijackThis Uninstall Manager Log:
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Ad-Aware
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
AIM 6
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
AVG Free 8.5
biolsp patch
Bluetooth Stack for Windows by Toshiba
Bonjour
Broadcom Advanced Control Suite
Broadcom TPM Driver Installer
CCScore
Conexant HDA D110 MDC V.92 Modem
Creative@Home
Critical Update for Windows Media Player 11 (KB959772)
Dell Embassy Trust Suite by Wave Systems
Dell Resource CD
Digital Line Detect
Document Manager Lite
EMBASSY Security Center
EMBASSY Security Setup
EMBASSY Trust Suite by Wave Systems
ESC Home Page Plugin
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSTOOLS
essvatgt
ETS Upgrade
foobar2000 v0.9.5
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB945060-v3)
Hotfix for Windows XP (KB952287)
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless Software
iTunes
Java(tm) 6 Update 6
Kodak EasyShare software
LimeWire 4.16.6
Malwarebytes' Anti-Malware
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word 2007
Microsoft Office Word 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Modem Helper
Mozilla Firefox (3.0.10)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mWMI
mXML
mZConfig
netbrdg
NetWaiting
NTRU TCG Software Stack
NVIDIA Drivers
O2Micro USB Smart Card Reader
OfotoXMI
P2P Tv Plugin
Philips FunCam
PowerDVD
Preboot Manager
Private Information Manager
QuickSet
QuickTime
RealPlayer
SearchAssist
Secure Update
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB960003)
Security Update for 2007 Microsoft Office System (KB960003)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB959997)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Wizards
SFR
SHASTA
skin0001
SKINXSDK
SopCast 3.0.3
Spybot - Search & Destroy
staticcr
TeamViewer 4
tooltips
TVUPlayer 2.4.5.1
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Outlook 2007 Junk Email Filter (kb968503)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
upekmsi
URL Assistant
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VPRINTOL
Wave Infrastructure Installer
Wave Support Software
Winamp
Windows Driver Package - Dell Inc. PBADRV System (09/25/2006 6.0.0.0)
Windows Driver Package - O2Micro (guardian2) SmartCardReader (02/05/2007 1.1.3.7)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WIRELESS
ZTE CDMA1X MODEM
________________________________________________________________________________
________
There are no files called gulodedo.exe or lotonene.exe in c:\windows\system32. So I couldn't do the subsequent steps.
Finally, when I tried to run DirLook.exe, the following message appeared in the black window:
"This tool has been deprecated in favour of SystemLook.
If you were advised to run this by a Forum Helper please inform them, otherwise have a nice day
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />Press any ket to continue......."
After I pressed any key, the black window went away and nothing happened.
That's it for now.
Post by: guestolo on May 09, 2009, 02:26:19 PM
[color=\"blue\"]Download Mirror #1[/color] (http://\"http://jpshortstuff.247fixes.com/SystemLook.exe\")
[color=\"blue\"]Download Mirror #2[/color] (http://\"http://images.malwareremoval.com/jpshortstuff/SystemLook.exe\")[/b]
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:Code: [Select]
:dir
c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
:file
c:\windows\system32\gulodedo.exe
c:\windows\system32\lotonene.exe - Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Post by: indfin on May 09, 2009, 02:32:08 PM
Log created at 15:31 on 09/05/2009 by Harit (Administrator - Elevation successful)
========== dir ==========
c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} - Parameters: "(none)"
---Files---
Ad-AwareAE.dat --a--c 493 bytes [20:01 23/04/2009] [20:03 23/04/2009]
Ad-AwareAE.exe --a--c 2902048 bytes [20:01 23/04/2009] [08:17 12/03/2009]
Ad-AwareAE.lan --a--c 9 bytes [20:01 23/04/2009] [20:01 23/04/2009]
Ad-AwareAE.msi --a--c 1802240 bytes [20:01 23/04/2009] [08:17 12/03/2009]
Ad-AwareAE.par --a--c 9320 bytes [20:01 23/04/2009] [20:01 23/04/2009]
Ad-AwareAE.res --a--c 5115615 bytes [20:01 23/04/2009] [08:17 12/03/2009]
instance.dat --a--c 90 bytes [20:01 23/04/2009] [20:01 23/04/2009]
mia.lib --a--c 578782 bytes [20:01 23/04/2009] [08:17 12/03/2009]
---Folders---
None found.
========== file ==========
c:\windows\system32\gulodedo.exe - Unable to find/read file.
c:\windows\system32\lotonene.exe - Unable to find/read file.
-=End Of File=-
Post by: guestolo on May 09, 2009, 02:39:30 PM
But just to make sure, can you do the following
Download [color=\"blue\"]OTMoveIt3.exe[/color] (http://\"http://download.bleepingcomputer.com/oldtimer/OTMoveIt3.exe\") by OldTimer:
- Save it to your desktop.
- Double click on OTMoveit3.exe on desktop and Run it
- Copy the entries below in BLUE to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
================================================
[color=\"#0000FF\"]
:Files
c:\windows\system32\gulodedo.exe
c:\windows\system32\lotonene.exe[/color]
====================================================== - Return to OTMoveIt3, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
- Click the red "[color=\"red\"]MoveIt![/color]" button.
- Close OTMoveIt when it has completed.
OTMoveIt would of created a log at this location
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <-indicates date_time of log
Post that log please
Post by: indfin on May 09, 2009, 02:47:01 PM
File/Folder c:\windows\system32\gulodedo.exe not found.
File/Folder c:\windows\system32\lotonene.exe not found.
OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05092009_154455
Post by: guestolo on May 09, 2009, 03:13:47 PM
Go to START>>RUN>>
copy and paste the following
[color=\"#FF0000\"]combofix /u[/color]
and press enter
This will uninstall ComboFix and it's components
Manually delete SystemLook and DirLook
Close all browser windows
Access your Add and Remove windows and uninstall the following
It's outdated and insecure
Javaâ„¢ 6 Update 6
Next do the following:
OTMoveit3.exe
- Double-click OTMoveIt3.exe to run it.
- Click the Cleanup! button
A list will be downloaded>>Allow it Internet access if prompted by your Firewall
Don't change anything in this list - Select Yes at the prompt
Wait for the confirmation box to open to reboot the computer
Don't mouseclick during the wait as you may cause the tool to stall - Select Yes to reboot Now
Back in Windows
[color=\"blue\"]Updating Java:[/color]
- Download the latest version of Java Runtime Environment (JRE) 10 (http://\"http://java.sun.com/javase/downloads/index.jsp\").
- Scroll down to where it says "JRE 6 Update 13".
- Click the "Download" button to the right.
- In the Window that opens, select Windows, beside Platform:>>Check the "agree" box and click Continue.
- Click on the link to download Windows Offline Installation and save to your desktop.
- Then from your desktop double-click on jre-6u13-windows-i586-p.exe that you downloaded to install the newest version.
Post by: indfin on May 09, 2009, 03:47:40 PM
One question: At start up, how do I get rid of the Windows Recovery Console option -- or should I let it be?
Post by: guestolo on May 09, 2009, 03:55:55 PM
If you would like to remove it, let me know
But basically, this is what the Recovery Console is,
Quote
The Recovery Console is a feature of the Windows 2000, Windows XP and Windows Server 2003 operating systems. It provides the means for administrators to perform a limited range of tasks using a command line interface. Its primary function is to enable administrators to recover from situations where Windows does not boot as far as presenting its graphical user interface.
Post by: indfin on May 09, 2009, 04:00:23 PM
Thanks a ton for your help. And it is not necessary for you to answer this, but what was the problem? Why did the blue screen show up? Was it some virus?
Post by: guestolo on May 09, 2009, 04:06:20 PM
I'll leave this topic open for a couple days, give you a chance to see how things are really running
If I don't hear back from you then I'll lock this topic
Or even if you want to pop back in after a couple days and let me know how things are still running
why not
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
Post by: indfin on May 09, 2009, 04:13:12 PM