Red X for HDD, multiple pos files

May 18, 2009 at 09:51:15
Specs: Microsoft Windows XP Home Edition, 2.5 GHz / 512 MB
Hello,

My PC has been infected and I've noticed that there are many files titled pos followed by three characters. Also, the icon for the HDD has been replaced by a red X. Some of the core Windows files have probably been corrupted/deleted, as when I restart the PC there is a message requesting to insert the Windows XP installation disk.

I appreciate any assistance with this. Thanks in advance.



#1
May 18, 2009 at 10:03:51
Hi,
Can you please post your AVZ log:

1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.

Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.


#2
May 19, 2009 at 08:44:49
Hi neoark,

Thanks for the response. I tried to post this earlier but the site wasn't working. Here's the link:

http://rapidshare.com/files/2345432...

Thanks for your help.



#3
May 19, 2009 at 11:08:03
Run this script in AVZ; your computer will reboot:


begin
  SetAVZGuardStatus(True);
  SearchRootkit(true, true);
  DelBHO('{E8E1ADAF-A13D-49D0-BCBB-1D9CD808B62E}');
  QuarantineFile('C:\WINDOWS\system32\jkhff.dll','');
  QuarantineFile('robsmmps.dll','');
  QuarantineFile('C:\WINDOWS\system32\jkhff.exe','');
  QuarantineFile('C:\WINDOWS\system32\drivers\qmkzpwlz.sys','');
  DeleteFile('C:\WINDOWS\system32\drivers\qmkzpwlz.sys');
  DeleteFile('C:\WINDOWS\system32\jkhff.exe');
  DeleteFile('robsmmps.dll');
  DeleteFile('C:\WINDOWS\system32\jkhff.dll');
  BC_ImportAll;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
end.

After your computer reboots:

Attach a ComboFix log; please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post.


#4
May 20, 2009 at 06:04:25
Hi,

I ran the script and after the reboot I'm being told that new hardware has been found and am being asked whether to install the software automatically or from a specific location. Should I just go ahead and let it install it (the wizard states "Unknown" for the actual hardware) or cancel it?

I'll leave the pc on at this stage before continuing with the rest of the instructions.



#5
May 20, 2009 at 06:10:30
Try to find the driver automatically. If it can't find it leave it and follow Response Number 3 second part.


#6
May 20, 2009 at 07:50:32
ComboFix 09-05-19.08 - Buzz 20/05/2009 14:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.248 [GMT 1:00]
Running from: c:\documents and settings\Buzz\Desktop\123.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Norton Internet Security *enabled* {E641AC2D-955F-4A05-ABE7-F9C534ABDB46}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dilshad\Desktop\MalwareAlarm.lnk
c:\windows\cookies.ini
c:\windows\system32\chlxqrht.ini
c:\windows\system32\ekgeqeuj.ini
c:\windows\system32\gffmnlyx.ini
c:\windows\system32\iwbwvqep.ini
c:\windows\system32\MabryObj.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\ndrpvtpn.ini
c:\windows\system32\open.ico
c:\windows\system32\painetwk.ini
c:\windows\system32\qttehxsi.ini
c:\windows\system32\riqdxwgi.ini
c:\windows\system32\robsmmps.dllbox
c:\windows\system32\tmqrcjbt.ini
c:\windows\system32\unvxdign.ini
c:\windows\system32\wrtpiqpw.ini
C:\z.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-20 12:18 . 2009-05-20 12:18 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-19 15:35 . 2009-05-19 15:35 -------- d-sh--w c:\documents and settings\Buzz\PrivacIE
2009-05-19 14:50 . 2009-05-19 14:50 -------- d-sh--w c:\documents and settings\Buzz\IETldCache
2009-05-19 14:44 . 2009-05-19 14:44 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-19 14:28 . 2009-05-19 14:31 -------- dc-h--w c:\windows\ie8
2009-05-18 18:18 . 2009-05-18 21:08 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-18 17:35 . 2009-05-18 17:35 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-18 16:09 . 2009-05-18 11:17 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-05-18 11:18 . 2009-05-18 11:17 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-05-18 11:14 . 2009-05-18 11:14 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-18 11:13 . 2009-05-18 11:13 -------- d-----w c:\program files\Lavasoft
2009-05-18 08:19 . 2008-05-15 15:15 53168 ----a-w c:\windows\system32\drivers\MpFilter.sys
2009-05-18 04:45 . 2009-05-18 04:45 -------- d-----w c:\windows\system32\MpEngineStore
2009-05-17 19:30 . 2009-05-17 23:52 -------- d-----w c:\windows\system32\CatRoot_bak
2009-05-17 19:11 . 2008-06-13 13:10 272128 ------w c:\windows\system32\dllcache\bthport.sys
2009-05-17 19:02 . 2009-03-06 14:44 283648 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-17 19:02 . 2005-07-26 04:39 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-05-17 19:02 . 2009-02-06 16:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-05-17 19:02 . 2009-02-09 10:20 399360 ------w c:\windows\system32\dllcache\rpcss.dll
2009-05-17 19:02 . 2009-02-06 17:14 110592 ------w c:\windows\system32\dllcache\services.exe
2009-05-17 19:02 . 2009-02-09 10:20 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-05-17 19:02 . 2009-02-06 16:39 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-17 19:02 . 2009-02-09 10:20 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-17 19:02 . 2009-02-09 10:20 616960 ------w c:\windows\system32\dllcache\advapi32.dll
2009-05-17 19:02 . 2009-02-09 10:20 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-05-17 18:56 . 2008-05-01 14:30 331776 ------w c:\windows\system32\dllcache\msadce.dll
2009-05-17 18:24 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-17 17:35 . 2009-05-18 07:57 -------- d-----w C:\c9db56cd54bb08c0ba7a

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 14:02 . 2003-02-08 10:01 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-20 14:02 . 2003-02-08 10:02 -------- d-----w c:\program files\Norton Internet Security
2009-05-20 12:46 . 2008-02-17 08:40 -------- d-----w c:\program files\Microsoft Windows OneCare Live
2009-05-18 20:41 . 2007-09-17 12:13 -------- d-----w c:\program files\WMR11
2009-05-18 18:18 . 2003-02-23 18:15 101272 ----a-w c:\documents and settings\Buzz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-18 17:40 . 2006-10-29 11:48 -------- d-----w c:\program files\Windows Desktop Search
2009-05-18 17:34 . 2005-05-10 07:12 -------- d-----w c:\program files\Java
2009-05-18 17:21 . 2002-11-13 16:34 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-18 16:45 . 2002-11-13 16:48 -------- d-----w c:\program files\Common Files\Adobe
2009-05-18 11:00 . 2004-10-28 11:32 -------- d-----w c:\program files\SymNetDrv
2009-05-18 11:00 . 2003-02-23 17:39 -------- d-----w c:\program files\Microsoft Works
2009-05-18 11:00 . 2003-02-08 10:01 -------- d-----w c:\program files\Norton AntiVirus
2009-05-18 08:19 . 2007-07-15 16:23 -------- d-----w c:\program files\Windows Defender
2009-05-18 08:00 . 2005-10-26 09:26 -------- d-----w c:\program files\QuickTime
2009-05-17 15:26 . 2008-01-04 10:42 15360 ----a-w c:\windows\system32\ctfmon .exe
2009-03-08 03:34 . 2004-01-08 14:23 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 03:34 . 2002-08-27 11:43 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 03:33 . 2002-08-27 11:43 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 03:33 . 2002-08-27 11:43 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 03:32 . 2002-08-27 11:43 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 03:32 . 2002-08-27 11:43 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 03:31 . 2002-08-27 11:43 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 03:31 . 2002-08-27 11:43 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 03:31 . 2002-08-27 11:43 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 03:22 . 2002-08-27 11:43 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:44 . 2002-08-27 11:43 283648 ----a-w c:\windows\system32\pdh.dll
2007-07-26 19:52 . 2007-09-02 08:53 66408 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-07-26 19:52 . 2007-09-02 08:53 54112 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-07-26 19:52 . 2007-09-02 08:53 34688 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-07-26 19:52 . 2007-09-02 08:53 46456 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-07-26 19:52 . 2007-09-02 08:53 171880 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2005-07-14 06:45 . 2005-07-14 06:45 8 --sh--r c:\windows\system32\4E4DC8ED88.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7744678D-AC4A-484B-B7CD-803E5F521E90}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-18 516440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-18 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
"wave2"= serwvdrv.dll
"wave3"= serwvdrv.dll
"wave4"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\APPS\\ActivSurf\\4448364\\Program\\backWeb-4448364.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\orangebuzz\\rag doll kung fu demo\\Rag_Doll_Kung_Fu_Steam.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [18/05/2009 12:18 64160]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [13/11/2002 17:41 6656]
R1 vcsmpdrv;vcsmpdrv;c:\windows\system32\drivers\vcsmpdrv.sys [13/11/2002 17:44 49232]
R2 nhksrv;Netropa NHK Server;c:\apps\ActivBoard\nhksrv.exe [13/11/2002 17:41 28672]
R2 NISSERV;Norton Internet Security Service;c:\program files\Norton Internet Security\NISSERV.EXE [28/10/2004 12:32 63144]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [22/03/2009 10:59 24936]
R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);c:\program files\Virtual CD v4 SDK\System\vcssecs.exe [13/11/2002 17:44 139264]
R3 STAC97NA;SigmaTel 3D Environmental Audio;c:\windows\system32\drivers\stac97na.sys [01/01/1980 01:00 296179]
R3 STAC97NH;STAC97NH;c:\windows\system32\drivers\stac97nh.sys [01/01/1980 01:00 231983]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 953168]
S3 Simnslas;Simnslas; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 11:17]

2008-02-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2008-02-16 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NAVW32.exe [2004-10-28 10:28]

2003-02-08 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-08-27 07:56]

2003-02-08 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-08-27 07:56]

2009-05-20 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-02-08 16:26]

2009-05-20 c:\windows\Tasks\User_Feed_Synchronization-{96EE00B6-1A4D-488A-BA49-BCA273C7349B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{83C02AD8-4F7C-476A-A781-F95324FC91DF} - (no file)
BHO-{877DDB35-CCA2-4692-8480-96DBD120C405} - (no file)
BHO-{E8E1ADAF-A13D-49D0-BCBB-1D9CD808B62E} - c:\windows\system32\jkhff.dll
HKCU-Run-Steam - (no file)
HKLM-Run-ATIPTA - c:\ati technologies\ATI Control Panel\atiptaxx.exe
HKLM-Run-iamapp - c:\program files\Norton Internet Security\IAMAPP.EXE
HKLM-Run-NAV Agent - c:\progra~1\NORTON~1\navapw32.exe
HKLM-Run-VCSPlayer - c:\program files\Virtual CD v4 SDK\system\vcsplay.exe
HKLM-Run-HPDJ Taskbar Utility - c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe
HKLM-Run-WorksFUD - c:\program files\Microsoft Works\wkfud.exe
HKLM-Run-Microsoft Works Portfolio - c:\program files\Microsoft Works\WksSb.exe
HKLM-Run-Microsoft Works Update Detection - c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
HKLM-Run-BJCFD - c:\program files\BroadJump\Client Foundation\CFD.exe
HKLM-Run-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe
HKLM-Run-HP Component Manager - c:\program files\HP\hpcoretech\hpcmpmgr.exe
HKLM-Run-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
HKLM-Run-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
HKU-Default-Run-CTFMON.EXE - c:\windows\System32\CTFMON.EXE
Notify-robsmmps - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} - hxxp://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
FF - ProfilePath - c:\documents and settings\Buzz\Application Data\Mozilla\Firefox\Profiles\ex3wxvlr.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-20 15:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-83407626-689144389-607913758-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.6166"
"DeviceInstanceIds"=multi:"\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(376)
c:\progra~1\WINDOW~3\wmpband.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\drivers\CDANTSRV.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\Norton Internet Security\NISUM.EXE
c:\windows\system32\ati2evxx.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Norton Internet Security\SYMPROXYSVC.EXE
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2009-05-20 15:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-20 14:27

Pre-Run: 35,470,553,088 bytes free
Post-Run: 35,599,646,720 bytes free

285 --- E O F --- 2009-05-19 07:09
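A ComboFix log like the one above is read by section, and a few lines in it carry most of the signal. As an added example (not code from this thread, nor from the ComboFix or AVZ authors), the Python below parses the log's section headers and pulls out three review items that all occur in this log: Security Center and firewall values that are switched off (the "should I enable the firewall" question later in the thread), orphaned autostart entries whose target file still existed (the jkhff.dll BHO that post #3's script quarantined), and pseudo-random 8-letter .ini names in system32. The embedded excerpt is taken from the log above; the 8-letter heuristic and the list of tamper rules are this example's own assumptions, and any of those registry values can also be set by a legitimate third-party suite, so they are review items rather than verdicts.

```python
"""Triage helper for a ComboFix log (example code written for this page; not
part of ComboFix, AVZ or any tool in the thread). Section names and registry
values come from the log posted above; the heuristics are this example's own."""
import re
from collections import defaultdict

# Excerpt of the ComboFix log from post #6, trimmed to the lines inspected here.
LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\cookies.ini
c:\windows\system32\chlxqrht.ini
c:\windows\system32\ekgeqeuj.ini
c:\windows\system32\MabryObj.dll
c:\windows\system32\robsmmps.dllbox
C:\z.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
- - - - ORPHANS REMOVED - - - -

BHO-{83C02AD8-4F7C-476A-A781-F95324FC91DF} - (no file)
BHO-{E8E1ADAF-A13D-49D0-BCBB-1D9CD808B62E} - c:\windows\system32\jkhff.dll
HKCU-Run-Steam - (no file)
Notify-robsmmps - (no file)
"""

# The three header styles seen in ComboFix output:
# "((( Name )))", "- - - - Name - - - -" and "--- Name ---".
SECTION_RE = re.compile(
    r"^(?:\(+\s*(?P<p>[^()]+?)\s*\)+"
    r"|-(?: -)+\s*(?P<d>.+?)\s*-(?: -)+"
    r"|-{3,}\s*(?P<h>[^-].*?)\s*-{3,})\s*$"
)


def parse_sections(text):
    """Split the log into {section name: [non-empty lines]}; '.' filler lines are dropped."""
    sections = defaultdict(list)
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = (m.group("p") or m.group("d") or m.group("h")).strip()
            continue
        if line and line != ".":
            sections[current].append(line)
    return dict(sections)


# Settings that weaken Security Center or the firewall (assumed rule list for
# this example; a third-party suite may set these legitimately).
TAMPER_RULES = (
    ("AntiVirusDisableNotify", r'^"AntiVirusDisableNotify"=dword:0*1$', "Security Center AV warnings suppressed"),
    ("DisableMonitoring", r'^"DisableMonitoring"=dword:0*1$', "Security Center monitoring of a product switched off"),
    ("EnableFirewall", r'^"EnableFirewall"=\s*0\b', "Windows Firewall off in the standard profile"),
)


def tamper_indicators(sections):
    """Return (registry key, value name, explanation) for each weakening value found."""
    found, key = [], None
    for line in sections.get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember the key the following values belong to
            continue
        for name, pattern, why in TAMPER_RULES:
            if re.match(pattern, line):
                found.append((key, name, why))
    return found


ORPHAN_RE = re.compile(
    r"^(?P<kind>BHO|HKLM-Run|HKCU-Run|HKU-Default-Run|Notify)-(?P<name>.+?) - (?P<target>.+)$"
)


def orphans_with_file(sections):
    """Orphaned autostart entries whose target file still existed on disk."""
    hits = []
    for line in sections.get("ORPHANS REMOVED", []):
        m = ORPHAN_RE.match(line)
        if m and m.group("target") != "(no file)":
            hits.append((m.group("kind"), m.group("name"), m.group("target")))
    return hits


# Heuristic taken from this log's pattern: 8-letter pseudo-random .ini files in system32.
RANDOM_INI_RE = re.compile(r"\\system32\\[a-z]{8}\.ini$", re.IGNORECASE)


def random_named_ini(sections):
    return [l for l in sections.get("Other Deletions", []) if RANDOM_INI_RE.search(l)]


def triage(text):
    sections = parse_sections(text)
    return {"tamper": tamper_indicators(sections),
            "orphans_with_file": orphans_with_file(sections),
            "random_ini": random_named_ini(sections)}


if __name__ == "__main__":
    for heading, rows in triage(LOG).items():
        print(heading)
        for row in rows:
            print("  ", row)
```

Run as a script it prints the three lists; the functions return plain tuples and lists so the output can be fed into whatever reporting you already use.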



#7
May 20, 2009 at 07:58:21
By the way, the wizard couldn't install the 'Unknown' hardware, but on reboot there was no such problem. Also, should I enable the firewall etc.?


#8
May 20, 2009 at 08:03:11
Any progress in your original problem? Follow these steps now.

Download and run Kaspersky AVP tool:

http://devbuilds.kaspersky-labs.com...

Once you download and start the tool select all the objects/places to be scanned and hit Scan. Fix what it detects and at the end of the scan post screen shot/log of detected items that is fixed and which it could not fix.


#9
May 21, 2009 at 13:53:55
disinfected: virus Virus.Win32.Nsag.b
File: C:\Program Files\Norton AntiVirus\Quarantine\655527AF.dll//Crypt.Quarantine

disinfected: virus Virus.Win32.Nsag.b
File: C:\System Volume Information\_restore{1450A557-4027-4F57-AFFC-65B5F7AFB22A}\RP545\A0041528.dll//Crypt.Quarantine



#10
May 21, 2009 at 14:10:01
All of those pos*** files have gone. The HDD icon is still replaced with a red X in My Computer.


#11
May 21, 2009 at 14:27:14
Follow these steps next in order:

1) Run this script in AVZ:


begin
CreateQurantineArchive('c:\quarantine.zip');
end.

2) A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/ Then, Private Message me the Download link to the uploaded file.

3) Lastly, uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok. Or Start > run > type 234 /u > ok.

4) Run this script in AVZ:

begin
 ExecuteRepair(1);
 ExecuteRepair(2);
 ExecuteRepair(5);
 ExecuteRepair(8);
 ExecuteRepair(10);
 RebootWindows(true);
end.

Once your Computer reboots check and see if Red X is gone.


#12
May 22, 2009 at 04:01:05
The red X remains, the found new hardware wizard has come up again


#13
May 22, 2009 at 04:14:48
1) As for the hardware: go to Administrative tools --> Computer Management --> Device Manager --> Select the hardware that's not working --> right click properties --> select Details tab and post a screen shot of it.

2) Run this script in AVZ:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\c9db56cd54bb08c0ba7a\*.*','');
DeleteFileMask('C:\c9db56cd54bb08c0ba7a\','*.*',true);
QuarantineFile('c:\windows\system32\4E4DC8ED88.sys','');
DeleteFile('c:\windows\system32\4E4DC8ED88.sys');
DeleteDirectory('C:\c9db56cd54bb08c0ba7a\');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

3) Install, update and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log, but please don't fix anything yet, until the log is reviewed.


#14
May 23, 2009 at 04:32:36
Sorry I don't know how to post a screen shot.

In the device manager window 2 things are highlighted with an exclamation mark:

i) Other devices > Unknown device
General tab:
Device status: This device is not configured correctly. (Code 1) To reinstall the drivers for this device, click Reinstall Driver.
Details tab:
Device Instance Id: ROOT\LEGACY_UTE5MZU5\0000

ii) SCSI and RAID controllers > SCSI/RAID Host Controller
General tab:
Device status: This device cannot start. (Code 10) Click Troubleshoot to start the troubleshooter for this device.
Details tab:
Device Instance Id: ROOT\SCSIADAPTER\0000
Hardware Ids: HHVCS4SDK
Compatible Ids: GEN_SCSIADAPTER
Matching Device Id: gen_scsiadapter
Service: vcsmpdrv
Class Installer: SysSetup.Dll,ScsiClassInstaller
Class coinstaller: SysSetup.Dll,CriticalDeviceCoInstaller



#15
May 23, 2009 at 07:03:17
Have you used regedit before?


#16
May 23, 2009 at 07:53:34
No I haven't used regedit.

Here's the log from the Malwarebytes scan:

Malwarebytes' Anti-Malware 1.36
Database version: 2169
Windows 5.1.2600 Service Pack 2

23/05/2009 15:51:18
mbam-log-2009-05-23 (15-51-06).txt

Scan type: Full Scan (A:\|C:\|Q:\|R:\|)
Objects scanned: 234983
Time elapsed: 1 hour(s), 0 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> No action taken.
C:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> No action taken.
C:\WINDOWS\system32\libmcl-3.1.1.dll (Trojan.FakeAlert) -> No action taken.
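Every detection in the log above ends in "-> No action taken", which is why the next reply asks for them to be fixed. As an added example (not Malwarebytes' own code), the Python below parses that log's summary counts and per-category item lists, checks that the counts agree with what is actually listed, and reports which detections were left in place and which families they belong to. The embedded log text is the one posted above; the regular expressions are this example's assumptions about the log format.

```python
"""Consistency and follow-up check for a Malwarebytes' Anti-Malware log
(example code written for this page, not part of Malwarebytes)."""
import re
from collections import Counter

# The log from post #16, summary and item sections only (page data, not constructed).
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2169

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> No action taken.
C:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> No action taken.
C:\WINDOWS\system32\libmcl-3.1.1.dll (Trojan.FakeAlert) -> No action taken.
"""

# "Category Infected: N" is a summary line; "Category Infected:" opens an item list.
CATEGORY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):\s*(?P<n>\d+)?$")
# "<path> (<family>) -> <action>."  (format assumption for this example)
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam(text):
    """Return (summary counts, {category: [(path, family, action), ...]})."""
    counts, items, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CATEGORY_RE.match(line)
        if m:
            if m.group("n") is not None:
                counts[m.group("cat")] = int(m.group("n"))
                current = None
            else:
                current = m.group("cat")
                items.setdefault(current, [])
            continue
        if current is None or not line or line.startswith("(No malicious"):
            continue
        im = ITEM_RE.match(line)
        if im:
            items[current].append((im.group("path"), im.group("family"), im.group("action")))
    return counts, items


def count_mismatches(counts, items):
    """Categories whose summary count disagrees with the items actually listed."""
    return [(cat, n, len(items.get(cat, [])))
            for cat, n in counts.items() if n != len(items.get(cat, []))]


def unresolved(items):
    """Detections the scan left in place: 'No action taken' means nothing was removed."""
    return [(cat, path, family) for cat, rows in items.items()
            for path, family, action in rows if action == "No action taken"]


def family_counts(items):
    return Counter(family for rows in items.values() for _, family, _ in rows)


if __name__ == "__main__":
    counts, items = parse_mbam(MBAM_LOG)
    print("count mismatches:", count_mismatches(counts, items))
    print("left in place:", len(unresolved(items)), dict(family_counts(items)))
```

The mismatch check matters when a log has been pasted by hand: a summary that claims six registry keys while only five are listed usually means a line was lost in the paste, and that is the line you most want to see.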



#17
May 23, 2009 at 07:59:17
Fix what Malwarebytes detected. Also scan/fix what is detected with:

1) SuperAntispyware: http://www.superantispyware.com/dow...

2) http://onecare.live.com/site/en-Us/...

3) http://onecare.live.com/site/en-Us/...

Are you still getting a message requesting to insert the Windows XP installation disk at startup? Finish those steps then we will deal with new hardware problem.


#18
May 23, 2009 at 10:12:02
No, I'm not getting that message anymore.


#19
May 23, 2009 at 10:56:50
Also, can you post the scan log for SUPERAntiSpyware?


#20
May 24, 2009 at 02:31:17
The Live OneCare scan did not work for some reason, so I ran a full system scan and tune up from the Live OneCare trial version I downloaded. There were no infections found.

Here's the SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/23/2009 at 07:35 PM

Application Version : 4.26.1002

Core Rules Database Version : 3908
Trace Rules Database Version: 1853

Scan type : Complete Scan
Total Scan Time : 01:16:14

Memory items scanned : 450
Memory threats detected : 0
Registry items scanned : 7074
Registry threats detected : 0
File items scanned : 28613
File threats detected : 39

Adware.Tracking Cookie
C:\Documents and Settings\Buzz\Cookies\buzz@chitika[1].txt
C:\Documents and Settings\Buzz\Cookies\buzz@questionmarket[1].txt
C:\Documents and Settings\Buzz\Cookies\buzz@serving-sys[2].txt
C:\Documents and Settings\Buzz\Cookies\buzz@at.atwola[2].txt
C:\Documents and Settings\Buzz\Cookies\buzz@revsci[1].txt
C:\Documents and Settings\Buzz\Cookies\buzz@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\Buzz\Cookies\buzz@xiti[1].txt
C:\Documents and Settings\Buzz\Cookies\buzz@adserver.adtechus[1].txt
C:\Documents and Settings\Buzz\Cookies\buzz@smartadserver[2].txt
C:\Documents and Settings\Buzz\Cookies\buzz@tacoda[2].txt
C:\Documents and Settings\Buzz\Cookies\buzz@tribalfusion[1].txt
C:\Documents and Settings\Buzz\Cookies\buzz@bs.serving-sys[1].txt
C:\Documents and Settings\Buzz\Cookies\buzz@247realmedia[1].txt
C:\Documents and Settings\Buzz\Cookies\buzz@media6degrees[1].txt
C:\Documents and Settings\Buzz\Cookies\buzz@yadro[1].txt
C:\Documents and Settings\Buzz\Cookies\buzz@collective-media[1].txt
.revsci.net [ C:\Documents and Settings\Buzz\Application Data\Mozilla\Firefox\Profiles\ex3wxvlr.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Buzz\Application Data\Mozilla\Firefox\Profiles\ex3wxvlr.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Buzz\Application Data\Mozilla\Firefox\Profiles\ex3wxvlr.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Buzz\Application Data\Mozilla\Firefox\Profiles\ex3wxvlr.default\cookies.txt ]
C:\Documents and Settings\Dilshad\Cookies\dilshad@insightfirst[1].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@adnetserver[1].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@www.zanox-affiliate[1].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@islamicfinder[1].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@ads.ft[1].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@ads.businessweek[1].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@www.macromedia[1].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@sdc.rbistats[1].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@www.islamicfinder[1].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@hornymatches[2].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@findology[1].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@www.essayfinder[2].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@a.findarticles[1].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@accessexcellence[1].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@statsgod[1].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@stats.channel4[1].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@www.admedia365[1].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@adv.webmd[2].txt
C:\Documents and Settings\Dilshad\Cookies\dilshad@findarticles[1].txt



#21
May 24, 2009 at 04:54:19
OK, you're malware free. As for the red X for the HDD, please post a screenshot of it.


#22
May 24, 2009 at 07:20:12
Sorry, I don't know how to post a screenshot of it using this forum.


#23
May 24, 2009 at 08:05:50
Upload it to http://www.imageshack.us/ and post link here or private message it to me.


#24
May 26, 2009 at 10:32:02
Here's the link to it:

http://img33.imageshack.us/img33/44...



#25
May 26, 2009 at 10:47:43
Post a proper picture of the whole desktop, including that icon, in whichever window it is seen.


#26
May 26, 2009 at 12:11:59
Sorry, here's the link:

http://img16.imageshack.us/img16/60...



#27
May 26, 2009 at 12:23:28
Follow: http://www.troublefixers.com/drive-...


#28
May 26, 2009 at 14:40:46
Thanks, that's sorted out that red X.

Here's the link to the image you requested earlier about the hardware problem:

http://img32.imageshack.us/img32/59...



#29
May 26, 2009 at 16:36:03
Did you try to delete them completely and reinstall it via add/remove hardware? In device manager right click and delete them completely.


#30
May 28, 2009 at 03:15:14
No luck


#31
May 28, 2009 at 05:12:23
Start > run > regedit, navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_<8 letters/digits>
On the left side right click the "LEGACY_<8 letters/digits>" key (looks like a folder) and select export. Give the output file a name. Afterward right click it again and select "permissions", click "everyone" and check full control below (under the allow column). Press ok and attempt to delete the LEGACY_<8 letters/digits> key. To do that click it on the left side and press delete on your keyboard, confirm the prompt and reboot the PC.
