Hi all!
Two days ago, as I was downloading a subtitle for a movie, my desktop suddenly changed and an advert saying that my computer has been infected popped up and became my new desktop background. I tried to change the background, yet there was no place to click. My web searching gave me many options and finally I managed to successfully solve the problems. Then came a new problem! I cannot access www.symantec.com, Windows Update, many antivirus sites plus online virus scanners. Even some websites where I could get help could not be accessed. I downloaded spydoctor yet couldn't update it; I worked around it by using Google's Pack. I have used fixwareout.exe, HijackThis, RegCure (it keeps opening every time I start my computer), cleaned the HOSTS file, and there was nothing in the log except this: "127.0.0.1 localhost". Even the HijackThis log could not open in Notepad (seems to be malfunctioning too) but only with WordPad. Initially Norton 360 was launching at startup, yet now it isn't launching in any way. I have followed a number, if not tens, of solutions, yet I still cannot access antivirus/spyware/malware-related sites or even forums. It was by sheer luck that this website opened. Shuffled the DNS, yet the problem persists. Checked with the Rootkit Revealer, failed to reach a solution. I tried launching AnchorFree Hotspot Shield: same story, couldn't. Before this I could. I really do not want to re-install XP because there are too many valuable things on my computer. System Restore doesn't work. It says on, but when I want to back up my data there is a prompt which requires me to turn on System Restore, yet the computer shows it's on. I am very confused as of now. Please help!
Can you try the steps HERE?
Especially the Malwarebytes program. Have it fix everything found.
Ignore the DSS scanner program in that sticky for now, it is not available.
See if you can get us a scan with HijackThis too.
Thanks for a quick prompt.
I have tried the suggestions in the "Read Before Posting":
System Restore, as I said before, has a problem. Sometimes, only sometimes, it works in Safe Mode.
ATF-Cleaner cannot be accessed.
Microsoft Malicious Removal Tool.... can be accessed up to the downloading part and then stops. Tried the other link... not able to access.
Option 9 for the online scanning... all of them cannot be accessed!
I have been trying to post the HJT log with no success.... I will keep on trying.
Tried to zip it:
Don't worry about the System Restore part...you don't need to do anything with that until we are sure the system is clean.
When you say ATF-Cleaner cannot be accessed do you mean you cannot download it or you have downloaded it but cannot run it?
If nothing else try the built-in Disk Cleanup program on the computer. If you can't do that either, don't worry about it.
A key program would be the Malwarebytes program. Have you been able to download and install it?
The main thing is do what you can.
What is happening when you are trying to post the HJT log?
Was the zip file the only way to post it? You can either copy/paste or attach as a .txt file.
Tried to copy it... I couldn't. Let me try to attach it as a .txt file. I have downloaded Malwarebytes and it is scanning now. I will post its log when it has finished.
Several attempts to copy and paste it failed... changed to a text file, also failed to upload....
Post the malwarebytes log as soon as it is complete. Be sure to have it fix what it finds.
After that I want you to download ComboFix.
Click on the Save button and then, when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Close all open windows including this one.
Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Double Click the Combofix icon on the desktop.
Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
Windows may issue a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
When the program begins to run you will be offered a disclaimer. To agree to run the program you must press 1. Please do so.
Then ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry.
Once the Windows Registry has finished being backed up, ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.
ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.
When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
Post back here with that log.
NOTE* Do NOT TOUCH the computer while Combofix is running as this could cause the program to stall or fail.
Wow! Thanks a lot! After using Malwarebytes my computer got 95% fixed! I mean all those websites I couldn't access I can now access. The only issue left is the Norton 360 launch and System Restore malfunctions. I am going to send some logs (ah! Notepad now works fine and I think I can copy and paste with no problem!). Thank you so much!
After sending those logs I will start with ComboFix.
Malwarebytes log:
Malwarebytes' Anti-Malware 1.25
Database version: 1092
Windows 5.1.2600 Service Pack 2
10:44:19 AM 8/29/2008
mbam-log-08-29-2008 (10-44-19).txt
Scan type: Full Scan (C:\|E:\|)
Objects scanned: 142580
Time elapsed: 44 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\User\Desktop\all in\Unused Desktop Shortcuts\WinRar_v3.51_Crack_by_Bokiv\WinRar_v3.51_Crack_by_Bokiv.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
Here is the ComboFix log:
ComboFix 08-08-28.04 - User 2008-08-29 11:07:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.213 [GMT 8:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Documents\Adobe PDF\Data\Desktop_.ini
C:\Documents and Settings\All Users\Documents\Adobe PDF\Desktop_.ini
C:\Documents and Settings\All Users\Documents\Adobe PDF\Example Files\Desktop_.ini
C:\Documents and Settings\All Users\Documents\Adobe PDF\Extras\Desktop_.ini
C:\Documents and Settings\All Users\Documents\Adobe PDF\Settings\Desktop_.ini
C:\Documents and Settings\All Users\Documents\Adobe PDF\Startup\Desktop_.ini
C:\Documents and Settings\All Users\Documents\Config\_desktop.ini
C:\Documents and Settings\All Users\Documents\Config\Desktop_.ini
C:\Documents and Settings\All Users\Documents\Fonts\_desktop.ini
C:\Documents and Settings\All Users\Documents\Fonts\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\My Playlists\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000B6C12\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\000A736A\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Pictures\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Videos\Desktop_.ini
C:\Documents and Settings\All Users\Documents\Softwrap\Desktop_.ini
C:\Documents and Settings\All Users\Documents\Softwrap\STREAMCASTNE5221016A\Desktop_.ini
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\SkypeComm.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Legacy_TDSSSERV
-------\Service_NPF
-------\Service_tdssserv
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.
2008-08-29 01:53 . 2008-08-29 11:02 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-29 01:53 . 2008-08-29 01:53 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-08-29 01:53 . 2008-08-29 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-29 01:53 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-29 01:53 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-28 22:12 . 2008-08-29 01:21 18,538 --a------ C:\WINDOWS\system32\mstmpxmlfun.xml
2008-08-28 21:51 . 2008-08-28 21:56 <DIR> d-------- C:\Program Files\CCleaner
2008-08-28 14:38 . 2008-08-28 23:01 <DIR> d-------- C:\Documents and Settings\User\Application Data\RegSweep
2008-08-28 14:37 . 2008-08-28 23:01 <DIR> d-------- C:\Program Files\RegSweep
2008-08-28 12:38 . 2008-08-28 22:19 <DIR> d-------- C:\fixwareout
2008-08-28 00:38 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-08-28 00:38 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-08-28 00:38 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-08-28 00:38 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-08-28 00:37 . 2008-08-28 00:53 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-28 00:37 . 2008-08-28 00:37 <DIR> d-------- C:\Documents and Settings\User\Application Data\PC Tools
2008-08-28 00:34 . 2008-08-28 23:55 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-08-28 00:33 . 2008-08-29 09:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-28 00:32 . 2008-08-28 00:33 <DIR> d-------- C:\Program Files\Google
2008-08-27 11:03 . 2008-08-28 22:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-26 15:30 . 2008-08-26 15:30 <DIR> d-------- C:\Program Files\MOJOSOFT
2008-08-26 15:30 . 2008-08-26 15:30 <DIR> d-------- C:\Documents and Settings\User\Application Data\mojosoft
2008-08-20 23:34 . 2008-08-20 23:34 <DIR> d-------- C:\Documents and Settings\User\Application Data\cmw
2008-08-20 22:57 . 2008-08-20 22:57 <DIR> d-------- C:\Program Files\WinSCP
2008-08-20 20:50 . 2008-08-20 20:50 <DIR> d-------- C:\Program Files\winpwn
2008-08-20 18:50 . 2008-08-20 18:51 <DIR> d-------- C:\Program Files\QuickTime
2008-08-18 21:28 . 2008-08-18 21:56 <DIR> d-------- C:\Program Files\PFConfig
2008-08-14 10:48 . 2008-05-01 22:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-07-31 20:58 . 2008-07-31 20:58 44,423 --a------ C:\CONSALTING[1](3).pdf
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 15:03 --------- d-----w C:\Program Files\Dream Manifestation Wizard
2008-08-28 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-28 04:27 --------- d-----w C:\Program Files\FlashGet
2008-08-27 16:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-27 14:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-27 03:02 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-08-26 11:07 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-08-15 15:50 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-08-08 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-06 06:20 --------- d-----w C:\Program Files\K-Meleon
2008-07-31 12:59 --------- d-----w C:\Documents and Settings\User\Application Data\U3
2008-07-22 12:32 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-18 05:55 --------- d-----w C:\Program Files\Foxit Software
2008-07-17 11:08 --------- d-----w C:\Program Files\Alcohol Soft
2008-07-17 07:00 --------- d-----w C:\Program Files\JAP
2008-07-17 06:59 --------- d-----w C:\Program Files\Elecard
2008-07-17 04:41 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-17 04:40 --------- d-----w C:\Documents and Settings\User\Application Data\DAEMON Tools
2008-07-07 11:04 --------- d-----w C:\Documents and Settings\User\Application Data\K-Ninja
2008-07-07 11:02 --------- d-----w C:\Program Files\K-Ninja
2008-07-06 05:34 --------- d-----w C:\Program Files\ABC Amber LIT Converter
2008-07-03 15:18 --------- d-----w C:\Program Files\SopCast
2008-06-29 16:14 --------- d-----w C:\Documents and Settings\User\Application Data\dvdcss
2007-08-21 03:37 8,224 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2006-11-29 05:19 92,064 ----a-w C:\Documents and Settings\User\mqdmmdm.sys
2006-11-29 05:19 9,232 ----a-w C:\Documents and Settings\User\mqdmmdfl.sys
2006-11-29 05:19 79,328 ----a-w C:\Documents and Settings\User\mqdmserd.sys
2006-11-29 05:19 66,656 ----a-w C:\Documents and Settings\User\mqdmbus.sys
2006-11-29 05:19 6,208 ----a-w C:\Documents and Settings\User\mqdmcmnt.sys
2006-11-29 05:19 5,936 ----a-w C:\Documents and Settings\User\mqdmwhnt.sys
2006-11-29 05:19 4,048 ----a-w C:\Documents and Settings\User\mqdmcr.sys
2006-11-29 05:19 25,600 ----a-w C:\Documents and Settings\User\usbsermptxp.sys
2006-11-29 05:19 22,768 ----a-w C:\Documents and Settings\User\usbsermpt.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-21 00:46 217544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Dream Manifestation Wizard"="C:\Program Files\Dream Manifestation Wizard\Dream Manifestation Wizard.exe" [2007-10-09 14:23 6195247]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 13:59 115816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 09:47 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 09:47 163840]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-01-13 09:46 135168]
"bjcacertd_ft11"="C:\Program Files\Feitian\BJCA\bjcacertd_ft11.exe" [2006-07-17 16:10 94208]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"RegSweep"="C:\Program Files\RegSweep\RegSweep.exe" [2008-08-27 07:28 6751480]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-20 00:25 160592]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^MagicDisc.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TIMHost
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VPNClient
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2005-02-17 14:01 233534 C:\Program Files\HPQ\Default Settings\Cpqset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 09:47 163840 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-01-13 09:47 131072 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 21:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 21:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
--a------ 2004-08-14 04:42 36864 C:\Program Files\mobile PhoneTools\WatchDog.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
"C:\\Program Files\\FlashGet\\FlashGet.exe"=
"C:\\Documents and Settings\\User\\Desktop\\all in\\Unused Desktop Shortcuts\\Foxit.PDF.Editor.1.4.1531_CRKEXE-FFF\\PDFEdit.exe"=
"C:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"E:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"13160:TCP"= 13160:TCP:BitComet 13160 TCP
"13160:UDP"= 13160:UDP:BitComet 13160 UDP
"67:UDP"= 67:UDP:DHCP Discovery Service
R3 tapvpn;TAP VPN Adapter;C:\WINDOWS\system32\DRIVERS\tapvpn.sys [2008-01-24 05:25]
S3 FYYPPOW;FYYPPOW;C:\DOCUME~1\User\LOCALS~1\Temp\FYYPPOW.exe []
S3 SOAQSUBVZC;SOAQSUBVZC;C:\DOCUME~1\User\LOCALS~1\Temp\SOAQSUBVZC.exe []
S3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2006-03-27 23:03]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{205669c4-619e-11dc-9834-0015003c02b4}]
\Shell\1\Command - RUNAUT~1\autorun.pif
\Shell\2\Command - RUNAUT~1\autorun.pif
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNAUT~1\autorun.pif
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25131090-172a-11dc-97a2-0010c6e407dd}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.pif
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e64f32a-308a-11dd-a1f8-0010c6e407dd}]
\Shell\Auto\command - boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50049ecc-1492-11dc-979b-0010c6e407dd}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNAUT~1\autorun.pif
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ee8bbbd-1462-11db-94a8-0010c6e407dd}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80a8dfad-13fd-11dd-a1db-0010c6e407dd}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8414b181-1c7d-11db-94c9-0010c6e407dd}]
\Shell\AutoRun\command - reper.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f1681df-27aa-11dc-97d2-0010c6e407dd}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7ce6373-a4d7-11da-86a2-0016353d5a96}]
\Shell\AutoRun\command - Iexplores.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d55d3480-6b04-11dc-984a-0010c6e407dd}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNAUT~1\autorun.pif
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f45b0154-b249-11da-86e5-0016353d5a96}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fba019d0-eaa4-11d9-97d7-0010c6e407dd}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
2008-08-25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
2008-08-29 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-06-27 21:42]
2008-08-28 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-06-27 21:42]
2008-08-29 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job
- C:\Program Files\RegSweep\RegSweep.exe [2008-08-27 07:28]
2008-08-29 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job
- C:\Program Files\RegSweep [2008-08-28 23:01]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-nmapp - C:\Program Files\Pure Networks\Network Magic\nmapp.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qrj78liz.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qrj78liz.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.3.1314.1135\npCIDetect12.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npagent.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
FF -: plugin - E:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 11:35:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-08-29 11:44:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-29 03:43:41
Pre-Run: 14,813,220,864 bytes free
Post-Run: 14,752,985,088 bytes free
282 --- E O F --- 2008-08-28 07:49:42
Wow, I guess there it is! The Recovery Console... how do I get to install it? By the way, now 99 percent of the problems have been solved. Thanks a lot! This forum rocks!
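The two logs above are exactly what a helper has to read by eye. As an added example (not code from the thread, Malwarebytes or ComboFix), the script below parses excerpts copied from those logs: it turns the Malwarebytes findings into records, lists the items marked "Delete on reboot" (the machine is not clean until that reboot has happened), tallies detection names, and then walks the ComboFix `mountpoints2` block flagging any removable-drive AutoRun command that launches something other than plain `EXPLORER.EXE`. The log format is assumed from the lines shown in this thread, and the "anything but EXPLORER.EXE" rule is a review heuristic of mine, not a verdict: the helper in the thread did not comment on those entries.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the Malwarebytes log posted above.
MBAM_LOG = r"""
Files Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
"""

# Constructed sample: lines copied from the ComboFix mountpoints2 section above.
MOUNTPOINTS_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e64f32a-308a-11dd-a1f8-0010c6e407dd}]
\Shell\Auto\command - boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ee8bbbd-1462-11db-94a8-0010c6e407dd}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80a8dfad-13fd-11dd-a1db-0010c6e407dd}]
\Shell\AutoRun\command - wscript.exe .\.vbs
"""

# "<item> (<detection name>) -> <action...>"; the action may itself contain
# a "Bad: (x) Good: (y) ->" prefix, so the last "->" segment is the action.
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[A-Za-z0-9.]+)\) -> (?P<rest>.+)$")
KEY_RE = re.compile(r"^\[.*\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})\]$", re.IGNORECASE)
CMD_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.IGNORECASE)


def parse_mbam_log(text):
    """Return {section name: [finding dict, ...]} for a Malwarebytes log."""
    findings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):          # e.g. "Files Infected:"
            section = line[:-1]
            findings.setdefault(section, [])
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        action = m.group("rest").rsplit(" -> ", 1)[-1].rstrip(".")
        findings[section].append({
            "item": m.group("item"),
            "detection": m.group("name"),
            "action": action,
            "pending_reboot": action.startswith("Delete on reboot"),
        })
    return findings


def pending_reboot(findings):
    """Items Malwarebytes could not remove until the next reboot."""
    return [f["item"] for items in findings.values() for f in items if f["pending_reboot"]]


def families(findings):
    """Count how often each detection name appears across all sections."""
    return Counter(f["detection"] for items in findings.values() for f in items)


def triage_mountpoints(text):
    """Return (drive GUID, verb, command) for AutoRun commands other than EXPLORER.EXE."""
    flagged = []
    guid = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            guid = km.group("guid")
            continue
        cm = CMD_RE.match(line)
        if cm and guid and cm.group("cmd").strip().upper() != "EXPLORER.EXE":
            flagged.append((guid, cm.group("verb"), cm.group("cmd").strip()))
    return flagged


if __name__ == "__main__":
    found = parse_mbam_log(MBAM_LOG)
    print("detections:", dict(families(found)))
    print("reboot still required for:", pending_reboot(found))
    for guid, verb, cmd in triage_mountpoints(MOUNTPOINTS_LOG):
        print(f"review {guid} {verb}: {cmd}")
```

Run it as a script to see the summary, or feed `parse_mbam_log` the full text of a saved `mbam-log-*.txt`: the top "Files Infected: 9" counters and the "Scan type" line are ignored because they are not section headers and do not match the finding pattern. The `mountpoints2` check is only a first pass; the cached AutoRun command for a drive that is no longer attached is harmless by itself, but `boot.exe`, `autorun.pif` and `wscript.exe .\.vbs` entries are worth remembering when the same USB stick is plugged in again.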
Recovery Console and System Restore are two different things.
http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx
The System Restore feature is built into Windows XP and is used to return your computer to an earlier state if you have a system failure or other major problem with your computer. System Restore automatically tracks changes to your computer and creates restore points before major changes are to occur. For example, restore points are created before new device drivers, automatic updates, unsigned drivers, and some applications are installed. These healthy system checkpoints are created without prompting or intervention from the user the first time the computer is started after Windows XP is installed and, by default, on a daily basis after that. You can also manually create restore points. When you use System Restore, you can revert to a saved state (of several days or weeks earlier if needed) without losing personal data including Word documents, e-mail settings and messages, and your Internet favorites list. System Restore won't lose any data you have stored in the My Documents, My Pictures, or My Music folders either.
http://pcsupport.about.com/od/termsr/p/recoveryconsole.htm
The Recovery Console is for use when your system does not start correctly. The Recovery Console is particularly useful if you have to repair your computer by copying a file from a disk or CD-ROM to your hard disk, or if you have to reconfigure a service that is preventing your computer from starting correctly. These actually would be KEY original system files, NOT a saved document or photo or video or whatever. You usually access the Recovery Console using your Windows Operating System CD OR you can install it from the Windows CD onto your Boot Menu.
System Restore doesn't work. It says on, but when I want to back up my data there is a prompt which requires me to turn on System Restore, yet the computer shows it's on.
Think you have misunderstood something about backing up your data, it really has NOTHING to do with System Restore...you really should back up your data to someplace other than directly on the computer. When you get the prompt to turn on the System Restore...this is a normal prompt, even if System Restore is turned on. The prompt is just to make sure that you DO have it turned on; it really isn't telling you it is turned off. System Restore isn't the end all and be all of restoration. If you want to back up important data then you should back it up to a CD or an outside source.
When you use System Restore you are "rolling back" your System to a previous state and date. Generally you will not lose important documents and such made After that Restore point, you are not supposed to anyway but occasionally you may. This is why backup copies of important things should also be kept someplace other than the computer itself.
http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx
System Restore is no substitute for regularly backing up your data. System Restore comes into play when your computer becomes unstable. System Restore can't be used if your hard drive fails or is melted down in a fire, because the information that System Restore uses is stored on the hard drive itself.
When you use Backup, save the backup information to a disk or an external drive for safekeeping. If there's a catastrophic failure, such as a hard drive crash, this backup can be used to restore the data after the hardware repair is complete.
Got it. Let me first back up my data and then work on making System Restore work. Thanks very much!
Once you back up your data. Then the only thing you would need to do with System Restore is turn it off, this will clear the old and possibly infected restore points. Wait a minute and then turn it back on and it will set a new clean Restore point. That is it. You DON'T want to go back to another time or date because you do run the risk of bringing the infection back.
Wow! Done! Thank you so much for your help! I am really excited! Problem solved!
Happy everything worked. Glad your computer is back up and running the way you want it to.
Judy