
Access Denied Host File

Discussion in 'Malware Removal Help' started by pack1977, Dec 2, 2009.

  1. pack1977

    pack1977 Junior Member

    Joined:
    Dec 2, 2009
    Messages:
    26
    I will get to this as soon as I can tomorrow. I appreciate all your help on this computer. It seems that malware has hit home on this computer and doesn't want to leave. I have been getting a lot of work the last few weeks with people getting this crap. Have you heard anything about Facebook causing some of these problems? Most of the computers I've fixed have had people who use Facebook regularly. Just wanted to get your opinion :yikes: Again I just want to say thanks, and I have a different computer to get started on when I get this one done.
     
  2. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Hi pack1977

    I forget how many posts I've made on forums warning people about the dangers of 'Social Networks'. :confused:
    The thing is, no one is really going to listen because they get hooked on these networks and are not going to stop using them.
    If you take the proper precautions .... you are fine.
    But a lot of people use 'Social Networks' when they don't really have much idea of the consequences.

    No problem, just post when you are ready.
     
  3. pack1977

    I will have something to you shortly.
     
  4. pack1977

    The OTL Fix is stalling on this process in the scan:

    [HKey_classes_Root\xp_ca0d5.DocHostUIHandler]...

    Does this mean anything to you?
     
  5. starbuck

    What do you mean by 'stalling'?
    Is it just taking a long time or has the program stopped responding?
     
  6. pack1977

    Program not responding
     
  7. pack1977

    Here is the log from SuperAntiSpyware.
     
  8. starbuck

    Hi pack,

    Ok, I won't kick your butt too hard this time.....
    although SAS definitions are out of date! :)
    I read everything.... those definitions were applied on the 1st December..... you ran the report on the 5th.
    As it's an older type of infection.... SAS would have picked it up with the definitions you had.
    Nothing showing and the things it did pick up are nothing to worry about.

    Right, back to the problem in hand:

    Let's check whether the registry item in question is on your system or not.

    Click on Start >> Run, type in regedit
    then click ok.
    Now click on the + next to:
    HKEY_CLASSES_ROOT

    look down the list for:
    xp_ca0d5.DocHostUIHandler

    if it's not there.... just proceed with the fix below.
    If it is there.... complete the next 2 fixes.
    (I doubt anything will actually be removed, but until we run the fix.... we can't be sure)

    If you tried the previous fix and found any processes, you may have to stop them again ( if you have rebooted the system)

    Double click on OTL.exe to run it.
    Copy the lines in the codebox below. (make sure you include the first lot of : )
    Code:
    :Files
    c:\Documents and Settings\All Users\Application Data\61a60
    c:\Documents and Settings\All Users\Application Data\61a60\WES.ico
    c:\Documents and Settings\All Users\Application Data\61a60\WE83b.exe
    c:\Documents and Settings\All Users\Application Data\WESSys
    c:\Documents and Settings\All Users\Application Data\WESSys\wes.cfg
    c:\Documents and Settings\All Users\Application Data\WESSys\vd952342.bd
    %UserProfile%\Application Data\Windows Enterprise Suite
    %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Enterprise Suite.lnk
    %UserProfile%\Application Data\Windows Enterprise Suite\cookies.sqlite
    %UserProfile%\Application Data\Windows Enterprise Suite\47.mof
    %UserProfile%\Application Data\Windows Enterprise Suite\Instructions.ini
    %UserProfile%\Desktop\Windows Enterprise Suite.lnk
    %UserProfile%\Recent\ANTIGEN.sys
    %UserProfile%\Recent\cb.exe
    %UserProfile%\Recent\cid.dll
    %UserProfile%\Recent\CLSV.dll
    %UserProfile%\Recent\ddv.dll
    %UserProfile%\Recent\DBOLE.sys
    %UserProfile%\Recent\eb.exe
    %UserProfile%\Recent\eb.sys
    %UserProfile%\Recent\energy.exe
    %UserProfile%\Recent\exec.tmp
    %UserProfile%\Recent\kernel32.drv
    %UserProfile%\Recent\PE.drv
    %UserProfile%\Recent\PE.tmp
    %UserProfile%\Recent\ppal.exe
    %UserProfile%\Recent\SICKBOY.tmp
    %UserProfile%\Recent\sld.drv
    %UserProfile%\Recent\tjd.dll 
    %UserProfile%\Recent\tjd.sys
    %UserProfile%\Start Menu\Windows Enterprise Suite.lnk
    %UserProfile%\Start Menu\Programs\Windows Enterprise Suite.lnk
    c:\Program Files\Mozilla Firefox\searchplugins\search.xml 
    
    :Reg
    [-HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    “Windows Enterprise Suite”=-
    [-HKEY_CURRENT_USER\Software\Windows Enterprise Suite]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Enterprise Suite]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Windows Enterprise Suite]
    
    :commands
    [emptytemp]
    
    • Return to OTL,
    • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.

    • Click the red Run Fix button.
    • If OTListIt prompts for permission to reboot the computer, allow it to do so.
    • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

    Copy and paste the contents of the OTL log in your next reply.

    --------------------

    Close any open browsers.
    Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

    Open Notepad - it must be Notepad, not Wordpad.
    Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
    Code:
    Registry::
    [-HKEY_CLASSES_ROOT\xp_ca0d5.DocHostUIHandler]
    
    Go to the Notepad window and click Edit >> Paste
    Then click File >> Save
    Name the file "CFScript.txt" (including the quotes)
    Save the file to your Desktop

    The main ComboFix.exe program should be on your Desktop
    Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
    as below.

    Now please wait for ComboFix to finish running.

    Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

    let me know how things go.
     
    Last edited by a moderator: Feb 2, 2014
  9. pack1977

    Here are those logs. It might look as if I didn't update Malwarebytes, but I did. I just checked the database version and it was up to date. I have been manually updating them.

    ComboFix 09-12-03.02 - Luke 12/09/2009 12:33.5.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.370 [GMT -6:00]
    Running from: c:\documents and settings\Luke\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Luke\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Enterprise Suite *On-access scanning enabled* (Updated) {F1C7A8F3-B848-4EAD-A596-88B0E3671695}
    FW: Enterprise Suite *enabled* {69C0295C-229F-4EAE-9CEF-239ACC472894}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    Infected copy of c:\windows\system32\hid.dll was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\hid.dll

    Infected copy of c:\windows\system32\midimap.dll was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\midimap.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-11-09 to 2009-12-09 )))))))))))))))))))))))))))))))
    .

    2009-12-05 20:55 . 2009-12-05 20:57 117760 ----a-w- c:\documents and settings\Luke\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-12-05 20:55 . 2009-12-05 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-12-05 20:54 . 2009-12-05 20:54 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-12-05 20:54 . 2009-12-05 20:54 -------- d-----w- c:\documents and settings\Luke\Application Data\SUPERAntiSpyware.com
    2009-12-05 20:50 . 2009-12-05 20:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-12-05 19:38 . 2009-12-05 19:39 -------- d-----w- c:\program files\ERUNT
    2009-12-03 22:26 . 2009-12-03 22:26 -------- d-----w- c:\documents and settings\Luke\Application Data\AVG9
    2009-12-03 21:53 . 2009-12-01 22:17 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
    2009-12-03 21:53 . 2009-12-01 22:17 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2009-12-03 21:53 . 2009-12-01 22:17 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
    2009-12-03 21:53 . 2009-12-01 22:17 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2009-12-03 14:42 . 2009-12-03 14:42 -------- d-----w- C:\_OTL
    2009-12-01 22:18 . 2009-12-01 22:38 -------- d-----w- C:\$AVG
    2009-12-01 22:18 . 2009-12-01 22:18 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-12-01 22:18 . 2009-12-01 22:18 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-12-01 22:18 . 2009-12-01 22:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-12-01 22:18 . 2009-12-01 22:18 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-12-01 22:17 . 2009-12-03 21:52 -------- d-----w- c:\windows\system32\drivers\Avg
    2009-12-01 22:17 . 2009-12-01 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2009-11-30 21:15 . 2009-11-30 21:15 -------- d-----w- c:\documents and settings\Luke\Application Data\Malwarebytes
    2009-11-30 15:56 . 2009-11-30 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-11-30 15:56 . 2009-11-30 15:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-11-30 15:54 . 2009-11-30 15:54 -------- d-----w- c:\program files\AVG
    2009-11-14 01:06 . 2009-12-09 18:47 -------- d-----w- c:\documents and settings\Luke\Tracing
    2009-11-12 23:05 . 2009-12-01 16:12 -------- d-----w- c:\documents and settings\MIchelle\Tracing
    2009-11-12 23:01 . 2009-11-12 23:01 -------- d-----w- c:\program files\Microsoft
    2009-11-12 23:01 . 2009-11-12 23:01 -------- d-----w- c:\program files\Windows Live SkyDrive
    2009-11-12 22:56 . 2009-11-12 22:56 -------- d-----w- c:\program files\Common Files\Windows Live
    2009-11-11 21:51 . 2009-11-11 21:52 1408800 ----a-w- c:\documents and settings\MIchelle\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
    2009-11-11 02:19 . 2009-11-11 02:19 79488 ----a-w- c:\documents and settings\Luke\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-09 18:47 . 2008-09-02 02:09 -------- d-----w- c:\documents and settings\Luke\Application Data\OpenOffice.org2
    2009-12-07 22:55 . 2009-04-16 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2009-12-04 20:17 . 2008-11-09 15:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-12-04 18:05 . 2009-07-28 22:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-03 22:14 . 2009-07-28 22:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-03 22:13 . 2009-07-28 22:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-03 15:07 . 2008-05-26 22:33 -------- d-----w- c:\program files\Java
    2009-12-02 18:07 . 2008-12-31 04:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-12-01 16:46 . 2008-06-13 00:45 -------- d-----w- c:\documents and settings\MIchelle\Application Data\OpenOffice.org2
    2009-12-01 14:40 . 2009-12-05 20:47 22320397 ----a-w- c:\program files\PROCESSLIST.DB
    2009-12-01 14:40 . 2009-12-05 20:47 1258820 ----a-w- c:\program files\PROCESSLISTRELATED.DB
    2009-11-24 23:55 . 2008-05-23 15:44 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-11-24 20:33 . 2008-06-13 00:46 1 ----a-w- c:\documents and settings\MIchelle\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
    2009-11-20 13:39 . 2008-06-05 02:21 11294 ----a-w- c:\documents and settings\MIchelle\Application Data\wklnhst.dat
    2009-11-16 00:10 . 2008-10-04 20:09 -------- d-----w- c:\program files\Musicnotes
    2009-11-12 23:05 . 2008-05-27 03:06 92232 ----a-w- c:\documents and settings\MIchelle\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-11-12 23:00 . 2008-05-26 22:36 -------- d-----w- c:\program files\Windows Live
    2009-11-11 21:52 . 2009-05-06 20:30 127325 ----a-w- c:\documents and settings\MIchelle\Application Data\Move Networks\uninstall.exe
    2009-11-11 21:52 . 2008-06-03 18:04 -------- d-----w- c:\documents and settings\MIchelle\Application Data\Move Networks
    2009-11-11 21:52 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\MIchelle\Application Data\Move Networks\plugins\npqmp071505000011.dll
    2009-11-10 00:29 . 2008-07-07 17:33 -------- d-----w- c:\documents and settings\MIchelle\Application Data\Yahoo!
    2009-11-01 21:59 . 2009-10-28 02:19 -------- d-----w- c:\documents and settings\MIchelle\Application Data\ZoomBrowser EX
    2009-10-28 02:19 . 2009-10-28 02:11 -------- d-----w- c:\documents and settings\MIchelle\Application Data\CameraWindowDC
    2009-10-28 02:11 . 2009-10-28 02:11 -------- d-----w- c:\documents and settings\MIchelle\Application Data\CANON INC
    2009-10-28 01:56 . 2009-10-28 01:53 -------- d-----w- c:\program files\Canon
    2009-10-28 01:54 . 2009-10-28 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
    2009-10-28 01:53 . 2009-10-28 01:53 -------- d-----w- c:\program files\Common Files\Canon
    2009-10-26 01:00 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\MIchelle\Application Data\Move Networks\plugins\npqmp071505000010.dll
    2009-10-14 08:01 . 2008-06-05 02:16 -------- d-----w- c:\program files\Microsoft Works
    2009-10-12 12:39 . 2009-10-12 12:35 91648 ----a-w- c:\documents and settings\Luke\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-12-03_22.15.34 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-12-09 18:44 . 2009-12-09 18:44 16384 c:\windows\Temp\Perflib_Perfdata_77c.dat
    + 2009-12-05 20:54 . 2009-12-05 20:54 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    + 2009-12-05 20:54 . 2009-12-05 20:54 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2009-12-05 20:54 . 2009-12-05 20:54 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
    + 2009-07-12 06:02 . 2009-07-12 06:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
    + 2009-12-04 09:00 . 2009-12-04 09:00 195584 c:\windows\Installer\2320d55.msi
    - 2009-07-13 18:07 . 2009-07-13 18:07 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
    + 2009-12-06 19:41 . 2009-12-06 19:41 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
    + 2009-12-09 18:19 . 2009-12-09 18:19 172032 c:\windows\ERDNT\AutoBackup\12-9-2009\Users\00000002\UsrClass.dat
    + 2009-12-09 18:19 . 2005-10-20 18:02 163328 c:\windows\ERDNT\AutoBackup\12-9-2009\ERDNT.EXE
    + 2009-12-06 19:28 . 2009-12-06 19:28 172032 c:\windows\ERDNT\AutoBackup\12-6-2009\Users\00000002\UsrClass.dat
    + 2009-12-06 19:28 . 2005-10-20 18:02 163328 c:\windows\ERDNT\AutoBackup\12-6-2009\ERDNT.EXE
    + 2009-12-05 19:48 . 2009-12-05 19:48 172032 c:\windows\ERDNT\AutoBackup\12-5-2009\Users\00000002\UsrClass.dat
    + 2009-12-05 19:48 . 2005-10-20 18:02 163328 c:\windows\ERDNT\AutoBackup\12-5-2009\ERDNT.EXE
    + 2009-12-05 19:39 . 2009-12-05 19:39 172032 c:\windows\ERDNT\12-5-2009\Users\00000002\UsrClass.dat
    + 2009-12-05 19:39 . 2005-10-20 18:02 163328 c:\windows\ERDNT\12-5-2009\ERDNT.EXE
    + 2009-12-05 20:54 . 2009-12-05 20:54 1583616 c:\windows\Installer\225c1.msi
    + 2009-12-09 18:19 . 2009-12-09 18:19 6995968 c:\windows\ERDNT\AutoBackup\12-9-2009\Users\00000001\NTUSER.DAT
    + 2009-12-06 19:28 . 2009-12-06 19:28 6979584 c:\windows\ERDNT\AutoBackup\12-6-2009\Users\00000001\NTUSER.DAT
    + 2009-12-05 19:48 . 2009-12-05 19:48 6979584 c:\windows\ERDNT\AutoBackup\12-5-2009\Users\00000001\NTUSER.DAT
    + 2009-12-05 19:39 . 2009-12-05 19:39 6979584 c:\windows\ERDNT\12-5-2009\Users\00000001\NTUSER.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-07-17 22:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-16 39408]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe " [X]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-17 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-17 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-17 138008]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-11 185872]
    "LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
    "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-01 2020120]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-13 148888]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-26 16132608]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

    c:\documents and settings\MIchelle\Start Menu\Programs\Startup\
    Greetings Workshop Reminders.lnk - c:\program files\Greetings Workshop\GWREMIND.EXE [1996-6-24 40448]
    OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

    c:\documents and settings\Luke\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-7-22 151552]
    Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-12-01 22:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\LucasArts\\Star Wars JK II Jedi Outcast\\GameData\\jk2mp.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/1/2009 4:18 PM 333192]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/1/2009 4:18 PM 360584]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [12/1/2009 4:17 PM 906520]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/1/2009 4:17 PM 285392]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
    S2 gupdate1c9beb396e4039e;Google Update Service (gupdate1c9beb396e4039e);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2009 10:51 AM 133104]
    S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [4/18/2008 3:30 AM 204800]
    S3 papycpu;papycpu; [x]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

    2009-12-09 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-16 16:49]

    2009-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 16:51]

    2009-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 16:51]

    2009-12-09 c:\windows\Tasks\User_Feed_Synchronization-{154A219F-33B3-431F-857B-39403A20E1A9}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://msn.com/
    uInternet Settings,ProxyOverride = *.local
    IE: &Search - ?p=GRxdm016YYUS
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2009-12-09 12:46
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(688)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(2756)
    c:\windows\system32\WININET.dll
    c:\program files\Google\Quick Search Box\bin\1.2.1150.162\qsb.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\OpenOffice.org 2.4\program\soffice.exe
    c:\program files\OpenOffice.org 2.4\program\soffice.BIN
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\windows\system32\HPZipm12.exe
    .
    **************************************************************************
    .
    Completion time: 2009-12-09 12:53 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-12-09 18:53
    ComboFix2.txt 2009-12-04 16:38
    ComboFix3.txt 2009-12-04 15:48
    ComboFix4.txt 2009-12-04 14:32
    ComboFix5.txt 2009-12-09 18:32

    Pre-Run: 84,492,369,920 bytes free
    Post-Run: 84,427,198,464 bytes free

    - - End Of File - - 8BA5981AFC863BD3CC4213B9C90DA7D6
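A small triage script for ComboFix-style logs like the one above, written for this thread as an added example (not ComboFix's own code and not posted by either participant). It pulls out the items starbuck reads by hand: the AV/FW products still registered with Security Center, the system files ComboFix reports as disinfected on each run, and Run entries or services whose binary is gone ([X]). The embedded log is a constructed excerpt of the lines posted above; the regexes are assumptions about ComboFix's line layout drawn only from that log.

```python
"""Triage a ComboFix log: registered security products, disinfected files, dead autoruns."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the log posted above (same line shapes, trimmed).
SAMPLE_LOG = r"""
ComboFix 09-12-03.02 - Luke 12/09/2009 12:33.5.1 - x86
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Enterprise Suite *On-access scanning enabled* (Updated) {F1C7A8F3-B848-4EAD-A596-88B0E3671695}
FW: Enterprise Suite *enabled* {69C0295C-229F-4EAE-9CEF-239ACC472894}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\hid.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\hid.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe " [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-17 142104]
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/1/2009 4:18 PM 333192]
S3 papycpu;papycpu; [x]
"""

# Line patterns (assumed from the log format shown in the thread).
SECURITY_RE = re.compile(r'^(AV|FW): (.+?) \*(.+?)\* (?:\(Updated\) )?\{([0-9A-Fa-f-]+)\}$')
DISINFECT_RE = re.compile(r'^Infected copy of (.+?) was found and disinfected$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(.+?)\]$')
SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.*?) \[(.+?)\]$')


@dataclass
class Triage:
    security_products: list = field(default_factory=list)  # (kind, product, state, guid)
    disinfected: list = field(default_factory=list)        # paths ComboFix repaired
    missing_autoruns: list = field(default_factory=list)   # (name, path) flagged [X]
    missing_services: list = field(default_factory=list)   # service names flagged [x]


def triage(log_text: str) -> Triage:
    """Walk the log once and collect the items a helper would read by hand."""
    t = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SECURITY_RE.match(line):
            kind, product, state, guid = m.groups()
            t.security_products.append((kind, product, state, guid.upper()))
        elif m := DISINFECT_RE.match(line):
            t.disinfected.append(m.group(1))
        elif m := RUN_RE.match(line):
            name, path, info = m.groups()
            if info.lower() == "x":  # ComboFix marks a missing binary with [X]
                t.missing_autoruns.append((name, path.strip()))
        elif m := SERVICE_RE.match(line):
            _start, name, _display, _path, info = m.groups()
            if info.lower() == "x":
                t.missing_services.append(name)
    return t


def findings(t: Triage) -> list:
    """Turn the collected items into the points worth raising in a reply."""
    out = []
    for path in t.disinfected:
        out.append(f"patched system file repaired: {path} "
                   "(repaired on every run means the patcher is still active)")
    # A product registered more than once (as AV and FW) under one name is
    # worth a second look once its files have been removed: the Security
    # Center registration may be stale.
    names = {}
    for kind, product, _state, _guid in t.security_products:
        names.setdefault(product, set()).add(kind)
    for product, kinds in sorted(names.items()):
        if kinds == {"AV", "FW"}:
            out.append(f"'{product}' registered as both AV and FW; verify it is installed")
    for name, path in t.missing_autoruns:
        out.append(f"Run entry '{name}' points at a missing file: {path}")
    for name in t.missing_services:
        out.append(f"service '{name}' has no image path (dead entry)")
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG)):
        print(line)
```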
     
  10. starbuck

    Hi pack

    Well something odd is going on here:
    Strange it completed the fix but couldn't clear the temp files!

    CF finds and disinfects these every time.
    Enterprise Suite has been well and truly nuked.... but still shows.

    We have to take a deeper look at what's going on:

    Please download GMER from one of the following locations and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zipped Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
    • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.
    -- If you encounter any problems, try running GMER in Safe Mode.

    Let me have the Gmer report, it'll help with my insomnia
    Only kidding.
     
  11. pack1977

    pack1977 Junior Member

    GMER Log

    GMER 1.0.15.15279 - GMER - Rootkit Detector and Remover
    Rootkit scan 2009-12-12 11:47:14
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\Luke\LOCALS~1\Temp\pwkdrfob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA90F60B0]

    ---- Kernel code sections - GMER 1.0.15 ----

    ? Combo-Fix.sys The system cannot find the file specified. !
    ? C:\ComboFix\catchme.sys The system cannot find the path specified. !
    ? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sdcplh.sys
    Device \Driver\atapi \Device\Ide\IdePort0 sdcplh.sys
    Device \Driver\atapi \Device\Ide\IdePort1 sdcplh.sys
    Device \Driver\atapi \Device\Ide\IdePort2 sdcplh.sys
    Device \Driver\atapi \Device\Ide\IdePort3 sdcplh.sys
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sdcplh.sys

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
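As an added example (not code from the thread, and not part of GMER), the following Python script parses a GMER log in the format posted above into its sections and lists Devices entries whose module carries no "(description/vendor)" tag; it treats a missing tag as a prompt for a closer look, on the assumption that GMER derives that tag from the driver file's version information. The embedded log is a constructed, shortened copy of the one posted.

```python
import re

# Constructed, shortened copy of the GMER log quoted in the thread above.
GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\atapi \Device\Ide\IdePort0 sdcplh.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sdcplh.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
"""

# "---- <section> - GMER <version> ----" headers delimit the report.
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# Devices lines: kind, driver object, device object, module, optional "(description/vendor)".
DEVICE_RE = re.compile(r"^(AttachedDevice|Device)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\((.*)\))?$")

def parse_sections(text):
    """Split a GMER log into {section name: [non-empty lines]}; the EOF marker ends parsing."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            if header.group(1) == "EOF":
                break
            current = header.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def unattributed_device_drivers(text):
    """Map each Devices-section module lacking a "(description/vendor)" tag to the device
    objects it is attached to. Heuristic only (assumption): GMER fills that tag from the
    file's version information, so a missing tag means the file could not be described."""
    hits = {}
    for line in parse_sections(text).get("Devices", []):
        entry = DEVICE_RE.match(line)
        if entry and entry.group(5) is None:
            hits.setdefault(entry.group(4), []).append(entry.group(3))
    return hits
```

Run against a full log, the output is a short list of modules to check by path, signature and hash before deciding anything.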
     
  12. starbuck

    starbuck Rest In Peace Pete Administrator

    You love making life difficult don't you?
    Nothing adds up here.

    Let's try the same online scan ( different thread ;) )

    Please run the F-Secure Online Scanner

    Instructions for use with Internet Explorer

    Follow the Instruction here for installation.
    Accept the License Agreement.
    Once the ActiveX installs, Click Full System Scan
    Once the download completes, the scan will begin automatically.
    The scan will take some time to finish, so please be patient.
    When the scan completes, click the Automatic cleaning (recommended) button.

    Click the Show Report button and Copy & Paste the entire report in your next reply.

    Instructions for use with Firefox

    If you see the box:
    Click on the license terms to read them, if you agree.....
    put a tick in the box and then click on 'Install'.
    Once the Add on installs, Click Full System Scan
    Once the download completes, the scan will begin automatically.
    The scan will take some time to finish, so please be patient.
    When the scan completes, click the Automatic cleaning (recommended) button.

    Click the Show Report button and Copy & Paste the entire report in your next reply.
     
  13. starbuck

    starbuck Rest In Peace Pete Administrator

    sUBs has pulled ComboFix for the time being, there is an issue that could cause the system to become unbootable if the program is run.
    Please remove your present copy until the issue has been resolved.

    Thanks.
     
  14. pack1977

    pack1977 Junior Member

    Here is the Fsecure log, and I will lose the combofix.
     
  15. starbuck

    starbuck Rest In Peace Pete Administrator

    Hi pack

    There's a few odd temp files there, let's get them nuked.

    I see you have TFC installed.
    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

    then let me know if you are having any problems at all.

    Thanks.
     
  16. pack1977

    pack1977 Junior Member

    It is running fine. I'm going to close this post as I think we have done as much as we can. Thank you for your help.
     
  17. starbuck

    starbuck Rest In Peace Pete Administrator

    Hi pack,

    I'm in agreement with you on that. Although some things may still be showing .... the files are empty, so they can't become a problem.

    Now the boring clean up part....
    • Please double-click OTL.exe to run it.
    • You should see a CleanUp! button, press that button.
    • This will remove any programs we have asked you to download along with their associated folders... plus itself.

    To find out how you may have been infected....read this topic:
    So how did I get infected?

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    • Use an AntiVirus Software
      Note*:
      Upon installation MS Security Essentials will check that your OS is a legal copy.

      Only install one AntiVirus program
    • Update your AntiVirus Software regularly
    • Use a 3rd party Firewall NOTE: If choosing Zone Alarm be aware that the free version also installs ZoneAlarm Spy Blocker. It is recommended however that you UNcheck this option.

      Only install one software Firewall
    • Scan regularly with a 'Stand Alone' Anti-Malware scanner:
      Installing another scanner that you can run once or twice a week is always beneficial.
      Something like:
      Malwarebytes Anti-Malware
      SUPERAntiSpyware
      Remember to update these programs each time before running.
      You can install more than one of these if you only run them as stand alone programs.
    • Use an alternative browser:
      Some excellent alternatives to MS Internet Explorer are:

      Firefox
      For added security, add the NoScript extension to this browser:
      Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks
      also consider adding:
      WOT - Safe Browsing Tool

      Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web.
      Btw: you don't have to make a contribution.

      Opera

      They offer better security, more stability, and better speed.
    • Keep a backup of your registry
      Keeping a regular backup of your registry will help when something goes wrong.
      Use a program like:
      Erunt

      A full tutorial on how to set up and use Erunt can be found here:
      Erunt tutorial
    • Keep your system clean of temp files etc, using a 'Cleaner':

      Cleaners are programs that will help to clean out your:
      Windows temp files
      Current user temp files
      Cookies
      Temporary Internet files
      Browser history
      Recycle bin
      Etc.......
      In other words.... all the rubbish that you accumulate over the course of your browsing and day to day usage of your pc.
      Programs like:
      CCleaner
      TFC by OldTimer
      ATF Cleaner
    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:
      Using and installing SpywareBlaster
    • Update all your 'Security' programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Glad I was able to help.

    Safe surfing.
     
    Last edited by a moderator: Feb 2, 2014
