Feb 17
Hi, and thank you to anyone who is willing to help.
I am currently running Windows XP Pro Edition Service Pack 3, and it was up to date as of about the 15th of December.
So, I would say about a couple of weeks ago I got hit with the Vundo virus and, I think, some other viruses/Trojans. I also noticed that I had tinyproxy.exe installed.
I had been trying to remove the viruses/Trojans myself, which I hope wasn't a mistake.
I was using AVG 8 Free Edition with no firewall except the Windows one. (I now know that this was a really bad mistake.)
So when I first got infected with the virus, AVG told me about it and said that my PC was infected. I tried to clean it up with a combination of anti-virus tools.
I tried CCleaner, Windows Defender, HijackThis, CleanSweep, and I may have used one other, but I cannot remember it at this time. So, long story short, nothing was working. I eventually got some help from a friend using a remote assistance program called webex.com, and we tried to clean up as much of it as we could by going through the registry. Nothing was working, so after countless hours I told him to stop trying and gave it another try on my own.
So I downloaded VundoFix, and that told me that it did not detect any sign of Vundo. I then also tried VundoBeGone; it helped a bit, and most of the Trojan was gone, but I was still getting files rewritten when I rebooted, like tinyproxy.exe.
I had installed Malwarebytes and ran it multiple times and still could not completely remove the infections. I also tried downloading a firewall/anti-virus program called PC Tools Internet Security 2009. I think this program helped stop more of the virus when I was connected to the internet, since it kept blocking an ie.tmp program from accessing the internet.
I also had run a Symantec Security Check to at least see what files were still left on my PC, but the scan could never be completed and would always crash. The last thing that was happening when I was running the Malwarebytes program was that it was telling me that some startup program was infected and that it wanted to delete it after reboot.
Also, one thing that I may have jumped ahead on was that I had cleared my System Restore points by unchecking and rechecking the box labeled "Turn off System Restore".
I have gotten these errors when trying to boot up:
Windows - Registry Recovery
One of the files containing the system's registry data had to be recovered by the use of a log or alternate copy. The recovery was successful.
pctsTray.exe - Application Error
The application failed to initialize properly (0xc0000142). Click on OK to terminate the application.
So the main problem I am having now is that I can't seem to get Windows to boot up in either Safe Mode or regular mode. What happens in either boot cycle is that it gets to the Windows screen, loads all the way up to the part where I click to log on as Administrator, and then goes black for a second and says "logging off" and "saving settings".
When I log in in Safe Mode, I can get to the screen where it shows "Safe Mode" in the corners and says what service pack and build I am using, but then it hangs for a bit and goes back to the login screen.
So I am using a secondary PC to write all my posts, and I am willing to reformat my PC if necessary, but I would like to see if I can recover some files on the PC. So if we cannot get Windows to work properly, then I was wondering if I could connect my hard drive to this PC and recover the files, but I am concerned about getting this PC infected, due to the fact that it is not mine. So I do not know what files are safe and if there is a way to prescan them, but let's see what we can do with getting Windows to start first.
At the Advanced Start Menu, select Last Known Good Configuration and see if it boots fully. You can also try Enable VGA Mode if that fails.
Are you able to install a couple of utilities on the working computer that would allow you to burn a special diagnostics cd?
Thank you for answering so fast.
I have tried both VGA Mode and Last Known Good Configuration, and still no luck getting past the login screen.
Yes, I can install whatever I need to on the working PC to set up a diagnostics CD.
I will be awaiting your reply on what tools I will need.
Download and install the ISO Recorder version for your operating system.
Download and install the Microsoft Diagnostics and Recovery Toolset, choosing the Typical installation during setup.
Insert a blank cd into your cd/dvd burner. Browse to C:\Program Files\Microsoft Diagnostics and Recovery Toolset and right click erd50.iso, then select Copy image to CD. Follow the instructions in the following link to finish creating the bootable cd.
http://isorecorder.alexfeinman.com/HowTo.htm
Once finished, restart the PC with the cd in the drive and boot to the cd to verify it works properly. If successful, restart the computer but remove the cd upon startup and boot back into normal mode, then post back here to let me know it was successful. I’ll post instructions on how to proceed from there.
I just fixed a Gateway for a friend. He had XP with SP2, and it would get to the screen with the icons and the taskbar, then lock up completely. I ran the installation disk (Gateway disk) for Windows, and it gave two choices: a clean install or a clean install with backup. I did the latter and backed up the Documents and Settings to the C drive. After the install I ran McAfee and Spybot on the system and again on the backup. He had over 30 infections. Spybot is free, and I think it does a good job.
If you do this, don't forget to run Windows Update to get security patches and your service packs.
I haven't used a Windows disk to reinstall a system in a long time, but it's got to be close to the Gateway disk.
Good Luck
Welcome to linabbs, michigankid.
I’d like to get my hands on one of those Gateway disks, because after quite a number of re-installs with a retail Operating System disc and several OEM discs, I have never seen an option to backup.
Hello,
I know, Windows usually gives the two options, one being repair, but I haven't done a clean install since Windows 98.
If you want to follow it further, it was Model: GT 4016, SER: GCM64 110 51252.
Gateway made some changes in June, 2005 on how they provided their system and recovery disks. I don’t know how much it would cost, but it should be available.
OK, so the CD is made and it works.
Whenever you are ready, noahdfear, and thank you.
Boot with the cd and when prompted, connect to the operating system (should show C:\windows).
Once logged on, Click Start>System Tools>System Restore
The System Restore interface should open where you can select to restore the system to an earlier time.
There should be at least one available restore point (one made when you turned System Restore back on).
Select it and restart when prompted, removing the cd upon reboot.
If startup is successful, post back here (before doing anything else) and we’ll see about cleaning it up.
If unsuccessful, post back here as well and we’ll try some other options.
Make note of and post any errors encountered!
Yay!
So the restore worked; I used the farthest one back. I will be leaving the infected PC running so that there is hopefully no chance of it not booting up again, and I am leaving it offline from the internet until further advised. I would like to mention that when we do get it hooked up to the internet, I would like to download a firewall of your choice right away, since I do remember that tinyproxy and other programs were sending out connections, and I know that Windows Firewall is only good for stopping incoming connections.
Great news!
We need to see what the system has running on it, so you’ll need to connect temporarily if you have no means of transferring files.
Please download DDS and save it to your desktop. Disable any script blocking protection.
Double click dds.scr to run the tool.
When done, DDS will open two (2) logs: DDS.txt and Attach.txt
Save both reports to your desktop.
Please include the contents of both logs in your next reply. The scan will instruct you to post the attach log as an attachment. No need for that though; just post it as you would any other log.
Here is the DDS.txt:
DDS (Ver_09-01-07.01) - NTFSx86
Run by ryan at 1:55:41.20 on Sun 01/11/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.292 [GMT -5:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\ryan\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = about:blank
mStart Page = about:blank
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {7EFBC57C-CD57-481F-B794-648FCE9C9116} - No File
uRun: [PowerBar]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\khfDsqrp
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\ryan\applic~1\mozilla\firefox\profiles\nl5xa3gh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://handsomeboys.org/
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
============= SERVICES / DRIVERS ===============
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S0 bnrgaeki;bnrgaeki;c:\windows\system32\drivers\gmlewlbr.sys –> c:\windows\system32\drivers\gmlewlbr.sys [?]
S0 ezmevcc;ezmevcc;c:\windows\system32\drivers\ltqca.sys –> c:\windows\system32\drivers\ltqca.sys [?]
S0 flkuzsm;flkuzsm;c:\windows\system32\drivers\ndnjk.sys –> c:\windows\system32\drivers\ndnjk.sys [?]
S0 gvrwpn;gvrwpn;c:\windows\system32\drivers\yvhr.sys –> c:\windows\system32\drivers\yvhr.sys [?]
S0 hgidlvrp;hgidlvrp;c:\windows\system32\drivers\erst.sys –> c:\windows\system32\drivers\erst.sys [?]
S0 ingzlb;ingzlb;c:\windows\system32\drivers\sdkrfib.sys –> c:\windows\system32\drivers\sdkrfib.sys [?]
S0 mbrme;mbrme;c:\windows\system32\drivers\jlljugeg.sys –> c:\windows\system32\drivers\jlljugeg.sys [?]
S0 mqafxk;mqafxk;c:\windows\system32\drivers\tccdzls.sys –> c:\windows\system32\drivers\tccdzls.sys [?]
S0 qjlg;qjlg;c:\windows\system32\drivers\bouurj.sys –> c:\windows\system32\drivers\bouurj.sys [?]
S0 ttzn;ttzn;c:\windows\system32\drivers\awerclwe.sys –> c:\windows\system32\drivers\awerclwe.sys [?]
S1 SAVRTPEL;SAVRTPEL;\??\c:\program files\norton antivirus\savrtpel.sys –> c:\program files\norton antivirus\SAVRTPEL.SYS [?]
S3 CCCP106;D-Link CIF Webcam;c:\windows\system32\drivers\cccp106.sys [2004-10-17 227200]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20060201.021\naveng.sys –> c:\progra~1\common~1\symant~1\virusd~1\20060201.021\NAVENG.Sys [?]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20060201.021\navex15.sys –> c:\progra~1\common~1\symant~1\virusd~1\20060201.021\NavEx15.Sys [?]
S3 SAVRT;SAVRT;\??\c:\program files\norton antivirus\savrt.sys –> c:\program files\norton antivirus\SAVRT.SYS [?]
S4 994D46E4DC061202;994D46E4DC061202;\??\c:\windows\system32\994d46e4dc061202\994d46e4dc061202 –> c:\windows\system32\994d46e4dc061202\994D46E4DC061202 [?]
S4 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" –> c:\program files\lavasoft\ad-aware\aawservice.exe [?]
S4 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccevtmgr.exe" –> c:\program files\common files\symantec shared\ccEvtMgr.exe [?]
S4 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccpwdsvc.exe" –> c:\program files\common files\symantec shared\ccPwdSvc.exe [?]
S4 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccsetmgr.exe" –> c:\program files\common files\symantec shared\ccSetMgr.exe [?]
S4 Logical Disk Manager (dmserver) ;Logical Disk Manager (dmserver) ;c:\program files\tinyproxy\tinyproxy.exe –> c:\program files\tinyproxy\tinyproxy.exe [?]
S4 navapsvc;Norton AntiVirus Auto-Protect Service;"c:\program files\norton antivirus\navapsvc.exe" –> c:\program files\norton antivirus\navapsvc.exe [?]
S4 SAVScan;SAVScan;"c:\program files\norton antivirus\savscan.exe" –> c:\program files\norton antivirus\SAVScan.exe [?]
S4 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\sbserv.exe –> c:\progra~1\common~1\symant~1\script~1\SBServ.exe [?]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe –> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]
=============== Created Last 30 ================
2009-01-11 01:31 <DIR> –d—– C:\resycled
2009-01-11 01:21 <DIR> –d—– C:\~ErdUserProfile.$$$
2008-12-28 01:04 <DIR> –d—– c:\program files\tintinyproxyy
2008-12-27 14:33 <DIR> –d—– c:\program files\Norton Security Scan
2008-12-27 13:46 <DIR> –d—– C:\malware
2008-12-25 00:53 <DIR> –d—– c:\docume~1\ryan\applic~1\PCToolsFirewallPlus
2008-12-25 00:53 <DIR> –d—– c:\docume~1\ryan\applic~1\PCToolsSpamMonitorPlus
2008-12-24 02:35 <DIR> –d—– c:\program files\Browser Defender
2008-12-24 02:35 <DIR> –d—– c:\program files\common files\PC Tools
2008-12-24 02:35 <DIR> –d—– c:\program files\PC Tools Internet Security
2008-12-24 02:35 <DIR> –d—– c:\docume~1\ryan\applic~1\PC Tools
2008-12-24 02:35 <DIR> –d—– c:\docume~1\alluse~1\applic~1\PC Tools
2008-12-24 02:05 61,440 a——- c:\windows\system32\drivers\ldznxx.sys
2008-12-21 21:43 <DIR> –d—– c:\docume~1\ryan\applic~1\Malwarebytes
2008-12-21 20:34 <DIR> –d—– C:\VundoFix Backups
2008-12-21 19:56 <DIR> –d—– c:\docume~1\alluse~1\applic~1\NortonInstaller
2008-12-21 19:53 <DIR> –d—– C:\New Folder
2008-12-21 12:48 <DIR> –d—– c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-20 17:29 <DIR> –d—– c:\program files\Malwarebytes’ Anti-Malware
2008-12-19 00:47 <DIR> –d—– C:\!KillBox
2008-12-16 01:31 <DIR> –d-h— c:\windows\system32\GroupPolicy
2008-12-16 00:11 <DIR> –d—– C:\test
2008-12-15 23:39 1,648,353 a–sh— c:\windows\system32\ctcxraop.ini
2008-12-15 23:38 268 a—h— C:\sqmdata00.sqm
2008-12-15 23:38 244 a—h— C:\sqmnoopt00.sqm
2008-12-15 23:28 70,144 a——- c:\windows\system32\tuvWopnn.dll
2008-12-15 00:08 26,112 a——- c:\windows\system32\stu2.exe
2008-12-14 20:45 <DIR> –d—– C:\hijackthis
2008-12-14 20:13 1,649,533 a–sh— c:\windows\system32\kehartqs.ini
2008-12-14 20:11 662,351 a–sh— c:\windows\system32\fgPooUtv.ini2
2008-12-14 20:11 662,351 a–sh— c:\windows\system32\fgPooUtv.ini
2008-12-14 17:04 441 a——- c:\windows\system32\TDSSmtvd.dat
==================== Find3M ====================
2008-12-15 00:08 8,704 a——- c:\windows\system32\userinit.exe
2008-10-23 07:36 286,720 a——- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a——- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a——- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a——- c:\windows\system32\muweb.dll
2005-12-20 19:27 2,235,149 a——- c:\docume~1\ryan\applic~1\Install.dat
2004-03-11 12:27 40,960 a——- c:\program files\Uninstall_CDS.exe
============= FINISH: 1:55:59.91 ===============
Here is the Attach.txt:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-01-07.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/17/2004 11:51:29 PM
System Uptime: 1/11/2009 1:32:19 AM (0 hours ago)
Motherboard: ECS | | L7S7A2
Processor: AMD Athlon(tm) XP 1900 | Slot-1 | 1466/133mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 128 GiB total, 16.947 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is CDROM ()
I: is CDROM ()
J: is Removable
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP1058: 12/22/2008 5:54:46 PM - System Checkpoint
RP1059: 12/23/2008 5:58:21 PM - System Checkpoint
RP1060: 12/24/2008 2:35:03 AM - Removed Ad-Aware
RP1061: 12/27/2008 11:12:21 AM - Software Distribution Service 3.0
RP1062: 12/27/2008 11:16:41 AM - Windows Defender Checkpoint
RP1063: 12/27/2008 12:29:15 PM - Software Distribution Service 3.0
==== Installed Programs ======================
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
Apple Software Update
ArcSoft PhotoImpression
ArcSoft VideoImpression 1.6
Azureus
BitComet 1.06
BitTorrent 3.4.2
Bonjour
C-Media WDM Audio Driver
CCleaner (remove only)
D-Link CIF Webcam
Direct Show Ogg Vorbis Filter (remove only)
DVD Solution
EncFlac 1.1.2
EncVorbis 1.1
FinePixViewer Ver.4.3
FUJIFILM USB Driver
GetDiz 3.0
Half-Life
HijackThis 1.99.1
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
InCD
InFlac 1.1.1
InterActual Player
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment Standard Edition v1.3.1_04
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Macromedia Shockwave Player
Malwarebytes’ Anti-Malware
Matroska Pack (remove only)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C 2005 Redistributable
mIRC
Mozilla Firefox (3.0.4)
Multimedia Launcher
Nero OEM
Net MD Simple Burner
NVIDIA Drivers
Panda ActiveScan
PowerDVD
PowerProducer
QuickTime
RealPlayer
Scorched3D 40.1d
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sierra Utilities
Skype™ 3.8
Steam
TeamSpeak 2 RC2
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Ventrilo Client
VideoLAN VLC media player 0.8.4a
VobSub v2.23 (Remove Only)
WebEx
WebFldrs XP
Winamp (remove only)
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRamTurbo Free 2.6
WinRAR archiver
Yahoo! Address AutoComplete
Yahoo! Internet Mail
Yahoo! Messenger
==== Event Viewer Messages From Past Week ========
1/8/2009 5:49:14 PM, error: Service Control Manager [7026] - The following boot-start or
system-start driver(s) failed to load: SAVRTPEL
1/8/2009 5:49:07 PM, error: Service Control Manager [7028] - The 994D46E4DC061202
Registry key denied access to SYSTEM account programs so the Service Control Manager took
ownership of the Registry key.
1/8/2009 5:49:07 PM, error: Service Control Manager [7028] - The Cfg Registry key denied
access to SYSTEM account programs so the Service Control Manager took ownership of the
Registry key.
1/8/2009 5:45:44 PM, error: DCOM [10005] - DCOM got error "84" attempting to start the
service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
1/8/2009 5:41:29 PM, error: Service Control Manager [7000] - The PC Tools Security Service
service failed to start due to the following error: The service did not respond to the start or control
request in a timely fashion.
1/8/2009 5:41:29 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds)
waiting for the PC Tools Security Service service to connect.
1/8/2009 5:39:30 PM, error: Service Control Manager [7026] - The following boot-start or
system-start driver(s) failed to load: AmdK7 eeCtrl Fips SAVRTPEL
1/8/2009 5:29:14 PM, error: Service Control Manager [7034] - The PC Tools Security Service
service terminated unexpectedly. It has done this 1 time(s).
1/8/2009 5:29:14 PM, error: Service Control Manager [7022] - The PC Tools Security Service
service hung on starting.
1/8/2009 5:23:06 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and
unusable. Please run the chkdsk utility on the volume C:.
1/8/2009 5:13:36 PM, error: Service Control Manager [7022] - The Windows Image Acquisition
(WIA) service hung on starting.
1/11/2009 1:32:46 AM, error: WinDefend [2004] - Windows Defender has encountered an error
trying to load signatures and will attempt reverting back to a known-good set of signatures.
Signatures Attempted: Current Error Code: 0x8050a001 Error description: The
program can’t find definition files that help detect unwanted software. Check for updates to the
definition files, and then try again. For information on installing updates, see Help and Support.
Signatures loading: Backup Loading signature version: 1.0.0.0 Loading engine version:
1.1.4205.0
1/11/2009 1:35:05 AM, error: DCOM [10005] - DCOM got error "58" attempting to start the
service wuauserv with arguments "" in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
==== End Of File ===========================
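As an added example (my own code, not part of this thread, DDS or ComboFix), the script below encodes the checks a helper makes when reading the SERVICES / DRIVERS and LSA lines of a DDS log like the one above: boot-start drivers with generated names whose file DDS could not read ("[?]"), a service that borrows a Windows service name but runs from Program Files, a bare-hex service name, and an extra LSA authentication package. The sample lines are copied from the DDS.txt posted above; the list of Windows service short names and the flagging rules are my assumptions, meant as "look closer" hints rather than proof of infection.

```python
"""Triage the SERVICES / DRIVERS and LSA lines of a DDS log (added example for this thread)."""
import os
import re

# Sample lines constructed from the DDS.txt posted in this thread (arrows normalised to "-->").
SAMPLE_DDS = r"""
LSA: Authentication Packages = msv1_0 c:\windows\system32\khfDsqrp
================= SERVICES / DRIVERS ===============
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S0 bnrgaeki;bnrgaeki;c:\windows\system32\drivers\gmlewlbr.sys --> c:\windows\system32\drivers\gmlewlbr.sys [?]
S1 SAVRTPEL;SAVRTPEL;\??\c:\program files\norton antivirus\savrtpel.sys --> c:\program files\norton antivirus\SAVRTPEL.SYS [?]
S3 CCCP106;D-Link CIF Webcam;c:\windows\system32\drivers\cccp106.sys [2004-10-17 227200]
S4 994D46E4DC061202;994D46E4DC061202;\??\c:\windows\system32\994d46e4dc061202\994d46e4dc061202 --> c:\windows\system32\994d46e4dc061202\994D46E4DC061202 [?]
S4 Logical Disk Manager (dmserver) ;Logical Disk Manager (dmserver) ;c:\program files\tinyproxy\tinyproxy.exe --> c:\program files\tinyproxy\tinyproxy.exe [?]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]
"""

# Forum copy/paste often turns DDS's "-->" into an en-dash or em-dash arrow; accept both.
def normalise(line):
    return line.replace('\u2013>', '-->').replace('\u2014>', '-->').strip()

SERVICE_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>[0-4]) '      # R = running / S = stopped, start type 0..4
    r'(?P<name>[^;]+);(?P<display>[^;]*);'     # service name;display name;
    r'(?P<image>.*?)'                          # image path as stored in the registry
    r'(?: --> (?P<resolved>.*?))?'             # optional path DDS resolved it to
    r' \[(?P<info>[^\]]*)\]$'                  # "[date size]" or "[?]" when DDS could not read the file
)

# Short names of Windows services whose display names malware borrows (constructed, partial list).
WINDOWS_SERVICE_SHORT_NAMES = {'dmserver', 'plugplay', 'eventsystem', 'wuauserv', 'spooler'}

def clean_path(p):
    """Strip quotes and the \\??\\ NT prefix, lower-case for comparison."""
    p = p.strip().strip('"')
    if p.startswith('\\??\\'):
        p = p[4:]
    return p.lower()

def triage_service(line):
    """Return the reasons a SERVICES / DRIVERS line deserves a look ([] if nothing noted)."""
    m = SERVICE_RE.match(normalise(line))
    if not m:
        return []
    name = m['name'].strip()
    image = clean_path(m['resolved'] or m['image'])
    stem = os.path.splitext(os.path.basename(image.replace('\\', '/')))[0]
    reasons = []
    uninspectable = m['info'].strip() == '?'          # DDS could not read the file
    boot_start = m['start'] in '01'                   # loads before user logon
    unrelated_file = not (stem == name.lower() or stem in name.lower() or name.lower() in stem)
    if uninspectable and boot_start and unrelated_file:
        reasons.append('boot-start driver, file not inspectable, file name unrelated to service name')
    if re.fullmatch(r'[0-9a-f]{12,}', name.lower()):
        reasons.append('service name is a bare hex string')
    short = re.search(r'\((\w+)\)', name)
    if short and short.group(1).lower() in WINDOWS_SERVICE_SHORT_NAMES \
            and not image.startswith('c:\\windows\\'):
        reasons.append('uses a Windows service name but runs ' + image)
    return reasons

def triage_lsa(line):
    """Flag LSA Authentication Packages beyond the stock msv1_0."""
    line = normalise(line)
    if not line.startswith('LSA: Authentication Packages'):
        return []
    packages = line.split('=', 1)[1].split()
    return ['extra LSA authentication package: ' + p for p in packages if p.lower() != 'msv1_0']

def triage_dds(text):
    """Run both checks over a DDS log; returns {label: [reasons]} for the lines worth a look."""
    findings = {}
    for raw in text.splitlines():
        line = normalise(raw)
        reasons = triage_service(line) + triage_lsa(line)
        if reasons:
            label = 'LSA' if line.startswith('LSA:') else line.split(';')[0].split(' ', 1)[1].strip()
            findings[label] = reasons
    return findings

if __name__ == '__main__':
    for label, reasons in triage_dds(SAMPLE_DDS).items():
        print(label)
        for r in reasons:
            print('   -', r)
```

On the sample above it reports bnrgaeki, 994D46E4DC061202, the tinyproxy "dmserver" service and the khfDsqrp LSA package, and stays quiet about the Norton remnants (SAVRTPEL, Symantec Core LC) whose file names match their service names.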
Download ComboFix by sUBs from here, saving the file to your desktop.
Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.
Close all open programs and windows
Double click ComboFix.exe and follow the prompts.
It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.
I ran ComboFix and here is the log:
ComboFix 09-01-10.02 - ryan 2009-01-11 2:47:47.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.368 [GMT -5:00]
Running from: c:\documents and settings\ryan\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\ryan\Application Data\Install.dat
c:\program files\tintinyproxyy\tinyproxy.exe
c:\program files\tinyproxy\tinyproxy.exe
c:\windows\system32\ctcxraop.ini
c:\windows\system32\fgPooUtv.ini
c:\windows\system32\fgPooUtv.ini2
c:\windows\system32\kehartqs.ini
.
—- Previous Run ——-
.
C:\autorun.inf
c:\program files\Mozilla Firefox\components\iamfamous.dll
C:\resycled
c:\resycled\boot.com
c:\windows\system32\drivers\msqpdxelqncqnn.sys
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\msqpdxawvljquh.dll
c:\windows\system32\TDSShrxx.dll
c:\windows\system32\TDSSkhyp.log
c:\windows\system32\TDSSkkai.log
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSmtvd.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSvkql.dll
c:\windows\system32\TDSSxfum.dll
—– BITS: Possible infected sites —–
hxxp://k6l.org
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
——-\Service_TDSSSERV.SYS
——-\Legacy_TDSSSERV.SYS
——-\Service_MSQPDXSERV.SYS
——-\Legacy_LOGICAL_DISK_MANAGER_(DMSERVER)_
——-\Legacy_PLUG_AND_PLAY_(PLUGPLAY)_
——-\Service_Logical Disk Manager (dmserver)
——-\Service_Plug and Play (PlugPlay)
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.
2009-01-11 01:21 . 2009-01-11 01:21 <DIR> d——– C:\~ErdUserProfile.$$$
2008-12-28 01:04 . 2009-01-11 02:49 <DIR> d——– c:\program files\tintinyproxyy
2008-12-27 14:33 . 2009-01-11 01:31 <DIR> d——– c:\program files\Norton Security Scan
2008-12-27 13:54 . 2008-12-27 13:54 <DIR> d——– c:\documents and settings\LocalService\Application Data\PCToolsSpamMonitorPlus
2008-12-27 13:54 . 2008-12-27 13:54 <DIR> d——– c:\documents and settings\LocalService\Application Data\PCToolsFirewallPlus
2008-12-27 13:46 . 2009-01-11 01:31 <DIR> d——– C:\malware
2008-12-25 00:53 . 2008-12-25 00:53 <DIR> d——– c:\documents and settings\ryan\Application Data\PCToolsSpamMonitorPlus
2008-12-25 00:53 . 2008-12-25 00:53 <DIR> d——– c:\documents and settings\ryan\Application Data\PCToolsFirewallPlus
2008-12-24 02:35 . 2009-01-11 01:31 <DIR> d——– c:\program files\PC Tools Internet Security
2008-12-24 02:35 . 2008-12-24 02:35 <DIR> d——– c:\program files\Common Files\PC Tools
2008-12-24 02:35 . 2008-12-24 02:35 <DIR> d——– c:\program files\Browser Defender
2008-12-24 02:35 . 2008-12-24 02:35 <DIR> d——– c:\documents and settings\ryan\Application Data\PC Tools
2008-12-24 02:35 . 2008-12-25 00:53 <DIR> d——– c:\documents and settings\All Users\Application Data\PC Tools
2008-12-24 02:05 . 2008-12-24 02:05 61,440 –a—— c:\windows\system32\drivers\ldznxx.sys
2008-12-21 21:43 . 2008-12-21 21:43 <DIR> d——– c:\documents and settings\ryan\Application Data\Malwarebytes
2008-12-21 20:34 . 2008-12-21 20:34 <DIR> d——– C:\VundoFix Backups
2008-12-21 19:56 . 2008-12-21 19:56 <DIR> d——– c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-21 19:53 . 2008-12-21 19:55 <DIR> d——– C:\New Folder
2008-12-21 19:31 . 2009-01-11 01:44 <DIR> d-a—— c:\documents and settings\All Users\Application Data\TEMP
2008-12-21 13:02 . 2008-12-21 13:02 <DIR> d——– c:\documents and settings\Administrator.GEKO-4XVBHOO2IJ\Application Data\Malwarebytes
2008-12-21 12:48 . 2008-12-21 12:48 <DIR> d——– c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-20 17:29 . 2008-12-21 12:44 <DIR> d——– c:\program files\Malwarebytes’ Anti-Malware
2008-12-19 00:47 . 2008-12-24 01:43 <DIR> d——– C:\!KillBox
2008-12-16 01:31 . 2008-12-16 01:31 <DIR> d–h—– c:\windows\system32\GroupPolicy
2008-12-16 01:13 . 2008-12-20 06:13 <DIR> d——– c:\documents and settings\Administrator.GEKO-4XVBHOO2IJ\Application Data\webex
2008-12-16 00:11 . 2009-01-11 01:31 <DIR> d——– C:\test
2008-12-15 23:38 . 2008-12-15 23:38 268 –ah—– C:\sqmdata00.sqm
2008-12-15 23:38 . 2008-12-15 23:38 244 –ah—– C:\sqmnoopt00.sqm
2008-12-15 23:29 . 2008-12-16 01:00 <DIR> d——– c:\documents and settings\Administrator.GEKO-4XVBHOO2IJ\Contacts
2008-12-15 23:28 . 2008-12-15 23:28 70,144 –a—— c:\windows\system32\tuvWopnn.dll
2008-12-15 00:08 . 2008-04-13 19:12 26,112 –a—— c:\windows\system32\stu2.exe
2008-12-14 20:45 . 2008-12-27 13:41 <DIR> d——– C:\hijackthis
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 19:36 ——— d—–w c:\program files\Common Files\Symantec Shared
2008-12-27 19:15 ——— d—–w c:\program files\CCleaner
2008-12-24 07:35 ——— d—–w c:\program files\Lavasoft
2008-12-24 07:35 ——— d—–w c:\program files\Common Files\Wise Installation Wizard
2008-12-24 06:49 ——— d—–w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-16 07:23 ——— d—–w c:\program files\DivX
2008-12-16 07:19 ——— d—–w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-16 07:07 ——— d—–w c:\documents and settings\All Users\Application Data\avg8
2008-12-14 21:34 ——— d—–w c:\documents and settings\ryan\Application Data\Skype
2008-12-14 21:09 ——— d—–w c:\documents and settings\ryan\Application Data\skypePM
2008-12-05 03:29 ——— d—–w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-05 03:25 ——— d—–w c:\documents and settings\ryan\Application Data\Lavasoft
2008-12-05 02:43 ——— d—–w c:\program files\Common Files\Apple
2008-12-05 02:42 ——— d—–w c:\program files\Symantec
2008-12-05 02:36 ——— d—–w c:\program files\Norton AntiVirus
2008-12-05 02:35 ——— d—–w c:\documents and settings\All Users\Application Data\Symantec
2008-11-20 04:44 ——— d—–w c:\program files\BitComet
2008-11-17 22:38 ——— d–h–w c:\program files\InstallShield Installation Information
2008-11-17 06:21 ——— d—–w c:\program files\Common Files\Sony Shared
2004-03-11 17:27 40,960 —-a-w c:\program files\Uninstall_CDS.exe
2008-12-16 06:13 27,976 —-a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-12-16 06:13 126,360 —-a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-12-16 06:13 46,408 —-a-w c:\program files\mozilla firefox\plugins\atmccli.dll
2008-12-16 06:13 98,712 —-a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-12-10 03:06 7311360 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-12-10 03:06 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--------- 2002-02-04 22:32 53248 c:\program files\REGSHAVE\REGSHAVE.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Storage Toolbox]
--------- 2005-09-14 20:44 65536 c:\windows\UMStor\Res.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 18:20 866584 c:\program files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-12-10 03:06 1519616 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=3 (0x3)
"SBService"=2 (0x2)
"Bonjour Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\geko_star\\day of defeat\\hl.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Java\\jre1.5.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\geko_star\\half-life\\hl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:UDP"= 6881:UDP:Azureus
"8317:TCP"= 8317:TCP:BitComet 8317 TCP
"8317:UDP"= 8317:UDP:BitComet 8317 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 bnrgaeki;bnrgaeki;c:\windows\system32\drivers\gmlewlbr.sys --> c:\windows\system32\drivers\gmlewlbr.sys [?]
S0 ezmevcc;ezmevcc;c:\windows\system32\drivers\ltqca.sys --> c:\windows\system32\drivers\ltqca.sys [?]
S0 flkuzsm;flkuzsm;c:\windows\system32\drivers\ndnjk.sys --> c:\windows\system32\drivers\ndnjk.sys [?]
S0 gvrwpn;gvrwpn;c:\windows\system32\drivers\yvhr.sys --> c:\windows\system32\drivers\yvhr.sys [?]
S0 hgidlvrp;hgidlvrp;c:\windows\system32\drivers\erst.sys --> c:\windows\system32\drivers\erst.sys [?]
S0 ingzlb;ingzlb;c:\windows\system32\drivers\sdkrfib.sys --> c:\windows\system32\drivers\sdkrfib.sys [?]
S0 mbrme;mbrme;c:\windows\system32\drivers\jlljugeg.sys --> c:\windows\system32\drivers\jlljugeg.sys [?]
S0 mqafxk;mqafxk;c:\windows\system32\drivers\tccdzls.sys --> c:\windows\system32\drivers\tccdzls.sys [?]
S0 qjlg;qjlg;c:\windows\system32\drivers\bouurj.sys --> c:\windows\system32\drivers\bouurj.sys [?]
S0 ttzn;ttzn;c:\windows\system32\drivers\awerclwe.sys --> c:\windows\system32\drivers\awerclwe.sys [?]
S3 CCCP106;D-Link CIF Webcam;c:\windows\system32\drivers\cccp106.sys [2004-10-17 227200]
S4 994D46E4DC061202;994D46E4DC061202;\??\c:\windows\system32\994D46E4DC061202\994D46E4DC061202 --> c:\windows\system32\994D46E4DC061202\994D46E4DC061202 [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - InCDrec
.
Contents of the 'Scheduled Tasks' folder
2008-12-19 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-13 19:12]
2009-01-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
2008-12-27 c:\windows\Tasks\Norton Security Scan for ryan.job
- c:\program files\Norton Security Scan\Nss.exe []
2008-12-22 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe []
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-PowerBar - (no file)
MSConfigStartUp-8c30d3b8 - c:\windows\system32\poarxctc.dll
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-Cognac - c:\docume~1\ADMINI~1.GEK\LOCALS~1\Temp\~tmpb.exe
MSConfigStartUp-Jnskdfmf9eldfd - c:\docume~1\ADMINI~1.GEK\LOCALS~1\Temp\csrssc.exe
MSConfigStartUp-MSFox - c:\docume~1\ADMINI~1.GEK\LOCALS~1\Temp\a.exe
MSConfigStartUp-spywareguard - c:\program files\Spyware Guard 2008\spywareguard.exe
MSConfigStartUp-Cmaudio - cmicnfg.cpl
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local;<local>
FF - ProfilePath - c:\documents and settings\ryan\Application Data\Mozilla\Firefox\Profiles\nl5xa3gh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://handsomeboys.org/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 02:51:28
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet012\Services\994D46E4DC061202]
"ImagePath"="\??\c:\windows\system32\994D46E4DC061202\994D46E4DC061202"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-11 2:54:35 - machine was rebooted [ryan]
ComboFix-quarantined-files.txt 2009-01-11 07:54:30
Pre-Run: 18,098,692,096 bytes free
Post-Run: 18,113,437,696 bytes free
256 --- E O F --- 2008-12-12 22:56:37