Mischel Internet Security Forum
Malware
Adware, Browser Hijackers and other Malware
(Moderators: Helena, Gavin_Coe, Magnus)
Topic: help please (Read 4602 times)
Thomas (Full Member, Gender: male, Posts: 233)
help please
« on: Aug 22nd, 2009, 5:02pm »

Hey Tom, I cannot reformat my PC. It says it cannot find mup.sys, but I have it in my driver folder.
 
ComboFix 09-08-22.06 - Compaq_Owner 08/22/2009 17:27.1.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.222.102 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
 
(((((((((((((((((((((((((   Files Created from 2009-07-22 to 2009-08-22  )))))))))))))))))))))))))))))))
.
 
2009-08-22 15:04 . 2009-08-22 21:17  117760  ----a-w-  c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-22 15:03 . 2009-08-22 15:03  --------  d-----w-  c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-22 15:02 . 2009-08-22 15:22  --------  d-----w-  c:\program files\SUPERAntiSpyware
2009-08-22 15:02 . 2009-08-22 15:02  --------  d-----w-  c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2009-08-22 15:01 . 2009-08-22 15:01  --------  d-----w-  c:\program files\Common Files\Wise Installation Wizard
2009-08-20 08:22 . 2009-08-20 08:22  73216  ----a-w-  c:\windows\system32\dllcache\setup50.exe
2009-08-19 04:46 . 2009-08-19 04:46  --------  d-----w-  c:\documents and settings\All Users\Application Data\IObit
2009-08-19 03:44 . 2009-08-19 03:44  --------  d-----w-  c:\documents and settings\Compaq_Owner\Application Data\Yahoo!
2009-08-19 03:42 . 2009-08-22 08:15  --------  d-----w-  c:\documents and settings\Compaq_Owner\Application Data\IObit
2009-08-19 03:42 . 2009-08-19 04:46  --------  d-----w-  c:\program files\IObit
2009-08-18 01:47 . 2009-08-18 01:47  --------  d-----w-  c:\windows\speech
2009-08-15 01:47 . 2009-08-15 01:47  --------  d-----w-  c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Yahoo
2009-08-15 01:30 . 2009-08-15 01:47  --------  d-----w-  c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-15 01:30 . 2009-05-26 23:50  607472  ----a-w-  c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-08-15 01:30 . 2009-08-19 05:29  --------  d-----w-  c:\program files\Yahoo!
2009-08-09 00:42 . 2009-08-09 00:51  --------  d-----w-  c:\documents and settings\Compaq_Owner\Application Data\TeamViewer
2009-08-09 00:41 . 2009-08-09 00:41  --------  d-----w-  c:\program files\TeamViewer
2009-08-09 00:40 . 2009-08-09 00:40  --------  d-----w-  c:\documents and settings\Compaq_Owner\temp
2009-08-04 19:16 . 2009-08-04 19:16  152576  ----a-w-  c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-03 06:18 . 2009-08-06 19:24  --------  d-----w-  c:\documents and settings\Compaq_Owner\Application Data\YTK Enhanced
2009-08-03 06:18 . 2009-08-06 19:24  987994  ----a-w-  c:\documents and settings\Compaq_Owner\Application Data\YTK Enhanced\unins000.exe
2009-08-03 06:17 . 2009-08-03 06:35  --------  d-----w-  c:\program files\YTK Enhanced
2009-07-31 16:17 . 2009-07-31 16:17  47360  ----a-w-  c:\windows\system32\drivers\pcouffin.sys
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 21:17 . 2009-04-11 01:09  --------  d---a-w-  c:\documents and settings\All Users\Application Data\TEMP
2009-08-22 15:13 . 2009-04-10 23:57  --------  d-----w-  c:\documents and settings\Compaq_Owner\Application Data\uTorrent
2009-08-21 09:42 . 2009-04-25 08:57  300680  ----a-w-  c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-19 21:15 . 2009-04-11 00:58  --------  d-----w-  c:\program files\TrojanHunter 5.1
2009-08-10 22:20 . 2009-04-15 23:53  --------  d-----w-  c:\program files\Microsoft Silverlight
2009-08-10 00:37 . 2009-04-11 00:29  55656  ----a-w-  c:\windows\system32\drivers\avgntflt.sys
2009-08-04 19:17 . 2005-08-08 22:19  --------  d-----w-  c:\program files\Java
2009-07-25 09:23 . 2009-04-11 00:06  411368  ----a-w-  c:\windows\system32\deploytk.dll
2009-07-14 00:35 . 2009-07-14 00:35  --------  d-----w-  c:\documents and settings\Compaq_Owner\Application Data\Windows Search
2009-07-03 17:09 . 2004-08-04 12:00  915456  ----a-w-  c:\windows\system32\wininet.dll
2009-07-02 13:59 . 2009-07-02 11:59  --------  d-----w-  c:\documents and settings\Compaq_Owner\Application Data\Wireshark
2009-07-02 11:55 . 2009-07-02 11:54  --------  d-----w-  c:\program files\Wireshark
2009-07-02 11:55 . 2009-07-02 11:55  --------  d-----w-  c:\program files\WinPcap
2009-07-01 19:40 . 2009-04-11 16:02  --------  d-----w-  c:\program files\Winamp
2009-06-29 16:09 . 2009-06-29 16:09  --------  d-----w-  c:\documents and settings\All Users\Application Data\Tarma Installer
2009-06-29 16:08 . 2009-06-29 16:09  81920  --s---r-  c:\documents and settings\All Users\Application Data\Tarma Installer\{D6B25B8D-0566-42B1-A23D-7576138435D6}\Setup.exe
2009-06-27 00:46 . 2009-06-27 00:46  2112  ----a-w-  c:\windows\system32\drivers\kxrmsghookdrv.sys
2009-06-24 06:42 . 2009-06-24 06:42  --------  d-----w-  c:\program files\Digital Asphyxia
2009-06-16 14:36 . 2004-08-04 12:00  81920  ----a-w-  c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00  119808  ----a-w-  c:\windows\system32\t2embed.dll
2009-06-10 00:35 . 2009-06-10 00:35  152576  ----a-w-  c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-08 22:34 . 2009-06-08 22:34  321536  ----atw-  c:\documents and settings\Compaq_Owner\Application Data\Microsoft\engine_vx.dll
2009-06-08 22:34 . 2009-06-08 22:34  18724  ----atw-  c:\documents and settings\Compaq_Owner\Application Data\Microsoft\bass.dll
2009-06-08 22:34 . 2009-06-08 22:34  26200  ----atw-  c:\documents and settings\Compaq_Owner\Application Data\Microsoft\qwadjb.dll
2009-06-08 22:34 . 2009-06-08 22:34  16952  ----atw-  c:\documents and settings\Compaq_Owner\Application Data\Microsoft\1eaadjc.dll
2009-06-08 22:34 . 2009-06-08 22:34  15416  ----atw-  c:\documents and settings\Compaq_Owner\Application Data\Microsoft\rsaadjd.dll
2009-06-08 22:34 . 2009-06-08 22:34  14392  ----atw-  c:\documents and settings\Compaq_Owner\Application Data\Microsoft\kfgresk.dll
2009-06-08 22:34 . 2009-06-08 22:34  13984  ----atw-  c:\documents and settings\Compaq_Owner\Application Data\Microsoft\mjcriu.dll
2009-06-08 22:34 . 2009-06-08 22:34  10808  ----atw-  c:\documents and settings\Compaq_Owner\Application Data\Microsoft\peaadje.dll
2009-06-03 19:09 . 2004-08-04 12:00  1291264  ----a-w-  c:\windows\system32\quartz.dll
2009-05-28 11:03 . 2009-04-11 00:00  32800  ----a-w-  c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 04:24 . 2008-05-27 02:18  350208  ----a-w-  c:\windows\system32\mssph.dll
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-22 1830128]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"THGuard"="c:\program files\TrojanHunter 5.1\THGuard.exe" [2009-04-11 1056928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-08-20 943888]
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05  356352  ----a-w-  c:\program files\SUPERAntiSpyware\SASWINLO.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Digital Asphyxia\\Y!TunnelPro 2.5\\YTPro.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\VC Sync\\VCSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\YTK Enhanced\\YTKE.exe"=
 
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/10/2009 8:29 PM 108289]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [8/21/2009 12:28 AM 305936]
R3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;c:\windows\system32\drivers\ubVeo532.sys [7/1/2002 6:30 PM 95232]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S0 gzsrgbl;gzsrgbl;c:\windows\system32\drivers\ifrcr.sys --> c:\windows\system32\drivers\ifrcr.sys [?]
S3 devkxrmsghookdrv;kX-Ray Msg Hook Enum Drv;c:\windows\system32\drivers\kxrmsghookdrv.sys [6/26/2009 8:46 PM 2112]
S3 KMD;ProcInspect;\??\c:\documents and settings\Compaq_Owner\Desktop\kX-Ray\KMD.sys --> c:\documents and settings\Compaq_Owner\Desktop\kX-Ray\KMD.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 11:35 AM 50704]
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
 
2009-08-22 c:\windows\Tasks\AWC AutoCare.job
- c:\program files\IObit\Advanced SystemCare 3\AutoCare.exe [2009-08-19 19:11]
 
2009-08-22 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2009-08-19 19:35]
 
2009-08-22 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2009-08-19 14:15]
 
2009-08-22 c:\windows\Tasks\User_Feed_Synchronization-{31D4BDED-654E-4816-B55F-1833525DC237}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
 
**************************************************************************
 
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 17:35
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ...  
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
 
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,df,f1,87,4c,a8,d5,47,47,b7,57,a4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,df,f1,87,4c,a8,d5,47,47,b7,57,a4,\
 
[HKEY_LOCAL_MACHINE\software\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}]
@DACL=(02 0000)
@SACL=(02 0000)
 
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(740)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
 
- - - - - - - > 'explorer.exe'(2620)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-22 17:38
ComboFix-quarantined-files.txt  2009-08-22 21:38
 
Pre-Run: 51,558,359,040 bytes free
Post-Run: 51,567,017,984 bytes free
 
173 --- E O F --- 2009-06-10 01:22

Windows 7 Home Premium (64 Bit)
Yahoo! Messenger Version 11.0.0 Build 2014
Y!TunnelPro Version 2.6 Build 736
YTK Enhanced Version 2.6 Build 108
Mozilla Firefox Version 8.0 (Beta)
Internet Explorer Version 9.0.8112.16421
TrojanHunter Version 5.3 Build 994
HijackThis Version 2.0 Build 4
Wireless
avast! Free Antivirus
Malwarebytes' Anti-Malware
SUPERAntiSpyware Professional
Thomas (Full Member, Gender: male, Posts: 233)
Re: help please
« Reply #1 on: Aug 22nd, 2009, 5:19pm »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:58 PM, on 8/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.1\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} (FixItClient Class) - https://fixit.support.microsoft.com/ActiveX/FixItClient.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239838906640
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
 
--
End of file - 5113 bytes
Thomas (Full Member, Gender: male, Posts: 233)
Re: help please
« Reply #2 on: Aug 22nd, 2009, 5:47pm »

I know this log report is a little bit old.
 
TrojanHunter Scan Report - Saved 2009-06-03 07:04
 
Warning: Executable file with double extensions found: C:\Program Files\Avira\AntiVir Desktop\aecore.dll.tmp
Warning: Executable file with double extensions found: C:\Program Files\Avira\AntiVir Desktop\aepack.dll.tmp
Warning: Executable file with double extensions found: C:\Program Files\Microsoft Silverlight\2.0.40115.0\System.Net.dll
Warning: Executable file with double extensions found: C:\Program Files\Microsoft Silverlight\2.0.40115.0\System.ServiceModel.Web.dll
Warning: Executable file with double extensions found: C:\Program Files\Microsoft Silverlight\2.0.40115.0\System.Xml.dll
Warning: Executable file with double extensions found: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll
Warning: Executable file with double extensions found: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll
Warning: Executable file with double extensions found: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll
Warning: Unable to unpack UPX-packed file C:\Program Files\uTorrent\uTorrent.exe
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.IO.Log\3.0.0.0__b03f5f7f11d50a3a\System.IO.Log.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.Net\3.5.0.0__b03f5f7f11d50a3a\System.Net.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.ServiceModel.Web\3.5.0.0__31bf3856ad364e35\System.ServiceModel.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_43d446d0\System.Xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_b86d496c\System.Xml.dll
Warning: Unable to unpack UPX-packed file C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\Microsoft.Transactions.Bridge.Dtc.dll
Found trojan file: C:\WINDOWS\system32\drivers\ifrcr.sys (Hoax.Agent.114)
Warning: Unable to unpack UPX-packed file D:\I386\SYSTEM32\drivers\USBUHCI.SYS
Warning: Unable to unpack UPX-packed file D:\MiniNT\system32\drivers\USBUHCI.SYS
Quarantined file C:\WINDOWS\system32\drivers\ifrcr.sys
Thomas (Full Member, Gender: male, Posts: 233)
Re: help please
« Reply #3 on: Aug 22nd, 2009, 5:53pm »

Here are 2 scan logs that are a few days old.
 
IObit Security 360
 
OS:Windows XP
Version:0.3.1.20
Define Version:1083
Time:8/19/2009 12:59:23 AM
 
|Name|Type|Description|ID|
Disabled.SecurityCenter - Removed, Registry Data, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center Value=AntiVirusDisableNotify, 6-554
Disabled.SecurityCenter - Removed, Registry Data, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center Value=UpdatesDisableNotify, 6-556
Tracking Cookies - Removed, Cookies, Cookie:compaq_owner@quantserve.com/, 7-2083
Thomas (Full Member, Gender: male, Posts: 233)
Re: help please
« Reply #4 on: Aug 22nd, 2009, 5:53pm »

IObit Security 360
 
OS:Windows XP
Version:0.3.1.20
Define Version:1127
Time:8/20/2009 4:14:13 AM
 
|Name|Type|Description|ID|
Disabled.SecurityCenter - Removed, Registry Data, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center Value=UpdatesDisableNotify, 6-14
Win32.Aliser.8364 - Quarantined, File, C:\Program Files\Outlook Express\setup50.exe, 12-528
Win32.Aliser.8364 - Quarantined, File, C:\WINDOWS\$NtServicePackUninstall$\setup50.exe, 12-528
Win32.Stanit - Quarantined, File, C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe, 12-671
Win32.Aliser.8364 - Quarantined, File, C:\WINDOWS\ServicePackFiles\i386\setup50.exe, 12-528
Backdoor.Autorun - Quarantined, File, C:\WINDOWS\Debug\Setup\Backup\INTPPM_Backup.bak, 9-6052
Win32.Aliser.8364 - Quarantined, File, C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\migrate.exe, 12-955
Worm.Rbot - Quarantined, File, D:\I386\SYSTEM32\drivers\mup.sys, 12-599
Worm.Rbot - Quarantined, File, D:\MiniNT\system32\drivers\mup.sys, 12-599
Trojan.Spy - Quarantined, File, D:\I386\Apps\APP19901\src\install\Worldwide-Compaq\progfiles\Apps\hpuninstall.exe, 12-367
Trojan.Spy - Quarantined, File, D:\I386\Apps\APP19901\src\install\Worldwide-Compaq\progfiles\Apps\onplay.exe, 12-367
siliconman01 (Global Moderator, Gender: male, Posts: 7358)
Trojans! Chew 'em Up, Spit 'em Out...
Re: help please
« Reply #5 on: Aug 23rd, 2009, 12:00am »

What exactly are you trying to do?  Reformat and rebuild your computer?  
 
1.  Your Hijackthis log is showing no infections.
 
2.  As far as the TrojanHunter scan report, the item below was a valid action by TH because ifrcr.sys is a malicious file.  
 
Quote:
Quarantined file C:\WINDOWS\system32\drivers\ifrcr.sys

 
The scan report is so old that it is meaningless.  It is a report made in June 2009.  
 
3.  If you look at the second IOBIT360 log, it looks to me like it removed several valid files, such as mup.sys.  In fact, it looks like all the items it quarantined are actually False Positives and are valid files.   I recommend that you unquarantine these files via IOBIT360.  I am referring to this log:
 
Quote:
IObit Security 360  
 
OS:Windows XP  
Version:0.3.1.20  
Define Version:1127  
Time:8/20/2009 4:14:13 AM  
 
|Name|Type|Description|ID|  
Disabled.SecurityCenter - Removed, Registry Data, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center Value=UpdatesDisableNotify, 6-14  
Win32.Aliser.8364 - Quarantined, File, C:\Program Files\Outlook Express\setup50.exe, 12-528  
Win32.Aliser.8364 - Quarantined, File, C:\WINDOWS\$NtServicePackUninstall$\setup50.exe, 12-528  
Win32.Stanit - Quarantined, File, C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe, 12-671  
Win32.Aliser.8364 - Quarantined, File, C:\WINDOWS\ServicePackFiles\i386\setup50.exe, 12-528  
Backdoor.Autorun - Quarantined, File, C:\WINDOWS\Debug\Setup\Backup\INTPPM_Backup.bak, 9-6052  
Win32.Aliser.8364 - Quarantined, File, C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\migrate.exe, 12-955  
Worm.Rbot - Quarantined, File, D:\I386\SYSTEM32\drivers\mup.sys, 12-599  
Worm.Rbot - Quarantined, File, D:\MiniNT\system32\drivers\mup.sys, 12-599  
Trojan.Spy - Quarantined, File, D:\I386\Apps\APP19901\src\install\Worldwide-Compaq\progfiles\Apps\hpuninstall.exe, 12-367  
Trojan.Spy - Quarantined, File, D:\I386\Apps\APP19901\src\install\Worldwide-Compaq\progfiles\Apps\onplay.exe, 12-367  

 
IOBIT360 is beta software and its actions should be examined closely before letting it quarantine items.  
 
If you are going to use this beta software, then you should be in close communications with their development team via their forum at http://forums.iobit.com/

______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
Thomas (Full Member, Gender: male, Posts: 233)
Re: help please
« Reply #6 on: Aug 23rd, 2009, 4:50am »

I did unquarantine everything that 360 quarantined, but every time I try to reformat my PC it says it cannot find mup.sys, though it is in my driver folder. If you're good at fixing PCs or looking at them, can you look at my PC, Tom?
siliconman01 (Global Moderator, Gender: male, Posts: 7358)
Trojans! Chew 'em Up, Spit 'em Out...
Re: help please
« Reply #7 on: Aug 23rd, 2009, 5:43am »

I'm afraid that I cannot help you on this problem.  I do not know how I could look at your system to assist you.  Maybe the developers at IOBIT can assist based on what IOBIT360 would have removed that is causing this problem for you.  
 
Very sorry.
Thomas (Full Member, Gender: male, Posts: 233)
Re: help please
« Reply #8 on: Aug 23rd, 2009, 6:05am »

on Aug 23rd, 2009, 5:43am, siliconman01 wrote:
I'm afraid that I cannot help you on this problem. I do not know how I could look at your system to assist you. Maybe the developers at IOBIT can assist based on what IOBIT360 would have removed that is causing this problem for you.
 
Very sorry.

 
Thanks for the help, Tom.
Thomas
Full Member
***
Gender: male
Posts: 233
Re: help please
« Reply #9 on: Aug 23rd, 2009, 3:26pm »

Hey Tom, a TrojanHunter Guard error pops up saying it can not take a snapshot of the running programs, and when this happens I can not open anything.
siliconman01
Global Moderator
*****
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 7358
Re: help please
« Reply #10 on: Aug 24th, 2009, 12:09am »

Hmmm... I do not recognize the terminology that you have provided concerning THGuard. Would you please post the exact message that appears when this happens? Is THGuard stating that it has detected an infection in memory and is trying to remove it?
Thomas
Full Member
***
Gender: male
Posts: 233
Re: help please
« Reply #11 on: Aug 24th, 2009, 12:45am »

on Aug 24th, 2009, 12:09am, siliconman01 wrote:
Hmmm... I do not recognize the terminology that you have provided concerning THGuard. Would you please post the exact message that appears when this happens? Is THGuard stating that it has detected an infection in memory and is trying to remove it?

 
If it happens again, I will.
Thomas
Full Member
***
Gender: male
Posts: 233
Re: help please
« Reply #12 on: Aug 26th, 2009, 12:54am »

I managed to get a screenshot of this.
siliconman01
Global Moderator
*****
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 7358
Re: help please
« Reply #13 on: Aug 26th, 2009, 1:30am »

This means that something is preventing THGuard.exe from being able to retrieve the list of programs that are running in memory when THGuard.exe attempts to scan memory every 15 seconds.
 
It could mean that you have a memory failure problem or that some other program is interfering/conflicting with THGuard.exe. I suspect that it is the conflict issue.
 
Did this start happening after you installed IOBit360 on your system? And does IOBit360 have a real-time component running in memory all the time?
Thomas
Full Member
***
Gender: male
Posts: 233
Re: help please
« Reply #14 on: Aug 26th, 2009, 1:31am »

on Aug 26th, 2009, 1:30am, siliconman01 wrote:
This means that something is preventing THGuard.exe from being able to retrieve the list of programs that are running in memory when THGuard.exe attempts to scan memory every 15 seconds.
 
It could mean that you have a memory failure problem or that some other program is interfering/conflicting with THGuard.exe. I suspect that it is the conflict issue.
 
Did this start happening after you installed IOBit360 on your system? And does IOBit360 have a real-time component running in memory all the time?

 
Yes, and I do not know, and this only happens when I'm sleeping.
« Last Edit: Aug 26th, 2009, 1:32am by Thomas »