Sorry, posted this in the wrong section. Could a moderator please move it to the appropriate forum? Thank you.
So, yesterday, the opening of CSI: Miami season 8 was on and the parents were hogging the television, so I went online to watch it, and ended up getting a fake Flash Player installation.
I stupidly ran it to see just how legit it was, and my installed Comodo Antivirus told me that MSA.EXE, B.EXE, and C.EXE were all trying to do unauthorized actions. I blocked every one of them, and when I went back to the folder to delete the fake Flash Player installer, it was gone.
I thought nothing of it, and ran a Comodo AV scan last night, which came up with zero threats, so I turned off my computer and went to bed.
This morning, I went to university and booted up Chrome to log into the wireless, then went to FireFox to start working on my assignment. The FireFox.exe process loaded, but closed almost immediately after. I tried it again, and the same thing happened. At the end of class, I turned off my machine, hoping it might clear it up. Before it shut down, it gave me a notification that "CUccPlatform" was not responding, so I just hit end task.
Went on break after class and booted up my machine, and FireFox would still not boot. It was at this point that I noticed Windows Live Messenger (which I have enabled to run on startup) was a running process but did not display a window or anything.
I'm a fair bit computer-savvy so I decided to try a few things with FireFox. I renamed it to ff3.exe instead of firefox.exe, and it ran perfectly. This is when I realized I probably had a virus, and related it back to yesterday when I downloaded that file.
I quickly went to the internet and to my Firewall log files to find the cause of the problem. I quickly found C:\WINDOWS\msa.exe (which I found on Google was a piece of malware), and deleted it. I also found the C:\Documents and Settings\USER\Local Settings\Temp\b.exe (and c.exe) and deleted them both.
Thinking I was oh so clever, I started FireFox again (using firefox.exe), but the same problem occurred.
At this point, I was getting a little fed up, so I just used Chrome for the rest of my school day and ran ClamWin Antivirus in the background. It came across a few viral files which I swiftly deleted.
The same problem still existed, so I went back to good old Google, and found Malwarebytes' Anti-Malware program, and downloaded it. Immediately after starting a Full Scan, the program terminated and I was unable to run it again (something about invalid permissions--as if I'm not the administrator or something).
Continuing on my witch hunt, I tried HiJackThis! (which I have used with success in the past on my desktop). Same problem--halfway through the scan, it just shuts down and I am unable to run it again.
Attempting once again to rectify the issue, I used Comodo to block all access to the HiJackThis.exe file, and even renamed it Blablabla.exe to see if that could throw the virus off.
Nope; didn't work either.
I've also tried the DDS tool and GMER. They both crash upon completion as well.
Throughout this process I also ended up looking through all my registry keys. I found a few that were mentioned online, namely one named NordPull, and one named poprock. I didn't find any startup keys starting msa.exe or anything suspicious, nor is there anything odd in my Active Processes list.
So basically, it's now been almost 12 hours of frustration, I'm at my wit's end here, and I'm hoping someone can steer me in the right direction. This'll sure teach me to watch TV online... :P
to perform an online scan. Please use Internet Explorer as it uses ActiveX.
Check (tick) this box: YES, I accept the Terms of Use.
Click on the Start button next to it.
When prompted to run ActiveX, click Yes.
You will be asked to install an ActiveX. Click Install.
Once installed, the scanner will be initialized.
After the scanner is initialized, click Start.
Check (tick) Remove found threats box.
Check (tick) Scan unwanted applications.
Click on Scan.
It will start scanning. Please be patient.
Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt.
If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.
Follow the instructions on the site. When downloaded, click on – Check for updates – Button.
Under Configuration and Preferences, click the Preferences button. Click the Scanning Control tab. Under Scanner Options make sure the following are checked:
Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantining
Ignore System Restore/Volume Information on ME and XP
Please leave the others unchecked.
On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive. On the right, under Complete Scan, choose Perform Complete Scan. Click Next to start the scan. Please be patient while it scans your computer. After the scan is complete a summary box will appear. Click OK. Make sure everything in the white box has a check next to it, then click Next. It will quarantine what it found and if it asks if you want to reboot, click NO.
When the scan has finished:
Click Preferences. Click the Statistics/Logs tab. Under Scanner Logs, double-click SUPERAntiSpyware Scan Log. It will open in your default text editor (such as Notepad/Wordpad).
Save the logfile to desktop
Click close and close again to exit the program.
Reboot, if needed.
Post Superantispyware log, along with C:\Program Files\esetonlinescanner\log.txt.
Adware.Tracking Cookie
C:\Documents and Settings\Eric\Cookies\eric@atdmt.txt
C:\Documents and Settings\Eric\Cookies\eric@atdmt.txt
C:\Documents and Settings\Eric\Cookies\eric@atwola.txt
Hope this helps!
PS: I did attempt to run FireFox and MSN again, and still no luck. Wasn't sure if I would be able to or not yet. ;) PPS: When I rebooted my computer, the same CUccPlatform application was frozen. PPPS: If I don't reply tonight, my apologies! Have to head off to university in the morn'. :|
OTL.TXT
OTL logfile created on: 9/23/2009 10:22:42 AM - Run 1
OTL by OldTimer - Version 3.0.14.0     Folder = C:\Documents and Settings\Eric\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 110.94 Gb Total Space | 66.10 Gb Free Space | 59.58% Space Free | Partition Type: NTFS
Drive D: | 110.94 Gb Total Space | 107.71 Gb Free Space | 97.09% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: ERIC-LTOP
Current User Name: Eric
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
EXTRAS.TXT
OTL Extras logfile created on: 9/23/2009 10:22:42 AM - Run 1
OTL by OldTimer - Version 3.0.14.0     Folder = C:\Documents and Settings\Eric\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
========== HKEY_LOCAL_MACHINE Uninstall List ==========
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "Google Chrome" = Google Chrome
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 7/13/2029 6:14:16 PM | Computer Name = ERIC-LTOP | Source = crypt32 | ID = 131083 Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Error - 7/13/2029 6:14:16 PM | Computer Name = ERIC-LTOP | Source = crypt32 | ID = 131083 Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Error - 7/13/2029 6:14:16 PM | Computer Name = ERIC-LTOP | Source = crypt32 | ID = 131083 Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Error - 7/13/2029 6:14:16 PM | Computer Name = ERIC-LTOP | Source = crypt32 | ID = 131083 Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Error - 7/13/2009 7:45:17 PM | Computer Name = ERIC-LTOP | Source = Application Hang | ID = 1002 Description = Hanging application firefox.exe, version 1.9.1.3462, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 7/19/2009 10:27:52 PM | Computer Name = ERIC-LTOP | Source = Application Error | ID = 1000 Description = Faulting application ahv.exe, version 1.1.0.143, faulting module ahv.exe, version 1.1.0.143, fault address 0x00005773.
Error - 7/20/2009 1:53:09 AM | Computer Name = ERIC-LTOP | Source = Application Hang | ID = 1002 Description = Hanging application notepad++.exe, version 5.4.1.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 7/24/2009 8:52:19 PM | Computer Name = ERIC-LTOP | Source = Application Hang | ID = 1002 Description = Hanging application notepad++.exe, version 5.4.1.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 8/4/2009 11:19:53 PM | Computer Name = ERIC-LTOP | Source = Application Hang | ID = 1002 Description = Hanging application Skype.exe, version 4.1.0.136, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 8/4/2009 11:21:56 PM | Computer Name = ERIC-LTOP | Source = MsiInstaller | ID = 11722 Description = Product: Java(TM) 6 Update 15 -- Error 1722.There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action patchjre, location: C:\Program Files\Java\jre6\patchjre.exe, command: -s "C:\Program Files\Java\jre6"
[ System Events ]
Error - 9/22/2009 6:49:37 PM | Computer Name = ERIC-LTOP | Source = Service Control Manager | ID = 7001 Description = The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: %%31
Error - 9/22/2009 6:49:37 PM | Computer Name = ERIC-LTOP | Source = Service Control Manager | ID = 7001 Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: %%31
Error - 9/22/2009 6:49:37 PM | Computer Name = ERIC-LTOP | Source = Service Control Manager | ID = 7001 Description = The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: %%31
Error - 9/22/2009 6:49:37 PM | Computer Name = ERIC-LTOP | Source = Service Control Manager | ID = 7001 Description = The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: %%31
Error - 9/22/2009 6:49:37 PM | Computer Name = ERIC-LTOP | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: AFD cmdGuard cmdHlp Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
Error - 9/22/2009 6:49:48 PM | Computer Name = ERIC-LTOP | Source = DCOM | ID = 10005 Description = DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
Error - 9/22/2009 6:53:20 PM | Computer Name = ERIC-LTOP | Source = DCOM | ID = 10005 Description = DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
Error - 9/22/2009 6:53:32 PM | Computer Name = ERIC-LTOP | Source = DCOM | ID = 10005 Description = DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
Error - 9/22/2009 6:53:59 PM | Computer Name = ERIC-LTOP | Source = DCOM | ID = 10005 Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Error - 9/23/2009 12:27:32 AM | Computer Name = ERIC-LTOP | Source = Service Control Manager | ID = 7000 Description = The SASENUM service failed to start due to the following error: %%2
< End of report >
///////////////////////////
PS: Explorer.exe is crashing almost every time I try to open a folder of any kind. I have been using a 3rd-party program called Explorer++ to access files.
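As an added triage example (not part of this thread, and not code from OTL or any other tool named here), the script below parses the "Last 10 Event Log Errors" block in the format OTL produced above and flags the two signals a responder would pull out of that report: events timestamped after the report itself was created (the 2029 crypt32 entries, which is why certificate validity checks fail), and boot-start drivers that did not load (Service Control Manager event 7026), calling out the XP TCP/IP stack and COMODO's cmdGuard/cmdHlp drivers. The sample lines are constructed from the report with shortened descriptions, and the driver watch-list is my own choice, not something OTL defines.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample: a report header plus four Error records in OTL's layout,
# modelled on the log above with the descriptions shortened.
SAMPLE_LOG = """\
OTL logfile created on: 9/23/2009 10:22:42 AM - Run 1
Error - 7/13/2029 6:14:16 PM | Computer Name = ERIC-LTOP | Source = crypt32 | ID = 131083 Description = Failed extract of third-party root list from auto update cab
Error - 7/13/2009 7:45:17 PM | Computer Name = ERIC-LTOP | Source = Application Hang | ID = 1002 Description = Hanging application firefox.exe, version 1.9.1.3462
Error - 9/22/2009 6:49:37 PM | Computer Name = ERIC-LTOP | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: AFD cmdGuard cmdHlp Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
Error - 9/23/2009 12:27:32 AM | Computer Name = ERIC-LTOP | Source = Service Control Manager | ID = 7000 Description = The SASENUM service failed to start due to the following error: %%2
"""

# The two line shapes we read: the "created on" header and one Error record.
_TS = r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"
_CREATED_RE = re.compile(r"logfile created on: (" + _TS + ")")
_EVENT_RE = re.compile(
    r"^Error - (?P<ts>" + _TS + r") \| Computer Name = (?P<host>.*?) \| "
    r"Source = (?P<source>.*?) \| ID = (?P<id>\d+) Description = (?P<desc>.*)$"
)
_TS_FMT = "%m/%d/%Y %I:%M:%S %p"   # strptime accepts the unpadded month/day/hour OTL writes

# Drivers whose load failure matters for triage (my watch-list): the XP network stack,
# without which the machine cannot fetch AV updates, and COMODO's own kernel drivers.
WATCHED_DRIVERS = {"Tcpip", "AFD", "NetBT", "IPSec", "cmdGuard", "cmdHlp"}


@dataclass
class Event:
    when: datetime
    host: str
    source: str
    event_id: int
    description: str


@dataclass
class Finding:
    kind: str
    event: Event
    detail: str


def parse_report(text: str) -> Tuple[Optional[datetime], List[Event]]:
    """Return the report creation time (None if absent) and the parsed Error records."""
    created = None
    m = _CREATED_RE.search(text)
    if m:
        created = datetime.strptime(m.group(1), _TS_FMT)
    events = []
    for line in text.splitlines():
        m = _EVENT_RE.match(line.strip())
        if not m:
            continue            # headers, blank lines and anything else are skipped
        events.append(Event(
            when=datetime.strptime(m.group("ts"), _TS_FMT),
            host=m.group("host"),
            source=m.group("source"),
            event_id=int(m.group("id")),
            description=m.group("desc"),
        ))
    return created, events


def failed_drivers(description: str) -> List[str]:
    """Split the space-separated driver names out of an SCM 7026 description."""
    _, _, tail = description.partition("failed to load:")
    return tail.split()


def triage(text: str) -> List[Finding]:
    created, events = parse_report(text)
    findings: List[Finding] = []
    for ev in events:
        # 1. A record dated after the report was written means the clock was wrong when it
        #    was logged; crypt32 certificate-validity errors are the usual side effect.
        if created is not None and ev.when > created:
            findings.append(Finding("future-dated", ev,
                                    f"{ev.when} is after report creation {created}"))
        # 2. Boot-start drivers that failed to load, with the watched ones called out.
        if ev.source == "Service Control Manager" and ev.event_id == 7026:
            drivers = failed_drivers(ev.description)
            hit = sorted(WATCHED_DRIVERS.intersection(drivers))
            findings.append(Finding("driver-load-failure", ev,
                                    f"{len(drivers)} drivers failed; watched: {', '.join(hit)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.event.source} {f.event.event_id}: {f.detail}")
```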
I downloaded and ran the program as per the provided instructions.
FireFox.exe will still not boot, and MSNMSGR.exe will still not provide a window. HijackThis! is still crashing after completion of the system scan.
During the process of using Dial-A-Fix, it gave me several popup windows saying that DLLs were corrupted or invalid. There must have been at least 20 popups during the whole process.
Any other suggestions?
PS: I have now been using FireFox (ff3.exe) for some online work and have noticed that I have the infamous Google redirect virus. I had this once before and don't remember how I fixed it... I think Comodo detected it that time. Not sure.
Double-click on the combofix icon found on your desktop.
Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
When finished, it will produce a logfile located at C:\combofix.txt.
ComboFix 09-09-23.02 - Eric 09/25/2009 0:12.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3067.2653 [GMT -6:00]
Running from: c:\documents and settings\Eric\Desktop\Combo-Fix.exe
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .
c:\documents and settings\All Users\Start Menu\Programs\Acer Crystal Eye Webcam Video Class Camera
c:\documents and settings\All Users\Start Menu\Programs\Acer Crystal Eye Webcam Video Class Camera \Uninstall.lnk
c:\windows\30DE01F0.x86.dll
c:\windows\Suyin.reg
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll
[HKEY_USERS\S-1-5-21-2667730276-515693187-1579475875-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:84,9c,3e,3a,10,c9,0d,69,86,a8,ee,04,1c,bb,36,de,02,e7,2a,1d,59,37,b6,59,da,c2,93,cb,99,bb,76,ba,71,2a,e7,3a,86,3f,13,94,81,f8,dc,eb,19,8c,3f,41,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1016)
c:\program files\Acer\Acer Bio Protection\WinNotify.dll
c:\program files\Acer\Acer Bio Protection\CustomRes.dll
c:\windows\system32\ATSC70.DLL
c:\windows\system32\ATSC70PBA.dll
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
316 --- E O F --- 2009-09-08 23:32
I am VERY glad to report that FireFox.exe has now booted properly. MSN Messenger is now working correctly, and Google is no longer redirecting me to adware sites! Thank you so much for your help, I can't tell you how happy I am to be free of that awful virus.
Please let me know if there is anything further I should do. But thank you again!
You should Create a New Restore Point to prevent possible reinfection from an old one. The easiest and safest way to do this is:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
Click START then RUN
Now type Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present.
The C:\Deckard folder, if present.
The C:_OtMoveIt folder, if present.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.