thinktechsolutions asked:
b.exe virus keeps making windows restart

I opened up an email containing a video and accidentally clicked yes to install plugins. After that my computer has been unusable; every time I try to go into Windows my computer keeps restarting. I can access safe mode and I have run the Malwarebytes program, and here is what it deleted.
Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\msa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\howard bronstein\local settings\Temp\an1qDZzi.exe.part (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Now I ran the HijackThis program and this is what it found:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:19:33 PM, on 6/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.direcwaysupport.com;www.systemcontrolcenter.com;192.168.0.1;127.0.0.1;192.168.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe -c Direct -p DOT4_001 -pn "" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: avgrsstarter - C:\Windows\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - C:\Program Files\Symantec\pcAnywhere\awhost32.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Are there any suggestions? Thank you.

HainKurt:

Open in safe mode/VGA mode/command-line-only mode and delete it...
Fix it with HijackThis or use the Spybot Search & Destroy application to remove it...
thinktechsolutions,

Since you ran the HijackThis scan, have you tried starting the machine normally? Your Malwarebytes log shows that the infections seem to have been taken care of. HijackThis always generates a relatively large log, and not everything in it is a virus. One thing you should look out for is the R1 entries at the top; double-check to make sure you have the right pages set as your home destination, otherwise you could be redirected and reinfected.

-EZS
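Added example, not code from the thread or from HijackThis itself: a small Python triage script for log lines in the HijackThis v2 format pasted above. It automates the R0/R1 home and search page check EZS describes and goes a little further, flagging O4 Run entries that launch from unusual folders, O10 Winsock LSP entries HijackThis could not identify, and O23 services with no owner or a missing file. EXPECTED_HOSTS and the folder heuristic are assumptions, and the sample log is constructed from lines in this thread plus one invented hijacked start page and one O4 line built from the Malwarebytes hits.

```python
import re
from urllib.parse import urlparse

# Hosts the R0/R1 home and search page entries point to on a stock IE7 install
# (assumption: taken from the clean-looking R1 lines in the thread's log).
EXPECTED_HOSTS = {"go.microsoft.com"}
# Folder hints a start-up entry should rarely launch from (heuristic, assumption).
SUSPECT_FOLDER_HINTS = ("\\temp", "\\application data", "\\local settings")

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O23_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")
EXE_RE = re.compile(r'"([^"]+)"|(\S+)')   # first token of a Run command, quoted or not

def triage_line(line):
    """Return (code, reason) when a HijackThis line deserves a second look, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    if code in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        name = key.rsplit(",", 1)[-1]
        if name == "ProxyOverride":
            return None  # a proxy bypass list, not a URL; compare it by hand
        host = urlparse(value.strip()).hostname
        if host not in EXPECTED_HOSTS:
            return (code, f"{name} points at unexpected host {host!r}")
    elif code == "O4":
        m4 = O4_RE.match(body)
        if m4:
            _hive, name, cmd = m4.groups()
            exe_match = EXE_RE.match(cmd.strip())
            exe = (exe_match.group(1) or exe_match.group(2)).lower()
            folder = exe.rsplit("\\", 1)[0]   # e.g. c:\windows for c:\windows\msa.exe
            if folder.endswith("\\windows") or any(h in folder for h in SUSPECT_FOLDER_HINTS):
                return (code, f"Run entry [{name}] launches {exe} from an unusual folder")
    elif code == "O10":
        return (code, "Winsock LSP not recognised by HijackThis; verify the DLL's publisher")
    elif code == "O23":
        m23 = O23_RE.match(body)
        if m23:
            svc, owner, path = m23.groups()
            if owner == "Unknown owner" or "(file missing)" in path:
                return (code, f"service {svc}: owner {owner!r}, path {path!r}")
    return None

def triage(log_text):
    """Scan a whole log; returns [(code, reason, original line), ...] in log order."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings

# Constructed sample: lines copied from the thread's log, plus one invented hijacked
# start page and one O4 line built from the Malwarebytes hits (Cognac / msa.exe).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hijacked-start.invalid/home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.1;127.0.0.1;<local>
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Cognac] C:\WINDOWS\msa.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - C:\Program Files\Symantec\pcAnywhere\awhost32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe
"""
```

Run `triage(SAMPLE_LOG)` to get the four flagged lines; everything it flags still needs a human to decide, since a legitimate DLL or a stale uninstall shows up exactly like a bad one.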
thinktechsolutions (asker):
I think I may have found the culprit: it is c:\windows\system32\drivers\str.sys. I have tried using KillBox and it says it deleted it, but whenever I run Malwarebytes again it comes back up again saying Rootkit.Agent c:\windows\system32\drivers\str.sys.
ASKER CERTIFIED SOLUTION
adminpps
Adam Leinss:
You might want to do a system restore back to a few days before the infection, then run the scan....that way the rootkit wouldn't get autoloaded and you should be able to clean up the "dead wood".
Unfortunately I can't do a format reinstall; I have too many programs that I need to do work and can't get those programs back until I head out of state again. I have tried to use system restore and it keeps saying restore failed, no matter how many days, weeks, months.
In that case, you can try doing it manually, like I mentioned, or you can try combofix. Be warned, combofix is a BEAST of a program, and WILL delete anything infected that it finds, including system files. It gets rid of infections, including rootkits, but might leave you unable to boot. I've used it, and personally, have never had a problem with it, but you can never be sure. It's a coin toss. Try manually first, imo.

Make sure you read the instructions carefully.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


-EZS
I did check msconfig and it's not there. Any other suggestions? Thank you.
OK, I ran ComboFix after reading the instructions. Here is what it did; I restarted the computer and I still have the same problem.

ComboFix 09-06-09.01 - Howard Bronstein 06/09/2009 17:00.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2046.1764 [GMT -4:00]
Running from: c:\documents and settings\Howard Bronstein\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\kb913800.exe
c:\windows\system32\drivers\str.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg

.
(((((((((((((((((((((((((   Files Created from 2009-05-09 to 2009-06-09  )))))))))))))))))))))))))))))))
.

2009-06-09 19:54 . 2009-06-09 19:54      325896      ----a-w-      c:\windows\system32\drivers\avgldx86.sys
2009-06-09 19:54 . 2009-06-09 19:54      11952      ----a-w-      c:\windows\system32\avgrsstx.dll
2009-06-09 19:54 . 2009-06-09 19:54      108552      ----a-w-      c:\windows\system32\drivers\avgtdix.sys
2009-06-09 19:54 . 2009-06-09 19:54      27784      ----a-w-      c:\windows\system32\drivers\avgmfx86.sys
2009-06-09 19:54 . 2009-06-09 19:54      --------      d-----w-      c:\windows\system32\drivers\Avg
2009-06-09 19:54 . 2009-06-09 19:54      --------      d-----w-      c:\program files\AVG
2009-06-09 19:54 . 2009-06-09 19:54      --------      d-----w-      c:\documents and settings\All Users\Application Data\avg8
2009-06-09 19:43 . 2009-06-09 19:43      --------      d-----w-      c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-09 19:36 . 2009-06-09 19:36      --------      d-----w-      c:\program files\Trend Micro
2009-06-09 19:11 . 2009-06-09 19:11      --------      d-----w-      C:\!KillBox
2009-06-09 18:58 . 2009-06-09 18:57      102664      ----a-w-      c:\windows\system32\drivers\tmcomm.sys
2009-06-09 18:57 . 2009-06-09 18:58      --------      d-----w-      c:\documents and settings\Howard Bronstein\.housecall6.6
2009-06-09 18:42 . 2009-06-09 18:42      --------      d-----w-      c:\program files\Common Files\Wise Installation Wizard
2009-06-09 18:24 . 2009-06-09 18:24      3371383      ----a-w-      c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-09 18:24 . 2009-06-09 18:24      --------      d-----w-      c:\documents and settings\Howard Bronstein\Application Data\Malwarebytes
2009-06-09 18:24 . 2009-05-26 17:19      19096      ----a-w-      c:\windows\system32\drivers\mbam.sys
2009-06-09 18:24 . 2009-05-26 17:20      40160      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 18:24 . 2009-06-09 18:24      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2009-06-09 18:24 . 2009-06-09 18:24      --------      d-----w-      c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-08 22:46 . 2009-06-09 13:56      664      ----a-w-      c:\windows\system32\d3d9caps.dat
2009-06-08 19:25 . 2009-06-08 19:25      --------      d-----w-      c:\windows\LastGood
2009-06-08 18:44 . 2009-06-08 18:44      --------      d-----w-      c:\windows\LastGood.Tmp
2009-06-08 17:49 . 2009-06-08 17:49      71168      ----a-w-      c:\windows\system32\drivers\fuwnapctpbp.sys
2009-06-06 19:33 . 2009-06-06 19:33      270588      ----a-w-      C:\Chi_Roster_pg1.zip
2009-06-06 19:15 . 2009-06-06 20:35      --------      d-----w-      C:\rostersr
2009-05-31 17:04 . 2009-05-31 17:04      488004      ----a-w-      C:\handbk.zip
2009-05-21 14:15 . 2009-06-09 17:31      11881378      ----a-w-      c:\windows\image.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 19:25 . 2006-04-30 20:53      --------      d-----w-      c:\program files\PowerArchiver
2009-06-08 20:38 . 2006-04-29 16:29      --------      d-----w-      c:\program files\Procomm Plus
2009-06-08 19:30 . 2007-06-25 18:01      --------      d-----w-      c:\documents and settings\All Users\Application Data\Trend Micro
2009-06-08 19:27 . 2008-12-16 21:55      90112      ----a-w-      c:\windows\DUMP564d.tmp
2009-05-25 12:34 . 2008-11-22 20:35      --------      d-----w-      c:\program files\AOL 9.1
2009-05-21 20:22 . 2006-04-29 17:02      6686      --sha-w-      c:\windows\system32\KGyGaAvL.sys
2009-05-21 20:22 . 2006-04-29 17:02      104      --sh--r-      c:\windows\system32\F1AA137C3F.sys
2009-05-19 20:22 . 2006-04-29 16:28      --------      d-----w-      c:\program files\Microsoft Visual FoxPro 7
2009-04-20 20:57 . 2007-07-10 14:03      --------      d-----w-      c:\documents and settings\Howard Bronstein\Application Data\U3
2009-04-13 21:54 . 2009-04-13 21:54      12250999      ----a-w-      C:\cdv4.0.zip
2009-04-11 12:56 . 2009-04-11 12:56      1878984      ----a-w-      c:\documents and settings\Howard Bronstein\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-03-30 20:14 . 2009-03-30 20:13      54616149      ----a-w-      C:\aqup34.zip
2009-03-14 14:50 . 2009-03-14 14:50      340      ----a-w-      c:\windows\~my00000.DAT
2008-11-30 22:05 . 2008-11-30 22:05      5120      --sha-w-      c:\program files\Thumbs.db
2006-11-19 21:37 . 2007-04-30 19:30      39031      ----a-w-      c:\program files\C_Wendy_Pattersontest2.jpg
2006-05-08 21:09 . 2006-04-30 14:29      88      --sh--r-      c:\windows\system32\3F7C13AAF1.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"HPLJ Config"="c:\program files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe" [2003-03-31 28672]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-27 169984]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-09 1947928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-09 19:54      11952      ----a-w-      c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 14:51      24638      ----a-w-      c:\windows\system32\PCANotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\AOL\\1146679555\\ee\\aolsoftware.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/9/2009 3:54 PM 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/9/2009 3:54 PM 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/9/2009 3:54 PM 298776]
S2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 5:18 AM 14336]
S2 xutnblaf;xutnblaf;c:\windows\system32\drivers\fuwnapctpbp.sys [6/8/2009 1:49 PM 71168]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVG8WD
*NewlyCreated* - AVGLDX86
*NewlyCreated* - AVGMFX86
*NewlyCreated* - AVGTDIX
.
Contents of the 'Scheduled Tasks' folder

2009-02-17 c:\windows\Tasks\DriverCure.job
- c:\program files\ParetoLogic\DriverCure\DriverCure.exe [2009-01-21 05:38]

2009-06-07 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-21 05:36]

2009-04-26 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-21 05:36]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uInternet Settings,ProxyOverride = www.direcwaysupport.com;www.systemcontrolcenter.com;192.168.0.1;127.0.0.1;192.168.0.1;<local>
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Howard Bronstein\Application Data\Mozilla\Firefox\Profiles\bnj00xox.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-09 16:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-09 16:04
ComboFix-quarantined-files.txt  2009-06-09 20:04

Pre-Run: 96,301,330,432 bytes free
Post-Run: 96,334,045,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[Boot Loader]
timeout=2
Default=multi(0)disk(0)rdisk(0)partition(2)\Windows
[Operating Systems]


175      --- E O F ---      2008-12-23 22:39
Did you try a system restore point from safe mode?  It sometimes does not work within normal mode.
Well, combofix seems to have gotten rid of str.sys and a few other nasties. How is the computer working now?

-EZS
Disregard my above comment; I didn't pay attention to the top >.>

I looked over the Malwarebytes log again, and it seems to have nabbed str.sys the first time. For some reason, it's either reinfecting you or you're getting bad results from the programs as well. Are you still connecting to the internet when you log on? If yes, cancel all internet connections, start the computer in the diagnostic mode from msconfig and try running the scanners again. If the viruses are embedding into your processes, this is a good way to get them out.

-EZS
Thank you for providing me the link. They had a program on there called UnHackMe; it found a rootkit called catchme.sys (funny name), but after I removed that everything worked perfectly.