Steve Pierce
Posts: 26
Posts posted by Steve Pierce
-
The MBAM service is running
Windows 8.1
I tried running install, that failed. I ran the MBAM removal tool, that appears to work, it tells me to reboot, when I reboot, MBAM is still there. Running MBAM uninstall from Control Panel does not work.
Client was recently scammed by Microsoft tech virus. Called 800 number, permitted remote control, thought better of it and disconnected and immediately powered down computer.
I ran AVG Rescue CD from bootable USB. Found search.me and adware. Installed and ran Malwarebytes, found similar problems but no viruses or trojans.
Removed all suspect files found by AVG and MBAM.
However, now getting "Cannot Connect to Service" when MBAM starts, and suspecting something more serious is wrong.
-
What do I do about defogger. We didn't undo any of the changes it made.
-
I think we are good to go. Thanks!
- Steve
-
Yes, MSSE came back clean scanning both C and E Drive.
-
Malwarebytes completed its scan. Found another file. Cleaned and removed it. Rebooted and re-ran Malwarebytes and it finished clean this morning.
Rebooted. Security Essentials was able to run and successfully update. First time that has worked in a while. MSSE is running now. We will post results.
File found was ccun.dat in /document and settings/liz/localsettings/temp/ccun.dat
AVG said it was Trojan Horse PSW.Generic 7.ccdy.
Problem was found using AVG Rescue CD and booting from the CD. Scan was slow, took about 4 hours but found the file. We renamed, rebooted then deleted the file. We then found the registry entry and removed it as well. It was in Drivers32/midi9 and the file was called with a command ccun.dat 2yAPFDOFNF.
Removed the registry entry, scanned for any other occurrences, emptied the trash and then rebooted.
Success.
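The persistence the post describes (a Drivers32 value, midi9, pointing at ccun.dat with a trailing argument) is something a defender can check for mechanically. The following is an added example, not the poster's or the forum's own code: it applies a few heuristics to Drivers32 values (extra tokens, non-driver extension, path outside system32 or in a temp directory) over a constructed sample modelled on the post, and reads the live key when run on Windows. The sample value names and the temp-directory entry are assumptions for illustration.

```python
r"""Flag non-standard values under the Drivers32 registry key.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 maps multimedia
driver aliases ("midi", "midi1".."midi9", "wave", "aux", "msacm.*", "vidc.*")
to a module that the multimedia subsystem loads into any process that uses it.
A legitimate value is a bare module name with a driver-style extension that
resolves under %SystemRoot%\system32.  The heuristics below flag values that
carry extra command-line-style tokens, use a non-driver extension, or point
into a temp directory or anywhere outside system32.
"""
import ntpath
import os
import re
import sys

DRIVER_EXTENSIONS = {".dll", ".drv", ".acm", ".ax"}

# Constructed sample modelled on the forum post: "midi9" carries the value the
# post describes (ccun.dat with an argument); the rest are benign XP defaults
# plus one made-up temp-directory entry ("aux1") to exercise the path checks.
SAMPLE_DRIVERS32 = {
    "midi": "wdmaud.drv",
    "wave": "wdmaud.drv",
    "wavemapper": "msacm32.drv",
    "msacm.msadpcm": "msadp32.acm",
    "vidc.cvid": "iccvid.dll",
    "midi9": "ccun.dat 2yAPFDOFNF",
    "aux1": r"c:\docume~1\liz\locals~1\temp\constructed_example.dll",
}


def check_drivers32_value(data, system32=r"C:\WINDOWS\system32", check_disk=False):
    """Return the reasons a single Drivers32 value looks suspicious ([] if none)."""
    reasons = []
    tokens = data.strip().split()
    if not tokens:
        return reasons
    module = tokens[0]
    # A real entry names exactly one module; anything after it is an argument.
    if len(tokens) > 1:
        reasons.append("extra tokens after module name: %r" % " ".join(tokens[1:]))
    ext = ntpath.splitext(module)[1].lower()
    if ext not in DRIVER_EXTENSIONS:
        reasons.append("non-driver extension %r" % ext)
    directory = ntpath.dirname(module)
    if directory:
        sys32 = ntpath.normcase(system32).rstrip("\\") + "\\"
        if not ntpath.normcase(module).startswith(sys32):
            reasons.append("module path outside system32: %r" % module)
        parts = re.split(r"[\\/]", ntpath.normcase(directory))
        if "temp" in parts or "tmp" in parts:
            reasons.append("module lives in a temp directory")
    elif check_disk and not os.path.isfile(ntpath.join(system32, module)):
        # Only meaningful on the live system: a bare name missing from
        # system32 gets resolved through the DLL search path instead.
        reasons.append("bare module name not present in system32: %r" % module)
    return reasons


def find_suspicious(entries, **kwargs):
    """Map each suspicious value name to its list of reasons."""
    findings = {}
    for name, data in entries.items():
        reasons = check_drivers32_value(data, **kwargs)
        if reasons:
            findings[name] = reasons
    return findings


def read_drivers32():
    """Read the live key (Windows only). Returns {value_name: string_data}."""
    import winreg  # Windows-only standard-library module
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            if isinstance(data, str):
                entries[name] = data
            index += 1
    return entries


if __name__ == "__main__":
    if sys.platform == "win32":
        system32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
        findings = find_suspicious(read_drivers32(), system32=system32, check_disk=True)
    else:
        findings = find_suspicious(SAMPLE_DRIVERS32)
    for name, reasons in findings.items():
        print("Drivers32\\%s: %s" % (name, "; ".join(reasons)))
```

On a 64-bit system the Wow6432Node copy of the key deserves the same check; the sample run only covers the 32-bit XP layout the post deals with.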
-
Success, I found the offending file. I will send details in a bit.
-
www.virustotal.com results:
c:\program files\HB20100302203045.bkp, 17MB file. This is a file used with a database, and this is a backup file.
Results 0/41 0% hits
http://www.virustotal.com/analisis/a802801...b067-1274821905
c:\program files\powsetup.exe 8.51MB Order processing system
Results 0/41 0%
http://www.virustotal.com/analisis/172148b...8026-1274822230
I don't think either of these files is infected.
-
MBAM still does not run. It opens and closes immediately.
-
Yes I chastised the owner as well for installing AVG without telling me.
It got put on without my knowing about it. I put a sign on the computer, not to be touched except by me, that should stop this from happening again.
- Steve
-
ComboFix 10-05-24.07 - Liz 05/25/2010 12:11:08.5.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.174 [GMT -6:00]
Running from: c:\steve\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-04-25 to 2010-05-25 )))))))))))))))))))))))))))))))
.
2010-05-25 05:44 . 2010-05-25 05:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-25 05:44 . 2010-05-25 05:44 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-25 05:43 . 2010-05-25 05:43 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-25 05:43 . 2010-05-25 05:43 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-25 05:43 . 2010-05-25 05:43 -------- d-----w- c:\windows\system32\drivers\Avg
2010-05-25 05:43 . 2010-05-25 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-05-25 05:36 . 2010-05-25 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-24 22:59 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-24 22:59 . 2010-05-24 22:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-24 22:59 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-24 01:48 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\MPSigStub.exe
2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\PCHealth
2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\program files\Seagate
2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-05-24 01:25 . 2010-05-24 01:25 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\Downloaded Installations
2010-05-24 01:25 . 2010-05-24 01:25 -------- d-sh--w- c:\windows\ftpcache
2010-05-24 01:11 . 2010-05-24 01:11 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-05-23 18:27 . 2010-05-23 18:27 -------- d-----w- C:\Steve
2010-05-23 18:21 . 2010-05-23 18:21 -------- d-----w- c:\program files\Trend Micro
2010-05-22 21:34 . 2010-05-22 21:34 -------- d-----w- c:\windows\system32\DRVSTORE
2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\program files\Lavasoft
2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-22 17:48 . 2010-05-22 17:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-05-22 15:38 . 2010-05-22 15:38 -------- d--h--w- c:\windows\PIF
2010-05-21 23:12 . 2010-05-21 23:12 -------- d-----w- c:\documents and settings\Liz\Application Data\Malwarebytes
2010-05-21 23:11 . 2010-05-21 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-17 15:05 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-17 15:05 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-05-16 01:21 . 2010-05-12 17:21 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 17:21 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\MPSigStub.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-10 06:15 . 2004-09-15 04:12 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 20:11 . 2010-03-04 20:11 111 ----a-w- c:\program files\WS_FTP.LOG
2010-03-03 04:36 . 2010-03-03 04:36 18702178 ----a-w- c:\program files\HB20100302203045.bkp
2010-02-25 06:24 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-01 21:26 . 2010-02-01 21:26 98180904 ----a-w- c:\program files\iTunesSetup.exe
2005-12-21 03:59 . 2005-12-21 03:59 349182 ----a-w- c:\program files\pow101m-upd.zip
2005-12-21 03:55 . 2005-12-21 03:55 8922629 ----a-w- c:\program files\powsetup.exe
.
((((((((((((((((((((((((((((( SnapShot_2010-05-24_20.58.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 02:54 . 2009-07-12 02:54 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-12 07:07 . 2009-07-12 07:07 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-12 07:19 . 2009-07-12 07:19 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2009-07-12 07:12 . 2009-07-12 07:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 07:09 . 2009-07-12 07:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 07:08 . 2009-07-12 07:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
+ 2010-05-25 05:36 . 2010-05-25 05:36 424448 c:\windows\Installer\2ad7b9.msi
+ 2009-07-12 02:46 . 2009-07-12 02:46 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-12 02:46 . 2009-07-12 02:46 1105920 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 16:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"nwiz"="nwiz.exe" [2002-07-16 372736]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-26 102400]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-25 05:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Previews on Windows\\rteng6.exe"=
"c:\\Program Files\\Previews on Windows\\preorder.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2010 11:43 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2010 11:44 PM 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/24/2010 11:36 PM 308064]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [10/28/2002 11:57 PM 177280]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [5/24/2010 11:43 PM 430152]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - AVG9WD
*NewlyCreated* - AVGLDX86
*NewlyCreated* - AVGMFX86
.
Contents of the 'Scheduled Tasks' folder
2010-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1202660629-1343024091-1003Core1cac69baaf0f680.job
- c:\documents and settings\Liz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-02 22:23]
2010-05-25 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
2010-05-25 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 00:02]
2010-05-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 00:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://dons.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-25 12:21
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\wininet.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-05-25 12:24:52
ComboFix-quarantined-files.txt 2010-05-25 18:24
ComboFix2.txt 2010-05-24 22:25
ComboFix3.txt 2010-05-24 21:02
ComboFix4.txt 2010-05-22 20:13
ComboFix5.txt 2010-05-25 18:09
Pre-Run: 7,496,663,040 bytes free
Post-Run: 7,528,448,000 bytes free
- - End Of File - - 6346CD006B94E3F751F68A588CD98DF0
-
Ran mbr.exe. The program didn't prompt me for any questions. It launched a quick DOS box and closed.
Here is the log file.
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
-
Rootrepeal is still showing an MBR on the E drive.
Rootkitbuster from Trend will not run. MBAM will not run.
HiJackThis does work.
-
OK, MSSE is now loading after a reboot. I am still having problems with DNS redirect. MSSE and Windows Update will not update.
I added the exclusions to MSSE and then rebooted.
MBAM loads, I see the screen for about 2 seconds and then it closes.
-
Sadly, no joy.
MBAM still starts and immediately closes. A new problem is now when I start MSSE, it closes immediately as well. So I can't add the exclusions in MSSE for MBAM.
- Steve
-
MBAM still doesn't load and I still have real-time scanning turned off.
-
After reboot started, Combo-fix restarted.
A program, SecurDisc, also loaded; unsure if that is part of Combo-fix.
Then it says Combofix needs to submit malware for further analysis.
Here is the log file.
ComboFix 10-05-24.03 - Liz 05/24/2010 15:53:06.4.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.188 [GMT -6:00]
Running from: F:\Combo-Fix.exe
Command switches used :: F:\cfscript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
file zipped: c:\documents and settings\Administrator\Start Menu\Programs\Startup\Reboot.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\Reboot.exe
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))
.
2010-05-24 21:48 . 2010-05-25 09:40 -------- d-----w- C:\32788R22FWJFW
2010-05-24 01:48 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\MPSigStub.exe
2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\PCHealth
2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\program files\Seagate
2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-05-24 01:25 . 2010-05-24 01:25 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\Downloaded Installations
2010-05-24 01:25 . 2010-05-24 01:25 -------- d-sh--w- c:\windows\ftpcache
2010-05-24 01:11 . 2010-05-24 01:11 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-05-23 18:27 . 2010-05-23 18:27 -------- d-----w- C:\Steve
2010-05-23 18:21 . 2010-05-23 18:21 -------- d-----w- c:\program files\Trend Micro
2010-05-22 21:34 . 2010-05-22 21:34 -------- d-----w- c:\windows\system32\DRVSTORE
2010-05-22 21:34 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-22 21:33 . 2010-05-22 21:33 -------- d--h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-22 21:33 . 2010-02-04 15:53 2954656 ----a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\program files\Lavasoft
2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-22 17:48 . 2010-05-22 17:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-05-22 15:38 . 2010-05-22 15:38 -------- d--h--w- c:\windows\PIF
2010-05-21 23:12 . 2010-05-21 23:12 -------- d-----w- c:\documents and settings\Liz\Application Data\Malwarebytes
2010-05-21 23:11 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 23:11 . 2010-05-21 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-21 23:11 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 23:11 . 2010-05-21 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-17 15:05 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-17 15:05 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-05-16 01:21 . 2010-05-12 17:21 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 17:21 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\MPSigStub.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-10 06:15 . 2004-09-15 04:12 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 20:11 . 2010-03-04 20:11 111 ----a-w- c:\program files\WS_FTP.LOG
2010-03-03 04:36 . 2010-03-03 04:36 18702178 ----a-w- c:\program files\HB20100302203045.bkp
2010-02-25 06:24 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2001-08-23 18:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-01 21:26 . 2010-02-01 21:26 98180904 ----a-w- c:\program files\iTunesSetup.exe
2005-12-21 03:59 . 2005-12-21 03:59 349182 ----a-w- c:\program files\pow101m-upd.zip
2005-12-21 03:55 . 2005-12-21 03:55 8922629 ----a-w- c:\program files\powsetup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"nwiz"="nwiz.exe" [2002-07-16 372736]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-26 102400]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Previews on Windows\\rteng6.exe"=
"c:\\Program Files\\Previews on Windows\\preorder.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/22/2010 3:34 PM 64288]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1228208]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [10/28/2002 11:57 PM 177280]
.
Contents of the 'Scheduled Tasks' folder
2010-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1202660629-1343024091-1003Core1cac69baaf0f680.job
- c:\documents and settings\Liz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-02 22:23]
2010-05-24 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
2010-05-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:53]
2010-05-24 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 00:02]
2010-05-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 00:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://dons.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-24 16:12
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\wininet.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'explorer.exe'(3488)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\System32\nvsvc32.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
.
**************************************************************************
.
Completion time: 2010-05-24 16:22:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-24 22:22
ComboFix2.txt 2010-05-24 21:02
ComboFix3.txt 2010-05-22 20:13
ComboFix4.txt 2010-05-22 18:43
Pre-Run: 7,901,478,912 bytes free
Post-Run: 7,865,499,648 bytes free
- - End Of File - - BBF61B39233E4069E82358992F241D7A
Upload was successful
-
Ran script. During Combo-fix, computer suddenly executed a shut down and froze.
Do you want me to re-run the script?
-
-
File upload with Google Chrome wouldn't work. Uploaded with IE and it worked. Cheers! - Steve
-
OK, file has been uploaded but the web page threw an error after uploading.
-
Here is the combo-fix report you requested.
ComboFix 10-05-24.03 - Liz 05/24/2010 14:49:40.3.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.229 [GMT -6:00]
Running from: F:\Combo-Fix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))
.
2010-05-24 01:48 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\MPSigStub.exe
2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\PCHealth
2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\program files\Seagate
2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-05-24 01:25 . 2010-05-24 01:25 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\Downloaded Installations
2010-05-24 01:25 . 2010-05-24 01:25 -------- d-sh--w- c:\windows\ftpcache
2010-05-24 01:11 . 2010-05-24 01:11 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-05-23 18:27 . 2010-05-23 18:27 -------- d-----w- C:\Steve
2010-05-23 18:21 . 2010-05-23 18:21 -------- d-----w- c:\program files\Trend Micro
2010-05-22 21:34 . 2010-05-22 21:34 -------- d-----w- c:\windows\system32\DRVSTORE
2010-05-22 21:34 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-22 21:33 . 2010-05-22 21:33 -------- d--h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-22 21:33 . 2010-02-04 15:53 2954656 ----a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\program files\Lavasoft
2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-22 17:48 . 2010-05-22 17:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-05-22 15:38 . 2010-05-22 15:38 -------- d--h--w- c:\windows\PIF
2010-05-21 23:12 . 2010-05-21 23:12 -------- d-----w- c:\documents and settings\Liz\Application Data\Malwarebytes
2010-05-21 23:11 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 23:11 . 2010-05-21 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-21 23:11 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 23:11 . 2010-05-21 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-17 15:05 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-17 15:05 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-05-16 01:21 . 2010-05-12 17:21 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 17:21 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\MPSigStub.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-10 06:15 . 2004-09-15 04:12 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 20:11 . 2010-03-04 20:11 111 ----a-w- c:\program files\WS_FTP.LOG
2010-03-03 04:36 . 2010-03-03 04:36 18702178 ----a-w- c:\program files\HB20100302203045.bkp
2010-02-25 06:24 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2001-08-23 18:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-01 21:26 . 2010-02-01 21:26 98180904 ----a-w- c:\program files\iTunesSetup.exe
2005-12-21 03:59 . 2005-12-21 03:59 349182 ----a-w- c:\program files\pow101m-upd.zip
2005-12-21 03:55 . 2005-12-21 03:55 8922629 ----a-w- c:\program files\powsetup.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-05-22_18.39.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-29 14:05 . 2008-07-29 14:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 12:07 . 2008-07-29 12:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 12:07 . 2008-07-29 12:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2008-07-29 12:07 . 2008-07-29 12:07 80896 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90ud.dll
+ 2008-07-29 12:07 . 2008-07-29 12:07 80896 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90d.dll
+ 2010-05-22 21:34 . 2010-02-04 15:53 64288 c:\windows\system32\DRVSTORE\lbd_B425E86B28F27CC7F4A0CAF275F9F2789F3C6909\Lbd.sys
+ 2003-06-30 07:13 . 2010-05-24 06:34 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2003-06-30 07:13 . 2008-12-29 18:06 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-06-30 07:13 . 2010-05-24 06:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-06-30 07:13 . 2008-12-29 18:06 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-06-30 07:13 . 2008-12-29 18:06 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-05-24 06:34 . 2010-05-24 06:34 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-05-22 21:33 . 2010-05-22 21:33 29926 c:\windows\Installer\{338F08AB-C262-42C7-B000-34DE1A475273}\_6FEFF9B68218417F98F549.exe
+ 2010-05-24 01:29 . 2010-05-24 01:29 87376 c:\windows\Installer\{2A30052B-831C-41D3-8044-3C0388066350}\NewShortcut3_3AA20A2C6BEF43A6A3B4F09C5D78D1D4.exe
+ 2010-05-24 01:29 . 2010-05-24 01:29 87376 c:\windows\Installer\{2A30052B-831C-41D3-8044-3C0388066350}\NewShortcut2_B7AA0888E8864144BA725EAA61DC15D5.exe
+ 2010-05-24 01:29 . 2010-05-24 01:29 50512 c:\windows\Installer\{2A30052B-831C-41D3-8044-3C0388066350}\NewShortcut1_68F918D3F91F411B8936985CC2BD4192.exe
+ 2010-05-24 01:29 . 2010-05-24 01:29 87376 c:\windows\Installer\{2A30052B-831C-41D3-8044-3C0388066350}\ARPPRODUCTICON.exe
+ 2008-07-29 14:05 . 2008-07-29 14:05 875520 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcp90d.dll
+ 2008-07-29 09:54 . 2008-07-29 09:54 312832 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcm90d.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 06:05 . 2009-07-12 06:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 09:54 . 2008-07-29 09:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-12-02 21:23 . 2009-12-02 21:23 149040 c:\windows\system32\drivers\MpFilter.sys
+ 2010-05-24 01:11 . 2010-05-24 01:12 272384 c:\windows\Installer\9b1ae.msi
+ 2010-05-24 01:11 . 2010-05-24 01:11 254976 c:\windows\Installer\9b1a8.msi
+ 2010-05-24 01:11 . 2010-05-24 01:11 301056 c:\windows\Installer\9b1a2.msi
+ 2010-05-22 21:33 . 2010-05-22 21:33 167424 c:\windows\Installer\96f029.msi
+ 2010-05-22 21:33 . 2010-05-22 21:33 236032 c:\windows\Installer\96f01b.msi
+ 2008-07-29 14:05 . 2008-07-29 14:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 5982720 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90ud.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 5937144 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90d.dll
+ 2008-07-29 14:05 . 2008-07-29 14:05 1180672 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcr90d.dll
+ 2010-05-24 01:29 . 2010-05-24 01:29 3668992 c:\windows\Installer\9b412.msi
+ 2010-05-22 21:33 . 2010-05-22 21:33 1859072 c:\windows\Installer\96f024.msi
+ 2005-09-18 18:39 . 2010-04-30 17:51 32058312 c:\windows\system32\MRT.exe
- 2005-09-18 18:39 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"nwiz"="nwiz.exe" [2002-07-16 372736]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-26 102400]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Reboot.exe [2002-3-20 382464]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Previews on Windows\\rteng6.exe"=
"c:\\Program Files\\Previews on Windows\\preorder.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/22/2010 3:34 PM 64288]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [10/28/2002 11:57 PM 177280]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1228208]
--- Other Services/Drivers In Memory ---
*Deregistered* - PROCEXP141
.
Contents of the 'Scheduled Tasks' folder
2010-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1202660629-1343024091-1003Core1cac69baaf0f680.job
- c:\documents and settings\Liz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-02 22:23]
2010-05-24 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
2010-05-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://dons.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-24 14:58
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\wininet.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'explorer.exe'(532)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-24 15:02:25
ComboFix-quarantined-files.txt 2010-05-24 21:02
ComboFix2.txt 2010-05-22 20:13
ComboFix3.txt 2010-05-22 18:43
Pre-Run: 7,738,195,968 bytes free
Post-Run: 7,882,997,760 bytes free
- - End Of File - - C858E7682DFDFA77A8CF34A60AC724D6
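The "Created" and Find3M sections above (and the DDS "Created Last 30" lists further down the thread) are the parts of these logs an analyst actually works from, but in the raw form every entry looks alike. Below is an added example, not part of the original post and not code from ComboFix, DDS or Malwarebytes, of a small triage parser for both line formats. It pulls out the attribute flags, skips an allowlist that is my assumption (ComboFix's own helpers and the Recovery Console it installs, which on this machine share the 2010-05-22 18:26/18:29 timestamps of the ComboFix run), and flags what is worth a second look: hidden+system objects, newly created kernel drivers, and hidden GUID-named directories. The sample lines are copied from the logs on this page.

```python
"""Triage the file-creation sections of ComboFix and DDS logs.

Added example for this thread; it is not part of the original post and not
code from ComboFix, DDS or Malwarebytes. The line formats below are inferred
from the logs as posted, and the allowlist is an assumption documented inline.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# ComboFix "Created" / Find3M line:
#   <created> . <modified> <size or --------> <attrs> <path>
COMBOFIX_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>-{8}|\d+)\s+(?P<attrs>\S{8})\s+(?P<path>.+?)\s*$"
)
# DDS "Created Last 30" / Find3M line:
#   <created with seconds> <size> <attrs> <path>
DDS_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>\S{8})\s+(?P<path>.+?)\s*$"
)
GUID_DIR_RE = re.compile(r"\\\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$")

# Assumption: these are ComboFix's own helpers and the Recovery Console it
# installs; on this machine they share the 2010-05-22 18:26/18:29 timestamps
# of the ComboFix run itself, so they are excluded from triage.
COMBOFIX_OWN = {
    "c:\\cmdcons", "c:\\windows\\sed.exe", "c:\\windows\\mbr.exe",
    "c:\\windows\\pev.exe", "c:\\windows\\swreg.exe",
}


@dataclass
class Entry:
    created: datetime
    size: Optional[int]      # None for directories in ComboFix output
    attrs: str               # e.g. "d-sh--w-": d=dir, s=system, h=hidden, a=archive
    path: str                # lower-cased for comparisons

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Parse one file-listing line from either tool; None if it is not one."""
    m, fmt = COMBOFIX_RE.match(line), "%Y-%m-%d %H:%M"
    if m is None:
        m, fmt = DDS_RE.match(line), "%Y-%m-%d %H:%M:%S"
    if m is None:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(datetime.strptime(m["created"], fmt), size, m["attrs"], m["path"].lower())


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries an analyst should look at first."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        e = parse_line(line)
        if e is None or e.path in COMBOFIX_OWN:
            continue
        reasons = []
        if e.hidden and e.system:
            reasons.append("hidden+system")
        if e.path.endswith(".sys") and "\\drivers\\" in e.path:
            reasons.append("new kernel driver")
        if e.is_dir and e.hidden and GUID_DIR_RE.search(e.path):
            reasons.append("hidden GUID-named directory")
        if reasons:
            out[e.path] = reasons
    return out


# Constructed sample: lines copied from the ComboFix and DDS output in this thread.
SAMPLE_LINES = [
    r"2010-05-21 23:11 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys",
    r"2010-05-21 23:11 . 2010-05-21 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware",
    r"2010-05-24 01:25:28 0 d-sh--w- c:\windows\ftpcache",
    r"2010-05-24 01:11:39 0 d-----w- c:\program files\Microsoft Security Essentials",
    r"2010-05-22 21:34:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys",
    r"2010-05-22 21:33:34 0 d--h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}",
    r"2010-05-22 20:27:16 0 d-sh--w- C:\Recycled",
    r"2010-05-22 18:29:23 0 d-sha-r- C:\cmdcons",
    r"2010-05-22 18:26:48 98816 ----a-w- c:\windows\sed.exe",
]


def triage_sample() -> Dict[str, List[str]]:
    return triage(SAMPLE_LINES)


if __name__ == "__main__":
    for path, reasons in triage_sample().items():
        print(f"{path}: {', '.join(reasons)}")
```

The flags are prompts, not verdicts: on this machine Lbd.sys and mbam.sys are the Ad-Aware and Malwarebytes drivers installed during the cleanup, and the GUID-named hidden directory was created in the same minute as c:\program files\Lavasoft. The point of the parser is to reduce several hundred lines to the handful that need that kind of cross-check.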
-
Success. I rebooted and ran RootRepeal; here is the report and the latest DDS report.
ROOTREPEAL © AD, 2007-2010
==================================================
Report Save Time: 2010/05/24 14:15
Program Version: Version 2.0.0.0
Windows Version: Windows XP SP3
==================================================
DRIVERS
-------------------
File Invisible dump_atapi.sys 0xeefe4000 C:\WINDOWS\System32\Drivers\dump_atapi.sys, 98304 bytes
File Invisible dump_WMILIB.SYS 0xf8c4e000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS, 8192 bytes
File Invisible rootrepeal.sys 0xede87000 C:\WINDOWS\system32\drivers\rootrepeal.sys, 49152 bytes
PROCESSES
-------------------
4 - System
172 - C:\PROGRAM FILES\MICROSOFT SECURITY ESSENTIALS\MSSECES.EXE
180 - C:\WINDOWS\SYSTEM32\WUAUCLT.EXE
184 - C:\PROGRAM FILES\SEAGATE\SEAGATEMANAGER\FREEAGENT STATUS\STXMENUMGR.EXE
236 - C:\WINDOWS\SYSTEM32\CTFMON.EXE
248 - C:\PROGRAM FILES\LOGMEIN\X86\LMIGUARDIAN.EXE
448 - C:\WINDOWS\SYSTEM32\SMSS.EXE
476 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE
516 - C:\WINDOWS\SYSTEM32\CSRSS.EXE
556 - C:\WINDOWS\SYSTEM32\WINLOGON.EXE
612 - C:\WINDOWS\SYSTEM32\SERVICES.EXE
624 - C:\WINDOWS\SYSTEM32\LSASS.EXE
792 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE
880 - C:\PROGRAM FILES\LOGMEIN\X86\LOGMEIN.EXE
928 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1004 - C:\PROGRAM FILES\MICROSOFT SECURITY ESSENTIALS\MSMPENG.EXE
1144 - C:\PROGRAM FILES\SEAGATE\SEAGATEMANAGER\SYNC\FREEAGENTSERVICE.EXE
1180 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1376 - C:\PROGRAM FILES\NERO\NERO 7\INCD\INCDSRV.EXE
1384 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1436 - C:\WINDOWS\EXPLORER.EXE
1492 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE
1540 - C:\PROGRAM FILES\LOGMEIN\X86\RAMAINT.EXE
1628 - C:\PROGRAM FILES\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
1760 - C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
1944 - C:\PROGRAM FILES\LOGMEIN\X86\LOGMEINSYSTRAY.EXE
1956 - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_S0EIC1.EXE
1976 - C:\PROGRAM FILES\NERO\NERO 7\INCD\NBHGUI.EXE
2040 - C:\PROGRAM FILES\NERO\NERO 7\INCD\INCD.EXE
2104 - C:\PROGRAM FILES\LOGMEIN\X86\LMIGUARDIAN.EXE
2132 - C:\WINDOWS\SYSTEM32\NVSVC32.EXE
2392 - C:\WINDOWS\SYSTEM32\WUAUCLT.EXE
2912 - C:\WINDOWS\SYSTEM32\WBEM\UNSECAPP.EXE
3120 - C:\WINDOWS\SYSTEM32\ALG.EXE
3128 - C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
3348 - C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
3612 - F:\RootRepeal.exe
4016 - C:\Program Files\Lavasoft\Ad-Aware\ThreatWork.exe
FILES
-------------------
Mismatch C:\WINDOWS\TEMP\MpCmdRun.log, Size mismatch (API: 524288, Raw: 148062)
Sector E:\
Sector E:\
MBR E:\
STEALTH CODE
-------------------
HIDDEN SERVICES
-------------------
SSDT
-------------------
SYSCALL OK, INT 0x2E OK, ServiceTable OK, Driver IAT OK
NtCreateKey Lbd.sys 0xf878687e
NtSetValueKey Lbd.sys 0xf8786bfe
SHADOW SSDT
-------------------
CALLBACKS
-------------------
*****************************************************************
DDS (Ver_10-03-17.01) - FAT32x86
Run by Liz at 14:32:41.40 on Mon 05/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.157 [GMT -6:00]
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
SVCHOST.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
SVCHOST.EXE
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wuauclt.exe
F:\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://dons.com/
uInternet Connection Wizard,ShellNext = iexplore
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [EPSON Stylus Photo 820 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s0eic1.exe /a "c:\windows\system32\E_SD.tmp"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [nwiz] nwiz.exe /install
mRun: [siSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [EPSON Stylus Photo 820 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [securDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [inCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-22 64288]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1228208]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-12-17 47640]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-10-28 177280]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
=============== Created Last 30 ================
2010-05-24 17:21:13 0 ----a-w- c:\documents and settings\liz\defogger_reenable
2010-05-24 01:26:29 0 d-----w- c:\program files\Seagate
2010-05-24 01:26:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Seagate
2010-05-24 01:25:28 0 d-sh--w- c:\windows\ftpcache
2010-05-24 01:11:39 0 d-----w- c:\program files\Microsoft Security Essentials
2010-05-23 18:27:56 0 d-----w- C:\Steve
2010-05-23 18:21:27 0 d-----w- c:\program files\Trend Micro
2010-05-22 21:34:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-22 21:33:34 0 d--h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-22 21:33:09 0 d-----w- c:\program files\Lavasoft
2010-05-22 20:27:16 0 d-sh--w- C:\Recycled
2010-05-22 18:29:23 0 d-sha-r- C:\cmdcons
2010-05-22 18:26:48 98816 ----a-w- c:\windows\sed.exe
2010-05-22 18:26:48 77312 ----a-w- c:\windows\MBR.exe
2010-05-22 18:26:48 256512 ----a-w- c:\windows\PEV.exe
2010-05-22 18:26:48 161792 ----a-w- c:\windows\SWREG.exe
2010-05-22 17:35:28 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2010-05-22 17:20:22 0 d-----w- c:\windows\system32\appmgmt
2010-05-22 15:38:19 0 d--h--w- c:\windows\PIF
2010-05-21 23:12:22 0 d-----w- c:\docume~1\liz\applic~1\Malwarebytes
2010-05-21 23:11:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 23:11:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-21 23:11:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 23:11:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-17 15:05:31 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-17 15:05:31 215920 ----a-w- c:\windows\system32\muweb.dll
2010-05-17 15:05:31 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-05-16 01:21:33 221568 ------w- c:\windows\system32\MpSigStub.exe
==================== Find3M ====================
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-04 20:11:58 111 ----a-w- c:\program files\WS_FTP.LOG
2010-03-03 04:36:00 18702178 ----a-w- c:\program files\HB20100302203045.bkp
2010-02-25 17:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:08 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:26 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-01 21:26:56 98180904 ----a-w- c:\program files\iTunesSetup.exe
2005-12-21 03:59:36 349182 ----a-w- c:\program files\pow101m-upd.zip
2005-12-21 03:55:54 8922629 ----a-w- c:\program files\powsetup.exe
============= FINISH: 14:33:55.69 ===============
-
Renamed the file and rebooted. mbam (now firefox.exe) will still not run. ProcExp shows firefox.exe starting and then closing about 15 seconds later. No window appears before it closes.
The RootRepeal you linked to is far different and smaller than the one I had already downloaded. When I run it, it runs fine. When I go to save the report file, it crashes; I get a rootrepeal.dmp and nothing is saved in the log file.
If I run the RootRepeal from Aug 2009, I get an error saying it couldn't read the boot sector.
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/05/24 14:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEEFE4000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8C4E000 Size: 8192 File Visible: No Signed: -
Status: -
Name: PROCEXP141.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP141.SYS
Address: 0xEDC6E000 Size: 9600 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE546000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\NetworkService\ntuser.dat.LOG
Status: Size mismatch (API: 1024, Raw: 12288)
Path: C:\Documents and Settings\Administrator\ntuser.dat.LOG
Status: Size mismatch (API: 1024, Raw: 8192)
Path: C:\Documents and Settings\Liz\ntuser.dat.LOG
Status: Allocation size mismatch (API: 163840, Raw: 32768)
Path: C:\Documents and Settings\LogMeInRemoteUser\ntuser.dat.LOG
Status: Size mismatch (API: 1024, Raw: 12288)
Path: C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
Status: Size mismatch (API: 1024, Raw: 61440)
Path: C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
Status: Allocation size mismatch (API: 65536, Raw: 32768)
Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Support\MPLog-05232010-191157.log
Status: Allocation size mismatch (API: 1441792, Raw: 458752)
Path: Volume E:\
Status: MBR Rootkit Detected!
Path: Volume E:\, Sector 1
Status: Sector mismatch
Path: Volume E:\, Sector 2
Status: Sector mismatch
Path: Volume E:\, Sector 3
Status: Sector mismatch
Path: Volume E:\, Sector 4
Status: Sector mismatch
Path: Volume E:\, Sector 5
Status: Sector mismatch
Path: Volume E:\, Sector 6
Status: Sector mismatch
Path: Volume E:\, Sector 7
Status: Sector mismatch
Path: Volume E:\, Sector 8
Status: Sector mismatch
Path: Volume E:\, Sector 9
Status: Sector mismatch
Path: Volume E:\, Sector 10
Status: Sector mismatch
Path: Volume E:\, Sector 11
Status: Sector mismatch
Path: Volume E:\, Sector 12
Status: Sector mismatch
Path: Volume E:\, Sector 13
Status: Sector mismatch
Path: Volume E:\, Sector 14
Status: Sector mismatch
Path: Volume E:\, Sector 15
Status: Sector mismatch
Path: Volume E:\, Sector 16
Status: Sector mismatch
Path: Volume E:\, Sector 17
Status: Sector mismatch
Path: Volume E:\, Sector 18
Status: Sector mismatch
Path: Volume E:\, Sector 19
Status: Sector mismatch
Path: Volume E:\, Sector 20
Status: Sector mismatch
Path: Volume E:\, Sector 21
Status: Sector mismatch
Path: Volume E:\, Sector 22
Status: Sector mismatch
Path: Volume E:\, Sector 23
Status: Sector mismatch
Path: Volume E:\, Sector 24
Status: Sector mismatch
Path: Volume E:\, Sector 25
Status: Sector mismatch
Path: Volume E:\, Sector 26
Status: Sector mismatch
Path: Volume E:\, Sector 27
Status: Sector mismatch
Path: Volume E:\, Sector 28
Status: Sector mismatch
Path: Volume E:\, Sector 29
Status: Sector mismatch
Path: Volume E:\, Sector 30
Status: Sector mismatch
Path: Volume E:\, Sector 31
Status: Sector mismatch
Path: Volume E:\, Sector 32
Status: Sector mismatch
Path: Volume E:\, Sector 33
Status: Sector mismatch
Path: Volume E:\, Sector 34
Status: Sector mismatch
Path: Volume E:\, Sector 35
Status: Sector mismatch
Path: Volume E:\, Sector 36
Status: Sector mismatch
Path: Volume E:\, Sector 37
Status: Sector mismatch
Path: Volume E:\, Sector 38
Status: Sector mismatch
Path: Volume E:\, Sector 39
Status: Sector mismatch
Path: Volume E:\, Sector 40
Status: Sector mismatch
Path: Volume E:\, Sector 41
Status: Sector mismatch
Path: Volume E:\, Sector 42
Status: Sector mismatch
Path: Volume E:\, Sector 43
Status: Sector mismatch
Path: Volume E:\, Sector 44
Status: Sector mismatch
Path: Volume E:\, Sector 45
Status: Sector mismatch
Path: Volume E:\, Sector 46
Status: Sector mismatch
Path: Volume E:\, Sector 47
Status: Sector mismatch
Path: Volume E:\, Sector 48
Status: Sector mismatch
Path: Volume E:\, Sector 49
Status: Sector mismatch
Path: Volume E:\, Sector 50
Status: Sector mismatch
Path: Volume E:\, Sector 51
Status: Sector mismatch
Path: Volume E:\, Sector 52
Status: Sector mismatch
Path: Volume E:\, Sector 53
Status: Sector mismatch
Path: Volume E:\, Sector 54
Status: Sector mismatch
Path: Volume E:\, Sector 55
Status: Sector mismatch
Path: Volume E:\, Sector 56
Status: Sector mismatch
Path: Volume E:\, Sector 57
Status: Sector mismatch
Path: Volume E:\, Sector 58
Status: Sector mismatch
Path: Volume E:\, Sector 59
Status: Sector mismatch
Path: Volume E:\, Sector 60
Status: Sector mismatch
Path: Volume E:\, Sector 61
Status: Sector mismatch
Path: Volume E:\, Sector 62
Status: Sector mismatch
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf878687e
#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf8786bfe
==EOF==
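The 1.3.5.0 report above is dominated by 62 near-identical "Sector mismatch" lines for E:\ and a set of size mismatches on registry transaction logs, which buries the two findings that deserve attention (the MBR alert on E:\ and the SSDT hooks). Below is an added example, not the poster's code and not part of RootRepeal, that parses this report format into a summary: sector mismatches are collapsed to one count per volume, size mismatches on hive .LOG files are bucketed separately (a heuristic of mine, stated in the code: hives and their transaction logs are held open by the kernel, so the API-vs-raw comparison disagrees on them on healthy systems too; the bucket is reported, not discarded), and SSDT hooks are grouped by the driver that installed them. The page's own logs show Lbd.sys created in the same minute as c:\program files\Lavasoft and registered as the R0 service "Lbd", which is the kind of cross-reference the grouped output is meant to prompt. The sample is a cut-down copy of the report above with the sector lines regenerated in a loop.

```python
"""Summarise a RootRepeal 1.3.x report for triage.

Added example for this thread; it is not the poster's code and not part of
RootRepeal. Section names and line shapes follow the report above. The
"registry transaction log" bucket is a heuristic assumption, noted inline.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SECTOR_RE = re.compile(r"^Volume (?P<vol>[A-Za-z]:\\), Sector (?P<n>\d+)$")
SIZE_RE = re.compile(r"^(?:Allocation size|Size) mismatch \(API: \d+, Raw: \d+\)$")
HOOK_RE = re.compile(r'^Hooked by "(?P<drv>[^"]+)" at address 0x[0-9a-fA-F]+$')
FUNC_RE = re.compile(r"^#: \d+ Function Name: (?P<fn>\w+)$")
# Assumption (heuristic): registry hives and their .LOG transaction files are
# held open by the kernel, so the API-vs-raw size comparison disagrees on them
# on a healthy system too. They are reported separately, not discarded.
REG_LOG_RE = re.compile(r"(\\ntuser\.dat\.log|\\system32\\config\\[a-z]+\.log)$", re.I)

Finding = Tuple[str, str, str]   # (section, subject, status)


def parse_report(text: str) -> List[Finding]:
    """Pair each 'Path:' or '#:' line with the 'Status:' line that follows it."""
    section, pending, findings = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "-=":
            continue                          # rules and ==EOF==
        if ":" not in line:
            section, pending = line, None     # bare section title
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Path":
            pending = value
        elif key == "#":
            m = FUNC_RE.match(line)
            pending = m["fn"] if m else value
        elif key == "Status" and pending is not None:
            findings.append((section, pending, value))
            pending = None
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    sectors: Dict[str, int] = defaultdict(int)
    hooks: Dict[str, List[str]] = defaultdict(list)
    out: Dict[str, object] = {
        "mbr_alerts": [], "registry_log_size_mismatch": [],
        "other_size_mismatch": [], "unclassified": [],
    }
    for section, subject, status in findings:
        if section == "Hidden/Locked Files":
            m = SECTOR_RE.match(subject)
            if m and status == "Sector mismatch":
                sectors[m["vol"]] += 1        # 62 lines collapse to one count
            elif "MBR Rootkit" in status:
                out["mbr_alerts"].append(subject)
            elif SIZE_RE.match(status):
                key = "registry_log_size_mismatch" if REG_LOG_RE.search(subject) else "other_size_mismatch"
                out[key].append(subject)
            else:
                out["unclassified"].append((subject, status))
        elif section == "SSDT":
            m = HOOK_RE.match(status)
            if m:
                hooks[m["drv"]].append(subject)
    out["sector_mismatch"] = dict(sectors)
    out["ssdt_hooks"] = dict(hooks)
    return out


# Constructed sample: a cut-down copy of the 1.3.5.0 report posted above, with
# the 62 E:\ sector lines regenerated in a loop.
SAMPLE_REPORT = "\n".join(
    [
        "ROOTREPEAL (c) AD, 2007-2009",
        "==================================================",
        "Scan Start Time: 2010/05/24 14:04",
        "Program Version: Version 1.3.5.0",
        "Drivers",
        "-------------------",
        "Name: rootrepeal.sys",
        "Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys",
        "Address: 0xEE546000 Size: 49152 File Visible: No Signed: -",
        "Status: -",
        "Hidden/Locked Files",
        "-------------------",
        "Path: C:\\Documents and Settings\\Liz\\ntuser.dat.LOG",
        "Status: Allocation size mismatch (API: 163840, Raw: 32768)",
        "Path: C:\\WINDOWS\\SYSTEM32\\CONFIG\\SYSTEM.LOG",
        "Status: Size mismatch (API: 1024, Raw: 61440)",
        "Path: C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\Microsoft Antimalware\\Support\\MPLog-05232010-191157.log",
        "Status: Allocation size mismatch (API: 1441792, Raw: 458752)",
        "Path: Volume E:\\",
        "Status: MBR Rootkit Detected!",
    ]
    + [f"Path: Volume E:\\, Sector {n}\nStatus: Sector mismatch" for n in range(1, 63)]
    + [
        "SSDT",
        "-------------------",
        "#: 041 Function Name: NtCreateKey",
        'Status: Hooked by "Lbd.sys" at address 0xf878687e',
        "#: 247 Function Name: NtSetValueKey",
        'Status: Hooked by "Lbd.sys" at address 0xf8786bfe',
        "==EOF==",
    ]
)


def triage_sample() -> Dict[str, object]:
    return summarize(parse_report(SAMPLE_REPORT))


if __name__ == "__main__":
    for k, v in triage_sample().items():
        print(f"{k}: {v}")
```

Run against the sample, the summary reduces 68 paired lines to one MBR alert, one sector count for E:\, two registry-log mismatches, one other mismatch (the Microsoft Antimalware support log, which was being written during the scan) and one driver holding two SSDT hooks. Whether the E:\ alert is real is not something the parser decides; it only makes sure the question is asked once rather than 63 times.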
-
Here is the DDS file. The attachment only has the attach.txt. When I try to run GMER, it either crashes or, after scanning for a bit, I get a Services message that a reboot is happening in 59 seconds.
DDS (Ver_10-03-17.01) - FAT32x86
Run by Liz at 11:41:32.98 on Mon 05/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.110 [GMT -6:00]
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
SVCHOST.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Documents and Settings\Liz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Liz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Liz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Liz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Liz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Liz\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://dons.com/
uInternet Connection Wizard,ShellNext = iexplore
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [EPSON Stylus Photo 820 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s0eic1.exe /a "c:\windows\system32\E_SD.tmp"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [nwiz] nwiz.exe /install
mRun: [siSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [EPSON Stylus Photo 820 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [securDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [inCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
=============== Created Last 30 ================
2010-05-24 17:21:13 0 ----a-w- c:\documents and settings\liz\defogger_reenable
2010-05-24 01:26:29 0 d-----w- c:\program files\Seagate
2010-05-24 01:26:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Seagate
2010-05-24 01:25:28 0 d-sh--w- c:\windows\ftpcache
2010-05-24 01:11:39 0 d-----w- c:\program files\Microsoft Security Essentials
2010-05-23 18:27:56 0 d-----w- C:\Steve
2010-05-23 18:21:27 0 d-----w- c:\program files\Trend Micro
2010-05-22 21:34:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-22 21:33:34 0 d--h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-22 21:33:09 0 d-----w- c:\program files\Lavasoft
2010-05-22 20:27:16 0 d-sh--w- C:\Recycled
2010-05-22 18:29:23 0 d-sha-r- C:\cmdcons
2010-05-22 18:26:48 98816 ----a-w- c:\windows\sed.exe
2010-05-22 18:26:48 77312 ----a-w- c:\windows\MBR.exe
2010-05-22 18:26:48 256512 ----a-w- c:\windows\PEV.exe
2010-05-22 18:26:48 161792 ----a-w- c:\windows\SWREG.exe
2010-05-22 17:35:28 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2010-05-22 17:20:22 0 d-----w- c:\windows\system32\appmgmt
2010-05-22 15:38:19 0 d--h--w- c:\windows\PIF
2010-05-21 23:12:22 0 d-----w- c:\docume~1\liz\applic~1\Malwarebytes
2010-05-21 23:11:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 23:11:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-21 23:11:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 23:11:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-17 15:05:31 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-17 15:05:31 215920 ----a-w- c:\windows\system32\muweb.dll
2010-05-17 15:05:31 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-05-16 01:21:33 221568 ------w- c:\windows\system32\MpSigStub.exe
==================== Find3M ====================
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-04 20:11:58 111 ----a-w- c:\program files\WS_FTP.LOG
2010-03-03 04:36:00 18702178 ----a-w- c:\program files\HB20100302203045.bkp
2010-02-25 17:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:08 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:26 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-01 21:26:56 98180904 ----a-w- c:\program files\iTunesSetup.exe
2005-12-21 03:59:36 349182 ----a-w- c:\program files\pow101m-upd.zip
2005-12-21 03:55:54 8922629 ----a-w- c:\program files\powsetup.exe
============= FINISH: 11:43:27.73 ===============
Cannot Connect to Service MBAM fails to load
in Malwarebytes for Windows Support Forum
Fix worked, thanks. Perhaps MBAM could detect when F-Secure is running and post a note about how to fix this. I spent a long night testing, installing, reinstalling, removing, and more along with documenting everything before I submitted a ticket. Thanks again - Steve