Spyware Protect 2009 not allowing download of anti-malware software

Hi everyone.

Spyware Protect 2009 recently hit our computer, and after some severe trial and error (and renaming), I was able to get Malwarebytes to run a system scan and put a stop to those annoying pop-up "warnings" from the crudware.

Unfortunately, Firefox is still running obscenely slow (as if remnants of the malware are still around), and many pages are blocked entirely. Conveniently enough, tons of anti-malware software links (like ComboFix) also fail to work in this condition. This is highly frustrating.

Here's what I got right now--a working version of Malwarebytes, a headache, and a slow-running computer that can't make in-depth logs.

All I got is this, and it's a bit...simplistic:

Malwarebytes' Anti-Malware 1.32

Database version: 1616

Windows 5.1.2600 Service Pack 3

3/1/2009 9:53:49 PM

mbam-log-2009-03-01 (21-53-49).txt

Scan type: Quick Scan

Objects scanned: 59370

Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

What's a guy to do??

Many thanks in advance~

Many thanks for the assistance! After transferring the programs from a CD, the computer is running much more smoothly. Here's the updated log:

ComboFix 09-03-01.01 - HP_Owner 2009-03-02 11:56:01.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.204 [GMT -6:00]

Running from: c:\documents and settings\HP_Owner\Desktop\rrr.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\UAChwupmltv.sys

c:\windows\system32\UACaaqlgmey.dll

c:\windows\system32\UACaiwicsyq.dll

c:\windows\system32\UACkiwmlbnu.dll

c:\windows\system32\UACkvqpnsaw.dll

c:\windows\system32\UACnqpckvgs.log

c:\windows\system32\UACsuygujgk.dat

c:\windows\system32\UACxsworbkk.log

c:\windows\system32\UACxtkuvvhh.log

c:\windows\system32\winsrc.dll.tmp

c:\windows\wiaserviv.log

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-02-02 to 2009-03-02 )))))))))))))))))))))))))))))))

.

2009-03-01 15:39 . 2009-03-02 10:02 <DIR> d-------- c:\program files\Malwarebytes NEW

2009-03-01 15:19 . 2009-03-01 15:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-01 00:30 . 2009-03-01 00:30 16,896 --a------ c:\windows\syssvc.exe

2009-03-01 00:30 . 2009-03-01 00:30 16,896 --a------ c:\windows\svcho.exe

2009-02-28 23:58 . 2009-03-02 06:08 5,516 --a------ c:\windows\system32\uacinit.dll

2009-02-11 16:59 . 2009-02-21 16:27 664 --a------ c:\windows\system32\d3d9caps.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-17 18:26 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Move Networks

2009-02-01 15:44 51,983 ----a-w c:\windows\Sysvxd.exe

2009-02-01 03:11 --------- d-----w c:\documents and settings\HP_Owner\Application Data\teamspeak2

2009-01-06 03:05 --------- d-----w c:\program files\Symantec AntiVirus

2009-01-06 02:46 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Malwarebytes

2009-01-06 02:46 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-06 02:33 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-06 02:22 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF

2009-01-06 02:22 8,014 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT

2009-01-06 02:22 48,768 ----a-w c:\windows\system32\S32EVNT1.DLL

2009-01-06 02:22 110,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS

2009-01-06 02:22 --------- d-----w c:\program files\Symantec

2009-01-06 02:22 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-01-04 19:34 --------- d-----w c:\program files\Common Files\AOL

2009-01-04 02:41 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP

2009-01-04 02:40 --------- d-----w c:\program files\Viewpoint

2009-01-04 02:40 --------- d-----w c:\documents and settings\HP_Owner\Application Data\acccore

2009-01-04 02:40 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2009-01-04 02:40 --------- d-----w c:\documents and settings\All Users\Application Data\acccore

2009-01-04 02:39 --------- d-----w c:\documents and settings\All Users\Application Data\AOL

2009-01-04 02:38 --------- d-----w c:\program files\AIM

2008-12-12 17:01 3,067,904 ----a-w c:\windows\system32\dllcache\mshtml.dll

2005-09-30 00:46 168 ----a-w c:\documents and settings\HP_Owner\Application Data\wklnhst.dat

2008-04-25 19:32 5,817,064 ----a-w c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

.

((((((((((((((((((((((((((((( snapshot@2009-01-05_15.40.55.81 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-12-19 20:06:53 155,136 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\accicons.exe

+ 2009-03-02 00:08:01 155,136 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\accicons.exe

- 2008-12-19 20:06:53 22,528 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\bindico.exe

+ 2009-03-02 00:08:01 22,528 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\bindico.exe

- 2008-12-19 20:06:53 73,216 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\fpicon.exe

+ 2009-03-02 00:08:01 73,216 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\fpicon.exe

- 2008-12-19 20:06:52 28,160 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\misc.exe

+ 2009-03-02 00:08:01 28,160 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\misc.exe

- 2008-12-19 20:06:53 104,960 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\outicon.exe

+ 2009-03-02 00:08:01 104,960 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\outicon.exe

- 2008-12-19 20:06:53 11,264 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\PEicons.exe

+ 2009-03-02 00:08:01 11,264 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\PEicons.exe

- 2008-12-19 20:06:53 30,208 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\pptico.exe

+ 2009-03-02 00:08:01 30,208 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\pptico.exe

- 2008-12-19 20:06:52 35,328 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\wordicon.exe

+ 2009-03-02 00:08:01 35,328 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\wordicon.exe

- 2008-12-19 20:06:52 69,120 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\xlicons.exe

+ 2009-03-02 00:08:01 69,120 ----a-r c:\windows\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\xlicons.exe

- 2008-12-19 20:06:28 12,288 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2009-02-28 12:58:19 12,288 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

- 2008-12-19 20:06:28 135,168 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2009-02-28 12:58:18 135,168 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2008-12-19 20:06:28 11,264 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

+ 2009-02-28 12:58:19 11,264 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2008-12-19 20:06:28 27,136 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2009-02-28 12:58:19 27,136 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2008-12-19 20:06:28 4,096 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2009-02-28 12:58:19 4,096 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2008-12-19 20:06:28 794,624 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2009-02-28 12:58:19 794,624 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2008-12-19 20:06:28 249,856 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2009-02-28 12:58:18 249,856 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2008-12-19 20:06:28 23,040 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

+ 2009-02-28 12:58:19 23,040 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2008-12-19 20:06:28 286,720 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2009-02-28 12:58:18 286,720 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2008-12-19 20:06:28 409,600 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2009-02-28 12:58:18 409,600 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

- 2000-08-31 14:00:00 28,672 ----a-w c:\windows\NIRCMD.exe

+ 2000-08-31 14:00:00 29,696 ----a-w c:\windows\NIRCMD.exe

+ 2009-03-01 06:30:47 64,512 ----a-w c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common\09b660481.dll

- 2009-01-05 21:36:30 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-03-02 16:02:14 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-01-05 21:36:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-03-02 16:02:14 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-01-05 21:36:37 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-03-02 16:02:14 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Jsv"="c:\documents and settings\HP_Owner\Application Data\F?nts\m?config.exe" [?]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"rundll32.exe"="c:\documents and settings\HP_Owner\Application Data\Macromedia\Common\09b660481.dll" [2009-03-01 00:30 64512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-04-24 180269]

"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2006-10-23 40048]

"lxdkmon.exe"="c:\program files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-21 455344]

"lxdkamon"="c:\program files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 20480]

"Lexmark 5300 Series Fax Server"="c:\program files\Lexmark 5300 Series\fm3032.exe" [2007-06-21 307888]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"rundll32.exe"="c:\documents and settings\HP_Owner\Application Data\Macromedia\Common\09b660481.dll" [2009-03-01 00:30 64512]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]

"svcho"="c:\windows\svcho.exe" [2009-03-01 16896]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

AutoTBar.exe [2003-09-30 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-05-10 738968]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-05 258048]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"wave1"= c:\docume~1\HP_Owner\APPLIC~1\MACROM~1\Common\09b660481.dll

"midi1"= c:\docume~1\HP_Owner\APPLIC~1\MACROM~1\Common\09b660481.dll

"mixer1"= c:\docume~1\HP_Owner\APPLIC~1\MACROM~1\Common\09b660481.dll

"midi2"= c:\docume~1\HP_Owner\APPLIC~1\MACROM~1\Common\09b660481.dll

"aux2"= c:\docume~1\HP_Owner\APPLIC~1\MACROM~1\Common\09b660481.dll

"wave2"= c:\docume~1\HP_Owner\APPLIC~1\MACROM~1\Common\09b660481.dll

"aux1"= c:\docume~1\HP_Owner\APPLIC~1\MACROM~1\Common\09b660481.dll

"mixer2"= c:\docume~1\HP_Owner\APPLIC~1\MACROM~1\Common\09b660481.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\WINDOWS\\system32\\lxdkcoms.exe"=

"c:\\Program Files\\Lexmark 5300 Series\\lxdkamon.exe"=

"c:\\Program Files\\Lexmark 5300 Series\\frun.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=

"c:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"=

"c:\\Program Files\\Lexmark 5300 Series\\LXDKFax.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkwbgw.exe"=

"c:\\Program Files\\Steam\\steamapps\\thekillerbeanz\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\WINDOWS\\svcho.exe"=

R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]

R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [2008-04-06 99248]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2009-01-03 24652]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-01 101936]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-03-14 116416]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f4666b0-fa3e-11db-bf7e-0011d8e3f2b7}]

\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc2d2a5b-fe50-11db-bf83-0011d8e3f2b7}]

\Shell\AutoRun\command - J:\LaunchU3.exe

.

Contents of the 'Scheduled Tasks' folder

2008-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-01 c:\windows\Tasks\At1.job

- c:\windows\system32\tMUU32am.exe []

2009-03-01 c:\windows\Tasks\At10.job

- c:\windows\system32\tMUU32am.exe []

2009-03-02 c:\windows\Tasks\At11.job

- c:\windows\system32\tMUU32am.exe []

2009-03-01 c:\windows\Tasks\At12.job

- c:\windows\system32\tMUU32am.exe []

2009-03-01 c:\windows\Tasks\At13.job

- c:\windows\system32\tMUU32am.exe []

2009-03-01 c:\windows\Tasks\At14.job

- c:\windows\system32\tMUU32am.exe []

2009-03-01 c:\windows\Tasks\At15.job

- c:\windows\system32\tMUU32am.exe []

2009-03-01 c:\windows\Tasks\At16.job

- c:\windows\system32\tMUU32am.exe []

2009-03-01 c:\windows\Tasks\At17.job

- c:\windows\system32\tMUU32am.exe []

2009-03-01 c:\windows\Tasks\At18.job

- c:\windows\system32\tMUU32am.exe []

2009-03-02 c:\windows\Tasks\At19.job

- c:\windows\system32\tMUU32am.exe []

2009-03-01 c:\windows\Tasks\At2.job

- c:\windows\system32\tMUU32am.exe []

2009-03-02 c:\windows\Tasks\At20.job

- c:\windows\system32\tMUU32am.exe []

2009-03-02 c:\windows\Tasks\At21.job

- c:\windows\system32\tMUU32am.exe []

2009-03-01 c:\windows\Tasks\At22.job

- c:\windows\system32\tMUU32am.exe []

2009-03-02 c:\windows\Tasks\At23.job

- c:\windows\system32\tMUU32am.exe []

2009-03-02 c:\windows\Tasks\At24.job

- c:\windows\system32\tMUU32am.exe []

2009-03-01 c:\windows\Tasks\At25.job

- c:\windows\system32\DDCuMl1x.exe []

2009-03-01 c:\windows\Tasks\At26.job

- c:\windows\system32\DDCuMl1x.exe []

2009-02-16 c:\windows\Tasks\At27.job

- c:\windows\system32\DDCuMl1x.exe []

2009-01-11 c:\windows\Tasks\At28.job

- c:\windows\system32\DDCuMl1x.exe []

2009-01-11 c:\windows\Tasks\At29.job

- c:\windows\system32\DDCuMl1x.exe []

2009-02-16 c:\windows\Tasks\At3.job

- c:\windows\system32\tMUU32am.exe []

2009-01-22 c:\windows\Tasks\At30.job

- c:\windows\system32\DDCuMl1x.exe []

2009-01-30 c:\windows\Tasks\At31.job

- c:\windows\system32\DDCuMl1x.exe []

2009-02-28 c:\windows\Tasks\At32.job

- c:\windows\system32\DDCuMl1x.exe []

2009-03-01 c:\windows\Tasks\At33.job

- c:\windows\system32\DDCuMl1x.exe []

2009-03-01 c:\windows\Tasks\At34.job

- c:\windows\system32\DDCuMl1x.exe []

2009-03-02 c:\windows\Tasks\At35.job

- c:\windows\system32\DDCuMl1x.exe []

2009-03-01 c:\windows\Tasks\At36.job

- c:\windows\system32\DDCuMl1x.exe []

2009-03-01 c:\windows\Tasks\At37.job

- c:\windows\system32\DDCuMl1x.exe []

2009-03-01 c:\windows\Tasks\At38.job

- c:\windows\system32\DDCuMl1x.exe []

2009-03-01 c:\windows\Tasks\At39.job

- c:\windows\system32\DDCuMl1x.exe []

2009-01-11 c:\windows\Tasks\At4.job

- c:\windows\system32\tMUU32am.exe []

2009-03-01 c:\windows\Tasks\At40.job

- c:\windows\system32\DDCuMl1x.exe []

2009-03-01 c:\windows\Tasks\At41.job

- c:\windows\system32\DDCuMl1x.exe []

2009-03-01 c:\windows\Tasks\At42.job

- c:\windows\system32\DDCuMl1x.exe []

2009-03-02 c:\windows\Tasks\At43.job

- c:\windows\system32\DDCuMl1x.exe []

2009-03-02 c:\windows\Tasks\At44.job

- c:\windows\system32\DDCuMl1x.exe []

2009-03-02 c:\windows\Tasks\At45.job

- c:\windows\system32\DDCuMl1x.exe []

2009-03-01 c:\windows\Tasks\At46.job

- c:\windows\system32\DDCuMl1x.exe []

2009-03-02 c:\windows\Tasks\At47.job

- c:\windows\system32\DDCuMl1x.exe []

2009-03-02 c:\windows\Tasks\At48.job

- c:\windows\system32\DDCuMl1x.exe []

2009-01-11 c:\windows\Tasks\At5.job

- c:\windows\system32\tMUU32am.exe []

2009-01-22 c:\windows\Tasks\At6.job

- c:\windows\system32\tMUU32am.exe []

2009-01-30 c:\windows\Tasks\At7.job

- c:\windows\system32\tMUU32am.exe []

2009-02-28 c:\windows\Tasks\At8.job

- c:\windows\system32\tMUU32am.exe []

2009-03-01 c:\windows\Tasks\At9.job

- c:\windows\system32\tMUU32am.exe []

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-realtehs - c:\documents and settings\HP_Owner\Application Data\Google\vgwsn871850.exe

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\nijfadja.default\

FF - prefs.js: browser.startup.homepage - hxxp://home.eatel.net/

FF - plugin: c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\nijfadja.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-02 12:00:43

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3840908196-711090995-2060894044-1009\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

Completion time: 2009-03-02 12:03:27

ComboFix-quarantined-files.txt 2009-03-02 18:03:10

ComboFix2.txt 2009-01-05 21:42:05

Pre-Run: 107,361,542,144 bytes free

Post-Run: 107,433,955,328 bytes free

330 --- E O F --- 2008-12-22 00:07:57

Also, I ran ComboFix before running Malwarebytes again, so Malwarebytes picked out a single infected file afterwards:

Files Infected:

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

So what's the next logical step?

Thanks again~

  • Root Admin

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

File::
c:\windows\syssvc.exe
c:\windows\svcho.exe
c:\windows\system32\uacinit.dll
c:\windows\Sysvxd.exe
c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common\09b660481.dll
c:\documents and settings\HP_Owner\Application Data\F?nts\m?config.exe
c:\documents and settings\HP_Owner\Application Data\Macromedia\Common\09b660481.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jsv"=-
"rundll32.exe"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"rundll32.exe"=-
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"svcho"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"="wdmaud.drv"
"aux2"="wdmaud.drv"
"midi1"="wdmaud.drv"
"midi2"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"wave1"="wdmaud.drv"
"wave2"="wdmaud.drv"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f4666b0-fa3e-11db-bf7e-0011d8e3f2b7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc2d2a5b-fe50-11db-bf83-0011d8e3f2b7}]

AtJob::

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., set the location to your Desktop, and enter "CFscript.txt" (including the quotation marks) as the filename.

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

[image: CFScript.gif]

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes, Notepad will open with your results log. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Click on START - RUN and type in or copy / paste NETSH FIREWALL RESET (there is a space between each word) then hit the OK button.

STEP 03

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

STEP 04

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.
When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt
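As an added triage example (not from the thread, ComboFix or Malwarebytes), this Python script walks the registry-loading-point and scheduled-task sections of a ComboFix log like the one above and flags the same classes of entries the CFScript targets: the drivers32 audio entries pointed at 09b660481.dll (which any process that touches multimedia APIs, browsers included, will then load), the Run entries launching from the user profile, the disabled Security Center monitoring and firewall, the firewall exception for svcho.exe in the Windows root, and the At*.job tasks whose target has no version info. The embedded sample log is constructed from lines in the thread, with midi1 set to a clean value as a control.

```python
"""Triage the 'Reg Loading Points' and 'Scheduled Tasks' sections of a ComboFix log.
Added example for this thread, not ComboFix, Malwarebytes or forum-staff code; the
patterns it flags are the ones visible in the log posted above."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines taken from the thread's log, midi1 set to a clean control value.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]
"rundll32.exe"="c:\documents and settings\HP_Owner\Application Data\Macromedia\Common\09b660481.dll" [2009-03-01 00:30 64512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"= c:\docume~1\HP_Owner\APPLIC~1\MACROM~1\Common\09b660481.dll
"midi1"= wdmaud.drv
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\svcho.exe"=
2008-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-03-01 c:\windows\Tasks\At1.job
- c:\windows\system32\tMUU32am.exe []
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>c:\\windows\\tasks\\.+\.job)$", re.I)
JOB_TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<ver>[^\]]*)\]$")
USER_PROFILE_HINTS = ("\\documents and settings\\", "\\docume~1\\")
# Security Center values that, when set to 1, silence the tray warnings a user would otherwise see.
SECURITY_CENTER_FLAGS = {"updatesdisablenotify", "firewalloverride", "disablemonitoring"}


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Single pass over the log, tracking the current registry key and any pending .job line."""
    findings: list[Finding] = []
    key, job = "", None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group("key").lower()
            continue
        if m := JOB_RE.match(line):
            job = m.group("job")
            continue
        if (m := JOB_TARGET_RE.match(line)) and job:
            if m.group("ver") == "":  # ComboFix prints [] when the target carries no version/date info
                findings.append(Finding("task", f"{job} -> {m.group('target')} (no version info)"))
            job = None
            continue
        if not (m := VALUE_RE.match(line)):
            continue
        name, data = m.group("name").lower(), m.group("data").strip()
        lower = data.lower()
        if key.endswith("\\run") and any(h in lower for h in USER_PROFILE_HINTS):
            findings.append(Finding("run", f"{name} launches from a user profile: {data}"))
        elif key.endswith("\\drivers32") and "wdmaud.drv" not in lower:
            findings.append(Finding("drivers32", f"{name} redirected to {data}"))
        elif "security center" in key and name in SECURITY_CENTER_FLAGS and lower.endswith("00000001"):
            findings.append(Finding("security_center", f"{name} = 1 (warning suppressed)"))
        elif "firewallpolicy" in key and name == "enablefirewall" and lower.startswith("0"):
            findings.append(Finding("firewall", "EnableFirewall = 0 (Windows Firewall off)"))
        elif key.endswith("\\authorizedapplications\\list"):
            path = name.replace("\\\\", "\\")  # ComboFix doubles the backslashes in these names
            if path.rsplit("\\", 1)[0] in ("c:\\windows", "%windir%"):
                findings.append(Finding("firewall", f"exception for a file in the Windows root: {path}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}")
```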

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
