
Malwarebytes, HijackThis, anti-malware programs won't run



I see similar posts from other people, but haven't been able to leverage them to solve my problem. Several programs (Malwarebytes, AdAware, RegistryFix, GMER, HijackThis) will not run on my XP SP2 system. The symptoms are the same in all cases: I install the program, launch it, start a scan, and the program closes within seconds; it cannot be re-opened unless I uninstall and reinstall. Renaming the executables and installers does not help (I've tried with all of these programs).

Can anyone point me in the right direction? Thanks!


  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

But use this version: http://download.bleepingcomputer.com/sUBs/...x++/sVchost.com (this is a modified version of Combofix since normal Combofix won't work in your case)

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


I followed your instructions, including deactivation of Avira's antivirus and firewall facilities.

One question before getting to the results:

Combofix asked if I had Windows XP Home Edition. I believe I said "No," because I have the Professional edition (SP2). However, when it installed the Recovery Console, the messages on screen referred to installation of the Recovery Console for Windows XP Home Edition. Do I need to uninstall Recovery Console for Home Edition, and manually install the version for Professional?

Combofix ran without errors, and deleted and restored some files. I can quickly see these improvements:

1) GMER no longer shows the strange DLL (\\?\globalroot\Device\__max++>\289A8304.x86.dll) that had been attached to several processes, which is good.

2) I had not been able to start a command window (CMD.EXE), and now I can.

3) MS Outlook had not been able to load MS Word as my editor, and now it can.

I don't know if everything is perfect, but this is a big improvement! Thanks!

Combofix log follows. I look forward to your conclusions.

===

ComboFix Beta_09-08-18.01 - Kevin Thompson 08/18/2009 12:02.1.2 - NTFSx86

Running from: c:\program files\Combofix\sVchost.com

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}

FW: Avira Firewall *disabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Kevin Thompson\Local Settings\Temporary Internet Files\Pre11.tmp

c:\documents and settings\Kevin Thompson\Local Settings\Temporary Internet Files\Pre1A.tmp

c:\documents and settings\Kevin Thompson\Local Settings\Temporary Internet Files\Pre1D.tmp

c:\documents and settings\Kevin Thompson\Local Settings\Temporary Internet Files\webex.ini

c:\program files\FunWebProducts

c:\windows\Downloaded Program Files\Install.inf

c:\windows\Fonts\WPHV07NB.TTF

c:\windows\Installer\19608d8.msi

c:\windows\Installer\1e615.msi

c:\windows\Installer\7ce8c.msi

c:\windows\system32\sonhelp.htm

c:\windows\system32\tapi.nfo

Infected copy of c:\windows\system32\scecli.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\scecli.dll

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\system32\dllcache\proquota.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))

.

2009-08-18 19:05 . 2004-08-04 12:00 50176 ----a-w- c:\windows\system32\proquota.exe

2009-08-18 18:45 . 2009-08-18 18:55 -------- d-----w- c:\program files\Combofix

2009-08-16 20:27 . 2009-08-16 20:27 185344 ----a-w- c:\windows\system32\drivers\KeDetective130.sys

2009-08-16 19:56 . 2009-08-18 07:09 -------- d-----w- c:\program files\gmerprogram

2009-08-16 19:09 . 2009-08-16 20:50 -------- d-----w- c:\program files\KernDet

2009-08-16 19:07 . 2009-08-16 19:57 -------- d-----w- c:\program files\RadIns

2009-08-16 04:35 . 2009-08-18 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan

2009-08-16 04:05 . 2009-08-18 04:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-16 03:21 . 2009-08-16 03:23 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-08-16 02:44 . 2004-08-04 07:56 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll

2009-08-16 02:44 . 2001-08-18 05:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll

2009-08-16 02:44 . 2001-08-18 05:36 17408 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll

2009-08-16 02:42 . 2004-08-04 05:29 33599 -c--a-w- c:\windows\system32\dllcache\watv04nt.sys

2009-08-16 02:41 . 2001-08-17 20:28 793598 -c--a-w- c:\windows\system32\dllcache\usr1806.sys

2009-08-16 02:40 . 2001-08-17 19:51 159232 -c--a-w- c:\windows\system32\dllcache\tridkbm.sys

2009-08-16 02:39 . 2001-08-17 19:50 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys

2009-08-16 02:38 . 2001-08-17 20:51 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys

2009-08-16 02:37 . 2004-08-04 07:56 73796 -c--a-w- c:\windows\system32\dllcache\slserv.exe

2009-08-16 02:36 . 2001-08-17 20:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys

2009-08-16 02:35 . 2001-08-18 05:36 26624 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll

2009-08-16 02:34 . 2001-08-17 20:28 130942 -c--a-w- c:\windows\system32\dllcache\ptserlv.sys

2009-08-16 02:33 . 2001-08-17 19:11 35328 -c--a-w- c:\windows\system32\dllcache\pcntpci5.sys

2009-08-16 02:32 . 2001-08-17 19:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys

2009-08-16 02:31 . 2001-08-17 19:11 52255 -c--a-w- c:\windows\system32\dllcache\n1000nt5.sys

2009-08-16 02:30 . 2001-08-17 19:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys

2009-08-16 02:29 . 2001-08-18 05:36 242176 -c--a-w- c:\windows\system32\dllcache\kdsusd.dll

2009-08-16 02:28 . 2001-08-18 05:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll

2009-08-16 02:27 . 2001-08-17 20:28 44863 -c--a-w- c:\windows\system32\dllcache\hsf_soar.sys

2009-08-16 02:26 . 2001-08-17 20:28 907456 -c--a-w- c:\windows\system32\dllcache\hcf_msft.sys

2009-08-16 02:25 . 2001-08-18 05:36 45568 -c--a-w- c:\windows\system32\dllcache\esunib.dll

2009-08-16 02:24 . 2001-08-17 21:07 20192 -c--a-w- c:\windows\system32\dllcache\dpti2o.sys

2009-08-16 02:23 . 2001-08-17 19:19 93952 -c--a-w- c:\windows\system32\dllcache\cwcwdm.sys

2009-08-16 02:22 . 2001-08-17 20:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys

2009-08-16 02:21 . 2004-08-04 05:29 30671 -c--a-w- c:\windows\system32\dllcache\ati1raxx.sys

2009-08-14 22:12 . 2009-08-16 03:13 -------- d-----w- c:\program files\RooRevealer

2009-08-14 21:33 . 2009-08-14 21:33 -------- d-----w- c:\program files\TM

2009-08-14 21:28 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-14 21:28 . 2009-08-16 22:42 -------- d-----w- c:\program files\mb

2009-08-14 21:28 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-13 02:17 . 2009-08-13 18:36 -------- d-----w- c:\program files\tool

2009-08-12 20:26 . 2009-08-12 20:26 -------- d-----w- c:\program files\RootRepeal

2009-08-12 05:15 . 2009-08-18 03:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}

2009-08-12 05:15 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe

2009-08-12 05:15 . 2009-08-18 03:23 -------- d-----w- c:\program files\Lavasoft

2009-08-11 09:12 . 2009-08-11 09:12 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\Avira

2009-08-11 08:18 . 2009-05-08 21:13 97608 ----a-w- c:\windows\system32\drivers\avfwot.sys

2009-08-11 08:18 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-08-11 08:18 . 2009-02-24 20:06 69632 ----a-w- c:\windows\system32\drivers\avfwim.sys

2009-08-11 08:18 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-08-11 08:18 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-08-11 08:18 . 2009-08-14 19:46 -------- d-----w- c:\program files\Avira

2009-08-11 08:18 . 2009-08-11 08:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-08-11 04:15 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-10 23:07 . 2009-08-10 23:07 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\Malwarebytes

2009-08-10 23:07 . 2009-08-10 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-10 19:12 . 2009-08-10 19:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Subversion

2009-08-10 04:09 . 2009-08-10 04:09 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\UClick

2009-08-10 01:12 . 2009-08-10 01:12 -------- d-----w- c:\windows\system32\wbem\Repository

2009-08-10 01:10 . 2009-08-10 01:11 -------- dc----w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}(2)

2009-08-10 00:52 . 2009-07-15 18:48 29000 ----a-w- c:\windows\system32\uxtuneup(2).dll

2009-08-10 00:52 . 2009-08-10 00:52 361288 ----a-w- c:\windows\system32\TuneUpDefragService(2).exe

2009-08-10 00:52 . 2009-08-10 00:52 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\TuneUp Software

2009-08-10 00:51 . 2009-08-10 01:11 -------- d-----w- c:\program files\TuneUp Utilities 2009

2009-08-10 00:51 . 2009-08-10 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software

2009-08-09 23:10 . 2009-08-09 23:10 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\URSoft

2009-08-09 23:00 . 2009-08-09 23:00 -------- d-----w- c:\program files\VS Revo Group

2009-08-09 02:13 . 2009-08-09 02:13 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\SUPERAntiSpyware.com

2009-08-09 01:52 . 2009-08-10 01:12 -------- d-----w- c:\program files\Norton Support

2009-08-08 23:41 . 2009-08-09 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-08-08 23:41 . 2009-08-09 00:15 -------- d-----w- c:\program files\NOS

2009-08-08 07:13 . 2009-08-10 17:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Microsoft

2009-08-08 07:11 . 2009-08-08 07:11 -------- d-sh--w- C:\found.000

2009-08-04 11:03 . 2009-08-04 11:04 108945018 ----a-w- C:\F_1249383830.reg

2009-07-31 00:10 . 2009-07-31 00:12 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\Super-Cow

2009-07-31 00:07 . 2008-10-10 11:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll

2009-07-31 00:07 . 2008-10-10 11:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll

2009-07-31 00:07 . 2008-10-10 11:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll

2009-07-31 00:07 . 2008-10-27 17:04 514384 ----a-w- c:\windows\system32\XAudio2_3.dll

2009-07-31 00:07 . 2008-10-27 17:04 235856 ----a-w- c:\windows\system32\xactengine3_3.dll

2009-07-31 00:07 . 2008-10-27 17:04 70992 ----a-w- c:\windows\system32\XAPOFX1_2.dll

2009-07-31 00:07 . 2008-10-27 17:04 23376 ----a-w- c:\windows\system32\X3DAudio1_5.dll

2009-07-31 00:02 . 2009-07-31 00:02 -------- d-----w- c:\program files\Disney Interactive Studios

2009-07-30 03:52 . 2009-07-30 03:52 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\ERS G-Studio

2009-07-26 21:04 . 2009-07-26 21:04 -------- d-----w- c:\documents and settings\Helen Thompson\Application Data\Big Fish Games

2009-07-26 21:03 . 2009-07-26 21:03 -------- d-----w- c:\program files\Tasty Planet

2009-07-26 21:01 . 2009-07-26 21:01 -------- d-----w- c:\program files\Supercow

2009-07-26 20:55 . 2009-07-26 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Fish Games

2009-07-26 20:55 . 2009-07-26 20:55 -------- d-----w- c:\program files\Jigs@w Puzzle 2

2009-07-26 20:53 . 2009-07-26 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\EscapeFromParadise2

2009-07-26 20:52 . 2009-07-28 02:42 -------- d-----w- c:\program files\Escape From Paradise 2 - A Kingdom's Quest

2009-07-25 03:31 . 2009-07-26 21:52 -------- d-----w- c:\program files\Pet Pals Animal Doctor

2009-07-25 02:41 . 2009-07-25 02:41 -------- d-----w- c:\documents and settings\Helen Thompson\Application Data\ERS G-Studio

2009-07-25 01:24 . 2009-07-25 01:25 -------- d-----w- c:\program files\Many Years Ago

2009-07-21 22:19 . 2009-07-21 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy

2009-07-21 04:22 . 2009-07-21 05:42 -------- d-----w- c:\program files\World of Goo

2009-07-20 06:12 . 2009-07-20 06:12 -------- d-----w- c:\temp\org

2009-07-20 00:53 . 2009-07-20 00:53 -------- d-----w- c:\documents and settings\Helen Thompson\Application Data\UClick

2009-07-20 00:53 . 2009-07-20 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\UClick

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-18 19:09 . 2008-03-15 23:02 -------- d-----w- c:\program files\IDrive

2009-08-18 09:28 . 2007-05-22 20:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-18 05:16 . 2007-03-29 04:10 -------- d-----w- c:\program files\WinHex

2009-08-18 05:00 . 2007-11-17 17:40 -------- d-----w- c:\program files\Yahoo!

2009-08-18 03:40 . 2009-06-14 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner

2009-08-18 03:23 . 2007-09-30 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-08-17 06:44 . 2007-04-04 07:59 59160 ----a-w- c:\documents and settings\Kevin Thompson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-14 20:12 . 2008-11-17 20:47 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-08-14 19:25 . 2007-03-26 04:22 -------- d-----w- c:\program files\Metapad

2009-08-12 03:55 . 2008-07-05 18:40 -------- d-----w- c:\program files\Ranch Rush

2009-08-11 07:57 . 2007-03-26 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-08-11 07:52 . 2008-10-09 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-08-11 07:44 . 2007-03-29 03:35 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\Skype

2009-08-11 07:20 . 2007-03-26 04:19 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-11 02:57 . 2008-12-05 23:47 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\skypePM

2009-08-10 18:34 . 2009-02-02 05:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-10 17:47 . 2007-07-27 01:48 -------- d-----w- c:\documents and settings\Helen Thompson\Application Data\Skype

2009-08-10 17:38 . 2008-12-18 05:44 -------- d-----w- c:\documents and settings\Helen Thompson\Application Data\skypePM

2009-08-10 04:08 . 2007-05-26 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache

2009-08-10 03:37 . 2008-10-18 06:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-10 03:26 . 2008-10-09 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-08 23:36 . 2007-03-26 02:55 -------- d-----w- c:\program files\Common Files\Adobe

2009-08-08 07:36 . 2008-04-10 02:16 -------- d-----w- c:\program files\NSecurityScan

2009-08-08 02:15 . 2009-05-14 21:04 -------- d-----w- c:\program files\Sony Online Entertainment

2009-08-07 22:06 . 2007-12-04 00:00 -------- d-----w- c:\documents and settings\Helen Thompson\Application Data\DivX

2009-07-31 00:02 . 2007-03-25 23:22 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-07-19 05:01 . 2009-07-19 03:18 -------- d-----w- c:\program files\Avalon

2009-07-18 23:49 . 2008-02-07 05:22 -------- d-----w- c:\program files\Nancy Drew - Legend of the Crystal Skull - Strategy Guide

2009-07-18 23:11 . 2007-04-05 23:36 -------- d-----w- c:\program files\The Learning Company

2009-07-17 20:48 . 2009-06-11 20:00 -------- d-----w- c:\program files\Mahjong Towers Eternity

2009-07-16 22:37 . 2007-04-14 19:47 -------- d-----w- c:\documents and settings\Helen Thompson\Application Data\PlayFirst

2009-07-10 22:15 . 2008-12-26 17:36 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\PlayFirst

2009-07-10 22:15 . 2008-01-24 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst

2009-07-10 04:56 . 2009-07-10 04:56 -------- d-----w- c:\program files\Emerald City Confidential

2009-07-03 04:21 . 2009-07-03 04:21 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\InstallShield

2009-06-27 19:50 . 2009-02-01 03:11 -------- d-----w- c:\program files\Hidden Secrets - The Nightmare

2009-06-27 03:01 . 2007-04-14 19:25 19 ----a-w- c:\windows\popcinfo.dat

2009-06-21 01:42 . 2007-06-30 14:20 -------- d-----w- c:\program files\Professor Fizzwizzle and the Molten Mystery

2009-06-03 05:37 . 2009-06-03 05:37 390664 ----a-w- c:\documents and settings\Kevin Thompson\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

2008-06-01 16:43 . 2008-06-01 16:43 0 ----a-w- c:\program files\temp01

2009-04-30 04:05 . 2009-04-30 04:05 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2009-04-30 04:05 . 2009-04-30 04:05 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2009-04-30 04:06 . 2009-04-30 04:06 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll

2009-04-30 04:06 . 2009-04-30 04:06 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Uniblue Registry Booster2"="c:\program files\Uniblue\RegistryBooster2\RegistryBooster.exe" [2007-04-23 1645088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2009-03-16 01:15 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Registration.lnk]

backup=c:\windows\pss\Corel Registration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Application Director 9.LNK]

backup=c:\windows\pss\Desktop Application Director 9.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk]

backup=c:\windows\pss\Device Detector 3.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Directrec Configuration Tool.lnk]

backup=c:\windows\pss\Directrec Configuration Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk

backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Skype.lnk]

backup=c:\windows\pss\Skype.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Thompson^Start Menu^Programs^Startup^IDrive Tray.lnk]

backup=c:\windows\pss\IDrive Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Thompson^Start Menu^Programs^Startup^QuickShelf 2000.lnk]

backup=c:\windows\pss\QuickShelf 2000.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Thompson^Start Menu^Programs^Startup^SDK Tray Menu.lnk]

backup=c:\windows\pss\SDK Tray Menu.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\e-Campaign 6\\eCampaign.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]

R3 CAIQ;CAIQ;c:\docume~1\KEVINT~1\LOCALS~1\Temp\CAIQ.exe [x]

R3 OTTFRYC;OTTFRYC;c:\docume~1\KEVINT~1\LOCALS~1\Temp\OTTFRYC.exe [x]

R3 PNDLXZPOW;PNDLXZPOW;c:\docume~1\KEVINT~1\LOCALS~1\Temp\PNDLXZPOW.exe [x]

R3 SDTHelper;Helper driver for SDT-Tool;c:\program files\RadIns\sdthlpr.sys [2009-05-22 13385]

R3 WLOOTXIUDBSJWSMCL;WLOOTXIUDBSJWSMCL;c:\docume~1\KEVINT~1\LOCALS~1\Temp\WLOOTXIUDBSJWSMCL.exe [x]

R4 JJLRGHIFYZEAAVXMKIE;JJLRGHIFYZEAAVXMKIE;c:\docume~1\KEVINT~1\LOCALS~1\Temp\JJLRGHIFYZEAAVXMKIE.exe [x]

S1 avfwot;avfwot;c:\windows\system32\DRIVERS\avfwot.sys [2009-05-08 97608]

S2 AntiVirFirewallService;Avira Firewall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [2009-05-11 388865]

S2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [2009-05-11 194817]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]

S2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\AVWEBGRD.EXE [2009-05-12 434945]

S2 IDriveE Service;IDriveE Service;c:\program files\IDrive\IDriveE Service.exe [2008-03-14 128464]

S2 Perforce;Perforce;c:\progra~1\Perforce\p4s.exe [2007-08-08 978944]

S3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\DRIVERS\avfwim.sys [2009-02-24 69632]

.

Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-RRT-Auto - c:\documents and settings\Kevin Thompson\Desktop\RRT.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZRfox000

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} - hxxps://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab

DPF: {8ACDC08B-DC64-4613-97F2-299B65F66E1D} - hxxp://www.digimeld.com/download/digimeldOcx.CAB

FF - ProfilePath - c:\documents and settings\Kevin Thompson\Application Data\Mozilla\Firefox\Profiles\wxgsy5sq.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/r/ch

FF - plugin: c:\progra~1\SONYON~1\npsoe.dll

FF - plugin: c:\program files\Common Files\ParallelGraphics\Cortona\npCortona.dll

FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJava11.dll

FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJava12.dll

FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJava13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJava14.dll

FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJava32.dll

FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJPI142_14.dll

FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCortona.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 12:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1152)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(1208)
c:\program files\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(7896)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Olympus\DeviceDetector\DM1Service.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Perforce\p4s.exe
c:\windows\system32\locator.exe
c:\program files\IDrive\IDriveETray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-18 12:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 19:15

Pre-Run: 243,556,720,640 bytes free
Post-Run: 244,896,313,344 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

388 --- E O F --- 2009-01-14 08:18


  • Staff

Hi,

The recovery console installed fine here, so no worries. :(

Go to start > run and copy and paste the next commands in the field, one by one, and hit enter after each command:

sc delete CAIQ

sc delete OTTFRYC

sc delete PNDLXZPOW

sc delete WLOOTXIUDBSJWSMCL

sc delete JJLRGHIFYZEAAVXMKIE

Then,

* Go to start > run and copy and paste next command in the field:

"c:\program files\Combofix\sVchost.com" /u

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


Mieke,

The service deletion and Combofix uninstall worked without problems. I decided to do some scanning to see if anything else was left, and here's what I've found so far.

1) GMER hung my system about eight hours (!) into its Files scan. I saw these error dialogs:

Windows - Application Error

"The application failed to initialize properly (0xc0000017). Click on OK to terminate the application."

My mouse wouldn't work, but alt-tabbing to the dialog let me hit Enter to click the OK button. This led me to the next dialog,

"Windows was unable to save all the data for the file \Device\HarddiskVolume1\Documents and Settings\MyAccount\Local Settings. The data has been lost. This error may be caused by a failure of your computer hardware or network."

The same alt-tab approach got me through two more dialogs of the same type, but with different directories, namely:

C:\Windows\System32

$BitMap (I think; I didn't write the whole path, and can't find this directory now)

After this, I had to hit the power switch in order to reboot.

Next I ran Malwarebytes Quick Scan, which produced this log:

Malwarebytes' Anti-Malware 1.40
Database version: 2627
Windows 5.1.2600 Service Pack 2

8/18/2009 11:08:31 PM
mbam-log-2009-08-18 (23-08-26).txt

Scan type: Quick Scan
Objects scanned: 110079
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Any thoughts on actions needed at this point?

I may run a Malwarebytes full scan overnight. If it succeeds, I'll post results.

Thanks!


I updated MBAM. The log from a full scan follows. I look forward to your thoughts.

Thanks!

Malwarebytes' Anti-Malware 1.40
Database version: 2658
Windows 5.1.2600 Service Pack 2

8/19/2009 2:32:41 PM
mbam-log-2009-08-19 (14-32-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 477942
Time elapsed: 2 hour(s), 53 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{3823982D-D5D1-4198-9D26-D5E7F702A163}\RP738\A0140735.dll (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{3823982D-D5D1-4198-9D26-D5E7F702A163}\RP742\A0141791.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{3823982D-D5D1-4198-9D26-D5E7F702A163}\RP742\A0141792.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{3823982D-D5D1-4198-9D26-D5E7F702A163}\RP742\A0141793.exe (Adware.MyWeb) -> No action taken.
C:\System Volume Information\_restore{3823982D-D5D1-4198-9D26-D5E7F702A163}\RP742\A0141794.exe (Adware.MyWeb) -> No action taken.
C:\System Volume Information\_restore{3823982D-D5D1-4198-9D26-D5E7F702A163}\RP742\A0141795.nfo (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{3823982D-D5D1-4198-9D26-D5E7F702A163}\RP753\A0149282.exe (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{3823982D-D5D1-4198-9D26-D5E7F702A163}\RP753\A0149283.exe (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{3823982D-D5D1-4198-9D26-D5E7F702A163}\RP753\A0149284.exe (Adware.MyWeb) -> No action taken.
C:\System Volume Information\_restore{3823982D-D5D1-4198-9D26-D5E7F702A163}\RP755\A0149769.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{3823982D-D5D1-4198-9D26-D5E7F702A163}\RP755\A0149771.exe (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{3823982D-D5D1-4198-9D26-D5E7F702A163}\RP755\A0149768.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{3823982D-D5D1-4198-9D26-D5E7F702A163}\RP756\A0151945.exe (Rogue.Installer) -> No action taken.
C:\System Volume Information\_restore{3823982D-D5D1-4198-9D26-D5E7F702A163}\RP758\A0157172.exe (Rogue.Installer) -> No action taken.
C:\System Volume Information\_restore{3823982D-D5D1-4198-9D26-D5E7F702A163}\RP758\A0157371.exe (Adware.MyWeb) -> No action taken.
C:\System Volume Information\_restore{3823982D-D5D1-4198-9D26-D5E7F702A163}\RP758\A0157389.nfo (Trojan.Agent) -> No action taken.


  • Staff

Hi,

As long as you don't select these leftovers for removal, they will stay, so please select them and let mbam quarantine them.

Then reboot.

Also, there's no need for the full scan. The quick scan is actually more powerful, smarter and way faster :(

Let me know in your next reply how things are now.
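Reading a long MBAM log by eye is error-prone, so here is an added example (not MBAM's code and not from anyone in this thread): a Python parser for the Anti-Malware 1.40 log layout posted above that lists every detection still marked "No action taken" and checks the header counts against the item lines. The sample log, including its restore-point GUID placeholder, is constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the MBAM 1.40 log layout posted in this thread, not the poster's real log.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.40

Registry Keys Infected: 2
Registry Values Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> No action taken.

Files Infected:
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP1\A0000001.exe (Trojan.Downloader) -> No action taken.
"""

# One detection line: "<item> (<family>) -> <action>."  Section headers end in "Infected:".
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")


def parse_mbam_log(text):
    """Return (summary, detections): header 'X Infected: N' counts, and one dict per item line."""
    summary, detections, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := SECTION_RE.match(line)):
            section = m.group("section")                 # entering a "... Infected:" section
        elif " Infected: " in line:                      # summary count from the header block
            name, _, count = line.partition(": ")
            summary[name] = int(count)
        elif (m := DETECTION_RE.match(line)) and section:
            detections.append(dict(m.groupdict(), section=section))
    return summary, detections


def untreated(detections):
    """Items the scan found but did not quarantine; they persist until selected for removal."""
    return [d for d in detections if d["action"] == "No action taken"]


def summary_mismatches(summary, detections):
    """Sections whose header count disagrees with the item lines (truncated or edited log)."""
    per_section = Counter(d["section"] for d in detections)
    return {s: (n, per_section[s]) for s, n in summary.items() if n != per_section[s]}
```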


I quarantined, rebooted, deleted quarantine contents, had Malwarebytes perform the quick scan, and now see no infections:

Malwarebytes' Anti-Malware 1.40
Database version: 2659
Windows 5.1.2600 Service Pack 2

8/19/2009 4:07:25 PM
mbam-log-2009-08-19 (16-07-25).txt

Scan type: Quick Scan
Objects scanned: 111186
Time elapsed: 3 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Looks good! Is there anything else I should do, or does this wrap things up?

Thanks!


  • Staff

This looks OK here <_<

Glad I could help. :lol:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!



  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
