akacraig Posted August 24, 2009 ID:114274 Share Posted August 24, 2009 Hello - I have tried to rename the Malware installer, and the exe file, although the program stops shortly after it starts. I downloaded ComboFix on another computer and renamed it before saving it and I get an error message Access denied, you need Administrative privileges to run this tool (I am an admin)I have also tried to run HiJack this and avira with no luck so far. I have also replaced the registry. I guess I need a new starting point. Thanks!Craig Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 25, 2009 ID:114602 Share Posted August 25, 2009 Hello akacraig,What is the Windows version-edition ? Does this have an antivirus program installed?Hold off on any run of MBAM and certainly do NOT run Combofix without my guidance.I need some sort of log to proceed forward. See if you can get a report from RootRepeal.Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from >>> here <<< Double-click FixPolicies.exe. Click the "Install" button on the bottom toolbar of the box that will open. The program will create a new Folder called FixPolicies. Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd. A black box will briefly appear and then close. This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.=Go >> here <<and download RootRepeal and SAVE to your Desktop. Doubleclick RootRepeal.exe icon on your Desktop. Click on the Report tab at bottom of window and then click on Scan button. A Windows will open asking what to include in the scan. Check all of the below and then click Ok.DriversFilesProcessesSSDTHidden ServicesStealth ObjectsYou will then be asked which drive to scan. Check C: (or the drive your operating system is installed on if not C) and click Ok again. The scan will start. It will take a little while so please be patient. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should default there). When you have done this, please copy and paste it in this thread. Link to post Share on other sites More sharing options...
akacraig Posted August 25, 2009 Author ID:114648 Share Posted August 25, 2009 Hi Maurice - Thanks for the help. The OS is windows xp pro. I had Spybot Search and Destroy, and Symantec Client security installed. Now I have Avira installed, but can't get it to run a report. I ran FixPolicies, no problem, however when I tried to extract RootRepeal it said program is already in use. Craig Link to post Share on other sites More sharing options...
akacraig Posted August 25, 2009 Author ID:114650 Share Posted August 25, 2009 Two other things I have noticed. 1) When I restart I get an error Tapi.nfo - specific module could not be found. 2) In task manager I found a process called BAsfIpM running under system. It seems suspicious to me. Thanks!Craig Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 25, 2009 ID:114654 Share Posted August 25, 2009 2 points. 1) Please only use the ADDReply at bottom of screen when starting a reply. Try to not use the "Reply button {it makes for very long posts}2) Main issue. We have got to get some log from this system. Otherwise, we cannot proceed with diagnosis.3) Try thisLook for (locate) the hijackthis.exe and RENAME it to something like FINDIT.exeTypically the program is installed in C:\Program Files\Trend Micro\HijackThis folderThen run FINDIT to get a HJT logI do not need a Avira report. But if it has "flagged" specific files or folders, jot those down and provide those details here. Link to post Share on other sites More sharing options...
akacraig Posted August 25, 2009 Author ID:114657 Share Posted August 25, 2009 Two other things I have noticed. 1) When I restart I get an error Tapi.nfo - specific module could not be found. 2) In task manager I found a process called BAsfIpM running under system. It seems suspicious to me. OK got RootRepeal to run, but only for a short time. The first thing on the screen was C:\hiberfil.sys then many files with an Allocation size mismatch, then it quite. Now when I try to rerun RootRepeal Windows cannot access the specific path or file. You may not have the appropriate permissions to access the item. Thanks!Craig Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 25, 2009 ID:114666 Share Posted August 25, 2009 May I ask again that you use the ADDReply buttonbasfipm.exe is a process which is installed alongside Broadcom communications hardware. Stop trying to self-diagnose.Kindly see about getting a report from HijackThis.and if you are having a tough time with RootRepeal, logff and Restart system fresh.Then run RootRepeal.exe Link to post Share on other sites More sharing options...
akacraig Posted August 25, 2009 Author ID:114668 Share Posted August 25, 2009 Hello Maurice - I can get HJT to run as findit, however the report only stays on the screen for seconds, then it closes. Is there something specific I can look for before the screen closes?Thanks!Craig Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 25, 2009 ID:114675 Share Posted August 25, 2009 Using My Computer {Windows Explorer} look at this folder C:\Program Files\Trend Micro\HijackThisLook for a file named hijacthis.logIf there, use NOTEPAD to Open it. Copy all lines and Paste into a reply here.If and only if you cannot find it, logoff and Restart system, and right away Tap & retap on F8 function keyWhen you see Advanced BootUp Options, select Safe mode with NetworkingThen retry the Findit {Hijackthis} againYou should also do thisDownload DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds here or http://download.bleepingcomputer.com/sUBs/dds.scr or http://www.forospyware.com/sUBs/ddsDisable any script blocker if your antivirus/antimalware has it.Then double click dds.scr to run the tool.When done, DDS.txt will open. Click Yes at the next prompt for Optional Scan. When done, DDS will open two (2) logs: DDS.txt Attach.txt[*]Save both reports to your desktop.Please include the following logs in your next reply:hijackthis.logDDS.txtAttach.txt Link to post Share on other sites More sharing options...
akacraig Posted August 25, 2009 Author ID:114676 Share Posted August 25, 2009 Hi Maurice - Sorry about being so lame about the reply button. Update: I can run both RootRepeal and HiJack this, but only for a short time. The programs quit before a log report can be saved. Thanks!Craig Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 25, 2009 ID:114678 Share Posted August 25, 2009 Slow down just a bit. Read my prior reply. Do your best to get some report.Also, have plenty of patience. I am a volunteer and I am not online at all hours. Link to post Share on other sites More sharing options...
akacraig Posted August 25, 2009 Author ID:114696 Share Posted August 25, 2009 Hi Maurice - Sorry for being so annoying.I tried to find a log file from HiJack this with no luck.Then I downloaded the DDS file on a non infected computer and put it on a USB drive. Next I booted in safe mode with networking. Still I can run both RootRepeal and HiJack this, but they crash before the scan is complete. Finally still in Safe Mode with Networking I tried DDS and the command line opens, but it never starts. Cheers!Craig Link to post Share on other sites More sharing options...
akacraig Posted August 25, 2009 Author ID:114703 Share Posted August 25, 2009 Hi Maurice - I found a partial results from RootRepeal. It was in My Documents folder. Sorry I was looking in the Trend Micro folder. ROOTREPEAL © AD, 2007-2009==================================================Scan Start Time: 2009/08/24 15:10Program Version: Version 1.3.5.0Windows Version: Windows XP SP2==================================================Hidden/Locked Files-------------------Path: C:\hiberfil.sysStatus: Locked to the Windows API!Path: c:\system volume information\efadata\sdmys_57e84a1fbe7cf5f448919483Status: Allocation size mismatch (API: 8192, Raw: 0)Path: c:\system volume information\efadata\sdmys_57e84a1fbe7cf5f4736f5d09Status: Allocation size mismatch (API: 131072, Raw: 0)Path: c:\system volume information\efadata\sdmys_ad5e2f7c30e8000a45645dfeStatus: Allocation size mismatch (API: 8192, Raw: 4096)Path: c:\system volume information\efadata\sdmys_ad5e2f7c30e8000a64e1d8cdStatus: Allocation size mismatch (API: 131072, Raw: 0)Path: C:\WINDOWS\system32\eventlog.dllStatus: Locked to the Windows API! Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 25, 2009 ID:114710 Share Posted August 25, 2009 Set aside the RootRepeal for now. If the program is running, exit / close out of it. The log copy is only partial and should have had a lot more ..... if it had ever completed.You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!If you are a casual viewer, do NOT try this on your system! If you are not akacraig and have a similar problem, do NOT post here; start your own topicDo not run or start any other programs while these utilities and tools are in use! Do NOT run any other tools on your own or do any fixes other than what is listed here.If you have questions, please ask before you do something on your own.But it is important that you get going on these following steps.=Close any of your open programs while you run these tools.Very carefully start with this:1. Go >> Here << and download ERUNT (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)2. Install ERUNT by following the prompts (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)3. Start ERUNT (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)4. Choose a location for the backup (the default location is C:\WINDOWS\ERDNT which is acceptable).5. Make sure that at least the first two check boxes are ticked 6. Press OK7. Press YES to create the folder.=Set Windows to show all files and all folders. On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed. "CHECK" (turn on) Display the contents of system folders. Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders. Next, un-check Hide extensions for known file types. Next un-check Hide protected operating system files. =Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our toolsIf you have a prior copy of Combofix, delete it now !Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop. Link 1 Link 2 Link 3 * IMPORTANT !!! SAVE AS Combo-Fix.exe to your DesktopIf your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our toolsDouble click on Combo-Fix.exe & follow the prompts.As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:Click on Yes, to continue scanning for malware.Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.------------------------------------------------------- A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.=RE-Enable your AntiVirus and AntiSpyware applications.Reply with copy of C:\Combofix.txt Link to post Share on other sites More sharing options...
akacraig Posted August 25, 2009 Author ID:114714 Share Posted August 25, 2009 Hi Maurice - Thanks for the help. I will post a reply late this afternoon. Craig Link to post Share on other sites More sharing options...
akacraig Posted August 25, 2009 Author ID:114847 Share Posted August 25, 2009 Hi Maurice - I stopped after a successful run of ERUNT. I got to here "Set Windows to show all files and all folders.On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed."CHECK" (turn on) Display the contents of system folders.Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.Next, un-check Hide extensions for known file types.Next un-check Hide protected operating system files. "Under tools I only have Map Network Drive Disconnect Network Drive SynchronizeThanks!Craig Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 26, 2009 ID:114956 Share Posted August 26, 2009 Craig,Please go foward then, and get and run Combofix Link to post Share on other sites More sharing options...
akacraig Posted August 26, 2009 Author ID:115007 Share Posted August 26, 2009 Hi Maurice - It worked!When I ran Combo-Fix I was in safe mode with everything turned off. Also in Safemode I had no internet connection so I skipped the back up. When Combo-Fix rebooted the machine Aviro started. Here is the log you have so patiently waited for. It is named log.txtCheers!CraigCombofix log follows Craig, always Copy & Paste your logs In-line into text of reply box.ComboFix 09-08-25.01 - chobart 08/25/2009 19:46.1.1 - NTFSx86 NETWORKMicrosoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.322 [GMT -7:00]Running from: c:\documents and settings\CHobart\Desktop\Combo-Fix2.exeAV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\docume~1\CHobart\LOCALS~1\Temp\csrss.exec:\docume~1\CHobart\LOCALS~1\Temp\lsass.exec:\docume~1\CHobart\LOCALS~1\Temp\services.exec:\docume~1\CHobart\LOCALS~1\Temp\svchost.exec:\docume~1\CHobart\LOCALS~1\Temp\taskmgr.exec:\docume~1\CHobart\LOCALS~1\Temp\winlogon.exec:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.datc:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.datc:\documents and settings\chobart\My Documents\ZbThumbnail.infoC:\kvhwftjn.exeC:\LOG46.tmpC:\p2hhr.batc:\program files\Windows Antivirus Proc:\program files\Windows Antivirus Pro\tmp\images\i1.gifc:\program files\Windows Antivirus Pro\tmp\images\i2.gifc:\program files\Windows Antivirus Pro\tmp\images\i3.gifc:\program files\Windows Antivirus Pro\tmp\images\j1.gifc:\program files\Windows Antivirus Pro\tmp\images\j2.gifc:\program files\Windows Antivirus Pro\tmp\images\j3.gifc:\program files\Windows Antivirus Pro\tmp\images\jj1.gifc:\program files\Windows Antivirus Pro\tmp\images\jj2.gifc:\program files\Windows Antivirus Pro\tmp\images\jj3.gifc:\program files\Windows Antivirus Pro\tmp\images\l1.gifc:\program files\Windows Antivirus Pro\tmp\images\l2.gifc:\program files\Windows Antivirus Pro\tmp\images\l3.gifc:\program files\Windows Antivirus Pro\tmp\images\pix.gifc:\program files\Windows Antivirus Pro\tmp\images\t1.gifc:\program files\Windows Antivirus Pro\tmp\images\t2.gifc:\program files\Windows Antivirus Pro\tmp\images\up1.gifc:\program files\Windows Antivirus Pro\tmp\images\up2.gifc:\program files\Windows Antivirus Pro\tmp\images\w1.gifc:\program files\Windows Antivirus Pro\tmp\images\w11.gifc:\program files\Windows Antivirus Pro\tmp\images\w2.gifc:\program files\Windows Antivirus Pro\tmp\images\w3.gifc:\program files\Windows Antivirus Pro\tmp\images\w3.jpgc:\program files\Windows Antivirus Pro\tmp\images\wt1.gifc:\program files\Windows Antivirus Pro\tmp\images\wt2.gifc:\program files\Windows Antivirus Pro\tmp\images\wt3.gifc:\windows\ppp3.datc:\windows\ppp4.datc:\windows\system\Flywave.dllc:\windows\system32\~.exec:\windows\system32\bennuar.oldc:\windows\system32\bincd32.datc:\windows\system32\dddesot.dllc:\windows\system32\drivers\fad.sysc:\windows\system32\imagesc:\windows\system32\images\i1.gifc:\windows\system32\images\i2.gifc:\windows\system32\images\i3.gifc:\windows\system32\images\j1.gifc:\windows\system32\images\j2.gifc:\windows\system32\images\j3.gifc:\windows\system32\images\jj1.gifc:\windows\system32\images\jj2.gifc:\windows\system32\images\jj3.gifc:\windows\system32\images\l1.gifc:\windows\system32\images\l2.gifc:\windows\system32\images\l3.gifc:\windows\system32\images\pix.gifc:\windows\system32\images\t1.gifc:\windows\system32\images\t2.gifc:\windows\system32\images\up1.gifc:\windows\system32\images\up2.gifc:\windows\system32\images\w1.gifc:\windows\system32\images\w11.gifc:\windows\system32\images\w2.gifc:\windows\system32\images\w3.gifc:\windows\system32\images\w3.jpgc:\windows\system32\images\wt1.gifc:\windows\system32\images\wt2.gifc:\windows\system32\images\wt3.gifc:\windows\system32\msxml71.dllc:\windows\system32\sonhelp.htmc:\windows\system32\sysnet.datc:\windows\system32\tajf83ikdmf.dllc:\windows\system32\wispex.html----- BITS: Possible infected sites -----hxxp://definitions.symantec.comInfected copy of c:\windows\system32\eventlog.dll was found and disinfected Restored copy from - c:\windows\system32\dllcache\eventlog.dll .((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 ))))))))))))))))))))))))))))))).2009-08-26 02:52 . 2009-08-26 02:53 -------- d-----w- c:\documents and settings\TEMP2009-08-25 22:42 . 2009-08-25 22:43 -------- d-----w- c:\program files\ERUNT2009-08-25 18:15 . 2009-08-25 18:15 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys2009-08-24 21:35 . 2009-08-24 21:53 -------- d-s---w- C:\Combo-Fix2009-08-24 20:41 . 2009-08-24 21:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2009-08-24 18:11 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys2009-08-24 18:11 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys2009-08-24 18:11 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys2009-08-24 18:11 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys2009-08-24 18:11 . 2009-08-24 18:11 -------- d-----w- c:\program files\Avira2009-08-24 18:11 . 2009-08-24 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira2009-08-24 18:01 . 2009-08-25 22:38 -------- d-s---w- C:\ComboFix2009-08-24 15:50 . 2009-08-24 15:50 -------- d--h--w- c:\windows\system32\GroupPolicy2009-08-22 14:29 . 2009-08-22 14:29 171840 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP0.exe2009-08-22 14:29 . 2009-08-22 14:29 2855 ----a-w- c:\windows\svchast.PIF2009-08-22 14:28 . 2009-08-22 14:28 -------- d--h--w- c:\windows\PIF2009-08-22 06:50 . 2009-08-22 06:50 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help2009-08-22 06:48 . 2009-08-22 06:49 -------- d-----w- c:\documents and settings\chobart\Local Settings\Application Data\Tific2009-08-22 06:47 . 2009-08-22 06:47 -------- d-----w- c:\documents and settings\chobart\Application Data\Tific2009-08-22 06:47 . 2009-08-22 06:47 -------- d-----w- c:\docume~1\CHobart\APPLIC~1\Tific2009-08-22 06:41 . 2009-08-14 02:22 163192 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\IPSFFPlgn\components\IPSFFPl.dll2009-08-22 06:38 . 2009-08-14 04:41 343600 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\BinHub\IDSvix86.sys2009-08-22 06:38 . 2009-08-14 04:41 328056 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\BinHub\IDSxpx86.sys2009-08-22 06:38 . 2009-08-14 04:41 328056 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\20090813.001\IDSxpx86.sys2009-08-22 06:38 . 2009-08-14 04:41 470064 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\BinHub\IDSvia64.sys2009-08-22 06:38 . 2009-08-14 04:41 470064 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\20090813.001\IDSVia64.sys2009-08-22 06:38 . 2009-08-14 04:41 343600 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\20090813.001\IDSVix86.sys2009-08-22 06:38 . 2009-08-14 04:41 730488 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\BinHub\scxpx86.dll2009-08-22 06:38 . 2009-08-14 04:41 730488 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\20090813.001\Scxpx86.dll2009-08-22 06:38 . 2009-08-14 04:41 486776 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\BinHub\idsxpx86.dll2009-08-22 06:38 . 2009-08-14 04:41 486776 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\20090813.001\IDSxpx86.dll2009-08-22 06:38 . 2009-08-24 17:29 893296 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\OCS\hsplayer.dll2009-08-22 06:38 . 2009-08-14 17:41 892272 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\CLT\cltLMSx.dll2009-08-22 06:37 . 2009-08-22 06:37 -------- d-----w- c:\windows\system32\drivers\NAV2009-08-22 06:37 . 2009-08-22 06:37 -------- d-----w- c:\program files\Norton AntiVirus2009-08-22 06:22 . 2009-08-22 06:22 -------- d-----w- c:\documents and settings\chobart\Application Data\Malwarebytes2009-08-22 06:22 . 2009-08-22 06:22 -------- d-----w- c:\docume~1\CHobart\APPLIC~1\Malwarebytes2009-08-22 06:21 . 2009-08-22 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes2009-08-22 06:14 . 2009-08-22 06:14 -------- d-----w- c:\program files\Windows Sidebar2009-08-22 06:13 . 2009-08-22 06:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller2009-08-22 06:13 . 2009-08-22 06:37 -------- d-----w- c:\program files\NortonInstaller2009-08-22 06:11 . 2009-08-22 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton2009-08-22 05:36 . 2009-08-22 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard2009-08-22 05:35 . 2009-08-22 05:35 -------- d-----w- c:\program files\Common Files\iS32009-08-22 05:35 . 2009-08-22 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!2009-08-15 00:23 . 2009-08-15 00:23 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\BASHDefs\20090815.002\BHRules.dll2009-08-15 00:23 . 2009-08-15 00:23 1412496 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\BASHDefs\20090815.002\BHEngine.dll2009-08-15 00:23 . 2009-08-15 00:23 503344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\BASHDefs\20090815.002\BHDrvx86.sys2009-08-15 00:23 . 2009-08-15 00:23 636976 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\BASHDefs\20090815.002\BHDrvx64.sys2009-08-15 00:23 . 2009-08-15 00:23 590224 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\BASHDefs\20090815.002\bbRGen.dll2009-08-12 14:31 . 2009-08-12 14:31 -------- d-----w- c:\windows\ServicePackFiles2009-08-05 05:42 . 2009-08-05 05:43 -------- d-----w- c:\documents and settings\chobart\Local Settings\Application Data\Temp.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-08-25 16:27 . 2008-10-02 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater2009-08-22 06:49 . 2006-05-15 21:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec2009-08-22 06:38 . 2009-08-22 06:14 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF2009-08-22 06:38 . 2009-08-22 06:14 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT2009-08-22 06:38 . 2006-05-15 21:30 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL2009-08-22 06:38 . 2006-05-15 21:30 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS2009-08-22 06:38 . 2006-05-15 21:29 -------- d-----w- c:\program files\Symantec2009-08-21 21:34 . 2006-05-15 21:40 -------- d-----w- c:\program files\Google2009-08-05 09:11 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll2009-07-23 21:24 . 2006-05-15 21:33 -------- d-----w- c:\program files\Spybot - Search & Destroy2009-07-17 18:55 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\atl.dll2009-07-13 09:18 . 2004-08-11 22:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll2009-06-26 16:18 . 2004-08-11 22:00 659456 ----a-w- c:\windows\system32\wininet.dll2009-06-26 16:18 . 2004-08-11 22:00 81920 ----a-w- c:\windows\system32\ieencode.dll2009-06-25 18:36 . 2004-08-11 22:00 95744 ----a-w- c:\windows\system32\mqsec.dll2009-06-25 18:36 . 2004-08-11 22:00 661504 ----a-w- c:\windows\system32\mqqm.dll2009-06-25 18:36 . 2004-08-11 22:00 517120 ----a-w- c:\windows\system32\mqsnap.dll2009-06-25 18:36 . 2004-08-11 22:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll2009-06-25 18:36 . 2004-08-11 22:00 471552 ----a-w- c:\windows\system32\mqutil.dll2009-06-25 18:36 . 2004-08-11 22:00 47104 ----a-w- c:\windows\system32\mqdscli.dll2009-06-25 18:36 . 2004-08-11 22:00 225280 ----a-w- c:\windows\system32\mqoa.dll2009-06-25 18:36 . 2004-08-11 22:00 186880 ----a-w- c:\windows\system32\mqtrig.dll2009-06-25 18:36 . 2004-08-11 22:00 177152 ----a-w- c:\windows\system32\mqrt.dll2009-06-25 18:36 . 2004-08-11 22:00 16896 ----a-w- c:\windows\system32\mqise.dll2009-06-25 18:36 . 2004-08-11 22:00 138240 ----a-w- c:\windows\system32\mqad.dll2009-06-25 18:36 . 2004-08-11 22:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll2009-06-25 08:17 . 2004-08-11 22:00 59392 ----a-w- c:\windows\system32\wdigest.dll2009-06-25 08:17 . 2004-08-11 22:00 56320 ----a-w- c:\windows\system32\secur32.dll2009-06-25 08:17 . 2004-08-11 22:00 168448 ----a-w- c:\windows\system32\schannel.dll2009-06-25 08:17 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll2009-06-25 08:17 . 2004-08-11 22:00 729600 ----a-w- c:\windows\system32\lsasrv.dll2009-06-25 08:17 . 2004-08-11 22:00 301568 ----a-w- c:\windows\system32\kerberos.dll2009-06-22 11:49 . 2004-08-11 22:00 19968 ----a-w- c:\windows\system32\mqbkup.exe2009-06-22 11:49 . 2004-08-11 22:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe2009-06-22 11:49 . 2004-08-11 22:00 4608 ----a-w- c:\windows\system32\mqsvc.exe2009-06-22 11:48 . 2004-08-11 22:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys2009-06-22 11:35 . 2004-08-11 22:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys2009-06-16 14:55 . 2004-08-11 22:00 119808 ----a-w- c:\windows\system32\t2embed.dll2009-06-16 14:55 . 2004-08-11 22:00 82432 ----a-w- c:\windows\system32\fontsub.dll2009-06-12 11:50 . 2004-08-11 22:00 80896 ----a-w- c:\windows\system32\tlntsess.exe2009-06-12 11:50 . 2004-08-11 22:00 76288 ----a-w- c:\windows\system32\telnet.exe2009-06-10 19:55 . 2009-06-10 19:55 18186048 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\msgup900_2162_us_v2.exe2009-06-10 14:21 . 2004-08-11 22:00 84992 ----a-w- c:\windows\system32\avifil32.dll2009-06-10 06:32 . 2004-08-11 22:00 132096 ----a-w- c:\windows\system32\wkssvc.dll2009-06-08 17:16 . 2009-05-31 17:49 18184984 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\msgup900_2162_us.exe2009-06-05 07:42 . 2004-08-11 22:11 655872 ----a-w- c:\windows\system32\mstscax.dll2009-06-03 19:27 . 2004-08-11 22:00 1290752 ----a-w- c:\windows\system32\quartz.dll2009-05-29 15:46 . 2009-04-28 04:33 18189072 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\msgup900_2152_us.exe2007-01-19 18:31 . 2007-01-19 18:31 1515 ----a-w- c:\program files\heat and energy 2.txt2006-09-11 15:08 . 2006-09-11 15:08 2484054 ----a-w- c:\program files\fatigue4.BMP.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ShowLOMControl"="1 (0x1)" [X]"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-15 282624]"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-29 113664][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]@="FSFilter Activity Monitor"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]"Dell QuickSet"=c:\program files\Dell\QuickSet\quickset.exe"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe""SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_03\bin\jusched.exe"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r[HKEY_LOCAL_MACHINE\software\microsoft\security center]"UpdatesDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"67:UDP"= 67:UDP:DHCP Discovery ServiceR0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1100000.077\SymDS.sys [8/21/2009 11:38 PM 328752]R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1100000.077\SymEFA.sys [8/21/2009 11:38 PM 169008]R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\BASHDefs\20090815.002\BHDrvx86.sys [8/14/2009 5:23 PM 503344]R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1100000.077\ccHPx86.sys [8/21/2009 11:38 PM 501888]R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1100000.077\Ironx86.sys [8/21/2009 11:38 PM 114224]R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/24/2009 11:11 AM 108289]R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/21/2009 11:39 PM 102448]R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/2/2006 1:08 AM 87936]R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\20090813.001\IDSxpx86.sys [8/21/2009 11:38 PM 328056]S2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.0.0.119\ccSvcHst.exe [8/21/2009 11:38 PM 126392]S3 cmvad;C-Media Wi-Sonic Wireless Audio Interface;c:\windows\system32\drivers\cmudaxv.sys --> c:\windows\system32\drivers\cmudaxv.sys [?]S3 poorepeal2;poorepeal2;\??\c:\windows\system32\drivers\poorepeal2.sys --> c:\windows\system32\drivers\poorepeal2.sys [?]S3 rootrepeal2;rootrepeal2;\??\c:\windows\system32\drivers\rootrepeal2.sys --> c:\windows\system32\drivers\rootrepeal2.sys [?]--- Other Services/Drivers In Memory ---*NewlyCreated* - BASFND.Contents of the 'Scheduled Tasks' folder2009-08-26 c:\windows\Tasks\Google Software Updater.job- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-04 05:16]2009-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1866874134-3719042735-974690538-2023Core.job- c:\documents and settings\CHobart\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 16:22]2009-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1866874134-3719042735-974690538-2023UA.job- c:\documents and settings\CHobart\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 16:22]2009-08-21 c:\windows\Tasks\WGASetup.job- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 05:18].- - - - ORPHANS REMOVED - - - -HKLM-Run-WinampAgent - c:\program files\Winamp\wianmpa.exeHKLM-Run-CmFlywaveName - c:\windows\System\CmFlywav.exe.------- Supplementary Scan -------.mStart Page = hxxp://www.google.commSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.htmlFF - ProfilePath - c:\docume~1\CHobart\APPLIC~1\Mozilla\Firefox\Profiles\l7nikywv.default\FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\IPSFFPlgn\components\IPSFFPl.dllFF - plugin: c:\documents and settings\CHobart\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dllFF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dllFF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dllFF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dllFF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dllFF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dllFF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dllFF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dllFF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll---- FIREFOX POLICIES ----FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-08-25 19:55Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.0.0.119\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.0.0.119\diMaster.dll\" /prefetch:1".------------------------ Other Running Processes ------------------------.c:\windows\system32\WLTRYSVC.EXEc:\windows\system32\BCMWLTRY.EXEc:\windows\system32\LEXBCES.EXEc:\windows\system32\LEXPPS.EXEc:\windows\system32\scardsvr.exec:\program files\Avira\AntiVir Desktop\avguard.exec:\windows\system32\BAsfIpM.exec:\program files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exec:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEc:\program files\Dell\NicConfigSvc\NicConfigSvc.exec:\program files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exec:\windows\system32\wdfmgr.exec:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exec:\program files\Avira\AntiVir Desktop\update.exec:\windows\system32\rundll32.exec:\windows\system32\igfxsrvc.exec:\program files\Apoint\ApntEx.exec:\program files\Apoint\hidfind.exec:\program files\iPod\bin\iPodService.exe.**************************************************************************.Completion time: 2009-08-26 20:04 - machine was rebootedComboFix-quarantined-files.txt 2009-08-26 03:03Pre-Run: 62,098,202,624 bytes freePost-Run: 61,595,635,712 bytes free381 --- E O F --- 2009-08-13 17:12 Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 26, 2009 ID:115243 Share Posted August 26, 2009 De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader. Get the latest version from http://www.adobe.com/products/acrobat/readstep2.htmlYour Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 16 -"Click the "Download" button to the right.Select the Windows platform from the dropdown menu.Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.Click on the link to download Windows Offline Installation and save the file to your desktop.Close any programs you may have running - especially your web browser.Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.Click the Remove or Change/Remove button.Repeat as many times as necessary to remove each Java versions.Reboot your computer once all Java components are removed.Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)On the General tab, under Temporary Internet Files, click the Settings button.Next, click on the Delete Files buttonThere are two options in the window to clear the cache - Leave BOTH CheckedApplications and AppletsTrace and Log Files[*]Click OK on Delete Temporary Files WindowNote: This deletes ALL the Downloaded Applications and Applets from the CACHE.[*]Click OK to leave the Temporary Files Window[*]Click OK to leave the Java Control Panel.To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xmlWhen all is well, you should see Java Version: 1.6.0_16 from Sun Microsystems Inc.Small tweaks for Java runtime, since most all users do not need to load Java at each Windows startup:Go to folder C:\Program Files\Java\jre6\bindouble click on javacpl.exe the Java control panel applet.Click Advanced Tab. Expand the Miscellaneous item.UN-check the line Java quick starterIf you want to also un-check the "Check for updates automatically" you may:Click the Update tab. un-check the line if it is checked.Press Apply then OK. Close the applet when done.=Take out the trash (temporary files & temporary internet files) Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.Start ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser, do this also:Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.If you use Opera browser, do this also:Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.Click Exit on the Main menu to close the program. ATF-Cleaner should be run per the above in every user-login account {User Profile} = Using Internet Explorer browser only, go to ESET Online Scanner website:http://www.eset.com/onlinescan/Accept the Terms of Use and press Start button;Approve the install of the required ActiveX Control, then follow on-screen instructions;Enable (check) the Remove found threats option, and run the scan.After the scan completes, the Details tab in the Results window will display what was found and removed. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.Look at contents of this file using Notepad or Wordpad.The Frequently Asked Questions for ESET Online Scanner can be viewed herehttp://www.eset.com/onlinescan/cac4.php?page=faqFrom ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner. Otherwise the scan will take twice as long to do: everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result. It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner. (And the prompt re-enabling when finished.) If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.Reply with copy of Eset scan log, and tell me, How is the system now?You ought now to be able to finish installing (if you did not before) and running MBAM and be able to run a quick scan.Post a copy of the MBAM scan after it is done. Link to post Share on other sites More sharing options...
akacraig Posted August 27, 2009 Author ID:115790 Share Posted August 27, 2009 Hi Maurice - Things seem to be working better.CraigMalwarebytes' Anti-Malware 1.40Database version: 2706Windows 5.1.2600 Service Pack 28/27/2009 10:52:54 AMmbam-log-2009-08-27 (10-52-54).txtScan type: Full Scan (C:\|)Objects scanned: 167005Time elapsed: 58 minute(s), 0 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 4Registry Values Infected: 0Registry Data Items Infected: 1Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AntipPro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:C:\Qoobox\Quarantine\C\WINDOWS\system32\dddesot.dll.vir (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.C:\WINDOWS\system32\onhelp.htm (Rogue.Trace) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 27, 2009 ID:115827 Share Posted August 27, 2009 Locate where you saved Fixpolicies (from my 1st reply).Find where you have Fix_Policies.cmdand run it just once more.I still need for you to run the Eset online scan. When done with that, copy and paste contents of that log.Do keep in touch here. We will need to guide you to remove tools we used. Link to post Share on other sites More sharing options...
akacraig Posted August 28, 2009 Author ID:116223 Share Posted August 28, 2009 Hi Maurice - This is the ESET Log.C:\Documents and Settings\CHobart\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-63b886a4-2cab2212.class Java/TrojanDownloader.OpenStream.NAC trojan cleaned by deleting - quarantinedC:\Qoobox\Quarantine\C\kvhwftjn.exe.vir Win32/TrojanDownloader.Small.ORV trojan cleaned by deleting - quarantinedC:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir a variant of Win32/Kryptik.YQ trojan cleaned by deleting - quarantinedC:\Qoobox\Quarantine\C\WINDOWS\system32\tajf83ikdmf.dll.vir Win32/TrojanDownloader.Small.ORV trojan cleaned by deleting - quarantinedC:\Qoobox\Quarantine\C\WINDOWS\system32\wispex.html.vir Win32/Adware.WinAntiVirus application cleaned by deleting - quarantinedC:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir a variant of Win32/Kryptik.AFH trojan cleaned by deleting - quarantinedCraig Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 29, 2009 ID:116538 Share Posted August 29, 2009 Hello craig,Download The Avenger by Swandog46 from here.Unzip/extract it to a folder on your desktop.Double click on avenger.exe to run The Avenger.Click OK.Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.Files to delete:c:\windows\svchast.exeDrivers to delete:AntipPro2009_100AntipyProexIn the avenger window, click the Paste Script from Clipboard icon, button. Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.Click the Execute button.You will be asked Are you sure you want to execute the current script?.Click Yes.You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.Click Yes.Your PC will now be rebooted.Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.and then reboot the system again.=Next, let's follow-up with a scan using Sysclean:Please download and run the Trend Micro Sysclean Package on your computer.NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.Trend Micro Damage Cleanup EngineMake sure you read this document to understand how to use the program. Trend Micro Sysclean Package README 1stBasically there are 3 parts that need to be downloaded and SAVED from these links:Sysclean PackageVirus Pattern Files that will be a LPTxxx.ZIP fileSpyware Pattern Files this is a SSAPIPTNxxx.ZIPCreate a brand new folder to copy these files to.As an example: C:\DCEThen open each of the zipped archive files and copy their contents to C:\DCECopy the file sysclean.com to the new folder C:\DCE as well.Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.How To Use Compressed (Zipped) Folders in Windows XPCompress and uncompress files (zip files) in VistaIf the results are good, next pass we can start on the final cleanups & closure steps. Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 27, 2009 ID:134018 Share Posted September 27, 2009 This thread is closed due to lack of response. The procedures used here were specific to this system and only for this system. Do not apply them to another; doing so will likely damage your system.If you are a casual observer and having same issues, please follow forum procedures and create your own New topic.I'm infected - What do I do now?Procedures to help resolve issues preventing MBAM from running Link to post Share on other sites More sharing options...
Recommended Posts