Jump to content

Malwarebytes won't run

Recommended Posts

Hello -

I have tried to rename the Malware installer, and the exe file, although the program stops shortly after it starts.

I downloaded ComboFix on another computer and renamed it before saving it and I get an error message Access denied, you need Administrative privileges to run this tool (I am an admin)

I have also tried to run HiJack this and avira with no luck so far.

I have also replaced the registry.

I guess I need a new starting point.



Link to post
Share on other sites

Hello akacraig,

What is the Windows version-edition ? Does this have an antivirus program installed?

Hold off on any run of MBAM and certainly do NOT run Combofix without my guidance.

I need some sort of log to proceed forward. See if you can get a report from RootRepeal.

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.


Go >> here <<

and download RootRepeal and SAVE to your Desktop.

Doubleclick RootRepeal.exe icon on your Desktop.

Click on the Report tab at bottom of window and then click on Scan button.

A Windows will open asking what to include in the scan. Check all of the below and then click Ok.





Hidden Services

Stealth Objects

You will then be asked which drive to scan.

Check C: (or the drive your operating system is installed on if not C) and click Ok again.

The scan will start.

It will take a little while so please be patient. When the scan has finished, click on Save Report.

Name the log RootRepeal.txt and save it to your Documents folder (it should default there).

When you have done this, please copy and paste it in this thread.

Link to post
Share on other sites

Hi Maurice -

Thanks for the help.

The OS is windows xp pro.

I had Spybot Search and Destroy, and Symantec Client security installed. Now I have Avira installed, but can't get it to run a report.

I ran FixPolicies, no problem, however when I tried to extract RootRepeal it said program is already in use.


Link to post
Share on other sites

2 points. 1) Please only use the ADDReply at bottom of screen when starting a reply. Try to not use the "Reply button {it makes for very long posts}

2) Main issue. We have got to get some log from this system. Otherwise, we cannot proceed with diagnosis.

3) Try this

Look for (locate) the hijackthis.exe and RENAME it to something like FINDIT.exe

Typically the program is installed in C:\Program Files\Trend Micro\HijackThis folder

Then run FINDIT to get a HJT log

I do not need a Avira report. But if it has "flagged" specific files or folders, jot those down and provide those details here.

Link to post
Share on other sites

Two other things I have noticed.

1) When I restart I get an error Tapi.nfo - specific module could not be found.

2) In task manager I found a process called BAsfIpM running under system. It seems suspicious to me.

OK got RootRepeal to run, but only for a short time. The first thing on the screen was C:\hiberfil.sys then many files with an Allocation size mismatch, then it quite.

Now when I try to rerun RootRepeal Windows cannot access the specific path or file. You may not have the appropriate permissions to access the item.



Link to post
Share on other sites

May I ask again that you use the ADDReply button

basfipm.exe is a process which is installed alongside Broadcom communications hardware.

Stop trying to self-diagnose.

Kindly see about getting a report from HijackThis.

and if you are having a tough time with RootRepeal, logff and Restart system fresh.

Then run RootRepeal.exe

Link to post
Share on other sites

Using My Computer {Windows Explorer} look at this folder C:\Program Files\Trend Micro\HijackThis

Look for a file named hijacthis.log

If there, use NOTEPAD to Open it. Copy all lines and Paste into a reply here.

If and only if you cannot find it, logoff and Restart system, and right away Tap & retap on F8 function key

When you see Advanced BootUp Options, select Safe mode with Networking

Then retry the Findit {Hijackthis} again

You should also do this

Download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds here or http://download.bleepingcomputer.com/sUBs/dds.scr or


Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

    [*]Save both reports to your desktop.

Please include the following logs in your next reply:




Link to post
Share on other sites

Hi Maurice -

Sorry for being so annoying.

I tried to find a log file from HiJack this with no luck.

Then I downloaded the DDS file on a non infected computer and put it on a USB drive.

Next I booted in safe mode with networking. Still I can run both RootRepeal and HiJack this, but they crash before the scan is complete.

Finally still in Safe Mode with Networking I tried DDS and the command line opens, but it never starts.



Link to post
Share on other sites

Hi Maurice -

I found a partial results from RootRepeal. It was in My Documents folder. Sorry I was looking in the Trend Micro folder.

ROOTREPEAL © AD, 2007-2009


Scan Start Time: 2009/08/24 15:10

Program Version: Version

Windows Version: Windows XP SP2


Hidden/Locked Files


Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: c:\system volume information\efadata\sdmys_57e84a1fbe7cf5f448919483

Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\system volume information\efadata\sdmys_57e84a1fbe7cf5f4736f5d09

Status: Allocation size mismatch (API: 131072, Raw: 0)

Path: c:\system volume information\efadata\sdmys_ad5e2f7c30e8000a45645dfe

Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: c:\system volume information\efadata\sdmys_ad5e2f7c30e8000a64e1d8cd

Status: Allocation size mismatch (API: 131072, Raw: 0)

Path: C:\WINDOWS\system32\eventlog.dll

Status: Locked to the Windows API!

Link to post
Share on other sites

Set aside the RootRepeal for now. If the program is running, exit / close out of it. The log copy is only partial and should have had a lot more ..... if it had ever completed.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not akacraig and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

icon_arrow.gif Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

Very carefully start with this:

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.


Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3



* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.


RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Combofix.txt

Link to post
Share on other sites

Hi Maurice -

I stopped after a successful run of ERUNT.

I got to here "Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files. "

Under tools I only have

Map Network Drive

Disconnect Network Drive




Link to post
Share on other sites

Hi Maurice -

It worked!

When I ran Combo-Fix I was in safe mode with everything turned off. Also in Safemode I had no internet connection so I skipped the back up. When Combo-Fix rebooted the machine Aviro started.

Here is the log you have so patiently waited for.

It is named log.txt



Combofix log follows Craig, always Copy & Paste your logs In-line into text of reply box.

ComboFix 09-08-25.01 - chobart 08/25/2009 19:46.1.1 - NTFSx86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.322 [GMT -7:00]

Running from: c:\documents and settings\CHobart\Desktop\Combo-Fix2.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))








c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\chobart\My Documents\ZbThumbnail.info




c:\program files\Windows Antivirus Pro

c:\program files\Windows Antivirus Pro\tmp\images\i1.gif

c:\program files\Windows Antivirus Pro\tmp\images\i2.gif

c:\program files\Windows Antivirus Pro\tmp\images\i3.gif

c:\program files\Windows Antivirus Pro\tmp\images\j1.gif

c:\program files\Windows Antivirus Pro\tmp\images\j2.gif

c:\program files\Windows Antivirus Pro\tmp\images\j3.gif

c:\program files\Windows Antivirus Pro\tmp\images\jj1.gif

c:\program files\Windows Antivirus Pro\tmp\images\jj2.gif

c:\program files\Windows Antivirus Pro\tmp\images\jj3.gif

c:\program files\Windows Antivirus Pro\tmp\images\l1.gif

c:\program files\Windows Antivirus Pro\tmp\images\l2.gif

c:\program files\Windows Antivirus Pro\tmp\images\l3.gif

c:\program files\Windows Antivirus Pro\tmp\images\pix.gif

c:\program files\Windows Antivirus Pro\tmp\images\t1.gif

c:\program files\Windows Antivirus Pro\tmp\images\t2.gif

c:\program files\Windows Antivirus Pro\tmp\images\up1.gif

c:\program files\Windows Antivirus Pro\tmp\images\up2.gif

c:\program files\Windows Antivirus Pro\tmp\images\w1.gif

c:\program files\Windows Antivirus Pro\tmp\images\w11.gif

c:\program files\Windows Antivirus Pro\tmp\images\w2.gif

c:\program files\Windows Antivirus Pro\tmp\images\w3.gif

c:\program files\Windows Antivirus Pro\tmp\images\w3.jpg

c:\program files\Windows Antivirus Pro\tmp\images\wt1.gif

c:\program files\Windows Antivirus Pro\tmp\images\wt2.gif

c:\program files\Windows Antivirus Pro\tmp\images\wt3.gif








































----- BITS: Possible infected sites -----


Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\eventlog.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))




((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 )))))))))))))))))))))))))))))))


2009-08-26 02:52 . 2009-08-26 02:53 -------- d-----w- c:\documents and settings\TEMP

2009-08-25 22:42 . 2009-08-25 22:43 -------- d-----w- c:\program files\ERUNT

2009-08-25 18:15 . 2009-08-25 18:15 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys

2009-08-24 21:35 . 2009-08-24 21:53 -------- d-s---w- C:\Combo-Fix

2009-08-24 20:41 . 2009-08-24 21:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-24 18:11 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-24 18:11 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-08-24 18:11 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-08-24 18:11 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-08-24 18:11 . 2009-08-24 18:11 -------- d-----w- c:\program files\Avira

2009-08-24 18:11 . 2009-08-24 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-08-24 18:01 . 2009-08-25 22:38 -------- d-s---w- C:\ComboFix

2009-08-24 15:50 . 2009-08-24 15:50 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-08-22 14:29 . 2009-08-22 14:29 171840 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP0.exe

2009-08-22 14:29 . 2009-08-22 14:29 2855 ----a-w- c:\windows\svchast.PIF

2009-08-22 14:28 . 2009-08-22 14:28 -------- d--h--w- c:\windows\PIF

2009-08-22 06:50 . 2009-08-22 06:50 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help

2009-08-22 06:48 . 2009-08-22 06:49 -------- d-----w- c:\documents and settings\chobart\Local Settings\Application Data\Tific

2009-08-22 06:47 . 2009-08-22 06:47 -------- d-----w- c:\documents and settings\chobart\Application Data\Tific

2009-08-22 06:47 . 2009-08-22 06:47 -------- d-----w- c:\docume~1\CHobart\APPLIC~1\Tific

2009-08-22 06:41 . 2009-08-14 02:22 163192 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\IPSFFPlgn\components\IPSFFPl.dll

2009-08-22 06:38 . 2009-08-14 04:41 343600 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\BinHub\IDSvix86.sys

2009-08-22 06:38 . 2009-08-14 04:41 328056 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\BinHub\IDSxpx86.sys

2009-08-22 06:38 . 2009-08-14 04:41 328056 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\20090813.001\IDSxpx86.sys

2009-08-22 06:38 . 2009-08-14 04:41 470064 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\BinHub\IDSvia64.sys

2009-08-22 06:38 . 2009-08-14 04:41 470064 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\20090813.001\IDSVia64.sys

2009-08-22 06:38 . 2009-08-14 04:41 343600 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\20090813.001\IDSVix86.sys

2009-08-22 06:38 . 2009-08-14 04:41 730488 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\BinHub\scxpx86.dll

2009-08-22 06:38 . 2009-08-14 04:41 730488 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\20090813.001\Scxpx86.dll

2009-08-22 06:38 . 2009-08-14 04:41 486776 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\BinHub\idsxpx86.dll

2009-08-22 06:38 . 2009-08-14 04:41 486776 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\20090813.001\IDSxpx86.dll

2009-08-22 06:38 . 2009-08-24 17:29 893296 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\OCS\hsplayer.dll

2009-08-22 06:38 . 2009-08-14 17:41 892272 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\CLT\cltLMSx.dll

2009-08-22 06:37 . 2009-08-22 06:37 -------- d-----w- c:\windows\system32\drivers\NAV

2009-08-22 06:37 . 2009-08-22 06:37 -------- d-----w- c:\program files\Norton AntiVirus

2009-08-22 06:22 . 2009-08-22 06:22 -------- d-----w- c:\documents and settings\chobart\Application Data\Malwarebytes

2009-08-22 06:22 . 2009-08-22 06:22 -------- d-----w- c:\docume~1\CHobart\APPLIC~1\Malwarebytes

2009-08-22 06:21 . 2009-08-22 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-22 06:14 . 2009-08-22 06:14 -------- d-----w- c:\program files\Windows Sidebar

2009-08-22 06:13 . 2009-08-22 06:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-22 06:13 . 2009-08-22 06:37 -------- d-----w- c:\program files\NortonInstaller

2009-08-22 06:11 . 2009-08-22 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-08-22 05:36 . 2009-08-22 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard

2009-08-22 05:35 . 2009-08-22 05:35 -------- d-----w- c:\program files\Common Files\iS3

2009-08-22 05:35 . 2009-08-22 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2009-08-15 00:23 . 2009-08-15 00:23 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\BASHDefs\20090815.002\BHRules.dll

2009-08-15 00:23 . 2009-08-15 00:23 1412496 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\BASHDefs\20090815.002\BHEngine.dll

2009-08-15 00:23 . 2009-08-15 00:23 503344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\BASHDefs\20090815.002\BHDrvx86.sys

2009-08-15 00:23 . 2009-08-15 00:23 636976 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\BASHDefs\20090815.002\BHDrvx64.sys

2009-08-15 00:23 . 2009-08-15 00:23 590224 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\BASHDefs\20090815.002\bbRGen.dll

2009-08-12 14:31 . 2009-08-12 14:31 -------- d-----w- c:\windows\ServicePackFiles

2009-08-05 05:42 . 2009-08-05 05:43 -------- d-----w- c:\documents and settings\chobart\Local Settings\Application Data\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


2009-08-25 16:27 . 2008-10-02 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-08-22 06:49 . 2006-05-15 21:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-08-22 06:38 . 2009-08-22 06:14 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-08-22 06:38 . 2009-08-22 06:14 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-08-22 06:38 . 2006-05-15 21:30 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-08-22 06:38 . 2006-05-15 21:30 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-08-22 06:38 . 2006-05-15 21:29 -------- d-----w- c:\program files\Symantec

2009-08-21 21:34 . 2006-05-15 21:40 -------- d-----w- c:\program files\Google

2009-08-05 09:11 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-23 21:24 . 2006-05-15 21:33 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-07-17 18:55 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 09:18 . 2004-08-11 22:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-26 16:18 . 2004-08-11 22:00 659456 ----a-w- c:\windows\system32\wininet.dll

2009-06-26 16:18 . 2004-08-11 22:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-06-25 18:36 . 2004-08-11 22:00 95744 ----a-w- c:\windows\system32\mqsec.dll

2009-06-25 18:36 . 2004-08-11 22:00 661504 ----a-w- c:\windows\system32\mqqm.dll

2009-06-25 18:36 . 2004-08-11 22:00 517120 ----a-w- c:\windows\system32\mqsnap.dll

2009-06-25 18:36 . 2004-08-11 22:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll

2009-06-25 18:36 . 2004-08-11 22:00 471552 ----a-w- c:\windows\system32\mqutil.dll

2009-06-25 18:36 . 2004-08-11 22:00 47104 ----a-w- c:\windows\system32\mqdscli.dll

2009-06-25 18:36 . 2004-08-11 22:00 225280 ----a-w- c:\windows\system32\mqoa.dll

2009-06-25 18:36 . 2004-08-11 22:00 186880 ----a-w- c:\windows\system32\mqtrig.dll

2009-06-25 18:36 . 2004-08-11 22:00 177152 ----a-w- c:\windows\system32\mqrt.dll

2009-06-25 18:36 . 2004-08-11 22:00 16896 ----a-w- c:\windows\system32\mqise.dll

2009-06-25 18:36 . 2004-08-11 22:00 138240 ----a-w- c:\windows\system32\mqad.dll

2009-06-25 18:36 . 2004-08-11 22:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll

2009-06-25 08:17 . 2004-08-11 22:00 59392 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:17 . 2004-08-11 22:00 56320 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:17 . 2004-08-11 22:00 168448 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:17 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:17 . 2004-08-11 22:00 729600 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:17 . 2004-08-11 22:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-22 11:49 . 2004-08-11 22:00 19968 ----a-w- c:\windows\system32\mqbkup.exe

2009-06-22 11:49 . 2004-08-11 22:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe

2009-06-22 11:49 . 2004-08-11 22:00 4608 ----a-w- c:\windows\system32\mqsvc.exe

2009-06-22 11:48 . 2004-08-11 22:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys

2009-06-22 11:35 . 2004-08-11 22:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:55 . 2004-08-11 22:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:55 . 2004-08-11 22:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 11:50 . 2004-08-11 22:00 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 11:50 . 2004-08-11 22:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 19:55 . 2009-06-10 19:55 18186048 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\msgup900_2162_us_v2.exe

2009-06-10 14:21 . 2004-08-11 22:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:32 . 2004-08-11 22:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-08 17:16 . 2009-05-31 17:49 18184984 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\msgup900_2162_us.exe

2009-06-05 07:42 . 2004-08-11 22:11 655872 ----a-w- c:\windows\system32\mstscax.dll

2009-06-03 19:27 . 2004-08-11 22:00 1290752 ----a-w- c:\windows\system32\quartz.dll

2009-05-29 15:46 . 2009-04-28 04:33 18189072 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\msgup900_2152_us.exe

2007-01-19 18:31 . 2007-01-19 18:31 1515 ----a-w- c:\program files\heat and energy 2.txt

2006-09-11 15:08 . 2006-09-11 15:08 2484054 ----a-w- c:\program files\fatigue4.BMP


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))



*Note* empty entries & legit default entries are not shown



"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]


"ShowLOMControl"="1 (0x1)" [X]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-15 282624]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]

"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]


"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-29 113664]


@="FSFilter Activity Monitor"


"Dell QuickSet"=c:\program files\Dell\QuickSet\quickset.exe

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"

"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\security center]



"EnableFirewall"= 0 (0x0)



"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=


"67:UDP"= 67:UDP:DHCP Discovery Service

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1100000.077\SymDS.sys [8/21/2009 11:38 PM 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1100000.077\SymEFA.sys [8/21/2009 11:38 PM 169008]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\BASHDefs\20090815.002\BHDrvx86.sys [8/14/2009 5:23 PM 503344]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1100000.077\ccHPx86.sys [8/21/2009 11:38 PM 501888]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1100000.077\Ironx86.sys [8/21/2009 11:38 PM 114224]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/24/2009 11:11 AM 108289]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/21/2009 11:39 PM 102448]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/2/2006 1:08 AM 87936]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\Definitions\IPSDefs\20090813.001\IDSxpx86.sys [8/21/2009 11:38 PM 328056]

S2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]

S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\\ccSvcHst.exe [8/21/2009 11:38 PM 126392]

S3 cmvad;C-Media Wi-Sonic Wireless Audio Interface;c:\windows\system32\drivers\cmudaxv.sys --> c:\windows\system32\drivers\cmudaxv.sys [?]

S3 poorepeal2;poorepeal2;\??\c:\windows\system32\drivers\poorepeal2.sys --> c:\windows\system32\drivers\poorepeal2.sys [?]

S3 rootrepeal2;rootrepeal2;\??\c:\windows\system32\drivers\rootrepeal2.sys --> c:\windows\system32\drivers\rootrepeal2.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BASFND


Contents of the 'Scheduled Tasks' folder

2009-08-26 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-04 05:16]

2009-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1866874134-3719042735-974690538-2023Core.job

- c:\documents and settings\CHobart\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 16:22]

2009-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1866874134-3719042735-974690538-2023UA.job

- c:\documents and settings\CHobart\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 16:22]

2009-08-21 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 05:18]


- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinampAgent - c:\program files\Winamp\wianmpa.exe

HKLM-Run-CmFlywaveName - c:\windows\System\CmFlywav.exe


------- Supplementary Scan -------


mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

FF - ProfilePath - c:\docume~1\CHobart\APPLIC~1\Mozilla\Firefox\Profiles\l7nikywv.default\

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.119\IPSFFPlgn\components\IPSFFPl.dll

FF - plugin: c:\documents and settings\CHobart\Local Settings\Application Data\Google\Update\\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll

FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll


FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");



catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-25 19:55

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0



"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\\diMaster.dll\" /prefetch:1"


------------------------ Other Running Processes ------------------------







c:\program files\Avira\AntiVir Desktop\avguard.exe


c:\program files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe

c:\program files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\Avira\AntiVir Desktop\update.exe



c:\program files\Apoint\ApntEx.exe

c:\program files\Apoint\hidfind.exe

c:\program files\iPod\bin\iPodService.exe




Completion time: 2009-08-26 20:04 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-26 03:03

Pre-Run: 62,098,202,624 bytes free

Post-Run: 61,595,635,712 bytes free

381 --- E O F --- 2009-08-13 17:12

Link to post
Share on other sites

De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader. Get the latest version from http://www.adobe.com/products/acrobat/readstep2.html


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 16 -"
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files

      [*]Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

      [*]Click OK to leave the Temporary Files Window

      [*]Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_16 from Sun Microsystems Inc.

Small tweaks for Java runtime, since most all users do not need to load Java at each Windows startup:

Go to folder C:\Program Files\Java\jre6\bin

double click on javacpl.exe the Java control panel applet.

Click Advanced Tab. Expand the Miscellaneous item.

UN-check the line Java quick starter

If you want to also un-check the "Check for updates automatically" you may:

Click the Update tab. un-check the line if it is checked.

Press Apply then OK. Close the applet when done.


Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}


Using Internet Explorer browser only, go to ESET Online Scanner website:


  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here


    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

Reply with copy of Eset scan log, and tell me, How is the system now?

You ought now to be able to finish installing (if you did not before) and running MBAM and be able to run a quick scan.

Post a copy of the MBAM scan after it is done.

Link to post
Share on other sites

Hi Maurice -

Things seem to be working better.


Malwarebytes' Anti-Malware 1.40

Database version: 2706

Windows 5.1.2600 Service Pack 2

8/27/2009 10:52:54 AM

mbam-log-2009-08-27 (10-52-54).txt

Scan type: Full Scan (C:\|)

Objects scanned: 167005

Time elapsed: 58 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AntipPro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\WINDOWS\system32\dddesot.dll.vir (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\onhelp.htm (Rogue.Trace) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Locate where you saved Fixpolicies (from my 1st reply).

Find where you have Fix_Policies.cmd

and run it just once more.

I still need for you to run the Eset online scan. When done with that, copy and paste contents of that log.

Do keep in touch here. We will need to guide you to remove tools we used.

Link to post
Share on other sites

Hi Maurice -

This is the ESET Log.

C:\Documents and Settings\CHobart\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-63b886a4-2cab2212.class Java/TrojanDownloader.OpenStream.NAC trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\kvhwftjn.exe.vir Win32/TrojanDownloader.Small.ORV trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir a variant of Win32/Kryptik.YQ trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\tajf83ikdmf.dll.vir Win32/TrojanDownloader.Small.ORV trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\wispex.html.vir Win32/Adware.WinAntiVirus application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir a variant of Win32/Kryptik.AFH trojan cleaned by deleting - quarantined


Link to post
Share on other sites

Hello craig,

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
    Files to delete:

    Drivers to delete:

  • In the avenger window, click the Paste Script from Clipboard icon, pastets4.png button.
  • icon_exclaim.gifMake sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.

and then reboot the system again.


Next, let's follow-up with a scan using Sysclean:

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista

If the results are good, next pass we can start on the final cleanups & closure steps.

Link to post
Share on other sites

  • 5 weeks later...

This thread is closed due to lack of response. The procedures used here were specific to this system and only for this system. Do not apply them to another; doing so will likely damage your system.

If you are a casual observer and having same issues, please follow forum procedures and create your own New topic.

I'm infected - What do I do now?

Procedures to help resolve issues preventing MBAM from running

Link to post
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.