
MBAM Won't run


Jake227


I posted this somewhere else on here, but apparently I needed to move it to this area, so here it goes.

What my computer is doing:

OK, so I have the Google Redirect Virus thing. Basically, when I google anything and click on the link, I get redirected to another page trying to sell me something. Also, my computer runs very slow and my background is gone and is now replaced by something stating I need to restore my active desktop. The only way I can run anything is to run the programs from my task manager.

What I have done to try and fix it:

I ran AVG and it found and deleted some stuff, but apparently that didn't do anything. From what I have read on various places online, MBAM seems to be the thing to use but it won't work. I can download it and update it but once I try to run it, it starts for about 2 seconds and then stops. So, everyone says to rename the file to something else. Well, I have tried that and it doesn't work. When I try to run it, there is a message stating that it cannot find the correct path to the program. I have tried this in safe mode also with no success.

Any Help is appreciated!!!!!


  • Root Admin

Nope, we're just busy as heck.

Please run the following and post back the log.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:

    [image: CF_download_FF.gif]

    [image: CF_download_rename.gif]

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because it also happens in some cases that malware blocks EVERY process except what is in its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...


Please post a status update.

OK, so I ran Combofix and when it got done a box popped up that said: "ComboFix has detected Rootkit activety and needs to reboot the machine." It also posted this log which it said to write down:



Yes! I am still here! Sorry, I have been out of town for a couple days and did not have access to a computer. I am at my work computer right now, so sometime this weekend I will post the full Combofix log. Depending on how my home computer is running I might not be able to be in contact again until Monday morning, but hopefully I can get the log posted this weekend and we can go from there.

thanks!!!


No problem, I'm leaving now to go out of town for the weekend. I'll check back with you on Monday.

Here is the log:



  • Root Admin

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::
Driver::
wdgugmcunspr
File::
c:\windows\system32\drivers\zbpsbizg.sys

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

[image: CFScript.gif]

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

STEP 03

Please temporarily disable your current Anti-Virus in order to run this Online AV scanner.

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

STEP 04

Update your AVG Anti-Virus to the latest version and run a Full Scan and let me know if it finds anything.

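One way to pull out of a ComboFix log the three patterns the Root Admin acted on above: the service whose driver file ComboFix could not find on disk (the one that went into the CFscript), the Run value that points straight at a DLL, and a hidden+system DLL sitting in system32. This is an added example, not ComboFix's or Malwarebytes' code; the sample lines are copied from the log posted earlier in this thread, while the rule names and the Finding class are my own.

```python
"""Triage heuristics for ComboFix log lines (added example, not ComboFix's code).

Three line shapes from the posted log are parsed:
  Find3M / Files Created:  "ctime . mtime size attrs path"
  Reg Loading Points:      '"value"="target" [yyyy-mm-dd size]'
  Drivers/Services:        "S2 name;display;path --> path [?]"
Lines that match none of them are skipped.
"""
import re
from dataclasses import dataclass

# "ctime . mtime size attrs path"; size is digits or "--------" for a directory
FILE_RE = re.compile(
    r"^(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(?P<size>\d+|-+)\s+(?P<attrs>\S{8})\s+(?P<path>.+)$"
)
# '"value"="target" [date size]' as printed under the Run keys
RUN_RE = re.compile(r'^"(?P<value>[^"]+)"="(?P<target>[^"]+)"\s*\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$')
# "R1 name;display;path ..." / "S2 name;display;path --> path [?]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r'''
2009-09-17 01:35 . 2009-06-17 01:35 89088 --sha-w- c:\windows\system32\zomejuhe.dll
2009-09-12 20:24 . 2009-09-12 20:24 11952 ----a-w- c:\windows\system32\avgrsstx.dll
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"wabegipan"="c:\windows\system32\zomejuhe.dll" [2009-09-17 89088]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/12/2009 4:24 PM 335240]
S2 wdgugmcunspr;wdgugmcunspr;\??\c:\windows\system32\drivers\zbpsbizg.sys --> c:\windows\system32\drivers\zbpsbizg.sys [?]
'''


@dataclass(frozen=True)
class Finding:
    rule: str    # hypothetical rule name, chosen for this example
    path: str    # file or image path the rule fired on
    detail: str  # why it fired


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line, in log order."""
    findings: list[Finding] = []
    hidden_dlls: set[str] = set()  # lets a later Run entry corroborate an earlier file entry
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            # In the attribute column 's' and 'h' are the system and hidden bits
            # ("--sha-w-" in the log); a hidden+system DLL in system32 is the
            # pattern zomejuhe.dll showed.
            if "s" in attrs and "h" in attrs and path.lower().endswith(".dll"):
                hidden_dlls.add(path.lower())
                findings.append(Finding("hidden_system_dll", path, f"attributes {attrs}"))
            continue
        m = RUN_RE.match(line)
        if m:
            target = m.group("target")
            # A Run value normally names an .exe; one that resolves to a DLL is
            # worth a look, and is how zomejuhe.dll appeared under HKLM\...\Run.
            if target.lower().endswith(".dll"):
                why = f'Run value "{m.group("value")}" points at a DLL'
                if target.lower() in hidden_dlls:
                    why += " that is also hidden+system"
                findings.append(Finding("dll_in_run", target, why))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, rest = m.group("name"), m.group("rest")
            # ComboFix prints "--> path [?]" when a service's image file is not
            # visible on disk: either deleted or hidden by a rootkit. This is the
            # wdgugmcunspr / zbpsbizg.sys pair the CFscript targets.
            if rest.rstrip().endswith("[?]"):
                image = rest.split("-->")[-1].replace("[?]", "").strip()
                findings.append(Finding("missing_driver_file", image, f"service {name}"))
            continue
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:20} {f.path}  ({f.detail})")
```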

OK, I can't disable my AVG active scanning. When I try to open it it just states that "Security Tool has detected malware in it" and it doesn't open. I can open it up in safe mode, but it has a different looking screen and doesn't show anywhere where I can disable the scanning. Can I run Combofix anyway? Is there another way to stop the active scanning? Also, I have tried removing it from Add/remove programs but I can't remove it either. It just states that there was an error removing it.


OK, I am unable to run MBAM still. I didn't try it in safe mode because the instructions said not to, so I don't know if I should try that or not. Also, I can't run AVG either. I was able to run Combofix again and ESET. I have the 2 logs posted below. Should I try to run MBAM in safe mode? Even if I try I'm pretty positive it won't work. Anyway, here are the logs:


C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0058299.exe Win32/Adware.SafetyCenter.A application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0058300.exe Win32/Adware.SafetyCenter.A application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0058301.exe Win32/Adware.SafetyCenter.A application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0058306.exe a variant of Win32/Kryptik.ADD trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0058312.sys Win32/Rustock.NKU trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0058314.sys a variant of Win32/Olmarik.HI trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0058317.dll a variant of Win32/Kryptik.AJK trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0058318.dll a variant of Win32/Routmo.H trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0058320.dll a variant of Win32/Kryptik.AOD trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0058321.dll a variant of Win32/Kryptik.AJK trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0058322.dll a variant of Win32/Kryptik.AOD trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0058323.dll a variant of Win32/Kryptik.AJK trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0058325.dll a variant of Win32/Kryptik.AJK trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0058332.exe Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0058336.dll a variant of Win32/Kryptik.YQ trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0059344.dll a variant of Win32/Adware.Virtumonde.NFQ application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0059345.dll a variant of Win32/Kryptik.AOD trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0060548.dll a variant of Win32/Adware.Virtumonde.NFQ application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0060549.dll a variant of Win32/Adware.Virtumonde.NFQ application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\RP301\A0060550.exe a variant of Win32/Kryptik.ARW trojan 00000000000000000000000000000000 I

C:\WINDOWS\system32\soyabodu.dll a variant of Win32/Kryptik.AJK trojan 00000000000000000000000000000000 I

C:\WINDOWS\system32\wofovelo.dll a variant of Win32/Kryptik.AOD trojan 00000000000000000000000000000000 I

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.ADM trojan 00000000000000000000000000000000 I

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8TIZGPYJ\atuuiima[1].htm a variant of Win32/Kryptik.AFJ trojan 00000000000000000000000000000000 I

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8TIZGPYJ\elyii[1].txt Win32/TrojanDownloader.Small.NFA trojan 00000000000000000000000000000000 I

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\STE3CT6N\lbblzmzax[1].htm a variant of Win32/Kryptik.AMH trojan 00000000000000000000000000000000 I

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\STE3CT6N\SetupAdvancedVirusRemover[1].exe Win32/Adware.AdvancedVirusRemover application 00000000000000000000000000000000 I

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SXEFKPEV\rkhueef[1].htm Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WT6VKHUR\aesdfghjgf[1].dll Win32/Adware.CoreguardAntivirus application 00000000000000000000000000000000 I

COMBOFIX LOG:

ComboFix 09-10-06.04 - Jake 10/07/2009 18:45.3.2 - NTFSx86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.373 [GMT -4:00]

Running from: c:\documents and settings\Jake\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Jake\Desktop\CFscript.txt

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

"c:\windows\system32\drivers\zbpsbizg.sys"

.

"c:\program files\internet explorer\iexplore.exe ... is infected"

((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))

.

2009-10-02 00:07 . 2009-10-02 00:07 -------- d-----w- c:\documents and settings\Jake\Application Data\3867386240

2009-09-12 20:24 . 2009-09-12 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-09-12 20:24 . 2009-10-07 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-12 07:20 . 2009-09-12 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\16018434

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\drivers\tcpip.sys ... is infected !!

((((((((((((((((((((((((((((( SnapShot@2009-10-01_23.31.46 )))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-04-25 77824]

"Persistence"="c:\windows\System32\igfxpers.exe" [2005-04-25 114688]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-12 2007832]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"3867386240"="c:\documents and settings\Jake\Application Data\3867386240\3867386240.exe" [2009-10-02 1047588]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-07-25 90112]

"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-07-25 2806272]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-09-12 20:24 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5ktxx.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8moxx.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8xpxx.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Gateway\\HPA\\gwmenu.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/12/2009 4:24 PM 108552]

S0 ati5ktxx;ati5ktxx;c:\windows\system32\Drivers\ati5ktxx.sys --> c:\windows\system32\Drivers\ati5ktxx.sys [?]

S0 ati8moxx;ati8moxx;c:\windows\system32\Drivers\ati8moxx.sys --> c:\windows\system32\Drivers\ati8moxx.sys [?]

S0 ati8xpxx;ati8xpxx;c:\windows\system32\Drivers\ati8xpxx.sys --> c:\windows\system32\Drivers\ati8xpxx.sys [?]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/12/2009 4:24 PM 335240]

S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [7/12/2009 12:23 PM 464264]

S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [7/12/2009 12:23 PM 234888]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/12/2009 4:24 PM 908056]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/12/2009 4:24 PM 297752]

.

Contents of the 'Scheduled Tasks' folder

2009-07-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.woodtv.com/Global/category.asp?C=2274&nav=menu44_1

uSearchMigratedDefaultURL = hxxp://www.google.com/

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://www.google.com/

mSearchMigratedDefaultURL = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-wabegipan - c:\windows\system32\pufuyada.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-07 18:50

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: ~,10time:~,-3machine was rebootedCombobatch-by

ComboFix-quarantined-files.txt 2009-10-07 22:51

ComboFix2.txt 2009-10-07 02:40

ComboFix3.txt 2009-10-01 23:34

Pre-Run: 96,658,231,296 bytes free

Post-Run: 96,676,413,440 bytes free

112 --- E O F --- 2009-09-12 08:54

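The online-scanner log at the top of this post mixes live files with copies that are already in ComboFix's quarantine, in System Restore points, or in the browser cache, and every hash column is all zeros. The following triage script is an added example (not code from the forum, Malwarebytes or the scanner vendor) that parses lines of that shape and separates the still-active paths from the dormant copies; the sample lines are constructed from the log's format and the location buckets are my own classification.

```python
import re
from collections import Counter

# One scanner log line: <path> [a variant of ]<detection> <type> <32-hex hash> <flag>.
# The path may contain spaces, so it is matched non-greedily and the fixed tail anchors it.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<variant>a variant of )?(?P<name>\S+) (?P<kind>\S+) "
    r"(?P<hash>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)
# Constructed sample in the shape of the scanner log pasted above.
SAMPLE_LOG = """\
C:\\Qoobox\\Quarantine\\C\\windows\\msa.exe.vir a variant of Win32/Kryptik.ADD trojan 00000000000000000000000000000000 I
C:\\System Volume Information\\_restore{CC4AE0D7-85DA-4270-AB39-AA47EB3FF710}\\RP301\\A0058312.sys Win32/Rustock.NKU trojan 00000000000000000000000000000000 I
C:\\WINDOWS\\system32\\config\\systemprofile\\Local Settings\\Temporary Internet Files\\Content.IE5\\8TIZGPYJ\\elyii[1].txt Win32/TrojanDownloader.Small.NFA trojan 00000000000000000000000000000000 I
C:\\WINDOWS\\system32\\soyabodu.dll a variant of Win32/Kryptik.AJK trojan 00000000000000000000000000000000 I
"""

def classify_location(path: str) -> str:
    """Bucket a detection by where it sits; that decides how urgent it is."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "quarantine"     # already neutralised by ComboFix
    if "\\system volume information\\_restore" in p:
        return "restore point"  # dormant copy, gone once System Restore is purged
    if "\\temporary internet files\\" in p:
        return "browser cache"  # downloaded payload, not necessarily executed
    return "active"             # live file path: still needs removal

def parse_line(line: str):
    """Return the fields of one detection line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Family = name minus platform prefix and variant suffix: Win32/Kryptik.AFJ -> Kryptik
    rec["family"] = rec["name"].split("/", 1)[-1].rsplit(".", 1)[0]
    rec["location"] = classify_location(rec["path"])
    rec["hash_usable"] = rec["hash"] != "0" * 32  # all-zero hash carries no IoC value
    return rec

def triage(log_text: str) -> dict:
    """Summarise a pasted log: counts per location and family, plus live paths."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "total": len(records),
        "by_location": Counter(r["location"] for r in records),
        "by_family": Counter(r["family"] for r in records),
        "active_paths": [r["path"] for r in records if r["location"] == "active"],
        "usable_hashes": sum(r["hash_usable"] for r in records),
    }
```

Run `triage()` over the full pasted log to see which of the 59 detections are still live on disk versus copies that the quarantine and restore-point cleanup will take care of.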

  • Root Admin

Yes,

Please run the following now and post back the log.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must right-click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new HijackThis log.
