Jump to content

Virus or Malware problem


Recommended Posts

I am working on a friend's laptop which has a virus or malware (actually I think many of both) on it. It will not allow any anti-virus or spyware programs to run. I am also unable to run hijackthis on this system either. It is a Dell Laptop w/ Windows XP Home Edition. I found a post which was similar on here and ran the items that were suggested which I will detail below. I will put the results in a seperate post.

Start with this:

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

=

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

* Double-click FixPolicies.exe.

* Click the "Install" button on the bottom toolbar of the box that will open.

* The program will create a new Folder called FixPolicies.

* Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.

* A black box will briefly appear and then close.

* This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

=

1. Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

3. Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

=

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe and really try to Rename it ALPHA.exe

IF unable to download it, use another pc to download and then transfer it to the DESKTOP

* Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.

* In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".

* Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.

* It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.

* Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!

* Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here

* Run Security Check

* Follow the onscreen instructions inside of the command window.

* A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):

* the contents of OTL.txt;

* the contents of Extras.txt ; and

* the contents of checkup.txt

Link to post
Share on other sites

This is the results of the scans.

OTL Report

OTL logfile created on: 10/3/2009 9:35:32 PM - Run 1

OTL by OldTimer - Version 3.0.18.2 Folder = C:\Documents and Settings\LON\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.11)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.07 Gb Available Physical Memory | 53.60% Memory free

2.60 Gb Paging File | 1.62 Gb Available in Paging File | 62.43% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 71.09 Gb Total Space | 55.96 Gb Free Space | 78.72% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: HOME

Current User Name: LON

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2005/08/04 05:02:58 | 00,380,928 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe

PRC - [2004/09/07 17:02:40 | 00,086,016 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

PRC - [2004/09/07 17:05:10 | 00,360,521 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

PRC - [2004/09/07 17:12:32 | 00,225,353 | ---- | M] (Intel

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

I downloaded & ran ComboFix. It started to scan & then put up a dialog box which said:

ComboFix has detected the presence of rootkit activity and needs to reboot the machine kindly note down on paper, the name of each file. We may need it later

C:\WINDOWS\System32\drivers\gasfkyoriijeoy.sys

C:\WINDOWS\System32\gasfkyxwipftum.dll

C:\WINDOWS\System32\gasfkypulbqwhh.dat

C:\WINDOWS\System32\gasfkysdotobie.dll

C:\WINDOWS\System32\gasfkyqmhlrgwr.dat

C:\WINDOWS\System32\gasfkytetjlkii.dll

It then reboots and starts scanning again and pops up the same dialog box, and keeps going through that same cycle. Whatever is in this system will not allow HiJackThis to run.

Link to post
Share on other sites

Ok I think I got that stumbling block taken care of. Here are the logs you requested.

ComboFix Log

ComboFix 09-10-03.01 - LON 10/04/2009 9:35.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1550 [GMT -4:00]

Running from: c:\documents and settings\LON\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1356 [VPS 091003-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\aIx26.tmp

c:\documents and settings\All Users\Application Data\wuxuqoryq.bin

c:\documents and settings\All Users\Application Data\ypuqi.vbs

c:\documents and settings\All Users\Documents\agocivubo.com

c:\documents and settings\All Users\Documents\egirecusy.com

c:\documents and settings\LON\Application Data\etodopoxes.dll

c:\documents and settings\LON\Application Data\parapy.com

c:\documents and settings\LON\Local Settings\Application Data\judypoke.bat

c:\documents and settings\LON\Local Settings\Application Data\mijepysaq.pif

c:\documents and settings\LON\Local Settings\Application Data\ugik.vbs

c:\documents and settings\LON\Local Settings\Application Data\uxocalisa.inf

c:\documents and settings\LON\My Documents\backup.reg

C:\p2hhr.bat

c:\program files\Common Files\edefozyx.pif

c:\program files\Common Files\goti.dl

c:\program files\Common Files\ymapy.inf

c:\windows\akemita.vbs

c:\windows\awuyaraqesaci.dll

c:\windows\edixypido.pif

c:\windows\esohohob.exe

c:\windows\fizefy.ban

c:\windows\iwekil._dl

c:\windows\kyxesy.reg

c:\windows\qotygyxec.ban

c:\windows\sivolaz.dll

c:\windows\system32\bszip.dll

c:\windows\system32\drivers\gasfkyoriijeoy.sys

c:\windows\system32\eqog.bat

c:\windows\system32\gasfkypulbqwhh.dat

c:\windows\system32\gasfkyqmhlrgwr.dat

c:\windows\system32\gasfkysdotobie.dll

c:\windows\system32\gasfkytetjlkii.dll

c:\windows\system32\gasfkyxwipftum.dll

c:\windows\system32\images

c:\windows\system32\images\i1.gif

c:\windows\system32\images\i2.gif

c:\windows\system32\images\i3.gif

c:\windows\system32\images\j1.gif

c:\windows\system32\images\j2.gif

c:\windows\system32\images\j3.gif

c:\windows\system32\images\jj1.gif

c:\windows\system32\images\jj2.gif

c:\windows\system32\images\jj3.gif

c:\windows\system32\images\l1.gif

c:\windows\system32\images\l2.gif

c:\windows\system32\images\l3.gif

c:\windows\system32\images\pix.gif

c:\windows\system32\images\t1.gif

c:\windows\system32\images\t2.gif

c:\windows\system32\images\up1.gif

c:\windows\system32\images\up2.gif

c:\windows\system32\images\w1.gif

c:\windows\system32\images\w11.gif

c:\windows\system32\images\w2.gif

c:\windows\system32\images\w3.gif

c:\windows\system32\images\w3.jpg

c:\windows\system32\images\wt1.gif

c:\windows\system32\images\wt2.gif

c:\windows\system32\images\wt3.gif

c:\windows\system32\jegopy.dll

c:\windows\system32\neromes.bat

c:\windows\system32\system

c:\windows\system32\system\msxml4.dll

c:\windows\system32\system\msxml4r.dll

c:\windows\tanuvetu.dl

c:\windows\wubuq.vbs

c:\windows\yjataw.dl

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))

.

2009-10-04 13:41 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-10-04 13:41 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2009-10-04 13:17 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-04 13:17 . 2009-10-04 13:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-04 13:17 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-04 02:35 . 2009-10-04 10:46 0 ----a-r- c:\windows\Vpegikodurex.bin

2009-10-04 02:35 . 2009-10-04 10:46 120 ----a-w- c:\windows\Ttekisixejiguluk.dat

2009-10-04 02:35 . 2009-10-04 02:35 -------- d-----w- c:\documents and settings\LON\Local Settings\Application Data\{2D6CCB60-56E9-48C2-9DA5-77F0CA688A4F}

2009-10-04 01:14 . 2004-12-15 15:40 203264 ----a-w- c:\documents and settings\HijackThis.exe

2009-10-03 21:32 . 2009-10-03 21:31 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-10-03 21:28 . 2009-10-03 21:28 -------- d-----w- c:\documents and settings\LON\Local Settings\Application Data\Mozilla

2009-10-03 21:22 . 2009-10-03 21:32 -------- d-----w- c:\documents and settings\LON\.housecall6.6

2009-10-03 13:59 . 2009-10-03 13:59 -------- d-----w- c:\documents and settings\LON\Application Data\Malwarebytes

2009-10-03 13:59 . 2009-10-03 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-03 13:02 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2009-10-03 13:02 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2009-10-03 13:02 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2009-10-03 13:02 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr

2009-10-03 13:02 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys

2009-10-03 13:02 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2009-10-03 13:02 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys

2009-10-03 13:02 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2009-10-03 13:02 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe

2009-10-03 13:02 . 2009-10-03 13:02 -------- d-----w- c:\program files\Alwil Software

2009-10-03 12:47 . 2009-10-03 12:47 131 ----a-w- C:\deldll.bat

2009-10-03 11:52 . 2009-10-03 11:52 -------- d-----w- c:\program files\CCleaner

2009-10-01 00:01 . 2009-10-03 13:52 131731 ----a-w- c:\windows\system32\dbsinit.exe

2009-09-30 23:56 . 2009-09-30 23:56 19893 ----a-w- c:\windows\system32\ovoraqup.com

2009-09-30 23:56 . 2009-09-30 23:56 17389 ----a-w- c:\program files\Common Files\ebacunyn.dat

2009-09-30 23:56 . 2009-09-30 23:56 15041 ----a-w- c:\documents and settings\LON\Local Settings\Application Data\ohibesejyp.dat

2009-09-30 23:48 . 2009-09-30 23:48 80 ----a-w- C:\abcdefg.bat

2009-09-30 23:47 . 2009-09-30 23:47 12288 ----a-w- C:\qtpjjuur.exe

2009-09-30 23:47 . 2009-09-30 23:47 6144 ----a-w- C:\avjelge.exe

2009-09-08 20:14 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-04 13:00 . 2007-03-29 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-10-04 13:00 . 2007-03-29 01:49 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-10-04 12:47 . 2007-03-29 01:14 -------- d-----w- c:\program files\Lavasoft

2009-10-03 12:38 . 2005-10-17 20:23 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-10-03 12:38 . 2005-10-17 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-10-03 12:31 . 2005-10-17 20:39 -------- d-----w- c:\documents and settings\LON\Application Data\Symantec

2009-09-17 17:59 . 2008-04-27 17:08 -------- d-----w- c:\program files\Full Tilt Poker.Net

2009-09-03 00:28 . 2006-02-14 20:08 6836 ----a-w- c:\documents and settings\LON\Application Data\wklnhst.dat

2009-08-23 22:56 . 2005-10-17 20:10 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-21 15:21 . 2009-08-21 15:21 0 ----a-w- c:\documents and settings\Guest\Application Data\wklnhst.dat

2009-08-21 15:17 . 2009-08-21 15:16 -------- d-----w- c:\documents and settings\Guest\Application Data\Yahoo!

2009-08-21 15:13 . 2006-03-19 18:44 8224 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\LON\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2009-06-29 3962184]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]

[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]

[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]

[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2008-08-06 20:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]

2009-06-29 13:55 3962184 ----a-w- c:\documents and settings\LON\Local Settings\Application Data\CyberDefender\cdmyidd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\LON\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2009-06-29 3962184]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]

[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]

[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]

[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\LON\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2009-06-29 3962184]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]

[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]

[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]

[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-10-17 98304]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2004-08-31 294912]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]

"DellMCM"="c:\program files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 262144]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\LON\Start Menu\Programs\Startup\

Screen Saver Control.lnk - c:\windows\FSScrCtl.exe [2006-5-11 249344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2006-11-2 217088]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-17 24576]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-7 180224]

Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/3/2009 9:02 AM 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/3/2009 9:02 AM 20560]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://att.yahoo.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = 127.0.0.1;localhost

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\LON\Application Data\Mozilla\Firefox\Profiles\lzihmgat.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: XULRunner: {2D6CCB60-56E9-48C2-9DA5-77F0CA688A4F} - c:\documents and settings\LON\Local Settings\Application Data\{2D6CCB60-56E9-48C2-9DA5-77F0CA688A4F}

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

URLSearchHooks-~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

HKLM-Run-Agetucaq - c:\windows\awuyaraqesaci.dll

HKLM-Run-McENUI - c:\progra~1\McAfee\MHN\McENUI.exe

HKLM-Run-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-04 09:43

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-675911192-754727625-3110675177-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)

c:\windows\system32\Ati2evxx.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3908)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKEEPER.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\program files\Dell Photo AIO Printer 942\dlbubmon.exe

c:\progra~1\Yahoo!\browser\ycommon.exe

c:\program files\Apoint\ApntEx.exe

c:\windows\system32\wscntfy.exe

c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe

.

**************************************************************************

.

Completion time: 2009-10-04 9:49 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-04 13:49

Pre-Run: 60,326,719,488 bytes free

Post-Run: 60,215,324,672 bytes free

322 --- E O F --- 2009-10-01 18:44

Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:26:45 AM, on 10/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\Program Files\Dell Photo AIO Printer 942\memcard.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\FSScrCtl.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R3 - URLSearchHook: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\LON\Local Settings\Application Data\CyberDefender\cdmyidd.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)

O2 - BHO: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\LON\Local Settings\Application Data\CyberDefender\cdmyidd.dll

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll (file missing)

O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\LON\Local Settings\Application Data\CyberDefender\cdmyidd.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

O4 - HKLM\..\Run: [DellMCM] "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/games/clients/y/et3_x.cab

O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/clients/y/pt3_x.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: WLANKEEPER - Intel

Link to post
Share on other sites

  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=26696
Collect::
C:\windows\Vpegikodurex.bin
c:\windows\Ttekisixejiguluk.dat
c:\windows\system32\dbsinit.exe
c:\windows\system32\ovoraqup.com
c:\program files\Common Files\ebacunyn.dat
c:\documents and settings\LON\Local Settings\Application Data\ohibesejyp.dat
C:\abcdefg.bat
C:\qtpjjuur.exe
C:\avjelge.exe
c:\documents and settings\LON\Local Settings\Application Data\CyberDefender\cdmyidd.dll

Save this as CFScript.txt

CFScriptB-4.gif

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

-screen317

Link to post
Share on other sites

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.