MBAM will not start "can't find mbam.exe"


rwbubba

Hi,

My computer w/winxp pro was infected Wednesday with Vundo and Rogue Agent from one Google click.

I was not able to run my installed Malwarebytes ("can't find mbam.exe" message)

but Super Antispyware ran and found 18 items and quarantined them.

Malwarebytes still will not run.

I then ran Norton and it showed no infections.

from the forum:

The fix(s)

If you already have MBAM installed on your computer.

Please navigate to the MBAM folder located in the Program Files directory.

Locate MBAM.exe and rename it to winlogon.exe

Once renamed double click on the file to open MBAM and select Quick Scan

At the end of the scan allow MBAM to remove what it had found then reboot.

Goodbye SystemSecurity

I can't find the MBAM.exe file to rename it to run Malwarebytes.

On my computer, these are the folders in C:\Program Files\Malwarebytes

languages

changes

license

mbam 60KB

mbam.dll 160KB

mbamext.dll 72KB

mbamgui 412KB

mbamservice 264KB

ssubtmr6.dll 44KB

unins000 80KB

unins000 684KB

unins000 12KB

vbalsgrid6.ocx 484KB

zlib.dll 80KB

Where do I find the mbam.exe to change it or will I not be able to?

Tried double clicking on a couple of the above folders but

the pop-up asked for an input of what to use to open it, with a warning.

I did not proceed not having an idea of what I was doing.

The "Fix" above from the forum website seemed easy enough but I'm stuck.

Do I need to try a different "Fix"?

Damage left from trojans, that I can see, is my wall paper is missing,

at start up an error message stating C:\windows\system32\gebuhobo.dll module

could not be found, and I'm unable to run Malwarebytes.

Would setting system restore to the day before infection work?

No, I am not an advanced PC user. :-)

Thank you for any assistance or suggestions in advance to bail me out.

Ron


Hi and welcome to Malwarebytes.

Please download Win32kDiag.exe by AD to your Desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply.

-screen317

Hi, Thank you for the help instructions. I ran the program with this copied result:

Running from: C:\Documents and Settings\Ronald Wroblewski\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Ronald Wroblewski\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!


Hi,

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

----------------------------------------------

Hi Criss,

I figured out the Combofix program (after a few mistakes by me) and the resulting Log is below.

I will next learn the HijackThis program and get a Log from it.

Ron

ComboFix 09-10-12.03 - Ronald Wroblewski 10/13/2009 13:32.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1633 [GMT -4:00]

Running from: c:\documents and settings\Ronald Wroblewski\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Ronald Wroblewski\Application Data\Microsoft\Internet Explorer\Quick Launch\SUPERAntiSpyware Free Edition.lnk

c:\recycler\NPROTECT

c:\windows\Downloaded Program Files\Temp

.

((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))

.

2009-12-26 04:43 . 2009-12-26 04:43 -------- d-----w- c:\documents and settings\Ronald Wroblewski\Application Data\Malwarebytes

2009-12-26 04:43 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-26 04:43 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-26 04:43 . 2009-12-26 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-12-26 04:43 . 2009-10-09 19:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-09 04:38 . 2009-10-09 04:38 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-10-09 04:37 . 2009-10-09 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-09-22 05:34 . 2009-09-22 05:34 -------- d-----w- c:\program files\Microsoft Money 2006

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-13 17:37 . 2008-12-26 21:49 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-10-09 05:15 . 2004-12-05 14:52 19304 ----a-w- c:\documents and settings\Ronald Wroblewski\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-09 04:44 . 2004-12-15 00:59 -------- d-----w- c:\program files\Common Files\Adobe

2009-09-26 05:34 . 2005-02-10 23:15 -------- d-----w- c:\program files\Starry Night Pro 4

2009-08-05 09:01 . 2003-03-31 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2008-12-26 21:54 . 2008-12-26 21:54 32 --sha-w- c:\windows\{0B53EE43-1B66-4594-BCE3-C92D9F19BAAE}.dat

2008-12-26 21:51 . 2008-12-26 21:51 32 --sha-w- c:\windows\{0EB162E2-7841-4159-98C8-CF85884187D5}.dat

2008-12-26 21:53 . 2008-12-26 21:53 32 --sha-w- c:\windows\{38096ED9-4C64-40F8-8198-4515568B6CA4}.dat

2008-12-26 21:53 . 2008-12-26 21:53 32 --sha-w- c:\windows\{7C73F17E-FF2E-4AC6-8D0D-BA55403E558E}.dat

2008-12-26 21:54 . 2008-12-26 21:54 32 --sha-w- c:\windows\{B151CA0D-0CCC-4E9D-86EE-AFF4C902462F}.dat

2008-12-26 21:55 . 2008-12-26 21:55 32 --sha-w- c:\windows\{C881981A-FCA6-42A6-8CCA-6B1D8AC8BF9A}.dat

2008-12-26 21:53 . 2008-12-26 21:53 32 --sha-w- c:\windows\{E852F6C7-0B8F-479F-BFE3-383D501AF3E9}.dat

2009-07-08 17:37 . 2009-07-08 17:37 27136 --sha-w- c:\windows\system32\jeyanoyu.dll

2009-07-08 17:37 . 2009-07-08 17:37 1011437 --sha-w- c:\windows\system32\sofigeda.exe

2008-12-26 21:55 . 2008-12-26 21:55 32 --sha-w- c:\windows\system32\{353E46A0-B1DC-4952-A318-D91F23E8717F}.dat

2008-12-26 21:54 . 2008-12-26 21:54 32 --sha-w- c:\windows\system32\{7115A433-7E44-41AB-80FD-9737CB764223}.dat

2008-12-26 21:54 . 2008-12-26 21:54 32 --sha-w- c:\windows\system32\{A35C3B82-9280-4E38-8363-FEB15AEA6A85}.dat

2008-12-26 21:53 . 2008-12-26 21:53 32 --sha-w- c:\windows\system32\{A912BAE6-460A-487D-A419-CB6F41681ECA}.dat

2008-12-26 21:53 . 2008-12-26 21:53 32 --sha-w- c:\windows\system32\{AAC77418-A2B1-4EBD-98F4-264BC93B7F82}.dat

2008-12-26 21:53 . 2008-12-26 21:53 32 --sha-w- c:\windows\system32\{BA367961-C1F1-41C9-B7CA-7E4FE10E6983}.dat

2008-12-26 21:51 . 2008-12-26 21:51 32 --sha-w- c:\windows\system32\{EF7989FB-5D34-45D9-9878-881877D378FC}.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-20 50880]

"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-20 34504]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-12 148888]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

"washindex"="c:\program files\Washer\washidx.exe" [2001-04-02 64512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-03 19:56 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Background Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Background Monitor.lnk

backup=c:\windows\pss\EPSON Background Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"UPS"=3 (0x3)

"mnmsrvc"=3 (0x3)

"WZCSVC"=2 (0x2)

"Themes"=2 (0x2)

"GhostStartService"=2 (0x2)

"Schedule"=2 (0x2)

"wscsvc"=2 (0x2)

"ERSvc"=2 (0x2)

"SENS"=2 (0x2)

"iPod Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 GhPciScan;GhostPciScanner;c:\program files\Norton SystemWorks\Norton Ghost\GhPciScan.sys [8/14/2002 4:11 PM 5632]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/4/2008 2:50 PM 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 2:50 PM 55024]

R2 NProtectService;Norton Unerase Protection;c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [12/26/2008 5:53 PM 135168]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 2:50 PM 7408]

.

Contents of the 'Scheduled Tasks' folder

2008-12-26 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job

- c:\progra~1\NORTON~1\NORTON~1\NAVW32.exe [2002-08-20 03:24]

2008-12-26 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job

- c:\program files\Norton SystemWorks\OBC.exe [2002-08-30 02:30]

2008-12-26 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2008-12-26 14:04]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-didiyapik - c:\windows\system32\gebuhobo.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-13 13:36

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-1214440339-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

@DACL=(02 0000)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(804)

c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3260)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Acronis\Schedule2\schedul2.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Norton SystemWorks\Norton AntiVirus\Navapsvc.exe

c:\windows\system32\nvsvc32.exe

c:\progra~1\NORTON~1\SPEEDD~1\NOPDB.EXE

c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\wscntfy.exe

c:\program files\Messenger\msmsgs.exe

.

**************************************************************************

.

Completion time: 2009-10-13 13:40 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-13 17:39

Pre-Run: 38,533,447,680 bytes free

Post-Run: 38,467,825,664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

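The Find3M section of the ComboFix log Ron posted lists two files under system32 that carry the hidden and system attributes (`--sha-w-`, against the ordinary `----a-w-`) and random-looking eight-letter names, jeyanoyu.dll and sofigeda.exe, and the ORPHANS REMOVED section shows a Run-key value pointing at gebuhobo.dll, the module named in the startup error from the first post. The Python script below is an added example for this thread, not part of ComboFix, Malwarebytes or anything the posters ran: it parses lines in that ComboFix format and pulls out exactly those kinds of entries for a helper to review. The sample log embedded in it is constructed from lines of the post above; reading the letters `s` and `h` in the attribute column as system and hidden, and the eight-letter-name heuristic, are my assumptions and are marked as such in the comments.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on lines from the ComboFix log in this thread
# (same line format; a handful of its entries plus the ORPHANS REMOVED line).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.
2009-12-26 04:43 . 2009-12-26 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-05 09:01 . 2003-03-31 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-08 17:37 . 2009-07-08 17:37 27136 --sha-w- c:\windows\system32\jeyanoyu.dll
2009-07-08 17:37 . 2009-07-08 17:37 1011437 --sha-w- c:\windows\system32\sofigeda.exe
2008-12-26 21:55 . 2008-12-26 21:55 32 --sha-w- c:\windows\system32\{353E46A0-B1DC-4952-A318-D91F23E8717F}.dat
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-didiyapik - c:\windows\system32\gebuhobo.dll
"""

# One file line of a ComboFix "Files Created" / "Find3M Report" section:
#   <modified> . <created> <size or --------> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Line of the ORPHANS REMOVED section: a Run-key value and the file it pointed at.
ORPHAN_RE = re.compile(r"^HKLM-Run-(?P<value>\S+) - (?P<path>.+)$")

# Assumed heuristic: a generated name of eight lowercase letters with a
# .dll/.exe extension, like the three names in this thread.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(dll|exe)$")


@dataclass
class Entry:
    modified: str
    created: str
    size: Optional[int]   # None for directories (size column is "--------")
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def hidden_system(self) -> bool:
        # Assumption: in ComboFix's attribute column "s" and "h" mark the
        # system and hidden attributes, e.g. "--sha-w-" versus "----a-w-".
        return "s" in self.attrs and "h" in self.attrs


def parse_entries(log_text: str) -> List[Entry]:
    """Return every file/directory line of the log; skip headers and dots."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["modified"], m["created"], size, m["attrs"], m["path"]))
    return entries


def suspicious_entries(entries: List[Entry]) -> List[Entry]:
    """Hidden+system files under system32 whose name looks generated.
    Both conditions are required: the name test alone is noisy."""
    return [
        e for e in entries
        if e.hidden_system
        and "\\system32\\" in e.path.lower()
        and RANDOM_NAME_RE.match(e.name.lower())
    ]


def orphan_autostarts(log_text: str) -> List[Tuple[str, str]]:
    """Run-key values listed under ORPHANS REMOVED, i.e. autostart entries
    whose target file was not found (cf. the startup error in the first post)."""
    found = []
    for line in log_text.splitlines():
        m = ORPHAN_RE.match(line.strip())
        if m:
            found.append((m["value"], m["path"]))
    return found


def report(log_text: str) -> List[str]:
    """Human-readable triage lines for a helper, not a verdict."""
    lines = []
    for e in suspicious_entries(parse_entries(log_text)):
        lines.append(f"hidden+system, generated name: {e.path} ({e.size} bytes, created {e.created})")
    for value, path in orphan_autostarts(log_text):
        lines.append(f"orphaned Run entry '{value}' -> {path}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the sample, the report names jeyanoyu.dll and sofigeda.exe and the orphaned `didiyapik` Run entry. Note why the attribute check matters: mswebdvd.dll in the same section is also an eight-letter name, but it has ordinary attributes and a 2003 timestamp and is left alone, and the 32-byte GUID-named `.dat` is hidden+system but does not match the name pattern, so it is reported nowhere. The output is a list for a helper to look at, which is how the log is used in this thread anyway.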

-------------------------------------------------

Hi, This is the HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:27:55 PM, on 10/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Ronald Wroblewski"

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1229148405203

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {656FAD09-4DE3-4C34-9600-0928C855FD7A} (AxTaskList Class) - http://moneycentral.msn.com/cabs/pmupd806.exe

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=29223

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--

End of file - 7561 bytes


  • Staff

Hi,

Try reinstalling MBAM now.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


-----------------------------------------------------------

Hi Chris,

I deleted the non-functional Malwarebytes program, and the newly downloaded one was installed successfully and its files were updated. Following the instructions, I was not sure when I should run this program, so I didn't, and moved on to the next steps and ran the F-Secure scanning program and then the Security Check program. Results are posted below. A couple of minor problems I bumped into that may help in diagnosis are that Windows cannot now open my stored PDF files, and resetting my monitor to turn off in 10 minutes does not work (the monitor stays on) anymore.

Thank you for your continued help.

Ron

Scanning Report

Thursday, October 15, 2009 00:40:44 - 01:23:54

Computer name: P4

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

--------------------------------------------------------------------------------

24 malware found

TrackingCookie.Questionmarket (spyware)

System (Disinfected)

TrackingCookie.2o7 (spyware)

System (Disinfected)

TrackingCookie.Advertising (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

Trojan.Vundo.GPR (spyware)

System (Disinfected)

Joke.Winshoot.A (spyware)

System (Disinfected)

Joke.Stupid.A (spyware)

System (Disinfected)

TrackingCookie.Webtrends (spyware)

System (Disinfected)

TrackingCookie.Mediaplex (spyware)

System (Disinfected)

Joke.Geschenk (spyware)

System (Disinfected)

TrackingCookie.Statcounter (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

TrackingCookie.Imrworldwide (spyware)

System (Disinfected)

Trojan.Vundo.GPR (virus)

C:\WINDOWS\SYSTEM32\JEYANOYU.DLL (Not cleaned)

Joke.Stupid.A (virus)

C:\DOCUMENTS AND SETTINGS\RONALD WROBLEWSKI\DESKTOP\DOWN LOAD FILES\ATT1.EXE (Not cleaned)

Joke.Geschenk (virus)

C:\DOCUMENTS AND SETTINGS\RONALD WROBLEWSKI\DESKTOP\DOWN LOAD FILES\COKEGIFT.EXE (Not cleaned)

Joke.Winshoot.A (virus)

C:\DOCUMENTS AND SETTINGS\RONALD WROBLEWSKI\DESKTOP\DOWN LOAD FILES\GUN.EXE (Not cleaned)

Joke.Stupid.A (virus)

C:\BACKUP DRIVE\WINDOWS\DESKTOP\DOWN LOAD FILES\ATT1.EXE (Renamed & Submitted)

Joke.Geschenk (virus)

C:\BACKUP DRIVE\WINDOWS\DESKTOP\DOWN LOAD FILES\COKEGIFT.EXE (Renamed & Submitted)

Joke.Winshoot.A (virus)

C:\BACKUP DRIVE\WINDOWS\DESKTOP\DOWN LOAD FILES\GUN.EXE (Renamed & Submitted)

Joke.Stupen.B (virus)

C:\BACKUP DRIVE\WINDOWS\DESKTOP\DOWN LOAD FILES\SHORTYRUMOR.EXE (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 68216

System: 5006

Not scanned: 7

Actions:

Disinfected: 16

Renamed: 4

Deleted: 0

Not cleaned: 4

Submitted: 4

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

Results of screen317's Security Check version 0.99.0

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

WMIC entry does not exist for antivirus; attempting automatic update.

``````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Spybot - Search & Destroy

SUPERAntiSpyware Free Edition

HijackThis 2.0.2

Java 6 Update 13

Out of date Java installed!

Adobe Flash Player 10

``````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

Norton SystemWorks Norton AntiVirus navapsvc.exe

``````````````````````````````

DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

`````````End of Log```````````

--------------------------------------------------------------------------------


  • Staff

Hi,

Please go to VirusTotal, and upload the following files for analysis:

C:\WINDOWS\SYSTEM32\JEYANOYU.DLL

C:\DOCUMENTS AND SETTINGS\RONALD WROBLEWSKI\DESKTOP\DOWN LOAD FILES\ATT1.EXE

C:\DOCUMENTS AND SETTINGS\RONALD WROBLEWSKI\DESKTOP\DOWN LOAD FILES\COKEGIFT.EXE

C:\DOCUMENTS AND SETTINGS\RONALD WROBLEWSKI\DESKTOP\DOWN LOAD FILES\GUN.EXE

Next, please go to this website, and complete the form as follows:

Link to topic where this file was requested: http://www.malwarebytes.org/forums/index.php?showtopic=27430

Browse to the file you want to submit:

Click Browse, and navigate to the following file:

C:\WINDOWS\SYSTEM32\JEYANOYU.DLL

Leave any comments, further information about this file, or contact information: From screen317

Repeat with these files:

C:\DOCUMENTS AND SETTINGS\RONALD WROBLEWSKI\DESKTOP\DOWN LOAD FILES\ATT1.EXE

C:\DOCUMENTS AND SETTINGS\RONALD WROBLEWSKI\DESKTOP\DOWN LOAD FILES\COKEGIFT.EXE

C:\DOCUMENTS AND SETTINGS\RONALD WROBLEWSKI\DESKTOP\DOWN LOAD FILES\GUN.EXE

Post the results in your reply.

After that, update MBAM, run a Quick Scan, and post its log.

-screen317


---------------------------------------------------------------------

Hi Chris,

I went to the two linked websites in your last reply and followed the instructions, browsing for the 4 specified files at each one, and they were nowhere to be found.

I tried the Windows search, including hidden files, for the same files and received "search is complete, no results to display".

Two of these files I remember as being simple "games".

The cokegift.exe opened with a box to receive your Coca-Cola gift. Clicking on it merely opened up the CD-ROM drive bay door.

The gun.exe, when opened, allowed clicking of your mouse to put fake bullet holes upon your screen with the sound of a pistol shot.

Both were installed at least 5 years ago and are now missing.

I just updated MBAM and did a quick scan. Results are below.

--------------------------------------------

Malwarebytes' Anti-Malware 1.41

Database version: 2982

Windows 5.1.2600 Service Pack 3

10/18/2009 10:15:31 PM

mbam-log-2009-10-18 (22-15-18).txt

Scan type: Quick Scan

Objects scanned: 91643

Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\sofigeda.exe (Trojan.Dropper) -> No action taken.

----------------------------------------------

Thank you for your help,

Ron

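As an added triage helper (not code from this thread, from Malwarebytes or from F-Secure), the following Python pulls out of the two logs Ron posted above, the F-Secure report and the MBAM quick-scan log, the findings the scanners reported but left in place, which is the same set screen317 asked to have submitted for analysis. The sample inputs are constructed excerpts modelled on those logs, and the parser assumes the line shapes seen there (F-Secure's detection kind in lowercase, its status capitalised).

```python
"""Added triage helper (not code from this thread, Malwarebytes or F-Secure).
F-Secure lists each detection as a name line ("Trojan.Vundo.GPR (virus)") followed
by a location line ("C:\\...\\JEYANOYU.DLL (Not cleaned)"); Malwarebytes logs one
line per object ("<path> (<name>) -> <action>."). Pending = left in place."""
import re
from dataclasses import dataclass
from typing import List

# Assumption from the posted logs: F-Secure's detection kind is lowercase
# ("spyware", "virus") while its status is capitalised ("Disinfected",
# "Not cleaned"), which is how the two line shapes are told apart.
FS_NAME = re.compile(r"^(?P<name>\S+) \((?P<kind>[a-z]+)\)$")
FS_ITEM = re.compile(r"^(?P<where>.+?) \((?P<status>[^()]+)\)$")
MB_ITEM = re.compile(r"^(?P<where>.+?) \((?P<name>[^()]+)\) -> (?P<status>.+?)\.?$")

PENDING_STATUSES = {"not cleaned", "no action taken"}


@dataclass(frozen=True)
class Finding:
    scanner: str
    name: str
    where: str      # "System" for memory/cookie hits, otherwise a file path
    status: str

    @property
    def pending(self) -> bool:
        return self.status.lower() in PENDING_STATUSES


def parse_fsecure(report: str) -> List[Finding]:
    """Pair each F-Secure name line with the location line that follows it."""
    findings, name = [], None
    for line in (ln.strip() for ln in report.splitlines()):
        if not line:
            continue
        m = FS_NAME.match(line)
        if m:                                   # a detection name opens a pair
            name = m.group("name")
            continue
        m = FS_ITEM.match(line)
        if m and name:                          # its location and what was done
            findings.append(Finding("f-secure", name, m.group("where"), m.group("status")))
        name = None                             # anything else ends the pair
    return findings


def parse_mbam(log: str) -> List[Finding]:
    """Collect the per-object lines of a Malwarebytes scan log."""
    out = []
    for line in log.splitlines():
        m = MB_ITEM.match(line.strip())
        if m:
            out.append(Finding("mbam", m.group("name"), m.group("where"), m.group("status")))
    return out


def pending(findings: List[Finding]) -> List[Finding]:
    """The findings a scanner reported but did not remove."""
    return [f for f in findings if f.pending]


# Constructed excerpts modelled on the two logs posted in this thread.
FSECURE_SAMPLE = """\
24 malware found
TrackingCookie.Doubleclick (spyware)
System (Disinfected)
Trojan.Vundo.GPR (virus)
C:\\WINDOWS\\SYSTEM32\\JEYANOYU.DLL (Not cleaned)
Joke.Stupid.A (virus)
C:\\BACKUP DRIVE\\WINDOWS\\DESKTOP\\DOWN LOAD FILES\\ATT1.EXE (Renamed & Submitted)
Statistics
"""
MBAM_SAMPLE = "C:\\WINDOWS\\system32\\sofigeda.exe (Trojan.Dropper) -> No action taken.\n"
```

Running `pending(parse_fsecure(FSECURE_SAMPLE) + parse_mbam(MBAM_SAMPLE))` on the samples yields the two left-in-place files, JEYANOYU.DLL and sofigeda.exe.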

  • Staff

Hi,

Thanks for letting me know.

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Java



In the meantime, see if you can open PDF files with Sumatra:

http://blog.kowalczyk.info/software/sumatrapdf/index.html

Let me know if it works while I look into the Adobe error.

-screen317

-------------------------------------------------------

Hi Chris,

The Sumatra PDF program installed and is working fine.

Running the Adobe Installer from my desktop, the Adobe Reader gives the same "Verify sufficient access to that key" warning and "could not complete install".

Going to Adobe for the 1402 problem at http://kb2.adobe.com/cps/329/329137.html, they offer a solution.

At the very end is this statement.

The 1402 Windows Installer error occurs when the Windows Installer is unable to read a particular registry key. Installation may fail because the Acrobat installer attempts to clean up registry keys of previous versions of Acrobat to avoid conflicts with Acrobat plug-ins and add-ins for third-party software. Error 1406 occurs when the installer cannot successfully write a registry key essential for installation.

The steps in brief:

Solution 1: Remove all previous versions of Acrobat, and then reinstall.

Solution 2: Set permissions to their defaults in the registry.

3: ??

Solution 4: Remove spyware.

Solution 5: Check your system for viruses.

Solution 6: Disable Webroot Spy Sweeper.

I have to add this question. Under "Add-Remove programs" I deleted all Adobe Readers.

Looking in "Program Files\Adobe" there is an "Acrobat 7.0" file and an "Acrobat 7.0" folder.

They both contain files and folders. Are they the problem?

Are these Readers that should be deleted directly from "Program Files\Adobe"?

Do you feel that we have the virus attacks and repairs concluded, that this downloading of Adobe Reader is an Adobe problem, and that this would be the proper way to proceed?

Ron


-----------------------------------------------------------

Hi Chris,

I looked at Adobe's Fix for error 1402 (Step 2: Set permissions to their defaults in the registry).

Although their instructions seem well documented, I can't follow them well enough to complete them.

All the previous Adobe versions just downloaded to the computer fine.

If their "Solution" is what is needed to install Adobe Reader 9.x, I guess I'll be doing without it.

If you don't have an easier way, I guess Sumatra will be my Reader.

After getting slammed with a batch of Vundo, Rogue Agent, etc. by clicking one Google link, with Windows Firewall and Norton AV doing nothing to prevent it or even telling me it was downloaded, what do I need running to protect my computer? Maybe the paid version of Malwarebytes? Another firewall program? Is there a Forum Topic that covers this?

Thank you for all your assistance.

Ron


  • Staff

Hi,

Yes, the infections have been cleared and it appears as though only the Adobe issue remains. I have stopped using Adobe in the past due to problems like these, and Sumatra has served me well. ;)

You can take this up with Adobe if you'd like.

I would recommend uninstalling Norton and following these recommendations (I would highly recommend the paid version of MBAM, since it has realtime protection):

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Kerio

Comodo

Outpost

2) It is imperative that you have an antivirus. You are basically asking for infection without one. :blink:

All of the following are excellent free antiviruses. Be sure to only install one.

AVG

AntiVir

avast!

3) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

4) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

5) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

6) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

7) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an add-on available for both Firefox and IE.

8) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


----------------------------------------------

Hi Chris,

This experience with the virus attack I had will be remembered.

More so, my great experience of this forum.

Your time and effort with me to get the MBAM program to work again, and your guidance in removing the problems from my computer, are very much appreciated.

I will now follow all of your recommended advice to avoid an infection in the future.

Thank you very much for all your help.

Ron
