
Mbam.exe deleted and cant run HJT


Hello,

Yesterday I discovered that I was getting random popups about every 5 minutes when on the net. It turned off my automatic updates and I can't turn them back on and when I open up control panel it opens a pop up for a product called "registry defender." I had MB but it deleted the exe and I can download but not run HJT. Any help would be greatly appreciated. Thanks.


  • Staff

Hi,

To run malwarebytes when you get the error code 2 during install, or mbam.exe gets deleted, please see here:

http://www.malwarebytes.org/forums/index.php?showtopic=29028

Once malwarebytes opens, click the "Update" tab, click "Check for Updates" in order to download the updates.

Then run the scan, let mbam quarantine/delete what it found and reboot afterwards.

After reboot, post the malwarebytes log together with a new HijackThis log.


  • Staff

Hi,

It looks like you're dealing with the infection that replaces some Windows related files with their own version.

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


  • Staff

Hi,

1) Please download this file

2) Place fr33.exe next to the exe file that doesn't want to run (ComboFix in this case)

3) Drag the exe file onto fr33.exe. That shall free/unlock it.

Example of how to do this (this is an example with the Malwarebytes exe file, mbam.exe):

Fr33_mbam.gif

Let me know if ComboFix works then. If so, post the ComboFix log in your next reply.


I was waiting for your reply and messing around with ComboFix. I finally right clicked on it, went to Properties and was able to unblock it and then run it, so here's the log:

ComboFix 09-10-26.06 - Paul 10/27/2009 17:05.2.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.726 [GMT -7:00]

Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\system32\besehevi.dll

c:\windows\system32\bisomasu.dll

c:\windows\system32\putabami.dll

c:\windows\system32\sikafemu.exe

c:\windows\system32\vebikosi.dll

----- BITS: Possible infected sites -----

hxxp://82.98.231.100

hxxp://81.222.236.97

Infected copy of c:\windows\SYSTEM32\DRIVERS\vaxscsi.sys was found and disinfected

Restored copy from - Kitty ate it :)

.

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))

.

2009-10-27 23:54 . 2009-10-27 23:54 -------- d--h--w- c:\windows\PIF

2009-10-26 02:23 . 2009-10-26 02:23 95259 ----a-w- c:\windows\system32\drivers\klick.dat

2009-10-26 02:23 . 2009-10-26 02:23 108059 ----a-w- c:\windows\system32\drivers\klin.dat

2009-10-26 02:22 . 2009-10-28 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-10-26 02:22 . 2009-10-26 02:22 -------- d-----w- c:\program files\Kaspersky Lab

2009-10-26 01:37 . 2009-10-26 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-10-26 01:35 . 2009-10-01 17:29 195440 ------w- c:\windows\system32\MpSigStub.exe

2009-10-26 01:33 . 2009-10-26 01:36 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-10-21 03:34 . 2009-10-21 03:34 219664 ----a-w- c:\windows\system32\klogon.dll

2009-10-15 04:18 . 2009-10-15 04:18 36880 ----a-w- c:\windows\system32\drivers\klbg.sys

2009-10-13 02:31 . 2009-10-13 02:31 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Blizzard Entertainment

2009-10-03 02:39 . 2009-10-03 02:39 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys

2009-09-30 01:34 . 2009-09-30 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-09-30 01:29 . 2009-09-30 01:31 -------- d-----w- c:\program files\QuickTime

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-27 23:47 . 2008-01-26 04:32 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 2

2009-10-27 23:41 . 2005-07-03 02:16 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-10-27 04:08 . 2005-01-20 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-10-27 02:29 . 2009-08-07 01:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-26 01:40 . 2009-03-02 06:07 -------- d-----w- c:\program files\AVG

2009-10-18 19:17 . 2009-08-28 23:25 -------- d-----w- c:\program files\World of Warcraft

2009-10-10 20:43 . 2007-07-01 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-09-30 04:39 . 2005-08-18 16:56 -------- d-----w- c:\documents and settings\Paul\Application Data\Apple Computer

2009-09-30 01:35 . 2007-03-21 00:43 -------- d-----w- c:\program files\iTunes

2009-09-30 01:34 . 2005-10-06 03:37 -------- d-----w- c:\program files\iPod

2009-09-30 01:34 . 2007-07-01 17:29 -------- d-----w- c:\program files\Common Files\Apple

2009-09-26 06:12 . 2009-09-26 06:12 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf

2009-09-26 06:12 . 2009-09-26 06:12 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf

2009-09-26 06:10 . 2009-09-26 06:10 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf

2009-09-26 06:06 . 2009-09-26 06:06 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf

2009-09-26 06:06 . 2009-09-26 06:06 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf

2009-09-14 21:42 . 2009-09-14 21:42 32272 ----a-w- c:\windows\system32\drivers\klim5.sys

2009-09-11 14:18 . 2009-01-27 19:05 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-10 21:54 . 2009-08-07 01:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 21:53 . 2009-08-07 01:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-10 02:01 . 2009-09-10 02:01 27675 ----a-w- c:\windows\system32\drivers\klopp.dat

2009-09-05 17:27 . 2006-08-21 00:58 -------- d-----w- c:\documents and settings\Paul\Application Data\FrostWire

2009-09-04 21:03 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-01 22:29 . 2009-09-01 22:29 128016 ----a-w- c:\windows\system32\drivers\kl1.sys

2009-08-29 07:36 . 2004-02-07 01:05 832512 ------w- c:\windows\system32\wininet.dll

2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-08-29 07:36 . 2002-08-29 10:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-08-29 05:34 . 2009-08-29 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

2009-08-29 02:42 . 2008-09-10 04:15 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-08-29 02:42 . 2008-01-26 06:44 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-08-29 00:24 . 2009-08-29 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard

2009-08-29 00:23 . 2009-08-28 23:34 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-08-26 08:00 . 2002-08-29 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-21 16:55 . 2003-11-29 03:43 67240 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-17 19:37 . 2009-08-17 19:37 1837296 ----a-w- c:\windows\system32\WUDFUpdate_01009.dll

2009-08-17 19:37 . 2009-08-17 19:37 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll

2009-08-11 04:30 . 2009-05-01 19:46 83419 ----a-w- c:\windows\War3Unin.dat

2009-08-07 02:24 . 2004-08-13 16:49 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-07 02:24 . 2004-08-13 16:49 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-07 02:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-07 02:24 . 2004-08-13 16:49 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-07 02:24 . 2002-08-29 10:00 53472 ------w- c:\windows\system32\wuauclt.exe

2009-08-07 02:24 . 2002-08-29 10:00 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-07 02:23 . 2004-08-13 16:49 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-07 02:23 . 2002-08-29 10:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-05 09:01 . 2003-10-09 00:38 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-05 03:44 . 2009-01-27 19:05 2189184 ------w- c:\windows\system32\ntoskrnl.exe

2009-08-04 14:20 . 2009-01-27 19:05 2066048 ------w- c:\windows\system32\ntkrnlpa.exe

2009-07-31 17:33 . 2009-07-31 17:33 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll

2003-11-04 17:52 . 2003-11-04 17:52 86084 ------w- c:\program files\PyWinTypes23.dll

2003-11-04 17:52 . 2003-11-04 17:52 32829 ------w- c:\program files\win32process.pyd

2003-10-24 21:57 . 2003-10-24 21:57 61528 ------w- c:\program files\win32api.pyd

2003-10-03 04:03 . 2003-10-03 04:03 57400 ------w- c:\program files\_sre.pyd

2003-10-03 04:02 . 2003-10-03 04:02 974908 ------w- c:\program files\python23.dll

2005-09-16 01:26 . 2005-07-26 03:52 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]

"Google Update"="c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-21 340456]

"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2008-05-16 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-11-26 110592]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"AceGain LiveUpdate"=c:\program files\AceGain\LiveUpdate\LiveUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=

"c:\\Program Files\\Valve\\Steam\\Steam.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\pbii\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Alias\\Maya6.0\\bin\\maya.exe"=

"c:\\Program Files\\Alias\\Maya6.0\\bin\\mayabatch.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\pbii\\half-life 2\\hl2.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\pbii\\half-life 2 deathmatch\\hl2.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\pbii\\day of defeat source\\hl2.exe"=

"c:\\Program Files\\Java\\jre1.5.0_08\\bin\\javaw.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\pbii\\source sdk base\\hl2.exe"=

"c:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=

"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\pbii\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Mozilla Firefox 3 Beta 2\\firefox.exe"=

"c:\\Documents and Settings\\Paul\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\Documents and Settings\\Paul\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\Directcd.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\SYSTEM32\DRIVERS\klbg.sys [10/14/2009 9:18 PM 36880]

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2/10/2003 2:52 AM 114688]

R2 AsfAlrt;AsfAlrt;c:\windows\SYSTEM32\DRIVERS\Asfalrt.sys [12/18/2002 2:31 AM 36064]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/7/2007 9:41 PM 24652]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\SYSTEM32\DRIVERS\klim5.sys [9/14/2009 2:42 PM 32272]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\SYSTEM32\DRIVERS\klmouflt.sys [10/2/2009 7:39 PM 19472]

S2 aliasdocserver;Alias Documentation Server;c:\program files\Alias\Maya6.0\docs\Wrapper.exe [2/26/2005 7:32 PM 110592]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2009-10-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3418009867-2576406779-322095304-1008Core.job

- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 03:40]

2009-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3418009867-2576406779-322095304-1008UA.job

- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 03:40]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\ehc01ur9.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=

FF - plugin: c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox 3 Beta 2\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\Mozilla Firefox 3 Beta 2\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

BHO-{263b9719-d20f-481c-afbf-a424c5d4bf7b} - rumepopo.dll

HKLM-Run-pugohewah - c:\windows\system32\tifakapu.dll

SharedTaskScheduler-{7e5351b6-9c86-4752-8091-556d61e730af} - c:\windows\system32\tifakapu.dll

SSODL-dorimosej-{7e5351b6-9c86-4752-8091-556d61e730af} - c:\windows\system32\tifakapu.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-27 17:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1504)

c:\windows\system32\WININET.dll

c:\windows\system32\nview.dll

c:\program files\Windows Media Player\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\windows\IME\SPGRMR.DLL

c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\System32\CTsvcCDA.exe

c:\program files\Dell\OpenManage\Client\Iap.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\System32\MsPMSPSv.exe

c:\combofix\CF12464.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\combofix\PEV.cfxxe

.

**************************************************************************

.

Completion time: 2009-10-28 17:22 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-28 00:22

ComboFix2.txt 2009-10-26 01:19

Pre-Run: 23,757,987,840 bytes free

Post-Run: 23,791,181,824 bytes free

- - End Of File - - D9E8649ADAECCA8E3F8BC3C64DF0E96D
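The log above carries the indicators the staff member read to call the machine clean: the randomly named 8-letter DLL/EXE files ComboFix deleted from system32 (besehevi.dll, sikafemu.exe, tifakapu.dll and so on), the three Security Center Monitoring keys with DisableMonitoring set to 1, and the two hosts under "BITS: Possible infected sites". As an added example (not ComboFix's code and not anything posted in the thread), here is a small Python triage script that pulls those three indicator types out of a ComboFix-style log. The sample text is constructed from excerpts of the log above, with two negative controls added for contrast (a legitimately named Kaspersky DLL, and a McAfeeFirewall key with the value set to 0); the consonant/vowel name heuristic and all function names are this example's own.

```python
"""Triage helper for a ComboFix-style log (added example, not ComboFix code).

It flags three indicator types visible in the posted log:
  1. 8-letter consonant/vowel file names under system32 (besehevi.dll,
     sikafemu.exe, tifakapu.dll ...), a Vundo-style naming pattern,
  2. Security Center keys with DisableMonitoring set to 1, which silence
     the "antivirus/firewall not running" warnings,
  3. hosts listed under "BITS: Possible infected sites" (kept defanged).
The name heuristic and the function names are this example's own.
"""
import re

# Constructed sample: excerpts of the posted log plus two negative controls
# (a legitimately named Kaspersky DLL and a McAfeeFirewall key set to 0).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\windows\system32\besehevi.dll
c:\windows\system32\sikafemu.exe
----- BITS: Possible infected sites -----
hxxp://82.98.231.100
hxxp://81.222.236.97
Infected copy of c:\windows\SYSTEM32\DRIVERS\vaxscsi.sys was found and disinfected
.
2009-10-21 03:34 . 2009-10-21 03:34 219664 ----a-w- c:\windows\system32\klogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
- - - - ORPHANS REMOVED - - - -
HKLM-Run-pugohewah - c:\windows\system32\tifakapu.dll
"""

# system32\<name>.<dll|exe> the way ComboFix prints it (lower-case path)
SYSTEM32_FILE = re.compile(r"c:\\windows\\system32\\([a-z]+)\.(dll|exe)\b")
# exactly four consonant-vowel pairs, e.g. "besehevi"; legitimate names such
# as "ieencode" or "ntoskrnl" do not fit this shape
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
MONITOR_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center"
    r"\\Monitoring\\([^\]]+)\]$",
    re.IGNORECASE,
)
DISABLE_ON = re.compile(r'^"DisableMonitoring"=dword:0*1$')


def random_named_system32_files(log: str) -> list[str]:
    """Return system32 DLL/EXE names matching the consonant/vowel heuristic."""
    hits = set()
    for m in SYSTEM32_FILE.finditer(log):
        name, ext = m.group(1), m.group(2)
        if CV_NAME.match(name):
            hits.add(f"{name}.{ext}")
    return sorted(hits)


def disabled_security_monitoring(log: str) -> list[str]:
    """Return products whose Security Center monitoring key is set to 1."""
    products, current = [], None
    for raw in log.splitlines():
        line = raw.strip()
        m = MONITOR_KEY.match(line)
        if m:
            current = m.group(1)          # entering a Monitoring\<product> key
        elif line.startswith("["):
            current = None                # any other key ends the block
        elif current and DISABLE_ON.match(line):
            products.append(current)
    return products


def bits_sites(log: str) -> list[str]:
    """Return the defanged hosts listed under the BITS section, if present."""
    sites, collecting = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("----- BITS: Possible infected sites"):
            collecting = True
        elif collecting and line.startswith("hxxp://"):
            sites.append(line)
        elif collecting and line:
            break                          # first non-host line ends the list
    return sites


def triage(log: str) -> dict[str, list[str]]:
    """Bundle the three checks into one report."""
    return {
        "random_named_files": random_named_system32_files(log),
        "monitoring_disabled_for": disabled_security_monitoring(log),
        "bits_sites": bits_sites(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full posted log, the script would list the five deleted system32 files plus rumepopo.dll and tifakapu.dll from the orphan entries, all three Monitoring products, and both BITS hosts. The name check is only a heuristic for this family's style; hits still need confirming against a known-good file catalogue before anything is acted on.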


  • Staff

Hi,

This looks OK again.

There may be some other programs that still don't want to run, so in that case you have to unlock them as you did before with ComboFix, or use fr33.exe.

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between ComboFix and /.

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

I see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without users' approval but doesn't spy or do anything "bad". This will change, from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Let me know in your next reply how things are now.


I did as you instructed and ran ComboFix /Uninstall and deleted Viewpoint, and it seems to be OK. I then ran MB, which found and deleted about 5 things I believe were Vundo related. I ran it again and it found zero. I have no more popups and my automatic updates stay on, so I guess I'm in the clear. I hope that's it. Thank you so very much for your time and help; I greatly appreciate it. :)


  • Staff

Vundo and Virtumundo are the same. :)

Good to hear everything is OK again. Glad I could help. :)

Please read my Prevention page, with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
