Malwarebytes won't run, tried all fixes, please help!


I can't get Malwarebytes to run, and I've tried all the recommended fixes (renaming, changing extensions, starting in Safe Mode, downloading and running Avira). AVG and Avira both identify the trojans, but neither can get rid of them. I downloaded HijackThis, ran the system scan and saved it to a log file. I am posting it here, as advised, but I couldn't post the Malwarebytes scan log, because I can't run it. Your help is appreciated! Please let me know if there is something else I need to post:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:26:52 AM, on 11/8/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Wave Systems Corp\Common\DataServer.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\Aware.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\Marker.exe

C:\Program Files\Opera\opera.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070305

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070305

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R3 - URLSearchHook: Yahoo!


Hi and Welcome to the Malwarebytes' forum.

First, go to the Control Panel -> Add/Remove Programs and remove anything to do with My Web Search!

I need to see the log report of the threat detections Avira finds but cannot successfully remove - That is very important information.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Launch HijackThis (HJT) by double-clicking the desktop shortcut and choose the Scan Only option. Close all programs except HJT and all browser windows, then check the following items for removal and click on "Fix Checked":

O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF

O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [fezegekim] Rundll32.exe "c:\windows\system32\fukupari.dll",a

O20 - AppInit_DLLs: cru629.dat c:\windows\system32\fudosegi.dll gakujode.dll c:\windows\system32\fukupari.dll

O21 - SSODL: mokihepej - {c0b19538-6e92-433e-bf21-28a4b739914f} - c:\windows\system32\fudosegi.dll (file missing)

O21 - SSODL: suyivisij - {3c6843f5-b3b9-47b1-b8ce-4f406f05583b} - c:\windows\system32\fukupari.dll

O22 - SharedTaskScheduler: jugezatag - {c0b19538-6e92-433e-bf21-28a4b739914f} - c:\windows\system32\fudosegi.dll (file missing)

O22 - SharedTaskScheduler: kupuhivus - {3c6843f5-b3b9-47b1-b8ce-4f406f05583b} - c:\windows\system32\fukupari.dll

O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)

Close HJT.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • After the automatic "quick" scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.
  • Re-enable your antivirus and any antimalware programs you disabled before running the scan

Note: If you have trouble completing a full Rootkit/Malware scan with the ARK program then just copy/paste the "Quick scan" results into your reply. Often that alone provides enough information.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as fixit.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
  • For Firefox:
    • Open Firefox and click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • When downloading, choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post back ARKQ.txt, ARK.txt (if complete scan was run), and C:\Combofix.txt

Also post log report of the threat detections Avira found, and a new HJT log.

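The helper's "Fix Checked" list above is built by reading the O4, O20, O21, O22 and O23 lines of the HijackThis log and picking out the entries that look wrong. The following script is an added example, not part of this thread or of HijackThis, that mechanises that first-pass review: it parses the R/O lines of an HJT log into records, pulls the AppInit_DLLs list out of the O20 line, and flags entries for the same reasons the helper used here (a referenced file that no longer exists, a known unwanted program name, an autorun that loads a DLL from system32 through rundll32, a populated AppInit_DLLs value, and shell or task-scheduler hooks pointing into system32). The sample log is constructed from the lines quoted in this thread plus one benign Apoint entry; the name list and the heuristics are this example's own assumptions, not an HJT feature.

```python
import re
from dataclasses import dataclass

# One line of a HijackThis scan: a section code (R1, O4, O20, ...) and the rest.
HJT_LINE = re.compile(r'^(?P<code>[RFNO]\d+) - (?P<body>.+)$')
# rundll32 invoking a DLL that lives under system32 (the shape of the
# [fezegekim] O4 entry quoted in the thread).
RUNDLL_SYSTEM32 = re.compile(
    r'rundll32(?:\.exe)?\s+"?[^"]*\\system32\\[^"\s,]+\.dll', re.I)
# Program names the helper told the poster to remove (assumption: taken from
# this thread only; a real review would use a maintained list).
UNWANTED_NAMES = ('mywebsearch', 'my web search')

# Constructed sample: entries quoted in the thread plus one benign Apoint line.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [fezegekim] Rundll32.exe "c:\windows\system32\fukupari.dll",a
O20 - AppInit_DLLs: cru629.dat c:\windows\system32\fudosegi.dll gakujode.dll c:\windows\system32\fukupari.dll
O21 - SSODL: mokihepej - {c0b19538-6e92-433e-bf21-28a4b739914f} - c:\windows\system32\fudosegi.dll (file missing)
O21 - SSODL: suyivisij - {3c6843f5-b3b9-47b1-b8ce-4f406f05583b} - c:\windows\system32\fukupari.dll
O22 - SharedTaskScheduler: jugezatag - {c0b19538-6e92-433e-bf21-28a4b739914f} - c:\windows\system32\fudosegi.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {3c6843f5-b3b9-47b1-b8ce-4f406f05583b} - c:\windows\system32\fukupari.dll
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
"""


@dataclass
class HjtEntry:
    code: str
    body: str

    @property
    def file_missing(self) -> bool:
        # HJT appends this marker when the referenced file is absent on disk.
        return self.body.rstrip().endswith('(file missing)')


def parse_hjt(text):
    """Turn the R/F/N/O lines of a HijackThis log into HjtEntry records."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group('code'), m.group('body')))
    return entries


def appinit_dlls(entries):
    """Return the DLL list from the O20 AppInit_DLLs line (empty if absent).
    Every DLL listed there is loaded into every user-mode process, so a
    populated value on a home XP machine deserves a look by itself."""
    for e in entries:
        if e.code == 'O20' and e.body.startswith('AppInit_DLLs:'):
            return e.body.split(':', 1)[1].split()
    return []


def flag_entries(entries):
    """Return [(entry, reasons)] for every entry that trips a review rule."""
    flagged = []
    for e in entries:
        low = e.body.lower()
        reasons = []
        if e.file_missing:
            reasons.append('references a file that no longer exists')
        if any(name in low for name in UNWANTED_NAMES):
            reasons.append('known unwanted program name')
        if e.code == 'O4' and RUNDLL_SYSTEM32.search(e.body):
            reasons.append('autorun loads a DLL from system32 via rundll32')
        if e.code == 'O20' and appinit_dlls([e]):
            reasons.append('AppInit_DLLs is populated')
        if e.code in ('O21', 'O22') and '\\system32\\' in low:
            reasons.append('shell/task-scheduler hook loading from system32')
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == '__main__':
    parsed = parse_hjt(SAMPLE_HJT)
    print('AppInit_DLLs:', appinit_dlls(parsed))
    for entry, reasons in flag_entries(parsed):
        print(f'{entry.code}: {entry.body}\n    -> ' + '; '.join(reasons))
```

Run against the sample, the script flags ten of the eleven entries and leaves the Apoint autorun alone; the flagged set is exactly the list the helper asked the poster to fix. The rules are deliberately coarse: they are a triage aid for a human reviewer, not a verdict, and anything they miss (the truncated R1 lines, for instance) still needs eyes on it.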

"Hi and Welcome to the Malwarebytes' forum.

First, go to the Control Panel -> Add/Remove Programs and remove anything to do with My Web Search!

I need to see the log report of the threat detections Avira finds but cannot successfully remove - That is very important information."

Thanks for the reply. I went to Add/Remove Programs, and there is nothing showing up that refers to My Web Search. I remember it showing up on my computer a long time ago, but I thought I had deleted it. If it's not showing up there, is there another way to delete it, or should I just move on to the next steps?

Also, should I post the Avira log report here and wait for another reply before I move on to the next steps, or should I just continue after I post?

Thanks!!!


This is the report from the Avira scan. I don't know if you needed the whole report, but I wasn't sure what to leave out, so I posted the whole thing.

Avira AntiVir Personal

Report file date: Saturday, November 07, 2009 13:13

Scanning for 1562564 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : DJM9DMC1

Version information:

BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00

AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 22:36:14

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 19:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 20:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 19:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 21:30:36

ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 18:21:42

ANTIVIR2.VDF : 7.1.4.253 1779200 Bytes 7/19/2009 07:08:01

ANTIVIR3.VDF : 7.1.5.19 139776 Bytes 7/23/2009 16:36:13

Engineversion : 8.2.0.228

AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 22:31:50

AESCRIPT.DLL : 8.1.2.18 442746 Bytes 7/23/2009 18:59:39

AESCN.DLL : 8.1.2.4 127348 Bytes 7/23/2009 18:59:39

AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 18:59:39

AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 22:31:50

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 18:59:39

AEHEUR.DLL : 8.1.0.143 1864055 Bytes 7/23/2009 18:59:39

AEHELP.DLL : 8.1.5.3 233846 Bytes 7/23/2009 18:59:39

AEGEN.DLL : 8.1.1.50 352629 Bytes 7/23/2009 18:59:39

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 23:32:40

AECORE.DLL : 8.1.7.6 184694 Bytes 7/23/2009 18:59:39

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 23:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 17:47:59

AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 19:32:15

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 23:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 19:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/25/2009 00:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 19:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/29/2009 00:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 17:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 19:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/16/2009 00:39:58

RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 19:19:48

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Saturday, November 07, 2009 13:13

Starting search for hidden objects.

'82195' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'jucheck.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'Marker.exe' - '1' Module(s) have been scanned

Scan process 'Aware.exe' - '1' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned

Scan process 'opera.exe' - '1' Module(s) have been scanned

Scan process 'tcsd_win32.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'SMARTBoardTools.exe' - '1' Module(s) have been scanned

Scan process 'rapimgr.exe' - '1' Module(s) have been scanned

Scan process 'SSScheduler.exe' - '1' Module(s) have been scanned

Scan process 'AutoUpdate.exe' - '1' Module(s) have been scanned

Scan process 'DLG.exe' - '1' Module(s) have been scanned

Scan process 'SMARTBoardService.exe' - '1' Module(s) have been scanned

Scan process 'wcescomm.exe' - '1' Module(s) have been scanned

Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned

Scan process 'LinksysAgent.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'spnsrvnt.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'avgtray.exe' - '1' Module(s) have been scanned

Scan process 'ISUSPM.exe' - '1' Module(s) have been scanned

Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned

Scan process 'apdproxy.exe' - '1' Module(s) have been scanned

Scan process 'ApntEx.exe' - '1' Module(s) have been scanned

Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned

Scan process 'point32.exe' - '1' Module(s) have been scanned

Scan process 'hidfind.exe' - '1' Module(s) have been scanned

Scan process 'DLACTRLW.EXE' - '1' Module(s) have been scanned

Scan process 'quickset.exe' - '1' Module(s) have been scanned

Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned

Scan process 'docmgr.exe' - '1' Module(s) have been scanned

Scan process 'stsystra.exe' - '1' Module(s) have been scanned

Scan process 'iFrmewrk.exe' - '1' Module(s) have been scanned

Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'Apoint.exe' - '1' Module(s) have been scanned

Scan process 'NicConfigSvc.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'avgnsx.exe' - '1' Module(s) have been scanned

Scan process 'avgrsx.exe' - '1' Module(s) have been scanned

Scan process 'DataServer.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'Crypserv.exe' - '1' Module(s) have been scanned

Scan process 'avgwdsvc.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'scardsvr.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'WLKEEPER.exe' - '1' Module(s) have been scanned

Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned

Scan process 'EvtEng.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

69 processes with 69 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[iNFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '77' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\hiberfil.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137200.EXE

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137201.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137202.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137203.DLL

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137204.DLL

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137205.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137206.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137207.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137208.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137209.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137210.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137211.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137212.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137213.DLL

[DETECTION] Is the TR/Killav.28714 Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137214.DLL

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137215.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137216.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137217.dll

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137218.scr

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137219.SCR

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137220.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137221.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137222.EXE

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137223.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137225.EXE

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137226.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137227.EXE

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137228.EXE

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137230.EXE

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137231.EXE

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137232.EXE

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137233.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP221\A0142913.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP221\A0142926.sys

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP221\A0142927.sys

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP251\A0163703.dll

[WARNING] The file could not be opened!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP251\A0163704.dll

[WARNING] The file could not be opened!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP251\A0163759.dll

[WARNING] The file could not be opened!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP251\A0163760.dll

[WARNING] The file could not be opened!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP251\A0163761.dll

[WARNING] The file could not be opened!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP251\A0163762.dll

[WARNING] The file could not be opened!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP251\A0163765.dll

[WARNING] The file could not be opened!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP253\A0163909.dll

[WARNING] The file could not be opened!

C:\WINDOWS\Temp\b9140f2a-2408-4629-a9b2-ae62b910e9f2.tmp

[0] Archive type: CAB (Microsoft)

--> cndcnv.dll

[WARNING] No further files can be extracted from this archive. The archive will be closed

[WARNING] No further files can be extracted from this archive. The archive will be closed

Beginning disinfection:

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137200.EXE

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '4b26f76b.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137201.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '4b26f76c.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137202.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '4a881d5d.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137203.DLL

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '4a8b1505.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137204.DLL

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '4a8c3c7d.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137205.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '4a8f3425.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137206.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '4a8a2dcd.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137207.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '484806a5.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137208.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '48490efd.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137209.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '4857f635.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137210.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '4854fe4d.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137211.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '4855e785.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137212.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '4852efdd.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137213.DLL

[DETECTION] Is the TR/Killav.28714 Trojan

[NOTE] The file was moved to '4853d715.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137214.DLL

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '4b26f76d.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137215.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '4851c766.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137216.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '485ec0be.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137217.dll

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '485fc8f6.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137218.scr

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '485cb00e.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137219.SCR

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '485db846.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137220.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '485aa19e.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137221.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '485ba9d6.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137222.EXE

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '485891ee.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137223.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '48599926.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137225.EXE

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '48a6817e.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137226.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '48a78ab6.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137227.EXE

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '48a472ce.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137228.EXE

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '48a57a06.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137230.EXE

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '48a2625e.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137231.EXE

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '48a36b96.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137232.EXE

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '48a053ae.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP214\A0137233.DLL

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '48a15be6.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP221\A0142913.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[NOTE] The file was moved to '48ae433e.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP221\A0142926.sys

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '48af4b76.qua'!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP221\A0142927.sys

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '48ac348e.qua'!

End of the scan: Saturday, November 07, 2009 14:39

Used time: 1:25:20 Hour(s)

The scan has been done completely.

9270 Scanned directories

494995 Files were scanned

35 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

35 Files were moved to quarantine

0 Files were renamed

10 Files cannot be scanned

494950 Files not concerned

17555 Archives were scanned

12 Warnings

37 Notes

82195 Objects were scanned with rootkit scan

0 Hidden objects were found


Thanks - just keep going - My Web Search is the least of your problems!

Of the 35 files that Avira detected this is the only one which may be a cause for concern:

C:\WINDOWS\Temp\b9140f2a-2408-4629-a9b2-ae62b910e9f2.tmp

The rest are System Volume Information trash gen detections. Any threats in System Volume Information, which consist of System Restore Data, are not active, and therefore they are NOT a concern until the final cleaning steps when we'll purge them.

Trash gen implies a false (harmless) detection planted there by one of the Rogue (Fake) Security programs that abound so that program can flag them in its phony scan report, in an attempt to appear legitimate.

So continue with the rest of the instructions please.


Ok...I did everything. I was not able to run the anti-rootkit program, because it kept getting hung up. The quick scan at the very beginning wouldn't finish, and then it kept saying "not responding". So I went ahead and did the ComboFix, which I'm going to post here. I will be right back to post the new HijackThis log.

ComboFix 09-11-08.03 - owner 11/08/2009 15:28.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.471 [GMT -8:00]

Running from: c:\documents and settings\owner\Desktop\fixit.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\bafovube.dll

c:\windows\system32\bokeneja.dll

c:\windows\system32\delidubu.dll

c:\windows\system32\fuzoyalu.dll

c:\windows\system32\gakujode.dll

c:\windows\system32\hovogove.dll

c:\windows\system32\kivobimo.dll

c:\windows\system32\pibijozi.dll

c:\windows\system32\sobalofe.dll

c:\windows\system32\ziwemiga.dll

c:\windows\Tasks\cyeiwhhk.job

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MYWEBSEARCHSERVICE

-------\Legacy_NWCWORKSTATION

-------\Service_MyWebSearchService

-------\Service_NWCWorkstation

((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))

.

2009-11-08 22:59 . 2009-11-08 22:59 291328 ----a-w- C:\ARK.exe

2009-11-07 23:57 . 2009-11-07 23:57 -------- d-----w- c:\program files\Trend Micro

2009-11-07 21:05 . 2009-03-30 18:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-11-07 21:05 . 2009-07-29 00:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-07 21:05 . 2009-02-13 20:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-11-07 21:05 . 2009-02-13 20:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-11-07 21:05 . 2009-11-07 21:05 -------- d-----w- c:\program files\Avira

2009-11-07 21:05 . 2009-11-07 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-11-07 00:52 . 2009-11-07 00:52 -------- d-----w- c:\program files\applica

2009-11-06 21:45 . 2009-11-07 22:48 -------- d-----w- c:\program files\yesican

2009-11-06 21:36 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-06 21:36 . 2009-11-06 21:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-06 21:36 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-06 20:03 . 2009-11-06 20:14 -------- d-----w- c:\program files\woohoo

2009-11-06 04:33 . 2009-10-22 03:09 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll

2009-11-06 01:12 . 2009-11-06 20:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2

2009-10-17 21:19 . 2009-10-17 21:19 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe

2009-10-13 00:33 . 2009-10-13 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-10-10 06:58 . 2009-10-10 06:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2009-10-10 06:58 . 2009-10-10 06:58 -------- d-----w- c:\program files\McAfee Security Scan

2009-10-10 06:58 . 2009-10-10 06:58 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2009-10-10 06:58 . 2009-10-13 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-08 21:53 . 2007-03-05 11:08 51473 ----a-w- c:\windows\system32\nvModes.dat

2009-11-08 19:24 . 2007-03-05 11:36 62776 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-06 04:31 . 2009-05-25 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-11 14:18 . 2004-08-11 23:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2004-08-11 23:00 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-17 19:50 . 2009-05-25 16:16 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-17 19:50 . 2009-05-25 16:16 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-17 19:50 . 2007-06-07 18:34 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-13 20:57 . 2009-08-13 20:57 152576 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-08-07 20:39 . 2009-08-07 20:39 89088 --sha-w- c:\windows\system32\fukupari.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 68856]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-19 802816]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]

"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-09-08 102400]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-21 213936]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-21 86960]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-21 213936]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-01-19 1519616]

"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2006-01-19 73728]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-3-5 24576]

EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-8-25 192512]

McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

SMART Board Tools.lnk - c:\program files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe [2009-4-8 9723904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-17 19:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\SMART Technologies\\SMART Board Drivers\\SMARTSNMPAgent.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\Intel\\Wireless\\Bin\\ZCfgSvc.exe"=

"c:\\Program Files\\SMART Technologies\\SMART Board Drivers\\Aware.exe"=

"c:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/25/2009 8:16 AM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/25/2009 8:16 AM 108552]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/7/2009 1:05 PM 108289]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/25/2009 8:16 AM 297752]

S2 DesignSpooler;Pulse Design Spooler;c:\program files\Tajima\DGML By Pulse 12\DesignSpooler.exe [12/3/2007 2:19 PM 1384493]

S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe [4/15/2009 3:30 PM 1048576]

S3 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies\SMART Board Drivers\WebServer.exe [4/15/2009 3:27 PM 1236992]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR

*Deregistered* - mbr

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: &Search

FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\j5mc3kgz.default\

FF - prefs.js: network.proxy.type - 2

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

BHO-{2ea1f11d-f6d1-4d01-b324-49f778f46948} - pibijozi.dll

HKLM-Run-fezegekim - c:\windows\system32\hovogove.dll

HKLM-Run-husejipuhu - sobalofe.dll

SharedTaskScheduler-{f63a2e83-9279-4ccf-a9f1-9413aae64b4c} - c:\windows\system32\hovogove.dll

SSODL-ruyefijuk-{f63a2e83-9279-4ccf-a9f1-9413aae64b4c} - c:\windows\system32\hovogove.dll

AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-08 15:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(964)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(708)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows\system32\crypserv.exe

c:\program files\Wave Systems Corp\Common\DataServer.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

c:\program files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe

c:\windows\system32\rundll32.exe

c:\program files\Apoint\Apntex.exe

c:\program files\Apoint\HidFind.exe

c:\progra~1\MICROS~4\rapimgr.exe

c:\program files\SMART Technologies\SMART Board Drivers\Aware.exe

c:\program files\SMART Technologies\SMART Board Drivers\Marker.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

c:\windows\system32\wscntfy.exe

c:\program files\Java\jre6\bin\jucheck.exe

.

**************************************************************************

.

Completion time: 2009-11-08 15:43 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-08 23:43

Pre-Run: 36,466,593,792 bytes free

Post-Run: 36,371,595,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - E81425DDC976CE22005BA536BCC09910


And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:55:10 PM, on 11/8/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Wave Systems Corp\Common\DataServer.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe

C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\Aware.exe

C:\Program Files\SMART Technologies\SMART Board Drivers\Marker.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070305

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R3 - URLSearchHook: Yahoo!


OK - very good. Your computer should be running much better now, though there are still a couple items to remove.

Do you know what this folder is, and do you need it?:

c:\program files\woohoo

After we remove the additional infection components, we can try the antirootkit again. I have a feeling the infection may have been blocking it. Just let me know your answer to the above.

Another problem - you are running two antiviruses concurrently - AVG and Avira:

Example entries from your log:

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

You must remove one of them - I personally prefer Avira over AVG


While waiting for further instructions, I went to uninstall AVG from my computer. There are two checkboxes where it asks if I want to remove 1) user settings and 2) include items from the virus vault? Should I check the boxes to remove these things?

Remove both of those.

*slightly embarrassed* When I was trying to get Malwarebytes to run by renaming it, this was one of my re-name attempts. Wanted to make sure I would remember it.

Not embarrassing at all - it seems very plausible to me!

We have a couple more items combofix identified to remove that we will manually specify for deletion by using a Combofix script.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad. Save this to your desktop as CFScript.txt by selecting File -> Save as.

KillAll::

File::
c:\windows\system32\fukupari.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

(image: CFScriptB-4.gif)

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.

Referring to the picture above, drag CFScript.txt into the renamed ComboFix.exe (fixit.exe)

This will cause ComboFix to run again.

Please post back the log that opens when it finishes (C:\Combofix.txt).

Now MBAM should be unblocked:

Uninstall MBAM and then download and reinstall it normally. First, update it and then attempt to run a scan. If successful, remove all threats found, and post back the log MBAM generates.

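Two of the things the helper is correcting in this thread are visible as plain lines in the ComboFix output: the Security Center key with "AntiVirusOverride"=dword:00000001 (antivirus alerts suppressed), the standard-profile "EnableFirewall"= 0, the hidden+system DLL fukupari.dll in system32 that the CFScript deletes, and two "AV:" product lines at the top. The script below is an added example, not code from this thread, from ComboFix or from Malwarebytes; it parses a hand-constructed log excerpt written in ComboFix's line layout (the layout is inferred from the entries quoted above, so the regular expressions are an assumption) and reports those weakened-security indicators so a reviewer does not have to find them by eye.

```python
"""Flag weakened-security indicators in a ComboFix-style log (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout ComboFix prints. The values mirror entries
# quoted in the forum thread, but this text was assembled by hand for the demo.
SAMPLE_LOG = r"""
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

2009-08-07 20:39 . 2009-08-07 20:39 89088 --sha-w- c:\windows\system32\fukupari.dll
2009-08-13 20:57 . 2009-08-13 20:57 152576 ----a-w- c:\windows\system32\lzma.dll

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    item: str      # the setting, file or product set concerned
    detail: str    # why a defender should care / what to restore


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
# "<mtime> . <ctime> <size> <attrs> <path>", optionally prefixed by +/- in snapshot diffs
_FILE_RE = re.compile(
    r"^[-+]?\s*\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(\S+)\s+([-a-z]{8})\s+(.+)$")
_AV_RE = re.compile(r"^AV: (.+?) \*")

SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FW_STANDARD = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"


def _reg_int(raw: str) -> Optional[int]:
    """Turn ComboFix's value renderings ('dword:00000001', ' 0 (0x0)') into an int."""
    m = re.match(r"dword:([0-9a-fA-F]+)", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", raw.strip())
    return int(m.group(1)) if m else None


def parse_registry(lines: List[str]) -> Dict[Tuple[str, str], Optional[int]]:
    """Map (key, value-name), both lower-cased, to the numeric value where one is printed."""
    values: Dict[Tuple[str, str], Optional[int]] = {}
    key = None
    for line in lines:
        km = _KEY_RE.match(line)
        if km:
            key = km.group(1).lower()
            continue
        vm = _VALUE_RE.match(line)
        if vm and key is not None:
            values[(key, vm.group(1).lower())] = _reg_int(vm.group(2))
    return values


def audit(log_text: str) -> List[Finding]:
    lines = log_text.splitlines()
    findings: List[Finding] = []

    reg = parse_registry(lines)
    if reg.get((SECURITY_CENTER, "antivirusoverride")) == 1:
        findings.append(Finding("high", "AntiVirusOverride=1",
                                "Security Center antivirus alerts suppressed; reset to 0 after cleanup"))
    if reg.get((FW_STANDARD, "enablefirewall")) == 0:
        findings.append(Finding("high", "EnableFirewall=0",
                                "Windows Firewall standard profile is switched off"))

    # Hidden + system attributes on a loose file in system32 are unusual for legitimate DLLs.
    for line in lines:
        fm = _FILE_RE.match(line)
        if fm:
            attrs, path = fm.group(2), fm.group(3).strip()
            if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
                findings.append(Finding("high", path, "hidden+system attributes on a file in system32"))

    products = {m.group(1) for m in map(_AV_RE.match, lines) if m}
    if len(products) > 1:
        findings.append(Finding("medium", "; ".join(sorted(products)),
                                f"{len(products)} on-access antivirus products registered; keep only one"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.severity}] {f.item}: {f.detail}")
```

Run it against a saved C:\Combofix.txt by replacing SAMPLE_LOG with the file's contents; on the constructed sample it reports the four items named in the lead-in, and a log whose AntiVirusOverride value is back at 0 and whose firewall is on produces no registry findings.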

"Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!"

Does this include turning off the firewall?

"Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix."

Not sure how to do this...not even sure which tasks are scheduled to run automatically on reboot.


"Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!"

Does this include turning off the firewall?

If it didn't interfere the first time you ran Combofix, then it should be OK if you don't turn it off.

"Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix."

Not sure how to do this...not even sure which tasks are scheduled to run automatically on reboot.

I included that because you do not want background activity running that can interfere with Combofix. Normally you can look to see if you have any autoscheduled scans in your security programs, to verify that. But this step is just a precaution and you should be OK running Combofix without going overboard with all these precautions (just don't start a scan or a chkdsk before running it!) - so give it a go with the script!


Here's the Combofix log (I'm doing the uninstall/re-download/run next):

ComboFix 09-11-08.03 - owner 11/08/2009 17:58.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.609 [GMT -8:00]

Running from: c:\documents and settings\owner\Desktop\fixit.exe

Command switches used :: c:\documents and settings\owner\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::

"c:\windows\system32\fukupari.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\fukupari.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MYWEBSEARCHSERVICE

-------\Legacy_NWCWORKSTATION

((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))

.

2009-11-08 22:59 . 2009-11-08 22:59 291328 ----a-w- C:\ARK.exe

2009-11-07 23:57 . 2009-11-07 23:57 -------- d-----w- c:\program files\Trend Micro

2009-11-07 21:05 . 2009-03-30 18:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-11-07 21:05 . 2009-07-29 00:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-11-07 21:05 . 2009-02-13 20:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-11-07 21:05 . 2009-02-13 20:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-11-07 21:05 . 2009-11-07 21:05 -------- d-----w- c:\program files\Avira

2009-11-07 21:05 . 2009-11-07 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-11-07 00:52 . 2009-11-07 00:52 -------- d-----w- c:\program files\applica

2009-11-06 21:45 . 2009-11-07 22:48 -------- d-----w- c:\program files\yesican

2009-11-06 21:36 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-06 21:36 . 2009-11-06 21:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-06 21:36 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-06 20:03 . 2009-11-06 20:14 -------- d-----w- c:\program files\woohoo

2009-11-06 01:12 . 2009-11-06 20:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2

2009-10-13 00:33 . 2009-10-13 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-10-10 06:58 . 2009-10-10 06:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2009-10-10 06:58 . 2009-10-10 06:58 -------- d-----w- c:\program files\McAfee Security Scan

2009-10-10 06:58 . 2009-10-10 06:58 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2009-10-10 06:58 . 2009-10-13 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-08 21:53 . 2007-03-05 11:08 51473 ----a-w- c:\windows\system32\nvModes.dat

2009-11-08 19:24 . 2007-03-05 11:36 62776 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-11 14:18 . 2004-08-11 23:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2004-08-11 23:00 916480 ------w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2004-08-11 23:00 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-13 20:57 . 2009-08-13 20:57 152576 ----a-w- c:\documents and settings\owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-11-08_23.37.23 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-11-09 02:06 . 2009-11-09 02:06 16384 c:\windows\temp\Perflib_Perfdata_664.dat

+ 2004-08-11 23:00 . 2009-11-08 23:41 72134 c:\windows\system32\perfc009.dat

- 2004-08-11 23:00 . 2009-11-08 22:54 72134 c:\windows\system32\perfc009.dat

+ 2004-08-11 23:00 . 2009-11-08 23:41 443034 c:\windows\system32\perfh009.dat

- 2004-08-11 23:00 . 2009-11-08 22:54 443034 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 68856]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-19 802816]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]

"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-09-08 102400]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-21 213936]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-21 86960]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-21 213936]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-01-19 1519616]

"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2006-01-19 73728]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-3-5 24576]

EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-8-25 192512]

McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

SMART Board Tools.lnk - c:\program files\SMART Technologies\SMART Board Drivers\SMARTBoardTools.exe [2009-4-8 9723904]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\SMART Technologies\\SMART Board Drivers\\SMARTSNMPAgent.exe"=

"c:\\Program Files\\Intel\\Wireless\\Bin\\ZCfgSvc.exe"=

"c:\\Program Files\\SMART Technologies\\SMART Board Drivers\\Aware.exe"=

"c:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/7/2009 1:05 PM 108289]

S2 DesignSpooler;Pulse Design Spooler;c:\program files\Tajima\DGML By Pulse 12\DesignSpooler.exe [12/3/2007 2:19 PM 1384493]

S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\SMART Technologies\SMART Board Drivers\SMARTSNMPAgent.exe [4/15/2009 3:30 PM 1048576]

S3 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies\SMART Board Drivers\WebServer.exe [4/15/2009 3:27 PM 1236992]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: &Search

FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\j5mc3kgz.default\

FF - prefs.js: network.proxy.type - 2

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-08 18:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(956)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(4068)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows\system32\crypserv.exe

c:\program files\Wave Systems Corp\Common\DataServer.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

c:\program files\SMART Technologies\SMART Board Drivers\SMARTBoardService.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\wscntfy.exe

c:\program files\Apoint\HidFind.exe

c:\program files\Apoint\Apntex.exe

c:\progra~1\MICROS~4\rapimgr.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

c:\program files\SMART Technologies\SMART Board Drivers\Aware.exe

c:\program files\SMART Technologies\SMART Board Drivers\Marker.exe

c:\program files\Java\jre6\bin\jucheck.exe

.

**************************************************************************

.

Completion time: 2009-11-09 18:12 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-09 02:12

ComboFix2.txt 2009-11-08 23:43

Pre-Run: 36,579,819,520 bytes free

Post-Run: 36,546,203,648 bytes free

- - End Of File - - 6475657E51519983C6EC54496AFECA45


OK, finally finished reloading MBAM and running the scan. There were 12 infections... here's the log:

Malwarebytes' Anti-Malware 1.41

Database version: 3130

Windows 5.1.2600 Service Pack 3

11/8/2009 7:15:15 PM

mbam-log-2009-11-08 (19-15-15).txt

Scan type: Full Scan (C:\|)

Objects scanned: 252361

Time elapsed: 47 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 12

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\gakujode.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\kivobimo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\pibijozi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\sobalofe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ziwemiga.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP254\A0164265.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP254\A0164267.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP254\A0164268.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP254\A0164269.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP254\A0164270.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


Everything looks good now!!

The only new items found by MBAM were My Web Search related:

Files Infected:

C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

The rest of the files flagged do NOT represent active threats, because they are in the Combofix Quarantine or in C:\System Volume Information, which is system restore data.

We have a few steps to finish up now.

You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 17, if you have not done that already.

You can check your currently installed JRE version here.

If you find you need to update to the Java Runtime Environment (JRE) 6 Update 17, then follow these steps:

1. Download the latest JRE version at Sun Microsystems' website: http://java.sun.com/javase/downloads/index.jsp

2. Select the option that says: "JRE 6 Update 17 - This special release provides a few key fixes", and click the Download button.

3. Select your platform: Windows, in the pull down menu.

4. Check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement."

5. Click Continue.

6. Under the Windows Platform - Java SE Runtime Environment 6 Update 17 section, click on the link to download the Windows Offline Installation and save the installer to your desktop.

7. Close any programs you may have running - especially your web browser.

8. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).

9. Reboot your system

10. Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version of the Sun Java Platform.

11. If the Yahoo Toolbar is prechecked for installation be sure to UNCHECK it, if you do not care to have it, or already have it installed - it is not part of the JRE install and totally unnecessary.

12. You may verify that the current version installed properly by visiting http://java.com/en/download/installed.jsp

Now clear the Java cache:

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java icon (it looks like a coffee cup).

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.

-

If I asked you to download and run an ARK (Antirootkit program), then please uninstall it by doing the following:

  • Delete the contents of the folder C:\ARK
  • Delete the C:\ARK folder

Let's remove Combofix and all its associated files including those in quarantine:

Click start -> run, then copy and paste the following line into the Open box and click OK.

"%userprofile%\desktop\fixit.exe" /uninstall

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • Flush your system restore points and create a new restore point.
  • Rehide your system files and folders.
  • Reset your system clock.

---

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not Operating System flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on-demand scanner because I highly recommend it, and the quick scan will find almost all active malware in minutes.

3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

4. Download and install SpywareBlaster:

http://www.javacoolsoftware.com/spywareblaster.html

Update it and then enable protection for all unprotected items.

You will have to update the free version manually about once a month by clicking the Updates button. You can refer to the Calendar of Updates website to see when SpywareBlaster and other programs that do not auto-update have new definitions or program updates available.

You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.

The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Updates.

However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

Finally, please follow the suggestions offered by Tony Klein in "How did I get infected in the first place", so you can maintain a safe and secure computing environment.

Happy Surfing!

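As an added example (not part of this thread and not Malwarebytes' or ComboFix's own tooling), here is a small Python script that applies the helper's triage rule to an MBAM 1.x log: detections under ComboFix's C:\Qoobox\Quarantine or under C:\System Volume Information\_restore... are inactive copies, anything else is a live path, and any action other than "Quarantined and deleted successfully" still needs follow-up. The log excerpt is constructed from the format above, and the example.dll line is a made-up detection included only to show the pending case.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x log: separate detections found in
ComboFix's quarantine or in System Restore data from ones at live paths."""
import re

# Constructed excerpt in the MBAM 1.41 log format; the example.dll entry is
# invented to exercise the "not yet removed" case.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3130
Files Infected: 4

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gakujode.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP254\A0164265.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example.dll (Trojan.Vundo) -> Delete on reboot.
"""

# "<path> (<detection name>) -> <action>"
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^)]+)\) -> (?P<action>.+)$")

# Path prefixes (lower-cased) that hold inactive copies rather than live threats.
INACTIVE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",
    "c:\\system volume information\\_restore",
)


def parse_detections(log_text):
    """Return the entries listed under 'Files Infected:' as dicts."""
    entries, in_files_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        # Section headers end with ':'; the summary line 'Files Infected: 12' does not.
        if line.endswith(":") and "Infected" in line:
            in_files_section = line == "Files Infected:"
            continue
        match = DETECTION_RE.match(line) if in_files_section else None
        if match:
            entries.append(match.groupdict())
    return entries


def triage(log_text):
    """Split detections into live vs. inactive, and flag ones not fully removed."""
    report = {"live": [], "inactive": [], "pending": []}
    for entry in parse_detections(log_text):
        inactive = entry["path"].lower().startswith(INACTIVE_PREFIXES)
        report["inactive" if inactive else "live"].append(entry)
        if "successfully" not in entry["action"]:
            report["pending"].append(entry)  # e.g. "Delete on reboot." needs a restart
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket in ("live", "inactive", "pending"):
        print(bucket, [e["path"] for e in result[bucket]])
```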
