BLUV Posted January 9, 2010 ID:182087 Share Posted January 9, 2010 i been up all morning trying to get rid of the mbam bug, then the vundo trojan. I think I got it further along, but really will need help making sure and getting rid of this rootkit.tdss thing in Malwarebyts scan. It says it got rid of it, but keeps coming back. I am pasting logs below. Please advise.....Malwarebytes' Anti-Malware 1.44Database version: 3528Windows 6.0.6001 Service Pack 1Internet Explorer 7.0.6001.180001/9/2010 12:20:56 PMmbam-log-2010-01-09 (12-20-56).txtScan type: Quick ScanObjects scanned: 125655Time elapsed: 7 minute(s), 10 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Logfile of Trend Micro HijackThis v2.0.3 (BETA)Scan saved at 12:22:28 PM, on 1/9/2010Platform: Windows Vista SP1 (WinNT 6.00.1905)MSIE: Internet Explorer v7.00 (7.00.6001.18349)Boot mode: NormalRunning processes:C:\Windows\system32\taskeng.exeC:\Windows\system32\Dwm.exeC:\Program Files\Internet Explorer\Iexplore.exeC:\Program Files\Symantec AntiVirus\VPTray.exeC:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exeC:\Program Files\Analog Devices\Core\smax4pnp.exeC:\Program Files\PC Hardware Manager\PCHardwareManager.exeC:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exeC:\Program Files\iTunes\iTunesHelper.exeC:\hp\support\hpsysdrv.exeC:\Program Files\HP\HP Software Update\hpwuSchd2.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Windows\system32\schtasks.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Windows\System32\rundll32.exeC:\Windows\Explorer.EXEC:\Program Files\Yahoo!\Messenger\ymsgr_tray.exeC:\hp\kbd\kbd.exeC:\Windows\system32\mmc.exeC:\Windows\System32\mobsync.exeC:\Windows\system32\SearchFilterHost.exeC:\Program Files\TrendMicro\HiJackThis\HiJackThis.exeC:\Program Files\Internet Explorer\Iexplore.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktopR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktopR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.comR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Link to post Share on other sites More sharing options...
kahdah Posted January 9, 2010 ID:182106 Share Posted January 9, 2010 Hello BLUVWelcome to Malwarebytes.=====================Download OTL to your desktop.Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.When the window appears, underneath Output at the top change it to Minimal Output.Under the Standard Registry box change it to All.Under Custom scan's and fixes section paste in the below in bold%SYSTEMDRIVE%\*.exe/md5starteventlog.dllscecli.dllnetlogon.dllcngaudit.dllsceclt.dllntelogon.dlllogevent.dlliaStor.sysnvstor.sysatapi.sysIdeChnDr.sysviasraid.sysAGP440.sysvaxscsi.sysnvatabus.sysviamraid.sysnvata.sysnvgts.sysiastorv.sysViPrt.syseNetHook.dllahcix86.sysKR10N.sysnvstor32.sysahcix86s.sysnvrd32.sys /md5stop%systemroot%\*. /mp /sCREATERESTOREPOINT%systemroot%\system32\*.dll /lockedfiles%systemroot%\Tasks\*.job /lockedfilesCheck the boxes beside LOP Check and Purity Check.Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.====================Download the following GMER Rootkit Scanner from HereDownload the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on RunIt may take a minute to load and become available.If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKEDSectionsIAT/EATDrives/Partition other than Systemdrive (typically only C:\ should be checked)Show All (don't miss this one)Then click the Scan button & wait for it to finish.Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.Save it where you can easily find it, such as your desktop**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entriesClick OK and quit the GMER program.Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.Post that log in your next reply. Link to post Share on other sites More sharing options...
BLUV Posted January 9, 2010 Author ID:182121 Share Posted January 9, 2010 the GMER keeps giving me access denied errors.OTL Extras logfile created on: 1/9/2010 1:43:20 PM - Run 1OTL by OldTimer - Version 3.1.22.0 Folder = C:\Users\Barron\Desktop\fixWindows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstationInternet Explorer (Version = 7.0.6001.18000)Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 60.00% Memory free7.00 Gb Paging File | 5.00 Gb Available in Paging File | 81.00% Paging File freePaging file location(s): ?:\pagefile.sys [binary data]%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program FilesDrive C: | 456.67 Gb Total Space | 143.02 Gb Free Space | 31.32% Space Free | Partition Type: NTFSDrive D: | 9.09 Gb Total Space | 1.24 Gb Free Space | 13.66% Space Free | Partition Type: NTFSE: Drive not present or media not loadedF: Drive not present or media not loadedG: Drive not present or media not loadedH: Drive not present or media not loadedI: Drive not present or media not loadedDrive Z: | 1397.26 Gb Total Space | 898.99 Gb Free Space | 64.34% Space Free | Partition Type: NTFSComputer Name: BARRONHPCurrent User Name: BarronLogged in as Administrator.Current Boot Mode: NormalScan Mode: Current userCompany Name Whitelist: OffSkip Microsoft Files: OffFile Age = 30 DaysOutput = Minimal========== Extra Registry (SafeList) ==================== File Associations ==========[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>].cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation).hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation).html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)========== Shell Spawning ==========[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]batfile [open] -- "%1" %*cmdfile [open] -- "%1" %*comfile [open] -- "%1" %*cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)exefile [open] -- "%1" %*helpfile [open] -- Reg Error: Key error.hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)piffile [open] -- "%1" %*regfile [merge] -- Reg Error: Key error.scrfile [config] -- "%1"scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)scrfile [open] -- "%1" /Stxtfile [edit] -- Reg Error: Key error.Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)========== Security Center Settings ==========[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]"cval" = 0"UacDisableNotify" = 1"InternetSettingsDisableNotify" = 1"AutoUpdateDisableNotify" = 1"AntiVirusOverride" = 0"FirewallOverride" = 0"UpdatesDisableNotify" = 0"AntiVirusDisableNotify" = 0[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]"DisableMonitoring" = 1[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]"DisableMonitoring" = 1[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]"DisableMonitoring" = 1[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]"AntiVirusOverride" = 0"AntiSpywareOverride" = 0"FirewallOverride" = 1"VistaSp1" = Reg Error: Unknown registry data type -- File not found[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]"DisableNotifications" = 0"EnableFirewall" = 0[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]"DisableNotifications" = 0"EnableFirewall" = 0[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]"DisableNotifications" = 0"EnableFirewall" = 0========== Authorized Applications List ==================== Vista Active Open Ports Exception List ==========[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]"{0EA4CDF1-37A5-492C-B850-F9EB809350DD}" = lport=2869 | protocol=6 | dir=in | app=system | "{126EEFCB-01AC-47A1-A67C-8DE427D8E3ED}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | "{1E69CE0E-4BAC-42FB-A346-A6A0F4B4C8B7}" = lport=2869 | protocol=6 | dir=in | app=system | "{27783CAE-D4A9-4DE4-8695-9774033977C4}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{33B5AB8B-3469-44B0-920C-EBF83B91E9EF}" = lport=50901 | protocol=6 | dir=in | name=adobe version cue cs3 server | "{39903167-E774-4A7F-93D4-C91EE5FB3A24}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | "{4F2E06BD-E532-40E4-81EA-CF22F2D88EDE}" = lport=10243 | protocol=6 | dir=in | app=system | "{64366C29-1199-4A01-A607-047D1480B467}" = rport=10243 | protocol=6 | dir=out | app=system | "{7C93EB40-DE4D-4C3E-B675-AD4ECC42AA7D}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{81CE40DF-6DDF-4D16-83C8-7DC199CB3CC3}" = lport=50900 | protocol=6 | dir=in | name=adobe version cue cs3 server | "{9739FC7E-6F81-4651-83DC-DE3B5793C4C2}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | "{A4FBBE23-9D03-4F57-A706-1E3B11472A0F}" = lport=3703 | protocol=6 | dir=in | name=adobe version cue cs3 server | "{CFC7F37B-6533-4B06-88BE-A3D5C43F1268}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | "{EDAE8803-DFA8-4C18-9A55-040D81669D67}" = lport=3704 | protocol=6 | dir=in | name=adobe version cue cs3 server | "{FAEFD631-E3CD-49F1-B27F-F54DE0D6D943}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe | ========== Vista Active Application Exception List ==========[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]"{0328E534-8BA5-4925-B3BB-823BDCCBFCB5}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{182AC870-6A21-48FD-9064-F6A4E098C6AE}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe | "{244C2AFE-BD45-4CC3-9C24-CEB8F3459490}" = protocol=17 | dir=in | app=c:\users\barron\appdata\roaming\mjusbsp\magicjack.exe | "{347FA16F-1731-4E74-9427-5C62E2D9028C}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{3C968EBA-57A2-4DEA-B9C7-188B114662B1}" = protocol=6 | dir=out | app=system | "{47406078-2A86-450E-B9FD-9B3C695E9830}" = protocol=17 | dir=in | app=c:\program files\symantec antivirus\rtvscan.exe | "{4BD05824-F6B5-4E55-BB16-C5A25FCDDA97}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{4DBD05D7-454F-4FA1-80AD-8E94447D6808}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe | "{54F7F4A9-5601-4250-AD84-EAC6B1F52336}" = protocol=6 | dir=in | app=c:\program files\symantec antivirus\rtvscan.exe | "{60C09EC3-AB74-4957-8683-124095238B03}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{631CD92A-A904-49C3-A55A-9718D16C8164}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe | "{67E3DEB7-FECD-4DE2-A524-FE0A6860EE90}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe | "{68C0063E-F9F6-4AA2-9AAB-39686004B316}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe | "{698299EC-CB35-4B13-9622-63B30672FDAF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{6E45B5F5-F117-4873-B019-4B66776F589E}" = protocol=17 | dir=in | app=c:\program files\common files\adobe\adobe version cue cs3\server\bin\versioncuecs3.exe | "{73CB3D56-B66B-4EE4-9A62-67460745841D}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe | "{74738D7D-D57E-4847-8123-A2E0514C4A9E}" = protocol=6 | dir=in | app=c:\program files\common files\adobe\adobe version cue cs3\server\bin\versioncuecs3.exe | "{75EB1E98-4535-41DF-BE83-46BA51A22861}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{7BE77069-C0DE-41A7-9DE0-933D770BB97C}" = protocol=17 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe | "{7C01DB91-90F2-481D-9ACD-A69ACBD4E48A}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe | "{7CDB7FE3-440D-4C57-B35A-032D3A8A27C2}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe | "{87C77762-82F5-470F-B961-DA4809914360}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{8B7C6D18-5753-45C1-A60F-B6747419B9DF}" = protocol=6 | dir=in | app=c:\users\barron\appdata\roaming\mjusbsp\magicjack.exe | "{8CC9988F-06F2-40D1-9425-8ABA4D722341}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | "{8F12D447-28C0-4B7F-B632-6371E582F0C2}" = protocol=6 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe | "{969EC665-3CF8-48A3-935E-ADF6592B22DF}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | "{A6A8FDF0-C341-45F3-8108-328AFBA0FA68}" = dir=in | app=c:\program files\windows live\messenger\livecall.exe | "{AAC507E2-EB7B-4043-BC65-391F4CF98A4B}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{C6B382AD-E51D-4BDF-A507-FFB7A4900559}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{C8A83726-7E5F-419B-AEFD-CD52421E1088}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | "{C94A164F-B7A4-4A1E-AFF9-EA87B6CC5284}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe | "{CBA85DE6-CAF1-4811-92D2-C1F62C4F1935}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | "{D792AD59-3E32-44D3-8B6E-69473D169C92}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe | "{EA64FA37-03A7-4107-8E11-06226AB8B66F}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe | "{F1D56D85-BD7F-4CF4-A8BB-C7EFB2080D44}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{F9F4F967-048A-4BC3-AFBB-D08ACAD80E6D}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "TCP Query User{8EAC525F-1479-4CCF-9212-ABCF35A1A1AD}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe | "UDP Query User{9803B26A-6ED5-49E6-A03F-A0178BC51B4E}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ==========[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]"_{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW® Graphics Suite X4"_{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW® Graphics Suite X4 - Windows Shell Extension"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3"{029B5901-1F27-4347-9923-E8ACC8F54E15}" = Snapfish Picture Mover"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools"{03D1988F-469F-4843-8E6E-E5FE9D17889D}" = Bluetooth by hp 6.1.0.1203"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting"{0A2C5854-557E-48C8-835A-3B9F074BDCAA}" = Python 2.5"{0A47BAFF-D4FF-4BD3-96CA-02A22EA62722}" = HP Active Support Library"{0B99217C-2302-49C2-9429-EC26B66B1B7C}" = HP Photosmart Touch"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data"{0DDA7620-4F8B-43B3-8828-CA5EE292FA3B}" = HP Total Care Advisor"{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}" = Roxio Creator EasyArchive"{14779493-131D-4BAA-B87F-2999B347F6A9}" = NavisWorks Manage 2009"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin"{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}" = Adobe After Effects CS3 Presets"{196AD67D-9180-4A8C-BE53-E7C68D80AE33}" = NavisWorks Freedom 2009"{1D58229F-C505-45CA-8223-F35F3A34B963}" = Adobe Version Cue CS3 Server"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java 6 Update 17"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java SE Runtime Environment 6 Update 1"{326957C7-83FD-4550-A59A-849B7B4297DE}" = Microsoft Easy Assist v2"{32A72502-BC2C-4C39-ACEA-BC3D463F0697}" = EN"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Roxio Activation Module"{40F7AED3-0C7D-4582-99F6-484A515C73F2}" = HP Easy Setup - Frontend"{4458C442-7376-4CF9-AF58-E8CEA6722363}" = Adobe Setup"{44A27085-0616-4181-A0C3-81C7ECA17F73}" = CorelDRAW Graphics Suite X4"{450063AA-643B-417C-8CF5-405BA3F4EF40}" = Autodesk Design Review 2009"{4A11206C-4377-49E8-911E-B11548658FF3}" = Revit Architecture 2008"{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}" = FontNav"{4FC19392-E4A5-4CCB-B45A-AB7E8126D3C9}" = Microsoft Easy Assist"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3"{5545EEE1-FA36-4F76-B6BE-5696E7F4E2D6}" = VBA (2627.01)"{55979C41-7D6A-49CC-B591-64AC1BBE2C8B}" = HP Picasso Media Center Add-In"{5783F2D7-6001-0409-0002-0060B0CE6BBA}" = AutoCAD 2008 - English"{596717E1-5508-4932-BDFA-8B33CC49295B}" = Windows Mobile 6.1 Professional Emulator Images - USA"{5E076CF2-EFED-43A2-A623-13E0D62EC7E0}" = Windows Server 2003 Administration Tools Pack"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash"{6D3DB611-D5E8-4E4B-8952-0D3F549F9CC6}" = HP Active Support Library 32 bit components"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3"{716B7BE7-6270-4D64-AB52-1870ED1A47B3}" = HP SmartCenter"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053"{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)"{775B9052-3517-47FA-817D-1BB28363D43A}" = muvee autoProducer 6.0"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar"{7ACFB90E-8FD0-4397-AD3A-5195412623A3}" = Adobe Help Viewer CS3"{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}" = Adobe Dreamweaver CS3"{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}" = CorelDRAW Graphics Suite X3"{7DFC1012-D346-46CE-B03E-FF79125AE029}" = Adobe Fireworks CS3"{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW Graphics SUite X4 - ICA"{7F05E704-30A6-421A-97A7-8EEB1C7FF012}" = CorelDRAW Graphics Suite X4 - Capture"{7F05E704-30A6-421A-97A7-8EEB1C7FF013}" = CorelDRAW Graphics Suite X4 - Draw"{7F05E704-30A6-421A-97A7-8EEB1C7FF014}" = CorelDRAW Graphics Suite X4 - PP"{7F05E704-30A6-421A-97A7-8EEB1C7FF016}" = CorelDRAW Graphics Suite X4 - Content"{7F05E704-30A6-421A-97A7-8EEB1C7FF017}" = CorelDRAW Graphics Suite X4 - Filters"{7F05E704-30A6-421A-97A7-8EEB1C7FF019}" = CorelDRAW Graphics Suite X4 - FontNav"{7F05E704-30A6-421A-97A7-8EEB1C7FF100}" = CorelDRAW Graphics Suite X4 - Lang EN"{7F1B3341-A94E-4F5C-B587-CA0EB964221E}" = Microsoft Money Shared Libraries"{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01"{8389382B-53BA-4A87-8854-91E3D80A5AC7}" = HP Photosmart Essential2.01"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio"{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}" = Adobe Video Profiles"{86170243-41F2-4B2E-9BD6-2F404B2C8E46}" = TWC Customer Controls"{8718DC03-D066-4957-94E5-50C3C5042E8E}" = Adobe Creative Suite 3 Master Collection"{88D422DB-E9C7-4E16-9D80-2999F4FD6AD9}" = Adobe Flash Player 9 Plugin"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight"{8A7CAA24-7B23-410B-A7C3-F994B0944160}" = Microsoft Virtual PC 2007"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3"{938B1CD7-7C60-491E-AA90-1F1888168240}" = Roxio MyDVD Basic v9"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings"{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}" = iTunes"{9A346205-EA92-4406-B1AB-50379DA3F057}" = Autodesk DWF Viewer 7"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3"{9D0798D0-AF6C-4E62-94B1-AEBF1A43E00A}" = CorelDRAW Graphics Suite X4 - IPM"{9DBA770F-BF73-4D39-B1DF-6035D95268FC}" = HP Customer Feedback"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific"{A3A37DA6-70C0-497C-BCB1-148E9EC1D32E}" = Revit Architecture 2009 (AutoCAD Suite)"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable"{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer"{AB5E289E-76BF-4251-9F3F-9B763F681AE0}" = HP Customer Experience Enhancements"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Fran Link to post Share on other sites More sharing options...
kahdah Posted January 9, 2010 ID:182141 Share Posted January 9, 2010 Update mbam and run it again remove what it finds then post your log.By chance did you try to right click on gmer and choose run as administrator?If not try that.Post that log if you can get one. Link to post Share on other sites More sharing options...
BLUV Posted January 10, 2010 Author ID:182165 Share Posted January 10, 2010 Yes i tried loading that way as well...still access errors.Malwarebytes' Anti-Malware 1.44Database version: 3531Windows 6.0.6001 Service Pack 1Internet Explorer 7.0.6001.180001/9/2010 4:16:43 PMmbam-log-2010-01-09 (16-16-43).txtScan type: Quick ScanObjects scanned: 126049Time elapsed: 6 minute(s), 38 second(s)Memory Processes Infected: 0Memory Modules Infected: 1Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:\\?\globalroot\systemroot\System32\H8SRTtemmrdsxxp.dll (Trojan.Vundo) -> Delete on reboot.Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:\\?\globalroot\systemroot\System32\H8SRTtemmrdsxxp.dll (Trojan.Vundo) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
kahdah Posted January 10, 2010 ID:182174 Share Posted January 10, 2010 One or more of the identified infections is a backdoor trojan or rootkit.This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?When Should I Format, How Should I ReinstallWe can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. Link to post Share on other sites More sharing options...
BLUV Posted January 10, 2010 Author ID:182183 Share Posted January 10, 2010 Lets please continue to clen....Thank you. Link to post Share on other sites More sharing options...
kahdah Posted January 10, 2010 ID:182190 Share Posted January 10, 2010 We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Please include the C:\ComboFix.txt in your next reply for further review. Link to post Share on other sites More sharing options...
BLUV Posted January 10, 2010 Author ID:182197 Share Posted January 10, 2010 I tried that earlier and I keep gettin:ComboFix has stopped workingI cant get it to loade for some reason. Also tried run as administrator. Link to post Share on other sites More sharing options...
BLUV Posted January 10, 2010 Author ID:182201 Share Posted January 10, 2010 I tried that earlier and I keep gettin:ComboFix has stopped workingI cant get it to loade for some reason. Also tried run as administrator.also,when i rename the file and load, it will say, some files can not be created. Please close all applications...etc... Link to post Share on other sites More sharing options...
BLUV Posted January 10, 2010 Author ID:182335 Share Posted January 10, 2010 Are we going to continue? Please advise.... Link to post Share on other sites More sharing options...
kahdah Posted January 10, 2010 ID:182378 Share Posted January 10, 2010 Are we going to continue? Please advise.... Did you not think I was going to get back to you?I do other things besides help with malware removal.I will post to you when I can please be patient.Download RootRepeal from one of the following locations:Location 1 (Zip File) Location 2 (Zip File)Location 3 (RAR File) Location 4 (Zip File) Location 5 (RAR File) Unzip it to your Desktop.Double click RootRepeal.exe to start the programClick on the Report tab at the bottom of the program windowClick the Scan buttonIn the Select Scan dialog, check:DriversFilesProcessesStealth ObjectsHidden Services[*]Click the OK button[*]In the next dialog, select all drives showing[*]Click OK to start the scanNote: The scan should not take very long. DO NOT run any other programs while the scan is running[*]When the scan is complete, the Save Report button will become available[*]Click this and save the report to your Desktop as RootRepeal.txt[*]Go to File, then Exit to close the programPlease copy and paste the report into your Post. Link to post Share on other sites More sharing options...
BLUV Posted January 10, 2010 Author ID:182564 Share Posted January 10, 2010 Sir....I haven't a clue what you do or who you are. I asked a question and I appreciate you understand my position. I will be more than happy to pay you for your time. But, don't assume that I know what your schedule is. It's the first time I have posted on this site. My only goal is to fix the issue with you, if you're willing, or with another source.With that said, I have been running this scan for more than 4 hours. It's still going, but wansn't sureif this is suppose to run this long.. Please advise. Link to post Share on other sites More sharing options...
kahdah Posted January 10, 2010 ID:182574 Share Posted January 10, 2010 Payment is not needed I don't mind helping but it has to be done when I can do it I will return to the log as soon as I possibly can.As I said above please be patient.Please stop the root repeal scan and post the log that pops up please. Link to post Share on other sites More sharing options...
Maurice Naggar Posted January 30, 2010 ID:191523 Share Posted January 30, 2010 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts