
malware.trace and backdoor.bot - will not go away!



Hi, about a month ago my laptop (XP Pro, SP3) got nailed. It came to my attention with "Antivirus Soft" ransomware, and after managing to get rid of that and a few other things, malware.trace and backdoor.bot keep showing up after reboot. Ad-Aware and Spybot Search & Destroy don't pick up on these. Can someone help me?

Thanks!

Here is my latest mbam-log:

Malwarebytes' Anti-Malware 1.44

Database version: 3902

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/23/2010 12:40:25 PM

mbam-log-2010-03-23 (12-40-25).txt

Scan type: Quick Scan

Objects scanned: 132407

Time elapsed: 8 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

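Added example, not part of the original post and not Malwarebytes' own tooling: a small Python parser for MBAM 1.x log excerpts like the one above. It collapses entries that are reported once under HKEY_USERS\.DEFAULT and again under HKEY_USERS\S-1-5-18. On XP those are the same hive (the LocalSystem account's user hive; S-1-5-18 is the well-known LocalSystem SID), so the four Backdoor.Bot keys above are really two distinct keys, both living in the SYSTEM hive rather than in the logged-on user's hive. The section names and line shape are taken from the log above; the sample input is an excerpt of it.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log and de-duplicate the registry
artifacts it reports.  Added example, not Malwarebytes' or the poster's code."""
import re
from collections import defaultdict

# HKEY_USERS\S-1-5-18 (well-known LocalSystem SID) is the same hive as
# HKEY_USERS\.DEFAULT, so MBAM lists each key under that hive twice.
HIVE_ALIASES = {r"HKEY_USERS\S-1-5-18": r"HKEY_USERS\.DEFAULT"}

# Section headers in the detail part of the log, e.g. "Registry Keys Infected:"
# (the summary lines carry a count after the colon and do not match).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Detail lines: <path> (<detection name>) -> <action taken>.
DETECTION_RE = re.compile(r"^(?P<path>\S.*?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


def canonical(path):
    """Rewrite alias hives so one key seen via two paths compares equal."""
    for alias, target in HIVE_ALIASES.items():
        if path.lower().startswith(alias.lower()):
            return target + path[len(alias):]
    return path


def parse_mbam_log(text):
    """Return {section: [(canonical_path, detection_name, action), ...]},
    duplicates collapsed; sections that list no items are absent."""
    found = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            entry = (canonical(m.group("path")), m.group("name"), m.group("action"))
            if entry not in found[section]:
                found[section].append(entry)
    return dict(found)


def summarize(found):
    """Distinct artifacts per detection name, e.g. {'Backdoor.Bot': 2, ...}."""
    counts = defaultdict(int)
    for entries in found.values():
        for _, name, _ in entries:
            counts[name] += 1
    return dict(counts)


def system_hive_artifacts(found):
    """Paths that live in the LocalSystem hive rather than the interactive
    user's hive: writing there needs administrator rights, and whatever reads
    them does so in the SYSTEM context, not as the logged-on user."""
    return [p for entries in found.values() for p, _, _ in entries
            if p.lower().startswith(r"hkey_users\.default")]


# Sample input: an excerpt of the log posted above, trimmed to the detail sections.
SAMPLE_LOG = r"""
Registry Keys Infected: 4

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:

(No malicious items detected)
"""

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for section, entries in found.items():
        print(section)
        for path, name, action in entries:
            print(f"  [{name}] {path} -> {action}")
    print("distinct artifacts per detection:", summarize(found))
    print("in the LocalSystem hive:", len(system_hive_artifacts(found)))
```

Run as-is it reports two distinct Backdoor.Bot keys and one Malware.Trace value. The de-duplication matters when deciding whether a scan is finding "more" each time or just the same thing through two names; it says nothing about what writes the keys back, which is what the rest of the thread is about.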

  • Staff

Hi,

Looks like there's still another malicious component present which reinstalls the above keys again.

Anyway, let's have a look and do the following...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Here is the combofix log:

ComboFix 10-03-23.04 - User_2 03/24/2010 17:11:12.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.196 [GMT 1:00]

Running from: c:\documents and settings\User_2\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\NPROTECT

.

((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))

.

2010-03-24 14:23 . 2010-03-24 14:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-03-24 14:23 . 2010-03-24 14:23 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-03-23 11:25 . 2010-03-23 11:25 439816 ----a-w- c:\documents and settings\User_2\Application Data\Real\Update\setup3.10\setup.exe

2010-03-22 10:46 . 2010-03-22 10:46 -------- d-----w- c:\documents and settings\User_2\Application Data\Office Genuine Advantage

2010-03-10 16:36 . 2010-03-10 16:36 -------- d-sh--w- c:\documents and settings\User_2\IETldCache

2010-03-10 16:36 . 2010-03-10 16:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-03-10 15:07 . 2010-03-10 15:10 -------- dc-h--w- c:\windows\ie8

2010-02-22 18:04 . 2010-02-22 18:04 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-22 23:05 . 2007-09-24 20:33 45755 ----a-w- C:\report.zip

2010-03-22 16:47 . 2009-08-18 18:17 -------- d-----w- c:\documents and settings\User_2\Application Data\vlc

2010-02-22 18:06 . 2010-02-18 08:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-22 16:13 . 2010-02-22 16:12 -------- d-----w- c:\program files\eQUEST 3-63

2010-02-19 14:37 . 2008-04-11 20:04 -------- d-----w- c:\program files\Microsoft Silverlight

2010-02-18 08:55 . 2010-02-18 08:55 -------- d-----w- c:\documents and settings\User_2\Application Data\Malwarebytes

2010-02-18 08:54 . 2010-02-18 08:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-17 22:03 . 2008-03-20 16:47 -------- d-----w- c:\documents and settings\User_2\Application Data\Skype

2010-02-17 16:34 . 2008-03-20 16:48 -------- d-----w- c:\documents and settings\User_2\Application Data\skypePM

2010-02-09 22:01 . 2009-05-31 18:40 -------- d-----w- c:\documents and settings\User_2\Application Data\gtk-2.0

2010-02-05 09:39 . 2010-02-05 09:39 251376 ----a-w- c:\documents and settings\User_2\Application Data\Mozilla\plugins\npgoogletalk.dll

2010-02-01 10:52 . 2010-02-06 17:45 15424 ----a-w- c:\documents and settings\All Users\Application Data\Lenovo\MessageCenterPlus\LocalRepository\Messages\MCPToLTT2\LTTCheck.exe

2010-02-01 09:59 . 2007-09-17 21:12 -------- d-----w- c:\program files\Google

2010-01-10 15:06 . 2010-01-10 15:06 32660 ---ha-w- c:\windows\system32\mlfcache.dat

2010-01-07 15:07 . 2010-02-18 08:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 15:07 . 2010-02-18 08:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:50 . 1980-01-01 07:00 353792 ------w- c:\windows\system32\drivers\srv.sys

2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2007-07-20 17:47 . 2007-07-20 17:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-22 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]

"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-01-17 64000]

"TP4EX"="tp4ex.exe" [2005-10-17 65536]

"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-01-10 106551]

"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-11-17 344064]

"vdrdpup"="c:\windows\system32\vdrdpup.dll" [2005-02-17 94208]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-06 185896]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msulgj32.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^User_2^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]

path=c:\documents and settings\User_2\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk

backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]

2003-01-17 08:32 20480 ------w- c:\program files\ThinkPad\Utilities\BMMLREF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]

2007-04-27 09:33 243248 ------w- c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2008-11-22 04:01 133104 ----atw- c:\documents and settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]

2006-10-02 17:19 94208 ----a-w- c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPMN]

2003-02-17 07:30 32835 ------w- c:\program files\ThinkPad\Utilities\TpKmapMn.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Support.com\\Bin\\tgcmd.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Documents and Settings\\User_2\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"c:\\Documents and Settings\\User_2\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\User_2\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/30/2009 9:33 PM 64160]

R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [2/17/2003 7:26 PM 62279]

R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [4/16/2009 6:27 PM 181120]

R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [4/16/2009 6:27 PM 51072]

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [8/13/2007 7:57 AM 15360]

R3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [1/10/2003 12:56 AM 4538]

S2 gupdate1c9c160c7c0bca0;Google Update Service (gupdate1c9c160c7c0bca0);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 3:36 AM 133104]

S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [1/10/2003 1:05 AM 5493]

S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [2/17/2003 7:32 PM 19670]

S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [2/7/2003 6:57 AM 109708]

S3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [1/10/2003 12:59 AM 8333]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 3:49 PM 1028432]

S3 SEM43XX;Sony Ericsson 802.11 Wireless LAN Adapter Driver SEM43XX;c:\windows\system32\drivers\semwl5.SYS [1/3/2005 5:49 AM 368896]

S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [1/3/2005 5:32 AM 114944]

S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [1/3/2005 5:32 AM 53248]

S3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;c:\windows\system32\drivers\GCXXSC.sys [12/21/2004 6:33 PM 21888]

.

Contents of the 'Scheduled Tasks' folder

2010-03-23 c:\windows\Tasks\BMMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2007-08-13 08:32]

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 02:36]

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 02:36]

2010-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3193395728-2679048581-2876867887-1005Core.job

- c:\documents and settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-22 04:01]

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3193395728-2679048581-2876867887-1005UA.job

- c:\documents and settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-22 04:01]

2010-03-24 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

2010-03-24 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-08-13 16:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uInternet Connection Wizard,ShellNext = iexplore

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: bcbsaconnect.com

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\User_2\Application Data\Mozilla\Firefox\Profiles\wlhqqj73.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.blackle.com/

FF - component: c:\documents and settings\User_2\Application Data\Mozilla\Firefox\Profiles\wlhqqj73.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - plugin: c:\documents and settings\User_2\Application Data\Mozilla\Firefox\Profiles\wlhqqj73.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll

FF - plugin: c:\documents and settings\User_2\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\User_2\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\documents and settings\User_2\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

BHO-{6c3a1de1-94ca-4ad6-acdf-c1324adc487b} - (no file)

HKLM-Run-UC_SMB - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-24 17:21

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\tphklock.dll

- - - - - - - > 'explorer.exe'(500)

c:\windows\system32\SynTPFcs.dll

c:\windows\system32\ieframe.dll

c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-03-24 17:26:20

ComboFix-quarantined-files.txt 2010-03-24 16:26

Pre-Run: 1,261,944,832 bytes free

Post-Run: 1,529,810,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 440E31E050FB5A487EF1B76276BCF44E

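Added example, not ComboFix's code and not from the poster: a Python check over the "Reg Loading Points" section of a ComboFix log like the one above. It pulls the values ComboFix prints for the Winlogon key, splits the comma-separated Userinit list and reports any entry other than the real userinit.exe. In the log above that is c:\windows\system32\msulgj32.exe; Userinit entries are launched at every interactive logon, which is exactly what a detection that "comes back after every reboot" looks like. Going beyond what this log shows, it also compares Shell against its default of Explorer.exe, and it emits the Registry:: directive, in the .reg-style syntax a CFScript uses (backslashes doubled), that puts Userinit back to its default. The XP defaults for Userinit and Shell are assumptions about the OS, not something this log records; the sample input is an excerpt of the log above.

```python
"""Check the Winlogon loading points recorded in a ComboFix log for extra
loaders.  Added example, not ComboFix's or the poster's code."""
import re

# Windows XP defaults (assumed here, not taken from the log): Userinit is the
# full path of userinit.exe followed by a comma, Shell is Explorer.exe.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
EXPECTED_SHELL = "explorer.exe"

# ComboFix prints each registry key as a [bracketed] header, then its values.
WINLOGON_KEY = r"[hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon]"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"')


def winlogon_values(log_text):
    """Return {value_name_lowercased: data} for the Winlogon key as ComboFix
    prints it.  ComboFix only lists values that differ from their defaults."""
    values = {}
    in_key = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):          # any key header starts a new block
            in_key = line.lower() == WINLOGON_KEY
            continue
        if in_key:
            m = VALUE_RE.match(line)
            if m:
                values[m.group("name").lower()] = m.group("data")
    return values


def split_entries(data):
    """Userinit and Shell hold comma-separated program lists; drop empty fields
    (the default Userinit value ends in a comma, so the last field is empty)."""
    return [e.strip() for e in data.split(",") if e.strip()]


def unexpected_loaders(values):
    """(value_name, entry) for every Userinit entry that is not the real
    userinit.exe and for a Shell that is not Explorer.exe.  Empty means clean.
    A value missing from the log is treated as default, matching ComboFix's
    filtering of default entries."""
    findings = []
    for entry in split_entries(values.get("userinit", EXPECTED_USERINIT + ",")):
        if entry.lower() != EXPECTED_USERINIT:
            findings.append(("Userinit", entry))
    for entry in split_entries(values.get("shell", EXPECTED_SHELL)):
        if entry.lower() != EXPECTED_SHELL:
            findings.append(("Shell", entry))
    return findings


def registry_fix_block():
    """The Registry:: directive of a ComboFix CFScript that sets Userinit back
    to its default.  CFScript uses .reg syntax, so backslashes are doubled."""
    data = (EXPECTED_USERINIT + ",").replace("\\", "\\\\")
    return ("Registry::\n"
            r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]" "\n"
            '"Userinit"="' + data + '"\n')


# Sample input: an excerpt of the Reg Loading Points section of the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msulgj32.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
"""

if __name__ == "__main__":
    values = winlogon_values(SAMPLE_LOG)
    for name, entry in unexpected_loaders(values):
        print(f"{name}: unexpected loader {entry}")
    print(registry_fix_block())
```

The check is deliberately strict: anything in Userinit besides the real userinit.exe is reported, because a legitimate second entry there is rare and a one-off file name in system32 is the classic shape of a logon-time loader. Resetting the value alone is not enough; the file it points at has to be collected and removed as well, or a companion can write the entry back.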

  • Staff

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

Collect::[8]

c:\windows\system32\msulgj32.exe

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\\windows\\system32\\userinit.exe,"

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again.

Then, please visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=8

Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)

Then click the "Send File" button below in order to upload it.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


OK, this is the log file from the second ComboFix run after dragging the CFScript:

ComboFix 10-03-23.04 - User_2 03/24/2010 18:50:40.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.205 [GMT 1:00]

Running from: c:\documents and settings\User_2\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User_2\Desktop\CFScript.txt

* Created a new restore point

file zipped: c:\windows\system32\msulgj32.exe

.

((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))

.

2010-03-24 14:23 . 2010-03-24 14:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-03-24 14:23 . 2010-03-24 14:23 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-03-23 11:25 . 2010-03-23 11:25 439816 ----a-w- c:\documents and settings\User_2\Application Data\Real\Update\setup3.10\setup.exe

2010-03-22 10:46 . 2010-03-22 10:46 -------- d-----w- c:\documents and settings\User_2\Application Data\Office Genuine Advantage

2010-03-10 16:36 . 2010-03-10 16:36 -------- d-sh--w- c:\documents and settings\User_2\IETldCache

2010-03-10 16:36 . 2010-03-10 16:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-03-10 15:07 . 2010-03-10 15:10 -------- dc-h--w- c:\windows\ie8

2010-02-22 18:04 . 2010-02-22 18:04 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-22 23:05 . 2007-09-24 20:33 45755 ----a-w- C:\report.zip

2010-03-22 16:47 . 2009-08-18 18:17 -------- d-----w- c:\documents and settings\User_2\Application Data\vlc

2010-02-22 18:06 . 2010-02-18 08:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-22 16:13 . 2010-02-22 16:12 -------- d-----w- c:\program files\eQUEST 3-63

2010-02-19 14:37 . 2008-04-11 20:04 -------- d-----w- c:\program files\Microsoft Silverlight

2010-02-18 08:55 . 2010-02-18 08:55 -------- d-----w- c:\documents and settings\User_2\Application Data\Malwarebytes

2010-02-18 08:54 . 2010-02-18 08:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-17 22:03 . 2008-03-20 16:47 -------- d-----w- c:\documents and settings\User_2\Application Data\Skype

2010-02-17 16:34 . 2008-03-20 16:48 -------- d-----w- c:\documents and settings\User_2\Application Data\skypePM

2010-02-09 22:01 . 2009-05-31 18:40 -------- d-----w- c:\documents and settings\User_2\Application Data\gtk-2.0

2010-02-05 09:39 . 2010-02-05 09:39 251376 ----a-w- c:\documents and settings\User_2\Application Data\Mozilla\plugins\npgoogletalk.dll

2010-02-01 10:52 . 2010-02-06 17:45 15424 ----a-w- c:\documents and settings\All Users\Application Data\Lenovo\MessageCenterPlus\LocalRepository\Messages\MCPToLTT2\LTTCheck.exe

2010-02-01 09:59 . 2007-09-17 21:12 -------- d-----w- c:\program files\Google

2010-01-10 15:06 . 2010-01-10 15:06 32660 ---ha-w- c:\windows\system32\mlfcache.dat

2010-01-07 15:07 . 2010-02-18 08:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 15:07 . 2010-02-18 08:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:50 . 1980-01-01 07:00 353792 ------w- c:\windows\system32\drivers\srv.sys

2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2007-07-20 17:47 . 2007-07-20 17:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-03-24_16.21.32 )))))))))))))))))))))))))))))))))))))))))

.

- 2002-09-27 00:22 . 2010-03-24 15:57 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2002-09-27 00:22 . 2010-03-24 17:37 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2002-09-27 00:22 . 2010-03-24 17:37 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2002-09-27 00:22 . 2010-03-24 15:57 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2002-09-27 00:22 . 2010-03-24 17:37 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2002-09-27 00:22 . 2010-03-24 15:57 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2010-03-10 16:36 . 2010-03-24 17:37 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat

- 2010-03-10 16:36 . 2010-03-24 15:57 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-22 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]

"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-01-17 64000]

"TP4EX"="tp4ex.exe" [2005-10-17 65536]

"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-01-10 106551]

"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-11-17 344064]

"vdrdpup"="c:\windows\system32\vdrdpup.dll" [2005-02-17 94208]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-06 185896]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msulgj32.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^User_2^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]

path=c:\documents and settings\User_2\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk

backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]

2003-01-17 08:32 20480 ------w- c:\program files\ThinkPad\Utilities\BMMLREF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]

2007-04-27 09:33 243248 ------w- c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2008-11-22 04:01 133104 ----atw- c:\documents and settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]

2006-10-02 17:19 94208 ----a-w- c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPMN]

2003-02-17 07:30 32835 ------w- c:\program files\ThinkPad\Utilities\TpKmapMn.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Support.com\\Bin\\tgcmd.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Documents and Settings\\User_2\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"c:\\Documents and Settings\\User_2\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\User_2\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/30/2009 9:33 PM 64160]

R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [2/17/2003 7:26 PM 62279]

R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [4/16/2009 6:27 PM 181120]

R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [4/16/2009 6:27 PM 51072]

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [8/13/2007 7:57 AM 15360]

R3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [1/10/2003 12:56 AM 4538]

S2 gupdate1c9c160c7c0bca0;Google Update Service (gupdate1c9c160c7c0bca0);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 3:36 AM 133104]

S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [1/10/2003 1:05 AM 5493]

S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [2/17/2003 7:32 PM 19670]

S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [2/7/2003 6:57 AM 109708]

S3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [1/10/2003 12:59 AM 8333]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 3:49 PM 1028432]

S3 SEM43XX;Sony Ericsson 802.11 Wireless LAN Adapter Driver SEM43XX;c:\windows\system32\drivers\semwl5.SYS [1/3/2005 5:49 AM 368896]

S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [1/3/2005 5:32 AM 114944]

S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [1/3/2005 5:32 AM 53248]

S3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;c:\windows\system32\drivers\GCXXSC.sys [12/21/2004 6:33 PM 21888]

.

Contents of the 'Scheduled Tasks' folder

2010-03-24 c:\windows\Tasks\BMMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2007-08-13 08:32]

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 02:36]

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 02:36]

2010-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3193395728-2679048581-2876867887-1005Core.job

- c:\documents and settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-22 04:01]

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3193395728-2679048581-2876867887-1005UA.job

- c:\documents and settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-22 04:01]

2010-03-24 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

2010-03-24 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-08-13 16:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uInternet Connection Wizard,ShellNext = iexplore

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: bcbsaconnect.com

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\User_2\Application Data\Mozilla\Firefox\Profiles\wlhqqj73.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.blackle.com/

FF - component: c:\documents and settings\User_2\Application Data\Mozilla\Firefox\Profiles\wlhqqj73.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - plugin: c:\documents and settings\User_2\Application Data\Mozilla\Firefox\Profiles\wlhqqj73.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll

FF - plugin: c:\documents and settings\User_2\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\User_2\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\documents and settings\User_2\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-24 19:01

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\tphklock.dll

- - - - - - - > 'explorer.exe'(4084)

c:\windows\system32\SynTPFcs.dll

c:\windows\system32\ieframe.dll

c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-03-24 19:06:16

ComboFix-quarantined-files.txt 2010-03-24 18:06

ComboFix2.txt 2010-03-24 16:26

Pre-Run: 1,527,021,568 bytes free

Post-Run: 1,482,878,976 bytes free

- - End Of File - - 4764985AB76AF1450F358E504F8575C8

Upload was successful


  • Staff

Hmmm,

The Collect:: command should have removed the file as well.

First of all, I didn't get a file uploaded as I requested before:

Then, please visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=8

Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)

Then click the "Send File" button below in order to upload it.

Instead, please send me the file via mail. Send it to miekeATmalwarebytes.org (replace AT with @)

In the subject of the mail, write "requested via forum"

Then we'll take care of the rest.

Let me know in this thread once you sent me the file, this is important.

Thanks.


  • Staff

Hi,

Thank you for the file. I'm still puzzled why Combofix didn't remove it since the collect command should also remove the file.

Anyway, let's give this another try and do the following:

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

c:\windows\system32\msulgj32.exe

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\\windows\\system32\\userinit.exe,"

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


OK, here is the second ComboFix log file:

ComboFix 10-03-23.04 - User_2 03/25/2010 19:49:38.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.288 [GMT 1:00]

Running from: c:\documents and settings\User_2\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User_2\Desktop\CFScript.txt

FILE ::

"c:\windows\system32\msulgj32.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\msulgj32.exe

.

((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))

.

2010-03-24 14:23 . 2010-03-24 14:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-03-24 14:23 . 2010-03-24 14:23 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-03-23 11:25 . 2010-03-23 11:25 439816 ----a-w- c:\documents and settings\User_2\Application Data\Real\Update\setup3.10\setup.exe

2010-03-22 10:46 . 2010-03-22 10:46 -------- d-----w- c:\documents and settings\User_2\Application Data\Office Genuine Advantage

2010-03-10 16:36 . 2010-03-10 16:36 -------- d-sh--w- c:\documents and settings\User_2\IETldCache

2010-03-10 16:36 . 2010-03-10 16:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-03-10 15:07 . 2010-03-10 15:10 -------- dc-h--w- c:\windows\ie8

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-25 16:54 . 2009-08-18 18:17 -------- d-----w- c:\documents and settings\User_2\Application Data\vlc

2010-03-25 10:35 . 2007-09-24 20:33 44370 ----a-w- C:\report.zip

2010-02-22 18:06 . 2010-02-18 08:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-22 18:04 . 2010-02-22 18:04 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-02-22 16:13 . 2010-02-22 16:12 -------- d-----w- c:\program files\eQUEST 3-63

2010-02-19 14:37 . 2008-04-11 20:04 -------- d-----w- c:\program files\Microsoft Silverlight

2010-02-18 08:55 . 2010-02-18 08:55 -------- d-----w- c:\documents and settings\User_2\Application Data\Malwarebytes

2010-02-18 08:54 . 2010-02-18 08:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-17 22:03 . 2008-03-20 16:47 -------- d-----w- c:\documents and settings\User_2\Application Data\Skype

2010-02-17 16:34 . 2008-03-20 16:48 -------- d-----w- c:\documents and settings\User_2\Application Data\skypePM

2010-02-09 22:01 . 2009-05-31 18:40 -------- d-----w- c:\documents and settings\User_2\Application Data\gtk-2.0

2010-02-05 09:39 . 2010-02-05 09:39 251376 ----a-w- c:\documents and settings\User_2\Application Data\Mozilla\plugins\npgoogletalk.dll

2010-02-01 10:52 . 2010-02-06 17:45 15424 ----a-w- c:\documents and settings\All Users\Application Data\Lenovo\MessageCenterPlus\LocalRepository\Messages\MCPToLTT2\LTTCheck.exe

2010-02-01 09:59 . 2007-09-17 21:12 -------- d-----w- c:\program files\Google

2010-01-10 15:06 . 2010-01-10 15:06 32660 ---ha-w- c:\windows\system32\mlfcache.dat

2010-01-07 15:07 . 2010-02-18 08:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 15:07 . 2010-02-18 08:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:50 . 1980-01-01 07:00 353792 ------w- c:\windows\system32\drivers\srv.sys

2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2007-07-20 17:47 . 2007-07-20 17:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-03-24_16.21.32 )))))))))))))))))))))))))))))))))))))))))

.

+ 2002-09-27 00:22 . 2010-03-24 17:37 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2002-09-27 00:22 . 2010-03-24 15:57 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2002-09-27 00:22 . 2010-03-24 17:37 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2002-09-27 00:22 . 2010-03-24 15:57 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2010-03-10 16:36 . 2010-03-24 17:37 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat

- 2010-03-10 16:36 . 2010-03-24 15:57 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-22 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]

"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-01-17 64000]

"TP4EX"="tp4ex.exe" [2005-10-17 65536]

"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-01-10 106551]

"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-11-17 344064]

"vdrdpup"="c:\windows\system32\vdrdpup.dll" [2005-02-17 94208]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-06 185896]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^User_2^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]

path=c:\documents and settings\User_2\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk

backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]

2003-01-17 08:32 20480 ------w- c:\program files\ThinkPad\Utilities\BMMLREF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]

2007-04-27 09:33 243248 ------w- c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2008-11-22 04:01 133104 ----atw- c:\documents and settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]

2006-10-02 17:19 94208 ----a-w- c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPMN]

2003-02-17 07:30 32835 ------w- c:\program files\ThinkPad\Utilities\TpKmapMn.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Support.com\\Bin\\tgcmd.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Documents and Settings\\User_2\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"c:\\Documents and Settings\\User_2\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\User_2\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/30/2009 9:33 PM 64160]

R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [2/17/2003 7:26 PM 62279]

R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [4/16/2009 6:27 PM 181120]

R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [4/16/2009 6:27 PM 51072]

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [8/13/2007 7:57 AM 15360]

R3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [1/10/2003 12:56 AM 4538]

S2 gupdate1c9c160c7c0bca0;Google Update Service (gupdate1c9c160c7c0bca0);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 3:36 AM 133104]

S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [1/10/2003 1:05 AM 5493]

S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [2/17/2003 7:32 PM 19670]

S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [2/7/2003 6:57 AM 109708]

S3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [1/10/2003 12:59 AM 8333]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 3:49 PM 1028432]

S3 SEM43XX;Sony Ericsson 802.11 Wireless LAN Adapter Driver SEM43XX;c:\windows\system32\drivers\semwl5.SYS [1/3/2005 5:49 AM 368896]

S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [1/3/2005 5:32 AM 114944]

S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [1/3/2005 5:32 AM 53248]

S3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;c:\windows\system32\drivers\GCXXSC.sys [12/21/2004 6:33 PM 21888]

.

Contents of the 'Scheduled Tasks' folder

2010-03-25 c:\windows\Tasks\BMMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2007-08-13 08:32]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 02:36]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 02:36]

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3193395728-2679048581-2876867887-1005Core.job

- c:\documents and settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-22 04:01]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3193395728-2679048581-2876867887-1005UA.job

- c:\documents and settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-22 04:01]

2010-03-25 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

2010-03-25 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-08-13 16:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uInternet Connection Wizard,ShellNext = iexplore

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: bcbsaconnect.com

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\User_2\Application Data\Mozilla\Firefox\Profiles\wlhqqj73.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.blackle.com/

FF - component: c:\documents and settings\User_2\Application Data\Mozilla\Firefox\Profiles\wlhqqj73.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - plugin: c:\documents and settings\User_2\Application Data\Mozilla\Firefox\Profiles\wlhqqj73.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll

FF - plugin: c:\documents and settings\User_2\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\User_2\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: c:\documents and settings\User_2\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-25 19:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\tphklock.dll

c:\windows\system32\notifyf2.dll

.

Completion time: 2010-03-25 19:58:15

ComboFix-quarantined-files.txt 2010-03-25 18:58

ComboFix2.txt 2010-03-24 18:10

ComboFix3.txt 2010-03-24 16:26

Pre-Run: 1,520,259,072 bytes free

Post-Run: 1,476,337,664 bytes free

- - End Of File - - FA0086661677CE8F48E0764191CDA9AE


Cool. Here is the scan log:

Malwarebytes' Anti-Malware 1.44

Database version: 3914

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/25/2010 10:39:58 PM

mbam-log-2010-03-25 (22-39-58).txt

Scan type: Quick Scan

Objects scanned: 130045

Time elapsed: 7 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 6

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

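The two MBAM logs in this thread show the same Explorer GUID keys being "quarantined and deleted" on 23 March and back again on 25 March, each listed twice (once under HKEY_USERS\.DEFAULT and once under HKEY_USERS\S-1-5-18, which are the LocalSystem profile under two names). The script below is an added example, not code from the thread, from Malwarebytes or from ComboFix: it parses MBAM 1.4x logs, folds the .DEFAULT/S-1-5-18 pairs into one detection, lists what recurs between two scans and what is new, and separately checks a Winlogon Userinit value in the REGEDIT4 form the staff's CFScript uses, since that script resets Userinit to the stock userinit.exe. The log excerpts are constructed from the detection lines quoted in this thread; the stock Userinit path assumes Windows is installed in C:\Windows, and the extra Userinit entry used in the test is a made-up placeholder, not a file from this machine.

```python
"""Added example (not from the thread, Malwarebytes or ComboFix): parse MBAM 1.4x
logs, flag detections that recur between scans, and check a Winlogon Userinit value."""
import re
from typing import Dict, List, Set, Tuple

Detection = Tuple[str, str]  # (registry or file path, detection name)

# "Registry Keys Infected:" opens a section; the summary block above it reads
# "Registry Keys Infected: <n>", which this pattern deliberately does not match.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*$")
# One detection line: "<path> (<name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> .*$")

# Constructed excerpts of the two scans posted in this thread (23 and 25 March 2010).
SCAN_A = r"""Registry Keys Infected: 4
Registry Values Infected: 1

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
"""
SCAN_B = r"""Registry Keys Infected: 6

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)
"""


def parse_mbam_log(text: str) -> Dict[str, List[Detection]]:
    """Return {section name: [(path, detection name), ...]} for every section."""
    sections: Dict[str, List[Detection]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or not line or line.startswith("(No malicious"):
            continue
        item = ITEM_RE.match(line)
        if item:
            sections[current].append((item.group("path"), item.group("name")))
    return sections


def normalise_hive(path: str) -> str:
    """HKEY_USERS\\.DEFAULT is the LocalSystem profile, which also appears under its
    SID as HKEY_USERS\\S-1-5-18, so MBAM lists each key there twice. Fold the
    .DEFAULT spelling onto the SID form so one pair counts as one detection."""
    return re.sub(r"^HKEY_USERS\\\.DEFAULT\\", r"HKEY_USERS\\S-1-5-18\\", path, flags=re.IGNORECASE)


def detected_paths(log: str) -> Set[str]:
    return {normalise_hive(p) for items in parse_mbam_log(log).values() for p, _ in items}


def recurring_detections(earlier: str, later: str) -> List[str]:
    """Paths 'quarantined and deleted' in the earlier scan and back in the later one."""
    return sorted(detected_paths(earlier) & detected_paths(later))


def new_detections(earlier: str, later: str) -> List[str]:
    return sorted(detected_paths(later) - detected_paths(earlier))


def system_context_detections(log: str) -> List[str]:
    """Detections in the LocalSystem hive: whatever recreates them runs as SYSTEM
    (a service, driver or Winlogon-time component), not in the user's session."""
    return sorted(p for p in detected_paths(log) if p.upper().startswith("HKEY_USERS\\S-1-5-18\\"))


STOCK_USERINIT = r"c:\windows\system32\userinit.exe"  # assumes Windows in C:\Windows


def userinit_extra_entries(regedit_line: str, expected: str = STOCK_USERINIT) -> List[str]:
    """Parse a REGEDIT4 line such as  "Userinit"="c:\\\\windows\\\\system32\\\\userinit.exe,"
    (backslashes doubled, as in the CFScript above) and return every comma-separated
    entry other than the stock userinit.exe. Winlogon launches each entry at logon,
    so an extra one is a persistence point; an empty list means the value is clean."""
    m = re.match(r'^"Userinit"="(?P<val>.*)"$', regedit_line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not a REGEDIT4 Userinit line")
    value = m.group("val").replace("\\\\", "\\")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != expected.lower()]
```

Run `recurring_detections(SCAN_A, SCAN_B)` against the two posted logs and the two original GUID keys come back as recurring, with the third GUID as new; `system_context_detections` shows that all of them live in the SYSTEM hive, which is the practical point: a key that is deleted from the user's session and recreated under S-1-5-18 is being written by something running as SYSTEM, so deleting the key alone does not remove the cause. The `userinit_extra_entries` check belongs in the same pass, because a Userinit value that lists anything beyond userinit.exe is re-launched by Winlogon at every logon regardless of what the scanner removed.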

  • Staff

Hi,

I assume a next scan comes up clean now?

Also, go to Start > Run and copy and paste the next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.


  • Staff

Good to hear :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


This topic is now closed to further replies.