Jump to content

I can't run Malwarebytes


Recommended Posts

I was able to install Malwarebytes and run it, but it would never finish scanning my compute. It randomly closed. And now it wont even run. I tried deleting so I could re-install it but it wont let me. What should I do?

Here is my DDS if it helps:

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK

Run by Administrator at 15:52:37.67 on 23/05/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.638.494 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

E:\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

IE: E&xportar a Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: google.com\www

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

Notify: abfccdaabacbaebae - c:\windows\system32\abfccdaabacbaebae.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: dbdaebfaabd - c:\windows\system32\dbdaebfaabd.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 abee;abee;c:\windows\system32\abee.sys [2010-2-24 74752]

S0 9dd87ff1c0a00cd33ae794ef189c9bd5;9dd87ff1c0a00cd33ae794ef189c9bd5;c:\windows\system32\9dd87ff1c0a00cd33ae794ef189c9bd5.sys [2009-11-25 39936]

S2 cceedecbdba;a0ae1af08bb7d89f925e787e628942d9;c:\windows\cceedecbdba.exe /s --> c:\windows\cceedecbdba.exe [?]

S2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-5-22 38224]

S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2010-05-23 19:40:17 161808 ----a-w- c:\windows\system32\58243ceb0184d508b2328945ba6b0f72.exe

2010-05-23 19:40:17 161744 ----a-w- c:\windows\system32\ea36be3b4f3b46f422268d6a454ab996.exe

2010-05-23 18:56:16 161808 ----a-w- c:\windows\system32\7564a094846de6fe45f0768be42da50e.exe

2010-05-23 18:56:16 161744 ----a-w- c:\windows\system32\1c074fc28b7667728df9e75c90df6563.exe

2010-05-23 01:03:45 161808 ----a-w- c:\windows\system32\cdac5f7957a277a41918fdd6c4f4438b.exe

2010-05-23 01:03:45 161744 ----a-w- c:\windows\system32\be4be0bbd46d12153649e812b2964087.exe

2010-05-23 00:57:29 161808 ----a-w- c:\windows\system32\9a672b226b99be88d3bc7cda6da7b2f1.exe

2010-05-23 00:57:29 161744 ----a-w- c:\windows\system32\f4bc36c833e0c544203358cb56a52c40.exe

2010-05-22 23:45:33 161744 ----a-w- c:\windows\system32\e7786f1d2127a6fdc826138885bbe947.exe

2010-05-22 23:45:32 161808 ----a-w- c:\windows\system32\79495ec1930d692a6cbe98be3894cf93.exe

2010-05-22 23:31:36 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2010-05-22 23:31:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-22 23:31:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-05-22 23:31:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-22 23:27:06 0 d-----w- c:\windows\pss

2010-05-22 22:50:25 161744 ----a-w- c:\windows\system32\76fb8d4847103823f01429e172149467.exe

2010-05-22 22:50:24 161808 ----a-w- c:\windows\system32\4c15822b8f9602a056771e943746b62f.exe

2010-05-22 21:54:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-22 00:29:21 25 ----a-w- c:\windows\herjek.config

2010-05-19 14:55:23 161744 ----a-w- c:\windows\system32\44243da1fa630b169a3c532cc313352d.exe

2010-05-19 14:55:22 161808 ----a-w- c:\windows\system32\d6400322cf2cc1255822b542edf9cb4d.exe

2010-05-15 15:31:31 0 d-----w- c:\program files\iPod

2010-05-15 15:31:13 0 d-----w- c:\program files\iTunes

2010-05-15 15:26:48 0 d-----w- c:\program files\Bonjour

2010-05-01 18:40:26 161808 ----a-w- c:\windows\system32\50347c3b96d63f7e91b3931f39a2cfb4.exe

2010-05-01 18:40:26 161744 ----a-w- c:\windows\system32\1f5369b1835d69cb60276eed846cc3ab.exe

2010-04-26 22:04:42 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl

==================== Find3M ====================

2010-04-18 18:26:49 165392 ----a-w- c:\windows\system32\8b73afdb2670a80242e2704b253d9b43.exe

2010-04-14 14:39:47 165392 ----a-w- c:\windows\system32\9aa868fa4c3bde6cbe07ea1dd74f9064.exe

2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-04 13:23:52 56136 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-01 11:53:09 165392 ----a-w- c:\windows\system32\4d239df07d2150b42ab341bf009eb57d.exe

2010-03-31 01:58:04 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys

2010-03-31 01:58:04 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2010-03-31 01:58:04 44944 ------w- c:\windows\system32\drivers\PxHelp20.sys

2010-03-31 01:58:04 133616 ------w- c:\windows\system32\pxafs.dll

2010-03-31 01:58:04 125424 ------w- c:\windows\system32\pxinsi64.exe

2010-03-31 01:58:04 123888 ------w- c:\windows\system32\pxcpyi64.exe

2010-03-29 20:44:36 165392 ----a-w- c:\windows\system32\04c377564875df4391f7804c8d25abe2.exe

2010-03-18 01:48:56 165392 ----a-w- c:\windows\system32\523c6f8ae049f0b8acd521b254b829ad.exe

2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll

2010-03-03 12:47:58 207888 ----a-w- c:\windows\system32\ef6742b929d2cec91376e1a4483cb2e4.exe

2010-03-03 12:47:57 282640 ----a-w- c:\windows\system32\18951487bcec6f277b19e7f8b2e3c155.exe

2010-03-03 12:47:57 124448 ----a-w- c:\windows\system32\7a171785566ada3f279e3e29d8ecdaed.exe

2010-02-24 14:15:48 74752 ------w- c:\windows\system32\abee.sys

============= FINISH: 15:53:39.50 ===============

Link to post
Share on other sites

Hello Jeny! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware, while work on.

Please follow these instructions:

http://forums.malwarebytes.org/index.php?showtopic=9573

Post all the logs that you can.

Link to post
Share on other sites

DDS (Ver_10-03-17.01) - NTFSx86

Run by Administrator at 22:30:30.37 on 24/05/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.638.415 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

E:\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

IE: E&xportar a Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: google.com\www

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

Notify: abfccdaabacbaebae - c:\windows\system32\abfccdaabacbaebae.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: dbdaebfaabd - c:\windows\system32\dbdaebfaabd.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 abee;abee;c:\windows\system32\abee.sys [2010-2-24 74752]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]

S0 9dd87ff1c0a00cd33ae794ef189c9bd5;9dd87ff1c0a00cd33ae794ef189c9bd5;c:\windows\system32\9dd87ff1c0a00cd33ae794ef189c9bd5.sys [2009-11-25 39936]

S2 cceedecbdba;a0ae1af08bb7d89f925e787e628942d9;c:\windows\cceedecbdba.exe /s --> c:\windows\cceedecbdba.exe [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-5-22 38224]

S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2010-05-25 02:28:21 0 ----a-w- c:\documents and settings\administrator\defogger_reenable

2010-05-23 20:00:55 161808 ----a-w- c:\windows\system32\c5a521e4ebe23921a7f027e62f556b1f.exe

2010-05-23 20:00:55 161744 ----a-w- c:\windows\system32\c228d2bd2685649fa1299731d27197de.exe

2010-05-23 19:40:17 161808 ----a-w- c:\windows\system32\58243ceb0184d508b2328945ba6b0f72.exe

2010-05-23 19:40:17 161744 ----a-w- c:\windows\system32\ea36be3b4f3b46f422268d6a454ab996.exe

2010-05-23 18:56:16 161808 ----a-w- c:\windows\system32\7564a094846de6fe45f0768be42da50e.exe

2010-05-23 18:56:16 161744 ----a-w- c:\windows\system32\1c074fc28b7667728df9e75c90df6563.exe

2010-05-23 01:03:45 161808 ----a-w- c:\windows\system32\cdac5f7957a277a41918fdd6c4f4438b.exe

2010-05-23 01:03:45 161744 ----a-w- c:\windows\system32\be4be0bbd46d12153649e812b2964087.exe

2010-05-23 00:57:29 161808 ----a-w- c:\windows\system32\9a672b226b99be88d3bc7cda6da7b2f1.exe

2010-05-23 00:57:29 161744 ----a-w- c:\windows\system32\f4bc36c833e0c544203358cb56a52c40.exe

2010-05-22 23:45:33 161744 ----a-w- c:\windows\system32\e7786f1d2127a6fdc826138885bbe947.exe

2010-05-22 23:45:32 161808 ----a-w- c:\windows\system32\79495ec1930d692a6cbe98be3894cf93.exe

2010-05-22 23:31:36 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2010-05-22 23:31:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-22 23:31:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-05-22 23:31:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-22 23:27:06 0 d-----w- c:\windows\pss

2010-05-22 22:50:25 161744 ----a-w- c:\windows\system32\76fb8d4847103823f01429e172149467.exe

2010-05-22 22:50:24 161808 ----a-w- c:\windows\system32\4c15822b8f9602a056771e943746b62f.exe

2010-05-22 21:54:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-22 00:29:21 25 ----a-w- c:\windows\herjek.config

2010-05-19 14:55:23 161744 ----a-w- c:\windows\system32\44243da1fa630b169a3c532cc313352d.exe

2010-05-19 14:55:22 161808 ----a-w- c:\windows\system32\d6400322cf2cc1255822b542edf9cb4d.exe

2010-05-15 15:31:31 0 d-----w- c:\program files\iPod

2010-05-15 15:31:13 0 d-----w- c:\program files\iTunes

2010-05-15 15:26:48 0 d-----w- c:\program files\Bonjour

2010-05-01 18:40:26 161808 ----a-w- c:\windows\system32\50347c3b96d63f7e91b3931f39a2cfb4.exe

2010-05-01 18:40:26 161744 ----a-w- c:\windows\system32\1f5369b1835d69cb60276eed846cc3ab.exe

2010-04-26 22:04:42 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl

==================== Find3M ====================

2010-04-18 18:26:49 165392 ----a-w- c:\windows\system32\8b73afdb2670a80242e2704b253d9b43.exe

2010-04-14 14:39:47 165392 ----a-w- c:\windows\system32\9aa868fa4c3bde6cbe07ea1dd74f9064.exe

2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-04 13:23:52 56136 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-01 11:53:09 165392 ----a-w- c:\windows\system32\4d239df07d2150b42ab341bf009eb57d.exe

2010-03-31 01:58:04 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys

2010-03-31 01:58:04 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2010-03-31 01:58:04 44944 ------w- c:\windows\system32\drivers\PxHelp20.sys

2010-03-31 01:58:04 133616 ------w- c:\windows\system32\pxafs.dll

2010-03-31 01:58:04 125424 ------w- c:\windows\system32\pxinsi64.exe

2010-03-31 01:58:04 123888 ------w- c:\windows\system32\pxcpyi64.exe

2010-03-29 20:44:36 165392 ----a-w- c:\windows\system32\04c377564875df4391f7804c8d25abe2.exe

2010-03-18 01:48:56 165392 ----a-w- c:\windows\system32\523c6f8ae049f0b8acd521b254b829ad.exe

2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll

2010-03-03 12:47:58 207888 ----a-w- c:\windows\system32\ef6742b929d2cec91376e1a4483cb2e4.exe

2010-03-03 12:47:57 282640 ----a-w- c:\windows\system32\18951487bcec6f277b19e7f8b2e3c155.exe

2010-03-03 12:47:57 124448 ----a-w- c:\windows\system32\7a171785566ada3f279e3e29d8ecdaed.exe

2010-02-24 14:15:48 74752 ------w- c:\windows\system32\abee.sys

============= FINISH: 22:31:36.81 ===============

Attach.zip

ark.zip

Link to post
Share on other sites

Step 1

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 2

Click here to download HJTInstall.exe

  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

In your next reply, please include these log(s) in this sequence:

  1. JavaRa log
  2. HiJackThis log

Link to post
Share on other sites

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Wed May 26 23:28:02 2010

Found and removed: C:\Documents and Settings\Administrator\Application Data\Sun\Java\jre1.6.0_16

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

------------------------------------

Finished reporting.

I was not able to run Hijackthis...It wouldnt let me... I deleted the java files.

Link to post
Share on other sites

Step 1

Go into C:\Program Files\Malwarebytes' Anti-Malware and you will see a file called mbam.exe Right click on it and drop down to Rename change the name to firefox.com From mbam.exe to firefox.com . Please, restart your computer.

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Link to post
Share on other sites

Important!

All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.

I need you to follow the instructions provided here
first.

I also need for you to download this program
to your desktop.


  • Close all applications and windows so that you have nothing open and are at your Desktop

  • Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.

  • Place a checkmark in the
    Scan All Users
    checkbox (Leave the 'Use Whitelist' checked' and the 'File Age:' at 30 days)

  • Click the Run Scan button

  • NOTE:
    Please be patient and let the scan run without using the computer

  • When the scan is complete, a text file (
    OTListIt.Txt
    ) will open in Notepad (if not, it can be found on your Desktop)

  • In Notepad, click
    Edit
    ,
    Select all
    then
    Edit
    ,
    Copy

  • Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log or Righ click paste.

  • Submit your reply and close the Notepad window with
    OTList.txt

  • Also OTListIt's
    Extras.txt
    log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the window

  • In Notepad, click
    Edit
    ,
    Select all
    then
    Edit
    ,
    Copy

  • Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log or Right click paste.

  • NOTE:
    If the files (
    OTListIt.txt, Extras.txt
    ) do not appear in your taskbar, just open the files in notepad from your desktop.


Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.

Link to post
Share on other sites

I wasnt able to the Pre- HJT Post Instructions because the computer wouldnt let me run neither of the programs

Here are the logs Extras and OTL

OTL Extras logfile created on: 03/06/2010 06:46:07 p.m. - Run 1

OTL by OldTimer - Version 3.2.5.3 Folder = E:\

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 0000100A | Country: Guatemala | Language: ESG | Date Format: dd/MM/yyyy

638.00 Mb Total Physical Memory | 399.00 Mb Available Physical Memory | 63.00% Memory free

938.00 Mb Paging File | 770.00 Mb Available in Paging File | 82.00% Paging File free

Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 37.25 Gb Total Space | 12.43 Gb Free Space | 33.37% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 122.10 Mb Total Space | 10.62 Mb Free Space | 8.70% Space Free | Partition Type: FAT

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: JONATHAN-FF6718

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: SafeMode with Networking

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-606747145-2052111302-1177238915-500\SOFTWARE\Classes\<extension>]

.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)

"C:\Program Files\Multi File Downloader\MultiFileDownloader.exe" = C:\Program Files\Multi File Downloader\MultiFileDownloader.exe:*:Disabled:Multi File Downloader -- File not found

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"c:\documents and settings\administrator\local settings\application data\asam.exe" = c:\documents and settings\administrator\local settings\application data\asam.exe:*:Enabled:enable -- ()

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel

"{15F4085A-BC98-4590-AFFD-03BBBE49524E}" = Garmin Communicator Plugin

"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java 6 Update 16

"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support

"{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}" = iTunes

"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053

"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}" = EPSON Web-To-Page

"{8A253629-0511-4854-8B4E-46E57E66005C}" = Bonjour

"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules

"{90120000-0010-0C0A-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (Spanish) 12

"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007

"{90120000-0015-0C0A-0000-0000000FF1CE}" = Microsoft Office Access MUI (Spanish) 2007

"{90120000-0016-0C0A-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Spanish) 2007

"{90120000-0018-0C0A-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Spanish) 2007

"{90120000-0019-0C0A-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Spanish) 2007

"{90120000-001A-0C0A-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Spanish) 2007

"{90120000-001B-0C0A-0000-0000000FF1CE}" = Microsoft Office Word MUI (Spanish) 2007

"{90120000-001F-0403-0000-0000000FF1CE}" = Microsoft Office Proof (Catalan) 2007

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-0416-0000-0000000FF1CE}" = Microsoft Office Proof (Portuguese (Brazil)) 2007

"{90120000-001F-042D-0000-0000000FF1CE}" = Microsoft Office Proof (Basque) 2007

"{90120000-001F-0456-0000-0000000FF1CE}" = Microsoft Office Proof (Galician) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-002C-0C0A-0000-0000000FF1CE}" = Microsoft Office Proofing (Spanish) 2007

"{90120000-0044-0C0A-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Spanish) 2007

"{90120000-006E-0C0A-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Spanish) 2007

"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9DE1BE03-AFE2-4CDB-BFEB-D06D736CD01A}" = Apple Mobile Device Support

"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2

"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9

"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers

"{D16A31F9-276D-4968-A753-FFEAC56995D0}" = Epson Print CD

"{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater

"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"All ATI Software" = ATI - Software Uninstall Utility

"ATI Display Driver" = ATI Display Driver

"Auction Client" = Auction Client

"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter

"CNXT_AUDIO" = Conexant AC-Link Audio

"DivX Setup.divx.com" = DivX Setup

"EPSON Printer and Utilities" = EPSON Printer Software

"ie8" = Windows Internet Explorer 8

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"PROPLUS" = Microsoft Office Professional Plus 2007

"SAMTRON V1JUNIO 2009" = SAMTRON V1

"TomTom HOME" = TomTom HOME 2.7.3.1894

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"WinRAR archiver" = Compresor WinRAR

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-606747145-2052111302-1177238915-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Google Chrome" = Google Chrome

"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 30/05/2010 01:52:59 a.m. | Computer Name = JONATHAN-FF6718 | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: m->NextScheduledEvent 3313

Error - 30/05/2010 01:52:59 a.m. | Computer Name = JONATHAN-FF6718 | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: m->NextScheduledSPRetry 3313

Error - 02/06/2010 10:34:13 p.m. | Computer Name = JONATHAN-FF6718 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 02/06/2010 10:34:14 p.m. | Computer Name = JONATHAN-FF6718 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error - 03/06/2010 02:34:20 a.m. | Computer Name = JONATHAN-FF6718 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 03/06/2010 06:34:34 a.m. | Computer Name = JONATHAN-FF6718 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 03/06/2010 06:34:34 a.m. | Computer Name = JONATHAN-FF6718 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error - 03/06/2010 10:34:40 a.m. | Computer Name = JONATHAN-FF6718 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 03/06/2010 02:34:44 p.m. | Computer Name = JONATHAN-FF6718 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 03/06/2010 06:34:49 p.m. | Computer Name = JONATHAN-FF6718 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

[ System Events ]

Error - 27/05/2010 08:25:08 p.m. | Computer Name = JONATHAN-FF6718 | Source = Disk | ID = 262151

Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 27/05/2010 08:34:28 p.m. | Computer Name = JONATHAN-FF6718 | Source = Ftdisk | ID = 262189

Description = The system could not sucessfully load the crash dump driver.

Error - 27/05/2010 08:34:28 p.m. | Computer Name = JONATHAN-FF6718 | Source = Ftdisk | ID = 262193

Description = Configuring the Page file for crash dump failed. Make sure there is

a page file on the boot partition and that is large enough to contain all physical

memory.

Error - 02/06/2010 10:20:44 p.m. | Computer Name = JONATHAN-FF6718 | Source = Dhcp | ID = 1000

Description = Your computer has lost the lease to its IP address 192.168.1.4 on

the Network Card with network address 0014A57104BE.

Error - 02/06/2010 10:31:24 p.m. | Computer Name = JONATHAN-FF6718 | Source = Ftdisk | ID = 262189

Description = The system could not sucessfully load the crash dump driver.

Error - 02/06/2010 10:31:24 p.m. | Computer Name = JONATHAN-FF6718 | Source = Ftdisk | ID = 262193

Description = Configuring the Page file for crash dump failed. Make sure there is

a page file on the boot partition and that is large enough to contain all physical

memory.

Error - 02/06/2010 10:31:34 p.m. | Computer Name = JONATHAN-FF6718 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 02/06/2010 10:32:45 p.m. | Computer Name = JONATHAN-FF6718 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 02/06/2010 10:32:46 p.m. | Computer Name = JONATHAN-FF6718 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

Fips Processor

Error - 02/06/2010 10:34:17 p.m. | Computer Name = JONATHAN-FF6718 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

< End of report >

OTL logfile created on: 03/06/2010 06:46:07 p.m. - Run 1

OTL by OldTimer - Version 3.2.5.3 Folder = E:\

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 0000100A | Country: Guatemala | Language: ESG | Date Format: dd/MM/yyyy

638.00 Mb Total Physical Memory | 399.00 Mb Available Physical Memory | 63.00% Memory free

938.00 Mb Paging File | 770.00 Mb Available in Paging File | 82.00% Paging File free

Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 37.25 Gb Total Space | 12.43 Gb Free Space | 33.37% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 122.10 Mb Total Space | 10.62 Mb Free Space | 8.70% Space Free | Partition Type: FAT

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: JONATHAN-FF6718

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: SafeMode with Networking

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/02 22:33:34 | 000,571,904 | ---- | M] (OldTimer Tools) -- E:\OTL.exe

PRC - [2002/12/31 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2010/06/02 22:33:34 | 000,571,904 | ---- | M] (OldTimer Tools) -- E:\OTL.exe

MOD - [2002/12/31 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (cceedecbdba)

SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2009/11/13 07:31:14 | 000,092,008 | ---- | M] (TomTom) [Auto | Stopped] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)

========== Driver Services (SafeList) ==========

DRV - [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)

DRV - [2010/02/24 10:15:48 | 000,074,752 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\abee.sys -- (abee)

DRV - [2009/11/25 15:52:29 | 000,039,936 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\9dd87ff1c0a00cd33ae794ef189c9bd5.sys -- (9dd87ff1c0a00cd33ae794ef189c9bd5)

DRV - [2008/04/13 18:05:40 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)

DRV - [2006/04/28 17:12:40 | 000,429,184 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)

DRV - [2005/07/14 12:37:16 | 001,269,760 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2005/02/18 15:42:02 | 000,349,696 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)

DRV - [2005/02/18 15:41:18 | 000,038,016 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-606747145-2052111302-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-606747145-2052111302-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-21-606747145-2052111302-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

[2010/04/06 01:43:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions

[2009/11/22 20:10:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\home2@tomtom.com

O1 HOSTS File: ([2002/12/31 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found

O2 - BHO: (EpsonToolBandKicker Class) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)

O3 - HKLM\..\Toolbar: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)

O3 - HKU\S-1-5-21-606747145-2052111302-1177238915-500\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.

O3 - HKU\S-1-5-21-606747145-2052111302-1177238915-500\..\Toolbar\WebBrowser: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)

O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-606747145-2052111302-1177238915-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: E&xportar a Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKU\S-1-5-21-606747145-2052111302-1177238915-500\..Trusted Domains: google.com ([www] https in Trusted sites)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)

O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\abfccdaabacbaebae: DllName - C:\WINDOWS\system32\abfccdaabacbaebae.dll - C:\WINDOWS\system32\abfccdaabacbaebae.dll ()

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O20 - Winlogon\Notify\dbdaebfaabd: DllName - C:\WINDOWS\system32\dbdaebfaabd.dll - C:\WINDOWS\system32\dbdaebfaabd.dll ()

O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/06/16 19:59:48 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2010/01/27 22:55:28 | 000,000,000 | -H-- | M] () - E:\autorun.inf -- [ FAT ]

O33 - MountPoints2\{27056d4c-9cca-11de-adc6-00163629d7fa}\Shell - "" = AutoRun

O33 - MountPoints2\{27056d4c-9cca-11de-adc6-00163629d7fa}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{27056d4c-9cca-11de-adc6-00163629d7fa}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found

O33 - MountPoints2\{d9572af0-da9e-11de-ae29-00163629d7fa}\Shell\AutoRun\command - "" = G:\SamsungSoftware\APPInst.exe -- File not found

O33 - MountPoints2\{e3c4ac2e-d71f-11de-ae1c-00163629d7fa}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/27 20:30:23 | 000,161,808 | ---- | C] (Villlys Inc.) -- C:\WINDOWS\System32\fd1f03378da8e8a6610d301257a689df.exe

[2010/05/27 20:21:05 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/05/27 15:38:27 | 000,000,000 | ---D | C] -- C:\MSIae2f3.tmp

[2010/05/27 15:38:26 | 000,000,000 | ---D | C] -- C:\MSIae063.tmp

[2010/05/24 22:34:52 | 000,161,808 | ---- | C] (Villlys Inc.) -- C:\WINDOWS\System32\ff1a707e0df21c20a381b6d4f0e0709a.exe

[2010/05/23 17:50:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia

[2010/05/23 17:50:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe

[2010/05/23 16:00:55 | 000,161,808 | ---- | C] (Villlys Inc.) -- C:\WINDOWS\System32\c5a521e4ebe23921a7f027e62f556b1f.exe

[2010/05/23 15:40:17 | 000,161,808 | ---- | C] (Villlys Inc.) -- C:\WINDOWS\System32\58243ceb0184d508b2328945ba6b0f72.exe

[2010/05/23 14:56:16 | 000,161,808 | ---- | C] (Villlys Inc.) -- C:\WINDOWS\System32\7564a094846de6fe45f0768be42da50e.exe

[2010/05/22 21:07:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Threat Expert

[2010/05/22 21:03:45 | 000,161,808 | ---- | C] (Villlys Inc.) -- C:\WINDOWS\System32\cdac5f7957a277a41918fdd6c4f4438b.exe

[2010/05/22 20:57:29 | 000,161,808 | ---- | C] (Villlys Inc.) -- C:\WINDOWS\System32\9a672b226b99be88d3bc7cda6da7b2f1.exe

[2010/05/22 19:45:32 | 000,161,808 | ---- | C] (Villlys Inc.) -- C:\WINDOWS\System32\79495ec1930d692a6cbe98be3894cf93.exe

[2010/05/22 19:31:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

[2010/05/22 19:31:28 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/05/22 19:31:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/05/22 19:31:20 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/05/22 19:27:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss

[2010/05/22 18:52:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/05/22 18:52:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/05/22 18:50:24 | 000,161,808 | ---- | C] (Villlys Inc.) -- C:\WINDOWS\System32\4c15822b8f9602a056771e943746b62f.exe

[2010/05/22 17:54:41 | 000,000,000 | ---D | C] -- C:\Program Files\old

[2010/05/22 17:00:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2010/05/22 16:49:50 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC

[2010/05/21 20:25:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\dsdiqwrgo

[2010/05/19 10:55:22 | 000,161,808 | ---- | C] (Villlys Inc.) -- C:\WINDOWS\System32\d6400322cf2cc1255822b542edf9cb4d.exe

[2010/05/15 11:31:31 | 000,000,000 | ---D | C] -- C:\Program Files\iPod

[2010/05/15 11:31:13 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes

[2010/05/15 11:26:48 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour

[2010/05/10 20:17:59 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe

[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[2 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/03 05:22:27 | 000,360,124 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/06/03 05:22:27 | 000,314,508 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/06/03 05:22:27 | 000,040,836 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/06/02 22:31:07 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/06/02 22:31:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/06/02 22:30:24 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/06/02 22:30:22 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini

[2010/06/02 22:30:21 | 004,456,448 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT

[2010/06/02 22:25:46 | 044,089,904 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Firefox.com.exe

[2010/05/30 01:13:00 | 000,001,148 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-606747145-2052111302-1177238915-500UA.job

[2010/05/27 20:34:39 | 000,000,582 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/05/27 20:34:39 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/05/27 20:34:39 | 000,000,211 | -HS- | M] () -- C:\boot.ini

[2010/05/27 20:33:07 | 003,760,542 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db

[2010/05/27 20:30:24 | 000,161,744 | ---- | M] () -- C:\WINDOWS\System32\9bf222167bbc4a49c3491e5822ae37f4.exe

[2010/05/27 20:30:23 | 000,161,808 | ---- | M] (Villlys Inc.) -- C:\WINDOWS\System32\fd1f03378da8e8a6610d301257a689df.exe

[2010/05/24 22:34:52 | 000,161,808 | ---- | M] (Villlys Inc.) -- C:\WINDOWS\System32\ff1a707e0df21c20a381b6d4f0e0709a.exe

[2010/05/24 22:34:52 | 000,161,744 | ---- | M] () -- C:\WINDOWS\System32\454f16868a63c6132eb35a8c5a500af0.exe

[2010/05/24 22:28:21 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable

[2010/05/23 16:00:55 | 000,161,808 | ---- | M] (Villlys Inc.) -- C:\WINDOWS\System32\c5a521e4ebe23921a7f027e62f556b1f.exe

[2010/05/23 16:00:55 | 000,161,744 | ---- | M] () -- C:\WINDOWS\System32\c228d2bd2685649fa1299731d27197de.exe

[2010/05/23 15:40:17 | 000,161,808 | ---- | M] (Villlys Inc.) -- C:\WINDOWS\System32\58243ceb0184d508b2328945ba6b0f72.exe

[2010/05/23 15:40:17 | 000,161,744 | ---- | M] () -- C:\WINDOWS\System32\ea36be3b4f3b46f422268d6a454ab996.exe

[2010/05/23 15:22:49 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/05/23 14:56:16 | 000,161,808 | ---- | M] (Villlys Inc.) -- C:\WINDOWS\System32\7564a094846de6fe45f0768be42da50e.exe

[2010/05/23 14:56:16 | 000,161,744 | ---- | M] () -- C:\WINDOWS\System32\1c074fc28b7667728df9e75c90df6563.exe

[2010/05/22 21:03:45 | 000,161,808 | ---- | M] (Villlys Inc.) -- C:\WINDOWS\System32\cdac5f7957a277a41918fdd6c4f4438b.exe

[2010/05/22 21:03:45 | 000,161,744 | ---- | M] () -- C:\WINDOWS\System32\be4be0bbd46d12153649e812b2964087.exe

[2010/05/22 20:57:29 | 000,161,808 | ---- | M] (Villlys Inc.) -- C:\WINDOWS\System32\9a672b226b99be88d3bc7cda6da7b2f1.exe

[2010/05/22 20:57:29 | 000,161,744 | ---- | M] () -- C:\WINDOWS\System32\f4bc36c833e0c544203358cb56a52c40.exe

[2010/05/22 19:45:33 | 000,161,744 | ---- | M] () -- C:\WINDOWS\System32\e7786f1d2127a6fdc826138885bbe947.exe

[2010/05/22 19:45:32 | 000,161,808 | ---- | M] (Villlys Inc.) -- C:\WINDOWS\System32\79495ec1930d692a6cbe98be3894cf93.exe

[2010/05/22 19:31:31 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/05/22 18:50:25 | 000,161,744 | ---- | M] () -- C:\WINDOWS\System32\76fb8d4847103823f01429e172149467.exe

[2010/05/22 18:50:24 | 000,161,808 | ---- | M] (Villlys Inc.) -- C:\WINDOWS\System32\4c15822b8f9602a056771e943746b62f.exe

[2010/05/21 20:29:21 | 000,000,025 | ---- | M] () -- C:\WINDOWS\herjek.config

[2010/05/21 20:27:50 | 000,060,160 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\syssvc.exe

[2010/05/21 20:27:50 | 000,060,160 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\asam.exe

[2010/05/19 10:55:23 | 000,161,744 | ---- | M] () -- C:\WINDOWS\System32\44243da1fa630b169a3c532cc313352d.exe

[2010/05/19 10:55:22 | 000,161,808 | ---- | M] (Villlys Inc.) -- C:\WINDOWS\System32\d6400322cf2cc1255822b542edf9cb4d.exe

[2010/05/15 11:32:53 | 000,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2010/05/15 11:23:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2010/05/11 10:34:32 | 000,001,493 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\DivX Movies.lnk

[2010/05/11 10:34:23 | 000,000,777 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk

[2010/05/11 10:33:40 | 000,000,817 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Converter.lnk

[2010/05/10 20:22:04 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

[2010/05/09 09:13:02 | 000,001,096 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-606747145-2052111302-1177238915-500Core.job

[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[2 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/02 22:29:48 | 044,089,904 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Firefox.com.exe

[2010/05/27 20:30:24 | 000,161,744 | ---- | C] () -- C:\WINDOWS\System32\9bf222167bbc4a49c3491e5822ae37f4.exe

[2010/05/24 22:34:52 | 000,161,744 | ---- | C] () -- C:\WINDOWS\System32\454f16868a63c6132eb35a8c5a500af0.exe

[2010/05/24 22:28:21 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable

[2010/05/23 16:00:55 | 000,161,744 | ---- | C] () -- C:\WINDOWS\System32\c228d2bd2685649fa1299731d27197de.exe

[2010/05/23 15:40:17 | 000,161,744 | ---- | C] () -- C:\WINDOWS\System32\ea36be3b4f3b46f422268d6a454ab996.exe

[2010/05/23 14:56:16 | 000,161,744 | ---- | C] () -- C:\WINDOWS\System32\1c074fc28b7667728df9e75c90df6563.exe

[2010/05/22 21:03:45 | 000,161,744 | ---- | C] () -- C:\WINDOWS\System32\be4be0bbd46d12153649e812b2964087.exe

[2010/05/22 20:57:29 | 000,161,744 | ---- | C] () -- C:\WINDOWS\System32\f4bc36c833e0c544203358cb56a52c40.exe

[2010/05/22 19:45:33 | 000,161,744 | ---- | C] () -- C:\WINDOWS\System32\e7786f1d2127a6fdc826138885bbe947.exe

[2010/05/22 19:31:31 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/05/22 18:50:25 | 000,161,744 | ---- | C] () -- C:\WINDOWS\System32\76fb8d4847103823f01429e172149467.exe

[2010/05/21 20:29:21 | 000,000,025 | ---- | C] () -- C:\WINDOWS\herjek.config

[2010/05/21 20:28:50 | 000,060,160 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\asam.exe

[2010/05/21 20:27:49 | 000,060,160 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\syssvc.exe

[2010/05/19 10:55:23 | 000,161,744 | ---- | C] () -- C:\WINDOWS\System32\44243da1fa630b169a3c532cc313352d.exe

[2010/05/15 11:32:53 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2010/05/11 10:34:32 | 000,001,493 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\DivX Movies.lnk

[2010/05/11 10:34:23 | 000,000,777 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk

[2010/05/11 10:33:40 | 000,000,817 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Converter.lnk

[2010/05/10 20:18:36 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

[2010/02/24 10:15:48 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\abee.sys

[2010/02/14 03:08:26 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI

[2009/12/05 10:58:44 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\dbdaebfaabd.dll

[2009/11/25 15:52:29 | 000,039,936 | ---- | C] () -- C:\WINDOWS\System32\9dd87ff1c0a00cd33ae794ef189c9bd5.sys

[2009/11/25 00:59:22 | 000,315,407 | ---- | C] () -- C:\WINDOWS\System32\abfccdaabacbaebae.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8

< End of report >

Link to post
Share on other sites

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Link to post
Share on other sites

ComboFix 10-06-03.01 - Administrator 04/06/2010 19:07:24.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.638.440 [GMT -4:00]

Running from: E:\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\install_flash_player.exe

c:\documents and settings\Administrator\Local Settings\Application Data\asam.exe

c:\documents and settings\Administrator\Local Settings\Application Data\dsdiqwrgo

c:\documents and settings\Administrator\Local Settings\Application Data\dsdiqwrgo\jhkheartssd.exe

c:\documents and settings\Administrator\Local Settings\Application Data\syssvc.exe

c:\windows\herjek.config

c:\windows\system\WINSPOOL.DRV

c:\windows\system32\abee.sys

c:\windows\system32\abfccdaabacbaebae.dll

c:\windows\system32\dbdaebfaabd.dll

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected

Restored copy from - Kitty had a snack :P

c:\windows\system32\msgsvc.dll . . . is infected!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_abee

-------\Service_abee

((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))

.

2010-05-28 00:30 . 2010-05-28 00:30 161744 ----a-w- c:\windows\system32\9bf222167bbc4a49c3491e5822ae37f4.exe

2010-05-28 00:30 . 2010-05-28 00:30 161808 ----a-w- c:\windows\system32\fd1f03378da8e8a6610d301257a689df.exe

2010-05-28 00:21 . 2010-05-28 00:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-27 19:38 . 2010-05-27 19:38 -------- d-----w- C:\MSIae2f3.tmp

2010-05-27 19:38 . 2010-05-27 19:38 -------- d-----w- C:\MSIae063.tmp

2010-05-25 02:34 . 2010-05-25 02:34 161808 ----a-w- c:\windows\system32\ff1a707e0df21c20a381b6d4f0e0709a.exe

2010-05-25 02:34 . 2010-05-25 02:34 161744 ----a-w- c:\windows\system32\454f16868a63c6132eb35a8c5a500af0.exe

2010-05-23 21:50 . 2010-05-23 21:50 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-05-23 20:00 . 2010-05-23 20:00 161808 ----a-w- c:\windows\system32\c5a521e4ebe23921a7f027e62f556b1f.exe

2010-05-23 20:00 . 2010-05-23 20:00 161744 ----a-w- c:\windows\system32\c228d2bd2685649fa1299731d27197de.exe

2010-05-23 19:40 . 2010-05-23 19:40 161808 ----a-w- c:\windows\system32\58243ceb0184d508b2328945ba6b0f72.exe

2010-05-23 19:40 . 2010-05-23 19:40 161744 ----a-w- c:\windows\system32\ea36be3b4f3b46f422268d6a454ab996.exe

2010-05-23 18:56 . 2010-05-23 18:56 161808 ----a-w- c:\windows\system32\7564a094846de6fe45f0768be42da50e.exe

2010-05-23 18:56 . 2010-05-23 18:56 161744 ----a-w- c:\windows\system32\1c074fc28b7667728df9e75c90df6563.exe

2010-05-23 01:07 . 2010-05-23 01:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Threat Expert

2010-05-23 01:03 . 2010-05-23 01:03 161808 ----a-w- c:\windows\system32\cdac5f7957a277a41918fdd6c4f4438b.exe

2010-05-23 01:03 . 2010-05-23 01:03 161744 ----a-w- c:\windows\system32\be4be0bbd46d12153649e812b2964087.exe

2010-05-23 00:57 . 2010-05-23 00:57 161808 ----a-w- c:\windows\system32\9a672b226b99be88d3bc7cda6da7b2f1.exe

2010-05-23 00:57 . 2010-05-23 00:57 161744 ----a-w- c:\windows\system32\f4bc36c833e0c544203358cb56a52c40.exe

2010-05-22 23:45 . 2010-05-22 23:45 161744 ----a-w- c:\windows\system32\e7786f1d2127a6fdc826138885bbe947.exe

2010-05-22 23:45 . 2010-05-22 23:45 161808 ----a-w- c:\windows\system32\79495ec1930d692a6cbe98be3894cf93.exe

2010-05-22 23:31 . 2010-05-22 23:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-05-22 23:31 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-22 23:31 . 2010-05-22 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-22 23:31 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-22 22:50 . 2010-05-22 22:50 161744 ----a-w- c:\windows\system32\76fb8d4847103823f01429e172149467.exe

2010-05-22 22:50 . 2010-05-22 22:50 161808 ----a-w- c:\windows\system32\4c15822b8f9602a056771e943746b62f.exe

2010-05-22 21:54 . 2010-05-28 00:17 -------- d-----w- c:\program files\old

2010-05-22 21:00 . 2010-05-23 18:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-22 00:30 . 2010-05-22 00:30 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-05-19 14:55 . 2010-05-19 14:55 161744 ----a-w- c:\windows\system32\44243da1fa630b169a3c532cc313352d.exe

2010-05-19 14:55 . 2010-05-19 14:55 161808 ----a-w- c:\windows\system32\d6400322cf2cc1255822b542edf9cb4d.exe

2010-05-15 15:31 . 2010-05-15 15:31 -------- d-----w- c:\program files\iPod

2010-05-15 15:31 . 2010-05-15 15:32 -------- d-----w- c:\program files\iTunes

2010-05-15 15:26 . 2010-05-15 15:26 -------- d-----w- c:\program files\Bonjour

2010-05-11 00:17 . 2010-05-11 00:21 -------- d-----w- c:\program files\Common Files\Adobe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-30 03:27 . 2009-09-08 22:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2010-05-23 19:22 . 2009-12-10 00:41 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-15 15:31 . 2009-08-22 00:51 -------- d-----w- c:\program files\Common Files\Apple

2010-05-15 15:25 . 2010-05-15 15:25 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-05-11 14:45 . 2010-04-19 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-05-11 14:45 . 2010-04-19 02:42 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll

2010-05-11 14:34 . 2010-05-11 14:34 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe

2010-05-11 14:34 . 2010-01-02 07:01 -------- d-----w- c:\program files\DivX

2010-05-11 14:34 . 2010-05-11 14:34 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe

2010-05-11 14:34 . 2010-05-11 14:34 57679 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe

2010-05-11 14:34 . 2010-05-11 14:34 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe

2010-05-11 14:33 . 2010-05-11 14:33 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe

2010-05-11 14:33 . 2010-05-11 14:33 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe

2010-05-11 14:33 . 2010-05-11 14:33 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe

2010-05-11 14:33 . 2010-05-11 14:33 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe

2010-05-11 14:33 . 2010-05-11 14:33 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe

2010-05-11 14:30 . 2010-05-11 14:30 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe

2010-05-11 14:30 . 2010-04-19 02:42 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll

2010-05-11 14:30 . 2010-04-19 02:42 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe

2010-05-10 03:36 . 2010-04-13 02:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks

2010-05-01 18:40 . 2010-05-01 18:40 161808 ----a-w- c:\windows\system32\50347c3b96d63f7e91b3931f39a2cfb4.exe

2010-05-01 18:40 . 2010-05-01 18:40 161744 ----a-w- c:\windows\system32\1f5369b1835d69cb60276eed846cc3ab.exe

2010-04-19 02:44 . 2010-04-19 02:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX

2010-04-19 02:42 . 2010-04-19 02:42 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe

2010-04-19 02:41 . 2010-04-19 02:41 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe

2010-04-19 02:41 . 2010-04-19 02:41 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe

2010-04-19 02:41 . 2010-04-19 02:41 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe

2010-04-19 02:41 . 2010-04-19 02:41 54629 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe

2010-04-19 02:40 . 2010-04-19 02:40 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe

2010-04-19 02:40 . 2010-04-19 02:40 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe

2010-04-19 02:40 . 2010-04-19 02:40 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe

2010-04-19 02:40 . 2010-04-19 02:40 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe

2010-04-19 02:40 . 2010-01-02 07:01 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-04-18 18:26 . 2010-04-18 18:26 165392 ----a-w- c:\windows\system32\8b73afdb2670a80242e2704b253d9b43.exe

2010-04-14 14:39 . 2010-04-14 14:39 165392 ----a-w- c:\windows\system32\9aa868fa4c3bde6cbe07ea1dd74f9064.exe

2010-04-13 02:52 . 2010-04-13 02:52 143976 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\uninstall.exe

2010-04-13 02:52 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071701000002.dll

2010-04-10 15:52 . 2010-04-10 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-04-10 15:48 . 2010-04-10 15:47 -------- d-----w- c:\program files\QuickTime

2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-06 05:17 . 2010-04-06 05:17 0 ----a-w- c:\windows\nsreg.dat

2010-04-04 13:23 . 2010-04-04 13:23 56136 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-01 11:53 . 2010-04-01 11:53 165392 ----a-w- c:\windows\system32\4d239df07d2150b42ab341bf009eb57d.exe

2010-03-31 01:58 . 2010-04-19 02:41 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys

2010-03-31 01:58 . 2010-04-19 02:41 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2010-03-31 01:58 . 2010-04-19 02:41 44944 ----a-w- c:\windows\system32\drivers\PxHelp20.sys

2010-03-31 01:58 . 2010-04-19 02:41 133616 ------w- c:\windows\system32\pxafs.dll

2010-03-31 01:58 . 2010-04-19 02:41 125424 ------w- c:\windows\system32\pxinsi64.exe

2010-03-31 01:58 . 2010-04-19 02:41 123888 ------w- c:\windows\system32\pxcpyi64.exe

2010-03-29 20:44 . 2010-03-29 20:44 165392 ----a-w- c:\windows\system32\04c377564875df4391f7804c8d25abe2.exe

2010-03-18 01:48 . 2010-03-18 01:48 165392 ----a-w- c:\windows\system32\523c6f8ae049f0b8acd521b254b829ad.exe

2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-03-24 18:17 952768 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

2005-07-14 01:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2002-12-31 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2009-08-22 00:53 133104 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-04-28 19:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 07:31 a.m. 92008]

S0 9dd87ff1c0a00cd33ae794ef189c9bd5;9dd87ff1c0a00cd33ae794ef189c9bd5;c:\windows\system32\9dd87ff1c0a00cd33ae794ef189c9bd5.sys [25/11/2009 03:52 p.m. 39936]

S2 cceedecbdba;a0ae1af08bb7d89f925e787e628942d9;c:\windows\cceedecbdba.exe /s --> c:\windows\cceedecbdba.exe [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [22/05/2010 07:31 p.m. 38224]

.

Contents of the 'Scheduled Tasks' folder

2010-05-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-2052111302-1177238915-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-22 00:53]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-2052111302-1177238915-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-22 00:53]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: google.com\www

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-asam - c:\documents and settings\Administrator\Local Settings\Application Data\asam.exe

MSConfigStartUp-qshwgixr - c:\documents and settings\Administrator\Local Settings\Application Data\dsdiqwrgo\jhkheartssd.exe

MSConfigStartUp-UIUCU - c:\docume~1\ADMINI~1\LOCALS~1\Temp\UIUCU.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-04 19:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-606747145-2052111302-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c9,2c,4d,38,00,e2,ad,4a,b1,80,32,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c9,2c,4d,38,00,e2,ad,4a,b1,80,32,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2424)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-06-04 19:22:19 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-04 23:22

Pre-Run: 13,293,727,744 bytes free

Post-Run: 14,224,941,056 bytes free

- - End Of File - - 4A1860E1908C5B5CEDA50D782B140761

Link to post
Share on other sites

ComboFix 10-06-07.03 - Administrator 07/06/2010 22:12:35.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.638.373 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe

Command switches used :: E:\WinXP_EN_HOM_BF.EXE

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\msgsvc.dll

.

((((((((((((((((((((((((( Files Created from 2010-05-08 to 2010-06-08 )))))))))))))))))))))))))))))))

.

2010-05-28 00:30 . 2010-05-28 00:30 161744 ----a-w- c:\windows\system32\9bf222167bbc4a49c3491e5822ae37f4.exe

2010-05-28 00:30 . 2010-05-28 00:30 161808 ----a-w- c:\windows\system32\fd1f03378da8e8a6610d301257a689df.exe

2010-05-28 00:21 . 2010-05-28 00:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-27 19:38 . 2010-05-27 19:38 -------- d-----w- C:\MSIae2f3.tmp

2010-05-27 19:38 . 2010-05-27 19:38 -------- d-----w- C:\MSIae063.tmp

2010-05-25 02:34 . 2010-05-25 02:34 161808 ----a-w- c:\windows\system32\ff1a707e0df21c20a381b6d4f0e0709a.exe

2010-05-25 02:34 . 2010-05-25 02:34 161744 ----a-w- c:\windows\system32\454f16868a63c6132eb35a8c5a500af0.exe

2010-05-23 21:50 . 2010-05-23 21:50 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-05-23 20:00 . 2010-05-23 20:00 161808 ----a-w- c:\windows\system32\c5a521e4ebe23921a7f027e62f556b1f.exe

2010-05-23 20:00 . 2010-05-23 20:00 161744 ----a-w- c:\windows\system32\c228d2bd2685649fa1299731d27197de.exe

2010-05-23 19:40 . 2010-05-23 19:40 161808 ----a-w- c:\windows\system32\58243ceb0184d508b2328945ba6b0f72.exe

2010-05-23 19:40 . 2010-05-23 19:40 161744 ----a-w- c:\windows\system32\ea36be3b4f3b46f422268d6a454ab996.exe

2010-05-23 18:56 . 2010-05-23 18:56 161808 ----a-w- c:\windows\system32\7564a094846de6fe45f0768be42da50e.exe

2010-05-23 18:56 . 2010-05-23 18:56 161744 ----a-w- c:\windows\system32\1c074fc28b7667728df9e75c90df6563.exe

2010-05-23 01:07 . 2010-05-23 01:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Threat Expert

2010-05-23 01:03 . 2010-05-23 01:03 161808 ----a-w- c:\windows\system32\cdac5f7957a277a41918fdd6c4f4438b.exe

2010-05-23 01:03 . 2010-05-23 01:03 161744 ----a-w- c:\windows\system32\be4be0bbd46d12153649e812b2964087.exe

2010-05-23 00:57 . 2010-05-23 00:57 161808 ----a-w- c:\windows\system32\9a672b226b99be88d3bc7cda6da7b2f1.exe

2010-05-23 00:57 . 2010-05-23 00:57 161744 ----a-w- c:\windows\system32\f4bc36c833e0c544203358cb56a52c40.exe

2010-05-22 23:45 . 2010-05-22 23:45 161744 ----a-w- c:\windows\system32\e7786f1d2127a6fdc826138885bbe947.exe

2010-05-22 23:45 . 2010-05-22 23:45 161808 ----a-w- c:\windows\system32\79495ec1930d692a6cbe98be3894cf93.exe

2010-05-22 23:31 . 2010-05-22 23:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-05-22 23:31 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-22 23:31 . 2010-05-22 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-22 23:31 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-22 22:50 . 2010-05-22 22:50 161744 ----a-w- c:\windows\system32\76fb8d4847103823f01429e172149467.exe

2010-05-22 22:50 . 2010-05-22 22:50 161808 ----a-w- c:\windows\system32\4c15822b8f9602a056771e943746b62f.exe

2010-05-22 21:54 . 2010-05-28 00:17 -------- d-----w- c:\program files\old

2010-05-22 21:00 . 2010-05-23 18:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-22 00:30 . 2010-05-22 00:30 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-05-19 14:55 . 2010-05-19 14:55 161744 ----a-w- c:\windows\system32\44243da1fa630b169a3c532cc313352d.exe

2010-05-19 14:55 . 2010-05-19 14:55 161808 ----a-w- c:\windows\system32\d6400322cf2cc1255822b542edf9cb4d.exe

2010-05-15 15:31 . 2010-05-15 15:31 -------- d-----w- c:\program files\iPod

2010-05-15 15:31 . 2010-05-15 15:32 -------- d-----w- c:\program files\iTunes

2010-05-15 15:26 . 2010-05-15 15:26 -------- d-----w- c:\program files\Bonjour

2010-05-15 15:25 . 2010-05-15 15:25 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-05-11 14:34 . 2010-05-11 14:34 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe

2010-05-11 14:34 . 2010-05-11 14:34 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe

2010-05-11 14:34 . 2010-05-11 14:34 57679 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe

2010-05-11 14:34 . 2010-05-11 14:34 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe

2010-05-11 14:33 . 2010-05-11 14:33 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe

2010-05-11 14:33 . 2010-05-11 14:33 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe

2010-05-11 14:33 . 2010-05-11 14:33 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe

2010-05-11 14:33 . 2010-05-11 14:33 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe

2010-05-11 14:33 . 2010-05-11 14:33 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe

2010-05-11 14:30 . 2010-05-11 14:30 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe

2010-05-11 00:17 . 2010-05-11 00:21 -------- d-----w- c:\program files\Common Files\Adobe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-30 03:27 . 2009-09-08 22:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2010-05-23 19:22 . 2009-12-10 00:41 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-15 15:31 . 2009-08-22 00:51 -------- d-----w- c:\program files\Common Files\Apple

2010-05-11 14:45 . 2010-04-19 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-05-11 14:45 . 2010-04-19 02:42 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll

2010-05-11 14:34 . 2010-01-02 07:01 -------- d-----w- c:\program files\DivX

2010-05-11 14:30 . 2010-04-19 02:42 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll

2010-05-11 14:30 . 2010-04-19 02:42 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe

2010-05-10 03:36 . 2010-04-13 02:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks

2010-05-01 18:40 . 2010-05-01 18:40 161808 ----a-w- c:\windows\system32\50347c3b96d63f7e91b3931f39a2cfb4.exe

2010-05-01 18:40 . 2010-05-01 18:40 161744 ----a-w- c:\windows\system32\1f5369b1835d69cb60276eed846cc3ab.exe

2010-04-19 02:44 . 2010-04-19 02:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX

2010-04-19 02:42 . 2010-04-19 02:42 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe

2010-04-19 02:41 . 2010-04-19 02:41 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe

2010-04-19 02:41 . 2010-04-19 02:41 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe

2010-04-19 02:41 . 2010-04-19 02:41 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe

2010-04-19 02:41 . 2010-04-19 02:41 54629 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe

2010-04-19 02:40 . 2010-04-19 02:40 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe

2010-04-19 02:40 . 2010-04-19 02:40 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe

2010-04-19 02:40 . 2010-04-19 02:40 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe

2010-04-19 02:40 . 2010-04-19 02:40 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe

2010-04-19 02:40 . 2010-01-02 07:01 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-04-18 18:26 . 2010-04-18 18:26 165392 ----a-w- c:\windows\system32\8b73afdb2670a80242e2704b253d9b43.exe

2010-04-14 14:39 . 2010-04-14 14:39 165392 ----a-w- c:\windows\system32\9aa868fa4c3bde6cbe07ea1dd74f9064.exe

2010-04-13 02:52 . 2010-04-13 02:52 143976 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\uninstall.exe

2010-04-13 02:52 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071701000002.dll

2010-04-10 15:52 . 2010-04-10 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-04-10 15:48 . 2010-04-10 15:47 -------- d-----w- c:\program files\QuickTime

2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-06 05:17 . 2010-04-06 05:17 0 ----a-w- c:\windows\nsreg.dat

2010-04-04 13:23 . 2010-04-04 13:23 56136 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-01 11:53 . 2010-04-01 11:53 165392 ----a-w- c:\windows\system32\4d239df07d2150b42ab341bf009eb57d.exe

2010-03-31 01:58 . 2010-04-19 02:41 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys

2010-03-31 01:58 . 2010-04-19 02:41 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2010-03-31 01:58 . 2010-04-19 02:41 44944 ----a-w- c:\windows\system32\drivers\PxHelp20.sys

2010-03-31 01:58 . 2010-04-19 02:41 133616 ------w- c:\windows\system32\pxafs.dll

2010-03-31 01:58 . 2010-04-19 02:41 125424 ------w- c:\windows\system32\pxinsi64.exe

2010-03-31 01:58 . 2010-04-19 02:41 123888 ------w- c:\windows\system32\pxcpyi64.exe

2010-03-29 20:44 . 2010-03-29 20:44 165392 ----a-w- c:\windows\system32\04c377564875df4391f7804c8d25abe2.exe

2010-03-18 01:48 . 2010-03-18 01:48 165392 ----a-w- c:\windows\system32\523c6f8ae049f0b8acd521b254b829ad.exe

.

((((((((((((((((((((((((((((( SnapShot@2010-06-04_23.16.16 )))))))))))))))))))))))))))))))))))))))))

.

- 2002-12-31 12:00 . 2010-06-04 23:11 41238 c:\windows\system32\perfc009.dat

+ 2002-12-31 12:00 . 2010-06-04 23:21 41238 c:\windows\system32\perfc009.dat

+ 2002-12-31 12:00 . 2010-06-04 23:21 315076 c:\windows\system32\perfh009.dat

- 2002-12-31 12:00 . 2010-06-04 23:11 315076 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-03-24 18:17 952768 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

2005-07-14 01:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2002-12-31 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2009-08-22 00:53 133104 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-04-28 19:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 07:31 a.m. 92008]

S0 9dd87ff1c0a00cd33ae794ef189c9bd5;9dd87ff1c0a00cd33ae794ef189c9bd5;c:\windows\system32\9dd87ff1c0a00cd33ae794ef189c9bd5.sys [25/11/2009 03:52 p.m. 39936]

S2 cceedecbdba;a0ae1af08bb7d89f925e787e628942d9;c:\windows\cceedecbdba.exe /s --> c:\windows\cceedecbdba.exe [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [22/05/2010 07:31 p.m. 38224]

.

Contents of the 'Scheduled Tasks' folder

2010-05-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-2052111302-1177238915-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-22 00:53]

2010-06-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-2052111302-1177238915-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-22 00:53]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: google.com\www

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-07 22:18

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-606747145-2052111302-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c9,2c,4d,38,00,e2,ad,4a,b1,80,32,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c9,2c,4d,38,00,e2,ad,4a,b1,80,32,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2696)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-06-07 22:23:39 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-08 02:23

ComboFix2.txt 2010-06-04 23:22

Pre-Run: 14,421,250,048 bytes free

Post-Run: 14,389,649,408 bytes free

WinXP_EN_HOM_BF.EXE

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 45EAF6830478A36BD39232251AF0C580

Link to post
Share on other sites

Good! :)

Last steps:

Step 1

* Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Step 2

To enable CD Emulation programs using DeFogger please perform these steps:

  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

Step 3

Please manually delete Defogger, OTL, GMER and JavaRa.

Step 4

Please uninstall your HiJackThis.

Step 5

Please download and install the latest version of Java from:

www.java.com/en

Step 6

Some malware preventions:

http://miekiemoes.blogspot.com/2008/02/how...nt-malware.html

Safe surfing! ;)

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.