I am unable to run Malwarebytes. The process monitor shows it loading and then it is shut down. HiJackThis can run if I boot Windows from a CD, but I can't run it in Windows Safe Mode or normal mode. I cannot update MS Security Essentials or Ad-Aware except through manual updates. MSSE found a trojan rootkit in a WMA file on an external drive E. It removed it.

Trojan Downloader:ASX/Wimad.C

MSSE and Adaware now say system is clean but I know it isn't because MWB still won't load.

RootRepeal shows an MBR on the E drive but won't remove it. I suspect both C and E are infected.

Any help is greatly appreciated.

- Steve


Here is the DDS file. The attachment only has the attach.txt. When I try to run GMER it either crashes or, after scanning for a bit, I get a services message that a reboot is happening in 59 seconds.

DDS (Ver_10-03-17.01) - FAT32x86

Run by Liz at 11:41:32.98 on Mon 05/24/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.110 [GMT -6:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

SVCHOST.EXE

C:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

SVCHOST.EXE

C:\WINDOWS\Explorer.EXE

SVCHOST.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

SVCHOST.EXE

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

C:\Program Files\Nero\Nero 7\InCD\InCD.exe

C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Documents and Settings\Liz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Liz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Liz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Liz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Liz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Liz\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://dons.com/

uInternet Connection Wizard,ShellNext = iexplore

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [EPSON Stylus Photo 820 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s0eic1.exe /a "c:\windows\system32\E_SD.tmp"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

mRun: [nwiz] nwiz.exe /install

mRun: [siSUSBRG] c:\windows\SiSUSBrg.exe

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [EPSON Stylus Photo 820 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [securDisc] c:\program files\nero\nero 7\incd\NBHGui.exe

mRun: [inCD] c:\program files\nero\nero 7\incd\InCD.exe

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2010-05-24 17:21:13 0 ----a-w- c:\documents and settings\liz\defogger_reenable

2010-05-24 01:26:29 0 d-----w- c:\program files\Seagate

2010-05-24 01:26:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Seagate

2010-05-24 01:25:28 0 d-sh--w- c:\windows\ftpcache

2010-05-24 01:11:39 0 d-----w- c:\program files\Microsoft Security Essentials

2010-05-23 18:27:56 0 d-----w- C:\Steve

2010-05-23 18:21:27 0 d-----w- c:\program files\Trend Micro

2010-05-22 21:34:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-05-22 21:33:34 0 d--h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-05-22 21:33:09 0 d-----w- c:\program files\Lavasoft

2010-05-22 20:27:16 0 d-sh--w- C:\Recycled

2010-05-22 18:29:23 0 d-sha-r- C:\cmdcons

2010-05-22 18:26:48 98816 ----a-w- c:\windows\sed.exe

2010-05-22 18:26:48 77312 ----a-w- c:\windows\MBR.exe

2010-05-22 18:26:48 256512 ----a-w- c:\windows\PEV.exe

2010-05-22 18:26:48 161792 ----a-w- c:\windows\SWREG.exe

2010-05-22 17:35:28 49265 ----a-w- c:\windows\system32\jpicpl32.cpl

2010-05-22 17:20:22 0 d-----w- c:\windows\system32\appmgmt

2010-05-22 15:38:19 0 d--h--w- c:\windows\PIF

2010-05-21 23:12:22 0 d-----w- c:\docume~1\liz\applic~1\Malwarebytes

2010-05-21 23:11:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-21 23:11:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-05-21 23:11:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-21 23:11:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-17 15:05:31 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-05-17 15:05:31 215920 ----a-w- c:\windows\system32\muweb.dll

2010-05-17 15:05:31 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2010-05-16 01:21:33 221568 ------w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll

2010-03-04 20:11:58 111 ----a-w- c:\program files\WS_FTP.LOG

2010-03-03 04:36:00 18702178 ----a-w- c:\program files\HB20100302203045.bkp

2010-02-25 17:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-02-24 13:11:08 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2010-02-24 09:54:26 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-02-01 21:26:56 98180904 ----a-w- c:\program files\iTunesSetup.exe

2005-12-21 03:59:36 349182 ----a-w- c:\program files\pow101m-upd.zip

2005-12-21 03:55:54 8922629 ----a-w- c:\program files\powsetup.exe

============= FINISH: 11:43:27.73 ===============


Hello Steve! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. The absence of symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we are working on it.

Step 1

Please, uninstall the following applications:

  1. LimeWire 4.16.6
  2. J2SE Runtime Environment 5.0 Update 3

You can read how to do this in:

Step 2

Go into C:\Program Files\Malwarebytes' Anti-Malware and you will see a file called mbam.exe. Right-click on it, drop down to Rename, and change the name to firefox.com (from mbam.exe to firefox.com). Please restart your computer.

Step 3

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 4

Delete your copy of RootRepeal and then:

Download RootRepeal Beta on your desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

In your next reply, please include these log(s) in this sequence:

  1. MalwareBytes' Anti-Malware log
  2. RootRepeal log
  3. a new fresh DDS log only


Renamed file and rebooted. mbam (now firefox.exe) will still not run. ProcExp shows firefox.exe starting and then it closes about 15 seconds later. No window appears before it closes.

The RootRepeal you linked to is far different and smaller than the one I had already downloaded. When I run it, it runs fine. I go to save the report file and it crashes, and I get a rootrepeal.dmp and nothing is saved in the log file.

If I run the rootrepeal from Aug 2009, I get an error saying it couldn't read the boot sector.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/05/24 14:04

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xEEFE4000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF8C4E000 Size: 8192 File Visible: No Signed: -

Status: -

Name: PROCEXP141.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP141.SYS

Address: 0xEDC6E000 Size: 9600 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xEE546000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\Documents and Settings\NetworkService\ntuser.dat.LOG

Status: Size mismatch (API: 1024, Raw: 12288)

Path: C:\Documents and Settings\Administrator\ntuser.dat.LOG

Status: Size mismatch (API: 1024, Raw: 8192)

Path: C:\Documents and Settings\Liz\ntuser.dat.LOG

Status: Allocation size mismatch (API: 163840, Raw: 32768)

Path: C:\Documents and Settings\LogMeInRemoteUser\ntuser.dat.LOG

Status: Size mismatch (API: 1024, Raw: 12288)

Path: C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG

Status: Size mismatch (API: 1024, Raw: 61440)

Path: C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG

Status: Allocation size mismatch (API: 65536, Raw: 32768)

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Support\MPLog-05232010-191157.log

Status: Allocation size mismatch (API: 1441792, Raw: 458752)

Path: Volume E:\

Status: MBR Rootkit Detected!

Path: Volume E:\, Sector 1

Status: Sector mismatch

Path: Volume E:\, Sector 2

Status: Sector mismatch

Path: Volume E:\, Sector 3

Status: Sector mismatch

Path: Volume E:\, Sector 4

Status: Sector mismatch

Path: Volume E:\, Sector 5

Status: Sector mismatch

Path: Volume E:\, Sector 6

Status: Sector mismatch

Path: Volume E:\, Sector 7

Status: Sector mismatch

Path: Volume E:\, Sector 8

Status: Sector mismatch

Path: Volume E:\, Sector 9

Status: Sector mismatch

Path: Volume E:\, Sector 10

Status: Sector mismatch

Path: Volume E:\, Sector 11

Status: Sector mismatch

Path: Volume E:\, Sector 12

Status: Sector mismatch

Path: Volume E:\, Sector 13

Status: Sector mismatch

Path: Volume E:\, Sector 14

Status: Sector mismatch

Path: Volume E:\, Sector 15

Status: Sector mismatch

Path: Volume E:\, Sector 16

Status: Sector mismatch

Path: Volume E:\, Sector 17

Status: Sector mismatch

Path: Volume E:\, Sector 18

Status: Sector mismatch

Path: Volume E:\, Sector 19

Status: Sector mismatch

Path: Volume E:\, Sector 20

Status: Sector mismatch

Path: Volume E:\, Sector 21

Status: Sector mismatch

Path: Volume E:\, Sector 22

Status: Sector mismatch

Path: Volume E:\, Sector 23

Status: Sector mismatch

Path: Volume E:\, Sector 24

Status: Sector mismatch

Path: Volume E:\, Sector 25

Status: Sector mismatch

Path: Volume E:\, Sector 26

Status: Sector mismatch

Path: Volume E:\, Sector 27

Status: Sector mismatch

Path: Volume E:\, Sector 28

Status: Sector mismatch

Path: Volume E:\, Sector 29

Status: Sector mismatch

Path: Volume E:\, Sector 30

Status: Sector mismatch

Path: Volume E:\, Sector 31

Status: Sector mismatch

Path: Volume E:\, Sector 32

Status: Sector mismatch

Path: Volume E:\, Sector 33

Status: Sector mismatch

Path: Volume E:\, Sector 34

Status: Sector mismatch

Path: Volume E:\, Sector 35

Status: Sector mismatch

Path: Volume E:\, Sector 36

Status: Sector mismatch

Path: Volume E:\, Sector 37

Status: Sector mismatch

Path: Volume E:\, Sector 38

Status: Sector mismatch

Path: Volume E:\, Sector 39

Status: Sector mismatch

Path: Volume E:\, Sector 40

Status: Sector mismatch

Path: Volume E:\, Sector 41

Status: Sector mismatch

Path: Volume E:\, Sector 42

Status: Sector mismatch

Path: Volume E:\, Sector 43

Status: Sector mismatch

Path: Volume E:\, Sector 44

Status: Sector mismatch

Path: Volume E:\, Sector 45

Status: Sector mismatch

Path: Volume E:\, Sector 46

Status: Sector mismatch

Path: Volume E:\, Sector 47

Status: Sector mismatch

Path: Volume E:\, Sector 48

Status: Sector mismatch

Path: Volume E:\, Sector 49

Status: Sector mismatch

Path: Volume E:\, Sector 50

Status: Sector mismatch

Path: Volume E:\, Sector 51

Status: Sector mismatch

Path: Volume E:\, Sector 52

Status: Sector mismatch

Path: Volume E:\, Sector 53

Status: Sector mismatch

Path: Volume E:\, Sector 54

Status: Sector mismatch

Path: Volume E:\, Sector 55

Status: Sector mismatch

Path: Volume E:\, Sector 56

Status: Sector mismatch

Path: Volume E:\, Sector 57

Status: Sector mismatch

Path: Volume E:\, Sector 58

Status: Sector mismatch

Path: Volume E:\, Sector 59

Status: Sector mismatch

Path: Volume E:\, Sector 60

Status: Sector mismatch

Path: Volume E:\, Sector 61

Status: Sector mismatch

Path: Volume E:\, Sector 62

Status: Sector mismatch

SSDT

-------------------

#: 041 Function Name: NtCreateKey

Status: Hooked by "Lbd.sys" at address 0xf878687e

#: 247 Function Name: NtSetValueKey

Status: Hooked by "Lbd.sys" at address 0xf8786bfe

==EOF==
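The RootRepeal report above pairs every Path: line with the Status: line that follows it, and the finding that matters (the E:\ MBR flag plus sixty-two sector mismatches) sits among routine hive-log size mismatches and SSDT hooks from an anti-malware driver that was installed two days earlier. The Python triage script below is an added example, not RootRepeal's code and not from this thread: it parses the 1.3.5 report format shown above on a constructed, abridged sample and ranks what it finds. The severity rules, the low ranking of registry transaction logs, and the attribution of Lbd.sys to Lavasoft Ad-Aware (taken from the DDS log, where Lbd.sys is created at the same minute as the Lavasoft install) are assumptions of this example, not RootRepeal output.

```python
"""Added example: triage parser for RootRepeal 1.x text reports.
Not RootRepeal's code and not from the forum thread; severity rules are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed, abridged sample in the shape of the RootRepeal 1.3.5 report posted in the thread.
SAMPLE_REPORT = """\
Hidden/Locked Files
-------------------
Path: C:\\Documents and Settings\\Liz\\ntuser.dat.LOG
Status: Allocation size mismatch (API: 163840, Raw: 32768)
Path: C:\\WINDOWS\\SYSTEM32\\CONFIG\\SYSTEM.LOG
Status: Size mismatch (API: 1024, Raw: 61440)
Path: Volume E:\\
Status: MBR Rootkit Detected!
Path: Volume E:\\, Sector 1
Status: Sector mismatch
Path: Volume E:\\, Sector 2
Status: Sector mismatch
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf878687e
#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf8786bfe
==EOF==
"""

PATH_RE = re.compile(r"^Path:\s*(.+?)\s*$")
STATUS_RE = re.compile(r"^Status:\s*(.*?)\s*$")
SSDT_RE = re.compile(r"^#:\s*\d+\s+Function Name:\s*(\w+)$")
VOLUME_RE = re.compile(r"^Volume\s+([A-Z]:\\)$")
SECTOR_RE = re.compile(r"^Volume\s+([A-Z]:\\),\s*Sector\s+\d+$")
SIZE_RE = re.compile(r"^(Allocation size|Size) mismatch \(API: (\d+), Raw: (\d+)\)$")
HOOK_RE = re.compile(r'^Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)$')


@dataclass
class Findings:
    size_mismatches: list = field(default_factory=list)    # (path, kind, api_size, raw_size)
    mbr_volumes: set = field(default_factory=set)          # volumes flagged "MBR Rootkit Detected!"
    sector_mismatches: dict = field(default_factory=lambda: defaultdict(int))  # volume -> count
    ssdt_hooks: dict = field(default_factory=lambda: defaultdict(list))        # module -> [function]


def parse_report(text):
    """Pair each 'Path:' or '#: ... Function Name:' line with the 'Status:' line after it."""
    f = Findings()
    pending = None  # ("path", subject) or ("ssdt", function) waiting for its Status line
    for raw in text.splitlines():
        line = raw.strip()
        m = PATH_RE.match(line)
        if m:
            pending = ("path", m.group(1))
            continue
        m = SSDT_RE.match(line)
        if m:
            pending = ("ssdt", m.group(1))
            continue
        m = STATUS_RE.match(line)
        if not m or pending is None:
            continue  # "Status: -" under Drivers has no pending subject and is skipped
        kind, subject = pending
        status = m.group(1)
        pending = None
        if kind == "ssdt":
            h = HOOK_RE.match(status)
            if h:
                f.ssdt_hooks[h.group(1)].append(subject)
        elif status == "MBR Rootkit Detected!":
            v = VOLUME_RE.match(subject)
            if v:
                f.mbr_volumes.add(v.group(1))
        elif status == "Sector mismatch":
            s = SECTOR_RE.match(subject)
            if s:
                f.sector_mismatches[s.group(1)] += 1
        else:
            s = SIZE_RE.match(status)
            if s:
                f.size_mismatches.append((subject, s.group(1), int(s.group(2)), int(s.group(3))))
    return f


# Triage heuristics (assumptions of this example, not RootRepeal output): registry hive
# transaction logs are rewritten constantly, so an API-vs-raw size disagreement there is
# usually noise; Lbd.sys is attributed to Lavasoft Ad-Aware because the thread's DDS log
# shows it created in the same minute as the Lavasoft install.
HIVE_LOG_SUFFIXES = ("ntuser.dat.log", "system.log", "software.log")
KNOWN_SECURITY_DRIVERS = {"lbd.sys": "Lavasoft Ad-Aware driver, per the DDS log"}


def triage(f):
    """Return (severity, message) pairs, most serious first."""
    out = []
    for vol in sorted(f.mbr_volumes):
        n = f.sector_mismatches.get(vol, 0)
        out.append(("HIGH", f"{vol} MBR rootkit flagged; {n} sector(s) differ between API and raw read"))
    for vol, n in sorted(f.sector_mismatches.items()):
        if vol not in f.mbr_volumes:
            out.append(("MEDIUM", f"{vol} has {n} sector mismatch(es) without an MBR flag"))
    for mod, fns in sorted(f.ssdt_hooks.items()):
        who = KNOWN_SECURITY_DRIVERS.get(mod.lower())
        if who:
            out.append(("INFO", f"SSDT hooks by {mod} on {', '.join(fns)} ({who})"))
        else:
            out.append(("MEDIUM", f"SSDT hooks by unattributed {mod} on {', '.join(fns)}; verify the driver's origin"))
    for path, kind, api, raw in f.size_mismatches:
        sev = "LOW" if path.lower().endswith(HIVE_LOG_SUFFIXES) else "MEDIUM"
        out.append((sev, f"{kind} mismatch on {path}: API {api} vs raw {raw}"))
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}
    out.sort(key=lambda item: rank[item[0]])  # stable sort keeps insertion order within a level
    return out


if __name__ == "__main__":
    for severity, message in triage(parse_report(SAMPLE_REPORT)):
        print(f"[{severity}] {message}")
```

Run it as-is on the embedded sample, or feed it the contents of a saved RootRepeal.txt; the sort puts the MBR finding first so it is not lost among the .LOG size mismatches that appear on most healthy XP systems, while a hook from a driver that is not on the allowlist is ranked for follow-up rather than dismissed.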


Thanks!

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Success! I rebooted and ran RootRepeal; here is the report and the latest DDS report.

ROOTREPEAL © AD, 2007-2010

==================================================

Report Save Time: 2010/05/24 14:15

Program Version: Version 2.0.0.0

Windows Version: Windows XP SP3

==================================================

DRIVERS

-------------------

File Invisible dump_atapi.sys 0xeefe4000 C:\WINDOWS\System32\Drivers\dump_atapi.sys, 98304 bytes

File Invisible dump_WMILIB.SYS 0xf8c4e000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS, 8192 bytes

File Invisible rootrepeal.sys 0xede87000 C:\WINDOWS\system32\drivers\rootrepeal.sys, 49152 bytes

PROCESSES

-------------------

4 - System

172 - C:\PROGRAM FILES\MICROSOFT SECURITY ESSENTIALS\MSSECES.EXE

180 - C:\WINDOWS\SYSTEM32\WUAUCLT.EXE

184 - C:\PROGRAM FILES\SEAGATE\SEAGATEMANAGER\FREEAGENT STATUS\STXMENUMGR.EXE

236 - C:\WINDOWS\SYSTEM32\CTFMON.EXE

248 - C:\PROGRAM FILES\LOGMEIN\X86\LMIGUARDIAN.EXE

448 - C:\WINDOWS\SYSTEM32\SMSS.EXE

476 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE

516 - C:\WINDOWS\SYSTEM32\CSRSS.EXE

556 - C:\WINDOWS\SYSTEM32\WINLOGON.EXE

612 - C:\WINDOWS\SYSTEM32\SERVICES.EXE

624 - C:\WINDOWS\SYSTEM32\LSASS.EXE

792 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE

880 - C:\PROGRAM FILES\LOGMEIN\X86\LOGMEIN.EXE

928 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE

1004 - C:\PROGRAM FILES\MICROSOFT SECURITY ESSENTIALS\MSMPENG.EXE

1144 - C:\PROGRAM FILES\SEAGATE\SEAGATEMANAGER\SYNC\FREEAGENTSERVICE.EXE

1180 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE

1376 - C:\PROGRAM FILES\NERO\NERO 7\INCD\INCDSRV.EXE

1384 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE

1436 - C:\WINDOWS\EXPLORER.EXE

1492 - C:\WINDOWS\SYSTEM32\SVCHOST.EXE

1540 - C:\PROGRAM FILES\LOGMEIN\X86\RAMAINT.EXE

1628 - C:\PROGRAM FILES\LAVASOFT\AD-AWARE\AAWSERVICE.EXE

1760 - C:\WINDOWS\SYSTEM32\SPOOLSV.EXE

1944 - C:\PROGRAM FILES\LOGMEIN\X86\LOGMEINSYSTRAY.EXE

1956 - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_S0EIC1.EXE

1976 - C:\PROGRAM FILES\NERO\NERO 7\INCD\NBHGUI.EXE

2040 - C:\PROGRAM FILES\NERO\NERO 7\INCD\INCD.EXE

2104 - C:\PROGRAM FILES\LOGMEIN\X86\LMIGUARDIAN.EXE

2132 - C:\WINDOWS\SYSTEM32\NVSVC32.EXE

2392 - C:\WINDOWS\SYSTEM32\WUAUCLT.EXE

2912 - C:\WINDOWS\SYSTEM32\WBEM\UNSECAPP.EXE

3120 - C:\WINDOWS\SYSTEM32\ALG.EXE

3128 - C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE

3348 - C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE

3612 - F:\RootRepeal.exe

4016 - C:\Program Files\Lavasoft\Ad-Aware\ThreatWork.exe

FILES

-------------------

Mismatch C:\WINDOWS\TEMP\MpCmdRun.log, Size mismatch (API: 524288, Raw: 148062)

Sector E:\

Sector E:\

MBR E:\

STEALTH CODE

-------------------

HIDDEN SERVICES

-------------------

SSDT

-------------------

SYSCALL OK, INT 0x2E OK, ServiceTable OK, Driver IAT OK

NtCreateKey Lbd.sys 0xf878687e

NtSetValueKey Lbd.sys 0xf8786bfe

SHADOW SSDT

-------------------

CALLBACKS

-------------------

*****************************************************************

DDS (Ver_10-03-17.01) - FAT32x86

Run by Liz at 14:32:41.40 on Mon 05/24/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.157 [GMT -6:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

SVCHOST.EXE

C:\Program Files\Microsoft Security Essentials\MsMpEng.exe

SVCHOST.EXE

C:\WINDOWS\Explorer.EXE

SVCHOST.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

C:\Program Files\Nero\Nero 7\InCD\InCD.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

SVCHOST.EXE

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\wuauclt.exe

F:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://dons.com/

uInternet Connection Wizard,ShellNext = iexplore

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [EPSON Stylus Photo 820 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s0eic1.exe /a "c:\windows\system32\E_SD.tmp"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

mRun: [nwiz] nwiz.exe /install

mRun: [siSUSBRG] c:\windows\SiSUSBrg.exe

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [EPSON Stylus Photo 820 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [securDisc] c:\program files\nero\nero 7\incd\NBHGui.exe

mRun: [inCD] c:\program files\nero\nero 7\incd\InCD.exe

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-22 64288]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1228208]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-12-17 47640]

R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-10-28 177280]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-05-24 17:21:13 0 ----a-w- c:\documents and settings\liz\defogger_reenable

2010-05-24 01:26:29 0 d-----w- c:\program files\Seagate

2010-05-24 01:26:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Seagate

2010-05-24 01:25:28 0 d-sh--w- c:\windows\ftpcache

2010-05-24 01:11:39 0 d-----w- c:\program files\Microsoft Security Essentials

2010-05-23 18:27:56 0 d-----w- C:\Steve

2010-05-23 18:21:27 0 d-----w- c:\program files\Trend Micro

2010-05-22 21:34:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-05-22 21:33:34 0 d--h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-05-22 21:33:09 0 d-----w- c:\program files\Lavasoft

2010-05-22 20:27:16 0 d-sh--w- C:\Recycled

2010-05-22 18:29:23 0 d-sha-r- C:\cmdcons

2010-05-22 18:26:48 98816 ----a-w- c:\windows\sed.exe

2010-05-22 18:26:48 77312 ----a-w- c:\windows\MBR.exe

2010-05-22 18:26:48 256512 ----a-w- c:\windows\PEV.exe

2010-05-22 18:26:48 161792 ----a-w- c:\windows\SWREG.exe

2010-05-22 17:35:28 49265 ----a-w- c:\windows\system32\jpicpl32.cpl

2010-05-22 17:20:22 0 d-----w- c:\windows\system32\appmgmt

2010-05-22 15:38:19 0 d--h--w- c:\windows\PIF

2010-05-21 23:12:22 0 d-----w- c:\docume~1\liz\applic~1\Malwarebytes

2010-05-21 23:11:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-21 23:11:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-05-21 23:11:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-21 23:11:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-17 15:05:31 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-05-17 15:05:31 215920 ----a-w- c:\windows\system32\muweb.dll

2010-05-17 15:05:31 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2010-05-16 01:21:33 221568 ------w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll

2010-03-04 20:11:58 111 ----a-w- c:\program files\WS_FTP.LOG

2010-03-03 04:36:00 18702178 ----a-w- c:\program files\HB20100302203045.bkp

2010-02-25 17:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-02-24 13:11:08 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2010-02-24 09:54:26 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-02-01 21:26:56 98180904 ----a-w- c:\program files\iTunesSetup.exe

2005-12-21 03:59:36 349182 ----a-w- c:\program files\pow101m-upd.zip

2005-12-21 03:55:54 8922629 ----a-w- c:\program files\powsetup.exe

============= FINISH: 14:33:55.69 ===============


Here is the combo-fix report you requested.

ComboFix 10-05-24.03 - Liz 05/24/2010 14:49:40.3.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.229 [GMT -6:00]

Running from: F:\Combo-Fix.exe

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))

.

2010-05-24 01:48 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\MPSigStub.exe

2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\PCHealth

2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth

2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\program files\Seagate

2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate

2010-05-24 01:25 . 2010-05-24 01:25 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\Downloaded Installations

2010-05-24 01:25 . 2010-05-24 01:25 -------- d-sh--w- c:\windows\ftpcache

2010-05-24 01:11 . 2010-05-24 01:11 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-05-23 18:27 . 2010-05-23 18:27 -------- d-----w- C:\Steve

2010-05-23 18:21 . 2010-05-23 18:21 -------- d-----w- c:\program files\Trend Micro

2010-05-22 21:34 . 2010-05-22 21:34 -------- d-----w- c:\windows\system32\DRVSTORE

2010-05-22 21:34 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-05-22 21:33 . 2010-05-22 21:33 -------- d--h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-05-22 21:33 . 2010-02-04 15:53 2954656 ----a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\program files\Lavasoft

2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-05-22 17:48 . 2010-05-22 17:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2010-05-22 15:38 . 2010-05-22 15:38 -------- d--h--w- c:\windows\PIF

2010-05-21 23:12 . 2010-05-21 23:12 -------- d-----w- c:\documents and settings\Liz\Application Data\Malwarebytes

2010-05-21 23:11 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-21 23:11 . 2010-05-21 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-21 23:11 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-21 23:11 . 2010-05-21 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-17 15:05 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-05-17 15:05 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll

2010-05-16 01:21 . 2010-05-12 17:21 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-12 17:21 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\MPSigStub.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-10 06:15 . 2004-09-15 04:12 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-04 20:11 . 2010-03-04 20:11 111 ----a-w- c:\program files\WS_FTP.LOG

2010-03-03 04:36 . 2010-03-03 04:36 18702178 ----a-w- c:\program files\HB20100302203045.bkp

2010-02-25 06:24 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2001-08-23 18:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-01 21:26 . 2010-02-01 21:26 98180904 ----a-w- c:\program files\iTunesSetup.exe

2005-12-21 03:59 . 2005-12-21 03:59 349182 ----a-w- c:\program files\pow101m-upd.zip

2005-12-21 03:55 . 2005-12-21 03:55 8922629 ----a-w- c:\program files\powsetup.exe

.

((((((((((((((((((((((((((((( SnapShot@2010-05-22_18.39.52 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-07-29 14:05 . 2008-07-29 14:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll

+ 2008-07-29 14:05 . 2008-07-29 14:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll

+ 2008-07-29 14:05 . 2008-07-29 14:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll

+ 2008-07-29 14:05 . 2008-07-29 14:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll

+ 2008-07-29 14:05 . 2008-07-29 14:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll

+ 2008-07-29 14:05 . 2008-07-29 14:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll

+ 2008-07-29 14:05 . 2008-07-29 14:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll

+ 2008-07-29 14:05 . 2008-07-29 14:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll

+ 2008-07-29 14:05 . 2008-07-29 14:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll

+ 2008-07-29 14:05 . 2008-07-29 14:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll

+ 2008-07-29 14:05 . 2008-07-29 14:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll

+ 2008-07-29 12:07 . 2008-07-29 12:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll

+ 2008-07-29 12:07 . 2008-07-29 12:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll

+ 2008-07-29 12:07 . 2008-07-29 12:07 80896 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90ud.dll

+ 2008-07-29 12:07 . 2008-07-29 12:07 80896 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90d.dll

+ 2010-05-22 21:34 . 2010-02-04 15:53 64288 c:\windows\system32\DRVSTORE\lbd_B425E86B28F27CC7F4A0CAF275F9F2789F3C6909\Lbd.sys

+ 2003-06-30 07:13 . 2010-05-24 06:34 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2003-06-30 07:13 . 2008-12-29 18:06 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2003-06-30 07:13 . 2010-05-24 06:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2003-06-30 07:13 . 2008-12-29 18:06 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2003-06-30 07:13 . 2008-12-29 18:06 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2010-05-24 06:34 . 2010-05-24 06:34 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2010-05-22 21:33 . 2010-05-22 21:33 29926 c:\windows\Installer\{338F08AB-C262-42C7-B000-34DE1A475273}\_6FEFF9B68218417F98F549.exe

+ 2010-05-24 01:29 . 2010-05-24 01:29 87376 c:\windows\Installer\{2A30052B-831C-41D3-8044-3C0388066350}\NewShortcut3_3AA20A2C6BEF43A6A3B4F09C5D78D1D4.exe

+ 2010-05-24 01:29 . 2010-05-24 01:29 87376 c:\windows\Installer\{2A30052B-831C-41D3-8044-3C0388066350}\NewShortcut2_B7AA0888E8864144BA725EAA61DC15D5.exe

+ 2010-05-24 01:29 . 2010-05-24 01:29 50512 c:\windows\Installer\{2A30052B-831C-41D3-8044-3C0388066350}\NewShortcut1_68F918D3F91F411B8936985CC2BD4192.exe

+ 2010-05-24 01:29 . 2010-05-24 01:29 87376 c:\windows\Installer\{2A30052B-831C-41D3-8044-3C0388066350}\ARPPRODUCTICON.exe

+ 2008-07-29 14:05 . 2008-07-29 14:05 875520 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcp90d.dll

+ 2008-07-29 09:54 . 2008-07-29 09:54 312832 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcm90d.dll

+ 2009-07-12 06:02 . 2009-07-12 06:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll

+ 2009-07-12 06:02 . 2009-07-12 06:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll

+ 2009-07-12 06:05 . 2009-07-12 06:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll

+ 2008-07-29 14:05 . 2008-07-29 14:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll

+ 2008-07-29 14:05 . 2008-07-29 14:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll

+ 2008-07-29 09:54 . 2008-07-29 09:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll

+ 2008-07-29 14:05 . 2008-07-29 14:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll

+ 2009-12-02 21:23 . 2009-12-02 21:23 149040 c:\windows\system32\drivers\MpFilter.sys

+ 2010-05-24 01:11 . 2010-05-24 01:12 272384 c:\windows\Installer\9b1ae.msi

+ 2010-05-24 01:11 . 2010-05-24 01:11 254976 c:\windows\Installer\9b1a8.msi

+ 2010-05-24 01:11 . 2010-05-24 01:11 301056 c:\windows\Installer\9b1a2.msi

+ 2010-05-22 21:33 . 2010-05-22 21:33 167424 c:\windows\Installer\96f029.msi

+ 2010-05-22 21:33 . 2010-05-22 21:33 236032 c:\windows\Installer\96f01b.msi

+ 2008-07-29 14:05 . 2008-07-29 14:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll

+ 2008-07-29 14:05 . 2008-07-29 14:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll

+ 2008-07-29 14:05 . 2008-07-29 14:05 5982720 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90ud.dll

+ 2008-07-29 14:05 . 2008-07-29 14:05 5937144 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90d.dll

+ 2008-07-29 14:05 . 2008-07-29 14:05 1180672 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcr90d.dll

+ 2010-05-24 01:29 . 2010-05-24 01:29 3668992 c:\windows\Installer\9b412.msi

+ 2010-05-22 21:33 . 2010-05-22 21:33 1859072 c:\windows\Installer\96f024.msi

+ 2005-09-18 18:39 . 2010-04-30 17:51 32058312 c:\windows\system32\MRT.exe

- 2005-09-18 18:39 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="NvQTwk" [X]

"nwiz"="nwiz.exe" [2002-07-16 372736]

"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-26 102400]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]

"EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]

"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Reboot.exe [2002-3-20 382464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=

"c:\\Program Files\\Previews on Windows\\rteng6.exe"=

"c:\\Program Files\\Previews on Windows\\preorder.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/22/2010 3:34 PM 64288]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]

R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [10/28/2002 11:57 PM 177280]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1228208]

--- Other Services/Drivers In Memory ---

*Deregistered* - PROCEXP141

.

Contents of the 'Scheduled Tasks' folder

2010-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1202660629-1343024091-1003Core1cac69baaf0f680.job

- c:\documents and settings\Liz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-02 22:23]

2010-05-24 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]

2010-05-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:53]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://dons.com/

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-24 14:58

Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)

c:\windows\system32\wininet.dll

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(532)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-05-24 15:02:25

ComboFix-quarantined-files.txt 2010-05-24 21:02

ComboFix2.txt 2010-05-22 20:13

ComboFix3.txt 2010-05-22 18:43

Pre-Run: 7,738,195,968 bytes free

Post-Run: 7,882,997,760 bytes free

- - End Of File - - C858E7682DFDFA77A8CF34A60AC724D6


Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=51456

KillAll::

Collect::
c:\documents and settings\Administrator\Start Menu\Programs\Startup\Reboot.exe

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


After reboot started, Combo-fix restarted.

A program, SecurDisc also loaded, unsure if that is part of Combo-fix.

Then it says Combofix needs to submit malware for further analysis.

Here is the log file.

ComboFix 10-05-24.03 - Liz 05/24/2010 15:53:06.4.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.188 [GMT -6:00]

Running from: F:\Combo-Fix.exe

Command switches used :: F:\cfscript.txt

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

file zipped: c:\documents and settings\Administrator\Start Menu\Programs\Startup\Reboot.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\Reboot.exe

E:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))

.

2010-05-24 21:48 . 2010-05-25 09:40 -------- d-----w- C:\32788R22FWJFW

2010-05-24 01:48 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\MPSigStub.exe

2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\PCHealth

2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth

2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\program files\Seagate

2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate

2010-05-24 01:25 . 2010-05-24 01:25 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\Downloaded Installations

2010-05-24 01:25 . 2010-05-24 01:25 -------- d-sh--w- c:\windows\ftpcache

2010-05-24 01:11 . 2010-05-24 01:11 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-05-23 18:27 . 2010-05-23 18:27 -------- d-----w- C:\Steve

2010-05-23 18:21 . 2010-05-23 18:21 -------- d-----w- c:\program files\Trend Micro

2010-05-22 21:34 . 2010-05-22 21:34 -------- d-----w- c:\windows\system32\DRVSTORE

2010-05-22 21:34 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-05-22 21:33 . 2010-05-22 21:33 -------- d--h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-05-22 21:33 . 2010-02-04 15:53 2954656 ----a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\program files\Lavasoft

2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-05-22 17:48 . 2010-05-22 17:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2010-05-22 15:38 . 2010-05-22 15:38 -------- d--h--w- c:\windows\PIF

2010-05-21 23:12 . 2010-05-21 23:12 -------- d-----w- c:\documents and settings\Liz\Application Data\Malwarebytes

2010-05-21 23:11 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-21 23:11 . 2010-05-21 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-21 23:11 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-21 23:11 . 2010-05-21 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-17 15:05 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-05-17 15:05 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll

2010-05-16 01:21 . 2010-05-12 17:21 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-12 17:21 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\MPSigStub.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-10 06:15 . 2004-09-15 04:12 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-04 20:11 . 2010-03-04 20:11 111 ----a-w- c:\program files\WS_FTP.LOG

2010-03-03 04:36 . 2010-03-03 04:36 18702178 ----a-w- c:\program files\HB20100302203045.bkp

2010-02-25 06:24 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2001-08-23 18:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-01 21:26 . 2010-02-01 21:26 98180904 ----a-w- c:\program files\iTunesSetup.exe

2005-12-21 03:59 . 2005-12-21 03:59 349182 ----a-w- c:\program files\pow101m-upd.zip

2005-12-21 03:55 . 2005-12-21 03:55 8922629 ----a-w- c:\program files\powsetup.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="NvQTwk" [X]

"nwiz"="nwiz.exe" [2002-07-16 372736]

"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-26 102400]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]

"EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]

"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=

"c:\\Program Files\\Previews on Windows\\rteng6.exe"=

"c:\\Program Files\\Previews on Windows\\preorder.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/22/2010 3:34 PM 64288]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1228208]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]

R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [10/28/2002 11:57 PM 177280]

.

Contents of the 'Scheduled Tasks' folder

2010-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1202660629-1343024091-1003Core1cac69baaf0f680.job

- c:\documents and settings\Liz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-02 22:23]

2010-05-24 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]

2010-05-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:53]

2010-05-24 c:\windows\Tasks\MpIdleTask.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 00:02]

2010-05-24 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 00:02]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://dons.com/

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-24 16:12

Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)

c:\windows\system32\wininet.dll

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(3488)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\LMIRfsClientNP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Essentials\MsMpEng.exe

c:\program files\Nero\Nero 7\InCD\InCDsrv.exe

c:\program files\LogMeIn\x86\RaMaint.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\LogMeIn\x86\LMIGuardian.exe

c:\windows\System32\nvsvc32.exe

c:\windows\System32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

c:\program files\LogMeIn\x86\LMIGuardian.exe

.

**************************************************************************

.

Completion time: 2010-05-24 16:22:16 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-24 22:22

ComboFix2.txt 2010-05-24 21:02

ComboFix3.txt 2010-05-22 20:13

ComboFix4.txt 2010-05-22 18:43

Pre-Run: 7,901,478,912 bytes free

Post-Run: 7,865,499,648 bytes free

- - End Of File - - BBF61B39233E4069E82358992F241D7A

Upload was successful

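An added example, not part of the thread and not ComboFix's own code: a small Python triage pass over the ComboFix log format shown in the two reports above. It buckets lines by their section banner and then flags what a helper reads first: an Autorun.inf listed under Other Deletions, a bare executable (rather than a shortcut) sitting in a Startup folder like the Reboot.exe collected above, Run entries whose target file is missing (ComboFix marks these "[X]"), LoadAppInit_DLLs being on, and drivers written during the scan window. The sample log embedded in the block is constructed from entries modelled on these reports; the regular expressions describe the line shapes seen here, and the severity labels are heuristics chosen for this example, not anything ComboFix emits.

```python
"""Triage pass over a ComboFix log (the format posted in this thread).
Added example: not ComboFix's own code. Regexes match the line shapes in the
reports above; severity labels are heuristics chosen for this example."""
import re

# Section banners look like: ((((( Files Created from 2010-04-24 to 2010-05-24 )))))
BANNERS = {"Other Deletions": "deletions", "Files Created": "created",
           "Find3M Report": "find3m", "Reg Loading Points": "autostart"}

# <created> . <modified> <size, or -------- for a directory> <attrs> <path>
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
                     r"(\d+|-+) (\S{8}) (.+)$")
# "Name"="target" [YYYY-MM-DD size]   or   "Name"="target" [X]  (target not on disk)
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(X|\d{4}-\d{2}-\d{2} \d+)\]$')
# Startup-folder item:  Reboot.exe [2002-3-20 382464]  or  Foo.lnk - c:\target.exe [date size]
STARTUP_RE = re.compile(r"^(.+?)(?: - (.+?))? \[(\d{4}-\d{1,2}-\d{1,2}) (\d+)\]$")
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")

# Constructed sample, modelled on entries from the reports in this thread.
SAMPLE_LOG = r"""
((((((((((( Other Deletions )))))))))))
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\Reboot.exe
E:\Autorun.inf
.
((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))
.
2010-05-22 21:34 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-21 23:12 . 2010-05-21 23:12 -------- d-----w- c:\documents and settings\Liz\Application Data\Malwarebytes
.
((((((((((( Reg Loading Points )))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Reboot.exe [2002-3-20 382464]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"""


def split_sections(text):
    """Bucket non-empty lines under the section whose banner most recently appeared."""
    sections = {name: [] for name in BANNERS.values()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if "((((" in line:                                   # a section banner
            current = next((BANNERS[k] for k in BANNERS if k in line), None)
        elif line.startswith(("-------", "*****", "Contents of")):
            current = None                                   # sections this pass ignores
        elif current:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (severity, reason, detail) tuples a helper would look at first."""
    sections = split_sections(text)
    findings = []

    for line in sections["deletions"]:
        if line.lower().endswith("autorun.inf"):
            findings.append(("high", "autorun.inf removed", line))
        else:
            findings.append(("info", "file removed by ComboFix", line))

    context = None      # registry key or startup folder the following lines belong to
    for line in sections["autostart"]:
        key = KEY_RE.match(line)
        if key:
            context = key.group(1)
        elif line.endswith("\\"):                            # e.g. ...\Programs\Startup\
            context = line
        elif line.startswith('"LoadAppInit_DLLs"=1'):
            findings.append(("medium", "LoadAppInit_DLLs is on; review AppInit_DLLs", context))
        elif (run := RUN_RE.match(line)):
            if run.group(3) == "X":
                findings.append(("low", "Run entry whose target file is missing", run.group(1)))
        elif context and context.lower().endswith("\\startup\\"):
            item = STARTUP_RE.match(line)
            # Shortcuts (.lnk) are normal in a Startup folder; a bare executable is not.
            if item and item.group(1).lower().endswith(".exe"):
                findings.append(("high", "bare executable in a Startup folder",
                                 context + item.group(1)))

    for line in sections["created"] + sections["find3m"]:
        entry = FILE_RE.match(line)
        if entry and "\\drivers\\" in entry.group(5).lower():
            findings.append(("medium", "kernel driver written in the scan window", entry.group(5)))
    return findings


if __name__ == "__main__":
    for severity, reason, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}: {detail}")
```

Run it against a saved ComboFix.txt by passing the file contents to triage(). The driver check deliberately reports every .sys written in the window, including legitimate ones such as the Ad-Aware Lbd.sys above; it is a reading list for the helper, not a verdict.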

Please do the following to see if it resolves the issue.

Temporarily disable your Anti-Virus and other security software while installing and running.

Windows XP:

  • Click on Start and select Control Panel
  • Open Add/Remove Programs
  • Uninstall Malwarebytes' Anti-Malware
  • Restart your computer (very important)
  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so (very important)
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
  • Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now set up any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQs here or post to ask and we'll explain how to do it.


Delete your copy of ComboFix and:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do not fix anything on your own or run scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

