
I've been fighting malware/viruses for the past 3 weeks using Malwarebytes, McAfee Antivirus, Spybot, Microsoft Malicious Software Removal Tool and yesterday and today Kaspersky - today I ran full scans using all but Spybot (ran Spybot yesterday) with no infections detected on any of them. The only thing I'm still troubled with is google redirects - due to virus? Microsoft technician told me that the google toolbar has been experiencing problems and to use bing.com for searches. Can I assume my computer is clean? Last Monday I had a call from my bank alerting me of an attempted fraudulent wire transfer - unsuccessful thankfully but I am very paranoid now with all that has occurred! Any recommendations? Thanks in advance for your help!


Hello cgrammie2! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on this.

The only thing I'm still troubled with is google redirects - due to virus?

Yes, your system is still infected.

Microsoft technician told me that the google toolbar has been experiencing problems and to use bing.com for searches.

Typically, in their style.

Can I assume my computer is clean?

I'm not sure. Please follow these instructions and post the results in your next reply:

http://forums.malwarebytes.org/index.php?showtopic=9573


Yes, it's legitimate. :)

Hello again Borislav - Help!

Once again when I typed in http://www.malwarebytes.org/mbam-download.php I've been redirected to yet another website. First it was majorgeeks.com and now it's http://fileforum.betanews.com/detail/Malwa...tes-AntiMalware. Is this a legitimate site to download as you instructed? I'm sorry to be so paranoid but I've had too many problems for weeks now! I can't seem to even get past step one in trying to clean up my computer. Please let me know as soon as possible (I realize there's a huge time difference).


Yes, it's legitimate too. :)

Hello!

I have progressed to the disable CD-ROM Emulation step - however DeFogger did not prompt me to reboot my machine - I've been waiting about 10 minutes. Here is the log.

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 05:34 on 01/06/2010 (Linda Cross)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

what is my next step? Thank you!


I have completed these steps and in a new post sent in the logs as instructed. Please let me know what to do next. Should I re-enable DeFogger? I won't proceed until hearing from you. I'll be going out of town Thursday (for several days) and would like to have this cleaned up before then if possible. My roommate has no computer knowledge and won't be able to work on this in my absence.


I have one more concern - I've just received a red alert from the Kaspersky removal tool on my computer indicating a malicious object has been detected. Is it safe to go ahead and run the scan with everything else I've been working on today (see my previous posts)? Thank you!!


Where? What about the GMER log? What about the DDS log with Attach.txt?

You posted the Defogger log only.

My apologies! This is info I posted yesterday -

This is the most recent Malwarebytes log I have - dated 5/24/10 - despite the fact that I've run scans almost daily - in fact I ran a full scan this morning - no log - no infections detected. My most recent mbam logs were directed to C:\Program Files\Malwarebytes' Antimalware\mbam-log-2010-05-24 (19-14-05) - sorry there are no more recent mbam logs - I know this info no longer applies. Thank you for your help! DDS and GMER logs follow below.

-------------------------------------------------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4140

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/24/2010 7:14:05 PM

mbam-log-2010-05-24 (19-14-05).txt

Scan type: Full scan (C:\|)

Objects scanned: 214792

Time elapsed: 1 hour(s), 6 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\Data Protection (Rogue.DataProtection) -> No action taken.

Files Infected:

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2009\A0293236.dll (Malware.Packer.Gen) -> No action taken.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2011\A0293390.dll (Malware.Packer.Gen) -> No action taken.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2011\A0293391.dll (Malware.Packer.Gen) -> No action taken.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2011\A0293395.exe (Malware.Packer.Gen) -> No action taken.

----------------------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86

Run by Linda Cross at 9:43:09.06 on Tue 06/01/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.199 [GMT -7:00]

AV: Data Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Documents and Settings\Linda Cross\Desktop\Virus Removal Tool1\setup_9.0.0.722_01.06.2010_09-31[1]\setup_9.0.0.722_01.06.2010_09-31[1].exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\Linda Cross\Local Settings\Temporary Internet Files\Content.IE5\V4J5P2X8\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://phoenix.cox.net/cci/home

uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

mURLSearchHooks: H - No File

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

EB: {FE54FA40-D68C-11D2-98FA-00C0F0318AFE} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

StartupFolder: c:\docume~1\lindac~1\startm~1\programs\startup\setup_~2.lnk - c:\documents and settings\linda cross\desktop\virus removal tool1\setup_9.0.0.722_01.06.2010_09-31[1]\startup.exe

StartupFolder: c:\docume~1\lindac~1\startm~1\programs\startup\setup_~1.lnk - c:\documents and settings\linda cross\desktop\virus removal tool\setup_9.0.0.722_28.05.2010_11-31\startup.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: alpineaccess.com

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: musicmatch.com\online

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238559981937

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5957/mcfscan.cab

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

mASetup: {33E00BF6-D344-4362-838B-2F9790234042} - rundll32 qfoneu71.dll,laspi

============= SERVICES / DRIVERS ===============

R0 00164472;00164472 Boot Guard Driver;c:\windows\system32\drivers\00164472.sys [2010-5-28 37392]

R0 11906432;11906432 Boot Guard Driver;c:\windows\system32\drivers\11906432.sys [2010-5-31 37392]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-10-5 385536]

R1 00164471;00164471;c:\windows\system32\drivers\00164471.sys [2010-5-28 128016]

R1 11906431;11906431;c:\windows\system32\drivers\11906431.sys [2010-5-31 128016]

R1 bfbe;bfbe;c:\windows\system32\bfbe.sys [2010-4-21 75264]

R1 setup_9.0.0.722_01.06.2010_09-31[1]drv;setup_9.0.0.722_01.06.2010_09-31[1]drv;c:\windows\system32\drivers\1190643.sys [2010-5-31 315408]

R1 setup_9.0.0.722_28.05.2010_11-31drv;setup_9.0.0.722_28.05.2010_11-31drv;c:\windows\system32\drivers\0016447.sys [2010-5-28 315408]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-5-12 203280]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-5-12 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-5-12 144704]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-5-12 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-16 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-10-5 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-10-5 40552]

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S1 MpKsla3c22b50;MpKsla3c22b50;\??\c:\windows\system32\mpenginestore\mpksla3c22b50.sys --> c:\windows\system32\mpenginestore\MpKsla3c22b50.sys [?]

S2 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]

S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-10-5 34248]

S3 utqxodiy;AVZ Kernel Driver;c:\windows\system32\drivers\utqxodiy.sys [2010-6-1 7168]

=============== Created Last 30 ================

2010-06-01 12:34:50 0 ----a-w- c:\documents and settings\linda cross\defogger_reenable

2010-06-01 07:14:37 7168 ----a-w- c:\windows\system32\drivers\utqxodiy.sys

2010-06-01 06:56:46 37392 ----a-w- c:\windows\system32\drivers\11906432.sys

2010-06-01 06:56:46 315408 ----a-w- c:\windows\system32\drivers\1190643.sys

2010-06-01 06:56:46 128016 ----a-w- c:\windows\system32\drivers\11906431.sys

2010-05-28 17:52:33 3247 ----a-w- c:\windows\system32\wbem\Outlook_01cafe8e8cb9d7e2.mof

2010-05-28 08:18:40 37392 ----a-w- c:\windows\system32\drivers\00164472.sys

2010-05-28 08:18:40 315408 ----a-w- c:\windows\system32\drivers\0016447.sys

2010-05-28 08:18:40 128016 ----a-w- c:\windows\system32\drivers\00164471.sys

2010-05-28 07:35:09 0 d-----w- C:\ea

2010-05-24 22:27:36 4224 ----a-w- c:\windows\system32\drivers\RDPCDD.SYS

2010-05-24 19:59:52 0 d-----w- c:\windows\system32\MpEngineStore

2010-05-22 12:50:35 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-05-20 21:02:22 10218 ----a-w- c:\windows\system32\rof

2010-05-20 21:02:21 67584 ----a-w- c:\windows\system32\klgd.bmp

2010-05-20 12:47:38 7304 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-05-20 01:55:16 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard

2010-05-20 01:55:10 7000064 ---ha-w- C:\SZKGFS.dat

2010-05-20 01:53:50 0 d-----w- c:\program files\common files\iS3

2010-05-20 01:53:48 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!

2010-05-17 21:28:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-17 21:28:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-17 00:54:32 0 ----a-w- C:\debug

2010-05-17 00:40:39 112 ----a-w- c:\docume~1\alluse~1\applic~1\JOJr2m.dat

2010-05-15 19:13:29 0 d-----w- c:\program files\RegWork

2010-05-12 17:14:47 13169 ----a-w- c:\windows\system32\Config.MPF

2010-05-12 16:28:51 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2010-05-12 16:28:02 0 d-----w- c:\program files\common files\McAfee

2010-05-12 13:52:53 0 d-----w- C:\mb

2010-05-12 13:40:42 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-05-11 06:32:42 0 d-----w- c:\windows\system32\NtmsData

==================== Find3M ====================

2010-05-12 18:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-04-29 02:51:30 10752 ----a-w- C:\exefix_xp.com

2010-04-26 22:58:12 256512 ----a-w- c:\windows\PEV.exe

2010-04-21 17:15:23 75264 ----a-w- c:\windows\system32\bfbe.sys

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll

2008-07-26 20:59:27 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072620080727\index.dat

============= FINISH: 9:47:02.21 ===============

Attachment: Attach.txt.zip (11.17K)

29 May 2010

--------------------------------------------------

After GMER completed I clicked on Internet Explorer so that I could post the logs - a blue screen appeared with the following information:

STOP.c0000145 {Application Error} the application failed to initialize properly (0xc0000005). Click on OK to terminate the application.

Beginning dump of physical memory

Physical memory dump complete. Contact your system administrator or technical support group for further assistance.

At this point I restarted my machine and received the following error message:

Microsoft Windows error message -

The system has recovered from a serious error. A log of this error has been created - for more information click here. This is the information that came up when I clicked:

Error signature

BC Code: c0000145

BCP1: C0000005

BCP2: 00000000

BCP3: 00000000

BCP4: 00000000

OS Ver: 5_1_2600

SP: 3_0

PRODUCT: 768_1

To view technical information about the error report, click here:

Error Report Contents:

The following files will be included in this error report:

c:\DOCUME~1\LINDAC~1\Temp\WERaff5.dir00\Mini060110-01.dmp

c:\DOCUME~1\LINDAC~1\Temp\WERaff5.dir00\sysdata

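The DDS log above is what a helper reads first, and most of the triage is mechanical: which services and drivers DDS could not find on disk (the `[?]` entries), which driver files are only days old, and which newly created files carry the hidden attribute. The following parser is an added example written for this thread; it is not DDS, Malwarebytes or the forum's own code. The sample text is constructed in the shape of the log above (a handful of lines, not the full log), and the log date and 7-day window are assumptions. Flagging an entry is not a verdict: in this thread the newest drivers belong to the removal tools the poster ran.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample in the shape of the "SERVICES / DRIVERS" and
# "Created Last 30" sections of a DDS log (not the full log from the post).
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-10-5 385536]
R1 bfbe;bfbe;c:\windows\system32\bfbe.sys [2010-4-21 75264]
R3 utqxodiy;AVZ Kernel Driver;c:\windows\system32\drivers\utqxodiy.sys [2010-6-1 7168]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
=============== Created Last 30 ================
2010-06-01 07:14:37 7168 ----a-w- c:\windows\system32\drivers\utqxodiy.sys
2010-05-20 01:55:10 7000064 ---ha-w- C:\SZKGFS.dat
2010-05-17 21:28:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
============= FINISH: 9:47:02.21 ===============
"""
LOG_DATE = date(2010, 6, 1)  # assumed date the sample log was run

# "R0 name;display;path [yyyy-m-d size]"  or  "... --> path [?]" when not found
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<info>[^\]]*)\]$"
)
# "yyyy-mm-dd hh:mm:ss size attrs path"
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?P<size>\d+) "
    r"(?P<attrs>\S+) (?P<path>.+)$"
)
SECTION_RE = re.compile(r"^=+ (?P<title>.+?) =+$")


@dataclass
class Service:
    running: bool              # R = running, S = stopped
    start_type: int            # 0 boot, 1 system, 2 auto, 3 manual
    name: str
    display: str
    path: str
    file_date: Optional[date]  # None when DDS printed "[?]" (file not found)
    size: Optional[int]


@dataclass
class Created:
    when: date
    size: int
    attrs: str
    path: str


def _parse_dds_date(s: str) -> date:
    # DDS does not zero-pad months/days ("2009-10-5"), so split by hand.
    y, m, d = (int(p) for p in s.split("-"))
    return date(y, m, d)


def parse_dds(text: str) -> Dict[str, list]:
    """Walk the titled sections of a DDS log and parse the two used for triage."""
    out: Dict[str, list] = {"services": [], "created": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("title")
            continue
        if section == "SERVICES / DRIVERS":
            m = SERVICE_RE.match(line)
            if not m:
                continue
            fdate, size = None, None
            if m.group("info") != "?":
                d, sz = m.group("info").split()
                fdate, size = _parse_dds_date(d), int(sz)
            out["services"].append(Service(
                running=m.group("state") == "R", start_type=int(m.group("start")),
                name=m.group("name"), display=m.group("display"),
                path=m.group("path"), file_date=fdate, size=size))
        elif section == "Created Last 30":
            m = CREATED_RE.match(line)
            if m:
                out["created"].append(Created(
                    when=_parse_dds_date(m.group("date")), size=int(m.group("size")),
                    attrs=m.group("attrs"), path=m.group("path")))
    return out


def triage(text: str, log_date: date, recent_days: int = 7) -> Dict[str, List[str]]:
    """Entries worth a second look: registered services whose binary is missing,
    drivers whose file is newer than `recent_days`, and new hidden files."""
    parsed = parse_dds(text)
    cutoff = log_date - timedelta(days=recent_days)
    return {
        "missing_file": [s.name for s in parsed["services"] if s.file_date is None],
        "recent_drivers": [s.name for s in parsed["services"]
                           if s.file_date is not None and s.file_date >= cutoff],
        "hidden_new_files": [c.path for c in parsed["created"] if "h" in c.attrs],
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_DDS, LOG_DATE).items():
        print(f"{key}: {items}")
```

The section titles are matched exactly as DDS prints them, so the same walk extends to "Running Processes" or "Find3M" by adding a branch; the point of the `[?]` check is that a service registration whose file no longer exists is either a leftover from an uninstall or something a cleaner removed without fixing the registry, and a helper decides which by looking at the name and path.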

Your database version of Malwarebytes' Anti-Malware is 4140, but the current one is 4163, so please:

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In your next reply, please include these log(s) in this sequence:

  1. MalwareBytes' Anti-Malware log
  2. a new fresh DDS log with Attach.txt

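Two things in the 5/24 MBAM log above are easy to miss when reading by eye: the database version is behind, and every detection ends in "No action taken", so the folder and the four files were found but never removed (the files also sit inside System Restore points, which a helper usually flushes at the end of a cleanup rather than treating as an active infection). The summarizer below is an added example for this thread, not Malwarebytes' own code; the sample log is constructed in the shape of the one posted (a few lines, with one made-up "Quarantined and deleted successfully" entry for contrast), and the "current" database number is passed in as an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of a Malwarebytes' Anti-Malware 1.46 log
# (header, counts, then per-section detection lines); not the full posted log.
SAMPLE_MBAM = r"""
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4140
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
5/24/2010 7:14:05 PM
mbam-log-2010-05-24 (19-14-05).txt
Scan type: Full scan (C:\|)
Objects scanned: 214792
Folders Infected: 1
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Data Protection (Rogue.DataProtection) -> No action taken.
Files Infected:
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2009\A0293236.dll (Malware.Packer.Gen) -> No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2011\A0293390.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
"""

DB_RE = re.compile(r"^Database version: (\d+)$")
# "Folders Infected:" opens a section; "Folders Infected: 1" is only a count.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<path> (<classification>) -> <action>."
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$"
)
RESTORE_MARK = r"\system volume information\_restore"


def summarize(text: str, current_db: Optional[int] = None) -> Dict[str, object]:
    """Pull the database version and every detection (with the action MBAM
    actually took) out of an MBAM log and count what was left in place."""
    db_version: Optional[int] = None
    section: Optional[str] = None
    detections: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DB_RE.match(line)
        if m:
            db_version = int(m.group(1))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None:          # still in the header block
            continue
        m = DETECTION_RE.match(line)  # "(No malicious items detected)" won't match
        if m:
            detections.append({"section": section, "path": m.group("path"),
                               "family": m.group("family"), "action": m.group("action")})
    not_removed = sum(1 for d in detections if d["action"].startswith("No action taken"))
    in_restore = sum(1 for d in detections if RESTORE_MARK in d["path"].lower())
    return {
        "database_version": db_version,
        "database_outdated": (current_db is not None and db_version is not None
                              and db_version < current_db),
        "detections": detections,
        "not_removed": not_removed,
        "in_restore_points": in_restore,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_MBAM, current_db=4163)
    print(f"database {s['database_version']} outdated={s['database_outdated']}")
    print(f"{len(s['detections'])} detections, {s['not_removed']} left in place, "
          f"{s['in_restore_points']} inside restore points")
    for d in s["detections"]:
        print(f"  [{d['section']}] {d['family']}: {d['action']}")
```

A scan that reports detections with "No action taken" is the same, from the machine's point of view, as no scan at all; that is why the helper's next instruction insists on "Make sure that everything is checked, and click Remove Selected" and on pasting the resulting log.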

Hello -

I have updated my Malwarebytes to the latest version and have run 3 quick scans this morning. Still no logs. Here are two messages I receive:

1) Windows can't find s:mbamlog.txt. Make sure you typed the name correctly and then try again. To search for a file click the start button and then click search.

2) The scan completed successfully. No malicious items were detected. A log file has been saved to the logs folder.

I'll be running DDS as instructed to get a fresh log but I need your help to resolve the mbam log problem. Thank you!


Please do the following to see if it resolves the issue.

Temporarily disable your Anti-Virus and other security software while installing and running.

Windows XP:

  • Click on Start and select Control Panel
  • Open Add/Remove Programs
  • Uninstall Malwarebytes' Anti-Malware
  • Restart your computer (very important)
  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so (very important)
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
  • Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now set up any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or post to ask and we'll explain how to do it.


-------------------------------

Hello!

Here are fresh logs as requested (sending GMER log in a separate post). I will be leaving tomorrow (Thursday) for several days and unable to respond further until I return. I will contact you again at that time. Please let me know what my next step will be and when to re-enable DeFogger. Thank you for your help!

--------------------------------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4165

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/2/2010 4:20:38 PM

mbam-log-2010-06-02 (16-20-38).txt

Scan type: Quick scan

Objects scanned: 144591

Time elapsed: 14 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-------------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86

Run by Linda Cross at 19:28:04.21 on Wed 06/02/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.362 [GMT -7:00]

AV: Data Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

svchost.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\Linda Cross\Local Settings\Temporary Internet Files\Content.IE5\S9DAR1JF\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://phoenix.cox.net/cci/home

uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

mURLSearchHooks: H - No File

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

EB: {FE54FA40-D68C-11D2-98FA-00C0F0318AFE} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\lindac~1\startm~1\programs\startup\setup_~1.lnk - c:\documents and settings\linda cross\desktop\virus removal tool\setup_9.0.0.722_28.05.2010_11-31\startup.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: alpineaccess.com

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: musicmatch.com\online

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238559981937

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5957/mcfscan.cab

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

mASetup: {33E00BF6-D344-4362-838B-2F9790234042} - rundll32 qfoneu71.dll,laspi

============= SERVICES / DRIVERS ===============

R0 00164472;00164472 Boot Guard Driver;c:\windows\system32\drivers\00164472.sys [2010-5-28 37392]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-10-5 385536]

R1 00164471;00164471;c:\windows\system32\drivers\00164471.sys [2010-5-28 128016]

R1 bfbe;bfbe;c:\windows\system32\bfbe.sys [2010-4-21 75264]

R1 setup_9.0.0.722_28.05.2010_11-31drv;setup_9.0.0.722_28.05.2010_11-31drv;c:\windows\system32\drivers\0016447.sys [2010-5-28 315408]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-5-12 203280]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-5-12 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-5-12 144704]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-6-2 38224]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-5-12 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-16 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-10-5 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-10-5 40552]

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S1 MpKsla3c22b50;MpKsla3c22b50;\??\c:\windows\system32\mpenginestore\mpksla3c22b50.sys --> c:\windows\system32\mpenginestore\MpKsla3c22b50.sys [?]

S2 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]

S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-10-5 34248]

S3 utqxodiy;AVZ Kernel Driver;c:\windows\system32\drivers\utqxodiy.sys [2010-6-1 7168]

=============== Created Last 30 ================

2010-06-02 23:04:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-02 23:04:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-01 12:34:50 0 ----a-w- c:\documents and settings\linda cross\defogger_reenable

2010-06-01 07:14:37 7168 ----a-w- c:\windows\system32\drivers\utqxodiy.sys

2010-05-28 17:52:33 3247 ----a-w- c:\windows\system32\wbem\Outlook_01cafe8e8cb9d7e2.mof

2010-05-28 08:18:40 37392 ----a-w- c:\windows\system32\drivers\00164472.sys

2010-05-28 08:18:40 315408 ----a-w- c:\windows\system32\drivers\0016447.sys

2010-05-28 08:18:40 128016 ----a-w- c:\windows\system32\drivers\00164471.sys

2010-05-28 07:35:09 0 d-----w- C:\ea

2010-05-24 22:27:36 4224 ----a-w- c:\windows\system32\drivers\RDPCDD.SYS

2010-05-24 19:59:52 0 d-----w- c:\windows\system32\MpEngineStore

2010-05-22 12:50:35 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-05-20 21:02:22 10218 ----a-w- c:\windows\system32\rof

2010-05-20 21:02:21 67584 ----a-w- c:\windows\system32\klgd.bmp

2010-05-20 12:47:38 7304 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-05-20 01:55:16 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard

2010-05-20 01:55:10 7000064 ---ha-w- C:\SZKGFS.dat

2010-05-20 01:53:50 0 d-----w- c:\program files\common files\iS3

2010-05-20 01:53:48 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!

2010-05-17 00:54:32 0 ----a-w- C:\debug

2010-05-17 00:40:39 112 ----a-w- c:\docume~1\alluse~1\applic~1\JOJr2m.dat

2010-05-15 19:13:29 0 d-----w- c:\program files\RegWork

2010-05-12 17:14:47 13155 ----a-w- c:\windows\system32\Config.MPF

2010-05-12 16:28:51 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2010-05-12 16:28:02 0 d-----w- c:\program files\common files\McAfee

2010-05-12 13:52:53 0 d-----w- C:\mb

2010-05-12 13:40:42 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-05-11 06:32:42 0 d-----w- c:\windows\system32\NtmsData

==================== Find3M ====================

2010-05-12 18:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-04-29 02:51:30 10752 ----a-w- C:\exefix_xp.com

2010-04-26 22:58:12 256512 ----a-w- c:\windows\PEV.exe

2010-04-21 17:15:23 75264 ----a-w- c:\windows\system32\bfbe.sys

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll

2008-07-26 20:59:27 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072620080727\index.dat

============= FINISH: 19:31:30.76 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 5/11/2003 6:17:18 PM

System Uptime: 6/2/2010 12:52:42 PM (7 hours ago)

Motherboard: Dell Computer Corporation | | 07W080

Processor: Intel® Pentium® 4 CPU 2.20GHz | Socket 478 | 2193/400mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 56 GiB total, 39.103 GiB free.

D: is CDROM ()

E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP2000: 5/15/2010 12:01:39 PM - System Checkpoint

RP2001: 5/15/2010 12:13:28 PM - Installed RegWork.

RP2002: 5/16/2010 1:06:57 PM - System Checkpoint

RP2003: 5/16/2010 8:22:15 PM - Removed RegWork.

RP2004: 5/17/2010 5:41:45 PM - Installed SUPERAntiSpyware Free Edition

RP2005: 5/19/2010 6:11:31 PM - System Checkpoint

RP2006: 5/19/2010 6:53:37 PM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.

RP2007: 5/19/2010 7:20:33 PM - Removed SUPERAntiSpyware Free Edition

RP2008: 5/20/2010 6:37:00 AM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.

RP2009: 5/21/2010 8:04:06 AM - System Checkpoint

RP2010: 5/22/2010 8:27:42 AM - System Checkpoint

RP2011: 5/23/2010 9:18:17 AM - System Checkpoint

RP2012: 5/24/2010 9:59:23 AM - System Checkpoint

RP2013: 5/24/2010 4:01:48 PM - Software Distribution Service 3.0

RP2014: 5/25/2010 4:12:58 PM - Software Distribution Service 3.0

RP2015: 5/26/2010 7:21:19 PM - System Checkpoint

RP2016: 5/27/2010 10:24:28 PM - Software Distribution Service 3.0

RP2017: 5/28/2010 10:48:39 AM - Printer Driver Microsoft Office Document Image Writer Installed

RP2018: 5/29/2010 11:49:20 AM - System Checkpoint

RP2019: 5/30/2010 1:07:57 PM - System Checkpoint

RP2020: 5/31/2010 1:44:05 PM - System Checkpoint

RP2021: 6/1/2010 1:19:11 AM - Software Distribution Service 3.0

RP2022: 6/2/2010 9:54:15 AM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX

Adobe Reader 8.2.2

Adobe Shockwave Player

Adobe


**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
    (screenshots: CF_download_FF.gif, CF_download_rename.gif)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**



---------------------------------------

Hello Borislav -

I am leaving for several days and won't be able to try this combofix until I return. PLEASE do not close out my ticket. I will respond back to you when I return. Thanks!


Thanks for the update! ;)

Don't worry!

Hello again - I am back now and trying to download combofix as instructed above but McAfee has prevented the download twice. This is the message I receive:

McAfee has automatically blocked and removed a Trojan.

About this Trojan

Detected: Artemis!356606F6A226 (Trojan), Artemis!356606F6A226 (Trojan)

Location: C:\Documents and Settings\Linda Cross\Local Settings\Temporary Internet Files\Content.IE5\RKI0RCF4\ComboFix[1].exe

Trojans appear as legitimate programs but can damage valuable files, disrupt performance, and allow unauthorized access to your computer.

Please let me know how to proceed from here. Thank you!


Please disable your McAfee and try again with ComboFix.

I have disabled McAfee and renamed ComboFix to Combo-Fix (which has been saved to my desktop). I am now proceeding with disabling my other anti-virus and anti-malware programs. I am trying to disable Spybot TeaTimer - I have unchecked the "Resident TeaTimer (Protection of overall system settings) active." box. I clicked on the "System Startup" icon to uncheck the "TeaTimer" box - there is no TeaTimer box listed here and no prompts to "OK". Should I be doing something else at this point?

My instructions then instruct me to:

"Please download ResetTeaTimer.zip and save to your Desktop. Extract (unzip) the file and double-click ResetTeaTimer.bat to run the script. This will remove all entries set by TeaTimer and keep it from restoring them upon reactivation." Where do I download ResetTeaTimer.zip from to save to my desktop? Do I do this step before or after running Combo-Fix? I have exited out of Spybot but have not restarted my computer yet. Would it be simpler to just uninstall Spybot and reinstall later?

I have the free version of Malwarebytes - how do I disable it? Uninstall and reinstall later?

I am uncertain about these things because I don't have much experience. Thank you for your help!


1. It will be much easier if you uninstall SpyBot for now.

2. Free version of MBAM is without Real-Time protection, so you don't need to disable it.

Hello - finally able to run combofix - sorry for the delay - had serious family emergency. Here is the combofix log. Please let me know my next step. Thank you for your help!

----------------------------------------------------------------------------------------------------------

ComboFix 10-06-14.02 - Linda Cross 06/14/2010 22:28:58.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.594 [GMT -7:00]

Running from: c:\documents and settings\Linda Cross\Desktop\Combo-Fix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Linda Cross\GoToAssistDownloadHelper.exe

c:\windows\system\IMPLODE.DLL

c:\windows\system32\fsc.txt

c:\windows\system32\ide.txt

c:\windows\system32\klgd.bmp

c:\windows\system32\qks.txt

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PRAGMAbwqvrnmbpx

-------\Service_PRAGMAbwqvrnmbpx

((((((((((((((((((((((((( Files Created from 2010-05-15 to 2010-06-15 )))))))))))))))))))))))))))))))

.

2010-06-15 03:09 . 2009-10-22 20:54 37392 ----a-w- c:\windows\system32\drivers\99274762.sys

2010-06-15 03:09 . 2009-10-10 06:31 315408 ----a-w- c:\windows\system32\drivers\9927476.sys

2010-06-15 03:09 . 2009-09-26 00:59 128016 ----a-w- c:\windows\system32\drivers\99274761.sys

2010-06-08 22:39 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-02 23:04 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-02 23:04 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-01 07:14 . 2010-06-02 05:23 7168 ----a-w- c:\windows\system32\drivers\utqxodiy.sys

2010-05-28 07:35 . 2010-05-28 07:35 -------- d-----w- C:\ea

2010-05-24 22:27 . 2010-05-24 22:27 4224 ----a-w- c:\windows\system32\drivers\RDPCDD.SYS

2010-05-24 19:59 . 2010-05-24 22:30 -------- d-----w- c:\windows\system32\MpEngineStore

2010-05-22 12:50 . 2010-06-15 05:20 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-05-20 01:55 . 2010-05-20 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard

2010-05-20 01:55 . 2010-05-20 01:55 7000064 ---ha-w- C:\SZKGFS.dat

2010-05-20 01:53 . 2010-05-20 01:53 -------- d-----w- c:\program files\Common Files\iS3

2010-05-20 01:53 . 2010-05-20 13:39 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-15 05:50 . 2009-10-06 03:46 -------- d-----w- c:\program files\McAfee

2010-06-15 05:20 . 2007-12-09 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-12 13:09 . 2007-10-02 20:17 -------- d-----w- c:\program files\My Kazaa Gold

2010-06-02 23:04 . 2010-04-29 03:23 -------- d-----w- c:\documents and settings\Linda Cross\Application Data\Malwarebytes

2010-06-02 23:04 . 2010-04-30 22:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-02 23:04 . 2010-04-29 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-02 04:51 . 2009-10-06 05:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2010-05-20 17:09 . 2010-05-15 19:13 -------- d-----w- c:\program files\RegWork

2010-05-20 13:28 . 2010-05-20 12:47 7304 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-05-20 01:56 . 2010-05-20 01:57 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll

2010-05-19 18:36 . 2010-05-17 00:40 112 ----a-w- c:\documents and settings\All Users\Application Data\JOJr2m.dat

2010-05-13 12:57 . 2009-12-21 14:13 -------- d-----w- c:\program files\VoiceScribe

2010-05-12 18:21 . 2009-10-20 21:18 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-12 17:15 . 2009-10-06 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-05-12 16:28 . 2010-05-12 16:28 -------- d-----w- c:\program files\Common Files\McAfee

2010-05-12 16:28 . 2003-04-30 15:31 -------- d-----w- c:\program files\McAfee.com

2010-05-12 13:40 . 2010-05-12 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-05-12 05:27 . 2003-05-12 01:18 105656 -c--a-w- c:\documents and settings\Linda Cross\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-11 06:01 . 2008-05-10 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2010-05-06 10:41 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2002-08-29 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-30 22:18 . 2003-12-31 00:10 -------- d-----w- c:\program files\Watchtower

2010-04-29 13:00 . 2010-04-29 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Bomgar-SCC-4BD91594

2010-04-29 02:51 . 2010-04-29 02:51 10752 ----a-w- C:\exefix_xp.com

2010-04-28 00:10 . 2004-03-25 01:45 -------- d-----w- c:\program files\Lexmark X1100 Series

2010-04-27 23:47 . 2010-04-27 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avG

2010-04-25 23:39 . 2010-04-16 23:43 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-21 17:15 . 2010-04-21 17:15 75264 ----a-w- c:\windows\system32\bfbe.sys

2010-04-20 05:30 . 2002-08-29 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-17 06:29 . 2010-04-17 06:29 49152 ----a-r- c:\documents and settings\Linda Cross\Application Data\Microsoft\Installer\{166E180E-9A3F-41AE-8B40-22D8FFF4AF87}\Icon49FA793C.exe

2010-04-16 23:43 . 2010-04-16 23:43 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-04-16 23:25 . 2009-10-20 21:09 -------- d-----w- c:\program files\Windows Defender

.

c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Lexmark X1100 Series\lxbkbmgr .exe
c:\program files\McAfee.com\Agent\mcagent .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mimboot .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray .exe
c:\program files\Windows Defender\msascui .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

c:\documents and settings\Linda Cross\Start Menu\Programs\Startup\

setup_9.0.0.722_12.06.2010_23-38[1].lnk - c:\documents and settings\Linda Cross\Desktop\Virus Removal Tool\setup_9.0.0.722_12.06.2010_23-38[1]\startup.exe [2010-6-14 72208]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=

"c:\\WINDOWS\\SYSTEM32\\java.exe"=

"c:\\Program Files\\360Share\\Gui\\360Share.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 99274762;99274762 Boot Guard Driver;c:\windows\SYSTEM32\DRIVERS\99274762.sys [6/14/2010 8:09 PM 37392]

R1 99274761;99274761;c:\windows\SYSTEM32\DRIVERS\99274761.sys [6/14/2010 8:09 PM 128016]

R1 bfbe;bfbe;c:\windows\SYSTEM32\bfbe.sys [4/21/2010 10:15 AM 75264]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/12/2010 9:33 AM 203280]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S1 MpKsla3c22b50;MpKsla3c22b50;\??\c:\windows\system32\MpEngineStore\MpKsla3c22b50.sys --> c:\windows\system32\MpEngineStore\MpKsla3c22b50.sys [?]

S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]

S3 utqxodiy;AVZ Kernel Driver;c:\windows\SYSTEM32\DRIVERS\utqxodiy.sys [6/1/2010 12:14 AM 7168]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{33E00BF6-D344-4362-838B-2F9790234042}]

qfoneu71.dll [N/A]

.

Contents of the 'Scheduled Tasks' folder

c:\windows\Tasks\At101.job

2010-06-12 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-05-12 19:22]

2010-06-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-05-12 19:22]

2010-06-15 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2010-06-14 c:\windows\Tasks\User_Feed_Synchronization-{0BF8426D-E159-4E88-8E75-FD433358A530}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://phoenix.cox.net/cci/home

uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

Trusted Zone: alpineaccess.com

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: musicmatch.com\online

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-14 22:46

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,91,13,62,e7,0a,32,1f,4d,90,78,a8,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,91,13,62,e7,0a,32,1f,4d,90,78,a8,\

[HKEY_USERS\S-1-5-21-1241913026-665132261-2367862541-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4020)

c:\windows\system32\WININET.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\IME\SPGRMR.DLL

c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\McAfee\MSK\MskSrver.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

.

**************************************************************************

.

Completion time: 2010-06-14 23:00:49 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-15 06:00

ComboFix2.txt 2010-04-29 05:12

Pre-Run: 41,579,347,968 bytes free

Post-Run: 41,625,673,728 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut

- - End Of File - - FA0EA906B45D96D267D4806D5E264A5C

