
Clean Up Rootkits/Redirects/Running Processes


Here's my brother-in-law's Dell Dimension 4600 - XP Pro - SP3 - plenty of disk space. He brought it to me as a couple of weeks ago something happened and all sorts of nonsense is going on. When IE or Chrome is launched, it goes to the correct web address but after about a minute or two another window appears advertising Newsmania or Stopzilla or Automaticsystemprofits.com and the list goes on.

I used MBAM. The bad guys blocked it so I used a randomly named copy found elsewhere here in the forums. I ran DDS and GMER - logs below. Then, with MBAM, I did a quick scan - found 12 baddies. Removed and rebooted. Baddies remained. I did a full scan. System hung - hard reset. Did full scan in safe mode. Found 12 baddies, remove and reboot. Did a quick scan in norm mode (since full scan won't complete in norm mode) and it found 2 more. Note: Before and during this process, I tried to update MBAM but got this error: [screenshot of the MBAM update error, posted by hoib on ImageShack at 2010-06-22]. Will have to tackle this later, I believe. So I used another computer to download MBAM's update and copied rules.ref to the proper location. Used Spybot which found pretty much the same items as MBAM and also failed to remove half of what it found.

I'm going to need some help now to continue cleaning as I'm out of options and need some expert help. Logs follow below. I'll stay engaged because the family needs this back pronto!

DDS (Ver_10-03-17.01) - NTFSx86

Run by mike dolphin at 18:41:58.45 on Mon 06/21/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1247.512 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Herb's Special Folder\SnagIt.10.0.0.788.Portable\SnagIt.10.0.0.788.Portable\SnagitPortable.exe

C:\Herb's Special Folder\SnagIt.10.0.0.788.Portable\SnagIt.10.0.0.788.Portable\App\Snagit\SnagIt32.exe

C:\Herb's Special Folder\SnagIt.10.0.0.788.Portable\SnagIt.10.0.0.788.Portable\App\Snagit\TSCHelp.exe

C:\Herb's Special Folder\SnagIt.10.0.0.788.Portable\SnagIt.10.0.0.788.Portable\App\Snagit\SnagPriv.exe

C:\Herb's Special Folder\SnagIt.10.0.0.788.Portable\SnagIt.10.0.0.788.Portable\App\Snagit\snagiteditor.exe

C:\Documents and Settings\mike dolphin\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

BHO: {dfdcac03-890e-4677-ae82-dac4e3a3407c} - perobewe.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [fimikeyuwa] Rundll32.exe "givobebe.dll",s

mRun: [nulamodiy] Rundll32.exe "c:\windows\system32\bahezido.dll",a

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223}

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191791640765

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191792277593

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Notify: NavLogon - c:\windows\system32\NavLogon.dll

AppInit_DLLs: wudadefi.dll c:\windows\system32\nabehunu.dll c:\windows\system32\galabano.dll c:\windows\system32\nokafolu.dll c:\windows\system32\futavova.dll c:\windows\system32\kiwugilo.dll c:\windows\system32\nuvutame.dll c:\windows\system32\domitena.dll c:\windows\system32\nosinisu.dll c:\windows\system32\lugefulo.dll c:\windows\system32\jidufavu.dll c:\windows\system32\rarepero.dll c:\windows\system32\tupukenu.dll c:\windows\system32\fakafuto.dll c:\windows\system32\ropekibe.dll c:\windows\system32\bahezido.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: juwajejud - {b0f0943a-eac8-4c79-abb9-575e3c80ef2a} - c:\windows\system32\bahezido.dll

STS: mujuzedij: {e7f84a76-87ba-4e3a-9513-fc539134727e} - c:\windows\system32\ropekibe.dll

STS: kupuhivus: {b0f0943a-eac8-4c79-abb9-575e3c80ef2a} - c:\windows\system32\bahezido.dll

LSA: Notification Packages = scecli wudadefi.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100620.006\naveng.sys [2010-6-20 85552]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100620.006\navex15.sys [2010-6-20 1347504]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-14 135664]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]

=============== Created Last 30 ================

2010-06-21 22:41:08 0 ----a-w- c:\documents and settings\mike dolphin\defogger_reenable

2010-06-21 22:37:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-21 22:37:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-21 22:37:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-21 02:42:49 0 d-----w- C:\The Fixx

2010-06-21 01:47:14 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-06-21 01:47:14 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-06-21 01:47:01 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2010-06-21 01:47:01 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2010-06-09 00:39:37 0 d-----w- C:\ProgramData

2010-06-09 00:39:37 0 d-----w- c:\program files\Angle Interactive

==================== Find3M ====================

2010-06-12 11:26:47 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2010-03-21 20:30:37 99328 --sha-w- c:\windows\system32\bahezido.dll

2010-03-21 01:46:43 99328 --sha-w- c:\windows\system32\fetotava.dll

2009-04-12 19:23:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009041220090413\index.dat

============= FINISH: 18:42:37.26 ===============

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-21 20:09:15

Windows 5.1.2600 Service Pack 3

Running: 6gc14l33.exe; Driver: C:\DOCUME~1\MIKEDO~1\LOCALS~1\Temp\kxtdypow.sys

---- System - GMER 1.0.15 ----

SSDT 89442088 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xBA495900]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\HPZipm12.exe[236] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001A81 C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\system32\HPZipm12.exe[236] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 100019AB C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\system32\HPZipm12.exe[236] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001A11 C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\system32\HPZipm12.exe[236] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001A28 C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\system32\HPZipm12.exe[236] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001B0E C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\system32\HPZipm12.exe[236] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001BDF C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\system32\HPZipm12.exe[236] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001AB8 C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\system32\HPZipm12.exe[236] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001AF7 C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\system32\HPZipm12.exe[236] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001B45 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 00B01A81 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 00B019AB C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00B01A11 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B01A28 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00B01B0E C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 00B01BDF C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 00B01AB8 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 00B01AF7 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[240] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 00B01B45 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001A81 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 100019AB C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001A11 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001A28 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001B0E C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001BDF C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001AB8 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001AF7 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[408] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001B45 C:\WINDOWS\system32\wudadefi.dll

.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001A81 C:\WINDOWS\system32\wudadefi.dll

.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 100019AB C:\WINDOWS\system32\wudadefi.dll

.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001A11 C:\WINDOWS\system32\wudadefi.dll

.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001A28 C:\WINDOWS\system32\wudadefi.dll

.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001B0E C:\WINDOWS\system32\wudadefi.dll

.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001BDF C:\WINDOWS\system32\wudadefi.dll

.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001AB8 C:\WINDOWS\system32\wudadefi.dll

.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001AF7 C:\WINDOWS\system32\wudadefi.dll

.text C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe[976] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001B45 C:\WINDOWS\system32\wudadefi.dll

.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 00A41A81 C:\WINDOWS\system32\wudadefi.dll

.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 00A419AB C:\WINDOWS\system32\wudadefi.dll

.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00A41A11 C:\WINDOWS\system32\wudadefi.dll

.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A41A28 C:\WINDOWS\system32\wudadefi.dll

.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00A41B0E C:\WINDOWS\system32\wudadefi.dll

.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 00A41BDF C:\WINDOWS\system32\wudadefi.dll

.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 00A41AB8 C:\WINDOWS\system32\wudadefi.dll

.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 00A41AF7 C:\WINDOWS\system32\wudadefi.dll

.text C:\PROGRA~1\SYMANT~1\VPTray.exe[1248] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 00A41B45 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001A81 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 100019AB C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001A11 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001A28 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001B0E C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001BDF C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001AB8 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001AF7 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1400] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001B45 C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 01D51A81 C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 01D519AB C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 01D51A11 C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01D51A28 C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 01D51B0E C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 01D51BDF C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 01D51AB8 C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 01D51AF7 C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\Explorer.EXE[1460] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 01D51B45 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001A81 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 100019AB C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001A11 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001A28 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001B0E C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001BDF C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001AB8 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001AF7 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1720] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001B45 C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\system32\ctfmon.exe[1792] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 009F1A81 C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\system32\ctfmon.exe[1792] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 009F19AB C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\system32\ctfmon.exe[1792] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 009F1A11 C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\system32\ctfmon.exe[1792] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009F1A28 C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\system32\ctfmon.exe[1792] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 009F1B0E C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\system32\ctfmon.exe[1792] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 009F1BDF C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\system32\ctfmon.exe[1792] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 009F1AB8 C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\system32\ctfmon.exe[1792] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 009F1AF7 C:\WINDOWS\system32\wudadefi.dll

.text C:\WINDOWS\system32\ctfmon.exe[1792] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 009F1B45 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10001A81 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 100019AB C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 10001A11 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001A28 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001B0E C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001BDF C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 10001AB8 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 10001AF7 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1924] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 10001B45 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 00B71A81 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 00B719AB C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00B71A11 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B71A28 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00B71B0E C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 00B71BDF C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 00B71AB8 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 00B71AF7 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2196] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 00B71B45 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 00B31A81 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 00B319AB C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 00B31A11 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B31A28 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00B31B0E C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 00B31BDF C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] kernel32.dll!Module32FirstW 7C8652E7 5 Bytes JMP 00B31AB8 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] kernel32.dll!Module32NextW 7C865484 5 Bytes JMP 00B31AF7 C:\WINDOWS\system32\wudadefi.dll

.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2404] PSAPI.DLL!EnumProcessModules 76BF1EF4 5 Bytes JMP 00B31B45 C:\WINDOWS\system32\wudadefi.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\WINDOWS\system32\HPZipm12.exe [236] 0x10000000

Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe [240] 0x00B00000

Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [408] 0x10000000

Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [600] 0x10000000

Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [648] 0x10000000

Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [668] 0x10000000

Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\Documents and Settings\mike dolphin\Desktop\6gc14l33.exe [976] 0x10000000

Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\PROGRA~1\SYMANT~1\VPTray.exe [1248] 0x00A40000

Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [1400] 0x10000000

Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1460] 0x01D50000

Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [1720] 0x10000000

Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [1792] 0x009F0000

Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\Program Files\Symantec AntiVirus\DefWatch.exe [1924] 0x10000000

Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2196] 0x00B70000

Library C:\WINDOWS\system32\wudadefi.dll (*** hidden *** ) @ C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe [2404] 0x00B30000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\wudadefi.dll 70656 bytes executable

File C:\WINDOWS\system32\begapofi 6456 bytes

---- EOF - GMER 1.0.15 ----

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4223

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

6/22/2010 7:41:21 AM

mbam-log-2010-06-22 (07-41-21).txt

Scan type: Quick scan

Objects scanned: 120723

Time elapsed: 6 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4223

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 7.0.5730.13

6/22/2010 7:28:59 AM

mbam-log-2010-06-22 (07-28-59).txt

Scan type: Full scan (C:\|)

Objects scanned: 159874

Time elapsed: 45 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nulamodiy (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fimikeyuwa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Although these logs indicate no malicious items, I really want to make sure I got it all. And I'm not that sure. So I'm just looking to see if someone else can look things over.

Thanks

H


Hello Hoib! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. The absence of symptoms does not mean that everything is okay.
  • The instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we are working.
  • Keep me informed about any changes.

Step 1

I see you are running TeaTimer.

I suggest you disable it, because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you have disabled TeaTimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Step 2

1. Please download ComboFix from: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Save it on your Desktop.

3. Follow the instructions:

Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=54922

KillAll::

Collect::[8]
c:\windows\system32\perobewe.dll
c:\windows\system32\bahezido.dll
c:\windows\system32\givobebe.dll
C:\WINDOWS\system32\wudadefi.dll
c:\windows\system32\nabehunu.dll
c:\windows\system32\galabano.dll
c:\windows\system32\nokafolu.dll
c:\windows\system32\futavova.dll
c:\windows\system32\kiwugilo.dll
c:\windows\system32\nuvutame.dll
c:\windows\system32\domitena.dll
c:\windows\system32\nosinisu.dll
c:\windows\system32\lugefulo.dll
c:\windows\system32\jidufavu.dll
c:\windows\system32\rarepero.dll
c:\windows\system32\tupukenu.dll
c:\windows\system32\fakafuto.dll
c:\windows\system32\ropekibe.dll
c:\windows\system32\bahezido.dll
c:\windows\system32\fetotava.dll
C:\WINDOWS\system32\begapofi

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

In your next reply, please include these log(s) in this sequence:

  1. ComboFix log
  2. a new fresh DDS log with Attach.txt

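Reading the logs in this thread, the helper picked the Vundo-style names out by eye: the eight-letter, all-lowercase, consonant-vowel names under system32 (perobewe.dll, wudadefi.dll, begapofi) and the Run values MBAM removed (nulamodiy, fimikeyuwa). The script below is an added example, not part of this thread and not a Malwarebytes, GMER or ComboFix feature: it automates that triage over GMER/DDS/ComboFix-style lines plus an MBAM log, and lists the generated-looking files that MBAM never touched, which is exactly the gap the Collect:: script above closes. The naming pattern it tests for is an assumption drawn from the names in these logs (8 to 10 lowercase letters strictly alternating consonant/vowel), so expect false positives on a full system32 listing. The sample lines are constructed copies of lines from the logs above.

```python
"""Log triage for the GMER / DDS / ComboFix and MBAM output in this thread.

Added example, not a Malwarebytes or ComboFix feature. The naming test is an
assumption drawn from the names in these logs: the Vundo-family droppers used
short, pronounceable, all-lowercase names built from alternating
consonant/vowel pairs (perobewe, begapofi, nulamodiy). Expect false positives.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, shaped like the GMER / DDS / ComboFix lines in the thread.
SAMPLE_SCAN_LOG = r"""
File C:\WINDOWS\system32\wudadefi.dll 70656 bytes executable
File C:\WINDOWS\system32\begapofi 6456 bytes
BHO: {dfdcac03-890e-4677-ae82-dac4e3a3407c} - c:\windows\system32\perobewe.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
2010-06-12 11:26:47 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2010-06-21 22:37:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

# Constructed sample, shaped like the MBAM safe-mode log in the thread.
SAMPLE_MBAM_LOG = r"""
Registry Keys Infected: 0
Registry Values Infected: 2
Files Infected: 0
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nulamodiy (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fimikeyuwa (Trojan.Vundo) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

VOWELS = set("aeiou")
SYSTEM32_NAME = re.compile(r"system32\\([A-Za-z0-9]+)", re.IGNORECASE)  # basename, any extension
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\([A-Za-z0-9]+)", re.IGNORECASE)
MBAM_COUNT = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
MBAM_ITEM = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")  # item (Detection) -> action


def looks_generated(name: str) -> bool:
    """Heuristic: 8-10 letter, all-lowercase names that strictly alternate
    consonant/vowel starting with a consonant ('y' counts as a consonant)."""
    if not (8 <= len(name) <= 10) or not name.isalpha() or not name.islower():
        return False
    # even positions must be consonants, odd positions vowels
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(name))


def flag_names(log_text: str) -> List[Tuple[str, str]]:
    """Collect (kind, name) for generated-looking system32 files and Run values,
    in first-seen order, without duplicates."""
    seen: Dict[Tuple[str, str], None] = {}
    for line in log_text.splitlines():
        for name in SYSTEM32_NAME.findall(line):
            if looks_generated(name):
                seen.setdefault(("file", name), None)
        for name in RUN_VALUE.findall(line):
            if looks_generated(name):
                seen.setdefault(("run-key", name), None)
    return list(seen)


def mbam_summary(log_text: str) -> Dict[str, int]:
    """Parse the 'X Infected: N' summary lines of an MBAM log."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = MBAM_COUNT.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def mbam_removed(log_text: str) -> List[Tuple[str, str]]:
    """Return (item, detection) for each MBAM line whose action removed the item,
    counting 'Delete on reboot' as removal pending restart."""
    items = []
    for line in log_text.splitlines():
        m = MBAM_ITEM.match(line.strip())
        if m and ("deleted" in m.group(3) or "reboot" in m.group(3)):
            items.append((m.group(1), m.group(2)))
    return items


def residual_files(scan_log: str, mbam_log: str) -> List[str]:
    """Generated-looking system32 files seen by the scanner that MBAM never
    removed: the loaders' Run values can be gone while the DLLs remain."""
    removed = {item.rsplit("\\", 1)[-1].split(".")[0].lower()
               for item, _ in mbam_removed(mbam_log)}
    return [name for kind, name in flag_names(scan_log)
            if kind == "file" and name not in removed]


if __name__ == "__main__":
    print(mbam_summary(SAMPLE_MBAM_LOG))
    for kind, name in flag_names(SAMPLE_SCAN_LOG + SAMPLE_MBAM_LOG):
        print(f"{kind:8} {name}")
    print("not removed by MBAM:", residual_files(SAMPLE_SCAN_LOG, SAMPLE_MBAM_LOG))
```

On the sample above the script reports both Run values as removed and wudadefi, begapofi and perobewe as files nothing has removed yet, which is the same conclusion the helper reached by hand. The pattern test is deliberately strict (a single consonant cluster or capital letter disqualifies a name) so that ordinary system32 names such as pgdfgsvc.exe or NavLogon.dll fall through; anything it does flag still needs a look at the file's signature and load points before it is deleted.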

OK, all went well. CF ran with the parameters in CFScript.txt. Here are the logs:

ComboFix 10-06-22.02 - mike dolphin 06/22/2010 17:28:00.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1247.821 [GMT -4:00]

Running from: c:\documents and settings\mike dolphin\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\mike dolphin\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

file zipped: c:\windows\system32\begapofi

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\mike dolphin\My Documents\AllReg.reg

c:\windows\is-DSI7I.exe

c:\windows\system32\begapofi

.

((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))

.

2010-06-21 22:37 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-21 22:37 . 2010-06-21 22:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-21 22:37 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-21 22:28 . 2010-06-21 22:28 -------- d-----w- c:\documents and settings\mike dolphin\Local Settings\Application Data\TechSmith

2010-06-21 02:42 . 2010-06-22 11:52 -------- d-----w- C:\The Fixx

2010-06-21 01:47 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-06-21 01:47 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-06-21 01:47 . 2008-04-13 18:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2010-06-21 01:47 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2010-06-09 00:39 . 2010-06-21 02:23 -------- d-----w- C:\ProgramData

2010-06-09 00:39 . 2010-06-09 00:39 -------- d-----w- c:\program files\Angle Interactive

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-22 21:37 . 2007-10-03 12:16 -------- d-----w- c:\program files\Symantec AntiVirus

2010-06-22 21:18 . 2007-10-07 21:03 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-22 21:16 . 2007-10-07 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-22 11:54 . 2007-10-07 21:09 -------- d-----w- c:\program files\CCleaner

2010-06-12 11:26 . 2010-02-26 16:00 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2010-05-14 11:26 . 2008-03-09 19:56 -------- d-----w- c:\program files\Google

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSPower"="SiSPower.dll" [2005-08-25 49152]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-23 85696]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2010-04-29 19:39 437584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Universal Installer"="c:\program files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"SoundMAX"="c:\program files\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"c:\\WINDOWS\\system32\\logon.scr"=

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/14/2010 8:14 PM 135664]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 7:27 PM 124608]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv11010

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\1-Click Maintenance.job

- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 20:17]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 00:14]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 00:14]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

BHO-{dfdcac03-890e-4677-ae82-dac4e3a3407c} - perobewe.dll

SharedTaskScheduler-{e7f84a76-87ba-4e3a-9513-fc539134727e} - (no file)

MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-22 17:35

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3980)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\wscntfy.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

.

**************************************************************************

.

Completion time: 2010-06-22 17:41:50 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-22 21:41

Pre-Run: 64,276,541,440 bytes free

Post-Run: 64,234,110,976 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 50B40EAC497ECF73B2E360DF3984B478

DDS (Ver_10-03-17.01) - NTFSx86

Run by mike dolphin at 17:45:19.51 on Tue 06/22/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1247.677 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\mike dolphin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223}

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191791640765

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191792277593

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100620.006\naveng.sys [2010-6-20 85552]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100620.006\navex15.sys [2010-6-20 1347504]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-14 135664]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]

=============== Created Last 30 ================

2010-06-22 21:27:07 0 d-sha-r- C:\cmdcons

2010-06-22 21:25:42 98816 ----a-w- c:\windows\sed.exe

2010-06-22 21:25:42 77312 ----a-w- c:\windows\MBR.exe

2010-06-22 21:25:42 256512 ----a-w- c:\windows\PEV.exe

2010-06-22 21:25:42 161792 ----a-w- c:\windows\SWREG.exe

2010-06-21 22:41:08 0 ----a-w- c:\documents and settings\mike dolphin\defogger_reenable

2010-06-21 22:37:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-21 22:37:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-21 22:37:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-21 02:42:49 0 d-----w- C:\The Fixx

2010-06-21 01:47:14 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-06-21 01:47:14 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-06-21 01:47:01 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2010-06-21 01:47:01 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2010-06-09 00:39:37 0 d-----w- C:\ProgramData

2010-06-09 00:39:37 0 d-----w- c:\program files\Angle Interactive

==================== Find3M ====================

2010-06-12 11:26:47 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2009-04-12 19:23:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009041220090413\index.dat

============= FINISH: 17:45:36.96 ===============

How'd I do?

H


OK, I think it all went well.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume3

Install Date: 9/26/2007 5:27:25 PM

System Uptime: 6/22/2010 5:33:13 PM (0 hours ago)

Motherboard: ECS | | 761GX-M754-964

Processor: Mobile AMD Athlon XP-M Processor 3100+ | CPU 1 | 1800/200mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 75 GiB total, 59.842 GiB free.

D: is CDROM ()

E: is FIXED (NTFS) - 112 GiB total, 106.728 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP960: 6/22/2010 7:55:57 AM - System Checkpoint

RP961: 6/22/2010 7:55:57 AM - System Checkpoint

RP962: 6/22/2010 7:55:56 AM - System Checkpoint

RP963: 6/22/2010 7:55:56 AM - System Checkpoint

RP964: 6/22/2010 7:55:56 AM - System Checkpoint

RP965: 6/22/2010 7:55:56 AM - System Checkpoint

RP966: 6/22/2010 7:55:56 AM - System Checkpoint

RP967: 6/22/2010 7:55:56 AM - Software Distribution Service 3.0

RP968: 6/22/2010 7:55:56 AM - System Checkpoint

RP969: 6/22/2010 7:55:56 AM - System Checkpoint

RP970: 6/22/2010 7:55:56 AM - System Checkpoint

RP971: 6/22/2010 7:55:55 AM - System Checkpoint

RP972: 6/22/2010 7:55:55 AM - System Checkpoint

RP973: 6/22/2010 7:55:55 AM - System Checkpoint

RP974: 6/22/2010 7:55:55 AM - System Checkpoint

RP975: 6/22/2010 7:55:55 AM - System Checkpoint

RP976: 6/22/2010 7:55:55 AM - System Checkpoint

RP977: 6/22/2010 7:55:55 AM - System Checkpoint

RP978: 6/22/2010 7:55:55 AM - System Checkpoint

RP979: 6/22/2010 7:55:55 AM - System Checkpoint

RP980: 6/22/2010 7:55:55 AM - System Checkpoint

RP981: 4/14/2010 3:00:18 AM - Software Distribution Service 3.0

RP982: 4/15/2010 3:00:24 AM - Software Distribution Service 3.0

RP983: 4/16/2010 3:27:29 AM - System Checkpoint

RP984: 4/17/2010 4:27:29 AM - System Checkpoint

RP985: 4/18/2010 5:27:29 AM - System Checkpoint

RP986: 4/19/2010 6:28:34 AM - System Checkpoint

RP987: 4/20/2010 7:27:29 AM - System Checkpoint

RP988: 4/21/2010 8:27:29 AM - System Checkpoint

RP989: 4/22/2010 9:27:29 AM - System Checkpoint

RP990: 4/23/2010 10:27:33 AM - System Checkpoint

RP991: 4/24/2010 11:27:35 AM - System Checkpoint

RP992: 4/25/2010 2:14:31 PM - System Checkpoint

RP993: 4/26/2010 2:27:34 PM - System Checkpoint

RP994: 4/27/2010 3:27:34 PM - System Checkpoint

RP995: 4/28/2010 4:39:58 PM - System Checkpoint

RP996: 4/29/2010 5:27:34 PM - System Checkpoint

RP997: 4/30/2010 5:28:05 PM - System Checkpoint

RP998: 5/1/2010 6:28:05 PM - System Checkpoint

RP999: 5/2/2010 6:41:53 PM - System Checkpoint

RP1000: 5/3/2010 6:42:58 PM - System Checkpoint

RP1001: 5/4/2010 7:37:27 PM - System Checkpoint

RP1002: 5/10/2010 6:45:07 PM - System Checkpoint

RP1003: 5/11/2010 7:12:21 PM - System Checkpoint

RP1004: 5/12/2010 8:12:21 PM - System Checkpoint

RP1005: 5/13/2010 3:00:23 AM - Software Distribution Service 3.0

RP1006: 5/14/2010 3:12:21 AM - System Checkpoint

RP1007: 5/15/2010 4:12:21 AM - System Checkpoint

RP1008: 5/16/2010 5:12:21 AM - System Checkpoint

RP1009: 5/17/2010 6:12:21 AM - System Checkpoint

RP1010: 5/18/2010 7:12:24 AM - System Checkpoint

RP1011: 5/19/2010 8:12:23 AM - System Checkpoint

RP1012: 5/20/2010 8:15:51 AM - System Checkpoint

RP1013: 5/21/2010 9:12:24 AM - System Checkpoint

RP1014: 5/22/2010 1:04:33 PM - System Checkpoint

RP1015: 5/23/2010 1:10:43 PM - System Checkpoint

RP1016: 5/24/2010 1:18:47 PM - System Checkpoint

RP1017: 5/25/2010 2:12:24 PM - System Checkpoint

RP1018: 5/26/2010 3:00:18 AM - Software Distribution Service 3.0

RP1019: 5/27/2010 7:32:27 AM - System Checkpoint

RP1020: 6/1/2010 7:07:46 PM - System Checkpoint

RP1021: 6/2/2010 7:36:54 PM - System Checkpoint

RP1022: 6/3/2010 8:36:54 PM - System Checkpoint

RP1023: 6/4/2010 9:35:49 PM - System Checkpoint

RP1024: 6/5/2010 10:35:53 PM - System Checkpoint

RP1025: 6/6/2010 11:36:00 PM - System Checkpoint

RP1026: 6/8/2010 12:35:49 AM - System Checkpoint

RP1027: 6/9/2010 1:35:50 AM - System Checkpoint

RP1028: 6/10/2010 2:35:49 AM - System Checkpoint

RP1029: 6/11/2010 3:35:51 AM - System Checkpoint

RP1030: 6/12/2010 4:35:49 AM - System Checkpoint

RP1031: 6/13/2010 5:35:48 AM - System Checkpoint

RP1032: 6/14/2010 6:36:01 AM - System Checkpoint

RP1033: 6/15/2010 7:33:06 AM - System Checkpoint

RP1034: 6/16/2010 7:33:16 AM - System Checkpoint

RP1035: 6/17/2010 8:33:17 AM - System Checkpoint

RP1036: 6/18/2010 9:33:16 AM - System Checkpoint

RP1037: 6/19/2010 10:33:15 AM - System Checkpoint

RP1038: 6/20/2010 10:51:54 AM - System Checkpoint

RP1039: 6/21/2010 4:59:31 PM - System Checkpoint

RP1040: 6/21/2010 6:33:26 PM - Revo Uninstaller's restore point - Malwarebytes' Anti-Malware

RP1041: 6/22/2010 5:14:52 PM - Revo Uninstaller's restore point - Spybot - Search & Destroy

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX

Adobe Reader 7.0.5

BufferChm

CCleaner

CCScore

Comcast High-Speed Internet Install Wizard

Comcast Universal Installer v1.2

Critical Update for Windows Media Player 11 (KB959772)

CustomerResearchQFolder

D4100

D4100_Help

DeviceManagementQFolder

ESSBrwr

ESSCDBK

ESScore

ESSgui

ESSini

ESSPCD

ESSPDock

ESSSONIC

ESSTOOLS

essvatgt

eSupportQFolder

Google Chrome

Google Earth

Google Update Helper

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

HP Customer Participation Program 7.0

HP Imaging Device Functions 7.0

HP Photosmart and Deskjet 7.0 Software

HP Photosmart Essential

HP Solution Center 7.0

HP Update

hph_ProductContext

hph_readme

hph_software

hph_software_req

HPPhotoSmartExpress

HPProductAssistant

InstantShareDevicesMFC

J2SE Runtime Environment 5.0 Update 6

kgcbase

Kodak EasyShare software

KSU

LiveUpdate 2.6 (Symantec Corporation)

Macromedia Flash Player 8

Macromedia Shockwave Player

Malwarebytes' Anti-Malware

MarketResearch

Mavis Beacon Teaches Typing Deluxe 16

MetaFrame Presentation Server Web Client for Win32

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Professional Edition 2003

Microsoft User-Mode Driver Framework Feature Pack 1.0

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

netbrdg

Notifier

OfotoXMI

PanoStandAlone

QuickTime

RCA Digital Cable Modem

Revo Uninstaller 1.88

Security Update for CAPICOM (KB931906)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 7 (KB974455)

Security Update for Windows Internet Explorer 7 (KB976325)

Security Update for Windows Internet Explorer 7 (KB978207)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB981349)

SFR

SHASTA

SiS VGA Utilities

SiSAGP driver

skin0001

SKINXSDK

SolutionCenter

SoundMAX

staticcr

Status

Symantec AntiVirus

Toolbox

tooltips

TrayApp

TuneUp Utilities 2008

Unload

Update for Windows Internet Explorer 7 (KB976749)

Update for Windows Internet Explorer 7 (KB980182)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VPRINTOL

WebFldrs XP

WebReg

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

WinRAR archiver

WIRELESS

==== Event Viewer Messages From Past Week ========

6/22/2010 6:29:44 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss SAVRT SAVRTPEL SYMTDI Tcpip

6/22/2010 6:29:44 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.

6/22/2010 6:29:44 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

6/22/2010 6:29:44 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

6/22/2010 6:29:44 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

6/22/2010 6:28:54 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

6/22/2010 5:28:39 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Symantec AntiVirus service.

6/22/2010 5:27:53 PM, error: Service Control Manager [7034] - The Symantec Settings Manager service terminated unexpectedly. It has done this 1 time(s).

6/22/2010 5:27:53 PM, error: Service Control Manager [7034] - The Symantec Event Manager service terminated unexpectedly. It has done this 1 time(s).

6/22/2010 5:27:53 PM, error: Service Control Manager [7034] - The SoundMAX Agent Service service terminated unexpectedly. It has done this 1 time(s).

6/22/2010 5:27:53 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).

6/22/2010 5:27:53 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).

6/22/2010 5:27:53 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

6/21/2010 6:51:50 PM, error: System Error [1003] - Error code 1000007f, parameter1 0000000d, parameter2 00000000, parameter3 00000000, parameter4 00000000.

6/20/2010 9:45:40 PM, error: Dhcp [1002] - The IP address lease 71.192.57.121 for the Network Card with network address 0016EC54C937 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

6/20/2010 11:46:42 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

6/20/2010 10:31:19 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}

6/20/2010 1:52:08 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

6/20/2010 1:48:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

6/20/2010 1:22:38 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips Processor SAVRT SAVRTPEL SYMTDI

6/20/2010 1:05:15 PM, error: Service Control Manager [7034] - The Symantec AntiVirus Definition Watcher service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

How'd I do?

H

OK all went well. CF ran with the parms in CFScript.txt. Here are the logs:

ComboFix 10-06-22.02 - mike dolphin 06/22/2010 17:28:00.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1247.821 [GMT -4:00]

Running from: c:\documents and settings\mike dolphin\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\mike dolphin\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

file zipped: c:\windows\system32\begapofi

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\mike dolphin\My Documents\AllReg.reg

c:\windows\is-DSI7I.exe

c:\windows\system32\begapofi

.

((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))

.

2010-06-21 22:37 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-21 22:37 . 2010-06-21 22:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-21 22:37 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-21 22:28 . 2010-06-21 22:28 -------- d-----w- c:\documents and settings\mike dolphin\Local Settings\Application Data\TechSmith

2010-06-21 02:42 . 2010-06-22 11:52 -------- d-----w- C:\The Fixx

2010-06-21 01:47 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-06-21 01:47 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-06-21 01:47 . 2008-04-13 18:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2010-06-21 01:47 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2010-06-09 00:39 . 2010-06-21 02:23 -------- d-----w- C:\ProgramData

2010-06-09 00:39 . 2010-06-09 00:39 -------- d-----w- c:\program files\Angle Interactive

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-22 21:37 . 2007-10-03 12:16 -------- d-----w- c:\program files\Symantec AntiVirus

2010-06-22 21:18 . 2007-10-07 21:03 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-22 21:16 . 2007-10-07 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-22 11:54 . 2007-10-07 21:09 -------- d-----w- c:\program files\CCleaner

2010-06-12 11:26 . 2010-02-26 16:00 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2010-05-14 11:26 . 2008-03-09 19:56 -------- d-----w- c:\program files\Google

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSPower"="SiSPower.dll" [2005-08-25 49152]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-23 85696]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2010-04-29 19:39 437584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Universal Installer"="c:\program files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"SoundMAX"="c:\program files\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"c:\\WINDOWS\\system32\\logon.scr"=

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/14/2010 8:14 PM 135664]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 7:27 PM 124608]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv11010

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\1-Click Maintenance.job

- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 20:17]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 00:14]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 00:14]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

BHO-{dfdcac03-890e-4677-ae82-dac4e3a3407c} - perobewe.dll

SharedTaskScheduler-{e7f84a76-87ba-4e3a-9513-fc539134727e} - (no file)

MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-22 17:35

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3980)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\wscntfy.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

.

**************************************************************************

.

Completion time: 2010-06-22 17:41:50 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-22 21:41

Pre-Run: 64,276,541,440 bytes free

Post-Run: 64,234,110,976 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 50B40EAC497ECF73B2E360DF3984B478

DDS (Ver_10-03-17.01) - NTFSx86

Run by mike dolphin at 17:45:19.51 on Tue 06/22/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1247.677 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\mike dolphin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223}

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191791640765

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191792277593

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100620.006\naveng.sys [2010-6-20 85552]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100620.006\navex15.sys [2010-6-20 1347504]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-14 135664]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]

=============== Created Last 30 ================

2010-06-22 21:27:07 0 d-sha-r- C:\cmdcons

2010-06-22 21:25:42 98816 ----a-w- c:\windows\sed.exe

2010-06-22 21:25:42 77312 ----a-w- c:\windows\MBR.exe

2010-06-22 21:25:42 256512 ----a-w- c:\windows\PEV.exe

2010-06-22 21:25:42 161792 ----a-w- c:\windows\SWREG.exe

2010-06-21 22:41:08 0 ----a-w- c:\documents and settings\mike dolphin\defogger_reenable

2010-06-21 22:37:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-21 22:37:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-21 22:37:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-21 02:42:49 0 d-----w- C:\The Fixx

2010-06-21 01:47:14 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-06-21 01:47:14 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-06-21 01:47:01 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2010-06-21 01:47:01 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2010-06-09 00:39:37 0 d-----w- C:\ProgramData

2010-06-09 00:39:37 0 d-----w- c:\program files\Angle Interactive

==================== Find3M ====================

2010-06-12 11:26:47 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2009-04-12 19:23:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009041220090413\index.dat

============= FINISH: 17:45:36.96 ===============

How'd I do?

H


Step 1

Please, uninstall the following applications:

  1. Adobe Reader 7.0.5

You can read how to do this here:

Step 2

  1. Please visit this website: Submit Malware Sample
  2. Against the inscription: "Link to topic where this file was requested:", insert links pointing to this topic in our forum.
  3. Against the inscription: "Browse to the file you want to submit:", click on the Choose... button.
  4. Navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
  5. Against the inscription: "Leave any comments, further information about this file, or contact information:" should be written as follows:
    Sent at the request of Borislav.
  6. Once you're ready, click the Send File button.

Let me know how things are running now.


We are looking good! Seems to be running fine now. No pop-ups, or new windows opening.

Adobe Rdr 7.5 uninstalled.

Did the Qoobox dump. What did the report show you?

Bonus: Uninstalled MBAM 1.46. Reinstalled MBAM 1.46. No need to rename/redirect. Update now works. Full scan now works. Full scan shows no sign of infection.

I'm going to scrap/uninstall SAV 10.0 as it obviously misses stuff. Purchased ESET Smart Security and am set to install that.

Are we good to go?

H


Did you send it?

We need it because it is something that MBAM does not detect.

Yes, Borislav - I sent it the other day.

And now, I've just sent it again a second time.

Please let me know if the file is coming through. I've installed ESET now so I feel better about being fully protected.

It looks like he installed Google Chrome on June 9 - when the problems started. But he doesn't remember where he was installing it from. I've instructed him to be very careful from now on.

Let me know if you have success in reading the file dump.

H


Thanks!

How are things running now?

I would say they're running pretty good.

Scan with MBAM reveals nothing.

Scan with ESET SS comes up with 2 harmless tracking cookies - but nothing else.

Shall we declare victory?

H


  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Here's another scan log just completed.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4244

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/26/2010 3:39:52 PM

mbam-log-2010-06-26 (15-39-52).txt

Scan type: Quick scan

Objects scanned: 126096

Time elapsed: 18 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I think we're clean. Agree?

H


Yeah. ;)

Last steps:

Step 1

* Go to start > run and copy and paste the next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 2

To enable CD Emulation programs using DeFogger please perform these steps:

  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers.
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

Step 3

Please manually delete Defogger, DDS, ResetTeaTimer and GMER.

Step 4

Please download and install the latest version of Adobe Reader from:

www.adobe.com

Step 5

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :o
