Unable to install or run MBAM


melnsue

Hi,

Apologies if the format is incorrect. Daughter's PC exceedingly slow to start up, and waiting for any web page took forever. The original Malwarebytes did not appear to function, nor did SpybotSD. Downloaded both Malwarebytes and SpybotSD to another PC and emailed across. However, I could still not run either program. Reviewed the forum (topic 2936) and downloaded both Avira AntiVir software and HijackThis. The original Norton V3 package was updated to V4, and between the three managed to remove several viruses/Trojans/malware. I have also run the packages in Safe Mode but, apart from a couple more anomalies, I am still unable to run either SpybotSD or Malwarebytes unless I change the filename (not the extension). I have attached the referenced log files and hope this may assist in identifying the root problem. System still seems slow to start up. Thanks in anticipation.

Mel

mbam_log_2010_12_16__17_43_47_.txt

hijackthis.log


Hello Mel! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step. If there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

Step 1

Please open HijackThis and select Do a system scan only.

Check the following entries:

O2 - BHO: (no name) - {3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - (no file)

O2 - BHO: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)

O3 - Toolbar: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)

O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe

O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe

O4 - HKLM\..\Policies\Explorer\Run: []

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.84,93.188.161.224

O22 - SharedTaskScheduler: displume - {d54f12f7-4d76-4c39-a096-e51ef5d33f2b} - (no file)

Then, close all open windows except that of HijackThis, and select Fix Checked.

Step 2

Your database version is 5214, but the current one is 5339, so please:

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 3

Also, I would like you to generate an "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

To get an Uninstall List from HijackThis:

  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

In your next reply, please include these log(s):

  1. Malwarebytes' Anti-Malware log
  2. Add or Remove Programs list
  3. a new, fresh HijackThis log

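As an added example (not from this thread, HijackThis or Malwarebytes), a small Python triage script that codifies the heuristics behind the Step 1 selection above: orphaned CLSID hooks with "(no file)", autoruns under Policies\Explorer\Run or launched from a Temp directory, and O17 NameServer overrides pointing at resolvers the owner did not choose. The sample log is constructed from the entries quoted in this thread; the severity labels and the trusted_dns allow-list are my assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample: the HijackThis entries quoted in this thread, plus two
# benign lines from the later clean log so the triage shows both outcomes.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe
O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe
O4 - HKLM\..\Policies\Explorer\Run: []
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.84,93.188.161.224
O22 - SharedTaskScheduler: displume - {d54f12f7-4d76-4c39-a096-e51ef5d33f2b} - (no file)
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# O4 body layout: "<hive>\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\(?P<key>.*?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")


def parse_entry(line):
    """Split one HijackThis line into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage_entry(line, trusted_dns=()):
    """Return a list of (severity, reason) findings for one entry; [] if it looks benign.

    trusted_dns is an assumed allow-list of public resolvers the owner expects
    (e.g. the ISP's). Private (RFC 1918) addresses are always accepted.
    """
    parsed = parse_entry(line)
    if parsed is None:
        return []
    section, body = parsed
    findings = []

    # O2 / O3 / O22: a CLSID is still registered but its file is gone. Harmless on
    # its own, but it is the residue of something that was removed.
    if section in ("O2", "O3", "O22") and body.endswith("(no file)"):
        findings.append(("medium", "orphaned hook: CLSID registered but backing file missing"))

    # O4: autorun entries. Look at where the key lives and where the binary lives.
    if section == "O4":
        m = O4_RE.match(body)
        if m:
            key, cmd = m.group("key"), m.group("cmd").strip()
            if "Policies\\Explorer\\Run" in key:
                findings.append(("high", "autorun via Policies\\Explorer\\Run, rarely used by legitimate software"))
            if not cmd:
                findings.append(("low", "empty autorun value"))
            elif re.search(r"\\temp\\", cmd, re.IGNORECASE):
                findings.append(("high", "autorun executable lives in a Temp directory"))

    # O17: DNS servers forced on the TCP/IP stack. Public resolvers the owner did
    # not choose mean every name lookup can be redirected.
    if section == "O17":
        m = O17_RE.search(body)
        if m:
            for server in m.group("servers").split(","):
                try:
                    ip = ip_address(server)
                except ValueError:
                    findings.append(("medium", f"unparseable NameServer value {server!r}"))
                    continue
                if not ip.is_private and server not in trusted_dns:
                    findings.append(("high", f"NameServer overridden to untrusted resolver {server}"))
    return findings


def triage_log(text, trusted_dns=()):
    """Run triage over a whole log; returns [(line, findings), ...] for flagged lines only."""
    flagged = []
    for line in text.splitlines():
        findings = triage_entry(line, trusted_dns)
        if findings:
            flagged.append((line, findings))
    return flagged


if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LOG):
        print(line)
        for severity, reason in findings:
            print(f"    [{severity}] {reason}")
```

Run against a full HijackThis log it prints only the lines worth a second look; a benign entry such as the ctfmon.exe autorun produces nothing.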

Hi Borislav,

Thanks for your quick response. I may have carried out some additional scans/removal after the HijackThis log was sent, as only three of the items were still present, these being the following:

O2 - BHO: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)

O3 - Toolbar: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)

O4 - HKLM\..\Policies\Explorer\Run: []

These were checked and fixed.

I updated the Malwarebytes database (now 5343) and carried out the scan. There were no problems found and therefore nothing to disinfect. Note the log file was located here: C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs.

The log file is as follows:

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5343

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

17/12/2010 16:45:25

mbam-log-2010-12-17 (16-45-25).txt

Scan type: Quick scan

Objects scanned: 150498

Time elapsed: 16 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

The Uninstall list from HijackThis is as follows:

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)

Adobe Bridge 1.0

Adobe Common File Installer

Adobe Flash Player 10 ActiveX

Adobe Help Center 1.0

Adobe Illustrator CS2

Adobe Photoshop CS2

Adobe Reader 8.1.2

Adobe Stock Photos 1.0

Adobe SVG Viewer 3.0

AudioConverter Studio 5.9

AVIcodec (remove only)

Avira AntiVir Personal - Free Antivirus

AVS Cover Editor 1.3.1.96 (AVS4YOU)

AVS Disc Creator version 3.5

AVS Update Manager 1.0

AVS Video Converter 6

AVS4YOU Software Navigator 1.3

Critical Update for Windows Media Player 11 (KB959772)

DivX Content Uploader

DivX Converter

DivX Player

DivX Web Player

FrostWire 4.17.0

GearDrvs

GearDrvs

High Definition Audio Driver Package - KB888111

HijackThis 2.0.2

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB952287)

HP Customer Participation Program 7.0

HP Document Viewer 7.0

HP Imaging Device Functions 7.0

HP Photosmart Premier Software 6.5

HP Photosmart, Officejet and Deskjet 7.0.A

HP Solution Center 7.0

HP Update

Java 6 Update 13

Java 6 Update 2

Java 6 Update 3

Java 6 Update 5

Java 6 Update 7

Java SE Runtime Environment 6 Update 1

K-Lite Codec Pack 4.2.5 (Full)

Macromedia Dreamweaver 8

Macromedia Extension Manager

Magic FLAC to MP3 Converter 3.71

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Professional Edition 2003

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Mozilla Firefox (2.0.0.14)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Nero 8

neroxml

NETGEAR WPN311 Wireless Adapter

Network Stumbler 0.4.0 (remove only)

Nokia Connectivity Cable Driver

Nokia MTP driver

Nokia PC Connectivity Solution

Nokia PC Suite

Nokia Software Launcher

Norton 360

Norton 360

NVIDIA Drivers

OCR Software by I.R.I.S 7.0

Panda ActiveScan 2.0

QuickTime

Realtek High Definition Audio Driver

Security Update for Windows Internet Explorer 7 (KB2183461)

Security Update for Windows Internet Explorer 7 (KB2360131)

Security Update for Windows Internet Explorer 7 (KB2416400)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Spybot - Search & Destroy

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21)

Windows Live Messenger

Windows Live OneCare safety scanner

Windows Media Format 11 runtime

Windows Media Format 11 runtime

Windows Media Player 11

Windows Media Player 11

Windows XP Service Pack 3

WinRAR archiver

Latest HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:48:37, on 17/12/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17093)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\NETGEAR\WPN311\wlancfg5.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\4.3.0.5\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\4.3.0.5\IPSBHO.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\4.3.0.5\coIEPlg.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: NETGEAR WPN311 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6770.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184749948687

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--

End of file - 6201 bytes

Apart from updating Malwarebytes version I have made no other changes (install/uninstall). mbam.exe and SpybotSD.exe have still got alternative names. I will await your response/advice before attempting to run these under their proper filenames.

Thanks again.


Thanks!

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
    (screenshots: CF_download_FF.gif, CF_download_rename.gif)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Hi,

Do not know what has happened, but I had posted the following reply on 21 December and only looked today, as I have been down with the dreaded flu, and noted my feedback was missing. No doubt I made an error.

ComboFix 10-12-20.05 - Owner 21/12/2010 17:53:11.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3007.2446 [GMT 0:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\windows\system32\dumphive.exe

c:\windows\system32\pthreadVC.dll

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Service_usnjsvc

-------\Legacy_NPF

((((((((((((((((((((((((( Files Created from 2010-11-21 to 2010-12-21 )))))))))))))))))))))))))))))))

.

2010-12-16 17:46 . 2010-12-16 17:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira

2010-12-15 22:43 . 2010-12-15 22:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-12-15 12:17 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-15 12:17 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

2010-12-12 15:24 . 2008-04-17 21:12 107368 ----a-r- c:\windows\system32\GEARAspi.dll

2010-12-12 15:24 . 2010-12-12 15:24 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-12-12 15:24 . 2010-12-12 15:24 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-12-12 15:24 . 2010-12-12 15:24 -------- d-----w- c:\program files\Symantec

2010-12-12 15:23 . 2010-12-13 16:55 -------- d-----w- c:\windows\system32\drivers\N360

2010-12-12 15:23 . 2010-12-12 15:23 -------- d-----w- c:\program files\Norton 360

2010-12-12 15:23 . 2010-12-12 15:23 -------- d-----w- c:\program files\Windows Sidebar

2010-12-12 15:10 . 2010-12-12 15:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira

2010-12-12 13:43 . 2010-12-12 13:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-12-12 13:30 . 2010-12-17 17:48 -------- d-----w- c:\program files\Trend Micro

2010-12-12 13:24 . 2010-12-21 16:36 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-12-12 13:24 . 2010-12-12 13:24 -------- d-----w- c:\program files\Avira

2010-12-12 13:24 . 2010-12-12 13:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-12-12 13:24 . 2010-11-30 18:13 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-12-12 13:24 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-12-12 13:24 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-12-12 05:59 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-12-12 05:59 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-12-12 05:58 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2010-12-12 05:43 . 2005-08-27 02:38 1435272 ----a-w- c:\windows\system32\Flash.ocx

2010-12-12 05:43 . 2004-05-11 10:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll

2010-12-12 05:43 . 2004-03-09 00:00 131856 ----a-w- c:\windows\system32\MSADODC.ocx

2010-12-12 05:43 . 2003-11-19 14:59 512688 ----a-w- c:\windows\system32\XceedCry.dll

2010-12-12 05:43 . 2002-03-04 13:27 1140472 ----a-w- c:\windows\system32\IGUltraGrid20.ocx

2010-12-12 05:43 . 2001-04-20 02:28 28672 ----a-w- c:\windows\system32\systray.ocx

2010-12-12 05:43 . 2004-02-05 21:53 389120 ----a-w- c:\windows\system32\ACTSKN43.OCX

2010-12-12 05:43 . 2004-01-09 11:54 188416 ----a-w- c:\windows\system32\actsplash.ocx

2010-12-12 05:43 . 2001-07-28 13:50 265753 ----a-w- c:\windows\system32\AS-Exp2.ocx

2010-12-12 05:43 . 2001-03-28 23:02 89088 ----a-w- c:\windows\system32\ProgressBar4.ocx

2010-12-12 05:43 . 2000-07-15 06:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL

2010-12-12 05:43 . 2010-12-12 05:43 -------- d-----w- c:\program files\MalwareSweeper.com

2010-12-11 16:00 . 2010-12-11 22:57 -------- d-----w- c:\program files\Windows Live Safety Center

2010-12-11 15:12 . 2006-03-16 03:39 167808 ----a-r- c:\windows\system32\drivers\wg111v2.sys

2010-12-06 20:48 . 2010-11-29 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-06 20:48 . 2010-11-29 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-06 20:44 . 2010-12-16 23:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-06 20:44 . 2010-12-06 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-18 18:12 . 2007-03-17 11:19 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:34 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:34 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-11-06 00:34 . 2006-02-28 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2010-11-06 00:34 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-11-03 12:25 . 2006-02-28 12:00 389120 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2006-02-28 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2006-02-28 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2008-03-04 18:18 . 2008-03-04 18:18 7570944 ----a-w- c:\program files\ica32web.msi

2009-03-31 21:47 . 2008-12-01 17:10 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

2008-08-29 15:53 . 2007-09-02 14:42 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2008-08-29 15:53 . 2007-09-02 14:42 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2008-08-29 15:53 . 2007-09-02 14:42 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2008-08-29 15:53 . 2007-09-02 14:42 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2008-08-29 15:53 . 2007-09-02 14:42 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-12 7626752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

NETGEAR WPN311 Smart Wizard.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2006-12-4 1503232]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk

backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-01-11 22:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]

2008-02-18 16:29 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2008-02-28 09:59 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2006-07-12 05:19 7626752 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2006-07-12 05:19 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]

2006-06-27 16:21 1449984 ----a-w- c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-05-27 09:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe

"NapsterShell"=c:\program files\Napster\napster.exe /systray

"NSLauncher"=c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup

"SkyTel"=SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"67:UDP"= 67:UDP:DHCP Discovery Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [15/11/2008 10:20 28544]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [13/12/2010 16:47 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [13/12/2010 16:47 173104]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [23/11/2010 03:34 691248]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [13/12/2010 16:47 501888]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [13/12/2010 16:47 116784]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/12/2010 13:24 135336]

R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccsvchst.exe [13/12/2010 16:46 126392]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/12/2010 15:31 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101217.001\IDSXpx86.sys [21/12/2010 16:43 341944]

R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [11/12/2010 15:12 167808]

S3 NB762_XP;NB 802.11g XG762 1211B Driver;c:\windows\system32\drivers\WlanUZXP.sys [20/03/2007 11:39 437760]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9gt7ynpl.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-21 18:10

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\Owner\LOCALS~1\Temp\RGI3.tmp 7075 bytes

scan completed successfully

hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: MAXTOR_STM3160211AS rev.3.AAE -> Harddisk0\DR0 -> \Device\00000032

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AC28EC5]<<

_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x887db872; SUB DWORD [EBP-0x4], 0x887db12e; PUSH EDI; CALL 0xffffffffffffdf33; }

1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8AE01AB8]

3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000073[0x8ADA4F18]

5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8AE01030]

[0x8AB56608] -> IRP_MJ_CREATE -> 0x8AC28EC5

error: Read The system cannot find the file specified.

kernel: MBR read successfully

_asm { CLD ; XOR AX, AX; MOV SS, AX; XOR SP, SP; MOV DS, AX; MOV ES, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x100; REP MOVSW ; MOV SI, 0x7ee; MOV AL, 0x8; JMP FAR 0x0:0x620; }

detected disk devices:

\Device\00000072 -> \??\IDE#DiskMAXTOR_STM3160211AS_____________________3.AAE___#202020202020202020

2020205036335437465A39#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-1993962763-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3218D2EC-FC3E-702F-F101-3705B438DFF5}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iaackaecjjomgnkllc"=hex:6b,61,70,6f,68,6c,64,6d,62,70,6e,6b,67,6c,6a,6f,65,61,

69,6d,69,6e,00,00

"haklmodbdnlgkclg"=hex:6b,61,6d,70,6c,6c,64,70,66,6c,65,68,69,6b,68,66,6d,62,

70,64,6a,6d,00,00

[HKEY_USERS\S-1-5-21-299502267-1993962763-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:d0,8e,54,46,04,a3,96,7d,c1,62,cd,2d,3a,96,22,e0,a6,b5,cc,a5,a7,bd,b6,

41,49,aa,6a,0c,88,91,ea,1e,26,ee,80,3d,e5,a3,12,93,cd,d1,36,12,af,f5,0f,84,\

"??"=hex:cd,37,ed,9f,f7,d5,ff,e2,07,5c,7f,5d,df,39,f8,05

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1308)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll

c:\windows\system32\ConnAPI.DLL

c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr

c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\acs.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\windows\system32\IoctlSvc.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\program files\Avira\AntiVir Desktop\avgnt.exe

.

**************************************************************************

.

Completion time: 2010-12-21 18:23:45 - machine was rebooted

ComboFix-quarantined-files.txt 2010-12-21 18:23

Pre-Run: 28,140,052,480 bytes free

Post-Run: 27,955,580,928 bytes free

- - End Of File - - AAECFF2BA6E6DB931E31EA500E65AC62


Step 1

First of all, you should not have more than one anti-virus program installed, as they will conflict and cause problems. You have two, so you need to uninstall one of them. Of the two, I would recommend keeping Avira, so please uninstall Norton 360.

Step 2

Open Notepad and copy and paste the following into it:

REGEDIT4

; full path of the key that ComboFix abbreviates as HKLM\~\services\...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-

Save this as fix.reg. Choose to save as All Files and place it on your desktop.

Double-click it and, when prompted, click Yes and then OK.

Then reboot your computer to apply the changes.

Step 3

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click TDSSKiller.exe to run the application, then click Start Scan.
  • If an infected file is detected, the default action will be Cure; click Continue.
  • If a suspicious file is detected, the default action will be Skip; change it to Cure and then click Continue.
  • It may ask you to reboot the computer to complete the process. Click Reboot Now.
  • Click the Report button and copy/paste its contents into your next reply.

Note: It will also create a log in the C:\ directory.

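The ComboFix report above packs several findings a helper acts on into its "Reg Loading Points" and "LOCKED REGISTRY KEYS" sections: the firewall profile with EnableFirewall=0, the file-sharing clients allowed through it, Security Center monitoring switched off, and hex: data under a locked key whose bytes are worth decoding before deciding whether it is text or a binary blob. Step 2 then removes one of those firewall entries with a .reg file. The script below is an added example for this thread, not ComboFix's, Malwarebytes' or the helper's own code. It parses a constructed excerpt of the log in ComboFix's own notation, reports those findings, decodes the hex: values, and generates the fix.reg in the same "name"=- form as Step 2. Two things are assumptions of the example: the list of P2P client names it flags, and the expansion of ComboFix's `HKLM\~` shorthand to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services`, which is the full key a .reg file needs because regedit does not resolve the shorthand.

```python
"""Triage of a ComboFix-style log excerpt (added example, not ComboFix's or
the helper's own code; see the lead-in for what it assumes)."""
import re

# Constructed excerpt of the log posted above, in ComboFix's own notation.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
[HKEY_USERS\S-1-5-21-299502267-1993962763-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3218D2EC-FC3E-702F-F101-3705B438DFF5}*]
"iaackaecjjomgnkllc"=hex:6b,61,70,6f,68,6c,64,6d,62,70,6e,6b,67,6c,6a,6f,65,61,
69,6d,69,6e,00,00
"haklmodbdnlgkclg"=hex:6b,61,6d,70,6c,6c,64,70,66,6c,65,68,69,6b,68,66,6d,62,
70,64,6a,6d,00,00
'''

# ComboFix writes the XP firewall profile key with its '~' shorthand; the full
# key below is what regedit needs (assumption: '~' stands for
# SYSTEM\CurrentControlSet in this part of the report).
CF_PROFILE = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
CF_AUTHORIZED = CF_PROFILE + r"\AuthorizedApplications\List"
FULL_AUTHORIZED = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                   r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring"
P2P_MARKERS = ("limewire", "frostwire", "utorrent", "kazaa", "emule")  # assumed list

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*(.*)$')  # "name"=data


def parse_sections(text):
    """Map each [key] to its (name, raw_data) pairs; hex: data that ComboFix
    wraps onto following lines (trailing ',' or '\\') is joined back together."""
    sections, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:                       # continued hex: data
            name, data = pending
            data += line.rstrip("\\")
            pending = (name, data) if line.endswith((",", "\\")) else None
            if pending is None:
                sections[current].append((name, data))
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith("hex:") and line.endswith((",", "\\")):
                pending = (name, data.rstrip("\\"))
            else:
                sections[current].append((name, data))
    return sections


def hex_to_ascii(data):
    """'hex:6b,61,...' -> printable ASCII up to the first NUL, else None."""
    if not data.startswith("hex:"):
        return None
    raw = bytes(int(p, 16) for p in data[4:].split(",") if p.strip())
    head = raw.split(b"\x00", 1)[0]
    return head.decode("ascii") if head and all(0x20 <= b < 0x7F for b in head) else None


def triage(text):
    """Findings a helper acts on: firewall off, P2P clients allowed through it,
    Security Center monitoring switched off, and what the locked-key data says."""
    sections = parse_sections(text)
    report = {"firewall_disabled": False, "p2p_allowed": [],
              "monitoring_disabled": False, "decoded_values": {}}
    for name, data in sections.get(CF_PROFILE, []):
        if name == "EnableFirewall" and data.split()[:1] == ["0"]:
            report["firewall_disabled"] = True
    for name, _ in sections.get(CF_AUTHORIZED, []):
        if any(marker in name.lower() for marker in P2P_MARKERS):
            report["p2p_allowed"].append(name)
    for name, data in sections.get(SECURITY_CENTER, []):
        if name == "DisableMonitoring" and data.lower() == "dword:00000001":
            report["monitoring_disabled"] = True
    for key, values in sections.items():
        if "Shell Extensions\\Approved" in key:
            for name, data in values:
                report["decoded_values"][name] = hex_to_ascii(data)
    return report


def build_fix_reg(value_names, key=FULL_AUTHORIZED):
    """REGEDIT4 text deleting the named values ('"name"=-' removes a value).
    Names are used as ComboFix printed them, already escaped for a .reg file;
    save the result as ANSI with CRLF line ends before importing it."""
    lines = ["REGEDIT4", "", "[%s]" % key] + ['"%s"=-' % n for n in value_names]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for item in found.items():
        print("%s: %s" % item)
    print(build_fix_reg(found["p2p_allowed"]))
```

Run stand-alone it prints the findings and a ready-to-save fix.reg covering all three P2P clients rather than LimeWire alone. On the excerpt the two locked-key values decode to lowercase ASCII strings, which tells you the data is text rather than a signature or binary blob; the script makes no claim about what wrote them. Names that ComboFix prints with doubled backslashes are reused verbatim because that is already the escaped form a .reg file expects.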

Hi,

I have removed Norton, though having just renewed the subscription I presume you have good reasons for preferring Avira. I carried out the fix.reg, and downloaded and ran TDSSKiller. One infected and one suspicious file were identified. However, there was no Cure option for the latter, just Skip, Copy to Quarantine and Delete. I chose Quarantine. Ironically I had experienced loss of the mouse driver/driver corruption during the initial phase, and this file appears to relate to a driver file. Unfortunately after reboot I again lost mouse control, which is why it has taken me some time to respond once again. I did not wish to re-install a driver until you had viewed the feedback and hopefully provided a solution; keyboard strokes are not my forte. Here is the log file, though to the unenlightened it does not appear to say a lot:

2010/12/28 14:12:33.0265 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46

2010/12/28 14:12:33.0265 ================================================================================

2010/12/28 14:12:33.0265 SystemInfo:

2010/12/28 14:12:33.0265

2010/12/28 14:12:33.0265 OS Version: 5.1.2600 ServicePack: 3.0

2010/12/28 14:12:33.0265 Product type: Workstation

2010/12/28 14:12:33.0265 ComputerName: TREDSONIC

2010/12/28 14:12:33.0265 UserName: Owner

2010/12/28 14:12:33.0265 Windows directory: C:\WINDOWS

2010/12/28 14:12:33.0265 System windows directory: C:\WINDOWS

2010/12/28 14:12:33.0265 Processor architecture: Intel x86

2010/12/28 14:12:33.0265 Number of processors: 1

2010/12/28 14:12:33.0265 Page size: 0x1000

2010/12/28 14:12:33.0265 Boot type: Normal boot

2010/12/28 14:12:33.0265 ================================================================================

2010/12/28 14:12:33.0437 Initialize success


Hi,

Carried out a further TDSSKiller scan just now; the log file is as follows. I still do not have mouse control, though.

2010/12/30 10:51:40.0546 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46

2010/12/30 10:51:40.0546 ================================================================================

2010/12/30 10:51:40.0546 SystemInfo:

2010/12/30 10:51:40.0546

2010/12/30 10:51:40.0546 OS Version: 5.1.2600 ServicePack: 3.0

2010/12/30 10:51:40.0546 Product type: Workstation

2010/12/30 10:51:40.0546 ComputerName: TREDSONIC

2010/12/30 10:51:40.0546 UserName: Owner

2010/12/30 10:51:40.0546 Windows directory: C:\WINDOWS

2010/12/30 10:51:40.0546 System windows directory: C:\WINDOWS

2010/12/30 10:51:40.0546 Processor architecture: Intel x86

2010/12/30 10:51:40.0546 Number of processors: 1

2010/12/30 10:51:40.0546 Page size: 0x1000

2010/12/30 10:51:40.0546 Boot type: Normal boot

2010/12/30 10:51:40.0546 ================================================================================

2010/12/30 10:51:40.0781 Initialize success


Hi,

Thanks for the feedback; I had the flu bug but am back on track. Uninstalled/re-installed the mouse driver, also deleted the existing ComboFix and downloaded/ran the new file. Log file as follows:

ComboFix 11-01-05.01 - Owner 05/01/2011 20:13:16.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3007.2474 [GMT 0:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))

.

2010-12-28 14:02 . 2010-12-28 14:02 -------- d-----w- C:\TDSSKiller_Quarantine

2010-12-28 12:35 . 2010-12-28 12:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Tific

2010-12-16 17:46 . 2010-12-16 17:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira

2010-12-15 22:43 . 2010-12-15 22:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-12-15 12:17 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys

2010-12-15 12:17 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

2010-12-12 15:23 . 2010-12-12 15:23 -------- d-----w- c:\program files\Windows Sidebar

2010-12-12 15:10 . 2010-12-12 15:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira

2010-12-12 13:43 . 2010-12-12 13:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-12-12 13:30 . 2010-12-17 17:48 -------- d-----w- c:\program files\Trend Micro

2010-12-12 13:24 . 2010-12-21 16:36 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-12-12 13:24 . 2010-12-12 13:24 -------- d-----w- c:\program files\Avira

2010-12-12 13:24 . 2010-12-12 13:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-12-12 13:24 . 2010-11-30 18:13 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-12-12 13:24 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-12-12 13:24 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-12-12 05:59 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-12-12 05:59 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-12-12 05:58 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2010-12-12 05:43 . 2005-08-27 02:38 1435272 ----a-w- c:\windows\system32\Flash.ocx

2010-12-12 05:43 . 2004-05-11 10:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll

2010-12-12 05:43 . 2004-03-09 00:00 131856 ----a-w- c:\windows\system32\MSADODC.ocx

2010-12-12 05:43 . 2003-11-19 14:59 512688 ----a-w- c:\windows\system32\XceedCry.dll

2010-12-12 05:43 . 2002-03-04 13:27 1140472 ----a-w- c:\windows\system32\IGUltraGrid20.ocx

2010-12-12 05:43 . 2001-04-20 02:28 28672 ----a-w- c:\windows\system32\systray.ocx

2010-12-12 05:43 . 2004-02-05 21:53 389120 ----a-w- c:\windows\system32\ACTSKN43.OCX

2010-12-12 05:43 . 2004-01-09 11:54 188416 ----a-w- c:\windows\system32\actsplash.ocx

2010-12-12 05:43 . 2001-07-28 13:50 265753 ----a-w- c:\windows\system32\AS-Exp2.ocx

2010-12-12 05:43 . 2001-03-28 23:02 89088 ----a-w- c:\windows\system32\ProgressBar4.ocx

2010-12-12 05:43 . 2000-07-15 06:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL

2010-12-12 05:43 . 2010-12-12 05:43 -------- d-----w- c:\program files\MalwareSweeper.com

2010-12-11 16:00 . 2010-12-11 22:57 -------- d-----w- c:\program files\Windows Live Safety Center

2010-12-11 15:12 . 2006-03-16 03:39 167808 ----a-r- c:\windows\system32\drivers\wg111v2.sys

2010-12-06 20:48 . 2010-11-29 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-06 20:48 . 2010-11-29 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-06 20:44 . 2010-12-16 23:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-06 20:44 . 2010-12-06 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-28 14:04 . 2006-02-28 12:00 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys

2010-11-18 18:12 . 2007-03-17 11:19 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:34 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:34 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-11-06 00:34 . 2006-02-28 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl

2010-11-06 00:34 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-11-03 12:25 . 2006-02-28 12:00 389120 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2006-02-28 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25 . 2006-02-28 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2008-03-04 18:18 . 2008-03-04 18:18 7570944 ----a-w- c:\program files\ica32web.msi

2009-03-31 21:47 . 2008-12-01 17:10 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

2008-08-29 15:53 . 2007-09-02 14:42 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2008-08-29 15:53 . 2007-09-02 14:42 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2008-08-29 15:53 . 2007-09-02 14:42 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2008-08-29 15:53 . 2007-09-02 14:42 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2008-08-29 15:53 . 2007-09-02 14:42 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-12 7626752]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-30 281768]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

NETGEAR WPN311 Smart Wizard.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2006-12-4 1503232]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk

backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-01-11 22:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]

2008-02-18 16:29 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2008-02-28 09:59 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2006-07-12 05:19 7626752 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2006-07-12 05:19 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]

2006-06-27 16:21 1449984 ----a-w- c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-05-27 09:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe

"NapsterShell"=c:\program files\Napster\napster.exe /systray

"NSLauncher"=c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup

"SkyTel"=SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"67:UDP"= 67:UDP:DHCP Discovery Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [15/11/2008 10:20 28544]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/12/2010 13:24 135336]

R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [11/12/2010 15:12 167808]

S3 NB762_XP;NB 802.11g XG762 1211B Driver;c:\windows\system32\drivers\WlanUZXP.sys [20/03/2007 11:39 437760]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9gt7ynpl.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-05 20:18

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-1993962763-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3218D2EC-FC3E-702F-F101-3705B438DFF5}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iaackaecjjomgnkllc"=hex:6b,61,70,6f,68,6c,64,6d,62,70,6e,6b,67,6c,6a,6f,65,61,

69,6d,69,6e,00,00

"haklmodbdnlgkclg"=hex:6b,61,6d,70,6c,6c,64,70,66,6c,65,68,69,6b,68,66,6d,62,

70,64,6a,6d,00,00

[HKEY_USERS\S-1-5-21-299502267-1993962763-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:d0,8e,54,46,04,a3,96,7d,c1,62,cd,2d,3a,96,22,e0,a6,b5,cc,a5,a7,bd,b6,

41,49,aa,6a,0c,88,91,ea,1e,26,ee,80,3d,e5,a3,12,93,cd,d1,36,12,af,f5,0f,84,\

"??"=hex:cd,37,ed,9f,f7,d5,ff,e2,07,5c,7f,5d,df,39,f8,05

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3176)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-01-05 20:21:36

ComboFix-quarantined-files.txt 2011-01-05 20:21

ComboFix2.txt 2010-12-21 18:23

Pre-Run: 28,651,708,416 bytes free

Post-Run: 28,654,510,080 bytes free

- - End Of File - - E4E1748194E4188776CA4E58F5067AD2

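The "LOCKED REGISTRY KEYS" block in the ComboFix log above is written in .reg-export syntax: a bracketed key path, then the ACEs ComboFix could see ("@Allowed"/"@Denied" with the right and the trustee), then the key's values, with long hex: data wrapped across lines. As an added worked example (my code, not ComboFix's, Malwarebytes' or anyone's in this thread), the Python below parses that section, decodes the hex: values to text where they are printable ASCII, and lists the two things a helper looks at first: keys locked by a Deny ACE, and value names/data that are long lowercase-only strings. The sample input is constructed by copying lines from the log posted above; the continuation-line handling and the lowercase-only heuristic are my assumptions, not anything ComboFix documents.

```python
"""Parse the LOCKED REGISTRY KEYS section of a ComboFix log and triage it.

Added example for this thread; not ComboFix's or Malwarebytes' own code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Constructed sample: lines copied from the log posted above, cut down to the
# locked-keys section plus the next header (which terminates it).
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-299502267-1993962763-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3218D2EC-FC3E-702F-F101-3705B438DFF5}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaackaecjjomgnkllc"=hex:6b,61,70,6f,68,6c,64,6d,62,70,6e,6b,67,6c,6a,6f,65,61,
69,6d,69,6e,00,00
"haklmodbdnlgkclg"=hex:6b,61,6d,70,6c,6c,64,70,66,6c,65,68,69,6b,68,66,6d,62,
70,64,6a,6d,00,00
[HKEY_USERS\S-1-5-21-299502267-1993962763-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:d0,8e,54,46,04,a3,96,7d,c1,62,cd,2d,3a,96,22,e0,a6,b5,cc,a5,a7,bd,b6,
41,49,aa,6a,0c,88,91,ea,1e,26,ee,80,3d,e5,a3,12,93,cd,d1,36,12,af,f5,0f,84,\
"??"=hex:cd,37,ed,9f,f7,d5,ff,e2,07,5c,7f,5d,df,39,f8,05
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
ACE_RE = re.compile(r"^@(Allowed|Denied): \((.+?)\) \((.+?)\)$")
HEX_RE = re.compile(r'^"([^"]*)"=hex:(.*)$')
CONT_RE = re.compile(r"^[0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*,?\\?$")  # wrapped hex data
STR_RE = re.compile(r'^(@|"[^"]*")="(.*)"$')
DWORD_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')
LOWER_RUN = re.compile(r"^[a-z]{12,}$")  # assumption: my own "random-looking" rule

Value = Union[str, bytes, int]


@dataclass
class LockedKey:
    path: str
    allowed: List[str] = field(default_factory=list)  # "<right> <trustee>"
    denied: List[str] = field(default_factory=list)
    values: Dict[str, Value] = field(default_factory=dict)


def decode_hex(csv: str) -> Value:
    """Turn '6b,61,...' (possibly wrapped with a trailing backslash) into str or bytes."""
    parts = [p for p in csv.replace("\\", "").split(",") if p.strip()]
    raw = bytes(int(p, 16) for p in parts)
    body = raw.rstrip(b"\x00")  # REG_SZ stored as hex ends in NUL terminators
    if body and all(0x20 <= b < 0x7F for b in body):
        return body.decode("ascii")  # printable ASCII: show it as text
    return raw


def parse_locked_keys(text: str) -> List[LockedKey]:
    """Return one LockedKey per bracketed key in the LOCKED REGISTRY KEYS section."""
    keys: List[LockedKey] = []
    cur: Optional[LockedKey] = None
    in_section = False
    pending: Optional[str] = None  # name of a hex value still being assembled
    chunks: List[str] = []

    def flush() -> None:
        nonlocal pending, chunks
        if cur is not None and pending is not None:
            cur.values[pending] = decode_hex(",".join(chunks))
        pending, chunks = None, []

    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----"):  # ComboFix section header
            if in_section:
                break  # the locked-keys section is over
            in_section = "LOCKED REGISTRY KEYS" in line
            continue
        if not in_section or not line or line == ".":
            continue
        if pending is not None and CONT_RE.match(line):
            chunks.append(line)  # wrapped continuation of the current hex value
            continue
        flush()
        if m := KEY_RE.match(line):
            cur = LockedKey(path=m.group(1))
            keys.append(cur)
        elif cur is None:
            continue
        elif m := ACE_RE.match(line):
            kind, right, trustee = m.groups()
            (cur.allowed if kind == "Allowed" else cur.denied).append(f"{right} {trustee}")
        elif m := HEX_RE.match(line):
            pending, chunks = m.group(1), [m.group(2)]
        elif m := STR_RE.match(line):
            cur.values[m.group(1).strip('"')] = m.group(2).replace("\\\\", "\\")
        elif m := DWORD_RE.match(line):
            cur.values[m.group(1)] = int(m.group(2), 16)
    flush()
    return keys


def triage(keys: List[LockedKey]) -> List[str]:
    """Findings a helper would check first: Deny ACEs, and lowercase-only name/data pairs."""
    findings: List[str] = []
    for k in keys:
        for ace in k.denied:
            findings.append(f"DENY ACE ({ace}) locks {k.path}")
        for name, val in k.values.items():
            if isinstance(val, str) and LOWER_RUN.match(name) and LOWER_RUN.match(val):
                findings.append(f"lowercase-only value {name}={val!r} under {k.path}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_locked_keys(SAMPLE_LOG)):
        print(finding)
```

A Deny ACE for Everyone is exactly what makes a key "locked" from ComboFix's point of view; on its own it is not evidence of infection, and the FlashBroker CLSID entries are a common benign case of it. The two hex values under Shell Extensions\Approved decode to lowercase strings ("kapohldmbpnkgljoeaimin" and "kamplldpflehikhfmbpdjm"), which is why the heuristic surfaces them; whether they matter is for the helper to judge against the rest of the log, not something this script decides.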

  • Launch Malwarebytes' Anti-Malware
  • Go to the "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to the "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Let me know how things are running now.


Hi

I downloaded the latest version of malwarebytes and c/o scan as requested. The log file is as follows, which looks good to me:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5471

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

06/01/2011 18:29:40

mbam-log-2011-01-06 (18-29-40).txt

Scan type: Quick scan

Objects scanned: 152505

Time elapsed: 8 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Good! :blink:

Last steps:

Step 1

  1. Go to Start => Run... and copy & paste the next command into the field:
    ComboFix /uninstall

  2. Then hit the Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Reset System Restore again

P.S.: Make sure there's a space between ComboFix and /uninstall

Step 2

Please uninstall HiJackThis.

Step 3

Please manually delete TDSSKiller.

Step 4

Keep your software up-to-date:

www.bleepingcomputer.com/tutorials/tutorial174.html

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :blink:


This topic is now closed to further replies.