Jump to content

Bad Image - C:\windows\system32\wiki.dll


Recommended Posts

Windows XP. System had AVG Free when it got infected.

Have been getting tons of popups that follow this format:

Dialog window header: NOTEPAD.EXE - Bad Image

Message in dialog: The application or DLL C:\WINDOWS\system32\WIKI.DLL is not a valid Windows image. Please check this against your installation diskette.

OK button is only choice.

On bootup, I'll see this dialog twenty times as everything loads.

After that, I get it once for each app I launch.

Tried MBAM, it said it cleaned a bunch of things, but this hasn't gone away. Also tried SuperAntiSpyware to no avail.

THANK YOU!!!!!

Brian

MBAM LOGS

--------------------------

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7213

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/20/2011 3:26:46 PM

mbam-log-2011-07-20 (15-26-46).txt

Scan type: Quick scan

Objects scanned: 180540

Time elapsed: 23 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\MyWaySearchAssistantDE.Auxiliary (Adware.MyWaySearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\MyWaySearchAssistantDE.Auxiliary.1 (Adware.MyWaySearch) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

--------------------------------------

DDS

-----------------------------

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Kelly at 15:49:43 on 2011-07-20

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.498 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\WLANSTA.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Belkin\F5D9010\Belkinwcui.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\AVG\AVG10\avgrsx.exe

C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\Documents and Settings\Kelly\Desktop\dds.com

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uLocal Page = \blank.htm

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://www.msn.com

uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: X1IEHook Class: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\juno\qsacc\X1IEBHO.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup

uRun: [Microsoft Works Update Detection] ???\WkDetect.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"

uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [WLANSTA.EXE] WLANSTA.EXE START

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"

mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"

mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"

mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"

mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun

mRun: [brStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN

mRun: [F5D9010] c:\program files\belkin\f5d9010\Belkinwcui.exe

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\sandisk\sandisk transfermate\SD Monitor.exe

IE: Display All Images with Full Quality - c:\program files\juno\qsacc\appres.dll/228

IE: Display Image with Full Quality - c:\program files\juno\qsacc\appres.dll/227

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.09.13&unknown&unknown&http://www.sonystyle.com/is-bin/INTERSHOP.enfinity/eCS/Store/en/-/USD/SY_BrowseCatalog-Start?CategoryName=cpu_VAIONotebookComputers_A600&Dept=computers

DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxps://www.cchs.net/onlinelearning/include/web_players7/awswaxd.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab

DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

DPF: {EF6E7E56-9229-4C73-AAD0-15316405DB95} - hxxp://preview.keager.photosite.com/~site/UploadBox/UploadBox_live.cab

Filter: text/html - {ce9ab388-3df3-4b49-8235-f0fde0eb7f7b} -

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: WIKI.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]

R1 vcdrom;Virtual CD-ROM Device Driver;c:\vcd\VCdRom.sys [2001-12-19 8576]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-20 366640]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-25 24652]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]

R3 BKNDIS5;BKNDIS5 NDIS Protocol Driver;c:\progra~1\belkin\f5d9010\BKNDIS5.SYS [2011-6-5 15872]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-20 22712]

R3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys [2011-6-5 19968]

S3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2011-3-26 245760]

S3 CW10;Prism PCMCIA Wireless LAN Driver;c:\windows\system32\drivers\cw10.sys [2005-12-9 36764]

S3 ndcprtns;NDC Network Agent;c:\windows\system32\drivers\ndcprtns.sys [2005-12-9 9328]

S3 WLAN;Red Inalambrica Local 802.11b WLAN Driver;c:\windows\system32\drivers\WLANNDS.sys [2002-8-29 593920]

S3 WLANRB;NETGEAR Wireless 802.11b LAN RB Driver;c:\windows\system32\drivers\MA401RB.sys [2008-4-8 593920]

.

=============== Created Last 30 ================

.

2011-07-20 18:52:11 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-20 18:52:04 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-20 18:52:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-20 15:04:57 2321288 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\backup\mpengine.dll

2011-07-20 15:04:25 7074640 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{a5113959-209c-4bff-a5d9-eb94de1f7a4d}\mpengine.dll

2011-07-20 15:04:21 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-07-20 13:51:31 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-07-20 13:51:31 -------- d-----w- c:\windows\system32\wbem\Repository

2011-07-20 01:59:07 -------- d-----w- c:\documents and settings\kelly\application data\Malwarebytes

2011-07-20 01:58:54 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-07-19 22:41:52 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-07-19 22:41:51 -------- d-----w- c:\documents and settings\kelly\application data\SUPERAntiSpyware.com

2011-07-19 22:40:15 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-07-12 10:45:00 20 ----a-w- c:\windows\system32\WIKI.DLL

2011-06-28 03:09:10 -------- d-----w- c:\program files\MSECache

.

==================== Find3M ====================

.

2011-07-02 23:45:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-06 03:50:53 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-26 11:07:50 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec

.

============= FINISH: 15:52:29.48 ===============

-------------------------------------------------------------------------

ark.zip

attach.zip

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

The symptoms seem to be gone. Is it fully cleaned??

MBAM log

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7264

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/24/2011 4:37:11 PM

mbam-log-2011-07-24 (16-37-11).txt

Scan type: Quick scan

Objects scanned: 181180

Time elapsed: 44 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix log

ComboFix 11-07-24.01 - Kelly 07/24/2011 18:05:58.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.444 [GMT -4:00]

Running from: c:\documents and settings\Kelly\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Kelly\WINDOWS

c:\program files\Shared

c:\windows\system32\rnaph.dll

c:\windows\system32\WIKI.DLL

.

.

((((((((((((((((((((((((( Files Created from 2011-06-24 to 2011-07-24 )))))))))))))))))))))))))))))))

.

.

2011-07-24 20:10 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{E39E167E-991E-4E52-B779-8DD42D25754F}\mpengine.dll

2011-07-20 18:52 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-20 18:52 . 2011-07-20 18:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-20 18:52 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-20 15:04 . 2011-06-20 12:57 7074640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2011-07-20 15:04 . 2011-05-24 23:14 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-07-20 15:02 . 2011-07-20 15:02 -------- d-----w- c:\program files\Windows Defender

2011-07-20 13:51 . 2011-07-20 13:51 -------- d-----w- c:\windows\system32\wbem\Repository

2011-07-20 01:59 . 2011-07-20 01:59 -------- d-----w- c:\documents and settings\Kelly\Application Data\Malwarebytes

2011-07-20 01:58 . 2011-07-20 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-07-19 22:41 . 2011-07-19 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-07-19 22:41 . 2011-07-19 22:41 -------- d-----w- c:\documents and settings\Kelly\Application Data\SUPERAntiSpyware.com

2011-07-19 22:40 . 2011-07-19 22:43 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-06-28 03:09 . 2011-06-28 03:09 -------- d-----w- c:\program files\MSECache

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-02 23:45 . 2011-05-17 23:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-06 03:50 . 2011-06-06 03:50 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys

2011-06-02 14:02 . 2004-08-10 17:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-05-02 15:31 . 2004-08-10 18:02 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25 . 2004-08-10 17:51 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19 . 2004-08-10 17:51 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-26 11:07 . 2004-08-10 17:51 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-04-26 11:07 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Works Update Detection"="???\WkDetect.exe" [?]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]

"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-04-16 818288]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WLANSTA.EXE"="WLANSTA.EXE START" [X]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 98304]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]

"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-12-09 86016]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-11-10 598016]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]

"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-02-09 2621440]

"F5D9010"="c:\program files\Belkin\F5D9010\Belkinwcui.exe" [2006-02-14 1531904]

"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Monitor.lnk - c:\program files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2006-8-12 110592]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"54925:UDP"= 54925:UDP:BrotherNetwork Scanner

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 8:13 AM 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 4:03 PM 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 6:41 AM 248656]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/5/2011 12:59 AM 297168]

R1 vcdrom;Virtual CD-ROM Device Driver;c:\vcd\VCdRom.sys [12/19/2001 11:45 AM 8576]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 5:39 PM 7398752]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/20/2011 2:52 PM 366640]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/22/2011 8:21 AM 92592]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/25/2007 10:41 PM 24652]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 9:28 PM 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 7:53 AM 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 7:53 AM 27216]

R3 BKNDIS5;BKNDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\F5D9010\BKNDIS5.SYS [6/5/2011 11:50 PM 15872]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/20/2011 2:52 PM 22712]

R3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys [6/5/2011 11:50 PM 19968]

S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [3/26/2011 9:08 PM 245760]

S3 CW10;Prism PCMCIA Wireless LAN Driver;c:\windows\system32\drivers\cw10.sys [12/9/2005 4:54 PM 36764]

S3 ndcprtns;NDC Network Agent;c:\windows\system32\drivers\ndcprtns.sys [12/9/2005 4:58 PM 9328]

S3 WLAN;Red Inalambrica Local 802.11b WLAN Driver;c:\windows\system32\drivers\WLANNDS.sys [8/29/2002 2:25 AM 593920]

S3 WLANRB;NETGEAR Wireless 802.11b LAN RB Driver;c:\windows\system32\drivers\MA401RB.sys [4/8/2008 8:01 PM 593920]

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

2011-07-24 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

.

------- Supplementary Scan -------

.

uLocal Page = \blank.htm

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://www.google.com/ie

mLocal Page = \blank.htm

mStart Page = hxxp://www.google.com/

mDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Display All Images with Full Quality - c:\program files\Juno\qsacc\appres.dll/228

IE: Display Image with Full Quality - c:\program files\Juno\qsacc\appres.dll/227

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

TCP: DhcpNameServer = 192.168.1.254

DPF: {EF6E7E56-9229-4C73-AAD0-15316405DB95} - hxxp://preview.keager.photosite.com/~site/UploadBox/UploadBox_live.cab

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

HKLM-Run-PRISMSVR.EXE - c:\windows\system32\PRISMSVR.EXE

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-24 18:20

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-4191055344-963464610-1872081465-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

Completion time: 2011-07-24 18:26:19

ComboFix-quarantined-files.txt 2011-07-24 22:25

.

Pre-Run: 3,336,175,616 bytes free

Post-Run: 4,212,645,888 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 06301792641C9BDF5C779A999175AA5D

Link to post
Share on other sites

Hi guys -- I know you're very busy and provide a great service, for free.... but can someone take a look at these last logs and confirm I am virus free now? The laptop is sitting in a corner unused. It does seem to be acting normally.

Thanks for the wonderful help!!

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Hi.

Are you saying there is still malware on my computer? Or did you not see the logs I posted above, after running MBAM and ComboFix???

As I said, since running ComboFix it seems the computer has been cleaned.

Thanks.

Link to post
Share on other sites

  • Staff

Hi,

My apologies for the error. Gave you the wrong instructions. :)

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.