Unable to run MBAM. System hanging


Recommended Posts

Hi - I have a laptop running Vista SP2 32-bit (unable to update the OS yet!).

I have enabled the Admin account & am running everything from this account whilst in safe mode, else the laptop hangs.

I have had problems getting MBAM to run (MBAM_ERROR_EXPANDING_VARIABLES (0,453) & other errors). I managed to run MBAM_CLEAN & then reinstall, which allowed me to run it and find some viruses - then it hangs. Then I ran MBAM, found viruses, aborted, cleaned etc. etc. However, eventually MBAM hangs again & I have to reboot. After the reboot, I am unable to run MBAM without cleaning & reinstalling.

I have run KILL (in its various guises) prior to running MBAM, to no avail.

HJT, DDS & GMER are attached.

I hope someone can help!

Jay..

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by Administrator at 7:53:47 on 2011-08-02

.

============== Running Processes ===============

.

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=PRESARIO&pf=laptop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=PRESARIO&pf=laptop

mURLSearchHooks: H - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-gb.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{232E6076-E6E4-4CE8-85C5-7654E69DA199} : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{8640CB16-A2AA-46FA-921B-B7CDFF0538FB} : DhcpNameServer = 192.168.10.5 8.8.8.8

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

Notify: igfxcui - igfxdev.dll

.

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

2011-08-02 06:31:57 -------- d-----w- c:\users\administrator.tricky-pc\appdata\roaming\Malwarebytes

2011-08-02 06:31:49 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-02 06:31:48 -------- d-----w- c:\programdata\Malwarebytes

2011-08-02 06:31:45 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-02 06:31:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-01 17:59:14 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\Apple Computer

2011-08-01 17:54:01 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\Google

2011-08-01 17:53:28 -------- d-----w- c:\program files\CCleaner

2011-08-01 17:39:39 -------- d-----w- c:\windows\pss

2011-08-01 17:29:05 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\temp

2011-08-01 17:28:27 -------- d-sh--w- C:\$RECYCLE.BIN

2011-08-01 17:18:05 -------- d-----w- C:\Combo-Fix

2011-08-01 17:06:45 -------- d-----w- c:\program files\BHODemon 2

2011-08-01 17:04:08 -------- d--h--w- c:\windows\PIF

2011-08-01 16:56:49 -------- d-----w- C:\ComboFix

2011-08-01 16:24:45 388096 ----a-r- c:\users\administrator.tricky-pc\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-08-01 16:24:43 -------- d-----w- c:\program files\Trend Micro

2011-08-01 16:08:07 -------- d-----w- c:\users\administrator.tricky-pc\appdata\roaming\QuickScan

2011-08-01 15:00:26 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\CrashDumps

2011-08-01 14:49:36 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\Adobe

2011-08-01 14:01:47 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\QuickPlay

2011-08-01 14:01:45 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\ArcSoft

2011-08-01 14:01:23 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\SupportSoft

2011-08-01 14:01:04 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\Trusteer

2011-08-01 13:04:13 208896 ----a-w- c:\windows\MBR.exe

2011-08-01 13:04:12 98816 ----a-w- c:\windows\sed.exe

2011-08-01 13:04:12 518144 ----a-w- c:\windows\SWREG.exe

2011-08-01 13:04:12 256000 ----a-w- c:\windows\PEV.exe

2011-07-28 08:56:44 -------- d-----w- C:\972957a43b2d557e1e2362db6e1eff8d

2011-07-28 08:50:09 -------- d-----w- C:\4bc50e099e0061bdded5c7dd

2011-07-28 08:38:17 -------- d-----w- C:\3c63e7097ed858fe4a36897884

2011-07-23 14:18:43 508416 ----a-w- c:\windows\system32\drivers\bthport.sys

2011-07-23 14:18:43 30208 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS

2011-07-23 14:18:39 2043392 ----a-w- c:\windows\system32\win32k.sys

2011-07-23 14:18:29 49152 ----a-w- c:\windows\system32\csrsrv.dll

2011-07-23 14:18:29 375808 ----a-w- c:\windows\system32\winsrv.dll

.

==================== Find3M ====================

.

2011-06-22 17:01:26 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2011-05-31 10:17:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 7:54:49.36 ===============

Attach.zip


  • Staff

Hello and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Combo Fix log as requested.

Incidentally - I can no longer access my network & if I go into the CP or run anything (like DDS.SCR) I get "illegal operation attempted on a registry key that has been marked for deletion".

I will reboot & see if the issue remains.

ComboFix 11-08-01.02 - Administrator 04/08/2011 16:47:32.1.2 - x86 NETWORK

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.1638 [GMT 1:00]

Running from: c:\users\Administrator.tricky-PC\Desktop\Virus - Jay\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2011-07-04 to 2011-08-04 )))))))))))))))))))))))))))))))

.

.

2011-08-04 15:54 . 2011-08-04 15:54 -------- d-----w- c:\users\tricky\AppData\Local\temp

2011-08-04 15:54 . 2011-08-04 15:54 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-08-03 16:30 . 2011-08-03 16:30 632064 ----a-w- c:\windows\system32\msvcr80.dll

2011-08-03 16:30 . 2011-08-03 16:30 554240 ----a-w- c:\windows\system32\msvcp80.dll

2011-08-03 16:30 . 2011-08-03 16:30 34048 ----a-w- c:\windows\system32\eEmpty.exe

2011-08-03 16:30 . 2011-08-03 16:30 -------- d-----w- c:\program files\Common Files\MicroWorld

2011-08-03 16:30 . 2011-08-03 16:30 -------- d-----w- c:\programdata\MicroWorld

2011-08-02 16:36 . 2011-08-02 16:36 -------- d-----w- c:\programdata\!SASCORE

2011-08-02 16:36 . 2011-08-02 16:37 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-08-02 16:36 . 2011-08-02 16:36 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2011-08-02 16:35 . 2011-08-02 16:35 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-08-02 16:28 . 2011-08-02 16:28 -------- d-----w- c:\programdata\Hitman Pro

2011-08-02 08:06 . 2011-08-02 08:06 -------- d-----w- c:\programdata\Kaspersky Lab

2011-08-02 06:31 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-02 06:31 . 2011-08-02 06:31 -------- d-----w- c:\programdata\Malwarebytes

2011-08-02 06:31 . 2011-08-02 06:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-02 06:31 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-01 17:53 . 2011-08-01 17:53 -------- d-----w- c:\program files\CCleaner

2011-08-01 17:18 . 2011-08-01 17:29 -------- d-----w- C:\Combo-Fix

2011-08-01 17:06 . 2011-08-01 17:08 -------- d-----w- c:\program files\BHODemon 2

2011-08-01 17:04 . 2011-08-01 17:04 -------- d--h--w- c:\windows\PIF

2011-08-01 16:24 . 2011-08-01 16:24 -------- d-----w- c:\program files\Trend Micro

2011-08-01 13:54 . 2011-08-01 13:54 -------- d-----w- c:\users\Administrator

2011-07-30 09:28 . 2011-07-30 09:28 0 ---ha-w- c:\users\tricky\AppData\Local\BIT9EF.tmp

2011-07-28 08:56 . 2011-07-28 08:56 -------- d-----w- C:\972957a43b2d557e1e2362db6e1eff8d

2011-07-28 08:50 . 2011-07-28 08:50 -------- d-----w- C:\4bc50e099e0061bdded5c7dd

2011-07-28 08:38 . 2011-07-28 08:38 -------- d-----w- C:\3c63e7097ed858fe4a36897884

2011-07-26 19:08 . 2011-07-26 19:08 0 ---ha-w- c:\users\tricky\AppData\Local\BIT3E67.tmp

2011-07-26 18:40 . 2011-07-26 18:40 -------- d-----w- c:\users\tricky\AppData\Roaming\Malwarebytes

2011-07-23 14:18 . 2011-04-21 13:55 508416 ----a-w- c:\windows\system32\drivers\bthport.sys

2011-07-23 14:18 . 2009-06-17 13:23 30208 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS

2011-07-23 14:18 . 2011-06-02 13:34 2043392 ----a-w- c:\windows\system32\win32k.sys

2011-07-23 14:18 . 2011-04-20 15:55 375808 ----a-w- c:\windows\system32\winsrv.dll

2011-07-23 14:18 . 2011-04-20 15:50 49152 ----a-w- c:\windows\system32\csrsrv.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-22 17:01 . 2011-06-22 17:01 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2011-05-31 10:17 . 2011-05-31 10:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-17 08:07 . 2011-05-17 08:07 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-07-29 4599680]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]

"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 729088]

"RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 4390912]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-02-16 172032]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-21 133656]

"NapsterShell"="c:\program files\Napster\napster.exe" [2006-09-06 323216]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-21 141848]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-15 178712]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-21 166424]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

PHOTOfunSTUDIO HD Edition.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe [2009-8-2 44176]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

R0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-06-22 53816]

R1 RapportCerberus_26762;RapportCerberus_26762;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\26762\RapportCerberus_26762.sys [2011-06-13 57144]

R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2011-06-22 66360]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2011-06-22 158904]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]

R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-06-22 870200]

R4 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R4 gupdate1ca242fbe5d3210;Google Update Service (gupdate1ca242fbe5d3210);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-23 133104]

R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-23 133104]

R4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [2007-06-07 202280]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]

R4 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-07-19 123264]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - klmd25

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

bthsvcs REG_MULTI_SZ BthServ

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-23 20:24]

.

2011-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-23 20:24]

.

2011-08-02 c:\windows\Tasks\Hitman Pro 3.5 Boot Task.job

- c:\program files\Hitman Pro 3.5\HitmanPro35.exe [2011-08-02 16:03]

.

2011-06-27 c:\windows\Tasks\Norton Security Scan for tricky.job

- c:\progra~1\NORTON~3\Engine\301~1.8\Nss.exe [2011-01-15 20:15]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=PRESARIO&pf=laptop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=PRESARIO&pf=laptop

TCP: DhcpNameServer = 192.168.1.254

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-04 16:54

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2670147850-1205366126-802892886-500\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (Administrator)

"{50BCBFA7-2A6A-41ED-9D96-34D2073A8943}"=hex:51,66,7a,6c,4c,1d,3b,1b,b7,a3,a8,

4e,5d,78,86,0b,89,98,76,92,06,7b,cc,5a

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,3b,1b,a1,de,0c,

3d,52,1b,bf,5b,8f,16,42,d0,26,e4,88,56

"{32004B8A-44A9-43E7-84E9-808838809519}"=hex:51,66,7a,6c,4c,1d,3b,1b,9a,57,14,

2c,9e,16,8c,09,90,e7,c2,c8,39,c1,d0,00

"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"=hex:51,66,7a,6c,4c,1d,3b,1b,8f,82,90,

18,e0,9a,32,07,ac,73,3a,0b,7c,2a,a5,aa

"{6EBF7485-159F-4BFF-A14F-B9E3AAC4465B}"=hex:51,66,7a,6c,4c,1d,3b,1b,95,68,ab,

70,a8,47,94,01,b5,41,fb,a3,ab,85,03,42

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,3b,1b,ab,8b,00,

68,c7,84,47,0c,a2,e5,96,9a,f0,98,68,5a

"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,3b,1b,74,c8,24,

8e,35,1e,d4,00,9a,c2,13,24,77,49,26,df

"{9FDDE16B-836F-4806-AB1F-1455CBEFF289}"=hex:51,66,7a,6c,4c,1d,3b,1b,7b,fd,c9,

81,58,d1,6d,02,bf,11,56,15,ca,ae,b7,90

"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,3b,1b,48,f1,4c,

b4,ea,53,fa,07,97,3d,8d,50,56,35,36,ee

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,3b,1b,54,1c,dc,

c5,72,f6,30,09,a8,7a,de,65,c0,84,cd,b0

.

[HKEY_USERS\S-1-5-21-2670147850-1205366126-802892886-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (Administrator)

"Timestamp"=hex:cc,45,8c,83,64,50,cc,01

.

[HKEY_USERS\S-1-5-21-2670147850-1205366126-802892886-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3b,09,64,2c,19,f9,b6,40,83,1f,a8,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3b,09,64,2c,19,f9,b6,40,83,1f,a8,\

.

[HKEY_LOCAL_MACHINE\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

Completion time: 2011-08-04 16:56:43

ComboFix-quarantined-files.txt 2011-08-04 15:56

ComboFix2.txt 2011-08-01 17:29

.

Pre-Run: 59,815,108,608 bytes free

Post-Run: 60,147,720,192 bytes free

.

- - End Of File - - 7C1E9177D8B3EDDCB3B1613E2D1C3DC9


Ok - after the reboot I could run stuff.

Second DDS:

.

DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK

Internet Explorer: 9.0.8112.16421

Run by Administrator at 17:21:30 on 2011-08-04

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.1640 [GMT 1:00]

.

AV: Norton 360 *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Norton 360 *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\Explorer.EXE

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=PRESARIO&pf=laptop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=PRESARIO&pf=laptop

mURLSearchHooks: H - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [sMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"

mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [NapsterShell] c:\program files\napster\napster.exe /systray

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\photof~1.lnk - c:\program files\panasonic\photofunstudio\PhAutoRun.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-gb.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{232E6076-E6E4-4CE8-85C5-7654E69DA199} : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{8640CB16-A2AA-46FA-921B-B7CDFF0538FB} : DhcpNameServer = 192.168.10.5 8.8.8.8

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-7-19 123264]

S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-6-22 53816]

S1 RapportCerberus_26762;RapportCerberus_26762;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\26762\RapportCerberus_26762.sys [2011-6-13 57144]

S1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-6-22 66360]

S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-6-22 158904]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-6-22 870200]

S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-12-30 39272]

S4 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S4 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-10-20 21504]

S4 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]

S4 gupdate1ca242fbe5d3210;Google Update Service (gupdate1ca242fbe5d3210);c:\program files\google\update\GoogleUpdate.exe [2009-8-23 133104]

S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-8-23 133104]

S4 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]

S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

S4 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-08-04 15:56:44 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\temp

2011-08-04 15:56:05 -------- d-sh--w- C:\$RECYCLE.BIN

2011-08-04 15:45:47 -------- d-----w- C:\ComboFix

2011-08-03 16:30:34 632064 ----a-w- c:\windows\system32\msvcr80.dll

2011-08-03 16:30:33 554240 ----a-w- c:\windows\system32\msvcp80.dll

2011-08-03 16:30:32 34048 ----a-w- c:\windows\system32\eEmpty.exe

2011-08-03 16:30:28 -------- d-----w- c:\program files\common files\MicroWorld

2011-08-03 16:30:22 -------- d-----w- c:\programdata\MicroWorld

2011-08-02 16:37:22 -------- d-----w- c:\users\administrator.tricky-pc\appdata\roaming\SUPERAntiSpyware.com

2011-08-02 16:36:30 -------- d-----w- c:\programdata\!SASCORE

2011-08-02 16:36:27 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2011-08-02 16:36:27 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-08-02 16:35:47 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-08-02 16:28:29 -------- d-----w- c:\programdata\Hitman Pro

2011-08-02 08:06:11 -------- d-----w- c:\programdata\Kaspersky Lab

2011-08-02 06:31:57 -------- d-----w- c:\users\administrator.tricky-pc\appdata\roaming\Malwarebytes

2011-08-02 06:31:49 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-02 06:31:48 -------- d-----w- c:\programdata\Malwarebytes

2011-08-02 06:31:45 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-02 06:31:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-01 17:59:14 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\Apple Computer

2011-08-01 17:54:01 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\Google

2011-08-01 17:53:28 -------- d-----w- c:\program files\CCleaner

2011-08-01 17:39:39 -------- d-----w- c:\windows\pss

2011-08-01 17:18:05 -------- d-----w- C:\Combo-Fix

2011-08-01 17:06:45 -------- d-----w- c:\program files\BHODemon 2

2011-08-01 17:04:08 -------- d--h--w- c:\windows\PIF

2011-08-01 16:24:45 388096 ----a-r- c:\users\administrator.tricky-pc\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-08-01 16:24:43 -------- d-----w- c:\program files\Trend Micro

2011-08-01 16:08:07 -------- d-----w- c:\users\administrator.tricky-pc\appdata\roaming\QuickScan

2011-08-01 15:00:26 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\CrashDumps

2011-08-01 14:49:36 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\Adobe

2011-08-01 14:01:47 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\QuickPlay

2011-08-01 14:01:45 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\ArcSoft

2011-08-01 14:01:23 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\SupportSoft

2011-08-01 14:01:04 -------- d-----w- c:\users\administrator.tricky-pc\appdata\local\Trusteer

2011-08-01 13:04:13 208896 ----a-w- c:\windows\MBR.exe

2011-08-01 13:04:12 98816 ----a-w- c:\windows\sed.exe

2011-08-01 13:04:12 518144 ----a-w- c:\windows\SWREG.exe

2011-08-01 13:04:12 256000 ----a-w- c:\windows\PEV.exe

2011-07-28 08:56:44 -------- d-----w- C:\972957a43b2d557e1e2362db6e1eff8d

2011-07-28 08:50:09 -------- d-----w- C:\4bc50e099e0061bdded5c7dd

2011-07-28 08:38:17 -------- d-----w- C:\3c63e7097ed858fe4a36897884

2011-07-23 14:18:43 508416 ----a-w- c:\windows\system32\drivers\bthport.sys

2011-07-23 14:18:43 30208 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS

2011-07-23 14:18:39 2043392 ----a-w- c:\windows\system32\win32k.sys

2011-07-23 14:18:29 49152 ----a-w- c:\windows\system32\csrsrv.dll

2011-07-23 14:18:29 375808 ----a-w- c:\windows\system32\winsrv.dll

.

==================== Find3M ====================

.

2011-06-22 17:01:26 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2011-05-31 10:17:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 17:22:33.38 ===============

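The DDS logs in this thread (the first post's and the one just above) list the items a helper reads first, one per line: the "AV:/SP:/FW:" security-product status, "BHO:" and "TB:" COM registrations, "uRun:/mRun:" Run-key values, and "R#/S#" services and drivers. The parser below is an added example written for this page, not code from the original posts or from the DDS tool. It pulls those lines apart and applies the checks that are otherwise done by eye: "No File" orphans such as the mURLSearchHooks and TB {7FEBEFE3-...} entries, security products reported "*Disabled*", autoruns whose image sits in a scratch directory or borrows a system binary's name, and boot/system-start drivers living outside system32\drivers. The sample input is constructed: most lines copy the shape of this thread's logs, and the "mRun: [updater]" line is synthetic, added only to exercise the scratch-directory and name-impersonation rules (nothing like it appears in the thread). The hit on the Trusteer Rapport driver is a "review" item, not a verdict; the log itself shows Rapport keeping driver extensions under c:\programdata.

```python
"""Triage of DDS-style log lines.

Added example for this page; not code from the original posts nor from the
DDS/ComboFix tools.  Parses the one-item-per-line entries DDS prints and
flags what a helper checks first.  SAMPLE_LOG is constructed: the
"updater" line is synthetic and does NOT come from the logs in this thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
EXT = r"\.(?:exe|dll|sys|scr|cpl)"
# "BHO: Name: {clsid} - path"  /  "TB: {clsid} - No File"
COM_RE = re.compile(r"^(?P<kind>BHO|TB|SEH): (?:(?P<name>.*?): )?(?P<clsid>" + GUID + r") - (?P<target>.*)$")
# "uRun: [name] command line"  /  "mRun: [name] command line"
RUN_RE = re.compile(r"^(?P<kind>[um]Run): \[(?P<name>[^\]]+)\]\s*(?P<target>.*)$")
# "R2 name;display;path [date size]"  /  "S0 name;display;path [date size]"
SVC_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<target>.+?)(?: \[|$)")
# "AV: Product *Disabled/Outdated* {guid}"
SEC_RE = re.compile(r"^(?P<kind>AV|SP|FW): (?P<name>.*?) \*(?P<status>[^*]+)\*")
# Any other "kind: something - No File" line (e.g. mURLSearchHooks)
NOFILE_RE = re.compile(r"^(?P<kind>\w+): (?P<name>.*) - No File$")
# First image path inside a command line, quoted or not
IMAGE_RE = re.compile(r'^"?(?P<path>[^"]*?' + EXT + r')"?', re.IGNORECASE)

# Names that only belong in %SystemRoot%\system32; anything else using them is impersonation.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe", "smss.exe"}
# User-writable scratch locations that no legitimate autorun should point into.
SCRATCH_DIRS = ("\\temp\\", "\\tmp\\", "\\$recycle.bin\\")

# Constructed sample in the shape of this thread's DDS output (the "updater" line is synthetic).
SAMPLE_LOG = r"""
AV: Norton 360 *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
mURLSearchHooks: H - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [updater] c:\users\tricky\appdata\local\temp\svchost.exe
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-6-22 53816]
S1 RapportCerberus_26762;RapportCerberus_26762;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\26762\RapportCerberus_26762.sys [2011-6-13 57144]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-7-19 123264]
"""


@dataclass
class Entry:
    kind: str          # AV/SP/FW, BHO, TB, SEH, uRun, mRun, service, driver, ...
    name: str
    target: str        # image path or command line as printed; "No File" if orphaned
    detail: str = ""   # status text, CLSID, or service start type


@dataclass
class Finding:
    severity: str      # "high" or "review"
    reason: str
    entry: Entry


def parse_log(text: str) -> List[Entry]:
    """Turn DDS lines into Entry records; lines of other shapes are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := COM_RE.match(line)):
            entries.append(Entry(m["kind"], m["name"] or "", m["target"], m["clsid"]))
        elif (m := RUN_RE.match(line)):
            entries.append(Entry(m["kind"], m["name"], m["target"]))
        elif (m := SVC_RE.match(line)):
            kind = "driver" if m["target"].lower().endswith(".sys") else "service"
            entries.append(Entry(kind, m["name"], m["target"], m["start"]))
        elif (m := SEC_RE.match(line)):
            entries.append(Entry(m["kind"], m["name"], "", m["status"]))
        elif (m := NOFILE_RE.match(line)):
            entries.append(Entry(m["kind"], m["name"], "No File"))
    return entries


def image_path(target: str) -> Optional[str]:
    """Lower-cased image path from a command line, or None if there is none."""
    m = IMAGE_RE.match(target.strip())
    return m["path"].lower() if m else None


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the first-pass checks a helper makes on the DDS sections."""
    findings: List[Finding] = []
    for e in entries:
        if e.target == "No File":
            findings.append(Finding("review", "orphaned registration (No File)", e))
            continue
        if e.kind in ("AV", "SP", "FW") and "Disabled" in e.detail:
            findings.append(Finding("high", f"{e.kind} product reported {e.detail}", e))
            continue
        path = image_path(e.target)
        if path is None:
            continue
        folder, _, base = path.rpartition("\\")
        if base in SYSTEM_NAMES and not folder.endswith("\\windows\\system32"):
            findings.append(Finding("high", f"{base} loaded from outside system32", e))
        if any(s in path for s in SCRATCH_DIRS):
            findings.append(Finding("high", "autorun image in a scratch directory", e))
        if e.kind == "driver" and e.detail in ("0", "1") and not folder.endswith("\\windows\\system32\\drivers"):
            findings.append(Finding("review", "boot/system-start driver outside system32\\drivers", e))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.entry.kind:<8} {f.entry.name or f.entry.detail}: {f.reason}")
```

Run it on a saved DDS.txt by replacing SAMPLE_LOG with the file's contents; entries that match none of the patterns (file listings, DPF lines, the Find3M section) are simply skipped. The rules are deliberately narrow so that ordinary vendor software such as the Google Toolbar BHO or the Rapport boot driver in this thread's logs produce at most a "review" line; a "high" line is where to start, not a conviction.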

  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
