Infected Open Cloud AV? Please help


I am hoping someone can help me. Somehow we got infected with this Open Cloud AV trojan virus. We cannot run Malwarebytes. We can get it started, but it will automatically disappear within a minute. We have tried other programs to get rid of it as well, but the same thing happens. Websites are constantly forwarded to different websites. The Open Cloud AV will keep loading upon startup. We ran ComboFix and still have the same problems. Here is our log:

ComboFix 11-10-03.01 - Hugh 10/03/2011 16:34:22.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.721 [GMT -4:00]

Running from: c:\documents and settings\Hugh\Desktop\ComboFix.exe

AV: Emsisoft Anti-Malware *Enabled/Updated* {0F8591BB-342B-4493-91C3-4E948ED21255}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\$$CIHTTP.TMP

c:\documents and settings\Administrator\Application Data\volmgr.dll

c:\documents and settings\Administrator\Application Data\volmgr.exe

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\Hugh\Application Data\742E.FEE

c:\documents and settings\Hugh\Application Data\dwm.exe

c:\documents and settings\Hugh\Application Data\eaQH6dWK7R9Open Cloud AV.ico

c:\documents and settings\Hugh\Application Data\EH5sWJ7dE8TqYwIOpen Cloud AV.ico

c:\documents and settings\Hugh\Application Data\GvD2onF4pHsJdLgOpen Cloud AV.ico

c:\documents and settings\Hugh\g2mdlhlpx.exe

c:\documents and settings\Hugh\WINDOWS

C:\Thumbs.db

c:\windows\$NtUninstallKB41205$\3547368570\@

c:\windows\$NtUninstallKB41205$\3547368570\bckfg.tmp

c:\windows\$NtUninstallKB41205$\3547368570\cfg.ini

c:\windows\$NtUninstallKB41205$\3547368570\Desktop.ini

c:\windows\$NtUninstallKB41205$\3547368570\keywords

c:\windows\$NtUninstallKB41205$\3547368570\kwrd.dll

c:\windows\$NtUninstallKB41205$\3547368570\L\ooewodno

c:\windows\$NtUninstallKB41205$\3547368570\lsflt7.ver

c:\windows\$NtUninstallKB41205$\3547368570\U\00000001.@

c:\windows\$NtUninstallKB41205$\3547368570\U\00000002.@

c:\windows\$NtUninstallKB41205$\3547368570\U\80000000.@

c:\windows\$NtUninstallKB41205$\3547368570\U\80000032.@

c:\windows\$NtUninstallKB41205$\607508176

c:\windows\Downloaded Program Files\ODCTOOLS

c:\windows\iun6002.exe

c:\windows\system32\_000006_.tmp.dll

c:\windows\system32\blascalc.dll

c:\windows\system32\comct332.ocx

c:\windows\system32\d3d9caps.dat

c:\windows\system32\Thumbs.db

c:\windows\WindowsXP-KB822603-x86.exe

c:\windows\$NtUninstallKB41205$ . . . . Failed to delete

.

c:\windows\system32\Version.dll . . . is infected!!

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_d3708c7a

.

.

((((((((((((((((((((((((( Files Created from 2011-09-03 to 2011-10-03 )))))))))))))))))))))))))))))))

.

.

2011-10-03 20:52 . 2011-10-03 20:52 -------- d-----w- c:\documents and settings\Hugh\Application Data\eP0ucS2ib3n5Q6W

2011-10-03 20:19 . 2011-10-03 20:19 -------- d-----w- c:\documents and settings\Hugh\Application Data\l9hTXqjUClBzNc1

2011-10-03 20:19 . 2011-10-03 20:19 -------- d-----w- c:\documents and settings\Hugh\Application Data\GvD2onF4pHsJdLg

2011-10-03 17:46 . 2011-10-03 20:18 -------- d-----w- c:\program files\Emsisoft Anti-Malware

2011-10-03 17:07 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-03 17:07 . 2011-10-03 18:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-03 16:52 . 2011-10-03 16:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2011-10-03 16:00 . 2011-10-03 16:00 -------- d-----w- c:\documents and settings\Hugh\Application Data\slOBtxP0uSiDpG

2011-10-03 16:00 . 2011-10-03 16:00 -------- d-----w- c:\documents and settings\Hugh\Application Data\eaQH6dWK7R9

2011-10-03 15:17 . 2011-10-03 15:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2011-10-03 14:49 . 2011-10-03 14:49 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2011-10-03 14:43 . 2011-10-03 17:13 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-10-03 13:58 . 2011-10-03 13:58 -------- d-----w- c:\documents and settings\Hugh\Application Data\VNycA1uvDoFp

2011-10-03 13:58 . 2011-10-03 13:58 -------- d-----w- c:\documents and settings\Hugh\Application Data\EH5sWJ7dE8TqYwI

2011-10-03 13:41 . 2011-10-03 13:41 -------- d-----w- c:\documents and settings\Hugh\Application Data\LOBtzP0yc1v3n4

2011-10-03 13:41 . 2011-10-03 13:41 -------- d-----w- c:\documents and settings\Hugh\Application Data\BqjYCekIBzNx1v2

2011-10-03 13:41 . 2011-10-03 13:41 2412032 ----a-w- c:\windows\system32\UjYCwkIVrOtAuS.exe

2011-10-03 13:41 . 2011-10-03 13:41 -------- d-----w- c:\documents and settings\Hugh\Application Data\p2onF4amHsJfLgZ

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-09 09:12 . 2008-04-13 23:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-07-15 13:29 . 2008-04-13 23:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2008-04-13 23:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-08-03 1626112]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"vibF3pmG5Q8234A"="c:\windows\system32\UjYCwkIVrOtAuS.exe" [2011-10-03 2412032]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-13 53760]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

MyWebSearch Email Plugin.lnk - c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE [N/A]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

OKI LPR Utility.lnk - c:\program files\Okidata\OKI LPR Utility\okilpr.exe [2007-11-27 151552]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk

backup=c:\windows\pss\APC UPS Status.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk

backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk

backup=c:\windows\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]

2005-10-03 15:23 20480 ------w- c:\windows\CameraFixer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Conime]

2008-04-13 23:00 27648 ----a-w- c:\windows\system32\conime.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-13 23:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]

2009-08-03 14:33 1626112 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2006-09-26 00:52 50736 ----a-w- c:\program files\Common Files\AOL\1182532319\ee\aolsoftware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2006-03-24 00:13 77824 ----a-w- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

2006-01-06 19:07 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]

2006-01-06 19:07 348160 ----a-w- c:\windows\system32\hphmon04.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]

2008-08-20 14:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2006-03-24 00:17 94208 ----a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]

2000-11-10 16:58 36864 ----a-w- c:\windows\system32\spool\drivers\w32x86\2\printray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]

2003-03-11 21:24 86016 -c--a-w- c:\program files\Intel\NCS\PROSet\PRONoMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-02-16 14:54 282624 -c--a-w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]

2005-08-17 01:54 339968 ----a-w- c:\windows\vsnp2std.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-06-10 08:27 144784 -c--a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]

2005-11-03 14:12 106496 ----a-w- c:\windows\tsnp2std.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPodService"=3 (0x3)

"AOL TopSpeedMonitor"=2 (0x2)

"Messenger"=2 (0x2)

"gupdate"=2 (0x2)

"ERSvc"=2 (0x2)

"Bonjour Service"=2 (0x2)

"APC UPS Service"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\automan\\Automan.exe"=

"c:\\Program Files\\Common Files\\AOL\\1182532319\\ee\\aolsoftware.exe"=

"c:\\Program Files\\CoffeeCup Software\\Coffee.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=

"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

"9322:TCP"= 9322:TCP:EKDiscovery

.

R1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [10/3/2011 1:46 PM 41928]

R1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [10/3/2011 1:46 PM 11776]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]

R2 a2AntiMalware;Emsisoft Anti-Malware 5.1 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [10/3/2011 1:46 PM 3045688]

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/8/2005 7:46 PM 61440]

R3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [10/3/2011 1:46 PM 73728]

S0 cerc6;cerc6; [x]

S0 hhtobb;hhtobb;c:\windows\system32\drivers\wihh.sys --> c:\windows\system32\drivers\wihh.sys [?]

S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [8/5/2009 1:49 PM 284016]

S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/13/2009 11:43 AM 135664]

S4 H3sssevepo;H3sssevepo; [x]

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-03 c:\windows\Tasks\User_Feed_Synchronization-{D9E7BF5A-77FE-4C97-8D9F-680771C09B27}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.sirius.com/

uInternet Settings,ProxyServer = http=127.0.0.1:62848

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

Trusted Zone: microsoft.com\v4.windowsupdate

TCP: Interfaces\{DE848FCE-89FA-42D8-ACFA-7C9869142FBD}: NameServer = 167.206.112.3,167.206.112.4

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {CA6F0A67-18BB-4E39-BB8A-A1E04D6AACDF} - hxxp://www.superadblocker.com/activex/sabminf.cab

FF - ProfilePath - c:\documents and settings\Hugh\Application Data\Mozilla\Firefox\Profiles\vsu03x9z.default\

FF - prefs.js: browser.startup.homepage - www.sirius.com

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 62848

FF - prefs.js: network.proxy.type - 1

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-volmgr - c:\documents and settings\Administrator\Application Data\volmgr.exe

MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe

MSConfigStartUp-cafw - c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe

MSConfigStartUp-capfasem - c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

MSConfigStartUp-capfupgrade - c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe

MSConfigStartUp-CAVRID - c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

MSConfigStartUp-cctray - c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe

MSConfigStartUp-CitiVAN - c:\program files\Citi Virtual Account Numbers\CitiVAN.exe

MSConfigStartUp-dvHighMem - c:\windows\cfgmng32.exe

MSConfigStartUp-Gateway Ink Monitor - c:\program files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe

MSConfigStartUp-HPHUPD04 - c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe

MSConfigStartUp-mmtask - c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe

MSConfigStartUp-MMTray - c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

MSConfigStartUp-QOELOADER - c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe

MSConfigStartUp-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe

MSConfigStartUp-SAV - c:\documents and settings\All Users\Application Data\071e6bf\LivePCGuard.exe

MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

MSConfigStartUp-Windows Defender - c:\program files\Windows Defender\MSASCui.exe

AddRemove-FireTune1.0.4 for Firefox v1.x - c:\windows\iun6002.exe

AddRemove-SmartFTP Client 2.0 Setup Files - c:\program files\SmartFTP Client 2.0 Setup Files\uninst-sftp.exe

AddRemove-VV_Outloud_50_En_US - c:\program files\ViaVoice TTS\vvol50En_US.isu

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-03 16:52

Windows 5.1.2600 Service Pack 3 NTFS

.

detected NTDLL code modification:

ZwOpenFile

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

@=""

"Installed"="1"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

@=""

"Installed"="1"

"NoChange"="1"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

@=""

"Installed"="1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(664)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\cscui.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Common Files\AOL\ACS\AOLAcsd.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\wscntfy.exe

c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE

.

**************************************************************************

.

Completion time: 2011-10-03 16:57:12 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-03 20:57

.

Pre-Run: 61,303,930,880 bytes free

Post-Run: 61,864,071,168 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

.

- - End Of File - - E8566F6D7DA80023A79941072D7BD82E

Can anyone please help!!!

Thank you.

Gary


Hello, and Welcome to Malwarebytes

If you think you are infected, here are the steps needed to get your computer cleaned....

Please read the following so that you can begin the cleaning process:

You have 3 Options that you can choose from as listed below:

  • Option 1 —— Free Expert advice in the Malware Removal Forum
  • Option 2 —— Paying customer -- Contact Support via email
  • Option 3 —— Premium, Fee-Based Support

OPTION 1

As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the Malware Removal forum so a qualified helper can help you fix any malware related problems/infections you may have.

  • Please read and follow the , skipping any steps you are unable to complete. Then post a .

  • After posting your new post, make sure under options, you select Track this topic and choose Immediate Email Notification, so that you're alerted when someone has replied to your post.

  • One of the there will give you one-on-one assistance when one becomes available.

  • Please refrain from making any further changes to your computer such as (Install/Uninstall programs, use special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.

NOTE: Please DO NOT post back to (bump) your topic within the first 48 hours.

Replying to your own posts changes the post count and helpers are looking for topics with zero replies. If you reply to your own post helpers may think that you're already being helped and thus overlook your post.

  • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.

  • Or you may send a Private Message to a Moderator asking for assistance.

IMPORTANT: Please do NOT make any further changes to your computer such as (Install/Uninstall programs; use special fix tools; delete files; edit the registry; OR use temp file cleaners, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.

OPTION 2

Alternatively, as a paying customer, you can contact the help desk at or .

OPTION 3

If you would like to use our Malwarebytes Premium Services, comprehensive solutions to all your computer support needs—from installation and set-up to troubleshooting and tune-ups, go to our support site.

Please be patient, someone will assist you as soon as it is possible.

PS: Please use the "ADDREPLY" button instead of other ones when you start replying. :)


This topic is now closed to further replies.