Bot infection, multiple viruses


Re: Bot infection, multiple viruses

Unread postby ihisatsu » August 25th, 2010, 3:41 pm

Received the following error message:

Warning!

Error saving file C:\Combofix\HIV\users\00000005\sst-ea~1.tmp!
Continue with the next file? [RegCreateKeyEx:87 - the parameter is incorrect]

Please advise.
ihisatsu
Regular Member
 
Posts: 44
Joined: July 27th, 2010, 8:48 pm
Location: cedar city, ut

Re: Bot infection, multiple viruses

Unread postby jmw3 » August 25th, 2010, 9:05 pm

At what point did you receive that message?
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Bot infection, multiple viruses

Unread postby ihisatsu » August 25th, 2010, 9:33 pm

The blue message window behind the error message states that the log is being generated and will be located in C:\Combofix.txt

This is after the scan and reboot, I believe. I haven't clicked anything, so the error message is still up.

Re: Bot infection, multiple viruses

Unread postby jmw3 » August 25th, 2010, 9:59 pm

OK, thanks.
Please bear with me. I've not seen that particular message before, so I'm endeavoring to get more information.

Re: Bot infection, multiple viruses

Unread postby jmw3 » August 26th, 2010, 1:15 am

Hi

Click through the message & allow ComboFix to continue.

Re: Bot infection, multiple viruses

Unread postby ihisatsu » August 26th, 2010, 9:35 am

ComboFix 10-08-24.0A - Adam 08/25/2010 0:44.6.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1087 [GMT -6:00]
Running from: c:\users\Adam\Desktop\ComboFix.exe
Command switches used :: c:\users\Adam\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Some 3rd party browsers were infected and had to be removed. Do not be alarmed.


c:\program files\mozilla Firefox\firefox.exe

Infected copy of c:\windows\system32\wininit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\wininit.exe

Infected copy of c:\program files\internet explorer\iexplore.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23040_none_12a958f24909fe6f\iexplore.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_tduasqbp


((((((((((((((((((((((((( Files Created from 2010-07-25 to 2010-08-25 )))))))))))))))))))))))))))))))
.

2010-08-25 07:02 . 2010-08-25 13:34 -------- d-----w- c:\users\Adam\AppData\Local\temp
2010-08-25 07:02 . 2010-08-25 07:02 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-25 07:02 . 2010-08-25 07:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-24 03:59 . 2008-01-21 02:23 96768 ----a-w- c:\windows\system32\wininit.exe
2010-08-24 01:51 . 2008-01-21 02:23 96768 ----a-w- C:\wininit.exe
2010-08-23 09:06 . 2010-08-23 09:06 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-22 17:12 . 2010-06-11 16:16 274944 ----a-w- c:\windows\system32\schannel.dll
2010-08-22 17:12 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-22 17:12 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-22 17:12 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-08-22 17:11 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-22 17:11 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-08-22 17:10 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-08-22 17:09 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-08-22 17:09 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-22 17:09 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-15 19:24 . 2010-08-15 19:24 -------- d-----w- C:\rsit
2010-07-31 21:55 . 2006-11-02 09:39 15821312 ----a-w- c:\windows\system32\imageres.dll
2010-07-31 21:49 . 2010-07-31 21:49 -------- dc----w- c:\programdata\{CFA6F4AE-B6D4-4F71-BBA4-ACFE805E7214}
2010-07-30 03:12 . 2010-07-30 03:20 -------- d-----w- C:\AdobeTemp
2010-07-29 18:17 . 2010-07-29 18:17 -------- d-----w- c:\users\Adam\AppData\Local\VS Revo Group
2010-07-29 18:17 . 2009-12-30 18:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-07-29 18:17 . 2010-07-29 18:17 -------- d-----w- c:\program files\VS Revo Group
2010-07-28 23:50 . 2010-07-28 23:50 -------- d-----w- c:\program files\Sophos
2010-07-28 00:21 . 2010-07-28 00:21 -------- d-----w- c:\users\Adam\AppData\Local\Mozilla
2010-07-27 19:36 . 2010-07-28 23:39 -------- d-----w- C:\TDSSKiller_Quarantine
2010-07-27 19:05 . 2008-03-02 09:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-07-27 19:03 . 2010-07-27 19:04 -------- d-----w- c:\program files\Trend Micro
2010-07-27 05:08 . 2010-07-27 05:08 -------- d-----w- c:\users\Adam\AppData\Roaming\Malwarebytes
2010-07-27 05:08 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-27 05:08 . 2010-07-27 05:08 -------- d-----w- c:\programdata\Malwarebytes
2010-07-27 05:08 . 2010-07-27 05:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-27 05:08 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 13:33 . 2010-05-30 16:47 34805 ----a-w- c:\programdata\nvModes.dat
2010-08-25 03:42 . 2010-07-25 17:35 -------- d-----w- c:\programdata\webroot
2010-08-23 09:28 . 2008-03-20 07:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-23 09:09 . 2008-03-20 07:26 -------- d-----w- c:\program files\Microsoft Works
2010-08-23 09:00 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-22 17:13 . 2010-08-22 17:13 -------- d-----w- c:\program files\VirusTotalUploader2
2010-08-22 16:51 . 2008-11-28 01:43 113368 ----a-w- c:\users\Adam\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-20 20:48 . 2008-12-12 03:50 -------- d-----w- c:\programdata\BVRP Software
2010-08-17 04:18 . 2009-01-05 01:05 -------- d-----w- c:\users\Adam\AppData\Roaming\Skype
2010-08-17 04:17 . 2009-01-05 01:06 -------- d-----w- c:\users\Adam\AppData\Roaming\skypePM
2010-08-13 00:37 . 2009-10-03 20:41 -------- d-----w- c:\program files\Microsoft
2010-08-12 23:17 . 2008-12-08 22:37 -------- d-----w- c:\programdata\Microsoft Help
2010-08-12 23:17 . 2008-12-09 03:30 -------- d-----w- c:\program files\Microsoft.NET
2010-08-12 23:16 . 2006-11-02 12:37 -------- d-----w- c:\program files\MSBuild
2010-08-10 02:09 . 2010-04-11 22:20 -------- d--h--w- c:\programdata\{358E2726-5129-4614-9175-3CAA96153DFA}
2010-08-10 02:09 . 2010-03-29 03:51 -------- d-----w- c:\program files\Common Files\Stardock
2010-07-31 21:50 . 2010-03-29 03:38 -------- d-----w- c:\program files\Stardock
2010-07-30 03:36 . 2008-11-29 21:21 -------- d-----w- c:\program files\EA GAMES
2010-07-30 03:17 . 2008-03-20 07:23 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-29 00:05 . 2009-01-04 21:24 -------- d-----w- c:\program files\MagicDisc
2010-07-28 23:59 . 2008-12-11 16:55 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-07-28 23:48 . 2009-02-24 07:20 -------- d-----w- c:\program files\Rising Research
2010-07-28 23:48 . 2009-07-16 00:37 -------- d-----w- c:\program files\Audiosurf
2010-07-28 01:40 . 2010-07-06 03:34 -------- d-----w- c:\program files\The Wonderful End of the World
2010-07-28 01:39 . 2009-02-22 02:20 -------- d-----w- c:\users\Adam\AppData\Roaming\Red Kawa
2010-07-28 01:38 . 2008-12-07 22:06 -------- d-----w- c:\program files\Xilisoft
2010-07-27 07:30 . 2010-07-22 18:00 -------- d-----w- c:\programdata\Update
2010-07-27 04:05 . 2008-12-07 03:55 -------- d-----w- c:\program files\Thoosje Vista Tweaker
2010-07-27 04:04 . 2009-01-16 02:14 -------- d-----w- c:\program files\NCH Swift Sound
2010-07-27 04:03 . 2009-06-23 01:42 -------- d-----w- c:\program files\MobMapUpdater
2010-07-27 04:03 . 2009-06-27 22:47 -------- d-----w- c:\program files\Graboid
2010-07-27 03:45 . 2008-01-21 02:23 34360 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-07-27 01:20 . 2009-01-16 02:19 -------- d-----w- c:\programdata\NCH Swift Sound
2010-07-27 01:20 . 2009-01-16 02:19 -------- d-----w- c:\users\Adam\AppData\Roaming\NCH Swift Sound
2010-07-26 18:40 . 2008-11-28 02:08 2708 ----a-w- c:\users\Adam\AppData\Local\d3d9caps.dat
2010-07-25 17:49 . 2009-02-08 22:23 -------- d-----w- c:\program files\Webroot
2010-07-25 17:36 . 2010-07-25 17:36 -------- dc-h--w- c:\programdata\{9A82E8DE-6B96-49B5-BA94-0EF3E3DE16D3}
2010-07-25 17:17 . 2008-11-28 02:38 -------- d-----w- c:\programdata\Google Updater
2010-07-22 03:30 . 2008-11-28 02:38 -------- d-----w- c:\program files\Google
2010-07-12 05:58 . 2008-03-20 07:34 -------- d-----w- c:\programdata\WildTangent
2010-07-12 04:39 . 2008-11-28 07:42 -------- d-----w- c:\program files\WildGames
2010-07-11 01:11 . 2008-12-10 06:24 -------- d-----w- c:\program files\THQ
2010-07-11 01:08 . 2009-01-21 06:18 -------- d-----w- c:\users\Adam\AppData\Roaming\RiffTrax
2010-07-08 05:47 . 2010-07-08 05:47 -------- d-----w- c:\programdata\The Game Equation
2010-07-02 17:23 . 2008-11-28 07:06 -------- d-----w- c:\program files\iTunes
2010-07-02 17:21 . 2010-07-02 17:21 -------- d-----w- c:\program files\iPod
2010-07-02 17:21 . 2008-11-28 07:01 -------- d-----w- c:\program files\Common Files\Apple
2010-07-02 17:07 . 2010-07-02 17:07 -------- d-----w- c:\program files\Bonjour
2010-06-26 06:05 . 2010-08-22 17:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-22 17:13 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 06:02 . 2010-08-22 17:13 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 04:25 . 2010-08-22 17:13 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-17 20:49 . 2010-07-25 17:45 45072 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2010-06-17 20:49 . 2009-11-06 19:00 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2010-06-17 20:49 . 2009-11-06 19:00 182056 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2010-06-08 00:44 . 2010-06-08 00:44 92 ----a-w- c:\users\Adam\AppData\Local\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-24 39408]
"Google Update"="c:\users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-01-24 133104]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"RunSpySweeperScheduleAtStartup"="c:\windows\system32\msfeedssync.exe" [2010-06-26 13312]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-07-31 1626112]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"MyGarminAgent"="c:\program files\Garmin\MyGarminAgent.exe" [2009-06-17 331776]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-04-07 132760]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-23 30192]
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2010-08-25 1266336]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13683816]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"MRT"="c:\windows\system32\MRT.exe" [2010-08-03 35962312]

c:\users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Impulse Now.lnk - c:\program files\Stardock\Impulse\Now\ImpulseNow.exe [2010-3-17 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984D045-52CF-49cd-DB77-08F378FEA4DB}"= "c:\program files\Stardock\ObjectDockPlus2\ODMenu.dll" [2010-03-24 511344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GO333C~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\F:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):e7,fc,7b,ce,88,34,ca,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 133104]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-23 30192]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\EDA5.tmp [x]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-22 18688]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-22 8320]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-10-11 42112]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-19 23680]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
R3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-11-30 685816]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\printer\center\KodakSvc.exe [2008-02-29 18944]
S2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [2008-11-06 582992]
S2 ssfmonm;ssfmonm;c:\windows\system32\DRIVERS\ssfmonm.sys [2010-06-17 45072]
S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [2010-08-25 3035616]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-08-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-24 13:57]

2010-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 02:38]

2010-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 02:38]

2010-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1685170627-3577132848-81057928-1000Core.job
- c:\users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-24 18:13]

2010-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1685170627-3577132848-81057928-1000UA.job
- c:\users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-24 18:13]

2010-08-21 c:\windows\Tasks\HPCeeScheduleForAdam.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-03-20 19:10]

2010-08-25 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\Printer\Center\Kodak.Statistics.exe [2008-02-29 00:57]

2010-08-25 c:\windows\Tasks\User_Feed_Synchronization-{BF955419-3C2E-4DC3-86C2-CE8E1953218C}.job
- c:\windows\system32\msfeedssync.exe [2010-08-22 04:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: {51528C4F-16C1-4022-82DB-286A6F480975} = 205.171.3.65,205.171.2.65
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9 ... ontrol.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-25 07:33
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\EDA5.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2820)
c:\windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
c:\program files\Stardock\ObjectDockPlus2\ODMenu.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Stardock\MyColors\VistaSrv.exe
c:\program files\Stardock\MyColors\WBVista.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
c:\program files\Webroot\Security\current\plugins\antimalware\AEI.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-08-26 00:25:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-26 06:25
ComboFix2.txt 2010-08-25 01:03
ComboFix3.txt 2010-08-24 03:50
ComboFix4.txt 2010-08-19 03:20

Pre-Run: 91,037,478,912 bytes free
Post-Run: 85,220,392,960 bytes free

- - End Of File - - 93FE3CDCA322E93512D3A53FE0EE5217

Re: Bot infection, multiple viruses

Unread postby ihisatsu » August 26th, 2010, 9:37 am

Submitted the above log via the infected computer; the internet connection did not stutter and the connection seemed fast and clean, hopes are high :)

next?

Re: Bot infection, multiple viruses

Unread postby jmw3 » August 26th, 2010, 5:17 pm

Good stuff

Regarding Firefox. As you can see the Firefox.exe file was deleted due to being infected. You will probably have to completely uninstall Firefox then re-install it.

Now that your internet connection appears stable, let's try the Kaspersky Online scan again:

Remove Programs
Click Start > Control Panel > Programs and Features
Remove these programs by clicking Uninstall

Java(TM) 6 Update 18
Java(TM) SE Runtime Environment 6
Java(TM) SE Runtime Environment 6 Update 1


If some programs listed are not present, please do not panic
These outdated versions of Java are open to exploitation.

Kaspersky Online Scan
Right click on your favourite web browser (Internet Explorer, Firefox, etc) and select Run As Administrator to run it
Go to Kaspersky website and perform an online antivirus scan
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply
Pictured tutorial if required.
This scan will take quite some time to update & scan, so be patient with it.

Re: Bot infection, multiple viruses

Unread postby ihisatsu » August 26th, 2010, 10:30 pm

Kaspersky website:

"The current Kaspersky Online Scanner is unavailable - we apologize for the inconvenience. While you are waiting for the improved Online Scanner, why not take a free trial of Kaspersky Internet Security 2011, which has everything you need to keep your computer safe."

Re: Bot infection, multiple viruses

Unread postby ihisatsu » August 26th, 2010, 10:36 pm

Followed your link to the scanner, it's telling something about Java. I'll get you the message shortly

Re: Bot infection, multiple viruses

Unread postby ihisatsu » August 26th, 2010, 10:39 pm

I enabled the Java add-on that Kaspersky required, but am getting a digital signature error, specifically:
"The digital signature was generated with a trusted certificate but has expired"

Re: Bot infection, multiple viruses

Unread postby jmw3 » August 26th, 2010, 10:40 pm

Hi

Leave the Kaspersky scan & try this one:
ESET Online Scanner
Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Re: Bot infection, multiple viruses

Unread postby ihisatsu » August 26th, 2010, 10:47 pm

Will run now. Also, there is a Java update 21 available, do I need to upgrade?

Re: Bot infection, multiple viruses

Unread postby jmw3 » August 26th, 2010, 11:08 pm

Hi

You can do so if you wish. Always pays to keep things updated. Though I don't believe there are any security issues with the version you have (Java(TM) 6 Update 20).

Re: Bot infection, multiple viruses

Unread postby ihisatsu » August 27th, 2010, 9:38 am

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=33107e4ea6c2484385dd8e9e8390967d
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-08-27 05:55:50
# local_time=2010-08-26 11:55:50 (-0700, Mountain Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 2533684 2533684 0 0
# compatibility_mode=768 16777215 100 0 53600919 53600919 0 0
# compatibility_mode=5892 16776574 100 100 0 119485111 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=248030
# found=9
# cleaned=0
# scan_time=10966
C:\Program Files\Stardock\ObjectDockPlus2\CrashRptHelp.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\[4]-Submit_2010-08-24_12.04.12.zip a variant of Win32/Bubnix.AW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\iexplore.exe.vir Win32/Bamital.DX trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\firefox.exe.vir Win32/Bamital.DX trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\System32\drivers\_jcbggfvh_.sys.zip a variant of Win32/Bubnix.AW trojan 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\27.07.2010_13.34.54\susp0000\svc0000\tsk0000.dta a variant of Win32/Bubnix.AW trojan 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\27.07.2010_13.34.54\susp0001\svc0000\tsk0000.dta a variant of Win32/Bubnix.AW trojan 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\28.07.2010_17.38.50\susp0000\svc0000\tsk0000.dta a variant of Win32/Bubnix.AW trojan 00000000000000000000000000000000 I
C:\Windows\System32\wininit.old Win32/Bamital.DX trojan 00000000000000000000000000000000 I
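As an added example (not code from this thread or from ESET), a small Python triage script for the ESET Online Scanner log format posted above: it parses the `# key=value` header and the one-finding-per-line body, checks that the reported `found` count matches the lines parsed, and separates hits that sit inside other tools' quarantine folders (ComboFix's Qoobox and TDSSKiller's quarantine, as seen in this thread) from files still live on disk. The sample log is a constructed, trimmed copy of the posted one, and the quarantine folder list is an assumption specific to this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample in the same shape as the ESET Online Scanner log posted
# above: '#' header lines, then one finding per line (path, detection name,
# a 32-hex field that is all zeros in this log, and a status flag).
SAMPLE_LOG = """\
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# remove_checked=false
# scanned=248030
# found=4
# cleaned=0
C:\\Program Files\\Stardock\\ObjectDockPlus2\\CrashRptHelp.dll probably a variant of Win32/Genetik trojan 00000000000000000000000000000000 I
C:\\Qoobox\\Quarantine\\C\\Program Files\\Mozilla Firefox\\firefox.exe.vir Win32/Bamital.DX trojan 00000000000000000000000000000000 I
C:\\TDSSKiller_Quarantine\\27.07.2010_13.34.54\\susp0000\\svc0000\\tsk0000.dta a variant of Win32/Bubnix.AW trojan 00000000000000000000000000000000 I
C:\\Windows\\System32\\wininit.old Win32/Bamital.DX trojan 00000000000000000000000000000000 I
"""

# Assumed folders where other cleanup tools keep already-neutralised copies
# (ComboFix's Qoobox and TDSSKiller's quarantine are the ones in this thread).
QUARANTINE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",
    "c:\\tdsskiller_quarantine\\",
)

# Windows paths carry no '/', so the first token containing '/' starts the
# detection name; the 32-hex field and the flag anchor the end of the line.
FINDING_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+ \S+) "
    r"(?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)


@dataclass
class Finding:
    path: str
    detection: str
    flag: str

    @property
    def heuristic(self) -> bool:
        # ESET prefixes heuristic (non-signature) hits with "probably a variant of".
        return self.detection.startswith("probably a variant of")

    @property
    def quarantined(self) -> bool:
        return self.path.lower().startswith(QUARANTINE_PREFIXES)


def parse_eset_log(text: str):
    """Split the log into its '# key=value' header and the list of findings."""
    header, findings = {}, []
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(m["path"], m["detection"], m["flag"]))
    return header, findings


def header_matches_findings(header, findings) -> bool:
    """The '# found=N' count should equal the number of finding lines parsed."""
    return int(header.get("found", "0")) == len(findings)


def triage(findings):
    """Separate hits in other tools' quarantine folders from files still live on disk.

    Live heuristic hits are listed separately: they deserve confirmation
    (e.g. a second opinion) before anything is deleted.
    """
    report = {"quarantined": [], "live": [], "heuristic": []}
    for f in findings:
        report["quarantined" if f.quarantined else "live"].append(f.path)
        if f.heuristic and not f.quarantined:
            report["heuristic"].append(f.path)
    return report


if __name__ == "__main__":
    hdr, hits = parse_eset_log(SAMPLE_LOG)
    print("header consistent:", header_matches_findings(hdr, hits))
    for bucket, paths in triage(hits).items():
        print(bucket, paths)
```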
