SpyBot, Malwarebytes Anti-Malware Won't Run
Posted: Tue 21 Se


Post by stevew1 » September 22nd, 2010, 12:21 am

I recently visited the pearldrummersforum website and noticed a warning indicating "This website may be harmful to your computer", but I went ahead to the site anyway. After this I noticed that my computer ran slower and things took longer to open in my browser window. I attempted to run various programs that I typically use to detect and remove spyware, including SpyBot Search and Destroy, Malwarebytes' Anti-Malware, Norton Antivirus and others. When I tried to run SpyBot and Anti-Malware, they would not run. The hour glass popped up for a second and then disappeared. After some Google searching, I found suggestions to rename the executables and try again. This worked in both cases. I let both programs run and they both found several things, but after allowing them to remove what they found I still could not run either program using the original name. I uninstalled and reinstalled a few times. I've also run Norton Anti-Virus, which found nothing, and did a scan using Panda Security ActiveScan, which still reports problems. I thought I would try asking for help before re-imaging my machine.

I've included my HJT log and uninstall list below.
Thanks very much,
Steve
--------------
HJT Log
--------------
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:39:09 AM, on 9/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\apcupsd\bin\apcupsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\apps\altera\quartus\bin\jtagserver.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Perforce\p4webs.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Freecorder\FLVSrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\timingtool\jre\bin\jusched.exe
C:\Garmin\gStart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Software by Design\Calendar.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC10.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG10.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.100:800
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.home;*.mot.com;access.motorola.com;<local>
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\timingtool\jre\bin\ssv.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Freecorder FLV Service] "C:\Program Files\Freecorder\FLVSrvc.exe" /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\program files\timingtool\jre\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Calendar 2000.lnk = C:\Program Files\Software by Design\Calendar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\program files\timingtool\jre\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\program files\timingtool\jre\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.6. ... ontrol.CAB
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.5.0.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6745043500
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://access.motorola.com/dana-cached ... Client.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.3.4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBC3A205-0D50-4449-8BC6-5779F613D329}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{E377E9AB-350A-4263-BB02-D574234B3809}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA875E54-D03F-498A-9148-EB236DDAA674}: Domain = wiz.home
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA875E54-D03F-498A-9148-EB236DDAA674}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = wiz.home,ftw.mot.com,sps.mot.com,corp.mot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wiz.home,ftw.mot.com,sps.mot.com,corp.mot.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: nwbeco.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apcupsd UPS Monitor (Apcupsd) - Unknown owner - C:\Program Files\apcupsd\bin\apcupsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Motorola MVP\Extranet_serv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\apps\altera\quartus\bin\jtagserver.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Perforce Web - Unknown owner - C:\Program Files\Perforce\p4webs.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 11921 bytes

--------------
uninstall list
--------------
"Minimal SYStem 1.0.10"
68HC11/12
7-Zip 4.57
ABBYY FineReader OCR Engine for Microtek
AC3Filter (remove only)
Acrobat.com
Acrobat.com
Ad-Aware
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 3.0
Adobe Premiere Elements 1.0
Adobe Reader 8.1.3
AFPL Ghostscript 8.54
AFPL Ghostscript Fonts
Amazon MP3 Downloader 1.0.10
AnalogX TapTempo
AnswerWorks 5.0 English Runtime
Any Video Converter 3.0.7
Apcupsd
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Applian Director
Aptana Studio 2.0
ArcGIS Explorer
Audacity 1.2.6
Autodesk Design Review 2011
AVR-ISP v5.0.0
AVRStudio4
AVS Audio Editor version 4.2
AVS4YOU Software Navigator 1.3
Bible Mapper 4
Calendar 2000
Canon iP4200
CD-DA X-Tractor v0.20
Chief 60 Demo
Chief Architect 6.0
CleanUp!
Compatibility Pack for the 2007 Office system
Cygnus Hex Editor FREE EDITION 1.00
Dart Pro 24
DeNoise 1.1.5 and DeNoiseLF 1.0.5
DesignPro 5.0 Media Edition
DWG TrueView 2011
DYMO Label Software
EAGLE 5.5.0
Easy CD & DVD Creator 6
EasyGPS 2.7.5
eBay Toolbar Featuring Yahoo!
EMP Device Programming Software
Excla WAVhum 1.9
ExpressPCB
ffdshow
Freecorder 4.01 Application
FreeZip
Garmin City Navigator North America NT 2010.10 Update
Garmin Communicator Plugin
Garmin MapSource
Garmin MetroGuide North America v8
Garmin nRoute
Garmin POI Loader
Garmin Training Center 3.3.2
Garmin USB Drivers
Garmin WebUpdater
getPlus(R) for Adobe
GIMPshop .1 beta
GnuWin32: Make-3.81
GoldWave v5.52
Google Chrome
Google Update Helper
GSview 4.9
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
ISODisk 1.1
ispLEVER Classic 1.2
ispVMSystem 17.3.2
iTunes
IZArc 3.81
JBug11
Juniper Networks Network Connect 6.5.0
Lattice OEM Synplify
Lexicon Omega Software (remove only)
Lexicon Pantheon VST Plug-in (remove only)
LiveUpdate 1.80 (Symantec Corporation)
Malwarebytes' Anti-Malware
MapSource
MapSource
MapSource - GPSMAP 162/168 Tide Points
MapSource - MetroGuide USA
MapSource - US Topo 24K National Parks, Central v3
MapSource - US Topo 24K National Parks, West v2
Master Blues Piano Solos Volume 1
Master Flatpick Guitar Volume 1
Master Jazz Guitar Solos SuperPAK
MegaCore IP Library 7.2
MGTEK MiniIDE 1.19
MicroLoad by Technological Arts
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Expression Media 2 SP2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Microsoft Silverlight
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MinGW 5.1.4
ModelSim-Altera 6.1g (Quartus II 7.2)
Motorola Driver Installation 3.2.0
Motorola MVP Client 4.7
Motorola Phone Tools
Mozilla Firefox (3.6.8)
Mozilla Thunderbird (3.1.4)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nios II Embedded Design Suite 7.2
Notepad++
OGA Notifier 2.0.0048.0
PAC-Designer 5.1
Panda ActiveScan 2.0
Perforce P4Web Component
Perforce P4Web Component
Perforce P4Win Components
Perforce P4Win Components
Perforce Visual Components
PG Music DirectX Plugins 1.3.4.1
PonyProg2000 v2.07c
PrimoPDF
PrimoPDF
PrimoPDF Redistribution Package
ProChip Designer 5.0
Quartus II 7.0 Programmer and SignalTap II
Quartus II 7.2
Quicken 2009
QuickTime
ReadPlease 2003/ReadPlease PLUS 2003
Realtek AC'97 Audio
Replay Converter 4
RSA SecurID Software Token
Safari
ScanWizard 5
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sentinel System Driver
Sibelius Scorch (ActiveX Only)
Song Sheet 5
Songsheet Generator 2.8
Sony CD Architect 5.2
Sony Noise Reduction Plug-In 2.0b
Sony Sound Forge 8.0b
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Steinberg Cubase LE 4
Steinberg HALionOne
Steinberg HALionOne Essential Set
SureThing CD Labeler Deluxe 5
Switch
Symantec AntiVirus Client
Symantec Procomm Plus
Syncrosoft License Control
TimingTool Editor
TurboTax 2009
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
UltraEdit-32 Uninstall
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
vanBasco's Karaoke Player
Virtual Sound Canvas DXi
VirtualBoss
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VNC Free Edition 4.1.2
Wave Flow
WinAVR 20080610 (remove only)
WinAVR 20080610 (remove only)
WinCupl
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Driver Package - Needhams Electronics Inc (empusb) USB (6/27/2005 2.01.0000.0)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinISD beta
stevew1
Active Member
Posts: 9
Joined: September 21st, 2010, 5:46 am
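As an added example (not code from the thread or from HijackThis), a small Python triage script that parses HJT entry lines like the ones in the log above and flags the entries a helper reviews first: AppInit_DLLs values, orphaned BHOs, proxy settings, unexpected name servers and Run entries with no directory. The sample lines are copied from the log above; the set of expected DNS servers is an assumption supplied by the caller, and a flag is a reason to look closer, not a verdict.

```python
"""Triage of HijackThis (HJT) log entries.

Added example, not part of the thread or of HijackThis itself: it parses
the "Rx/Ox - ..." entry lines HJT emits and flags the ones a helper looks
at first. The sample lines are copied from the log posted above; which
DNS servers count as expected is an assumption passed in by the caller.
"""
import re
from dataclasses import dataclass

# Every HJT entry starts with a section code such as R1, O2, O20, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Finding:
    code: str    # HJT section code the entry came from
    reason: str  # why it deserves a closer look (not a verdict)
    raw: str     # the original log line


def parse_entry(line):
    """Return (code, body) for an HJT entry line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def run_key_target(body):
    """Extract the program a Run-key entry launches: the part after '[name]'."""
    m = re.search(r"\]\s*(.+)$", body)
    if not m:
        return None
    target = m.group(1).strip()
    if target.startswith('"'):          # quoted path: take up to the closing quote
        return target[1:].split('"', 1)[0]
    return target.split()[0]            # unquoted: the first token is the image


def triage(lines, expected_dns=frozenset()):
    """Scan HJT lines and return Findings in log order."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        code, body = parsed
        raw = line.strip()
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body.split(":", 1)[1].strip()
            if dll:  # this DLL is loaded into every process that links user32.dll
                findings.append(Finding(code, f"AppInit_DLLs loads {dll} into every "
                                        "user32-linked process; verify publisher "
                                        "and on-disk location", raw))
        elif code == "O2" and body.endswith("(no file)"):
            findings.append(Finding(code, "orphaned BHO registration: the DLL is "
                                    "no longer on disk", raw))
        elif code == "R1" and ",ProxyServer = " in body:
            proxy = body.split("= ", 1)[1].strip()
            findings.append(Finding(code, f"browser traffic goes through proxy "
                                    f"{proxy}; confirm it is intended", raw))
        elif code == "O17" and "NameServer = " in body:
            servers = {s.strip() for s in body.split("= ", 1)[1].split(",")}
            unexpected = servers - set(expected_dns)
            if unexpected:
                findings.append(Finding(code, "DNS servers not in the expected set: "
                                        + ", ".join(sorted(unexpected)), raw))
        elif code == "O4":
            target = run_key_target(body)
            if target and "\\" not in target:
                findings.append(Finding(code, f"Run entry {target} has no directory, "
                                        "so Windows resolves it by search path; check "
                                        "which file actually runs", raw))
    return findings


# Constructed sample: a handful of lines copied from the HJT log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.100:800
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: nwbeco.dll
"""

if __name__ == "__main__":
    # Assumed: the owner uses the two 208.67.x.x resolvers on purpose.
    for f in triage(SAMPLE_LOG.splitlines(),
                    expected_dns={"208.67.220.220", "208.67.222.222"}):
        print(f"[{f.code}] {f.reason}\n    {f.raw}")
```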

Re: SpyBot, Malwarebytes Anti-Malware Won't Run
Posted: Tue 2

Post by askey127 » September 24th, 2010, 7:02 pm

Hi stevew1,
If you still need help and are not getting it elsewhere:
------------------------------------------------
Download and Run Rkill
Please download Rkill from one of the following links and save to your Desktop:
One, Two, Three or Four
  • Double click on Rkill. (Right-click and "Run as administrator" in Vista/Win7).
  • A command window will open, then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: If your security software warns about Rkill, please ignore and allow the download to continue. If you cannot get one of the downloads to work for you, try one of the other links.
If you cannot get Rkill to run without being stopped, don't proceed further, and post back to tell me about it.
------------------------------------------------------------
Please download the GMER Rootkit Scanner from Here.
  • XP: Double-click the .exe file. If asked to allow the gmer.sys driver to load, please consent
  • VISTA/Win7: Right-click the .exe file and choose Run as Administrator. If asked to allow the gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than the System drive (which is typically C:\)
    • Show All (don't miss this one)
      [Image: screenshot of the GMER scan options; not reproduced]
  • Then click the Scan button & wait for it to finish
    **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
Note: Do not run any other programs while Gmer is running.

askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: SpyBot, Malwarebytes Anti-Malware Won't Run
Posted: Tue 2

Post by stevew1 » September 25th, 2010, 6:15 pm

Hello askey127

Yes, I still need help. I've resisted running combofix on my own but am getting somewhat desperate since the next step for me is probably to reformat and reinstall.

I ran the tools as you instructed but had some problems. I ran GMER 3 times. The first time, my machine blue-screened within about an hour. The second time it became unresponsive after a couple of hours, and the third time it rebooted after running for probably 12 hours. I saved off the log about every two hours. I'm not sure if what I captured will be of any help, but I've included the last log below.

I appreciate your help. Let me know how to proceed.

Thanks,
Steve

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-25 14:35:22
Windows 5.1.2600 Service Pack 3
Running: 4y4zbdy1.exe; Driver: C:\DOCUME~1\WHISEN~1\LOCALS~1\Temp\ugldypoc.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7667BFE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
stevew1
Active Member
Posts: 9
Joined: September 21st, 2010, 5:46 am

Re: SpyBot, Malwarebytes Anti-Malware Won't Run
Posted: Tue 2

Post by askey127 » September 25th, 2010, 7:38 pm

stevew1,
Let's try a different app to check for a rootkit.
Run RKill again.
-------------------------------------------------------------
Scan With RKUnHooker
Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it. (Right click and "Run as administrator" in Vista/Win7)
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. (eg. desktop) then Click Close.
  • Copy the entire contents of the report and paste it in a reply here.
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: SpyBot, Malwarebytes Anti-Malware Won't Run
Posted: Tue 2

Post by stevew1 » September 27th, 2010, 12:29 am

Ran RKUnhooker with no problems. Here is the report.
Thanks,
Steve

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 4276224 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 56.73 )
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2260992 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2260992 bytes
0x804D7000 RAW 2260992 bytes
0x804D7000 WMIxWDM 2260992 bytes
0xB967F000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 1900544 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 56.73 )
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB55BB000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100919.003\NAVEX15.sys 1359872 bytes (Symantec Corporation, AV Engine)
0xB950C000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 700416 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB800A000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB93E8000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB813D000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB5B9F000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB557A000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB8260000 C:\WINDOWS\System32\Drivers\cdudf_xp.SYS 262144 bytes (Roxio, CD-UDF NT Filesystem Driver)
0xB57A7000 C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys 253952 bytes (Symantec Corporation, AutoProtect)
0xB81BB000 C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS 217088 bytes (Roxio, CD-UDF NT Filesystem Reader Driver)
0xB9446000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB94B9000 C:\WINDOWS\system32\drivers\windrvr6.sys 192512 bytes (Jungo, WinDriver Device Driver 9.20)
0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB5E39000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7843000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB961C000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 176128 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0xB3825000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB807A000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB80ED000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB5A76000 C:\Program Files\Roland\Virtual Sound Canvas DXi\RVIEg01.sys 163840 bytes (Roland, Roland VSC Synthesizer Engine)
0xF74B2000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB80C7000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB822A000 C:\WINDOWS\System32\Drivers\DVDVRRdr_xp.SYS 147456 bytes (Roxio, DVDVR XP Filesystem Reader Driver)
0xB38D8000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB94E8000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB9647000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB95D4000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB80A5000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806FF000 ACPI_HAL 134400 bytes
0x806FF000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF747A000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF74D8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB95B7000 C:\WINDOWS\System32\Drivers\pwd_2k.SYS 118784 bytes (Roxio, Win2000 Framework for Packet Write Driver)
0xB9476000 C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys 110592 bytes (Nortel Networks, Contivity VPN Client Adapter)
0xF7829000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF749A000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB7FC0000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7870000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB94A2000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB52F9000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB544E000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100919.003\NAVENG.sys 81920 bytes (Symantec Corporation, AV Engine)
0xB9608000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB966B000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB8196000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB5DFE000 C:\WINDOWS\System32\Drivers\SENTINEL.SYS 77824 bytes (Rainbow Technologies, Inc., Sentinel System Driver (NT Parallel driver))
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7468000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB95F7000 C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS 69632 bytes (Roxio, CDR4_XP CDR Helper)
0xB5B66000 C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS 69632 bytes (Symantec Corporation, NAVAPEL)
0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB9491000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB57E5000 C:\Program Files\Symantec\SYMEVENT.SYS 69632 bytes (Symantec Corporation, Symantec Event Library)
0xB5D76000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7507000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7537000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF7607000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF7527000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA256000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF7438000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7667000 Lbd.sys 61440 bytes (Lavasoft AB, Boot Driver)
0xF74F7000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB551A000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA599000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7617000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF7657000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7408000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7637000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF76A7000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7677000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xF7428000 C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys 45056 bytes (Juniper Networks, dsNcAdapter)
0xBA559000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7517000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7627000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7887000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA5A9000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA5B9000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7647000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA236000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7547000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA5C9000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA569000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB39FA000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA539000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF780F000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF781F000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xB99D4000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF77F7000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7707000 C:\WINDOWS\System32\Drivers\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xB99CC000 C:\WINDOWS\System32\Drivers\Cdralw2k.SYS 24576 bytes (Roxio, CDRAL for Windows 2000 Kernel Driver)
0xF77DF000 C:\WINDOWS\System32\Drivers\dvd_2K.SYS 24576 bytes (Roxio, DVD-RAM AddOn Driver)
0xB99C4000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF77CF000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF77D7000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7717000 pavboot.sys 24576 bytes (Panda Security, S.L., Panda Boot Driver)
0xB99DC000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF77FF000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7807000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF77BF000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF771F000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF77C7000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF77B7000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xB99F4000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB8214000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF791F000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB60CE000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA66A000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xB5F42000 C:\WINDOWS\System32\Drivers\TVICLPT.SYS 16384 bytes (EnTech Taiwan, TVicLPT NT/2000/XP Device Driver)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB81F0000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB5F4E000 C:\WINDOWS\System32\Drivers\EMPDrv.SYS 12288 bytes
0xBA7F0000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB82E0000 C:\WINDOWS\System32\Drivers\ISODisk.SYS 12288 bytes
0xBA7EC000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA175000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA68A000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7A09000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF798D000 DMLOAD.SYS 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF79AD000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF79F7000 C:\WINDOWS\system32\DRIVERS\eacfilt.sys 8192 bytes (Nortel Networks, NDIS Filter Intermediate Driver)
0xF7A07000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF798B000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xB9F34000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xB9F2E000 C:\WINDOWS\System32\DRIVERS\pacjtag.sys 8192 bytes (Lattice Semiconductor Corp., PAC-Designer WinNT Kernel-mode driver)
0xF79FF000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7A01000 C:\WINDOWS\system32\drivers\pgdhdlc.sys 8192 bytes (Altera Corporation, Altera ByteBlaster Driver)
0xB9F32000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79F9000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79F3000 C:\WINDOWS\system32\drivers\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA090000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7AB9000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA600000 C:\WINDOWS\System32\Drivers\EMPNT.SYS 4096 bytes
0xBA149000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A4F000 PCIIde.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x053F0000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x89DDD930 ] PID: 276, 126976 bytes
0x03950000 Hidden Image-->System.XML.dll [ EPROCESS 0x89DDD930 ] PID: 276, 2060288 bytes
0x044D0000 Hidden Image-->System.EnterpriseServices.dll [ EPROCESS 0x89DDD930 ] PID: 276, 266240 bytes
0x04260000 Hidden Image-->System.Transactions.dll [ EPROCESS 0x89DDD930 ] PID: 276, 270336 bytes
0x00F80000 Hidden Image-->log4net.dll [ EPROCESS 0x89DDD930 ] PID: 276, 282624 bytes
0x03F30000 Hidden Image-->System.Data.dll [ EPROCESS 0x89DDD930 ] PID: 276, 2961408 bytes
0x04A30000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x89DDD930 ] PID: 276, 307200 bytes
0x03330000 Hidden Image-->System.dll [ EPROCESS 0x89DDD930 ] PID: 276, 3190784 bytes
0x05300000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x89DDD930 ] PID: 276, 421888 bytes
0x03170000 Hidden Image-->System.configuration.dll [ EPROCESS 0x89DDD930 ] PID: 276, 438272 bytes
0x042D0000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x89DDD930 ] PID: 276, 479232 bytes
0x04C80000 Hidden Image-->System.Windows.Forms.dll [ EPROCESS 0x89DDD930 ] PID: 276, 5033984 bytes
0x05260000 Hidden Image-->System.Drawing.dll [ EPROCESS 0x89DDD930 ] PID: 276, 634880 bytes
0x03E50000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x89DDD930 ] PID: 276, 872448 bytes
stevew1
Active Member
Posts: 9
Joined: September 21st, 2010, 5:46 am
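As an added triage example (my code, not RkUnhooker's and not part of this thread), the script below parses the two sections of the report above that a helper looks at first: `>Drivers`, where it lists kernel modules whose line carries no vendor/description in parentheses, and `>Stealth`, where it groups the "Hidden Image" entries by the process they were found in and separates names that follow the .NET Framework's `System.*.dll` convention from the rest. The sample input is a short excerpt copied from the report above; the framework-assembly naming rule is my own heuristic, not an RkUnhooker rule, and a missing description by itself does not make a module malicious.

```python
"""Triage helper for an RkUnhooker (RkU) text report.

Added example for this thread; not RkUnhooker's code and not the poster's.
Parses the >Drivers and >Stealth sections and reports:
  * kernel modules listed without a vendor/description in parentheses
  * "Hidden Image" entries grouped by the PID they were found in, split into
    names that look like .NET Framework assemblies and everything else
"""
import re
from collections import defaultdict

# Constructed test input: a handful of lines copied from the report above.
SAMPLE_REPORT = r"""RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2260992 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2260992 bytes
0xB7FC0000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB39FA000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xB5F4E000 C:\WINDOWS\System32\Drivers\EMPDrv.SYS 12288 bytes
0xB82E0000 C:\WINDOWS\System32\Drivers\ISODisk.SYS 12288 bytes
0xF7717000 pavboot.sys 24576 bytes (Panda Security, S.L., Panda Boot Driver)
==============================================
>Stealth
==============================================
0x053F0000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x89DDD930 ] PID: 276, 126976 bytes
0x00F80000 Hidden Image-->log4net.dll [ EPROCESS 0x89DDD930 ] PID: 276, 282624 bytes
0x05300000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x89DDD930 ] PID: 276, 421888 bytes
0x03330000 Hidden Image-->System.dll [ EPROCESS 0x89DDD930 ] PID: 276, 3190784 bytes
"""

# "<base> <module path or kernel alias> <size> bytes (<vendor, description>)"
# The description is optional; module paths may contain spaces.
DRIVER_RE = re.compile(
    r"^(?P<base>0x[0-9A-Fa-f]+)\s+(?P<module>\S.*?)\s+(?P<size>\d+) bytes"
    r"(?:\s+\((?P<desc>.*)\))?\s*$"
)
# "<base> Hidden Image--><image> [ EPROCESS <addr> ] PID: <pid>, <size> bytes"
STEALTH_RE = re.compile(
    r"^(?P<base>0x[0-9A-Fa-f]+) Hidden Image-->(?P<image>\S+) "
    r"\[ EPROCESS (?P<eprocess>0x[0-9A-Fa-f]+) \] PID: (?P<pid>\d+), (?P<size>\d+) bytes$"
)


def parse_report(text):
    """Split the report into its '>Section' blocks and parse Drivers and Stealth."""
    sections = defaultdict(list)
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:  # blank or ===== separator
            continue
        if line.startswith(">"):            # section marker such as ">Drivers"
            current = line[1:].strip()
            continue
        sections[current].append(line)

    drivers = []
    for line in sections.get("Drivers", []):
        m = DRIVER_RE.match(line)
        if m:
            drivers.append({"base": int(m["base"], 16), "module": m["module"],
                            "size": int(m["size"]),
                            "description": (m["desc"] or "").strip() or None})
    stealth = []
    for line in sections.get("Stealth", []):
        m = STEALTH_RE.match(line)
        if m:
            stealth.append({"base": int(m["base"], 16), "image": m["image"],
                            "eprocess": m["eprocess"], "pid": int(m["pid"]),
                            "size": int(m["size"])})
    return {"drivers": drivers, "stealth": stealth}


def undescribed_drivers(drivers):
    """File names of modules with no vendor/description. Kernel aliases such as
    'PnpManager' or 'RAW' (no file extension) are skipped. A missing description
    is a reason to look, not a verdict: dump_*.sys crash-dump copies are normal."""
    names = []
    for d in drivers:
        name = d["module"].rsplit("\\", 1)[-1]
        if d["description"] is None and "." in name:
            names.append(name)
    return names


def hidden_images_by_pid(stealth):
    """Group 'Hidden Image' hits by the process they were found in."""
    grouped = defaultdict(list)
    for s in stealth:
        grouped[s["pid"]].append(s["image"])
    return dict(grouped)


def is_framework_assembly(image):
    """Heuristic (my assumption, not an RkU rule): .NET Framework class-library
    assemblies are named System.*.dll or mscorlib.dll."""
    lower = image.lower()
    return lower.startswith("system.") or lower == "mscorlib.dll"


def triage(text):
    """Return the two lists a helper would read first."""
    report = parse_report(text)
    by_pid = hidden_images_by_pid(report["stealth"])
    return {
        "undescribed_drivers": undescribed_drivers(report["drivers"]),
        "hidden_by_pid": by_pid,
        "non_framework_hidden": {pid: [i for i in imgs if not is_framework_assembly(i)]
                                 for pid, imgs in by_pid.items()},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("Drivers with no vendor/description:")
    for name in result["undescribed_drivers"]:
        print("  ", name)
    for pid, imgs in result["hidden_by_pid"].items():
        others = result["non_framework_hidden"][pid]
        print(f"PID {pid}: {len(imgs)} hidden image(s), "
              f"{len(others)} not named like .NET Framework assemblies:")
        for img in others:
            print("  ", img)
```

Point `triage()` at the full report text to run it over the whole post. On the excerpt, every hidden image sits in one process (PID 276) and only `log4net.dll` and the Intuit assembly fall outside the framework naming rule, which is where a helper would start when deciding whether that process is worth a closer look.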

Re: SpyBot, Malwarebytes Anti-Malware Won't RunPosted: Tue 2

Unread postby askey127 » September 27th, 2010, 7:35 am

stevew,
"This website may be harmful to your computer", but I went ahead to the site anyway.

Hopefully you won't do that again.

Don't use any apps purporting to clean or optimize your registry.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

Adobe Reader 8.1.3
CleanUp!

Take extra care in answering questions posed by any Uninstaller.
--------------------------------------------------------
Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.
All versions numbered lower than 9.33 are vulnerable.
Go HERE and click on AdbeRdr933_en_US.exe to download the latest version of Adobe Acrobat Reader.
Save this file to your desktop and run it to install the latest version of Adobe Reader.
----------------------------------------------
Download and Run Temp File Cleaner (TFC.exe)
Download Temp File Cleaner and save it to your desktop.
Double click to run it. If you have a lot of junk files to remove, it could take a while, so please be patient and let it finish.
When it's done, if it asks to Reboot, choose to do so. This will remove files that could not be removed while Windows was running.
After Restart, log back in to your usual account.
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software BEFORE running ComboFix.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE NORTON ANTIVIRUS
    Please navigate to the system tray on the bottom right hand corner and look for the Norton icon.
    • right-click it -> choose "Disable Auto-Protect."
    • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
    • click "Ok."
    • a popup will warn that protection will now be disabled.
    Norton Antivirus Guard is now disabled.
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it. (You would).
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply, and then re-enable your protection software.
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

The Recovery Console produces a brief (2 second) black screen at bootup which allows an additional technical resource for repair in case of a major failure. In regular operation, you can ignore it.
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: SpyBot, Malwarebytes Anti-Malware Won't RunPosted: Tue 2

Unread postby stevew1 » September 28th, 2010, 12:44 am

Askey127,
I followed the instructions and have attached the ComboFix report. I ran into one issue while running ComboFix. A window popped up indicating that pev.cfxxe had terminated prematurely (the window was the normal one asking if you wanted to send a report to Microsoft). I waited for 30 minutes, during which time there was no disk activity and ComboFix appeared to be waiting. I closed the window without sending a report and ComboFix continued scanning. This pop-up window occurred just after "Completed Stage 2" was displayed in the ComboFix window.

Here is the log.
-----------------------
ComboFix 10-09-27.04 - Whisenhunt 09/27/2010 22:11:43.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1425 [GMT -5:00]
Running from: c:\documents and settings\Whisenhunt\Desktop\zzz.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\java.exe

.
((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-28 )))))))))))))))))))))))))))))))
.

2010-09-25 01:22 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-24 02:22 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-09-24 00:21 . 2010-09-24 00:21 5888 ----a-w- c:\windows\system32\drivers\DMLOAD.SYS
2010-09-23 05:49 . 2010-09-24 00:24 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-21 13:41 . 2010-09-24 02:23 -------- d-----w- c:\program files\Windows Live Safety Center
2010-09-21 09:38 . 2010-09-21 09:38 -------- d-----w- c:\program files\Trend Micro
2010-09-21 02:02 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-21 01:55 . 2010-09-21 01:55 -------- d-----w- c:\documents and settings\Whisenhunt\Local Settings\Application Data\Sunbelt Software
2010-09-21 01:55 . 2010-09-21 01:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-21 01:54 . 2010-09-21 01:54 -------- d-----w- c:\program files\Lavasoft
2010-09-21 01:45 . 2010-09-24 02:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-21 00:59 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-21 00:59 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-21 00:59 . 2010-09-24 02:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-20 04:34 . 2010-09-20 04:34 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-20 04:27 . 2010-09-20 04:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-09-20 04:20 . 2010-09-20 04:20 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-19 22:48 . 2010-09-21 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-09-18 02:06 . 2010-09-18 02:06 -------- d-----w- c:\program files\Panda Security
2010-09-14 14:34 . 2010-09-14 14:35 -------- d-----w- c:\program files\Safari
2010-09-14 14:31 . 2010-09-14 14:31 -------- d-----w- c:\program files\iPod
2010-09-14 14:31 . 2010-09-14 14:32 -------- d-----w- c:\program files\iTunes
2010-09-14 14:26 . 2010-09-14 14:27 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-28 04:03 . 2010-05-25 05:02 -------- d-----w- c:\program files\Common Files\Akamai
2010-09-28 02:53 . 2007-12-04 04:02 -------- d-----w- c:\program files\Symantec
2010-09-28 02:50 . 2007-12-04 04:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-28 01:33 . 2007-12-05 06:09 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-26 01:53 . 2007-12-05 08:03 -------- d-----w- c:\documents and settings\Whisenhunt\Application Data\Roxio
2010-09-25 01:43 . 2007-12-03 06:11 190528 ----a-w- c:\documents and settings\Whisenhunt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-23 14:02 . 2007-12-05 06:07 -------- d-----w- c:\program files\Google
2010-09-23 13:55 . 2007-12-05 16:13 -------- d-----w- c:\program files\DYMO Label
2010-09-21 09:38 . 2010-09-21 09:38 388096 ----a-r- c:\documents and settings\Whisenhunt\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-21 02:50 . 2008-02-04 04:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-19 20:58 . 2007-12-04 06:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-09-19 01:52 . 2007-12-06 08:50 -------- d-----w- c:\program files\Java
2010-09-19 00:45 . 2007-12-04 03:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-19 00:40 . 2009-04-01 23:48 -------- d-----w- c:\program files\Roni Music
2010-09-19 00:40 . 2007-12-28 05:13 -------- d-----w- c:\program files\Common Files\AOL
2010-09-19 00:20 . 2010-08-04 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Psicraft
2010-09-17 14:26 . 2007-12-04 02:34 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-09-14 14:33 . 2010-09-14 14:33 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.18.5\SetupAdmin.exe
2010-09-14 14:31 . 2010-06-28 14:33 -------- d-----w- c:\program files\Common Files\Apple
2010-09-14 14:21 . 2010-09-14 14:21 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-10 19:34 . 2009-08-19 05:03 35552200 ----a-w- c:\windows\system32\MRTs.exe
2010-09-08 13:51 . 2008-06-19 03:09 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-04 16:22 . 2007-12-04 03:01 -------- d-----w- c:\documents and settings\Whisenhunt\Application Data\Thunderbird
2010-09-04 04:19 . 2010-02-03 06:42 -------- d-----w- c:\program files\Notepad++
2010-08-25 22:20 . 2010-08-25 22:20 81 ----a-w- C:\CTX.DAT
2010-08-25 02:27 . 2010-08-25 02:27 -------- d-----w- c:\documents and settings\Whisenhunt\Application Data\AnvSoft
2010-08-25 02:27 . 2010-08-25 02:27 -------- d-----w- c:\program files\AnvSoft
2010-08-25 02:18 . 2010-08-25 02:18 -------- d-----w- c:\program files\Common Files\Common Share
2010-08-24 01:00 . 2008-01-26 02:53 -------- d-----w- c:\program files\Nexia
2010-08-22 06:45 . 2009-01-29 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-22 06:36 . 2010-08-22 06:36 -------- d-----w- c:\program files\Applian Director
2010-08-22 06:35 . 2010-08-22 06:35 -------- d-----w- c:\program files\Replay Converter 4
2010-08-22 06:26 . 2010-08-22 06:26 2788816 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-08-22 06:20 . 2010-08-22 06:18 -------- d-----w- c:\program files\Freecorder
2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 03:37 . 2010-02-23 04:55 129388 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-12 12:16 . 2010-09-21 01:55 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-08-05 01:52 . 2008-03-10 01:18 -------- d-----w- c:\program files\vanBasco's Karaoke Player
2010-08-04 02:18 . 2010-08-04 02:18 -------- d-----w- c:\program files\Psicraft
2010-08-03 04:45 . 2010-08-03 04:45 -------- d-----w- c:\documents and settings\Whisenhunt\Application Data\TC-Helicon
2010-07-22 15:49 . 2004-08-04 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-08-19 04:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
1766-04-10 18:59 . 1766-04-10 18:59 4263 --sh--w- c:\windows\windllreg1c.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPCheckoutOverlay]
@="{80E008A4-EAE7-4867-AEB0-1A245F070F25}"
[HKEY_CLASSES_ROOT\CLSID\{80E008A4-EAE7-4867-AEB0-1A245F070F25}]
2007-12-07 18:07 557056 ----a-r- c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPSyncdOverlay]
@="{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}"
[HKEY_CLASSES_ROOT\CLSID\{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}]
2007-12-07 18:07 557056 ----a-r- c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPUpdateOverlay]
@="{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}"
[HKEY_CLASSES_ROOT\CLSID\{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}]
2007-12-07 18:07 557056 ----a-r- c:\program files\Perforce\p4exp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gStart"="c:\garmin\gStart.exe" [2007-08-23 1891416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-12-01 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"eBayToolbar"="c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2009-01-18 632048]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"SoundMan"="SOUNDMAN.EXE" [2003-03-27 53248]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-08 47904]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 167936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"SunJavaUpdateSched"="c:\program files\timingtool\jre\bin\jusched.exe" [2008-10-27 132496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\Whisenhunt\Start Menu\Programs\Startup\
Calendar 2000.lnk - c:\program files\Software by Design\Calendar.exe [2008-2-15 286720]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2007-12-5 335872]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Apps\\cygwin\\usr\\X11R6\\bin\\XWin.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Apps\\cygwin\\bin\\ftp.exe"=
"c:\\Apps\\eclipse\\eclipse.exe"=
"c:\\Apps\\ispLEVER_Classic1_2\\synpbase\\bin\\mbin\\synbatch.exe"=
"c:\\Apps\\ispLEVER_Classic1_2\\synpbase\\bin\\mbin\\synplify.exe"=
"c:\\Program Files\\TimingTool\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe"=
"c:\\Program Files\\MagicDisc\\MagicDisc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Aptana\\Aptana Studio 2.0\\AptanaStudio.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1053:TCP"= 1053:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/20/2010 9:02 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/23/2010 9:22 PM 28552]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [6/14/2009 3:41 PM 9600]
R1 PacJtag;PacJtag;c:\windows\system32\drivers\pacjtag.sys [4/22/2004 12:01 PM 46544]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 7:00 AM 14336]
R2 Apcupsd;Apcupsd UPS Monitor;c:\program files\apcupsd\bin\apcupsd.exe [2/10/2007 4:26 PM 692736]
R2 EMPDrv;EMPDrv;c:\windows\system32\drivers\EMPDrv.SYS [8/27/2008 11:25 PM 11872]
R2 EMPNT;EMPNT;c:\windows\system32\drivers\empnt.sys [11/13/2003 1:52 AM 3360]
R2 TVICLPT;TVICLPT;c:\windows\system32\drivers\TVICLPT.SYS [10/20/2008 12:57 AM 15504]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [12/12/2007 10:43 PM 9049]
S1 avoqojmj;avoqojmj;\??\c:\windows\system32\drivers\avoqojmj.sys --> c:\windows\system32\drivers\avoqojmj.sys [?]
S1 MpKsld5877bb9;MpKsld5877bb9;\??\c:\program files\Windows Live Safety Center\MpKsld5877bb9.sys --> c:\program files\Windows Live Safety Center\MpKsld5877bb9.sys [?]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]
S2 EZUSB;Cypress General Purpose USB Driver ((ezusb.sys);c:\windows\system32\drivers\ezusb.sys [8/30/2008 10:09 PM 12307]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/19/2010 5:48 PM 135664]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [12/12/2007 10:43 PM 115008]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1355928]
S2 Perforce Web;Perforce Web;c:\program files\Perforce\p4webs.exe [12/7/2007 1:07 PM 1331200]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 4:40 AM 118784]
S3 AlteraUSBBlaster;Altera USB-Blaster Device Driver;c:\windows\system32\drivers\ftdibus.sys [3/21/2008 12:54 AM 47249]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [3/15/2009 1:05 AM 17920]
S3 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.SYS [10/18/2008 11:18 AM 3584]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Motorola MVP\Extranet_serv.exe [12/12/2007 10:43 PM 626688]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 7:00 AM 14336]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [3/15/2009 1:06 AM 18432]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [12/29/2008 11:54 PM 37708]

--- Other Services/Drivers In Memory ---

*Deregistered* - Lavasoft Kernexplorer

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 02:10]

2010-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-19 22:48]

2010-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-19 22:48]

2010-09-28 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-09-28 c:\windows\Tasks\User_Feed_Synchronization-{13E72769-C396-4ED8-81BE-338B55C2343B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.home;*.mot.com;access.motorola.com;<local>
uInternet Settings,ProxyServer = 192.168.1.100:800
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Google Sidewiki...
Trusted Zone: intuit.com\ttlc
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6. ... ontrol.CAB
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://access.motorola.com/dana-cached ... Client.cab
FF - ProfilePath - c:\documents and settings\Whisenhunt\Application Data\Mozilla\Firefox\Profiles\thuupqf8.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/Whisenhunt/My%20Documents/Wiki/journal/journal.html
FF - component: c:\documents and settings\Whisenhunt\Application Data\Mozilla\Firefox\Profiles\thuupqf8.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Whisenhunt\Application Data\Mozilla\Firefox\Profiles\thuupqf8.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\Whisenhunt\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\timingtool\jre\bin\npjpi160_03.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-27 23:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
Completion time: 2010-09-27 23:37:14
ComboFix-quarantined-files.txt 2010-09-28 04:37

Pre-Run: 9,327,079,424 bytes free
Post-Run: 9,287,426,048 bytes free

- - End Of File - - 3E89D7BD1D0DB93D1110F2333A6C7DBA

-----------------------

Thanks,
Steve
Re: SpyBot, Malwarebytes Anti-Malware Won't Run

Post by askey127 » September 28th, 2010, 8:41 am

stevew1,
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code:
    Reg::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\Program Files\BitTorrent\bittorrent.exe"=-
    
    Folder::
    c:\Program Files\BitTorrent
    
    File::
    c:\windows\system32\drivers\avoqojmj.sys
    
    Driver::
    avoqojmj
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.
askey127

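The procedure above picks the driver to delete out of the ComboFix service list by eye and writes the File::/Driver:: directives by hand. The script below is an added example, not code from the original thread or from ComboFix, that automates that triage: it parses ComboFix-style service lines (the sample is copied from the log posted earlier in this thread), scores each entry on the signals a helper looks for, and drafts the matching CFScript section. The regular expressions, the four signals and the threshold of 3 are my own assumptions about the log format and about what is worth flagging, not anything ComboFix defines.

```python
"""Triage the R*/S* service lines of a ComboFix log and draft a CFScript.

Added example, not ComboFix code. Each entry earns one point per signal (assumed weights):
  - binary missing on disk, which ComboFix prints as "[?]"
  - boot/system start type (R0/R1/S0/S1): loads before user-mode security tools
  - ImagePath stored as an NT object path ("\\??\\c:\\...")
  - display name identical to the service name
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "<start> <name>;<display>;<image path and metadata>"
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# "<image> [<date> <size>]"  or  "<image> --> <resolved> [?]"
PATH_RE = re.compile(r"^(?P<image>.*?)(?: --> (?P<resolved>.*?))?\s+\[(?P<meta>[^\]]*)\]$")
KERNEL_START = {"R0", "R1", "S0", "S1"}

# Constructed sample: lines copied verbatim from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/20/2010 9:02 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/23/2010 9:22 PM 28552]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 7:00 AM 14336]
S1 avoqojmj;avoqojmj;\??\c:\windows\system32\drivers\avoqojmj.sys --> c:\windows\system32\drivers\avoqojmj.sys [?]
S1 MpKsld5877bb9;MpKsld5877bb9;\??\c:\program files\Windows Live Safety Center\MpKsld5877bb9.sys --> c:\program files\Windows Live Safety Center\MpKsld5877bb9.sys [?]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [12/29/2008 11:54 PM 37708]
"""


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    image: str          # ImagePath as stored in the registry
    resolved: str       # path ComboFix resolved it to (same as image when there is no "-->")
    binary_missing: bool
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix service line and attach the triage signals it trips; None if not a service line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    p = PATH_RE.match(m["rest"].strip())
    if not p:
        return None
    image = p["image"].strip()
    resolved = (p["resolved"] or image).strip()
    entry = ServiceEntry(m["start"], m["name"], m["display"], image, resolved,
                         binary_missing=p["meta"].strip() == "?")
    if entry.binary_missing:
        entry.reasons.append("binary not found on disk ([?])")
    if entry.start in KERNEL_START:
        entry.reasons.append("boot/system start type " + entry.start)
    if entry.image.startswith("\\??\\"):
        entry.reasons.append("ImagePath stored as NT object path")
    if entry.display == entry.name:
        entry.reasons.append("no distinct display name")
    return entry


def triage(log_text: str, threshold: int = 3) -> List[ServiceEntry]:
    """Return the entries whose score reaches the (assumed) threshold, in log order."""
    entries = (parse_service_line(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.score >= threshold]


def build_cfscript(entries: List[ServiceEntry]) -> str:
    """Draft the File::/Driver:: sections in the CFScript layout used in this thread."""
    files = "\n".join(e.resolved for e in entries)
    drivers = "\n".join(e.name for e in entries)
    return "File::\n" + files + "\n\nDriver::\n" + drivers + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for e in hits:
        print(f"{e.name}: score {e.score} ({'; '.join(e.reasons)})")
    print()
    print(build_cfscript(hits))
```

On the sample it flags exactly the two drivers the helper removed in this thread, avoqojmj and MpKsld5877bb9, while Lbd and pavboot (kernel start, but present on disk) stay below the threshold. Treat the score as a triage aid and confirm each hit before it goes into a CFScript: the same signals fire on orphaned entries that legitimate scanners leave behind, and the MpKsld5877bb9 entry points into the Windows Live Safety Center folder that the Files Created list shows appearing on 2010-09-21, during the poster's own clean-up attempts.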
Re: SpyBot, Malwarebytes Anti-Malware Won't Run

Post by stevew1 » September 28th, 2010, 11:06 am

Askey127,
I ran ComboFix using the script you sent. ComboFix completed and generated the log which is included below. There were two small issues. I again saw the pop-up window indicating that pev.cfxxe had terminated incorrectly and was given the option to send a report to Microsoft. This occurred after ComboFix Stage 2 had completed. I closed the window without sending a report. The other issue was that I was either logged out, or the machine rebooted, while ComboFix was running. I clicked my account icon on the login screen and things came back with ComboFix still running. I let it continue uninterrupted until the report was generated.

Thanks,
Steve
-----------------------

ComboFix 10-09-27.04 - Whisenhunt 09/28/2010 8:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1347 [GMT -5:00]
Running from: c:\documents and settings\Whisenhunt\Desktop\zzz.exe
Command switches used :: c:\documents and settings\Whisenhunt\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\windows\system32\drivers\avoqojmj.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\BitTorrent
c:\program files\BitTorrent\bittorrent.exe
c:\program files\BitTorrent\BitTorrentIE.2.dll
c:\program files\BitTorrent\uninst.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_avoqojmj


((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-28 )))))))))))))))))))))))))))))))
.

2010-09-28 05:23 . 2010-09-28 05:23 -------- d-----w- c:\documents and settings\Whisenhunt\Local Settings\Application Data\Symantec
2010-09-28 05:22 . 2006-05-05 21:19 87808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-09-28 05:22 . 2006-05-05 21:19 107696 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-09-28 05:22 . 2010-09-28 14:08 -------- d-----w- c:\program files\Symantec AntiVirus
2010-09-28 03:08 . 2010-09-28 04:37 -------- d-----w- C:\zzz
2010-09-25 01:22 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-24 02:22 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-09-24 00:21 . 2010-09-24 00:21 5888 ----a-w- c:\windows\system32\drivers\DMLOAD.SYS
2010-09-23 05:49 . 2010-09-24 00:24 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-21 13:41 . 2010-09-24 02:23 -------- d-----w- c:\program files\Windows Live Safety Center
2010-09-21 09:38 . 2010-09-21 09:38 -------- d-----w- c:\program files\Trend Micro
2010-09-21 02:02 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-21 01:55 . 2010-09-21 01:55 -------- d-----w- c:\documents and settings\Whisenhunt\Local Settings\Application Data\Sunbelt Software
2010-09-21 01:55 . 2010-09-21 01:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-21 01:54 . 2010-09-21 01:54 -------- d-----w- c:\program files\Lavasoft
2010-09-21 01:45 . 2010-09-24 02:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-21 00:59 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-21 00:59 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-21 00:59 . 2010-09-24 02:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-20 04:34 . 2010-09-20 04:34 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-20 04:27 . 2010-09-20 04:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-09-20 04:20 . 2010-09-20 04:20 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-19 22:48 . 2010-09-21 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-09-18 02:06 . 2010-09-18 02:06 -------- d-----w- c:\program files\Panda Security
2010-09-14 14:34 . 2010-09-14 14:35 -------- d-----w- c:\program files\Safari
2010-09-14 14:31 . 2010-09-14 14:31 -------- d-----w- c:\program files\iPod
2010-09-14 14:31 . 2010-09-14 14:32 -------- d-----w- c:\program files\iTunes
2010-09-14 14:26 . 2010-09-14 14:27 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-28 14:08 . 2010-05-25 05:02 -------- d-----w- c:\program files\Common Files\Akamai
2010-09-28 05:23 . 2007-12-04 04:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-28 05:23 . 2007-12-04 04:02 -------- d-----w- c:\program files\Symantec
2010-09-28 05:22 . 2007-12-04 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-09-28 01:33 . 2007-12-05 06:09 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-26 01:53 . 2007-12-05 08:03 -------- d-----w- c:\documents and settings\Whisenhunt\Application Data\Roxio
2010-09-25 01:43 . 2007-12-03 06:11 190528 ----a-w- c:\documents and settings\Whisenhunt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-23 14:02 . 2007-12-05 06:07 -------- d-----w- c:\program files\Google
2010-09-23 13:55 . 2007-12-05 16:13 -------- d-----w- c:\program files\DYMO Label
2010-09-21 02:50 . 2008-02-04 04:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-19 20:58 . 2007-12-04 06:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-09-19 01:52 . 2007-12-06 08:50 -------- d-----w- c:\program files\Java
2010-09-19 00:45 . 2007-12-04 03:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-19 00:40 . 2009-04-01 23:48 -------- d-----w- c:\program files\Roni Music
2010-09-19 00:40 . 2007-12-28 05:13 -------- d-----w- c:\program files\Common Files\AOL
2010-09-19 00:20 . 2010-08-04 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Psicraft
2010-09-17 14:26 . 2007-12-04 02:34 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-09-14 14:31 . 2010-06-28 14:33 -------- d-----w- c:\program files\Common Files\Apple
2010-09-10 19:34 . 2009-08-19 05:03 35552200 ----a-w- c:\windows\system32\MRTs.exe
2010-09-08 13:51 . 2008-06-19 03:09 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-04 16:22 . 2007-12-04 03:01 -------- d-----w- c:\documents and settings\Whisenhunt\Application Data\Thunderbird
2010-09-04 04:19 . 2010-02-03 06:42 -------- d-----w- c:\program files\Notepad++
2010-08-25 22:20 . 2010-08-25 22:20 81 ----a-w- C:\CTX.DAT
2010-08-25 02:27 . 2010-08-25 02:27 -------- d-----w- c:\documents and settings\Whisenhunt\Application Data\AnvSoft
2010-08-25 02:27 . 2010-08-25 02:27 -------- d-----w- c:\program files\AnvSoft
2010-08-25 02:18 . 2010-08-25 02:18 -------- d-----w- c:\program files\Common Files\Common Share
2010-08-24 01:00 . 2008-01-26 02:53 -------- d-----w- c:\program files\Nexia
2010-08-22 06:45 . 2009-01-29 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-22 06:36 . 2010-08-22 06:36 -------- d-----w- c:\program files\Applian Director
2010-08-22 06:35 . 2010-08-22 06:35 -------- d-----w- c:\program files\Replay Converter 4
2010-08-22 06:20 . 2010-08-22 06:18 -------- d-----w- c:\program files\Freecorder
2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 03:37 . 2010-02-23 04:55 129388 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-05 01:52 . 2008-03-10 01:18 -------- d-----w- c:\program files\vanBasco's Karaoke Player
2010-08-04 02:18 . 2010-08-04 02:18 -------- d-----w- c:\program files\Psicraft
2010-08-03 04:45 . 2010-08-03 04:45 -------- d-----w- c:\documents and settings\Whisenhunt\Application Data\TC-Helicon
2010-07-22 15:49 . 2004-08-04 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-08-19 04:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
1766-04-10 18:59 . 1766-04-10 18:59 4263 --sh--w- c:\windows\windllreg1c.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPCheckoutOverlay]
@="{80E008A4-EAE7-4867-AEB0-1A245F070F25}"
[HKEY_CLASSES_ROOT\CLSID\{80E008A4-EAE7-4867-AEB0-1A245F070F25}]
2007-12-07 18:07 557056 ----a-r- c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPSyncdOverlay]
@="{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}"
[HKEY_CLASSES_ROOT\CLSID\{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}]
2007-12-07 18:07 557056 ----a-r- c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPUpdateOverlay]
@="{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}"
[HKEY_CLASSES_ROOT\CLSID\{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}]
2007-12-07 18:07 557056 ----a-r- c:\program files\Perforce\p4exp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gStart"="c:\garmin\gStart.exe" [2007-08-23 1891416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-12-01 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"eBayToolbar"="c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2009-01-18 632048]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"SoundMan"="SOUNDMAN.EXE" [2003-03-27 53248]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-08 47904]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 167936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"SunJavaUpdateSched"="c:\program files\timingtool\jre\bin\jusched.exe" [2008-10-27 132496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-08-03 124656]

c:\documents and settings\Whisenhunt\Start Menu\Programs\Startup\
Calendar 2000.lnk - c:\program files\Software by Design\Calendar.exe [2008-2-15 286720]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2007-12-5 335872]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Apps\\cygwin\\usr\\X11R6\\bin\\XWin.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Apps\\cygwin\\bin\\ftp.exe"=
"c:\\Apps\\eclipse\\eclipse.exe"=
"c:\\Apps\\ispLEVER_Classic1_2\\synpbase\\bin\\mbin\\synbatch.exe"=
"c:\\Apps\\ispLEVER_Classic1_2\\synpbase\\bin\\mbin\\synplify.exe"=
"c:\\Program Files\\TimingTool\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe"=
"c:\\Program Files\\MagicDisc\\MagicDisc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Aptana\\Aptana Studio 2.0\\AptanaStudio.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1036:TCP"= 1036:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/20/2010 9:02 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/23/2010 9:22 PM 28552]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [6/14/2009 3:41 PM 9600]
R1 PacJtag;PacJtag;c:\windows\system32\drivers\pacjtag.sys [4/22/2004 12:01 PM 46544]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 7:00 AM 14336]
R2 Apcupsd;Apcupsd UPS Monitor;c:\program files\apcupsd\bin\apcupsd.exe [2/10/2007 4:26 PM 692736]
R2 EMPDrv;EMPDrv;c:\windows\system32\drivers\EMPDrv.SYS [8/27/2008 11:25 PM 11872]
R2 EMPNT;EMPNT;c:\windows\system32\drivers\empnt.sys [11/13/2003 1:52 AM 3360]
R2 Perforce Web;Perforce Web;c:\program files\Perforce\p4webs.exe [12/7/2007 1:07 PM 1331200]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 4:40 AM 118784]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/3/2006 10:48 AM 115952]
R2 TVICLPT;TVICLPT;c:\windows\system32\drivers\TVICLPT.SYS [10/20/2008 12:57 AM 15504]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [12/12/2007 10:43 PM 9049]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/27/2010 8:52 PM 102448]
S1 MpKsld5877bb9;MpKsld5877bb9;\??\c:\program files\Windows Live Safety Center\MpKsld5877bb9.sys --> c:\program files\Windows Live Safety Center\MpKsld5877bb9.sys [?]
S2 EZUSB;Cypress General Purpose USB Driver ((ezusb.sys);c:\windows\system32\drivers\ezusb.sys [8/30/2008 10:09 PM 12307]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/19/2010 5:48 PM 135664]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [12/12/2007 10:43 PM 115008]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1355928]
S3 AlteraUSBBlaster;Altera USB-Blaster Device Driver;c:\windows\system32\drivers\ftdibus.sys [3/21/2008 12:54 AM 47249]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [3/15/2009 1:05 AM 17920]
S3 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.SYS [10/18/2008 11:18 AM 3584]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Motorola MVP\Extranet_serv.exe [12/12/2007 10:43 PM 626688]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 7:00 AM 14336]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [3/15/2009 1:06 AM 18432]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [12/29/2008 11:54 PM 37708]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ERASERUTILREBOOTDRV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 02:10]

2010-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-19 22:48]

2010-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-19 22:48]

2010-09-28 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-09-28 c:\windows\Tasks\User_Feed_Synchronization-{13E72769-C396-4ED8-81BE-338B55C2343B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.home;*.mot.com;access.motorola.com;<local>
uInternet Settings,ProxyServer = 192.168.1.100:800
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Google Sidewiki...
Trusted Zone: intuit.com\ttlc
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6. ... ontrol.CAB
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://access.motorola.com/dana-cached ... Client.cab
FF - ProfilePath - c:\documents and settings\Whisenhunt\Application Data\Mozilla\Firefox\Profiles\thuupqf8.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/Whisenhunt/My%20Documents/Wiki/journal/journal.html
FF - component: c:\documents and settings\Whisenhunt\Application Data\Mozilla\Firefox\Profiles\thuupqf8.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Whisenhunt\Application Data\Mozilla\Firefox\Profiles\thuupqf8.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-BitTorrent - c:\program files\BitTorrent\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-28 09:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2180)
c:\windows\system32\WININET.dll
c:\documents and settings\Whisenhunt\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\AcSignIcon.dll
c:\program files\Perforce\p4exp.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\apps\altera\quartus\bin\jtagserver.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-09-28 09:23:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-28 14:23
ComboFix2.txt 2010-09-28 04:37

Pre-Run: 9,095,487,488 bytes free
Post-Run: 8,971,968,512 bytes free

- - End Of File - - DF6CE8EEC598477C07A4A4F18387F218

Re: SpyBot, Malwarebytes Anti-Malware Won't Run

Post by askey127 » September 28th, 2010, 1:37 pm

stevew,
First, I would remove Intuit from the trusted zone in Internet Explorer.
There should never be anything except Microsoft or your Internet provider in there.
Intuit has had data breaches in the past.
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code:
    File::
    c:\program files\Windows Live Safety Center\MpKsld5877bb9.sys
    
    Driver::
    MpKsld5877bb9
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.

askey127

Re: SpyBot, Malwarebytes Anti-Malware Won't Run

Post by stevew1 » September 28th, 2010, 8:37 pm

Askey127,
I followed your instructions and have included the ComboFix log below. ComboFix ran pretty much as it has been, so I assume I'm doing things correctly. When I first run ComboFix, I'm told that a new version is available and given the option to download, which I do not do. Between stages 2 and 3 I get the same popup indicating that PEV.cfxxe has terminated and am given the option to send a report to Microsoft, which I do not do. ComboFix logged me out about half way through the run and I logged back in by clicking the icon for my account. ComboFix was still running. After the reboot, I forgot to disable Ad-Aware and it notified me that mbf.cfxxe and regt.cfxxe were trying to make changes to the registry. I allowed these changes (just as if Ad-Aware had not been running) and then disabled Ad-Aware.
Thanks for your help,
Steve
---------------------
ComboFix 10-09-27.04 - Whisenhunt 09/28/2010 18:53:14.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1356 [GMT -5:00]
Running from: c:\documents and settings\Whisenhunt\Desktop\zzz.exe
Command switches used :: c:\documents and settings\Whisenhunt\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\program files\Windows Live Safety Center\MpKsld5877bb9.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MPKSLD5877BB9
-------\Service_MpKsld5877bb9


((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
.

2010-09-28 05:23 . 2010-09-28 05:23 -------- d-----w- c:\documents and settings\Whisenhunt\Local Settings\Application Data\Symantec
2010-09-28 05:22 . 2006-05-05 21:19 87808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-09-28 05:22 . 2006-05-05 21:19 107696 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-09-28 05:22 . 2010-09-29 00:07 -------- d-----w- c:\program files\Symantec AntiVirus
2010-09-28 03:08 . 2010-09-28 04:37 -------- d-----w- C:\zzz
2010-09-25 01:22 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-24 02:22 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-09-24 00:21 . 2010-09-24 00:21 5888 ----a-w- c:\windows\system32\drivers\DMLOAD.SYS
2010-09-23 05:49 . 2010-09-24 00:24 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-21 13:41 . 2010-09-24 02:23 -------- d-----w- c:\program files\Windows Live Safety Center
2010-09-21 09:38 . 2010-09-21 09:38 -------- d-----w- c:\program files\Trend Micro
2010-09-21 02:02 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-21 01:55 . 2010-09-21 01:55 -------- d-----w- c:\documents and settings\Whisenhunt\Local Settings\Application Data\Sunbelt Software
2010-09-21 01:55 . 2010-09-21 01:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-21 01:54 . 2010-09-21 01:54 -------- d-----w- c:\program files\Lavasoft
2010-09-21 01:45 . 2010-09-24 02:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-21 00:59 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-21 00:59 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-21 00:59 . 2010-09-24 02:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-20 04:34 . 2010-09-20 04:34 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-20 04:27 . 2010-09-20 04:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-09-20 04:20 . 2010-09-20 04:20 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-19 22:48 . 2010-09-21 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-09-18 02:06 . 2010-09-18 02:06 -------- d-----w- c:\program files\Panda Security
2010-09-14 14:34 . 2010-09-14 14:35 -------- d-----w- c:\program files\Safari
2010-09-14 14:31 . 2010-09-14 14:31 -------- d-----w- c:\program files\iPod
2010-09-14 14:31 . 2010-09-14 14:32 -------- d-----w- c:\program files\iTunes
2010-09-14 14:26 . 2010-09-14 14:27 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-29 00:07 . 2010-05-25 05:02 -------- d-----w- c:\program files\Common Files\Akamai
2010-09-28 05:23 . 2007-12-04 04:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-28 05:23 . 2007-12-04 04:02 -------- d-----w- c:\program files\Symantec
2010-09-28 05:22 . 2007-12-04 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-09-28 01:33 . 2007-12-05 06:09 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-26 01:53 . 2007-12-05 08:03 -------- d-----w- c:\documents and settings\Whisenhunt\Application Data\Roxio
2010-09-25 01:43 . 2007-12-03 06:11 190528 ----a-w- c:\documents and settings\Whisenhunt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-23 14:02 . 2007-12-05 06:07 -------- d-----w- c:\program files\Google
2010-09-23 13:55 . 2007-12-05 16:13 -------- d-----w- c:\program files\DYMO Label
2010-09-21 02:50 . 2008-02-04 04:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-19 20:58 . 2007-12-04 06:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-09-19 01:52 . 2007-12-06 08:50 -------- d-----w- c:\program files\Java
2010-09-19 00:45 . 2007-12-04 03:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-19 00:40 . 2009-04-01 23:48 -------- d-----w- c:\program files\Roni Music
2010-09-19 00:40 . 2007-12-28 05:13 -------- d-----w- c:\program files\Common Files\AOL
2010-09-19 00:20 . 2010-08-04 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Psicraft
2010-09-17 14:26 . 2007-12-04 02:34 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-09-14 14:31 . 2010-06-28 14:33 -------- d-----w- c:\program files\Common Files\Apple
2010-09-10 19:34 . 2009-08-19 05:03 35552200 ----a-w- c:\windows\system32\MRTs.exe
2010-09-08 13:51 . 2008-06-19 03:09 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-04 16:22 . 2007-12-04 03:01 -------- d-----w- c:\documents and settings\Whisenhunt\Application Data\Thunderbird
2010-09-04 04:19 . 2010-02-03 06:42 -------- d-----w- c:\program files\Notepad++
2010-08-25 22:20 . 2010-08-25 22:20 81 ----a-w- C:\CTX.DAT
2010-08-25 02:27 . 2010-08-25 02:27 -------- d-----w- c:\documents and settings\Whisenhunt\Application Data\AnvSoft
2010-08-25 02:27 . 2010-08-25 02:27 -------- d-----w- c:\program files\AnvSoft
2010-08-25 02:18 . 2010-08-25 02:18 -------- d-----w- c:\program files\Common Files\Common Share
2010-08-24 01:00 . 2008-01-26 02:53 -------- d-----w- c:\program files\Nexia
2010-08-22 06:45 . 2009-01-29 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-22 06:36 . 2010-08-22 06:36 -------- d-----w- c:\program files\Applian Director
2010-08-22 06:35 . 2010-08-22 06:35 -------- d-----w- c:\program files\Replay Converter 4
2010-08-22 06:20 . 2010-08-22 06:18 -------- d-----w- c:\program files\Freecorder
2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 03:37 . 2010-02-23 04:55 129388 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-05 01:52 . 2008-03-10 01:18 -------- d-----w- c:\program files\vanBasco's Karaoke Player
2010-08-04 02:18 . 2010-08-04 02:18 -------- d-----w- c:\program files\Psicraft
2010-08-03 04:45 . 2010-08-03 04:45 -------- d-----w- c:\documents and settings\Whisenhunt\Application Data\TC-Helicon
2010-07-22 15:49 . 2004-08-04 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-08-19 04:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
1766-04-10 18:59 . 1766-04-10 18:59 4263 --sh--w- c:\windows\windllreg1c.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPCheckoutOverlay]
@="{80E008A4-EAE7-4867-AEB0-1A245F070F25}"
[HKEY_CLASSES_ROOT\CLSID\{80E008A4-EAE7-4867-AEB0-1A245F070F25}]
2007-12-07 18:07 557056 ----a-r- c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPSyncdOverlay]
@="{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}"
[HKEY_CLASSES_ROOT\CLSID\{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}]
2007-12-07 18:07 557056 ----a-r- c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPUpdateOverlay]
@="{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}"
[HKEY_CLASSES_ROOT\CLSID\{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}]
2007-12-07 18:07 557056 ----a-r- c:\program files\Perforce\p4exp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gStart"="c:\garmin\gStart.exe" [2007-08-23 1891416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-12-01 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"eBayToolbar"="c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2009-01-18 632048]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"SoundMan"="SOUNDMAN.EXE" [2003-03-27 53248]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-08 47904]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 167936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"SunJavaUpdateSched"="c:\program files\timingtool\jre\bin\jusched.exe" [2008-10-27 132496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-08-03 124656]

c:\documents and settings\Whisenhunt\Start Menu\Programs\Startup\
Calendar 2000.lnk - c:\program files\Software by Design\Calendar.exe [2008-2-15 286720]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2007-12-5 335872]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Apps\\cygwin\\usr\\X11R6\\bin\\XWin.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Apps\\cygwin\\bin\\ftp.exe"=
"c:\\Apps\\eclipse\\eclipse.exe"=
"c:\\Apps\\ispLEVER_Classic1_2\\synpbase\\bin\\mbin\\synbatch.exe"=
"c:\\Apps\\ispLEVER_Classic1_2\\synpbase\\bin\\mbin\\synplify.exe"=
"c:\\Program Files\\TimingTool\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe"=
"c:\\Program Files\\MagicDisc\\MagicDisc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Aptana\\Aptana Studio 2.0\\AptanaStudio.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1036:TCP"= 1036:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/20/2010 9:02 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/23/2010 9:22 PM 28552]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [6/14/2009 3:41 PM 9600]
R1 PacJtag;PacJtag;c:\windows\system32\drivers\pacjtag.sys [4/22/2004 12:01 PM 46544]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 7:00 AM 14336]
R2 Apcupsd;Apcupsd UPS Monitor;c:\program files\apcupsd\bin\apcupsd.exe [2/10/2007 4:26 PM 692736]
R2 EMPDrv;EMPDrv;c:\windows\system32\drivers\EMPDrv.SYS [8/27/2008 11:25 PM 11872]
R2 EMPNT;EMPNT;c:\windows\system32\drivers\empnt.sys [11/13/2003 1:52 AM 3360]
R2 Perforce Web;Perforce Web;c:\program files\Perforce\p4webs.exe [12/7/2007 1:07 PM 1331200]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 4:40 AM 118784]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/3/2006 10:48 AM 115952]
R2 TVICLPT;TVICLPT;c:\windows\system32\drivers\TVICLPT.SYS [10/20/2008 12:57 AM 15504]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [12/12/2007 10:43 PM 9049]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/27/2010 8:52 PM 102448]
S2 EZUSB;Cypress General Purpose USB Driver ((ezusb.sys);c:\windows\system32\drivers\ezusb.sys [8/30/2008 10:09 PM 12307]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/19/2010 5:48 PM 135664]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [12/12/2007 10:43 PM 115008]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1355928]
S3 AlteraUSBBlaster;Altera USB-Blaster Device Driver;c:\windows\system32\drivers\ftdibus.sys [3/21/2008 12:54 AM 47249]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [3/15/2009 1:05 AM 17920]
S3 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.SYS [10/18/2008 11:18 AM 3584]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Motorola MVP\Extranet_serv.exe [12/12/2007 10:43 PM 626688]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 7:00 AM 14336]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [3/15/2009 1:06 AM 18432]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [12/29/2008 11:54 PM 37708]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 02:10]

2010-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-19 22:48]

2010-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-19 22:48]

2010-09-29 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-09-29 c:\windows\Tasks\User_Feed_Synchronization-{13E72769-C396-4ED8-81BE-338B55C2343B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.home;*.mot.com;access.motorola.com;<local>
uInternet Settings,ProxyServer = 192.168.1.100:800
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Google Sidewiki...
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6. ... ontrol.CAB
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://access.motorola.com/dana-cached ... Client.cab
FF - ProfilePath - c:\documents and settings\Whisenhunt\Application Data\Mozilla\Firefox\Profiles\thuupqf8.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/Whisenhunt/My%20Documents/Wiki/journal/journal.html
FF - component: c:\documents and settings\Whisenhunt\Application Data\Mozilla\Firefox\Profiles\thuupqf8.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Whisenhunt\Application Data\Mozilla\Firefox\Profiles\thuupqf8.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-28 19:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2160)
c:\windows\system32\WININET.dll
c:\documents and settings\Whisenhunt\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\AcSignIcon.dll
c:\program files\Perforce\p4exp.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\apps\altera\quartus\bin\jtagserver.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-09-28 19:25:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-29 00:25
ComboFix2.txt 2010-09-28 14:23
ComboFix3.txt 2010-09-28 04:37

Pre-Run: 8,992,321,536 bytes free
Post-Run: 8,988,069,888 bytes free

- - End Of File - - 4DBA4049A7404507E2248840D322A333
stevew1
Active Member
 
Posts: 9
Joined: September 21st, 2010, 5:46 am
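The helper reads the ComboFix file listing above by eye; the following Python script, added here as an example and not code from the thread or from ComboFix, parses the `created . modified size attrs path` lines of the "Files Created" and "Find3M Report" sections and flags the entries a helper would examine first. Its sample input reuses five lines from the log above, and its plausibility rules (a year before 1995, a timestamp later than the scan's UTC completion time, a file marked both system and hidden) are this example's own assumptions.

```python
"""Triage helper for the file-listing sections of a ComboFix log.

Added example for this thread; it is not ComboFix's code and not the
helper's method. It parses lines in the format ComboFix prints under
"Files Created" and "Find3M Report":

    2010-09-21 01:55 . 2010-09-21 01:55 -------- dc-h--w- <path>
    (created)          (modified)        (size)   (attrs)  (path)

and flags entries worth a second look. The plausibility rules below are
this example's own assumptions, not ComboFix's.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# created . modified size-or-dashes attrs path
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(-{8}|\d+) ([a-z-]{8}) (.+)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories, which ComboFix shows as --------
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        # First attribute column is 'd' for directories.
        return self.attrs.startswith("d")


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file-listing line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return Entry(created, modified,
                 None if size.startswith("-") else int(size), attrs, path)


def parse_log(text: str) -> List[Entry]:
    """Parse every file-listing line in a ComboFix log; other lines are skipped."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def triage(entries: List[Entry], scan_end: datetime,
           earliest_year: int = 1995) -> List[Tuple[Entry, List[str]]]:
    """Flag entries with implausible timestamps or system+hidden files.

    scan_end must use the same clock as the listing: the log above shows a
    local completion time of 19:25 at GMT -5 while listing lines run to
    00:07 on the next day, so the listing is in UTC.
    """
    flagged = []
    for e in entries:
        reasons = []
        for label, ts in (("created", e.created), ("modified", e.modified)):
            t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
            if t.year < earliest_year or t > scan_end:
                reasons.append(f"implausible {label} timestamp {ts}")
        # A file (not a directory) carrying both the system and hidden
        # attributes is invisible in a default Explorer view.
        if not e.is_dir and "s" in e.attrs and "h" in e.attrs:
            reasons.append(f"system+hidden file attributes {e.attrs}")
        if reasons:
            flagged.append((e, reasons))
    return flagged


# Sample input: five listing lines copied from the log in this thread, followed
# by a section header that the parser must ignore.
SAMPLE_LOG = r"""
2010-09-21 01:55 . 2010-09-21 01:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-20 04:27 . 2010-09-20 04:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 03:37 . 2010-02-23 04:55 129388 ---ha-w- c:\windows\system32\mlfcache.dat
1766-04-10 18:59 . 1766-04-10 18:59 4263 --sh--w- c:\windows\windllreg1c.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
"""

# UTC completion time taken from the log above (19:25:52 local, GMT -5).
SCAN_END_UTC = datetime(2010, 9, 29, 0, 26)

if __name__ == "__main__":
    for entry, reasons in triage(parse_log(SAMPLE_LOG), SCAN_END_UTC):
        print(entry.path)
        for r in reasons:
            print("   -", r)
```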

Re: SpyBot, Malwarebytes Anti-Malware Won't Run

Post by askey127 » September 29th, 2010, 7:27 am

stevew1,
I would uninstall Ad-Aware. You don't need it.
If you want a memory resident anti-spyware app, I would suggest paying the one time fee for Malwarebytes.
I think we got most of the bad guys. Let's see if there are any leftovers.
------------------------------------------------------------
Run MalwareBytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware.
  • Click on The Update tab. Choose Check for Updates.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it shows any malware items, Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2010-mm-dd(hour-min-sec).txt
It's possible that MBAM has been damaged by malware (it's a target). If so, we will need to Uninstall it and delete its folder under \program files\. Then download a new one.
------------------------------------------------
Reset System Restore Points
  • Click Start, All Programs, Accessories, System Tools, System Restore
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Click Start, Run and type Cleanmgr
  • Select the Windows drive (usually C:), then click OK.
  • After it scans, Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.

Reboot your machine to record the changes you have made.
This System Restore sequence is not to be done regularly, but only as a Special Case after the removal of malware or changes in the Restore settings.

I notice the HD has about 9Gb free. This may not be enough for best Windows performance.
XP needs about 15% of the drive free as a minimum. You may want to offload some seldom used sets of files, like music or photos, onto other media.
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: SpyBot, Malwarebytes Anti-Malware Won't Run

Post by stevew1 » September 30th, 2010, 9:58 am

Askey127,
I followed your instructions. I uninstalled Ad-Aware, then uninstalled Malwarebytes Anti-Malware, made sure the folder had been deleted, and then downloaded and installed a new version. I ran MBAM and it produced a log showing that there was one infected object in the System Volume Information Folder. I created a new system restore point and then ran Cleanmgr to remove all previous restore points. I did some cleanup on my Windows system disk, rebooted and then finally ran MBAM again to compare results. This last time, no infected objects were found. I've included the "before" and "after" logs below showing the MBAM results before disk cleanup and after.
Steve
-----------------------------------------------------------
MBAM log before disk cleanup and removing old restore points

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4720

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/30/2010 1:21:13 AM
mbam-log-2010-09-30 (01-21-13).txt

Scan type: Full scan (C:\|)
Objects scanned: 447210
Time elapsed: 2 hour(s), 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{D9EBDA22-42D2-4B17-B8E8-7C85EF081CD5}\RP18\A0003304.exe (Trojan.Agent) -> No action taken.


-----------------------------------------------------------
MBAM log after disk cleanup and removing old restore points

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4720

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/30/2010 4:36:49 AM
mbam-log-2010-09-30 (04-36-49).txt

Scan type: Full scan (C:\|)
Objects scanned: 425739
Time elapsed: 2 hour(s), 59 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
stevew1
Active Member
 
Posts: 9
Joined: September 21st, 2010, 5:46 am

Re: SpyBot, Malwarebytes Anti-Malware Won't Run

Post by askey127 » September 30th, 2010, 10:57 am

Sounds like you got it, Steve.

Make sure you remove Combofix (zzz.exe) and RootkitUnhooker from your desktop.
You can use TFC.exe occasionally to clean up old temp files.

Your machine should be good to go.
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: SpyBot, Malwarebytes Anti-Malware Won't Run

Post by stevew1 » September 30th, 2010, 8:33 pm

I really appreciate your help and am impressed with the professional way you worked through my problem. I removed Combofix, RKUnhooker and rkill and deleted the various log files since they are captured here. Thanks again for your help.
Sincerely,
Steve
stevew1
Active Member
 
Posts: 9
Joined: September 21st, 2010, 5:46 am