please help malware defender 2009


Post by julio on Thu Mar 12, 2009 4:50 pm

It seems that my computer got infected by Malware Defender; I keep getting pop-ups and system alerts. Please help...



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:27 PM, on 3/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCM3.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\hijackgpthis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VirusHeat 4.3] "C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe" /h
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [Sdigi] rundll32.exe "C:\WINDOWS\Hdefesoxikayisuk.dll",e
O4 - HKLM\..\Run: [Ksesizodulipore] rundll32.exe "C:\WINDOWS\ikorisubacaxo.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [A00F33E094.exe] C:\DOCUME~1\JULIO_~1\LOCALS~1\Temp\_A00F33E094.exe
O4 - HKCU\..\Run: [A00F1919C.exe] C:\DOCUME~1\JULIO_~1\LOCALS~1\Temp\_A00F1919C.exe
O4 - HKCU\..\Run: [A00FB099F.exe] C:\DOCUME~1\JULIO_~1\LOCALS~1\Temp\_A00FB099F.exe
O4 - HKCU\..\Run: [A00F161F1.exe] C:\DOCUME~1\JULIO_~1\LOCALS~1\Temp\_A00F161F1.exe
O4 - HKCU\..\Run: [A00F1560A.exe] C:\DOCUME~1\JULIO_~1\LOCALS~1\Temp\_A00F1560A.exe
O4 - HKCU\..\Run: [SmitFraudFixTool] C:\Program Files\SmitFraudFixTool\SmitFraudFixTool.exe -boot
O4 - HKUS\S-1-5-19\..\Run: [bolalahama] Rundll32.exe "C:\WINDOWS\system32\godobovo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [bolalahama] Rundll32.exe "C:\WINDOWS\system32\godobovo.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - [You must be registered and logged in to see this link.] Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = acsdataline.com
O17 - HKLM\Software\..\Telephony: DomainName = acsdataline.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA00031B-07CF-40B1-B8E6-C59EC7ED2C33}: NameServer = 68.28.186.91 68.28.178.91
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = acsdataline.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = acsdataline.com
O20 - AppInit_DLLs: ugnlac.dll ,C:\WINDOWS\System32\cic32.dll
O20 - Winlogon Notify: 98ca0905548 - C:\WINDOWS\System32\cic32.dll
O20 - Winlogon Notify: __c00CBD7 - C:\WINDOWS\system32\__c00CBD7.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10044 bytes


Post by Belahzur on Thu Mar 12, 2009 5:01 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [VirusHeat 4.3] "C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe" /h
    O4 - HKLM\..\Run: [Sdigi] rundll32.exe "C:\WINDOWS\Hdefesoxikayisuk.dll",e
    O4 - HKLM\..\Run: [Ksesizodulipore] rundll32.exe "C:\WINDOWS\ikorisubacaxo.dll",e
    O4 - HKCU\..\Run: [A00F33E094.exe] C:\DOCUME~1\JULIO_~1\LOCALS~1\Temp\_A00F33E094.exe
    O4 - HKCU\..\Run: [A00F1919C.exe] C:\DOCUME~1\JULIO_~1\LOCALS~1\Temp\_A00F1919C.exe
    O4 - HKCU\..\Run: [A00FB099F.exe] C:\DOCUME~1\JULIO_~1\LOCALS~1\Temp\_A00FB099F.exe
    O4 - HKCU\..\Run: [A00F161F1.exe] C:\DOCUME~1\JULIO_~1\LOCALS~1\Temp\_A00F161F1.exe
    O4 - HKCU\..\Run: [A00F1560A.exe] C:\DOCUME~1\JULIO_~1\LOCALS~1\Temp\_A00F1560A.exe
    O4 - HKCU\..\Run: [SmitFraudFixTool] C:\Program Files\SmitFraudFixTool\SmitFraudFixTool.exe -boot
    O4 - HKUS\S-1-5-19\..\Run: [bolalahama] Rundll32.exe "C:\WINDOWS\system32\godobovo.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [bolalahama] Rundll32.exe "C:\WINDOWS\system32\godobovo.dll",s (User 'NETWORK SERVICE')
    O20 - AppInit_DLLs: ugnlac.dll ,C:\WINDOWS\System32\cic32.dll
    O20 - Winlogon Notify: 98ca0905548 - C:\WINDOWS\System32\cic32.dll
    O20 - Winlogon Notify: __c00CBD7 - C:\WINDOWS\system32\__c00CBD7.dat


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



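As an added example (not code from the forum helper or from the HijackThis project), the script below turns the reasoning behind the "Check the boxes in front of these lines" list into repeatable triage: it flags hosts-file overrides, orphaned BHOs, autoruns from Temp, Run keys under service-account hives, rundll32-loaded DLLs, non-empty AppInit_DLLs, and Winlogon Notify packages that are either non-DLL files or also listed in AppInit_DLLs. The sample lines are copied from the log posted above (plus two benign McAfee/Adobe controls); the heuristics themselves are this example's assumptions, not a detection standard.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not the forum helper's or HijackThis' own code. Sample lines
come from the log posted in the thread; the flagging rules are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Sample input: entries taken from the posted HijackThis log, with the Adobe
# BHO and the McAfee autorun/service lines kept as benign controls.
SAMPLE_LOG = r"""
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Sdigi] rundll32.exe "C:\WINDOWS\Hdefesoxikayisuk.dll",e
O4 - HKCU\..\Run: [A00F33E094.exe] C:\DOCUME~1\JULIO_~1\LOCALS~1\Temp\_A00F33E094.exe
O4 - HKUS\S-1-5-19\..\Run: [bolalahama] Rundll32.exe "C:\WINDOWS\system32\godobovo.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: ugnlac.dll ,C:\WINDOWS\System32\cic32.dll
O20 - Winlogon Notify: 98ca0905548 - C:\WINDOWS\System32\cic32.dll
O20 - Winlogon Notify: __c00CBD7 - C:\WINDOWS\system32\__c00CBD7.dat
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""


@dataclass
class Finding:
    section: str  # HJT section code, e.g. "O4"
    line: str     # the original log line, ready to paste into a "fix" list
    reason: str   # why the line was flagged


SERVICE_ACCOUNT_SIDS = ("S-1-5-19", "S-1-5-20")  # LOCAL SERVICE / NETWORK SERVICE
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp")


def _basename(path: str) -> str:
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def appinit_dlls(text: str) -> Set[str]:
    """Basenames of every DLL listed in O20 AppInit_DLLs entries (first pass)."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"O20 - AppInit_DLLs:\s*(.+)$", line.strip())
        if m:
            names.update(_basename(p) for p in m.group(1).split(",") if p.strip())
    return names


def triage_line(line: str, appinit: Set[str] = frozenset()) -> Optional[Finding]:
    """Apply one heuristic per HJT section; return a Finding or None."""
    line = line.strip()
    m = re.match(r"^(O\d+|R\d|F\d) - (.*)$", line)
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    low = body.lower()

    if section == "O1":  # hosts-file override
        hm = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
        if hm:
            ip, host = hm.groups()
            return Finding(section, line, f"hosts file maps {host} to {ip}; overriding a "
                           "vendor or security domain is a common way rogue software blocks cleanup")
    elif section == "O2":  # browser helper object
        if low.endswith("(no file)"):
            return Finding(section, line, "orphaned BHO registration (no file on disk)")
    elif section == "O4":  # autorun entries
        if any(t in low for t in TEMP_MARKERS):
            return Finding(section, line, "autorun launches an executable from a Temp directory")
        if any(sid in body for sid in SERVICE_ACCOUNT_SIDS):
            return Finding(section, line, "Run key under a service-account hive (LOCAL/NETWORK SERVICE)")
        rm = re.search(r'rundll32\.exe\s+"([^"]+\.dll)"', body, re.IGNORECASE)
        if rm:
            return Finding(section, line, f"rundll32 autorun loading {rm.group(1)}; verify the DLL's publisher")
    elif section == "O20":  # AppInit_DLLs / Winlogon Notify
        if low.startswith("appinit_dlls:"):
            return Finding(section, line, "AppInit_DLLs is non-empty: every process loading user32.dll also loads these")
        nm = re.match(r"Winlogon Notify:\s*\S+\s+-\s+(.+)$", body)
        if nm:
            target = nm.group(1).strip()
            if _basename(target) in appinit:
                return Finding(section, line, "Winlogon Notify package is also listed in AppInit_DLLs (doubled persistence)")
            if not target.lower().endswith(".dll"):
                return Finding(section, line, "Winlogon Notify package with a non-.dll extension")
    return None


def triage_log(text: str) -> List[Finding]:
    """Two passes: collect AppInit DLL names, then flag lines with cross-reference data."""
    known = appinit_dlls(text)
    return [f for f in (triage_line(raw, known) for raw in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```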


Post by julio on Thu Mar 12, 2009 5:47 pm

Here are the results, but I am still getting pop-ups.

Malwarebytes' Anti-Malware 1.34
Database version: 1841
Windows 5.1.2600 Service Pack 2

3/12/2009 4:40:40 PM
mbam-log-2009-03-12 (16-40-40).txt

Scan type: Quick Scan
Objects scanned: 78316
Time elapsed: 11 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Hdefesoxikayisuk.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00CBD7.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00cbd7 (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\SmitFraudFixTool (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksesizodulipore (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\julio_moncivais\Application Data\SmitFraudFixTool (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\julio_moncivais\Application Data\SmitFraudFixTool\Log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\julio_moncivais\Application Data\SmitFraudFixTool\Settings (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Hdefesoxikayisuk.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\syssvc.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Worm.P2P) -> Quarantined and deleted successfully.
C:\Documents and Settings\julio_moncivais\Local Settings\Temp\13.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\julio_moncivais\Local Settings\Temp\2.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\julio_moncivais\Local Settings\Temp\3.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\julio_moncivais\Local Settings\Temp\_A00F1560A.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\julio_moncivais\Local Settings\Temp\_A00F161F1.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\julio_moncivais\Local Settings\Temp\_A00F1919C.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\julio_moncivais\Local Settings\Temp\_A00F33E094.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\julio_moncivais\Local Settings\Temp\_A00FB099F.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\julio_moncivais\Local Settings\Temp\4.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\julio_moncivais\Local Settings\Temp\5.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\julio_moncivais\Local Settings\Temporary Internet Files\Content.IE5\JGBSRUW2\MalwareDefender2009[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\julio_moncivais\Local Settings\Temporary Internet Files\Content.IE5\JGBSRUW2\MalwareDefender2009[2].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\julio_moncivais\Application Data\SmitFraudFixTool\rs.dat (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\julio_moncivais\Application Data\SmitFraudFixTool\Log\2009 Mar 12 - 03_24_41 PM_828.log (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\julio_moncivais\Application Data\SmitFraudFixTool\Settings\ScanResults.pie (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
C:\WINDOWS\ikorisubacaxo.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00CBD7.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\__c0013492.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c001A3F2.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c005E9A4.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00F8213.dat (Trojan.Agent) -> Quarantined and deleted successfully.


Post by Belahzur on Thu Mar 12, 2009 6:07 pm

Let's have a look around.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.





Post by julio on Fri Mar 13, 2009 3:28 pm

OK, here we go. Thanks for your help, by the way.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Julio_Moncivais at 14:25:46.45 on Fri 03/13/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.100 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCM3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Documents and Settings\julio_moncivais\Local Settings\Temporary Internet Files\Content.IE5\79RD2UV9\dds[1].scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = [You must be registered and logged in to see this link.]
mSearch Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [ScanSoft OmniPage SE 4.0-reminder] "c:\program files\scansoft\omnipagese4.0\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\omnipagese4.0\ereg\ereg.ini"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: []
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
TCP: {AA00031B-07CF-40B1-B8E6-C59EC7ED2C33} = 68.28.186.91 68.28.178.91
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: 98ca0905548 - c:\windows\system32\cic32.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\cic32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2007-4-23 33664]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-11-4 991232]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-4-24 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-2-22 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-2-22 54872]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 2944]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-4-24 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-4-24 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-4-24 170408]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-11-22 18560]
S3 FNET_USB;Fluke Networks Scanner USB Interface Driver;c:\windows\system32\drivers\fnetusb.sys [2007-7-24 13696]
S3 fnetusb;fnetusb;c:\windows\system32\drivers\fnetusb.sys [2007-7-24 13696]

=============== Created Last 30 ================

2009-03-12 16:25 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-12 16:25 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-12 16:25 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-12 15:42 401,720 a------- C:\hijackgpthis.exe
2009-03-12 15:34 --d----- c:\windows\system32\appmgmt
2009-03-11 15:26 --dsh--- c:\windows\system32\NetworkService32
2009-03-11 01:13 9,486 a------- c:\windows\GnuHashes.ini
2009-03-11 01:03 1,404 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-03-11 01:02 139,264 a------- c:\windows\system32\cic32.dll
2009-03-07 11:01 --d----- c:\docume~1\julio_~1\applic~1\Malwarebytes
2009-03-07 11:01 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-26 14:18 --d----- c:\program files\MSECache

==================== Find3M ====================

2009-03-01 13:37 24,448 a------- c:\docume~1\julio_~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 14:27:22.06 ===============


Post by Belahzur on Fri Mar 13, 2009 5:05 pm

Hello.
There are still a few things I want to do before I can let you go.

First, though, I need to know if you are running a trial of McAfee, because it's outdated and won't keep you safe.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]


  • Press "Fix Checked"
  • Close Hijack This.

Some leftovers to get rid of.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    c:\windows\system32\cic32.dll
    c:\windows\system32\GroupPolicy000.dat
    c:\windows\GnuHashes.ini

    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\98ca0905548]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=-
    "AppInit_DLLs"=""


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.





Post by julio on Fri Mar 13, 2009 7:07 pm

OK, here you go, and I do McAfee.

Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\98ca0905548\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLs"|"" /E : value set successfully!

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03132009_180104


Post by Belahzur on Fri Mar 13, 2009 7:14 pm

Hello.
The registry fix went fine, but you missed the :files header. Please re-run OTMoveIt using this script:

:files
c:\windows\system32\cic32.dll
c:\windows\system32\GroupPolicy000.dat
c:\windows\GnuHashes.ini




Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: please help malware defender 2009

Post by julio on Fri Mar 13, 2009 7:23 pm

oh sorry

DllUnregisterServer procedure not found in c:\windows\system32\cic32.dll
c:\windows\system32\cic32.dll NOT unregistered.
c:\windows\system32\cic32.dll moved successfully.
c:\windows\system32\GroupPolicy000.dat moved successfully.
c:\windows\GnuHashes.ini moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03132009_182442


Re: please help malware defender 2009

Post by Belahzur on Fri Mar 13, 2009 7:41 pm

Hello.
2 questions.

Was the McAfee a trial or just not updated?
How is the machine running now?



Re: please help malware defender 2009

Post by julio on Sat Mar 14, 2009 12:02 am

Just not updated. I have no pop-ups now. Thank you so much...!!


Re: please help malware defender 2009

Post by Belahzur on Sat Mar 14, 2009 7:19 am

Hello.
Just wanna check something.

Please download FindAWF from here:
[You must be registered and logged in to see this link.]
Save it to your desktop and run it.
Post awf.txt back here.



Re: please help malware defender 2009

Post by julio on Sat Mar 14, 2009 11:41 am

Sorry, I lied, I am still getting pop-ups from everywhere...

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sat 03/14/2009
The current time is: 10:40:00.42


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

07/10/2007 09:18 AM 270,648 iTunesHelper.exe
1 File(s) 270,648 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 01:56 AM 15,360 ctfmon.exe
12/13/2005 05:41 PM 77,824 hkcmd.exe
12/13/2005 05:45 PM 118,784 igfxpers.exe
12/13/2005 05:44 PM 98,304 igfxtray.exe
11/01/2006 12:48 PM 1,392,640 WLTRAY.exe
5 File(s) 1,702,912 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

12/09/2005 08:29 PM 49,152 DVDLauncher.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\MCAFEE\COMMON~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MCAFEE\VIRUSS~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

10/11/2006 12:45 PM 75,304 OpwareSE4.exe
1 File(s) 75,304 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 08:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\COMMON~1\SCANSO~1\SSBKGD~1\BAK

09/28/2006 01:16 PM 185,896 SSBkgdupdate.exe
1 File(s) 185,896 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

12/17/2007 01:57 AM 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

09/25/2007 02:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

270648 Jul 10 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jul 20 2007 "C:\WINDOWS\Installer\{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}\iTunesIco.exe"
116024 Jul 10 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.3.1.3\iTunesSetupAdmin.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
77824 Dec 13 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
77824 Dec 13 2005 "C:\dell\drivers\R114946\Win2000\hkcmd.exe"
118784 Dec 13 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
118784 Dec 13 2005 "C:\dell\drivers\R114946\Win2000\igfxpers.exe"
98304 Dec 13 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
98304 Dec 13 2005 "C:\dell\drivers\R114946\Win2000\igfxtray.exe"
1392640 Nov 1 2006 "C:\dell\drivers\R140747\wltray.exe"
1392640 Nov 1 2006 "C:\WINDOWS\system32\bak\WLTRAY.exe"
49152 Dec 9 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
75304 Oct 11 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe"
39792 Jan 11 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
185896 Sep 28 2006 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
171448 Dec 17 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


end of report

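The FindAWF report above lists every file on the disk that is a byte-for-byte duplicate of something found in a "bak" folder. The pattern behind an AWF infection is that a startup executable is moved into a bak\ folder beside its original location and the in-place file is replaced; so a bak copy whose in-place counterpart does not appear among the duplicates is the interesting case, while a bak copy that is matched by an identical file next to it (as with ctfmon.exe and Reader_sl.exe here) is just a leftover backup. The following parser is an added example for reading that section of the report, not a tool from the thread; the sample input is a subset of the duplicate-files lines posted above.

```python
import re

# Subset of the "Duplicate files of bak directory contents" section of the
# FindAWF report posted in this thread, used here as the sample input.
SAMPLE_REPORT = r'''
270648 Jul 10 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jul 20 2007 "C:\WINDOWS\Installer\{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}\iTunesIco.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
77824 Dec 13 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
77824 Dec 13 2005 "C:\dell\drivers\R114946\Win2000\hkcmd.exe"
39792 Jan 11 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
'''

# One report line: <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


def parse_duplicates(text):
    """Return (size, date, path) tuples for every parsable line of the section."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def expected_original(bak_path):
    """Map ...\\bak\\name.exe to the in-place path ...\\name.exe, or None if
    the file is not inside a bak folder."""
    head, _, name = bak_path.rpartition('\\')
    if not head.lower().endswith('\\bak'):
        return None
    parent = head[:-len('\\bak')]
    return parent + '\\' + name


def triage(entries):
    """Split bak copies into those whose in-place counterpart is an identical
    duplicate (intact) and those whose counterpart is missing from the
    duplicate set (the in-place file no longer matches the backup)."""
    by_path = {path.lower(): size for size, _, path in entries}
    intact, replaced = [], []
    for size, _, path in entries:
        original = expected_original(path)
        if original is None:
            continue  # not a bak copy; only the counterpart of one
        if by_path.get(original.lower()) == size:
            intact.append(original)
        else:
            replaced.append(original)
    return intact, replaced


if __name__ == "__main__":
    ok, suspect = triage(parse_duplicates(SAMPLE_REPORT))
    for p in suspect:
        print("in-place file differs from bak copy:", p)
    for p in ok:
        print("in-place file identical to bak copy:", p)
```

Run over the full report, this flags every bak copy except ctfmon.exe and Reader_sl.exe, which matches the list Belahzur later puts under the AWF:: directive. The check only knows what FindAWF printed, so a same-size replacement would still show as intact; it is a triage aid for reading the log, not a verdict.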

Re: please help malware defender 2009

Post by Belahzur on Sat Mar 14, 2009 12:54 pm

Hello.
There is indeed an AWF infection.
Please delete FindAWF and OTMoveIt now, because we're going for the bigger hammer.
We need to uninstall McAfee because it will interfere, even if we disable it.

Go to Start > Control Panel > Add/Remove Programs and remove/uninstall any "McAfee" product programs if present. It should be called McAfee Security Center or Security Suite.


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Please make sure McAfee is uninstalled before running ComboFix.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: please help malware defender 2009

Post by julio on Sat Mar 14, 2009 1:34 pm

I can't download the ComboFix, I get an error saying I need to rename ComboFix. Also I deleted McAfee. Do I also need to de-install Malwarebytes?


Re: please help malware defender 2009

Post by Belahzur on Sat Mar 14, 2009 1:43 pm

Hello.
No, we just need to rename Combofix.

During the download, rename Combofix to Combo-Fix as follows:





It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.

See if Combofix will run now.



Re: please help malware defender 2009

Post by julio on Sat Mar 14, 2009 2:29 pm

ok...


ComboFix 09-03-13.02 - Julio_Moncivais 2009-03-14 12:58:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.199 [GMT -5:00]
Running from: c:\documents and settings\julio_moncivais\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\julio_moncivais\Application Data\020000002ff0c1d9548C.manifest
c:\documents and settings\julio_moncivais\Application Data\020000002ff0c1d9548O.manifest
c:\documents and settings\julio_moncivais\Application Data\020000002ff0c1d9548P.manifest
c:\documents and settings\julio_moncivais\Application Data\020000002ff0c1d9548S.manifest
c:\windows\system32\__c003D9E5.dat
c:\windows\system32\__c0044BEE.dat
c:\windows\system32\__c00489CA.dat
c:\windows\system32\__c00660FE.dat
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
C:\xcrashdump.dat

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-13 18:01 . 2009-03-13 18:01 d-------- C:\_OTMoveIt
2009-03-13 17:48 . 2009-03-13 17:48 d-------- c:\program files\Trend Micro
2009-03-13 14:51 . 2009-03-13 14:52 133,632 --a------ c:\windows\ivuzawosa.dll
2009-03-13 14:39 . 2009-03-13 14:39 43,520 --a------ c:\windows\Hdefesoxikayisuk.dll
2009-03-12 16:25 . 2009-03-12 16:25 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-12 16:25 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-12 16:25 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-12 15:42 . 2009-03-12 15:42 401,720 --a------ C:\hijackgpthis.exe
2009-03-11 15:26 . 2009-03-11 15:27 d--hs---- c:\windows\system32\NetworkService32
2009-03-11 01:02 . 2009-03-13 18:24 139,264 --a------ c:\windows\system32\cic32.dll
2009-03-07 11:01 . 2009-03-07 11:01 d-------- c:\documents and settings\julio_moncivais\Application Data\Malwarebytes
2009-03-07 11:01 . 2009-03-07 11:01 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-26 15:18 . 2009-02-26 15:18 11,724 --a------ c:\documents and settings\WYHINVENTORY-2-26-09.xlsx
2009-02-26 14:18 . 2009-02-26 14:18 d-------- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 17:17 --------- d-----w c:\program files\McAfee
2009-03-14 17:17 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-13 23:20 --------- d-----w c:\documents and settings\julio_moncivais\Application Data\U3
2009-03-12 05:18 --------- d-----w c:\documents and settings\julio_moncivais\Application Data\LimeWire
2009-03-01 18:37 24,448 ----a-w c:\documents and settings\julio_moncivais\Application Data\GDIPFONTCACHEV1.DAT
2007-05-31 20:36 20,560 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 39,792 2007-10-11 01:51:55 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 39,792 2008-01-12 04:16:38 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

----a-w 185,896 2006-09-28 18:16:20 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe

----a-w 49,152 2005-12-10 01:29:52 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 171,448 2007-12-17 06:57:40 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

----a-w 270,648 2007-07-10 14:18:20 c:\program files\iTunes\bak\iTunesHelper.exe

----a-w 132,496 2007-09-25 07:11:35 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 286,720 2007-06-29 11:24:52 c:\program files\QuickTime\bak\qttask.exe

----a-w 75,304 2006-10-11 17:45:12 c:\program files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe

----a-w 15,360 2004-08-04 06:56:50 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 06:56:50 c:\windows\system32\ctfmon.exe

----a-w 77,824 2005-12-13 22:41:08 c:\windows\system32\bak\hkcmd.exe

----a-w 118,784 2005-12-13 22:45:00 c:\windows\system32\bak\igfxpers.exe

----a-w 98,304 2005-12-13 22:44:18 c:\windows\system32\bak\igfxtray.exe

----a-w 1,392,640 2006-11-01 17:48:12 c:\windows\system32\bak\WLTRAY.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"ScanSoft OmniPage SE 4.0-reminder"="c:\program files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" [2006-09-26 1410600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-04 352256]
"Sdigi"="c:\windows\Hdefesoxikayisuk.dll" [2009-03-13 43520]
"Ksesizodulipore"="c:\windows\ivuzawosa.dll" [2009-03-13 133632]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\98ca0905548]
2009-03-13 18:24 139264 c:\windows\system32\cic32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\cic32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1708537768-261903793-839522115-3127\scripts\Logon\0\0]
"script"=audit.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Sprite Software\\Sprite Backup\\spriteservice.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-02-15 26624]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2007-04-23 33664]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2008-11-04 991232]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-02-07 2944]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-11-22 18560]
S3 FNET_USB;Fluke Networks Scanner USB Interface Driver;c:\windows\system32\drivers\fnetusb.sys [2007-07-24 13696]
S3 fnetusb;fnetusb;c:\windows\system32\drivers\fnetusb.sys [2007-07-24 13696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89324c0a-88de-11dd-baae-0019b96abf1e}]
\Shell\AutoRun\command - AutoRun\AutoStart.exe
\Shell\Explore\Command - AutoRun\AutoStart.exe
\Shell\Open\Command - AutoRun\AutoStart.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2009-03-14 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-03-13 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 05:08]

2009-03-12 c:\windows\Tasks\SmitFraudFixTool Scheduled Scan.job
- c:\program files\SmitFraudFixTool\SmitFraudFixTool.exe []

2009-03-12 c:\windows\Tasks\SmitFraudFixTool Scheduled Scan.job
- c:\program files\SmitFraudFixTool []
.
- - - - ORPHANS REMOVED - - - -

Notify-__c00660FE - c:\windows\system32\__c00660FE.dat


.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {AA00031B-07CF-40B1-B8E6-C59EC7ED2C33} = 68.28.186.91 68.28.178.91
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-14 13:00:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\JULIO_~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\System32\cic32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\DWRCS.EXE
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\DWRCST.EXE
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\program files\McAfee\Common Framework\Mctray.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft ActiveSync\rapimgr.exe
.
**************************************************************************
.
Completion time: 2009-03-14 13:02:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-14 18:02:50

Pre-Run: 42,845,007,872 bytes free
Post-Run: 43,448,750,080 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

196


Re: please help malware defender 2009

Post by Belahzur on Sat Mar 14, 2009 2:39 pm

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\ivuzawosa.dll
c:\windows\Hdefesoxikayisuk.dll
c:\windows\system32\cic32.dll
c:\windows\Tasks\SmitFraudFixTool Scheduled Scan.job
c:\windows\Tasks\SmitFraudFixTool Scheduled Scan.job

Folder::
c:\documents and settings\julio_moncivais\Application Data\LimeWire

AWF::
c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe
c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe
c:\program files\QuickTime\bak\qttask.exe
c:\program files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe
c:\windows\system32\bak\ctfmon.exe
c:\windows\system32\bak\hkcmd.exe
c:\windows\system32\bak\igfxpers.exe
c:\windows\system32\bak\igfxtray.exe
c:\windows\system32\bak\WLTRAY.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sdigi"=-
"Ksesizodulipore"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\98ca0905548]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1708537768-261903793-839522115-3127\scripts\Logon\0\0]
"script"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89324c0a-88de-11dd-baae-0019b96abf1e}]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


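The Registry:: block of the CFScript above removes exactly the loading points that stood out in the ComboFix "Reg Loading Points" section: Run values that point at a bare DLL rather than an executable, a Winlogon\Notify subkey (ComboFix hides the legitimate defaults, so any subkey it prints is worth a look), a populated AppInit_DLLs value, and the Security Center flag that silences update warnings. The script below is an added example of pulling those findings out of the log automatically; it is not part of the thread or of ComboFix, and its sample input is a subset of the Reg Loading Points lines posted above.

```python
import re

# Subset of the "Reg Loading Points" section of the ComboFix log in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Sdigi"="c:\windows\Hdefesoxikayisuk.dll" [2009-03-13 43520]
"Ksesizodulipore"="c:\windows\ivuzawosa.dll" [2009-03-13 133632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\98ca0905548]
2009-03-13 18:24 139264 c:\windows\system32\cic32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\cic32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
TRAILER_RE = re.compile(r'\s*\[[^\]]*\]$')  # the " [date size]" suffix


def parse_loading_points(text):
    """Yield (key, value_name, data) for each value line, and (key, None, raw)
    for non-value lines printed under a key (e.g. the Notify DLL line)."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        v = VALUE_RE.match(line)
        if v:
            data = TRAILER_RE.sub('', v.group(2)).strip('"')
            yield key, v.group(1), data
        else:
            yield key, None, line


def find_suspicious(text):
    """Return (category, key, detail) findings using the four checks above."""
    findings = []
    for key, name, data in parse_loading_points(text):
        k = key.lower()
        if k.endswith('\\currentversion\\run') and name and data.lower().endswith('.dll'):
            findings.append(('run-value-loads-dll', key, f'{name} -> {data}'))
        elif '\\winlogon\\notify\\' in k and name is None:
            findings.append(('winlogon-notify-subkey', key, data))
        elif name and name.lower() == 'appinit_dlls' and data:
            findings.append(('appinit-dlls-set', key, data))
        elif name and name.lower() == 'updatesdisablenotify' and data.endswith('1'):
            findings.append(('security-center-notifications-off', key, data))
    return findings


if __name__ == "__main__":
    for cat, key, detail in find_suspicious(SAMPLE_LOG):
        print(f'{cat:36} {detail}')
```

On the log in this thread the checker reports five findings, one for each line the CFScript targets except the logon script and the mountpoints2 autorun, which need their own rules. It deliberately does not judge file names: the DLL under Run is suspect because Run cannot load a DLL directly, not because the name looks random.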

Re: please help malware defender 2009

Post by julio on Sat Mar 14, 2009 3:23 pm

Ok.. forgive my ignorance, but can you explain all we've done so far, please..? Thanks


ComboFix 09-03-13.02 - Julio_Moncivais 2009-03-14 14:05:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.214 [GMT -5:00]
Running from: c:\documents and settings\julio_moncivais\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\julio_moncivais\Desktop\CFscript.txt.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\julio_moncivais\Application Data\020000002ff0c1d9548C.manifest
c:\documents and settings\julio_moncivais\Application Data\020000002ff0c1d9548O.manifest
c:\documents and settings\julio_moncivais\Application Data\020000002ff0c1d9548P.manifest
c:\documents and settings\julio_moncivais\Application Data\020000002ff0c1d9548S.manifest
c:\windows\GnuHashes.ini
c:\windows\system32\__c00FC27D.dat
c:\windows\system32\3.tmp
c:\windows\system32\GroupPolicy000.dat

.
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-13 18:01 . 2009-03-13 18:01 d-------- C:\_OTMoveIt
2009-03-13 17:48 . 2009-03-13 17:48 d-------- c:\program files\Trend Micro
2009-03-13 14:51 . 2009-03-13 14:52 133,632 --a------ c:\windows\ivuzawosa.dll
2009-03-13 14:39 . 2009-03-13 14:39 43,520 --a------ c:\windows\Hdefesoxikayisuk.dll
2009-03-12 16:25 . 2009-03-12 16:25 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-12 16:25 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-12 16:25 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-12 15:42 . 2009-03-12 15:42 401,720 --a------ C:\hijackgpthis.exe
2009-03-11 15:26 . 2009-03-14 13:05 d--hs---- c:\windows\system32\NetworkService32
2009-03-11 01:02 . 2009-03-13 18:24 139,264 --a------ c:\windows\system32\cic32.dll
2009-03-07 11:01 . 2009-03-07 11:01 d-------- c:\documents and settings\julio_moncivais\Application Data\Malwarebytes
2009-03-07 11:01 . 2009-03-07 11:01 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-26 15:18 . 2009-02-26 15:18 11,724 --a------ c:\documents and settings\WYHINVENTORY-2-26-09.xlsx
2009-02-26 14:18 . 2009-02-26 14:18 d-------- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 17:17 --------- d-----w c:\program files\McAfee
2009-03-14 17:17 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-13 23:20 --------- d-----w c:\documents and settings\julio_moncivais\Application Data\U3
2009-03-12 05:18 --------- d-----w c:\documents and settings\julio_moncivais\Application Data\LimeWire
2009-03-01 18:37 24,448 ----a-w c:\documents and settings\julio_moncivais\Application Data\GDIPFONTCACHEV1.DAT
2007-05-31 20:36 20,560 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-14 17:06:05 53,166 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-14 18:05:08 53,166 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-14 17:06:05 380,918 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-14 18:05:08 380,918 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 39,792 2007-10-11 01:51:55 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 39,792 2008-01-12 04:16:38 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

----a-w 185,896 2006-09-28 18:16:20 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe

----a-w 49,152 2005-12-10 01:29:52 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 171,448 2007-12-17 06:57:40 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

----a-w 270,648 2007-07-10 14:18:20 c:\program files\iTunes\bak\iTunesHelper.exe

----a-w 132,496 2007-09-25 07:11:35 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 286,720 2007-06-29 11:24:52 c:\program files\QuickTime\bak\qttask.exe

----a-w 75,304 2006-10-11 17:45:12 c:\program files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe

----a-w 15,360 2004-08-04 06:56:50 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 06:56:50 c:\windows\system32\ctfmon.exe

----a-w 77,824 2005-12-13 22:41:08 c:\windows\system32\bak\hkcmd.exe

----a-w 118,784 2005-12-13 22:45:00 c:\windows\system32\bak\igfxpers.exe

----a-w 98,304 2005-12-13 22:44:18 c:\windows\system32\bak\igfxtray.exe

----a-w 1,392,640 2006-11-01 17:48:12 c:\windows\system32\bak\WLTRAY.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"ScanSoft OmniPage SE 4.0-reminder"="c:\program files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" [2006-09-26 1410600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-04 352256]
"Sdigi"="c:\windows\Hdefesoxikayisuk.dll" [2009-03-13 43520]
"Ksesizodulipore"="c:\windows\ivuzawosa.dll" [2009-03-13 133632]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\98ca0905548]
2009-03-13 18:24 139264 c:\windows\system32\cic32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\cic32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1708537768-261903793-839522115-3127\scripts\Logon\0\0]
"script"=audit.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Sprite Software\\Sprite Backup\\spriteservice.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-02-15 26624]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2007-04-23 33664]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2008-11-04 991232]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-02-07 2944]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-11-22 18560]
S3 FNET_USB;Fluke Networks Scanner USB Interface Driver;c:\windows\system32\drivers\fnetusb.sys [2007-07-24 13696]
S3 fnetusb;fnetusb;c:\windows\system32\drivers\fnetusb.sys [2007-07-24 13696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89324c0a-88de-11dd-baae-0019b96abf1e}]
\Shell\AutoRun\command - AutoRun\AutoStart.exe
\Shell\Explore\Command - AutoRun\AutoStart.exe
\Shell\Open\Command - AutoRun\AutoStart.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2009-03-14 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-03-13 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 05:08]

2009-03-12 c:\windows\Tasks\SmitFraudFixTool Scheduled Scan.job
- c:\program files\SmitFraudFixTool\SmitFraudFixTool.exe []

2009-03-12 c:\windows\Tasks\SmitFraudFixTool Scheduled Scan.job
- c:\program files\SmitFraudFixTool []
.
- - - - ORPHANS REMOVED - - - -

Notify-__c00FC27D - c:\windows\system32\__c00FC27D.dat


.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {AA00031B-07CF-40B1-B8E6-C59EC7ED2C33} = 68.28.186.91 68.28.178.91
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-14 14:08:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\System32\cic32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\DWRCS.EXE
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\windows\system32\DWRCST.EXE
c:\program files\McAfee\Common Framework\Mctray.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft ActiveSync\rapimgr.exe
.
**************************************************************************
.
Completion time: 2009-03-14 14:11:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-14 19:11:12
ComboFix2.txt 2009-03-14 18:02:54

Pre-Run: 43,441,061,888 bytes free
Post-Run: 43,431,424,000 bytes free
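The "Reg Loading Points" block in the log above is where the leftover persistence shows: two Run values pointing at random-named DLLs created the day before, a winlogon\notify subkey and AppInit_DLLs both loading cic32.dll, and the Security Center update warning switched off. As an added example, not part of this thread or of ComboFix, here is a small Python triage script that parses that block format and flags those entry types; its rules and 7-day "recent file" threshold are this example's own assumptions, and the sample input is an excerpt assembled from the log quoted above.

```python
# Added example, not from this thread or from ComboFix: triage a ComboFix-style
# "Reg Loading Points" block and flag the persistence patterns seen in the log above.
# The rules and the 7-day "recent file" threshold are this example's own assumptions.
import re
from datetime import date

# Sample input: an excerpt assembled from the log quoted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-04 352256]
"Sdigi"="c:\windows\Hdefesoxikayisuk.dll" [2009-03-13 43520]
"Ksesizodulipore"="c:\windows\ivuzawosa.dll" [2009-03-13 133632]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\98ca0905548]
2009-03-13 18:24 139264 c:\windows\system32\cic32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\cic32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"""
SCAN_DATE = date(2009, 3, 14)  # date of the scan quoted above

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
META_RE = re.compile(r"\s*\[([^\]]*)\]$")  # trailing "[date size]" or "[date path]"
# winlogon\notify entries are printed as "<date> <time> <size> <dll path>"
NOTIFY_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ (?P<path>.+)$")


def split_value(line):
    """Split '"name"=target [meta]' into (name, target, meta-or-None)."""
    name, _, rest = line.partition("=")
    rest, meta = rest.strip(), None
    m = META_RE.search(rest)
    if m:
        meta, rest = m.group(1), rest[: m.start()]
    return name.strip('"'), rest.strip().strip('"'), meta


def triage(log_text, scan_date, recent_days=7):
    """Return (rule, name, target) findings for suspicious loading points."""
    findings, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        if key is None:
            continue
        if "\\winlogon\\notify\\" in key:
            # the tool suppresses legit defaults, so any notify package it prints is non-standard
            m = NOTIFY_RE.match(line)
            if m:
                findings.append(("winlogon-notify", key.rsplit("\\", 1)[1], m.group("path")))
            continue
        if not line.startswith('"'):
            continue
        name, target, meta = split_value(line)
        if key.endswith("\\currentversion\\run"):
            if target.lower().endswith(".dll"):  # Run entries should launch .exe files
                findings.append(("run-dll", name, target))
            tokens = meta.split() if meta else []
            if tokens and re.fullmatch(r"\d{4}-\d{2}-\d{2}", tokens[0]):
                age = (scan_date - date.fromisoformat(tokens[0])).days
                if age <= recent_days:  # file appeared just before the symptoms
                    findings.append(("run-recent", name, target))
        elif key.endswith("\\currentversion\\windows") and name.lower() == "appinit_dlls":
            if target:  # loaded into every process that links user32.dll
                findings.append(("appinit-dlls", name, target))
        elif key.endswith("\\security center") and name.lower().endswith("disablenotify"):
            if target.lower() == "dword:00000001":  # warnings switched off
                findings.append(("security-center-notify-off", name, target))
    return findings


def run_sample():
    """Run the triage over the constructed excerpt with the thread's scan date."""
    return triage(SAMPLE_LOG, SCAN_DATE)


if __name__ == "__main__":
    for rule, name, target in run_sample():
        print(f"{rule:27} {name:19} {target}")
```

Entries such as `SmitFraudFixTool.exe []` with empty bracketed metadata are handled (no date means no age check), which is why the sample parser tolerates a missing or empty `[...]` suffix.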


Re: please help malware defender 2009

Post by Belahzur on Sat Mar 14, 2009 3:39 pm

Hello.
The CFScript was meant to remove the leftover malware, but hasn't done so because you made a slight mistake in naming the script file, see here:

c:\documents and settings\julio_moncivais\Desktop\CFscript.txt.txt

There is one too many .txt; it should be called CFScript.txt, not CFScript.txt.txt, so remove one .txt off the end and drag and drop CFScript onto Combofix again. Don't worry if you see only one .txt file extension; it just means your file extensions are hidden, so it should still have the notepad icon image.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: please help malware defender 2009

Post by julio on Sat Mar 14, 2009 6:57 pm

I had to split the results in half, is it ok now?

ComboFix 09-03-13.02 - Julio_Moncivais 2009-03-14 17:39:18.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.182 [GMT -5:00]
Running from: c:\documents and settings\julio_moncivais\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\julio_moncivais\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\windows\Hdefesoxikayisuk.dll
c:\windows\ivuzawosa.dll
c:\windows\system32\cic32.dll
c:\windows\Tasks\SmitFraudFixTool Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\julio_moncivais\Application Data\020000002ff0c1d9548C.manifest
c:\documents and settings\julio_moncivais\Application Data\020000002ff0c1d9548O.manifest
c:\documents and settings\julio_moncivais\Application Data\020000002ff0c1d9548P.manifest
c:\documents and settings\julio_moncivais\Application Data\020000002ff0c1d9548S.manifest
c:\documents and settings\julio_moncivais\Application Data\LimeWire
c:\documents and settings\julio_moncivais\Application Data\LimeWire\active.mojito
c:\documents and settings\julio_moncivais\Application Data\LimeWire\createtimes.cache
c:\documents and settings\julio_moncivais\Application Data\LimeWire\fileurns.bak
c:\documents and settings\julio_moncivais\Application Data\LimeWire\fileurns.cache
c:\documents and settings\julio_moncivais\Application Data\LimeWire\filters.props
c:\documents and settings\julio_moncivais\Application Data\LimeWire\gnutella.net
c:\documents and settings\julio_moncivais\Application Data\LimeWire\installation.props
c:\documents and settings\julio_moncivais\Application Data\LimeWire\library.dat
c:\documents and settings\julio_moncivais\Application Data\LimeWire\limewire.props
c:\documents and settings\julio_moncivais\Application Data\LimeWire\mojito.props
c:\documents and settings\julio_moncivais\Application Data\LimeWire\questions.props
c:\documents and settings\julio_moncivais\Application Data\LimeWire\responses.cache
c:\documents and settings\julio_moncivais\Application Data\LimeWire\simpp.xml
c:\documents and settings\julio_moncivais\Application Data\LimeWire\spam.dat
c:\documents and settings\julio_moncivais\Application Data\LimeWire\tables.props
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme.lwtp
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\01_star.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\02_star.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\03_star.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\04_star.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\05_star.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\chat.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\dir_closed.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\dir_open.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\forward_dn.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\forward_up.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\kill.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\kill_on.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\lime.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\logo.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\notsearching.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\pause_dn.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\pause_up.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\play_dn.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\play_up.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\question.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\rewind_dn.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\rewind_up.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\searching.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\stop_dn.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\stop_up.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\theme.txt
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\version.txt
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\limewirePro_theme\warning.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\logo.png
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\notsearching.png
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\searching.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\julio_moncivais\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\julio_moncivais\Application Data\LimeWire\ttrees.cache
c:\documents and settings\julio_moncivais\Application Data\LimeWire\ttroot.cache
c:\documents and settings\julio_moncivais\Application Data\LimeWire\version.xml
c:\documents and settings\julio_moncivais\Application Data\LimeWire\xml\data\audio.sxml
c:\documents and settings\julio_moncivais\Application Data\LimeWire\xml\data\video.sxml
c:\windows\Hdefesoxikayisuk.dll
c:\windows\ivuzawosa.dll
c:\windows\system32\3.tmp
c:\windows\system32\cic32.dll
c:\windows\system32\GroupPolicy000.dat
c:\windows\Tasks\SmitFraudFixTool Scheduled Scan.job

.
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-14 17:23 . 2009-03-14 17:25 d--hs---- c:\windows\system32\NetworkService32
2009-03-14 14:57 . 2009-03-14 14:57 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-14 14:57 . 2009-03-14 14:57 1,409 --a------ c:\windows\QTFont.for
2009-03-13 18:01 . 2009-03-13 18:01 d-------- C:\_OTMoveIt
2009-03-13 17:48 . 2009-03-13 17:48 d-------- c:\program files\Trend Micro
2009-03-12 16:25 . 2009-03-12 16:25 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-12 16:25 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-12 16:25 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-12 15:42 . 2009-03-12 15:42 401,720 --a------ C:\hijackgpthis.exe
2009-03-07 11:01 . 2009-03-07 11:01 d-------- c:\documents and settings\julio_moncivais\Application Data\Malwarebytes
2009-03-07 11:01 . 2009-03-07 11:01 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-26 15:18 . 2009-02-26 15:18 11,724 --a------ c:\documents and settings\WYHINVENTORY-2-26-09.xlsx
2009-02-26 14:18 . 2009-02-26 14:18 d-------- c:\program files\MSECache

.


Re: please help malware defender 2009

Post by julio on Sat Mar 14, 2009 6:58 pm

OK, here is the other half of the results.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 22:39 --------- d-----w c:\program files\QuickTime
2009-03-14 22:39 --------- d-----w c:\program files\iTunes
2009-03-14 17:17 --------- d-----w c:\program files\McAfee
2009-03-14 17:17 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-13 23:20 --------- d-----w c:\documents and settings\julio_moncivais\Application Data\U3
2009-03-01 18:37 24,448 ----a-w c:\documents and settings\julio_moncivais\Application Data\GDIPFONTCACHEV1.DAT
2007-05-31 20:36 20,560 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-12-13 22:41:08 77,824 ----a-w c:\windows\system32\hkcmd.exe
+ 2005-12-13 22:45:00 118,784 ----a-w c:\windows\system32\igfxpers.exe
+ 2005-12-13 22:44:18 98,304 ----a-w c:\windows\system32\igfxtray.exe
- 2009-03-14 17:06:05 53,166 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-14 22:04:16 53,166 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-14 17:06:05 380,918 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-14 22:04:16 380,918 ----a-w c:\windows\system32\perfh009.dat
+ 2006-11-01 17:48:12 1,392,640 ----a-w c:\windows\system32\WLTRAY.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"ScanSoft OmniPage SE 4.0-reminder"="c:\program files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" [2006-09-26 1410600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-04 352256]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Sprite Software\\Sprite Backup\\spriteservice.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-02-15 26624]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2007-04-23 33664]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2008-11-04 991232]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-02-07 2944]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-11-22 18560]
S3 FNET_USB;Fluke Networks Scanner USB Interface Driver;c:\windows\system32\drivers\fnetusb.sys [2007-07-24 13696]
S3 fnetusb;fnetusb;c:\windows\system32\drivers\fnetusb.sys [2007-07-24 13696]
.
Contents of the 'Scheduled Tasks' folder

2009-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2009-03-14 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-03-13 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 05:08]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {AA00031B-07CF-40B1-B8E6-C59EC7ED2C33} = 68.28.186.91 68.28.178.91
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-14 17:43:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\DWRCS.EXE
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\windows\system32\DWRCST.EXE
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\Microsoft ActiveSync\rapimgr.exe
.
**************************************************************************
.
Completion time: 2009-03-14 17:45:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-14 22:45:53
ComboFix2.txt 2009-03-14 19:11:15
ComboFix3.txt 2009-03-14 18:02:54

Pre-Run: 43,371,835,392 bytes free
Post-Run: 43,379,007,488 bytes free


Re: please help malware defender 2009

Post by Belahzur on Sat Mar 14, 2009 7:04 pm

That worked.

2 more things to do.

1. Remove Combofix.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

2. Please install Avira.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Let me know how the machine is running now.



Re: please help malware defender 2009

Post by julio on Sun Mar 15, 2009 1:18 pm

done.... No pop-ups, no nothing, it seems to be running just fine... thanks so much for your help and time.


Re: please help malware defender 2009

Post by Belahzur on Sun Mar 15, 2009 1:23 pm

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.

