malwarebytes

View previous topic View next topic Go down

malwarebytes

Post by orangeboy on 12th May 2009, 1:54 am

Greetings, for some reason I cannot post a new topic on other forums.
Hopefully this forum will suffice. I am unable to update my Malwarebytes, futhermore I can't access the website either, and finally I tried the manual update link you guys provided on the "malware removal guide" forum and I still have the problem loading page. Please help.

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Origin on 12th May 2009, 2:01 am

Hello please post a HijackThis log;

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31503
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 12th May 2009, 2:09 am

Here is the log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:31 PM, on 5/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\Danny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Danny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--
End of file - 6542 bytes

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Origin on 12th May 2009, 2:11 am

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31503
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 12th May 2009, 2:27 am

Here is the log:



Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Origin on 12th May 2009, 2:49 am


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, two logs will open. Save both of the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31503
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 12th May 2009, 3:08 am

Here is the DDS, do I have some sort of virus? Because certain security websites I cannot load, such as superantispyware.



DDS (Ver_09-03-16.01) - NTFSx86
Run by Danny at 20:02:10.45 on Mon 05/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.256.37 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090511-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\Danny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Danny\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar =
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uCustomizeSearch =
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Google Update] "c:\documents and settings\danny\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTSysVol] c:\program files\creative\sb live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {15B782AF-55D8-11D1-B477-006097098764} - [You must be registered and logged in to see this link.]
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\danny\applic~1\mozilla\firefox\profiles\hy2sjaj2.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-16 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-16 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-16 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-16 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-16 352920]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2009-2-28 194304]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\ALiEHCI.SYS [2005-7-26 112835]
S3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\ALiRTHUB.SYS [2005-7-26 5325]
S3 lne100tx;Linksys LNE100TX Fast Ethernet PCI Adapter;c:\windows\system32\drivers\lne100tx.sys [2005-5-12 70730]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-5-25 280344]
S3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;c:\windows\system32\drivers\wind502u.sys [2005-7-5 336256]
S3 WLAN(WLAN);802.11b+g USB Wireless LAN Adapter Driver(WLAN);c:\windows\system32\drivers\ZD1211U.sys [2005-5-12 258560]
S3 ZD1211U(Hawking Technologies);Hawking Technologies HW54G Wireless-G USB Adapter(Hawking Technologies);c:\windows\system32\drivers\ZD1211U.sys [2005-5-12 258560]

=============== Created Last 30 ================

2009-05-11 19:07 --d----- c:\program files\Trend Micro
2009-05-10 19:15 --d----- c:\program files\SpywareBlaster
2009-05-09 14:25 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-15 00:56 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-15 00:56 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-15 00:56 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-15 00:56 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-15 00:56 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 00:56 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 00:56 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 00:56 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-15 00:56 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-15 00:49 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 00:49 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 00:49 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-05 22:39 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 23:35 1,636 a------- c:\windows\system32\d3d9caps.dat
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2006-03-21 02:42 18,312 a------- c:\docume~1\danny\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 20:04:10.13 ===============

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Origin on 12th May 2009, 3:17 am

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :files
    c:\docume~1\danny\applic~1\GDIPFONTCACHEV1.DAT
    c:\windows\system32\d3d9caps.dat



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



Please download [You must be registered and logged in to see this link.] and save it to your Desktop. Double-click GooredFix.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt). Note: Do not run Option #2 yet.

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31503
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 12th May 2009, 3:25 am

Here is the log, I did not run GooredFix yet.



========== FILES ==========
c:\docume~1\danny\applic~1\GDIPFONTCACHEV1.DAT moved successfully.
c:\windows\system32\d3d9caps.dat moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05112009_202347

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Origin on 12th May 2009, 3:38 am

Ok please post the GooredFix log as soon as possible Wink

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31503
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 12th May 2009, 3:45 am

The contents of the log, Sir:


GooredFix v1.92 by jpshortstuff
Log created at 20:43 on 11/05/2009 running Option #1 (Danny)
Firefox version 2.0.0.11 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.11\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.11\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Origin on 12th May 2009, 3:54 am

Now try to download and run Malwarebytes:

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31503
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 12th May 2009, 4:01 am

Not good, the page from the link does not load!

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Origin on 12th May 2009, 4:04 am

Can you try to download it from any of these links:

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31503
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 12th May 2009, 4:15 am

I was able to download it from major geeks, but once again when it updated itself, the message pops up again: "Update failed. Make sure you are connected to the Internet and your firewall is set to allow Malwarebyte's Anti-Malware to access the internet." I already manually allowed firewall to allow it. The problem is still the same. Well I am doing the Quick Scan right now still.

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 12th May 2009, 4:50 am

Here is the log:



Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/11/2009 9:33:00 PM
mbam-log-2009-05-11 (21-33-00).txt

Scan type: Quick Scan
Objects scanned: 70787
Time elapsed: 16 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Origin on 12th May 2009, 5:05 am

Hello is it possible to do a full scan?

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31503
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 12th May 2009, 5:14 am

Full Scanning as of right now.

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 12th May 2009, 6:53 am

Finally done scanning..I hope you're still on..haha



Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/11/2009 11:51:41 PM
mbam-log-2009-05-11 (23-51-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 115715
Time elapsed: 1 hour(s), 34 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{5FDF717E-75DC-46FA-AD86-D44DFDB4AC47}\RP801\A0071410.exe (Adware.Cinmus) -> Quarantined and deleted successfully.

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 12th May 2009, 5:52 pm

Hello Belahzur,
I won't be able to get on my computer for another 7 hours, but when I do, are you saying I should NOT run the RootRepeal yet? Thanks.

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Belahzur on 12th May 2009, 6:19 pm

Correct.
RootRepeal will display the driver and we can kill it, but the forum is having trouble, and we have a very small character limit (how many letters can be in one post), the trouble would make the log twice as big.

I can't help right now due to the problems, and you don't have access to the infected machine, so were both our of the game right now. LMBO or ROFL


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: malwarebytes

Post by Belahzur on 13th May 2009, 12:26 pm

Hello.
Forum is fixed, service resumes as normal.

Run RootRepeal now, post the log when your ready. Smile


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 13th May 2009, 3:54 pm

Hello,
I'm at work and I still cannot connect to the site at home. Is there anything I can do to fix this? Am I being blocked?. Unfortunately It'll be a while before I can try anything.

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Belahzur on 13th May 2009, 4:03 pm

The site RootRepeal is hosted on?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 13th May 2009, 4:08 pm

No, I can't connect to the great site that is Geekpolice! I was trying all last night with no luck.

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Belahzur on 13th May 2009, 4:12 pm

Oh, guess we are being blocked too. LMBO or ROFL oh joy.

Okay, we'll do this without any logs for now. Run RootRepeal, when done, scroll right to the bottom of the log, you should see something like this:

Name: UACd.sys
ImagePath: C:\Windows\system32\drivers\UAC-----.sys

Note: ---- are random letters. Take note of the file name exactly as seen. If the driver name isn't UACd.sys, let me know what it is.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 13th May 2009, 4:23 pm

If I still cannot connect to this site later, then I will just email myself the Rootrepeal instructions and do it. This will take a myriad of hours to report back, so I would like to apologize for any inconvenience I am causing.

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 14th May 2009, 3:31 pm

Greetings,
Geekpolice still not loading for me, so taking a long time to reply. But here is the rootrepeal log:



ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/05/13 22:32
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF813D000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF9DF0000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF789D000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\system.LOG
Status: Size mismatch (API: 1024, Raw: 65536)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf815d6b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf815d574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf815da52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf815d14c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf815d64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf815d08c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf815d0f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf815d76e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf815d72e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf815d8ae

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Belahzur on 14th May 2009, 3:58 pm

Is that all to the log?

Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]

  • Double-click the launch.exe or cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    o Now, go to Settings >> Change Settings
    o Go to Actions tab >> under Objects section, change the settings to below
    Infected objects - Cure
    Incurable objects - Report
    Suspicious objects - Report
    o Don't change any other settings
  • Start the scan again. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Post DrWeb.csv in your next reply (Open it as Notepad).. Do NOT reboot the computer yet..


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 14th May 2009, 4:14 pm

Yes.
Is something missing?

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Belahzur on 14th May 2009, 4:46 pm

No, just wondering, usually it's longer than that.

Can you try Dr.Web?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 14th May 2009, 5:20 pm

I can try it after work. Haha.
Once again, thank you for your patience.

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 15th May 2009, 3:38 pm

Hello. Finally the Dr. web log:

BSINSTALL.exe\data018;C:\Documents and Settings\Danny\My Documents\My Downloads\BSINSTALL.exe;Adware.SearchAid.40;;

BSINSTALL.exe\data024;C:\Documents and Settings\Danny\My Documents\My Downloads\BSINSTALL.exe;Adware.SaveNow;;

BSINSTALL.exe\data028;C:\Documents and Settings\Danny\My Documents\My Downloads\BSINSTALL.exe;Adware.SaveNow;;

BSINSTALL.exe;C:\Documents and Settings\Danny\My Documents\My Downloads;Archive contains infected objects;;

WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 15th May 2009, 4:02 pm

Oh yeah, when closing Dr. web, it says no actions were taken and asks if I want to. Should I just say no and close?

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Belahzur on 15th May 2009, 4:31 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]


    Now do this. Read this next instructions for renaming Combofix.

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 17th May 2009, 10:06 pm

Hello.
Good news. I can finally access this site! Also I am able to update malwarebytes. I did not run the combo fix though.
Is there anything I can do/run to check to make sure my computer is clean/safe?

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Belahzur on 17th May 2009, 10:27 pm

Combofix would be a good idea. Make sure your AV is disabled before running it though.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 18th May 2009, 1:13 am

Here is the combofix log:


ComboFix 09-05-17.03 - Danny 05/17/2009 16:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.256.70 [GMT -7:00]
Running from: c:\documents and settings\Danny\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090516-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\kdcoms.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-17 22:21 . 2009-05-17 22:57 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-17 22:21 . 2009-05-17 22:43 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-15 01:27 . 2009-05-15 01:27 -------- d-----w c:\documents and settings\Danny\DoctorWeb
2009-05-12 03:23 . 2009-05-12 03:23 -------- d-----w C:\_OTMoveIt
2009-05-12 02:07 . 2009-05-12 02:07 -------- d-----w c:\program files\Trend Micro
2009-05-11 02:15 . 2009-05-16 20:00 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-11 02:15 . 2009-05-16 20:00 -------- d-----w c:\program files\SpywareBlaster
2009-05-09 22:19 . 2009-05-09 22:19 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-09 22:07 . 2009-05-09 22:12 -------- d-----w c:\program files\Common Files\Adobe
2009-05-09 21:25 . 2009-05-09 21:24 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-09 17:37 . 2009-05-09 17:38 -------- d-----w c:\documents and settings\Administrator.DANNYBOY\Local Settings\Application Data\Adobe
2009-05-09 09:06 . 2009-05-09 09:06 -------- d-----w c:\documents and settings\Administrator.DANNYBOY\Local Settings\Application Data\Mozilla
2009-05-09 09:04 . 2009-05-09 09:04 -------- d-----w c:\documents and settings\Administrator.DANNYBOY\Application Data\Malwarebytes
2009-05-09 04:17 . 2009-05-09 07:30 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-05-09 04:17 . 2009-05-09 07:30 -------- d-s---w c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2022-01-18 02:47 . 2005-08-10 21:10 -------- d-----w c:\program files\DivX
2009-05-12 04:07 . 2009-03-21 06:26 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-09 23:15 . 2008-11-29 08:26 -------- d-----w c:\program files\NOS
2009-05-09 21:33 . 2005-10-23 08:07 -------- d-----w c:\program files\Java
2009-04-18 07:18 . 2005-08-10 21:11 -------- d-----w c:\program files\Google
2009-04-06 22:32 . 2009-03-21 06:26 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2009-03-21 06:27 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-01 02:04 . 2009-04-01 01:44 -------- d-----w c:\program files\Windows Live Safety Center
2009-03-19 05:21 . 2009-03-19 05:13 -------- d-----w c:\program files\system_apps
2009-03-06 14:22 . 2003-07-07 16:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2003-07-07 16:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 01:25 . 2009-03-01 01:25 21035 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-02-20 18:09 . 2005-05-12 19:51 78336 ----a-w c:\windows\system32\ieencode.dll
2007-12-02 09:25 . 2005-05-13 07:23 67696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-12-02 09:25 . 2005-05-13 07:23 54376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-12-02 09:25 . 2007-08-24 09:12 34952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-12-02 09:25 . 2007-08-24 09:12 46720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-12-02 09:25 . 2005-05-13 07:23 172144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Danny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-09 148888]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111v2 Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v2 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111v2 Smart Wizard.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21240:TCP"= 21240:TCP:*:Disabled:BitComet 21240 TCP
"21240:UDP"= 21240:UDP:*:Disabled:BitComet 21240 UDP

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/16/2009 7:05 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/16/2009 7:05 PM 20560]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2/28/2009 6:25 PM 194304]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\ALiEHCI.SYS [7/26/2005 3:10 PM 112835]
S3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\ALiRTHUB.SYS [7/26/2005 3:10 PM 5325]
S3 lne100tx;Linksys LNE100TX Fast Ethernet PCI Adapter;c:\windows\system32\drivers\lne100tx.sys [5/12/2005 4:34 AM 70730]
S3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;c:\windows\system32\drivers\wind502u.sys [7/5/2005 4:08 PM 336256]
S3 WLAN(WLAN);802.11b+g USB Wireless LAN Adapter Driver(WLAN);c:\windows\system32\drivers\ZD1211U.sys [5/12/2005 11:35 PM 258560]
S3 ZD1211U(Hawking Technologies);Hawking Technologies HW54G Wireless-G USB Adapter(Hawking Technologies);c:\windows\system32\drivers\ZD1211U.sys [5/12/2005 11:35 PM 258560]

--- Other Services/Drivers In Memory ---

*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - iPod Service
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Pctspk
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - UMWdf
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WMDM PMSP Service
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2007-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

2009-05-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1383384898-1708537768-1003.job
- c:\documents and settings\Danny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 05:22]

2009-05-16 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-06 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar =
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Danny\Application Data\Mozilla\Firefox\Profiles\hy2sjaj2.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-17 16:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1060)
c:\program files\Funk Software\Odyssey Client\odLogin.dll
.
Completion time: 2009-05-17 16:25
ComboFix-quarantined-files.txt 2009-05-17 23:24

Pre-Run: 6,102,675,456 bytes free
Post-Run: 6,097,895,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

194 --- E O F --- 2009-04-16 07:07

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Belahzur on 18th May 2009, 2:36 am

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Folder::
C:\_OTMoveIt

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21240:TCP"=-
"21240:UDP"=-

DDS::
mSearch Bar =

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 18th May 2009, 5:04 am

The next combofix log:




ComboFix 09-05-17.03 - Danny 05/17/2009 21:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.256.93 [GMT -7:00]
Running from: c:\documents and settings\Danny\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Danny\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090517-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_OTMoveIt
c:\_otmoveit\MovedFiles\05112009_202347.log
c:\_otmoveit\MovedFiles\05112009_202347.res
c:\_otmoveit\MovedFiles\05112009_202347\docume~1\danny\applic~1\GDIPFONTCACHEV1.DAT
c:\_otmoveit\MovedFiles\05112009_202347\windows\system32\d3d9caps.dat

.
((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-05-17 22:21 . 2009-05-17 22:57 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-17 22:21 . 2009-05-17 23:31 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-15 01:27 . 2009-05-15 01:27 -------- d-----w c:\documents and settings\Danny\DoctorWeb
2009-05-12 02:07 . 2009-05-12 02:07 -------- d-----w c:\program files\Trend Micro
2009-05-11 02:15 . 2009-05-16 20:00 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-11 02:15 . 2009-05-16 20:00 -------- d-----w c:\program files\SpywareBlaster
2009-05-09 22:19 . 2009-05-09 22:19 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-09 22:07 . 2009-05-09 22:12 -------- d-----w c:\program files\Common Files\Adobe
2009-05-09 21:25 . 2009-05-09 21:24 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-09 17:37 . 2009-05-09 17:38 -------- d-----w c:\documents and settings\Administrator.DANNYBOY\Local Settings\Application Data\Adobe
2009-05-09 09:06 . 2009-05-09 09:06 -------- d-----w c:\documents and settings\Administrator.DANNYBOY\Local Settings\Application Data\Mozilla
2009-05-09 09:04 . 2009-05-09 09:04 -------- d-----w c:\documents and settings\Administrator.DANNYBOY\Application Data\Malwarebytes
2009-05-09 04:17 . 2009-05-09 07:30 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-05-09 04:17 . 2009-05-09 07:30 -------- d-s---w c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2022-01-18 02:47 . 2005-08-10 21:10 -------- d-----w c:\program files\DivX
2009-05-12 04:07 . 2009-03-21 06:26 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-09 23:15 . 2008-11-29 08:26 -------- d-----w c:\program files\NOS
2009-05-09 21:33 . 2005-10-23 08:07 -------- d-----w c:\program files\Java
2009-04-18 07:18 . 2005-08-10 21:11 -------- d-----w c:\program files\Google
2009-04-06 22:32 . 2009-03-21 06:26 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2009-03-21 06:27 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-01 02:04 . 2009-04-01 01:44 -------- d-----w c:\program files\Windows Live Safety Center
2009-03-19 05:21 . 2009-03-19 05:13 -------- d-----w c:\program files\system_apps
2009-03-06 14:22 . 2003-07-07 16:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2003-07-07 16:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 01:25 . 2009-03-01 01:25 21035 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-02-20 18:09 . 2005-05-12 19:51 78336 ----a-w c:\windows\system32\ieencode.dll
2007-12-02 09:25 . 2005-05-13 07:23 67696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-12-02 09:25 . 2005-05-13 07:23 54376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-12-02 09:25 . 2007-08-24 09:12 34952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-12-02 09:25 . 2007-08-24 09:12 46720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-12-02 09:25 . 2005-05-13 07:23 172144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-18 04:15 . 2009-05-18 04:15 16384 c:\windows\Temp\Perflib_Perfdata_744.dat
+ 2009-05-18 04:14 . 2009-05-18 04:14 16384 c:\windows\Temp\Perflib_Perfdata_110.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Danny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-09 148888]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111v2 Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v2 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111v2 Smart Wizard.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/16/2009 7:05 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/16/2009 7:05 PM 20560]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2/28/2009 6:25 PM 194304]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\ALiEHCI.SYS [7/26/2005 3:10 PM 112835]
S3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\ALiRTHUB.SYS [7/26/2005 3:10 PM 5325]
S3 lne100tx;Linksys LNE100TX Fast Ethernet PCI Adapter;c:\windows\system32\drivers\lne100tx.sys [5/12/2005 4:34 AM 70730]
S3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;c:\windows\system32\drivers\wind502u.sys [7/5/2005 4:08 PM 336256]
S3 WLAN(WLAN);802.11b+g USB Wireless LAN Adapter Driver(WLAN);c:\windows\system32\drivers\ZD1211U.sys [5/12/2005 11:35 PM 258560]
S3 ZD1211U(Hawking Technologies);Hawking Technologies HW54G Wireless-G USB Adapter(Hawking Technologies);c:\windows\system32\drivers\ZD1211U.sys [5/12/2005 11:35 PM 258560]

--- Other Services/Drivers In Memory ---

*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - aswUpdSv
*Deregistered* - AudioSrv
*Deregistered* - avast! Antivirus
*Deregistered* - avast! Mail Scanner
*Deregistered* - avast! Web Scanner
*Deregistered* - BITS
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - BthServ
*Deregistered* - Creative Service for CDROM Access
*Deregistered* - CryptSvc
*Deregistered* - CVPND
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - iPod Service
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Pctspk
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - UMWdf
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WMDM PMSP Service
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2007-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

2009-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1383384898-1708537768-1003.job
- c:\documents and settings\Danny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 05:22]

2009-05-18 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-06 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar =
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Danny\Application Data\Mozilla\Firefox\Profiles\hy2sjaj2.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-17 21:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\program files\Funk Software\Odyssey Client\odLogin.dll

- - - - - - - > 'explorer.exe'(1660)
c:\windows\system32\mshtml.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\pctspk.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\rundll32.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-18 21:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-18 04:51
ComboFix2.txt 2009-05-17 23:25

Pre-Run: 6,120,472,576 bytes free
Post-Run: 6,123,307,008 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=2 Sets=1,2,3,4
229 --- E O F --- 2009-04-16 07:07

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 20th May 2009, 8:42 pm

"Bump."

Greetings. I have not had a reply in about two days, I hope I am not forgotten. Haha. I definitely can see that you guys are getting busier and busier, which is good. Keep up the hard work!

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Belahzur on 20th May 2009, 8:45 pm

Thanks for the bump.
Yep, we have been very busy lately, sorry for missing your post.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: malwarebytes

Post by orangeboy on 21st May 2009, 1:44 am

Machine is definitely running better. Thanks for all the help.
Do I need to do anything else? Should I keep all programs downloaded during this whole process?

orangeboy
Intermediate
Intermediate

Posts Posts : 51
Joined Joined : 2009-05-09
OS OS : windows XP
Points Points : 27831
# Likes # Likes : 0

View user profile

Back to top Go down

Re: malwarebytes

Post by Belahzur on 21st May 2009, 1:45 am

No, delete them. Combofix is too powerful to be trusted when used alone.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck. Big Grin


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum