
Thread: Dymanet problem here are the dds and attach files

  1. #11
    Security Expert: Emeritus Blade81
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Hi,

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    http://forums.spybot.info/showthread.php?t=62486
    Suspect::
    c:\windows\system32\bdfd40ad-640e-8168-79bb-e3d3eb7a9f9d.exe
    C:\Program Files\Mozilla Firefox\extensions\{64620e81-b27a-ff43-0ef1-d9818183f5ce}\components\b4901fd7-7a79-3090-a1f6-cbe8f69edf21.dll
    Collect::
    C:\WINDOWS\system32\u_ntqmlesiytmavwobq.dll.exe

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log.


    See if you're able to uninstall Adobe Reader in safe mode.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  2. #12
    Member
    Join Date: Apr 2011
    Posts: 34

    CFScript log

    ComboFix 11-05-11.04 - Linda Patrick 05/12/2011 11:39:46.5.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.398 [GMT -7:00]
    Running from: c:\documents and settings\Linda Patrick\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Linda Patrick\Desktop\CFScript.txt
    AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    file zipped: c:\windows\system32\u_ntqmlesiytmavwobq.dll.exe
    file zipped: c:\program files\Mozilla Firefox\extensions\{64620e81-b27a-ff43-0ef1-d9818183f5ce}\components\b4901fd7-7a79-3090-a1f6-cbe8f69edf21.dll
    file zipped: c:\windows\system32\bdfd40ad-640e-8168-79bb-e3d3eb7a9f9d.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Linda Patrick\Local Settings\Temporary Internet Files\1998a49c-be6c-a2ff-404b-c86fcee00867
    c:\documents and settings\Linda Patrick\Local Settings\Temporary Internet Files\45c92351-9874-9d97-bedd-202d82176f92
    c:\documents and settings\Linda Patrick\Local Settings\Temporary Internet Files\54842025-8990-ede8-1d38-c28f3f3cd26c
    c:\documents and settings\Linda Patrick\Local Settings\Temporary Internet Files\7871ef18-be0f-7035-dd3f-223fd9661f5e
    c:\documents and settings\Linda Patrick\Local Settings\Temporary Internet Files\81006873-c45f-52db-a751-e55303ba63a6
    c:\documents and settings\Linda Patrick\Local Settings\Temporary Internet Files\96e4c2b5-ef85-3542-333b-93d44dbadd0a
    c:\documents and settings\Linda Patrick\Local Settings\Temporary Internet Files\a38d29d9-8654-152a-acfd-4468287bcbc0
    c:\documents and settings\Linda Patrick\Local Settings\Temporary Internet Files\caf8edd2-61f7-e1db-e5cc-088cd60fba03
    c:\documents and settings\Linda Patrick\Local Settings\Temporary Internet Files\fa1218cb-82e9-d112-d766-0d98e6f00b46
    c:\windows\system32\u_ntqmlesiytmavwobq.dll.exe
    E:\autorun.inf
    c:\windows\Fonts\ALGERIA.TTF . . . . Failed to delete
    c:\windows\Fonts\ANIM____.TTF . . . . Failed to delete
    c:\windows\Fonts\Anncrawl.ttf . . . . Failed to delete
    c:\windows\Fonts\bp-anim.ttf . . . . Failed to delete
    c:\windows\Fonts\Butterfl.ttf . . . . Failed to delete
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-12 to 2011-05-12 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-12 03:11 . 2011-05-12 03:11 -------- d-----w- c:\program files\ESET
    2011-05-12 02:38 . 2011-05-12 02:37 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-05-12 02:38 . 2011-05-12 02:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-05-02 19:35 . 2011-05-02 19:37 -------- d-----w- c:\program files\Easy Click Commissions
    2011-05-02 19:35 . 2011-05-02 19:37 -------- d-----w- c:\documents and settings\Linda Patrick\Application Data\Easy Click Commissions
    2011-04-30 23:44 . 2011-04-30 23:44 -------- d-----w- c:\program files\ERUNT
    2011-04-28 00:36 . 2011-04-28 00:37 -------- d-----w- c:\program files\Microsoft Speech SDK 5.1
    2011-04-28 00:26 . 2011-04-28 00:26 -------- d-----w- c:\program files\e-Speaking
    2011-04-22 07:40 . 2011-04-22 07:40 -------- d-----w- c:\documents and settings\Linda Patrick\Local Settings\Application Data\Symantec
    2011-04-17 01:24 . 2011-04-17 01:50 -------- d-----w- c:\documents and settings\Linda Patrick\Application Data\FixCleaner
    2011-04-17 01:23 . 2011-04-24 23:28 -------- d-----w- c:\program files\FixCleaner
    2011-04-16 22:51 . 2010-06-14 14:30 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2011-04-16 22:47 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe
    2011-04-13 16:04 . 2011-04-13 16:25 -------- d-----w- c:\documents and settings\Linda Patrick\Application Data\TweetAdder3
    2011-04-13 16:03 . 2011-04-13 16:04 -------- d-----w- c:\program files\Tweet Adder 3
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-12 02:37 . 2007-04-26 13:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-03-05 23:38 . 2011-03-05 23:38 125918 ----a-w- c:\windows\system32\bdfd40ad-640e-8168-79bb-e3d3eb7a9f9d.exe
    2011-02-24 00:04 . 2011-04-11 15:22 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
    2011-02-23 23:54 . 2011-04-11 15:22 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
    2007-08-25 03:52 . 2008-02-18 19:08 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Linda Patrick\Application Data\Dropbox\bin\DropboxExt.13.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Linda Patrick\Application Data\Dropbox\bin\DropboxExt.13.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Linda Patrick\Application Data\Dropbox\bin\DropboxExt.13.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]
    "Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-13 126976]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-13 155648]
    "Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]
    "LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-08 165208]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-12-18 197928]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-02 160328]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0lsdelete
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 4.0.lnk]
    backup=c:\windows\pss\eFax DllCmd 4.0.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 4.0.lnk]
    backup=c:\windows\pss\eFax Tray Menu 4.0.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
    backup=c:\windows\pss\PalTalk.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Linda Patrick^Start Menu^Programs^Startup^eFax 4.4.lnk]
    path=c:\documents and settings\Linda Patrick\Start Menu\Programs\Startup\eFax 4.4.lnk
    backup=c:\windows\pss\eFax 4.4.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2005-04-11 22:21 794624 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jing]
    2010-08-19 23:23 3069192 ----a-w- c:\program files\TechSmith\Jing\Jing.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    2005-09-24 22:46 20480 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    2004-10-14 20:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    2007-06-07 20:08 4670968 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "EarthLinkMonitor"=2 (0x2)
    "ERSvc"=2 (0x2)
    "WMPNetworkSvc"=3 (0x3)
    "QBFCService"=3 (0x3)
    "Netlogon"=3 (0x3)
    "mnmsrvc"=3 (0x3)
    "LightScribeService"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "hpqwmi"=3 (0x3)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Google Update"="c:\documents and settings\Linda Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
    "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "eabconfg.cpl"=c:\program files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\CoffeeCup Software\\CoffeeCup Free FTP\\FreeFTP.exe"=
    "c:\\Documents and Settings\\Linda Patrick\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Documents and Settings\\Linda Patrick\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/1/2009 10:09 AM 64288]
    R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [4/11/2011 8:22 AM 13496]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [2/12/2011 12:41 AM 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [2/12/2011 12:41 AM 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20110430.001\BHDrvx86.sys [5/2/2011 6:39 PM 802936]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [2/12/2011 12:41 AM 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [2/12/2011 12:41 AM 116784]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 12:25 PM 189736]
    R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccsvchst.exe [2/12/2011 12:40 AM 126392]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/11/2011 1:11 PM 105592]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20110511.001\IDSXpx86.sys [5/11/2011 8:22 PM 341944]
    S0 TfFsMon;TfFsMon; [x]
    S0 TFSysMon;TfSysMon; [x]
    S2 gupdate1c9d4a4c1329514;Google Update Service (gupdate1c9d4a4c1329514);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2009 8:00 AM 133104]
    S3 BW2NDIS5;BW2NDIS5; [x]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2009 8:00 AM 133104]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; [x]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver; [x]
    S3 RegKernelHelp;RegKernelHelp; [x]
    S3 Senfppyelc;Senfppyelc; [x]
    S3 TfNetMon;TfNetMon; [x]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    tapisrv REG_MULTI_SZ Tapisrv
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 15:00]
    .
    2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 15:00]
    .
    2011-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2075307622-3171654227-2039206519-1006Core.job
    - c:\documents and settings\Linda Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-05 00:47]
    .
    2011-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2075307622-3171654227-2039206519-1006UA.job
    - c:\documents and settings\Linda Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-05 00:47]
    .
    2011-03-29 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
    - c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-11 09:00]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: Add to &Evernote - c:\program files\Evernote\Evernote3.5\enbar.dll/2000
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
    Handler: safeprint - {159A8CC0-E15B-11D3-A0FC-0050047FA13D} - c:\program files\SafePublish\sp.dll
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {4EC69696-0E77-4043-AB29-6103776A697E} - hxxp://www.snap.com/downloads/SnapVisualSearch_19.exe
    FF - ProfilePath - c:\documents and settings\Linda Patrick\Application Data\Mozilla\Firefox\Profiles\47muxjb6.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ffsc&p=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: z: {64620e81-b27a-ff43-0ef1-d9818183f5ce} - c:\program files\Mozilla Firefox\extensions\{64620e81-b27a-ff43-0ef1-d9818183f5ce}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
    FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
    FF - Ext: Shareaholic: firefox-extension@shareaholic.com - %profile%\extensions\firefox-extension@shareaholic.com
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
    FF - Ext: WiseStamp: wisestamp@wisestamp.com - %profile%\extensions\wisestamp@wisestamp.com
    FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: Evernote Web Clipper: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - %profile%\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}
    FF - Ext: ColorZilla: {6AC85730-7D0F-4de0-B3FA-21142DD85326} - %profile%\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
    FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\IPSFFPlgn
    FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\coFFPlgn
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-12 13:21
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
    @DACL=(02 0000)
    @="bootstrap.application.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\.xaml\bootstrap]
    @DACL=(02 0000)
    @="bootstrap.xaml.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\.xbap\bootstrap]
    @DACL=(02 0000)
    @="bootstrap.xbap.1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3868)
    c:\windows\system32\WININET.dll
    c:\windows\system32\logishrd\LVPrcInj01.dll
    c:\program files\Logitech\MouseWare\System\LgWndHk.dll
    c:\documents and settings\Linda Patrick\Application Data\Dropbox\bin\DropboxExt.13.dll
    c:\program files\Windows Media Player\wmpband.dll
    c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\system32\astsrv.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Logitech\MouseWare\system\em_exec.exe
    .
    **************************************************************************
    .
    Completion time: 2011-05-12 13:34:10 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-12 20:33
    ComboFix2.txt 2011-05-12 02:05
    ComboFix3.txt 2011-04-22 06:08
    .
    Pre-Run: 17,791,197,184 bytes free
    Post-Run: 17,821,904,896 bytes free
    .
    - - End Of File - - 35C010C78A2EFC1AC4830FEA08003079
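
    A triage pass over entries like the "Files Created" and "Find3M" lines in the log above, as an added example for this thread (it is not part of any post and not ComboFix's own logic). It parses the `created . modified size attrs path` line format ComboFix uses and flags file names that look machine-generated: GUID-shaped names such as `bdfd40ad-640e-8168-79bb-e3d3eb7a9f9d.exe`, double extensions such as `.dll.exe`, and consonant-heavy random strings such as `u_ntqmlesiytmavwobq`. The heuristics and the 0.30 vowel-ratio threshold are this example's own assumptions; four sample lines are copied from the log, two are constructed (dates and sizes invented) for files the log reported in other sections.

```python
"""Triage pass over ComboFix 'Files Created' / 'Find3M' entries.

Added example for this thread; not part of the original posts and not
ComboFix code. ComboFix lists new and recently modified files as
    <created> . <modified> <size|--------> <attrs> <path>
The name heuristics (GUID-shaped names, double extensions, consonant-heavy
random strings) and the 0.30 vowel ratio are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "   # created
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "       # modified
    r"(-{8}|\d+) "                            # size, or -------- for a directory
    r"(\S{8}) "                               # attribute flags, e.g. ----a-w-
    r"(.+)$"                                  # path
)
GUID_NAME_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.", re.I)
DOUBLE_EXT_RE = re.compile(r"\.(?:dll|txt|pdf|doc|jpg)\.(?:exe|scr|com)$", re.I)
VOWELS = set("aeiou")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]      # None for directories
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for a ComboFix file line, None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return Entry(created, modified, None if size.startswith("-") else int(size), attrs, path)


def looks_random(stem: str) -> bool:
    """Long, consonant-heavy strings (e.g. u_ntqmlesiytmavwobq) read as generated."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 10:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.30


def reasons_for(entry: Entry) -> List[str]:
    """Name-based reasons to look at a file; location is only added as context."""
    name = entry.name
    stem = name.split(".", 1)[0]
    reasons = []
    if GUID_NAME_RE.match(name):
        reasons.append("guid-shaped name")
    if DOUBLE_EXT_RE.search(name):
        reasons.append("double extension")
    if looks_random(stem):
        reasons.append("random-looking name")
    if reasons and "\\system32\\" in entry.path.lower():
        reasons.append("dropped in system32")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every file entry that trips a heuristic."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None or entry.size is None:   # skip non-entries and directories
            continue
        reasons = reasons_for(entry)
        if reasons:
            hits.append((entry.path, reasons))
    return hits


# Sample input: four lines copied from the thread's ComboFix log, plus two lines
# constructed for this example (dates and sizes invented) for files the log
# reported elsewhere (Other Deletions, and the Firefox extension component).
SAMPLE_LOG = r"""
2011-05-12 02:38 . 2011-05-12 02:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-30 23:44 . 2011-04-30 23:44 -------- d-----w- c:\program files\ERUNT
2011-03-05 23:38 . 2011-03-05 23:38 125918 ----a-w- c:\windows\system32\bdfd40ad-640e-8168-79bb-e3d3eb7a9f9d.exe
2011-02-23 23:54 . 2011-04-11 15:22 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-05-11 20:00 . 2011-05-11 20:00 90112 ----a-w- c:\windows\system32\u_ntqmlesiytmavwobq.dll.exe
2011-02-08 14:09 . 2011-02-08 14:09 2851840 ----a-w- c:\program files\Mozilla Firefox\extensions\{64620e81-b27a-ff43-0ef1-d9818183f5ce}\components\b4901fd7-7a79-3090-a1f6-cbe8f69edf21.dll
"""

if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG):
        print(f"{path}\n    {', '.join(why)}")
```

    Run against the sample, the three files the helper asked about are the only hits; `deployJava1.dll` and `SmartDefragBootTime.exe` pass because their names have normal vowel density and no GUID or double-extension shape. The heuristics are a first pass to pick candidates out of a long log, not a verdict: a hit still needs a hash lookup or a sandbox run, which is exactly what the submission step in this thread is for.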

  3. #13
    Security Expert: Emeritus Blade81
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Hi,

    Open notepad and copy/paste the text in the codebox below into it:

    Code:
    @echo off
    for %%g in (
    c:\qoobox\quarantine\c\windows\system32\u_ntqmlesiytmavwobq.dll.exe.vir
    c:\program files\Mozilla Firefox\extensions\{64620e81-b27a-ff43-0ef1-d9818183f5ce}\components\b4901fd7-7a79-3090-a1f6-cbe8f69edf21.dll
    c:\windows\system32\bdfd40ad-640e-8168-79bb-e3d3eb7a9f9d.exe
    ) do zip Files_for_submission %%g
    del %0
    Save this as grab.bat
    Choose to Save type as - All Files
    Save it on your desktop.
    It should look like this:
    Double click on grab.bat & allow it to run

    A file, Files_for_submission.zip will be created on your desktop. Upload it to this website. Kindly include a link to this topic in the message.

    Let me know when the submission is ready.
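
    The collection step from the two helper posts above (the CFScript `Collect::`/`Suspect::` directives in #11, which made ComboFix zip and quarantine the files, and grab.bat in #13, which pulls one of them back out of `c:\qoobox\quarantine\...\*.vir`), as an added example for this thread. It is not the helper's grab.bat and not ComboFix code. It does what grab.bat does (archive the listed files) and adds what an analyst wants on receipt: a fallback to ComboFix's quarantined copy when the live file is gone, and a `manifest.txt` with SHA-256 hashes and the case URL so the upload can be matched to scanner results. The quarantine root, the manifest name and the dummy sample contents are assumptions; the two file names are the ones from the log.

```python
"""Package suspect files for submission, with ComboFix quarantine fallback.

Added example for this thread; neither the helper's grab.bat nor ComboFix
code. ComboFix moves a deleted c:\dir\file to c:\qoobox\quarantine\c\dir\file.vir
(the layout grab.bat relies on); the quarantine root, manifest name and
dummy contents below are this example's assumptions.
"""
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path, PureWindowsPath
from typing import Callable, Dict, Iterable, List, Optional, Tuple

QUARANTINE_ROOT = PureWindowsPath(r"c:\qoobox\quarantine")     # ComboFix default, per grab.bat
CASE_URL = "http://forums.spybot.info/showthread.php?t=62486"  # the thread's own link


def quarantine_path(original: str) -> str:
    """c:\\dir\\file -> c:\\qoobox\\quarantine\\c\\dir\\file.vir (ComboFix's naming)."""
    p = PureWindowsPath(original)
    drive = p.drive.rstrip(":").lower()
    return str(QUARANTINE_ROOT / drive / PureWindowsPath(*p.parts[1:])) + ".vir"


def resolve_sample(original: str,
                   exists: Callable[[str], bool] = os.path.exists) -> Optional[str]:
    """Prefer the live file; else the quarantined copy; None if neither is present."""
    for candidate in (original, quarantine_path(original)):
        if exists(candidate):
            return candidate
    return None


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_submission(samples: Iterable[Tuple[str, str]], out_zip: str,
                     case_url: str = CASE_URL) -> Dict[str, str]:
    """samples: (original Windows path used as label, local path to read).
    Returns {label: sha256}. Files are stored under their original path so the
    analyst sees where each one lived; manifest.txt records hashes and the case."""
    manifest: Dict[str, str] = {}
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for label, local in samples:
            data = Path(local).read_bytes()
            manifest[label] = sha256_bytes(data)
            zf.writestr(label.replace(":", "").replace("\\", "/"), data)
        lines = [f"case: {case_url}"] + [f"{h}  {l}" for l, h in manifest.items()]
        zf.writestr("manifest.txt", "\n".join(lines) + "\n")
    return manifest


def zip_names(out_zip: str) -> List[str]:
    with zipfile.ZipFile(out_zip) as zf:
        return sorted(zf.namelist())


# Constructed stand-ins for the thread's samples: the names are the ones from
# the log, the contents are dummies invented for this example.
SAMPLE_CONTENT = {
    r"c:\windows\system32\u_ntqmlesiytmavwobq.dll.exe": b"MZ dummy sample one",
    r"c:\windows\system32\bdfd40ad-640e-8168-79bb-e3d3eb7a9f9d.exe": b"MZ dummy sample two",
}


def demo() -> Tuple[Dict[str, str], List[str]]:
    """Write the dummies to a temp dir, build the archive, return (manifest, listing)."""
    tmp = Path(tempfile.mkdtemp(prefix="submission_"))
    samples = []
    for label, content in SAMPLE_CONTENT.items():
        local = tmp / PureWindowsPath(label).name
        local.write_bytes(content)
        samples.append((label, str(local)))
    out = str(tmp / "Files_for_submission.zip")
    return build_submission(samples, out), zip_names(out)


if __name__ == "__main__":
    manifest, names = demo()
    for label, digest in manifest.items():
        print(digest, label)
    print("archive:", names)
```

    On the infected machine `resolve_sample` would be called with the real paths and the default `os.path.exists`; the `exists` parameter is injected only so the fallback can be exercised without a ComboFix quarantine present. Python's `zipfile` cannot write password-protected archives, so if the receiving site asks for the usual "infected" password, that has to be added with an external zip tool.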

  4. #14
    Member
    Join Date: Apr 2011
    Posts: 34

    Files for submission done

    Hi,

    I have submitted the zipped file and put the link in the subject line at bleepingcomputer.com

  5. #15
    Security Expert: Emeritus Blade81
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Hi,


    Open notepad and then copy and paste the lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
    Code:
    @ECHO OFF
    DIR /a/s "c:\program files\Mozilla Firefox\extensions\{64620e81-b27a-ff43-0ef1-d9818183f5ce}\components\b4901fd7-7a79-3090-a1f6-cbe8f69edf21.dll" >Log.txt
    START Log.txt
    DEL %0
    Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please. Were you able to uninstall Adobe Reader in safe mode?

  6. #16
    Member
    Join Date: Apr 2011
    Posts: 34

    log file

    Hi,

    No luck uninstalling Adobe Reader in safe mode, still get the 1402 error.
    Here is the log file.

    --------------------------------------------------
    Volume in drive C has no label.
    Volume Serial Number is 755A-7D16

    Directory of c:\program files\Mozilla Firefox\extensions\{64620e81-b27a-ff43-0ef1-d9818183f5ce}\components

    02/08/2011 07:09 AM 2,851,840 b4901fd7-7a79-3090-a1f6-cbe8f69edf21.dll
    1 File(s) 2,851,840 bytes

    Total Files Listed:
    1 File(s) 2,851,840 bytes
    0 Dir(s) 19,405,762,560 bytes free

  7. #17
    Security Expert: Emeritus Blade81
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Hi,

    Please archive the following file into a zip file and submit it to Bleeping Computer like you did with the earlier one:
    c:\program files\Mozilla Firefox\extensions\{64620e81-b27a-ff43-0ef1-d9818183f5ce}\components\b4901fd7-7a79-3090-a1f6-cbe8f69edf21.dll

  8. #18
    Member
    Join Date: Apr 2011
    Posts: 34

    file submitted

    Thanks for ALL your help!

  9. #19
    Security Expert: Emeritus Blade81
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Hi,

    Click Start, Run and type regedit.exe and go to following location:

    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.api\AcroExch.Plugin\ShellNew

    On the Edit menu (or right-click the ShellNew folder), click Permissions.

    Select your user account from the list, and ensure that the Full Control permission is set to Allow.

    Select the Administrators group from the list, and give them Full Control permissions.

    Click the Advanced button

    Select Replace permission entries on all child objects with entries shown here that apply to child objects.

    Deselect Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here

    Click Apply, and then click Yes when you are prompted to continue. Click OK, and then click OK again.

    Exit the Registry editor.


    See if you're able to uninstall the old Adobe Reader now (if the error still appears, post back a screenshot of it).
    Last edited by Blade81; 2011-05-14 at 19:16.

  10. #20
    Member
    Join Date: Apr 2011
    Posts: 34

    Still can't install Adobe Acrobat

    Hi
    I was able to change the permissions as you instructed. I then tried to install Acrobat reader 10. I still get the 1402 error. Attached is the screen shot of the error message and where the install stopped.
    Thanks!
