View Full Version : Hi, Cannot open any antivirus/malware/spyware programs
Hello,
2 Days ago I noticed that I could not open any anti spyware or malware programs like Spybot Search and Destroy, I was uninstalling and reinstalling to no avail. I finally came accross this forum and found that many of the posts are the same as mine. I have read the "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)" thread.
I do have uTorrent and I am going to uninstall that right away as I have read that it needs to be removed from this forum. I will go all the way with this, and do anything to get this problem fixed.
Whenever I try to open anti spyware/malware/virus it says "windows cannot access the specified device path or file. you may not have appropriate permissions to access the item", and now my games will not run on loading races (Like my Need for Speed SHIFT Demo). They say that it has encountered a problem and needs to close.
I hope this is enough info and really hope you can help me :)
P.S. Going to college, will be 4 hours.
Respect,
(*$malli$*)
Hello Malli
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Please download RootRepeal one of these locations and save it to your desktop
Here (http://ad13.geekstogo.com/RootRepeal.exe)
Here (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Here (http://rootrepeal.psikotick.com/RootRepeal.exe)
Open http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png on your desktop.
Click the http://billy-oneal.com/forums/rootRepeal/reportTab.png tab.
Click the http://billy-oneal.com/forums/rootRepeal/btnScan.png button.
Check just these boxes:
http://forums.whatthetech.com/uploads/monthly_08_2009/post-75503-1250480183.gif
Push Ok
Check the box for your main system drive (Usually C:, and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the http://billy-oneal.com/forums/rootRepeal/saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.
Hello, thank you very much for your reply. Here is the report:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/26 02:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAC98A000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5E6000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9613000 Size: 49152 File Visible: No Signed: -
Status: -
Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBA378000 Size: 20480 File Visible: No Signed: -
Status: -
Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xACB36000 Size: 61440 File Visible: No Signed: -
Status: -
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba0f887e
#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba0f8bfe
==EOF==
Respect,
(*$malli$*)
Good Morning,
No need to attach or quote any reports, its easier for us if you just copy and paste them in. Looks like a Rootkit infection is involved here causing you all your grief.
This is a bit hard to remove but it can be done, as to not overwhelm you we will take it one step at a time.
Download and run Win32kDiag:
Download Win32kDiag from any of the following locations and save it to your Desktop.
Download Win32kDiag (Win32kDiag.exe) - #1 (http://ad13.geekstogo.com/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #2 (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #3 (http://rootrepeal.psikotick.com/Win32kDiag.exe)
Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
Morning :)
Here is the content:
Running from: C:\Documents and Settings\malli\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\malli\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1FF.tmp\ZAP1FF.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20B.tmp\ZAP20B.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP21C.tmp\ZAP21C.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}\{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe
[1] 2008-04-14 13:42:22 744448 C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe ()
[1] 2008-04-14 13:42:22 744448 C:\WINDOWS\system32\dllcache\helpsvc.exe (Microsoft Corporation)
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-14 13:41:54 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-14 13:41:54 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-14 13:41:54 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Finished!
I uninstalled Spybot S&D before I started all this so that I can get a clean install once everything is fixed (hopefully).
Thankyou ^_^
(*$malli$*)
Hi,
Your infected with max++, this is a nasty Rootkit that is preventing all your security programs from running.
Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r
Done it. Oh, before I did what you just asked I put the previous win32kDiag.txt file in a separate folder on my desktop as it was going to be the same name. (Unless you meant it to sill be there?):
Running from: C:\Documents and Settings\malli\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\malli\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1FF.tmp\ZAP1FF.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1FF.tmp\ZAP1FF.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20B.tmp\ZAP20B.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20B.tmp\ZAP20B.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP21C.tmp\ZAP21C.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP21C.tmp\ZAP21C.tmp
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\temp\temp
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\tmp\tmp
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Config\Config
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\chsime\applets\applets
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp\applets\applets
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp98\imejp98
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\shared\res\res
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Found mount point : C:\WINDOWS\Installer\{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}\{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}\{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\classes\classes
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\trustlib\trustlib
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Minidump\Minidump
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe
Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PIF\PIF
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\security\logs\logs
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-14 13:41:54 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-14 13:41:54 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-14 13:41:54 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Finished!
Great, it done its job.
Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
Done that:
exeHelper by Raktor - 09
Build 20090925
Run at 12:21:12 on 09/26/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
Hey, I will be going out for about 2 hours in a min, thanks very much so far for your help, I really appreciate it.
Respect,
(*$malli$*)
What we have been doing is slowly disabling this rootkit, but its not removed yet. We are going to run Combofix, its very important that you rename it, it may not run if you do not.
I will be away from late morning until early evening, have to go watch the Florida Gators beat Kentucky :bigthumb: Big BBQ prior to the game.
This is College Football by the way
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Hello,
Hope you had a good time! (Wish I had a BBQ right now)... Did Florida Gators win? :)
Anyway here is the log. Lol you know everything about my computer now with all them details :P. I did uninstall uTorrent by the way, so I don't know why it is still there :/
ComboFix 09-09-25.01 - malli 09/26/2009 16:03.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1564 [GMT 1:00]
Running from: c:\documents and settings\malli\Desktop\Combo-Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\malli\Local Settings\Temporary Internet Files\mcc182.tmp
c:\documents and settings\malli\Local Settings\Temporary Internet Files\mcc268.tmp
c:\documents and settings\malli\Local Settings\Temporary Internet Files\mccB765.tmp
c:\documents and settings\malli\Local Settings\Temporary Internet Files\mccBE.tmp
c:\documents and settings\malli\Local Settings\Temporary Internet Files\mccD90B.tmp
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\windows\Installer\f240eb.msi
c:\windows\system\update.exe
c:\windows\system32\tmp74.tmp
c:\windows\system32\tmp75.tmp
D:\AUTORUN.INF
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 )))))))))))))))))))))))))))))))
.
2009-09-23 01:06 . 2009-09-23 01:06 -------- d-----w- c:\program files\ESET
2009-09-22 22:03 . 2009-09-22 22:03 -------- d-----w- c:\documents and settings\malli\Application Data\Malwarebytes
2009-09-22 22:03 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-22 22:03 . 2009-09-22 22:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-22 22:03 . 2009-09-22 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-22 22:03 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-22 21:49 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-22 21:49 . 2009-09-22 21:49 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-22 21:49 . 2009-09-22 21:49 -------- d-----w- c:\program files\Lavasoft
2009-09-22 14:48 . 2009-09-22 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-22 14:30 . 2009-09-22 21:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-20 23:03 . 2009-09-22 13:02 -------- d-----w- c:\documents and settings\malli\Local Settings\Application Data\AVG Security Toolbar(2)
2009-09-20 23:02 . 2009-09-22 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar(2)
2009-09-20 22:50 . 2009-09-26 09:15 0 ----a-r- c:\windows\win32k.sys
2009-09-20 18:35 . 2009-09-22 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8(2)
2009-09-20 16:22 . 2009-09-22 13:06 -------- d-----w- c:\program files\Monitor Calibration Wizard
2009-09-20 15:10 . 2009-09-20 15:10 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-18 23:44 . 2009-09-18 23:44 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-09-18 23:44 . 2009-07-15 10:48 29000 ----a-w- c:\windows\system32\uxtuneup.dll
2009-09-18 23:44 . 2009-09-18 23:44 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-09-18 23:44 . 2009-09-18 23:44 -------- d-----w- c:\documents and settings\malli\Application Data\TuneUp Software
2009-09-18 23:44 . 2009-09-18 23:44 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-09-18 23:44 . 2009-09-18 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-09-18 19:12 . 2009-09-18 19:12 -------- d-----w- c:\windows\system32\AGEIA
2009-09-18 19:12 . 2009-09-18 19:12 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-05 06:49 . 2009-09-05 06:49 45 ----a-w- c:\documents and settings\malli\jagex_runescape_preferences2.dat
2009-08-31 12:42 . 2009-08-31 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-26 01:04 . 2009-05-24 20:11 -------- d-----w- c:\documents and settings\malli\Application Data\uTorrent
2009-09-22 21:41 . 2009-07-19 13:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-22 21:28 . 2009-09-21 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-22 13:01 . 2009-09-21 00:03 -------- d-----w- c:\documents and settings\malli\Application Data\WinPatrol
2009-09-22 13:01 . 2009-08-06 00:54 -------- d-----w- c:\program files\Opera
2009-09-20 15:09 . 2009-08-20 22:26 774088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-20 15:08 . 2009-07-19 12:25 -------- d-----w- c:\documents and settings\malli\Application Data\Bioshock
2009-09-20 01:49 . 2009-07-30 04:00 -------- d-----w- c:\documents and settings\malli\Application Data\IMVU
2009-09-19 00:56 . 2009-06-18 19:05 57656 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-10 00:27 . 2009-05-28 22:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 00:21 . 2009-05-29 06:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-05 06:49 . 2009-08-24 12:30 37 ----a-w- c:\documents and settings\malli\jagex_runescape_preferences.dat
2009-08-28 02:46 . 2009-07-30 03:59 -------- d-----w- c:\documents and settings\malli\Application Data\IMVUClient
2009-08-24 13:43 . 2009-05-24 14:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-24 12:55 . 2009-08-24 12:53 -------- d-----w- c:\program files\MixMeister Fusion
2009-08-24 12:54 . 2009-08-24 12:54 -------- d-----w- c:\documents and settings\malli\Application Data\MixMeister Technology
2009-08-20 22:12 . 2009-08-20 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-08-20 22:10 . 2009-08-20 22:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2009-08-20 22:10 . 2009-08-20 22:02 -------- d-----w- c:\documents and settings\malli\Application Data\uniblue
2009-08-20 22:10 . 2009-08-20 22:00 -------- d-----w- c:\program files\Uniblue
2009-08-20 22:07 . 2009-08-20 22:07 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-08-20 22:05 . 2009-08-20 22:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{A613CA96-150A-4A1D-90CE-67F81379DF8C}
2009-08-18 11:44 . 2009-08-18 11:44 128 ----a-w- c:\documents and settings\malli\Local Settings\Application Data\fusioncache.dat
2009-08-17 16:10 . 2009-05-24 14:36 72624 ----a-w- c:\documents and settings\malli\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 15:06 . 2009-06-08 16:32 -------- d-----w- c:\program files\Safari
2009-08-17 11:48 . 2009-08-17 11:48 -------- d-----w- c:\program files\GameSpy
2009-08-17 11:45 . 2009-08-17 11:45 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-17 11:45 . 2009-08-17 11:45 22328 ----a-w- c:\documents and settings\malli\Application Data\PnkBstrK.sys
2009-08-17 11:45 . 2009-08-17 11:45 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-17 11:45 . 2009-08-17 11:45 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-08-17 11:45 . 2009-08-17 11:45 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-08-14 22:29 . 2009-06-03 15:03 -------- d-----w- c:\program files\Vodafone PC Assistant
2009-08-14 05:58 . 2009-09-22 14:35 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-14 00:45 . 2009-08-14 00:45 -------- d-----w- c:\documents and settings\malli\Application Data\Amazon
2009-08-10 10:27 . 2009-08-09 09:08 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-08-09 09:08 . 2009-08-09 09:08 -------- d-----w- c:\documents and settings\malli\Application Data\Atari
2009-08-09 09:08 . 2009-08-09 09:08 -------- d-----w- c:\program files\Common Files\PocketSoft
2009-08-06 12:52 . 2009-05-25 00:05 -------- d-----w- c:\program files\Java
2009-08-06 07:37 . 2009-07-19 18:31 82548 ----a-w- c:\windows\War3Unin.dat
2009-08-05 09:01 . 2008-04-14 12:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 20:55 . 2009-08-04 20:55 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-08-04 20:48 . 2009-08-04 20:48 -------- d-----w- c:\documents and settings\malli\Application Data\Media Player Classic
2009-08-03 14:07 . 2009-08-03 14:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 14:07 . 2009-08-03 14:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 14:07 . 2009-08-03 14:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-31 21:45 . 2009-05-24 17:45 -------- d-----w- c:\documents and settings\malli\Application Data\SPORE
2009-07-25 04:23 . 2009-05-25 00:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-20 08:34 . 2009-07-20 08:34 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-07-19 18:45 . 2009-07-19 18:31 2829 ----a-w- c:\windows\War3Unin.pif
2009-07-19 18:45 . 2009-07-19 18:31 139264 ----a-w- c:\windows\War3Unin.exe
2009-07-17 19:01 . 2008-04-14 12:41 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2009-01-12 02:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2009-01-12 02:43 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 18:38 . 2009-06-29 18:38 33061 ----a-w- c:\windows\king-uninstall.exe
.
------- Sigcheck -------
[-] 2009-01-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"Google Update"="c:\documents and settings\malli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-12 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2008-09-11 1517056]
"btbb_wcm_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2007-11-29 1474048]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Acrobat Assistant 8.0"="d:\documents\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-05-20 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Windows*Updates"=c:\windows\system\Update.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Acrobat Speed Launcher"="d:\documents\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Windows*Updates"=c:\windows\system\Update.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Codemasters\\GRID Demo\\GRID.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"d:\\Games\\Street Fighter\\StreetFighterIV.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Games\\Crysis\\Bin32\\Crysis.exe"=
"d:\\Games\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/22/2009 10:49 PM 64160]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [9/19/2009 12:44 AM 604488]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [4/1/2009 12:28 PM 93184]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\IS360srv.exe --> c:\program files\IObit\IObit Security 360\IS360srv.exe [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 3:49 PM 1029456]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys --> c:\windows\system32\drivers\Ambfilt.sys [?]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [5/24/2009 2:33 AM 83552]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmvmdm.sys [6/3/2009 4:04 PM 101120]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{Y8OBC5C0-4FCB-11CF-AAX5-81CX1C635612}]
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\svchost.exe
.
Contents of the 'Scheduled Tasks' folder
2009-09-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-07-16 09:54]
2009-09-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
2009-09-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-09-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1757981266-343818398-1003Core.job
- c:\documents and settings\malli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 18:29]
2009-09-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1757981266-343818398-1003UA.job
- c:\documents and settings\malli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 18:29]
2009-09-26 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-24 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\malli\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: motive.com\pbttbc.bt
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\malli\Application Data\Mozilla\Firefox\Profiles\t6a4xpzc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\documents and settings\malli\Application Data\Mozilla\Firefox\Profiles\t6a4xpzc.default\extensions\{4037A226-F33F-427c-803C-DB710DB665EA}\components\bhelper.dll
FF - plugin: c:\documents and settings\malli\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmidas.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: d:\documents\Adobe\Acrobat 9.0\Acrobat\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Notify-avgrsstarter - avgrsstx.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-26 16:10
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1390067357-1757981266-343818398-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:18,31,d7,88,02,a1,22,5b,72,64,de,ec,06,41,96,78,bd,40,ca,f9,4a,06,dc,
1e,5f,6c,b0,ce,2e,dd,1b,b2,96,a8,61,cd,cc,70,c8,48,9b,49,7a,57,4e,2e,0e,52,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
[HKEY_USERS\S-1-5-21-1390067357-1757981266-343818398-1003\Software\SecuROM\License information*]
"datasecu"=hex:c8,7c,4d,99,e0,20,ed,71,18,8f,91,7b,5d,18,c7,37,3b,0c,47,d4,16,
d3,6a,7f,79,48,5d,6e,7e,9d,29,b8,8d,fe,8e,21,8e,bd,cc,86,f5,00,da,f1,ef,ef,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
- - - - - - - > 'explorer.exe'(2876)
c:\windows\system32\WININET.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-09-26 16:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-26 15:15
Pre-Run: 8,892,325,888 bytes free
Post-Run: 8,996,417,536 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
297 --- E O F --- 2009-09-10 00:24
Thank you,
(*$malli$*)
Hi,
The Florida Gators play at 6 USA time.
I need a bit of time to look over your log, in the meantime do this.
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com (http://www.techsupportforum.com/sectools/sUBs/dds)
DDS.scr (http://download.bleepingcomputer.com/sUBs/dds.scr)
DDS.pif (http://www.forospyware.com/sUBs/dds)
Double click on the DDS icon, allow it to run.
A small box will open, with an explaination about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control Here (http://www.bleepingcomputer.com/forums/topic114351.html)
Here you go:
Malwarebytes Report
Malwarebytes' Anti-Malware 1.41
Database version: 2862
Windows 5.1.2600 Service Pack 3
9/26/2009 6:38:28 PM
mbam-log-2009-09-26 (18-38-28).txt
Scan type: Quick Scan
Objects scanned: 99766
Time elapsed: 6 minute(s), 7 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{y8obc5c0-4fcb-11cf-aax5-81cx1c635612} (Generic.Bot.H) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
DDS Report
DDS (Ver_09-09-24.01) - NTFSx86
Run by malli at 18:46:53.75 on Sat 09/26/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1562 [GMT 1:00]
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
D:\Documents\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\malli\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - d:\documents\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - d:\documents\adobe\/Adobe Contribute CS4/contributeieplugin.dll
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\documents and settings\malli\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [btbb_wcm_McciTrayApp] c:\program files\bt broadband desktop help\btbb_wcm\McciTrayApp.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Acrobat Assistant 8.0] "d:\documents\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\malli\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: motive.com\pbttbc.bt
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\mi1933~1\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\malli\applic~1\mozilla\firefox\profiles\t6a4xpzc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\documents and settings\malli\application data\mozilla\firefox\profiles\t6a4xpzc.default\extensions\{4037a226-f33f-427c-803c-db710db665ea}\components\bhelper.dll
FF - plugin: c:\documents and settings\malli\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmidas.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: d:\documents\adobe\acrobat 9.0\acrobat\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-22 64160]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-9-29 935208]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-9-19 604488]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-4-1 93184]
S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe --> c:\program files\iobit\iobit security 360\IS360srv.exe [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys --> c:\windows\system32\drivers\Ambfilt.sys [?]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [2009-5-24 83552]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmvmdm.sys [2009-6-3 101120]
=============== Created Last 30 ================
2009-09-26 18:29 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-26 18:29 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-26 18:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-26 16:01 <DIR> a-dshr-- C:\cmdcons
2009-09-26 16:00 229,888 a------- c:\windows\PEV.exe
2009-09-26 16:00 161,792 a------- c:\windows\SWREG.exe
2009-09-26 16:00 98,816 a------- c:\windows\sed.exe
2009-09-23 02:06 <DIR> --d----- c:\program files\ESET
2009-09-22 23:03 <DIR> --d----- c:\docume~1\malli\applic~1\Malwarebytes
2009-09-22 23:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-22 22:49 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-09-22 22:49 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-22 22:49 <DIR> --d----- c:\program files\Lavasoft
2009-09-22 15:35 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-09-22 15:30 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-21 21:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-21 20:52 <DIR> --d----- C:\!KillBox
2009-09-21 01:03 <DIR> --d----- c:\docume~1\malli\applic~1\WinPatrol
2009-09-21 00:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar(2)
2009-09-20 19:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8(2)
2009-09-20 17:22 7 a------- c:\windows\INI2=No
2009-09-20 17:22 7 a------- c:\windows\INI1=No
2009-09-20 17:22 <DIR> --d----- c:\program files\Monitor Calibration Wizard
2009-09-20 16:10 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-09-19 00:44 604,488 a------- c:\windows\system32\TUProgSt.exe
2009-09-19 00:44 29,000 a------- c:\windows\system32\uxtuneup.dll
2009-09-19 00:44 361,288 a------- c:\windows\system32\TuneUpDefragService.exe
2009-09-19 00:44 <DIR> --d----- c:\docume~1\malli\applic~1\TuneUp Software
2009-09-19 00:44 <DIR> --d----- c:\program files\TuneUp Utilities 2009
2009-09-19 00:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TuneUp Software
2009-09-18 20:12 <DIR> --d----- c:\windows\system32\AGEIA
2009-09-09 18:29 139,264 a------- c:\windows\system32\pinyinput.ime
2009-09-05 07:49 45 a------- c:\documents and settings\malli\jagex_runescape_preferences2.dat
==================== Find3M ====================
2009-09-19 01:56 57,656 a---h--- c:\windows\system32\mlfcache.dat
2009-09-05 07:49 37 a------- c:\documents and settings\malli\jagex_runescape_preferences.dat
2009-08-17 12:45 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-17 12:45 22,328 a------- c:\docume~1\malli\applic~1\PnkBstrK.sys
2009-08-17 12:45 103,736 a------- c:\windows\system32\PnkBstrB.exe
2009-08-17 12:45 669,184 a------- c:\windows\system32\pbsvc.exe
2009-08-17 12:45 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-08-10 11:27 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-08-06 08:37 82,548 a------- c:\windows\War3Unin.dat
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-20 09:34 70,936 a------- c:\windows\system32\PhysXLoader.dll
2009-07-19 19:45 2,829 a------- c:\windows\War3Unin.pif
2009-07-19 19:45 139,264 a------- c:\windows\War3Unin.exe
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 16:32 171,214 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 18:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-29 19:38 33,061 a------- c:\windows\king-uninstall.exe
2009-05-24 02:16 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-05-24 02:16 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052320090524\index.dat
2009-05-24 02:16 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
============= FINISH: 18:47:25.32 ===============
Also with the DDS Report was something called "Attach.txt" and it told me to zip it and post it on the forums as an attachment.
Thank you so far.
Respect,
(*$malli$*)
Congrats, your logs look fine :bigthumb:
How are things running now ?
Hello, looks like it worked!! :D
Just one problem though, on my game (Need for Speed Shift Demo) it closes just when I'm about to accelerate at the start of a race and comes up with this error:
http://img121.imageshack.us/img121/958/pic02f.th.jpg (http://img121.imageshack.us/i/pic02f.jpg/)
I was wandering if there is any fix for this at all??
Also I don't think this is for this area but When I first got my new Graphics card (ATI Radeon HD 4850), it was running great. But now whenever I play a racing game for about 5 mins, it starts to lag quite badly. It never did this when I first bought it. This problem isnt that important though, but I thought I would post it just incase you do know how to help :).
By the way, is there anything you recommend for me to do, to keep protected in the future?
Thank you very much Ken545 for all your help so far, I will most definatly recommend this great team/forum to any of my friends who experience malware/spyware/virus issues.
Respect,
(*$malli$*)
Malli,
Graphics cards get very hot. This may or may not be your problem. There should be a fan attached to it, open the case and make sure its running. If it has no fan you can buy one fairly cheap to insert in an open slot right next to it to help keep it cool. You can post here for help here
http://forums.whatthetech.com/General_Hardware_f126.html
Don't know what to tell you on your game, we just do malware removal on this forum.
RootRepeal <--Drag it to the trash
TFC <--Yours to keep, run it about once aweek to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Safe Surfn
Ken
Thanks once again Ken,
Was wandering if you know of any forums or other places that could deal with the "shiftdemo.exe has encountered a problem..." error at all, as I was able to play it fine before I got the malware which seams to be gone now as I can run everything ells fine, just not my Shift Demo :(.
If it is something that you cannot help me on or tell me about a place that could help me, that's fine. I just thank you for all the help you have given, as you have fixed the main of my problems.
Respect,
(*$malli$*)
Malli,
I am not a gamer so I really don't know. You may want to try uninstalling it and then reinstalling it to see if that helps.
I have tried that, I will take a look over at their forums, maybe somebody has experienced the same problem as me (hopefully). I have had these "(name of program).exe has encountered and needs to close" errors before. I have no recollection on how I got rid of it as it was many years ago, It sounds like a problem with the registry.
(*$malli$*)
I got it fixed :). I had to change some settings in the game. Thanks again for all the help.
Respect,
(*$malli$*)
Great, glad to hear that. Thanks for letting me know.
Ken
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.