Thanks for the logs.
Why have you run ComboFix there? I can't recall giving you any instructions related to it. Post contents of c:\ComboFix.txt file, please.
Thanks for the logs.
Why have you run ComboFix there? I can't recall giving you any instructions related to it. Post contents of c:\ComboFix.txt file, please.
Microsoft Windows Insider MVP 2016-2020
Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
If you have problems create a thread in the forum, please.
Malware removal instructions are for the correspondent user's case only.
Sorry about that -- my daughter's boyfriend tried to "help" yesterday while I was at work -- I've told them hands-off till we're done.
I can't find combofix.txt - or .exe for that matter. I assume he deleted the files after he was done.
Then we can do nothing else than run it again.
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/comb...o-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.
- Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds.txt log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Microsoft Windows Insider MVP 2016-2020
Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
If you have problems create a thread in the forum, please.
Malware removal instructions are for the correspondent user's case only.
ComboFix 09-08-07.09 - Owner 08/08/2009 2:03:21.4.1 - NTFSx86
Running from: C:\CFIx\ComboFix.exe
Command switches used :: C:\CFIx\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
.
/wow section - STAGE 32A
Access is denied.
/wow section - STAGE 48
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
/wow section - STAGE 50
Access is denied.
DDS (Ver_09-07-30.01) - NTFSx86 MINIMAL
Run by Administrator at 19:41:30.15 on Thu 08/06/2009
Internet Explorer: 7.0.5730.13
AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
============== Running Processes ===============
============== Pseudo HJT Report ===============
uStart Page = about:blank
mStart Page = about:blank
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
uRunOnce: [SPRTRA] iexplore https://www.tmremote.com/sdcxuser/ra...de=2&op=reboot
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\owner.your-25a3bd3417\start menu\programs\ultimatebet\UltimateBet.lnk
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://www.tmremote.com/sdccommon/download/tgctlcm.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll
============= SERVICES / DRIVERS ===============
=============== Created Last 30 ================
2009-08-06 14:37 <DIR> --ds---- C:\test
2009-08-06 14:37 389,120 a------- c:\windows\system32\CF18593.exe
2009-08-06 12:49 389,120 a------- c:\windows\system32\CF30086.exe
2009-08-06 12:43 <DIR> --d----- C:\RootkitBuster2.52.0.1013
2009-08-06 12:42 0 a------- C:\settings.dat
2009-08-06 12:42 1,055,676 a------- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 12:33 <DIR> --d----- C:\Autoruns
2009-08-06 12:33 576,280 a------- C:\Autoruns.zip
2009-08-06 12:20 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-06 12:15 <DIR> --d----- c:\windows\system32\Service
2009-08-06 12:06 219,648 a------- c:\windows\PEV.exe
2009-08-06 12:06 161,792 a------- c:\windows\SWREG.exe
2009-08-06 12:06 98,816 a------- c:\windows\sed.exe
2009-08-06 12:04 <DIR> --d----- c:\docume~1\admini~1\applic~1\SupportSoft
2009-08-06 11:07 <DIR> --d----- c:\program files\tmRemoteProdPID
2009-08-06 11:07 <DIR> --d----- c:\program files\common files\supportsoft
2009-08-05 11:52 <DIR> --d----- C:\Pesticide
2009-08-03 17:49 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-03 17:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-02 00:50 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-08-02 00:49 <DIR> --d----- c:\windows\ERUNT
2009-08-02 00:35 <DIR> --d----- C:\SDfix
2009-08-01 15:28 153,104 a------- c:\windows\system32\tmcomm.sys
2009-08-01 15:28 50,192 a------- c:\windows\system32\tmevtmgr.sys
2009-08-01 15:28 50,192 a------- c:\windows\system32\tmactmon.sys
2009-08-01 11:59 <DIR> --d----- c:\windows\LocalSSL
2009-08-01 11:48 46,456 a----r-- c:\windows\system32\exitwx.exe
2009-07-31 08:50 17,446 a------- c:\docume~1\alluse~1\applic~1\ukeginyzal.sys
2009-07-31 08:50 15,603 a------- c:\docume~1\alluse~1\applic~1\relu.com
2009-07-31 08:50 13,422 a------- c:\program files\common files\zojytamy.vbs
2009-07-31 08:50 13,415 a------- c:\program files\common files\lodydob.bin
2009-07-31 08:49 <DIR> --d----- c:\program files\HomeAntivirus2010
2009-07-24 23:51 <DIR> --d----- c:\program files\Hero Editor
2009-07-24 23:51 249,856 -------- c:\windows\Setup1.exe
2009-07-24 23:51 73,216 a------- c:\windows\ST6UNST.EXE
2009-07-24 21:55 <DIR> --d----- c:\program files\Shared
2009-07-20 10:41 <DIR> --d----- c:\program files\DoylesRoom
2009-07-13 12:16 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-07-13 12:16 17,212 a------t c:\windows\system32\SIntf32.dll
2009-07-13 12:16 12,067 a------t c:\windows\system32\SIntf16.dll
2009-07-13 11:55 35,715 a------- c:\windows\DIIUnin.dat
2009-07-13 11:55 94,208 a------- c:\windows\DIIUnin.exe
2009-07-13 11:55 2,829 a------- c:\windows\DIIUnin.pif
2009-07-13 11:43 <DIR> --d----- c:\program files\Diablo II
2009-07-13 10:26 <DIR> --d----- c:\program files\Poker Pal Pro Edition
2009-07-11 14:55 139,264 a------- c:\windows\system32\igfxres.dll
2009-07-10 09:04 126,976 a------- c:\windows\W3DemoUnin.exe
2009-07-10 09:04 12,692 a------- c:\windows\W3DemoUnin.dat
2009-07-10 09:04 2,829 a------- c:\windows\W3DemoUnin.pif
2009-07-10 09:04 <DIR> --d----- c:\program files\Warcraft III Demo
2009-07-08 11:28 <DIR> --d----- c:\program files\Gateway
==================== Find3M ====================
2009-07-05 17:29 102,400 a------- c:\windows\DIIDUnin.exe
2009-07-05 17:29 19,143 a------- c:\windows\DIIDUnin.dat
2009-07-05 17:29 2,829 a------- c:\windows\DIIDUnin.pif
2009-06-29 09:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 09:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 09:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
============= FINISH: 19:41:44.43 ===============
Hi,
See if you're able to run ComboFix in safe mode.
Microsoft Windows Insider MVP 2016-2020
Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
If you have problems create a thread in the forum, please.
Malware removal instructions are for the correspondent user's case only.
ComboFix 09-08-07.09 - Administrator 08/08/2009 9:18:58.6.1 - NTFSx86 MINIMAL
Running from: C:\CFIx\ComboFix.exe
Command switches used :: C:\CFIx\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
.
/wow section - STAGE 32A
Access is denied.
/wow section - STAGE 48
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
/wow section - STAGE 50
Access is denied.
Watching the screen as ComboFix runs, when it first starts, I see "access denied" twice, and then at the end of the scan, after the line about "the system will restart don't restart manually", I again see "access denied" three more times
Hi,
Try running ComboFix thru in safe mode with command prompt. Here are steps to follow (print/save these since you won't be able to access them while in safe mode):
Press F8 before Windows' loading screen and select safe mode with command prompt -option.
Then write following commands (I assume you have ComboFix.exe in C:\CFIx folder):
- cd\CFIx
- ComboFix.exe
When ComboFix reboots select safe mode with command prompt again so that ComboFix will finish there.
Microsoft Windows Insider MVP 2016-2020
Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
If you have problems create a thread in the forum, please.
Malware removal instructions are for the correspondent user's case only.
Here's ComboFix run from SafeMode-CommandPrompt. Watch it run, I'm still seeing two "Access denied" when it first opens, and three more after the "rebooting system" message.
=====================================
ComboFix 09-08-07.09 - Administrator 08/08/2009 20:30:30.7.1 - NTFSx86 MINIMAL
Running from: C:\CFIx\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 32A
Access is denied.
/wow section - STAGE 48
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
/wow section - STAGE 50
Access is denied.