Click.giftload and other malwares

I can't even run it!

The System Restore seems to have knackered it. It looks like the majority of the services just aren't starting up so simple things like running programs aren't working. Even when I booted into safe mode ComboFix wouldn't load up.

It seems as though it's trying to get the services working but some keep dropping out rendering it useless.

Ah well it was worth a shot, I'll just re-install the OS.

Thanks for your help though.
 
Most times, with the threats going around and with your operating system appearing somewhat damaged, it's not a bad idea to format and reinstall, but this is up to you.

If you want to continue, then do this:

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



Drag your copy of Combofix to the trash and redownload it, but follow the instructions for renaming it.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2


[Image: CF_download_FF.gif]



[Image: CF_download_rename.gif]


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[Image: RC1.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[Image: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
exeHelper log

exeHelper by Raktor
Build 20100414
Run at 21:29:18 on 05/09/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
 
ComboFix log

I had a bit of trouble disabling Microsoft Security Essentials. I disabled the real time protection, but CF said that it was still running. I then killed the process in task manager and ran CF again but it still thought it was running. I went ahead anyway as there was no more I could do and it seems to have run ok.

I got a few Windows errors as it was running along the lines of "pev.exe has stopped working" but it seemed to carry on anyway.

Cheers,
Nick

ComboFix 11-05-09.01 - LSS 09/05/2011 22:23:55.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3066.2037 [GMT 1:00]
Running from: c:\users\LSS\Desktop\Combo-Fix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\PCDr\5744\Downloads\162088e9-0b41-471a-947d-e6bfb7774266.dll
c:\programdata\PCDr\5744\Downloads\3060b7ae-c612-4b71-be9a-0721727ba831.dll
c:\programdata\PCDr\5744\Downloads\3abc4f65-3752-4824-83cd-674c30d9f41c.dll
c:\programdata\PCDr\5744\Downloads\4128ef4c-5308-415e-947b-b523a115be2d.dll
c:\programdata\PCDr\5744\Downloads\4b07fd4d-6cb2-4166-8e08-7e3d0fb96a24.dll
c:\programdata\PCDr\5744\Downloads\654e4133-96c6-421b-9240-26a29538de3f.dll
c:\programdata\PCDr\5744\Downloads\69bf7709-6da5-40eb-b648-3731ebda143c.dll
c:\programdata\PCDr\5744\Downloads\7cfc7ddb-2ff0-41ad-a5d7-3e2c7c6da278.dll
c:\programdata\PCDr\5744\Downloads\920b4bdb-56cb-44d8-b977-2de6535367f0.dll
c:\programdata\PCDr\5744\Downloads\94c1bf6e-ecf1-4c5d-ad15-1b8540879958.dll
c:\programdata\PCDr\5744\Downloads\a12cd2ff-9e6d-4d89-a010-63188cb6a861.dll
c:\programdata\PCDr\5744\Downloads\c6bcc260-2097-4f4f-a0c3-098183f01ac5.dll
c:\programdata\PCDr\5744\Downloads\db49fe36-7c40-41f5-b9c1-5a7c3297c269.dll
c:\programdata\PCDr\5744\Downloads\db760e79-da96-4a2b-a687-8256c6e72fb6.dll
c:\programdata\PCDr\5744\Downloads\e3d50fea-9128-4ef0-9ea5-b4d74186612f.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-09 to 2011-05-09 )))))))))))))))))))))))))))))))
.
.
2011-05-09 21:32 . 2011-05-09 21:32 -------- d-----w- c:\users\LSS\AppData\Local\temp
2011-05-09 21:05 . 2011-05-09 21:11 -------- d-----w- C:\32788R22FWJFW
2011-05-09 20:25 . 2011-04-18 08:15 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7FC37DF4-6AFB-4FF8-9EF2-6DE45537A4CF}\mpengine.dll
2011-05-06 18:26 . 2011-05-06 18:26 -------- d-sh--w- c:\users\LSS\%APPDATA%
2011-05-06 18:25 . 2011-04-18 08:15 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-05-05 18:08 . 2011-05-05 18:08 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-05-05 14:52 . 2011-05-05 14:52 -------- d-----w- c:\program files\ESET
2011-05-05 14:35 . 2011-05-06 21:16 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Google
2011-05-05 14:35 . 2011-05-06 21:15 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Deployment
2011-05-05 14:35 . 2011-05-05 14:35 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Apps
2011-05-05 08:22 . 2011-05-05 08:22 -------- d-----w- C:\_OTL
2011-05-05 08:16 . 2011-05-05 08:16 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\ATI
2011-05-05 08:16 . 2011-05-05 08:16 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\ATI
2011-05-05 08:15 . 2011-05-09 20:02 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-05-04 21:49 . 2011-05-04 21:49 -------- d-----w- c:\users\LSS\AppData\Roaming\Malwarebytes
2011-05-04 21:49 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-04 21:49 . 2011-05-04 21:49 -------- d-----w- c:\programdata\Malwarebytes
2011-05-04 21:49 . 2011-05-09 20:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-04 21:49 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-04 21:47 . 2011-05-04 21:47 -------- d-----w- c:\users\LSS\AppData\Local\Adobe
2011-04-29 20:13 . 2011-05-09 20:01 -------- d-----w- c:\program files\ERUNT
2011-04-29 19:05 . 2011-04-29 19:05 -------- d-----w- C:\found.000
2011-04-29 12:24 . 2010-11-30 10:43 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-04-29 12:24 . 2010-11-30 10:43 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F504C7DB-C3C5-4FB8-A87E-5ED7BC6A9085}\gapaengine.dll
2011-04-29 12:22 . 2011-05-09 20:01 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-29 11:21 . 2011-05-05 08:15 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2011-04-29 10:35 . 2011-05-09 20:01 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-04-29 10:35 . 2011-05-09 20:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-28 22:57 . 2011-04-28 22:57 -------- d-----w- c:\windows\Sun
2011-04-28 20:55 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-04-28 20:20 . 2007-11-07 18:03 496384 ----a-w- c:\windows\system32\XceedZip.dll
2011-04-28 20:20 . 2005-08-09 16:14 262144 ----a-w- c:\windows\system32\vspdf8.ocx
2011-04-28 20:20 . 2005-08-09 16:14 458752 ----a-w- c:\windows\system32\vsprint8.ocx
2011-04-28 20:20 . 2002-02-12 15:24 169216 ----a-w- c:\windows\system32\WSpell.ocx
2011-04-28 20:20 . 1999-07-01 12:17 237568 ----a-w- c:\windows\system32\Vsocx6.ocx
2011-04-28 20:20 . 1998-09-11 08:14 21504 ----a-w- c:\windows\system32\WBCustomizer.dll
2011-04-28 20:20 . 2003-02-19 00:11 65536 ----a-w- c:\windows\system32\ReSize32.ocx
2011-04-28 20:20 . 2000-12-06 08:59 832448 ----a-w- c:\windows\system32\tdbg6.ocx
2011-04-28 20:20 . 2000-05-21 23:00 203976 ----a-w- c:\windows\system32\RICHTX32.OCX
2011-04-28 20:20 . 2000-05-21 22:00 115920 ----a-w- c:\windows\system32\MSINET.OCX
2011-04-28 20:20 . 1999-09-17 10:14 65536 ----a-w- c:\windows\system32\ssfm1032.dll
2011-04-28 20:20 . 1999-05-06 23:00 198640 ----a-w- c:\windows\system32\MCI32.OCX
2011-04-27 13:23 . 2011-04-27 13:23 -------- d-----w- c:\users\LSS\AppData\Local\LogMeIn
2011-04-27 13:23 . 2011-04-27 13:23 -------- d-----w- c:\programdata\LogMeIn
2011-04-27 10:56 . 2011-04-27 11:12 -------- d-----w- c:\users\LSS\AppData\Roaming\TeamViewer
2011-04-27 10:11 . 2011-04-27 12:35 -------- d-----w- C:\temp
2011-04-27 10:11 . 2007-02-25 09:10 102400 ----a-w- c:\windows\system32\UniCType.dll
2011-04-27 10:11 . 2007-02-25 09:10 73788 ----a-w- c:\windows\system32\Log2Vis.dll
2011-04-27 10:11 . 2007-02-25 09:10 380928 ----a-w- c:\windows\system32\krb5_32.dll
2011-04-27 10:11 . 2007-02-25 09:10 24576 ----a-w- c:\windows\system32\comerr32.dll
2011-04-27 09:46 . 2011-05-09 20:01 -------- d-----w- c:\program files\AL500-18
2011-04-26 15:32 . 2011-05-09 20:01 -------- d-----w- C:\46f8d8b26ce9750c5047a042850a32
2011-04-26 13:17 . 2011-04-18 08:15 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FBC72D5F-F32A-43A4-B33A-4301E40D32F7}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-04-27 233472]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-13 61440]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-30 483428]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-02-22 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
c:\users\Assistant\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-06-19 21:07 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 12:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 04:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell DataSafe Online]
2009-04-09 14:29 1762032 ----a-w- c:\program files\Dell DataSafe Online\DataSafeOnline.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-01-28 20:46 136176 ----atw- c:\users\LSS\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2008-07-04 12:16 132392 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [x]
R3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-18 21744]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-30 81920]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2010-03-08 62496]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-08-25 203264]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-27 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]
.
2011-05-06 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-dellsupportcenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-09 22:32
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
Completion time: 2011-05-09 22:36:17
ComboFix-quarantined-files.txt 2011-05-09 21:36
.
Pre-Run: 222,286,352,384 bytes free
Post-Run: 221,199,986,688 bytes free
.
- - End Of File - - 457989C3F5FC53B4111B48CF4F7F9C69
 
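An added example (mine, not from the thread, from ComboFix or from any of the tools named above): a small Python reader for the "Files Created" and "Reg Loading Points" sections of a ComboFix report. It flags the two things a helper would pick out of the log above, the hidden+system directories literally named %APPDATA% and the "EnableLUA"= 0 policy value (UAC switched off). The sample text is constructed in the same layout and is not the full log.

```python
import re

# Constructed sample in the ComboFix report layout (a few lines modelled on
# the thread's log, not the full log itself).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-04-09 to 2011-05-09 )))))))))))))))))))))))))))))))
.
2011-05-09 21:32 . 2011-05-09 21:32 -------- d-----w- c:\users\LSS\AppData\Local\temp
2011-05-06 18:26 . 2011-05-06 18:26 -------- d-sh--w- c:\users\LSS\%APPDATA%
2011-05-05 08:15 . 2011-05-09 20:02 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-05-04 21:49 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
"""

# Each file line reads: created . modified size attrs path (attrs is an
# 8-character field such as d-sh--w-, where s = system and h = hidden).
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) ([-a-z]{8}) (.+)$"
)
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(\S+)')


def analyze(log_text):
    """Return (kind, detail) findings for the entries a reviewer would look at."""
    findings = []
    current_key = ""
    for line in log_text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group(4), m.group(5)
            name = path.rsplit("\\", 1)[-1]
            # d-sh--w-: an entry flagged both system and hidden
            if "s" in attrs and "h" in attrs:
                findings.append(("hidden-system", path))
            # a folder literally named %APPDATA% means something wrote an
            # unexpanded environment variable as a path
            if name.startswith("%") and name.endswith("%"):
                findings.append(("literal-envvar", path))
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = REG_VALUE.match(line)
        if m and current_key.endswith(r"policies\system"):
            if m.group(1) == "EnableLUA" and m.group(2) == "0":
                findings.append(("uac-disabled", current_key))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"{kind:15} {detail}")
```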

sorry, a few typos there, should be:

I had a bit of trouble disabling Microsoft Security Essentials. I disabled the real time protection, but CF said that it was still running. I then killed the MSE process in task manager and ran CF again but it still thought it was running. I went ahead anyway as there was no more I could do and it seems to have run ok.

I got a few Windows errors as it was running along the lines of "pev.exe has stopped working" but it seemed to carry on anyway.

Cheers,
Nick
 
Due to inactivity, this thread will now be closed.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
 