I have a terminal that has something and I just can't figure it out. I am getting pop-ups like mad. I cannot get into Symantec or Malwarebytes. It keeps telling me the link is broken. I tried to navigate to the web site to redownload and it redirects me. I tried to boot in safe mode and when I hit enter to boot in safe mode with networking it just gets stuck in a reboot loop and never boots. I can boot in normal mode but I cannot get to anything. So I can't run anything to see what I have going on. I tried running from a CD and jump drive and it won't let me open the .exe.

Where should I start with this?

They are inducing labor on my wife tomorrow so I might not get to reply for a couple days but at least you guys can give me some ideas for when I get the terminal in my hands again.

Scott

5 Contributors, 52 Replies, 53 Views, 7 Years Discussion Span, Last Post by PhilliePhan
They are inducing labor on my wife tomorrow so I might not get to reply for a couple days but at least you guys can give me some ideas for when I get the terminal in my hands again.

Congratulations :)

See if you are able to download the attached FindWPP.zip and extract the FindWPP folder from the ZIP to your Desktop.
In the FindWPP folder, you'll see RunThis.bat.
Run it, if you are able.
A log should pop up after a bit. Please post that for me.

PP :)

I will try to run this tomorrow night at some point... I think.

Thanks

I will try to run this tomorrow night at some point... I think.

Thanks

Great - No rush.
I imagine you'll be pretty busy :)

I, or one of the other volunteers, will be happy to help once you are ready.

PP

I can't run the file. I get a window that pops up that says my computer is infected and it can't run the file. Any other ideas?

FYI - baby is healthy baby girl!

I cannot boot in safe mode and I cannot run certain files off of a jump drive. I can run HJT and create a log file. That is about it. Nothing but popups that say your computer is infected. I was able to download malwarebytes but I cannot run it. It just says it can't find the link.

Not sure any of this helps?

Scott

FYI - baby is healthy baby girl!

That's great! Congrats :)

I can't run the file. I get a window that pops up that says my computer is infected and it can't run the file. Any other ideas?

-- Are you still able to transfer programs to the ill computer?
-- Are you able to get a command prompt on the ill computer?

Can you do this:
Download all four of these and place them on ill compy:
http://download.bleepingcomputer.com/grinler/rkill.pif
http://download.bleepingcomputer.com/grinler/rkill.scr
http://download.bleepingcomputer.com/grinler/rkill.com
http://download.bleepingcomputer.com/grinler/rkill.exe

First, run RKILL. You only need to run it once. If it runs successfully, a black screen will appear and then disappear.
If one doesn't run (you get an error message), try the next and so on until one runs.

Once RKILL runs, immediately start MBAM and do the quick scan. Remove what it finds and post the log.

Also, try this:
Please download and try to run http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe

It will take only a moment for it to run.
A log will be produced at C:\SafeBoot_Repair.txt. Please copy/paste that log in your next reply if possible.

Let me know how you fare.

PP :)

I was actually able to download that program and it started to run then the computer completely locked up. I had to force a shut down and now it gets stuck at "preparing network connections" and that is it. I still can't boot in safe mode. I have no idea how to get my desktop back let alone do anything.

When I run the downloads I get "application cannot be executed. the file is infected. Please start your antivirus software."

So I can't actually run any of them.

I can get to command prompt.

I can't transfer files to the computer. When I do or try to run from a jump drive I get the same error or it says the link is broken.

PP

The last link might be running.

I might need to correct the last post. I do have the screen that says "Please wait..." and I can hear the hard drive ticking away so it might be doing something. It has been like that for about 5 minutes now. How long will it take to return a log?

Here we go!

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SmcService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\ccEvtMgr
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\ccSetMgr
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Symantec Antivirus
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Symantec Antvirus
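
The export above is what Safe Mode runs on: every service and driver group Windows is allowed to start in Safe Mode must be listed under SafeBoot\Minimal (and SafeBoot\Network for the networking variant), which is why the repair tool was run when Safe Mode would not boot. As an added example, not part of this thread or of SafeBootKeyRepair, the Python below parses an export in exactly this format and reports entries that are missing, altered or third-party; its baseline is taken from the posted export, not from an authoritative Microsoft list, and the damaged sample is constructed.

```python
"""Audit a SafeBoot registry export (the format SafeBootKeyRepair prints above).
Added example; not part of the thread or of the repair tool."""
from collections import OrderedDict

ROOT = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot"

# Baseline for SafeBoot\Minimal, taken from the export posted above (Symantec
# entries left out as third-party).  Not an authoritative Microsoft list.
BASELINE_MINIMAL = {
    "AppMgmt": "Service", "Base": "Driver Group",
    "Boot Bus Extender": "Driver Group", "Boot file system": "Driver Group",
    "CryptSvc": "Service", "DcomLaunch": "Service", "EventLog": "Service",
    "File system": "Driver Group", "Filter": "Driver Group",
    "PCI Configuration": "Driver Group", "PlugPlay": "Service",
    "PNP Filter": "Driver Group", "Primary disk": "Driver Group",
    "RpcSs": "Service", "SCSI Class": "Driver Group",
    "sr.sys": "FSFilter System Recovery", "SRService": "Service",
    "System Bus Extender": "Driver Group", "vga.sys": "Driver",
    "vgasave.sys": "Driver", "WinMgmt": "Service",
    "{4D36E965-E325-11CE-BFC1-08002BE10318}": "CD-ROM Drive",
    "{4D36E967-E325-11CE-BFC1-08002BE10318}": "DiskDrive",
    "{4D36E96B-E325-11CE-BFC1-08002BE10318}": "Keyboard",
    "{4D36E96F-E325-11CE-BFC1-08002BE10318}": "Mouse",
    "{4D36E97D-E325-11CE-BFC1-08002BE10318}": "System",
}

def parse_reg_export(text):
    """Return {key path: {value name: data}} for a 'Windows Registry Editor
    Version 5.00' export.  String data loses its quotes; other types stay raw."""
    keys, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            keys[current][name.strip('"')] = data
    return keys

def safeboot_entries(keys, profile):
    """Map direct children of SafeBoot\\<profile> to their default (@) value."""
    prefix = (ROOT + "\\" + profile + "\\").lower()
    entries = {}
    for path, values in keys.items():
        if path.lower().startswith(prefix):
            name = path[len(prefix):]
            if "\\" not in name:          # direct child, not a grandchild key
                entries[name] = values.get("@")
    return entries

def audit_safeboot(text, profile="Minimal", baseline=BASELINE_MINIMAL):
    """Compare the export against the baseline, case-insensitively as the registry does."""
    keys = parse_reg_export(text)
    present = {k.lower(): (k, v) for k, v in safeboot_entries(keys, profile).items()}
    base = {k.lower(): v for k, v in baseline.items()}
    return {
        "profile_present": (ROOT + "\\" + profile).lower() in {k.lower() for k in keys},
        "missing": sorted(k for k in baseline if k.lower() not in present),
        "wrong_value": sorted(k for k in baseline
                              if k.lower() in present and present[k.lower()][1] != baseline[k]),
        "extra": sorted(orig for low, (orig, _) in present.items() if low not in base),
    }

# Constructed sample: a Minimal tree stripped of most standard entries (the
# condition behind the Safe Mode reboot loop described earlier in the thread),
# plus one altered default value and one third-party entry.
DAMAGED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
"""

if __name__ == "__main__":
    for field, value in audit_safeboot(DAMAGED_EXPORT).items():
        print(field, value)
```

To check a real machine, export the key with `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg` and pass the file contents to `audit_safeboot`; a Network baseline can be built the same way from the Network half of the export above.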

I restarted the computer and I was able to run each of your downloads but I cannot get MBAM to open. I get:

"The item 'mbam.exe' that this shortcut refers to has been changed or moved, so this shortcut will no longer work properly"

So I uninstalled MBAM and reinstalled it and I still get the same error. Is there any other way to get MBAM to install and run?

Please try this:

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. mbam-clean.exe
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here and try again to run it and let us know.

So I uninstalled MBAM and reinstalled it and I still get the same error. Is there any other way to get MBAM to install and run?

Let's try something different first:
Please download Win32kDiag from a linky below and place it on the Desktop of the ill compy.
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.
Be sure to let it run until it says "Finished" before posting the log!

Also:
If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to iexplore.exe and then download it and see if you can place it on the Desktop of the ill machine.

Do not run it yet - just place it on the Desktop.

Let me know how you fare with these steps.

PP:)

I ran it until it finished but there is nothing really in the log. It just says finished. I will try to get you a copy of the .txt file if it helps. I am having a hard time getting the logs from one computer to another.

I ran it until it finished but there is nothing really in the log. It just says finished.

Actually, that's good - no need to see it.

Are you able to move the renamed combofix to the desktop?
If so, please follow the steps in this linky to manually install the Recovery Console.

If combofix prompts you to start the scan, go ahead and say yes and follow the instructions in the linky from the top.
You'll need to disable any AV / AntiSpy tools on the compy prior to running combofix. If you are unable to update it, no worries - run it anyway.

Let me know how you fare. I'll need to see the combofix log, if it is able to complete successfully.

PP:)

It says that Symantec is running but I can't turn it off so I ran it anyway.

It says these files are trying to attach....

c:\windows\system32\curslib.dll
c:\windows\system32\siktodo.dll
c:\windows\system32\hamaveho.dll
c:\windows\system32\tenugizo.dll

Then it locks up. Is there a way to run this with Norton still on? I have no clue how to remove that right now because it was endpoint security that was pushed out through our server and I am at home away from our server.

Scott

Hi Scott,

-- So the Recovery Console installed with no trouble?

Open a command prompt and type:

"%userprofile%\desktop\combofix.exe" /KillAll

Note ---> ix.exe"<space> /Kil

Hit Enter and that should start combofix. If it still has trouble, try in Safe Mode ( assuming you can now get there).

Let me know how that shakes out.

PP:)

I just got the correct service pack of XP Pro on my desktop. I drag and drop on the iexplorer.exe icon and nothing happens. According to the instructions it should start to scan.

Am I missing something?

OK I got combofix to run but it is getting stuck in the blue screen and sticks on "attempting to create a new system restore point"

I cannot boot in safe mode

Now I cannot get my desktop. It gets hung up at "preparing network connections". Is there anything I can do to jump around this?

I got everything to run and I have a .txt log. Should I post it?

Now I have a bigger problem. My good computer that is on the same network cannot get on the internet anymore and only my infected computer can access the internet. What could I have done to my good terminal?

I just got the correct service pack of XP Pro on my desktop. I drag and drop on the iexplorer.exe icon and nothing happens. According to the instructions it should start to scan.
Am I missing something?

I'm not sure what you are referring to - You don't want to install a service pack. We need the appropriate Recovery Console download for your machine.

Most likely this one:
http://www.microsoft.com/downloads/details.aspx?FamilyId=15491F07-99F7-4A2D-983D-81C2137FF464&displaylang=en

Once the Recovery Console has been installed, you need to start combofix with this command:
"%userprofile%\desktop\combofix.exe" /KillAll

I got everything to run and I have a .txt log. Should I post it?

YES! :)
I definitely need to see that!

Now I have a bigger problem. My good computer that is on the same network cannot get on the internet anymore and only my infected computer can access the internet. What could I have done to my good terminal?

Shut down the good computer for the time being - in a lot of cases, it is easily possible to infect one compy while trying to clean a second one. Just shut it down for the time being.

If that is not an option, please start a new thread for the second computer and we'll work both at once. We'll need separate threads to avoid confusion.

-- Can you run MBAM on second compy?
-- What OS is second compy?
-- Do you have Windows CD / DVD for either computer?

Hang in there - know you have a lot on your plate right now :)

PP

OK I think I have everything good to go. Here is the .txt I got from the combofix.

ComboFix 09-12-05.03 - JoshPolacek 12/06/2009 8:06.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1596 [GMT -6:00]
Running from: c:\documents and settings\joshpolacek\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\joshpolacek\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
The following files were disabled during the run:
c:\windows\system32\curslib.dll
c:\windows\system32\kuyigiba.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\joshpolacek\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
c:\documents and settings\joshpolacek\Desktop\Advanced Virus Remover.lnk
c:\documents and settings\joshpolacek\Start Menu\Advanced Virus Remover.lnk
c:\program files\AdvancedVirusRemover
c:\program files\AdvancedVirusRemover\AVR.exe
c:\recycler\S-1-5-21-592622461-2600799113-3497242797-500
c:\windows\system32\__c0082787.dat
c:\windows\system32\18467.exe
c:\windows\system32\26500.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\bszip.dll
c:\windows\system32\critical_warning.html
c:\windows\system32\curslib.dll
c:\windows\system32\drivers\H8SRTrsueldwruu.sys
c:\windows\system32\fakuhazu.dll
c:\windows\system32\h8srtcfg.dat
c:\windows\system32\H8SRTejvvgoejbp.dll
c:\windows\system32\H8SRTenfynbaiwj.dll
c:\windows\system32\H8SRTiysdojlasq.dll
c:\windows\system32\H8SRTntjrcpxuou.dat
c:\windows\system32\jetebemi.dll
c:\windows\system32\junefare.dll
c:\windows\system32\kafudera.dll
c:\windows\system32\logon.exe
c:\windows\system32\lohulatu.dll
c:\windows\system32\nawobiti.dll
c:\windows\system32\nawodogi.dll
c:\windows\system32\revesele.dll
c:\windows\system32\se9x3.dll
c:\windows\system32\tenugizu.dll
c:\windows\system32\vakumene.dll
c:\windows\system32\varadosa.dll
c:\windows\system32\vosulome.dll
c:\windows\system32\wincert.dll
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon86.exe
c:\windows\system32\winupdate86.exe
c:\windows\system32\yirotiko.dll
c:\windows\system32\zodogupe.dll
c:\windows\Tasks\xocuvfmb.job
c:\windows\Temp\4162880940.exe
c:\windows\Temp\lsass.exe
C:\xcrashdump.dat

----- BITS: Possible infected sites -----

hxxp://77.74.48.111
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-11-06 to 2009-12-06 )))))))))))))))))))))))))))))))
.

2009-12-06 03:56 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-06 03:56 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-05 04:02 . 2009-12-06 03:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-05 02:19 . 2009-12-05 02:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-05 02:19 . 2009-12-05 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-05 02:16 . 2009-12-05 02:16 -------- d-----w- c:\program files\Trend Micro
2009-12-05 00:32 . 2009-12-06 03:50 120 ----a-w- c:\windows\system32\srcr.dat
2009-12-03 23:26 . 2009-12-03 23:26 78720 ----a-w- c:\windows\system32\drivers\rtnqfdtftvwuao.sys
2009-12-03 23:19 . 2009-12-03 20:50 -------- d-sh--w- c:\documents and settings\joshpolacek\IETldCache
2009-12-03 18:03 . 2009-12-03 18:03 16384 ----a-w- C:\ndgkqs.exe
2009-12-03 18:03 . 2009-12-03 18:04 222720 ----a-w- C:\dens.exe
2009-12-03 18:02 . 2009-12-03 18:03 52736 ----a-w- C:\enhs.exe
2009-12-03 18:02 . 2009-12-03 18:03 51712 ----a-w- C:\gelcdomj.exe
2009-12-02 13:59 . 2009-06-22 17:14 4194304 ----a-w- c:\windows\system32\cdintf400.dll
2009-11-23 15:48 . 2009-11-23 15:48 -------- d-----w- C:\ELEVATOR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-06 14:30 . 2007-06-11 15:01 -------- d-----w- c:\documents and settings\joshpolacek\Application Data\IM
2009-12-05 03:53 . 2008-03-24 16:23 -------- d-----w- c:\documents and settings\joshpolacek\Application Data\U3
2009-12-03 16:05 . 2009-04-03 18:27 2826 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2009-12-02 14:13 . 2007-01-11 19:44 -------- d-----w- c:\documents and settings\joshpolacek\Application Data\SolidWorks
2009-12-02 13:54 . 2009-04-06 18:02 869664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\qbpatch.exe
2009-11-25 14:15 . 2009-08-12 13:17 852784 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\dblgen11.dll
2009-11-25 14:15 . 2009-08-12 13:17 2168112 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll
2009-11-25 14:15 . 2009-04-06 18:04 205576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2009-11-25 14:15 . 2009-04-06 18:04 1087752 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2009-11-06 14:10 . 2009-08-12 13:17 787760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
2009-11-06 14:10 . 2009-08-12 13:17 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
2009-11-06 14:10 . 2009-08-12 13:17 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
2009-11-06 14:10 . 2009-08-12 13:17 263472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
2009-11-06 14:10 . 2009-08-12 13:17 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblib10.dll
2009-11-06 14:10 . 2009-08-12 13:17 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
2009-11-06 14:10 . 2009-08-12 13:17 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
2009-11-06 14:10 . 2009-08-12 13:17 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
2009-11-06 14:10 . 2009-08-12 13:17 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
2009-10-28 22:17 . 2007-01-10 17:52 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-28 17:57 . 2007-01-10 17:32 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-28 17:57 . 2007-01-10 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-28 17:55 . 2007-01-10 17:32 -------- d-----w- c:\program files\Symantec
2009-10-28 17:55 . 2009-10-28 17:55 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-10-28 17:55 . 2009-10-28 17:55 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-28 17:55 . 2009-10-28 17:55 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-28 17:55 . 2009-10-28 17:55 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-28 17:44 . 2009-10-28 17:54 8560 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{2EFCC193-D915-4CCB-9201-31773A27BC06}\program files\Symantec\SEP\res\1033\VpshellRes.dll
2009-10-15 15:17 . 2009-10-15 15:16 188184 ----a-w- c:\documents and settings\All Users\Application Data\tmp66F.tmp
2009-09-11 14:18 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 15:11 . 2009-09-10 15:11 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-09-06 13:24 . 2009-09-06 13:24 62464 --sha-w- c:\windows\system32\hozirave.dll
2009-09-05 14:11 . 2009-09-05 14:11 54272 --sha-w- c:\windows\system32\kufiselu.dll
2009-09-05 00:32 . 2009-09-05 00:32 53760 --sha-w- c:\windows\system32\liborazo.dll
2009-09-05 23:31 . 2009-09-05 23:31 54272 --sha-w- c:\windows\system32\yatodimi.dll
2009-09-05 00:32 . 2009-09-05 00:32 62464 --sha-w- c:\windows\system32\yiyetoze.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f309a089-3bc9-4ef4-a661-89b3fe189b49}]
2009-09-05 23:31 54272 --sha-w- c:\windows\system32\yatodimi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-07 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-05 344064]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-17 7561216]
"nwiz"="nwiz.exe" [2006-03-17 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-17 86016]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SolidWorks_CheckForUpdates"="c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2007-11-29 6526232]
"HP Network Registry Agent"="c:\windows\system32\hpnra.exe" [2000-10-26 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-28 115560]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-11-6 984352]
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2005-10-15 114688]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_SZ c:\windows\system32\wincert.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/7/2007 2:28 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/29/2009 9:05 AM 102448]
R3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]
S2 alsyixwjgtoud;alsyixwjgtoud;c:\windows\system32\drivers\rtnqfdtftvwuao.sys [12/3/2009 5:26 PM 78720]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [10/28/2009 11:44 AM 23888]
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
TCP: {04FE1F3F-1981-4D68-98E3-72604564CAC8} = 193.104.110.38,4.2.2.1,64.233.207.8 64.233.207.9
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2005\HelpAsyncPluggableProtocol.dll
DPF: {42D5A794-9AD1-4409-950B-C8B9EB1282B0} - hxxps://www.rdfs.com/contentexplorer/covi/VipTiffPrint.dll
DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} - hxxp://www.solidworks.com/pages/services/subscription/downloads/sldimdownload.cab
FF - ProfilePath - c:\documents and settings\joshpolacek\Application Data\Mozilla\Firefox\Profiles\6y3ps6ah.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ririyabovo - lohulatu.dll
HKLM-Run-zubolekob - c:\windows\system32\kuyigiba.dll
SharedTaskScheduler-{8ee32e2d-8a5f-4f50-b006-1216e02153c7} - c:\windows\system32\hamaveho.dll
SharedTaskScheduler-{c58e03e7-189a-49d1-b08f-3fa7a5c3b2d3} - c:\windows\system32\hamaveho.dll
SharedTaskScheduler-{f3e6ac6c-d2a3-4a86-92b7-0d593e1cfcfb} - c:\windows\system32\hamaveho.dll
SharedTaskScheduler-{2b35ba3f-06ed-45eb-8c89-2a16dbf30635} - c:\windows\system32\kuyigiba.dll
SSODL-fakahufep-{8ee32e2d-8a5f-4f50-b006-1216e02153c7} - c:\windows\system32\hamaveho.dll
SSODL-pamadonan-{c58e03e7-189a-49d1-b08f-3fa7a5c3b2d3} - c:\windows\system32\hamaveho.dll
SSODL-lipetidoz-{f3e6ac6c-d2a3-4a86-92b7-0d593e1cfcfb} - c:\windows\system32\hamaveho.dll
SSODL-zomuhusaw-{2b35ba3f-06ed-45eb-8c89-2a16dbf30635} - c:\windows\system32\kuyigiba.dll
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
AddRemove-hp LaserJet 5100 Uninstaller - c:\program files\Hewlett-Packard\LJ5100\Uninstall\unhp.exe ciuninst.ini
AddRemove-NVIDIA Drivers - c:\windows\system32\nvudisp.exe UninstallGUI

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-06 08:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1396)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\hasplms.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-06 08:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-06 14:49

Pre-Run: 35,201,105,920 bytes free
Post-Run: 38,633,238,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 97896892EF4A7AF51EA063065374A948

0

It appears everything is back to normal.

I can get into safe mode and I can run MBAM. Do you need to see that log?

The second computer somehow managed to get a corrupt file in Norton Internet Security that was restricting my access to the internet. It must have been when I was transferring files back and forth. I pinged yahoo to see if it was connected and it was. I uninstalled norton and reinstalled and it appears to be good. I will start a new thread if I run into problems with that one.

Is there any way to find out how I got this worm/virus? I would like to find a way to avoid this in the future. It was on one of my employees' computers that this happened.

Scott

0

It appears everything is back to normal.

Not Quite! Still some baddies remaining - please do the following:
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.

-- Then, update your MBAM and run the Full scan in Normal Windows Boot and post the log for me.

Is there any way to find out how I got this worm/virus? I would like to find a way to avoid this in the future. It was on one of my employees' computers that this happened.

You had/have a healthy infestation of malware. Probably not from one source.
I imagine some was from "drive by" download of a rogue scanner.
The rootkit components are worrisome.

Honestly, in cases such as this, I usually recommend a reformat and reinstall of Windows. Especially on business computers with potentially sensitive data.
Even if all of the scanlogs show clean, you can never really be certain......

'Course, that isn't always a practical option. But, it is the only 100% effective option.

Please post the new scanlogs from combofix and MBAM for me.

PP:)

Edited by PhilliePhan: n/a

0

Combofix log:
ComboFix 09-12-06.09 - JoshPolacek 12/06/2009 19:19.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1232 [GMT -6:00]
Running from: c:\documents and settings\joshpolacek\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\joshpolacek\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"C:\dens.exe"
"c:\documents and settings\All Users\Application Data\tmp66F.tmp"
"C:\enhs.exe"
"C:\gelcdomj.exe"
"C:\ndgkqs.exe"
"c:\windows\system32\curslib.dll"
"c:\windows\system32\drivers\rtnqfdtftvwuao.sys"
"c:\windows\system32\hozirave.dll"
"c:\windows\system32\kufiselu.dll"
"c:\windows\system32\kuyigiba.dll"
"c:\windows\system32\liborazo.dll"
"c:\windows\system32\yatodimi.dll"
"c:\windows\system32\yiyetoze.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dens.exe
c:\documents and settings\All Users\Application Data\tmp66F.tmp
c:\windows\system32\drivers\rtnqfdtftvwuao.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ALSYIXWJGTOUD
-------\Service_alsyixwjgtoud


((((((((((((((((((((((((( Files Created from 2009-11-07 to 2009-12-07 )))))))))))))))))))))))))))))))
.

2009-12-06 19:19 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-06 19:19 . 2009-12-06 19:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-06 19:19 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-05 02:19 . 2009-12-06 15:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-05 02:16 . 2009-12-05 02:16 -------- d-----w- c:\program files\Trend Micro
2009-12-05 00:32 . 2009-12-06 03:50 120 ----a-w- c:\windows\system32\srcr.dat
2009-12-03 23:19 . 2009-12-03 20:50 -------- d-sh--w- c:\documents and settings\joshpolacek\IETldCache
2009-12-02 13:59 . 2009-06-22 17:14 4194304 ----a-w- c:\windows\system32\cdintf400.dll
2009-11-23 15:48 . 2009-11-23 15:48 -------- d-----w- C:\ELEVATOR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-07 01:37 . 2007-06-11 15:01 -------- d-----w- c:\documents and settings\joshpolacek\Application Data\IM
2009-12-05 03:53 . 2008-03-24 16:23 -------- d-----w- c:\documents and settings\joshpolacek\Application Data\U3
2009-12-03 16:05 . 2009-04-03 18:27 2826 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2009-12-02 14:13 . 2007-01-11 19:44 -------- d-----w- c:\documents and settings\joshpolacek\Application Data\SolidWorks
2009-12-02 13:54 . 2009-04-06 18:02 869664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\qbpatch.exe
2009-11-25 14:15 . 2009-08-12 13:17 852784 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\dblgen11.dll
2009-11-25 14:15 . 2009-08-12 13:17 2168112 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll
2009-11-25 14:15 . 2009-04-06 18:04 205576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2009-11-25 14:15 . 2009-04-06 18:04 1087752 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2009-11-06 14:10 . 2009-08-12 13:17 787760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
2009-11-06 14:10 . 2009-08-12 13:17 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
2009-11-06 14:10 . 2009-08-12 13:17 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
2009-11-06 14:10 . 2009-08-12 13:17 263472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
2009-11-06 14:10 . 2009-08-12 13:17 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblib10.dll
2009-11-06 14:10 . 2009-08-12 13:17 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
2009-11-06 14:10 . 2009-08-12 13:17 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
2009-11-06 14:10 . 2009-08-12 13:17 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
2009-11-06 14:10 . 2009-08-12 13:17 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
2009-10-28 22:17 . 2007-01-10 17:52 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-28 17:57 . 2007-01-10 17:32 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-28 17:57 . 2007-01-10 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-28 17:55 . 2007-01-10 17:32 -------- d-----w- c:\program files\Symantec
2009-10-28 17:55 . 2009-10-28 17:55 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-10-28 17:55 . 2009-10-28 17:55 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-28 17:55 . 2009-10-28 17:55 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-28 17:55 . 2009-10-28 17:55 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-28 17:44 . 2009-10-28 17:54 8560 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{2EFCC193-D915-4CCB-9201-31773A27BC06}\program files\Symantec\SEP\res\1033\VpshellRes.dll
2009-09-11 14:18 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 15:11 . 2009-09-10 15:11 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-07 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-05 344064]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-17 7561216]
"nwiz"="nwiz.exe" [2006-03-17 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-03-17 86016]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SolidWorks_CheckForUpdates"="c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2007-11-29 6526232]
"HP Network Registry Agent"="c:\windows\system32\hpnra.exe" [2000-10-26 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-28 115560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-11-6 984352]
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2005-10-15 114688]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SmcGui.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SavUI.exe"=

R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/7/2007 2:28 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/29/2009 9:05 AM 102448]
R3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [10/28/2009 11:44 AM 23888]
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2005\HelpAsyncPluggableProtocol.dll
DPF: {42D5A794-9AD1-4409-950B-C8B9EB1282B0} - hxxps://www.rdfs.com/contentexplorer/covi/VipTiffPrint.dll
DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} - hxxp://www.solidworks.com/pages/services/subscription/downloads/sldimdownload.cab
FF - ProfilePath - c:\documents and settings\joshpolacek\Application Data\Mozilla\Firefox\Profiles\6y3ps6ah.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-06 19:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3372)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\hasplms.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-06 19:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-07 01:54
ComboFix2.txt 2009-12-06 14:49

Pre-Run: 38,656,053,248 bytes free
Post-Run: 38,706,253,824 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - ACD2C4959BCC7A7855447D5A9A2FDE16

0

MBAM log:

Malwarebytes' Anti-Malware 1.42
Database version: 3307
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/6/2009 9:20:08 PM
mbam-log-2009-12-06 (21-20-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 245911
Time elapsed: 1 hour(s), 16 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP674\A0140385.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP674\A0140375.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP674\A0140377.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP674\A0140378.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP674\A0140379.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP674\A0140381.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP674\A0140382.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP674\A0140383.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP674\A0140384.exe (Malware.Packer.T) -> Quarantined and deleted successfully.

0

Hey Scott - that looks better.

Do you know what this is?
C:\ELEVATOR
What's in the folder?


Let's go ahead and remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste ComboFix /Uninstall into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

I'd also like to look to see if there are other minor cleanup items - things we need to update (Adobe / Java etc...) that otherwise would pose security risks. The Vundo on your machine may well have been a result of outdated Java, for instance.

So, please do this:
-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

We'll take a quick run through that and wrap this puppy up!

Cheers :)
PP
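
The triage PhilliePhan does by eye on the ComboFix logs above ("Still some baddies remaining" after the first log, and the outdated Java remark in the post just above) can be written down as a handful of checks. The script below is an added example, not part of this thread and not ComboFix's, MBAM's or DDS's own code. It parses the file, service and Firefox-plugin line formats seen in the posted logs and flags the signals visible there: hidden+system DLLs in system32, executables dropped into the drive root, a driver service with an unpronounceable name, and a Java plugin older than an assumed baseline. The sample lines are copied from the ComboFix logs earlier in the thread; the baseline version (`MIN_JAVA`), the consonant-run threshold and the function names are assumptions of this example, not facts from the page.

```python
"""Heuristic triage of ComboFix-style scan log lines.

Added example (not the thread's or any tool's own code). It turns the
by-eye checks a helper applies to these logs into code. Thresholds
(MIN_JAVA, consonant-run length) are assumptions, not page facts.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# Sample input: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
2009-12-03 18:03 . 2009-12-03 18:03 16384 ----a-w- C:\ndgkqs.exe
2009-12-03 18:03 . 2009-12-03 18:04 222720 ----a-w- C:\dens.exe
2009-12-02 13:59 . 2009-06-22 17:14 4194304 ----a-w- c:\windows\system32\cdintf400.dll
2009-11-23 15:48 . 2009-11-23 15:48 -------- d-----w- C:\ELEVATOR
2009-09-06 13:24 . 2009-09-06 13:24 62464 --sha-w- c:\windows\system32\hozirave.dll
2009-09-05 23:31 . 2009-09-05 23:31 54272 --sha-w- c:\windows\system32\yatodimi.dll
2009-10-28 17:55 . 2009-10-28 17:55 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
S2 alsyixwjgtoud;alsyixwjgtoud;c:\windows\system32\drivers\rtnqfdtftvwuao.sys [12/3/2009 5:26 PM 78720]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [10/28/2009 11:44 AM 23888]
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
"""

# Assumed baseline: Java 6 Update 17 was the current release in December 2009.
MIN_JAVA: Tuple[int, int, int, int] = (1, 6, 0, 17)

# "created . modified size attrs path" as printed in ComboFix's file sections.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\S+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# "S2 name;display;path.sys [...]" driver-service lines.
SERVICE_RE = re.compile(r"^[RS][0-4] (?P<name>[^;]+);(?P<display>[^;]+);(?P<path>.+?\.sys)(?=\s|$)", re.I)
JAVA_RE = re.compile(r"\\jre(\d+)\.(\d+)\.(\d+)_(\d+)\\", re.I)
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{4,}")


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Crude heuristic: lowercase-only stem, 6+ letters, a run of 4+ consonants."""
    stem = name.rsplit(".", 1)[0]
    return stem.isalpha() and stem.islower() and len(stem) >= 6 and bool(CONSONANT_RUN.search(stem))


def triage_line(line: str) -> List[str]:
    """Return the list of reasons a single log line deserves a second look."""
    reasons: List[str] = []
    m = FILE_RE.match(line)
    if m:
        attrs, low = m.group("attrs"), m.group("path").lower()
        base = low.rsplit("\\", 1)[-1]
        if "s" in attrs and "h" in attrs and "\\windows\\system32\\" in low:
            reasons.append("hidden+system file in system32")
        if re.fullmatch(r"[a-z]:\\[^\\]+\.exe", low):
            reasons.append("executable in drive root")
        if looks_random(base):
            reasons.append("unpronounceable file name")
        return reasons
    m = SERVICE_RE.match(line)
    if m:
        base = m.group("path").lower().rsplit("\\", 1)[-1]
        if looks_random(m.group("name")) or looks_random(base):
            reasons.append("driver service with random-looking name")
        return reasons
    m = JAVA_RE.search(line)
    if m:
        version = tuple(int(x) for x in m.groups())
        if version < MIN_JAVA:
            reasons.append(f"outdated Java plugin {'.'.join(map(str, version[:3]))}_{version[3]:02d}")
    return reasons


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over every non-empty line and keep those with reasons."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.line[:60]:<60} <- {', '.join(f.reasons)}")
```

On the sample above the script flags the two root-level executables, the two hidden+system DLLs in system32, the `alsyixwjgtoud` driver service and the Java 1.5.0_03 plugin, and leaves `SYMEVENT.SYS`, `COH_Mon.sys` and `C:\ELEVATOR` alone. The checks are signals for a human to confirm, not verdicts: a pronounceable name or a plain `----a-w-` attribute set says nothing by itself, which is exactly why the helper in the thread still asks what `C:\ELEVATOR` is rather than assuming.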

0

DDS log

DDS (Ver_09-12-01.01) - NTFSx86
Run by JoshPolacek at 7:40:15.64 on Mon 12/07/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1415 [GMT -6:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\WINDOWS\system32\hpnra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec AntiVirus\SymCorpUI.exe
C:\Documents and Settings\joshpolacek\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SolidWorks_CheckForUpdates] "c:\program files\common files\solidworks installation manager\scheduler\sldIMScheduler.exe" /scheduler
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [HP Network Registry Agent] c:\windows\system32\hpnra.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
StartupFolder: c:\docume~1\joshpo~1\startm~1\programs\startup\solidw~1.lnk - \\samwork-xp\c$\program files\solidworks (4)\solidworks\swscheduler\swBOEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonicc~1.lnk - c:\program files\common files\sonic shared\CineTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_03\bin\npjpi150_03.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {42D5A794-9AD1-4409-950B-C8B9EB1282B0} - hxxps://www.rdfs.com/contentexplorer/covi/VipTiffPrint.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} - hxxp://www.solidworks.com/pages/services/subscription/downloads/sldimdownload.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2005\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joshpo~1\applic~1\mozilla\firefox\profiles\6y3ps6ah.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-28 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-28 108392]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-10-28 2477304]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-7 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-29 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091124.050\NAVENG.SYS [2009-11-25 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091124.050\NAVEX15.SYS [2009-11-25 1323568]
R3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb19 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-10-28 23888]

=============== Created Last 30 ================


==================== Find3M ====================

2009-10-28 17:55:48 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-28 17:55:48 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-28 17:55:48 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-10-28 17:55:48 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-28 17:44:52 9892 ----a-w- c:\windows\system32\drivers\SymRedir.cat
2009-10-28 17:44:52 39856 ----a-w- c:\windows\system32\drivers\symids.sys
2009-10-28 17:44:52 38448 ----a-w- c:\windows\system32\drivers\symndisv.sys
2009-10-28 17:44:52 35120 ----a-w- c:\windows\system32\drivers\symndis.sys
2009-10-28 17:44:52 26416 ----a-w- c:\windows\system32\drivers\symredrv.sys
2009-10-28 17:44:52 188080 ----a-w- c:\windows\system32\drivers\symtdi.sys
2009-10-28 17:44:52 145968 ----a-w- c:\windows\system32\drivers\symfw.sys
2009-10-28 17:44:52 1356 ----a-w- c:\windows\system32\drivers\SymRedir.inf
2009-10-28 17:44:52 12720 ----a-w- c:\windows\system32\drivers\symdns.sys
2009-10-28 17:44:50 706 ----a-w- c:\windows\system32\drivers\COH_Mon.inf
2009-10-28 17:44:50 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
2009-10-28 17:44:50 10537 ----a-w- c:\windows\system32\drivers\coh_mon.cat
2009-10-21 04:08:54 3598336 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-04-22 08:07:17 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009042220090423\index.dat

============= FINISH: 7:40:58.87 ===============
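PhilliePhan's point above was that outdated components such as Java and Adobe Reader are what to look for in a DDS log, and the log just posted shows both (jre1.5.0_03 and Acrobat 7.0). As an added example, not part of the thread or of the DDS tool, here is a small Python script that picks version strings out of DDS lines and flags anything below a baseline; the baseline values are assumed placeholders, and the sample input is a handful of lines copied from the log above.

```python
import re

# Constructed sample input: lines copied from the DDS log posted in this thread.
SAMPLE_DDS = """\
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\adobe\\acrobat 7.0\\activex\\AcroIEHelper.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC} - c:\\program files\\java\\jre1.5.0_03\\bin\\npjpi150_03.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
FF - plugin: c:\\program files\\java\\jre1.5.0_03\\bin\\NPJava11.dll
mRun: [ccApp] "c:\\program files\\common files\\symantec shared\\ccApp.exe"
"""

# Assumed baselines (placeholder values, not from the thread); anything older is flagged.
BASELINE = {"java": (1, 6, 0, 17), "acrobat": (9, 2)}

# Version strings as they show up in DDS output: JRE install folders,
# Java installer cab names, and Acrobat/Reader install folders.
PATTERNS = {
    "java": [re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.I),
             re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)", re.I)],
    "acrobat": [re.compile(r"acrobat (\d+)\.(\d+)[\\/]", re.I)],
}


def versions_in_line(line):
    """Yield (component, version_tuple) for every version string found on one DDS line."""
    for component, regexes in PATTERNS.items():
        for rx in regexes:
            for m in rx.finditer(line):
                yield component, tuple(int(g) for g in m.groups())


def triage(log_text, baseline=BASELINE):
    """Map each outdated component to {version_tuple: [DDS lines that reference it]}.

    Tuples compare element-wise, so (1, 5, 0, 3) < (1, 6, 0, 17) without any
    string parsing of 'update' numbers."""
    findings = {}
    for line in log_text.splitlines():
        for component, version in versions_in_line(line):
            if version < baseline[component]:
                findings.setdefault(component, {}).setdefault(version, []).append(line)
    return findings


if __name__ == "__main__":
    for component, versions in triage(SAMPLE_DDS).items():
        for version, lines in versions.items():
            label = ".".join(map(str, version))
            print(f"{component} {label} is below baseline; referenced on {len(lines)} line(s)")
```

Running it against the sample lines reports Java 1.5.0.3 on three lines and Acrobat 7.0 on one, which matches what the log above shows for the user's machine.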
