I have McAfee; so far it will not delete the programs, it will not do anything to them.

It is getting really annoying. Any ideas on what I can do?

Thanks.

I am guessing the trojan will not let me download the:
Malwarebytes' Anti-Malware (MBA-M)
or the
Microsoft® Windows® Malicious Software Removal Tool

It says I have no internet connection, then closes the web page.

What should I do from here?

I am running the Windows software removal tool. Should I be in safe mode at this point? The walkthrough never prompted me to be in safe mode or to turn off System Restore; it only showed me how.

If it is running then it must be ok to run it as you are.

Something will not let me update Malwarebytes; it says

error code 732.

But the 1/7/2010 is the current version it is on.

What should I do from here?

This is tough. I have not found anything yet with any of these scans, so odd.

Error code also refers to no internet connectivity. Are you doing this posting from the infected computer?

Yes, I am posting this from an infected computer.

The dang thing keeps forwarding me to sites from Google searches. I've run all of the scans, every last one of them!

Is there a program I can download to do this all for me?

I am going crazy here.

Thanks for all the help so far, and I really mean it.

ESET Online Scanner will not open; it brings up a blank page saying error, no net connection, then shuts the page down.

Whatever I have is bad. What can I do from here?

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@doubleclick[3].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@atdmt[2].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@247realmedia[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@mediaplex[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@mediaplex[3].txt
00147806 Cookie/7search TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@7search[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@apmebf[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@apmebf[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@advertising[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@questionmarket[1].txt

It will not let me use:
• Trend Micro HouseCall
• F-Secure Online Virus Scanner
• Kaspersky Online Scanner

What should I do now?

What was the log you posted in post #12?
Have you tried working via Safe Mode with networking? Especially downloading Malwarebytes' program?

Do you have another computer you could use to download Malwarebytes' and then take it to the infected computer, say via a flash drive or a cd?

Panda ActiveScan

Question 2:
I have used my other clean computer to download Malwarebytes, updated the program, then plugged it into my infected computer, but it only showed up as the old version.

Do you HAVE the old version on the infected computer? I have never heard of this happening, especially if the copy is brand new.
Don't update the program when you download it to the other computer; all you want to do is download the install file and then take THAT to the infected computer. You can also download the install file to the other computer, rename that file to some other name entirely (just be sure the .exe remains), and then put that renamed file on the infected computer and install. The infection is usually looking for the security programs by name, but if it sees something like that it very likely won't see it or know what it is.

Thanks,

Here are the logs.

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

2/22/2010 6:05:47 PM
mbam-log-2010-02-22 (18-05-47).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|M:\|)
Objects scanned: 223684
Time elapsed: 56 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\00000222.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\0000044a.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\000009ce.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\00002c99.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\0000523b.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\000059ee.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\00006be9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\00007f1a.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.


This one is from Panda active scan.
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@doubleclick[3].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@atdmt[2].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@247realmedia[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@mediaplex[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@mediaplex[3].txt
00147806 Cookie/7search TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@7search[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@apmebf[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@apmebf[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@advertising[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\users\administrator\appdata\roaming\microsoft\windows\cookies\administrator@questionmarket[1].txt

Here is DDS.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 22:28:10.61 on Tue 02/23/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.2379 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\WMPSideShowGadget.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Users\Administrator\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dealextreme.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.0.41\IPSBHO.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} - hxxp://imlive.com/chatsource/ImlCID.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.163.155,93.188.161.59
TCP: {635BFBF1-301B-41BB-992D-95D7444CEC26} = 93.188.163.155,93.188.161.59
TCP: {CA957182-82DF-4EAA-987B-AA0D04F43278} = 93.188.163.155,93.188.161.59
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.0.41\CoIEPlg.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-2-23 28552]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-22 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-22 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-22 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100218.001\IDSvix86.sys [2010-2-22 343088]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-27 214664]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-2-22 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-21 102448]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-7-14 19720]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-2 43040]
R3 rt61x86;Gigabyte RT61 Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr61.sys [2009-6-10 335872]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360\0308000.029\symndisv.sys [2010-2-22 48688]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-27 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-27 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-27 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-27 40552]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]

=============== Created Last 30 ================

2010-02-24 05:17:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-24 05:17:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-24 05:17:53 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-24 05:01:39 0 d-s---w- C:\ComboFix
2010-02-24 04:21:07 98816 ----a-w- c:\windows\sed.exe
2010-02-24 04:21:07 77312 ----a-w- c:\windows\MBR.exe
2010-02-24 04:21:07 261632 ----a-w- c:\windows\PEV.exe
2010-02-24 04:21:07 161792 ----a-w- c:\windows\SWREG.exe
2010-02-24 04:03:57 0 d-----w- c:\program files\Trend Micro
2010-02-24 03:19:13 0 d-----w- c:\programdata\F-Secure
2010-02-24 02:12:04 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-24 02:12:02 0 d-----w- c:\program files\Panda Security
2010-02-24 02:06:45 0 d-----w- c:\programdata\Sun
2010-02-24 02:05:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-22 23:33:35 0 d-----w- c:\users\admini~1\appdata\roaming\Malwarebytes
2010-02-22 23:33:29 0 d-----w- c:\programdata\Malwarebytes
2010-02-22 13:15:51 0 d-----w- c:\programdata\Symantec
2010-02-22 07:15:17 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-22 07:15:17 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-02-22 07:15:14 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-02-22 07:15:11 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-22 07:15:11 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-22 07:15:11 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-22 07:15:10 0 d-----w- c:\program files\Symantec
2010-02-22 07:15:10 0 d-----w- c:\program files\common files\Symantec Shared
2010-02-22 07:14:39 0 d-----w- c:\windows\system32\drivers\N360
2010-02-22 07:14:38 0 d-----w- c:\program files\Norton Security Suite
2010-02-22 07:14:37 0 d-----w- c:\programdata\Norton
2010-02-22 07:10:13 0 d-----w- c:\programdata\NortonInstaller
2010-02-22 07:10:13 0 d-----w- c:\program files\NortonInstaller
2010-02-20 08:10:43 65536 --sha-w- c:\users\administrator\NTUSER.DAT{4bdb0418-1df7-11df-a79b-002215f15fce}.TM.blf
2010-02-20 08:10:43 524288 --sha-w- c:\users\administrator\NTUSER.DAT{4bdb0418-1df7-11df-a79b-002215f15fce}.TMContainer00000000000000000002.regtrans-ms
2010-02-20 08:10:43 524288 --sha-w- c:\users\administrator\NTUSER.DAT{4bdb0418-1df7-11df-a79b-002215f15fce}.TMContainer00000000000000000001.regtrans-ms
2010-02-10 06:10:10 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-10 06:10:10 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 06:10:07 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 06:10:07 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 06:10:02 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-10 06:10:02 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-02-10 06:09:58 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-02-10 06:09:58 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-10 06:09:58 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-10 06:09:58 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-10 06:09:58 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-10 06:09:58 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-10 06:09:58 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-02-10 06:09:58 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-10 06:09:58 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-10 06:09:55 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-10 06:09:55 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-02 14:56:39 0 d-----w- c:\program files\iPod
2010-02-02 14:56:37 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-02-22 07:15:12 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-22 07:15:12 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-22 07:15:12 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-21 08:03:20 74776 ----a-w- c:\windows\War3Unin.dat
2010-01-03 05:39:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_lgSSBW_01_00_00.Wdf
2010-01-03 05:39:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_lgSSQVGA_01_00_00.Wdf
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-28 08:24:03 1648462032 ----a-w- c:\program files\MSSetupv80.exe
2009-12-14 10:26:35 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-13 01:04:31 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-12-01 01:02:40 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-12-01 01:02:38 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-16 09:16:17 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 22:28:26.75 ===============

I tried to run ComboFix, but it said "rootkit detected, rebooting computer!"

Do I have a rootkit? Is that what is keeping me from downloading all these programs, not letting me update software, or use online scans?

Here is a HijackThis scan log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:15 PM, on 2/23/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\WMPSideShowGadget.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dealextreme.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{635BFBF1-301B-41BB-992D-95D7444CEC26}: NameServer = 93.188.163.155,93.188.161.59
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA957182-82DF-4EAA-987B-AA0D04F43278}: NameServer = 93.188.163.155,93.188.161.59
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.155,93.188.161.59
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.155,93.188.161.59
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.155,93.188.161.59
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7098 bytes
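The HijackThis log above lists several O17 entries, which are the DNS resolver (NameServer) settings under the TCP/IP registry keys. As an added example (not code from the thread, from HijackThis or from any of the tools named here), the script below parses O17 lines in that log format and reports any resolver that is neither a private router address nor on an allow-list you supply; the embedded excerpt and the allow-list are constructed for illustration, and the last O17 line in the excerpt is invented to show a resolver that passes the check. Addresses it flags are simply ones to verify against what the ISP or router should be handing out.

```python
import re
from ipaddress import ip_address

# Constructed excerpt in the HijackThis 2.0.2 log shape; the last O17 line is
# invented here to show a resolver that passes the check.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dealextreme.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{635BFBF1-301B-41BB-992D-95D7444CEC26}: NameServer = 93.188.163.155,93.188.161.59
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.155,93.188.161.59
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

# One HijackThis O17 line: "O17 - <registry key>: NameServer = a.b.c.d[,e.f.g.h]"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>\S+)\s*$")


def parse_o17(log_text):
    """Return [(registry_key, [server, ...]), ...] for every O17 line in the log."""
    entries = []
    for raw in log_text.splitlines():
        m = O17_RE.match(raw.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            entries.append((m.group("key"), servers))
    return entries


def classify(server):
    """'private' for RFC 1918 / loopback / link-local (typically the home router),
    'public' for routable addresses, 'invalid' for anything that is not an IP."""
    try:
        addr = ip_address(server)
    except ValueError:
        return "invalid"
    return "private" if addr.is_private else "public"


def flag_unexpected(entries, allowed):
    """Keep only entries naming a resolver that is neither private nor on the allow-list."""
    allowed = set(allowed)
    flagged = []
    for key, servers in entries:
        bad = [s for s in servers if s not in allowed and classify(s) != "private"]
        if bad:
            flagged.append((key, bad))
    return flagged


def review(log_text, allowed=()):
    """Summarise what a reviewer needs: how many O17 keys exist, how many need a
    second look, and the distinct resolver addresses to verify with the ISP."""
    entries = parse_o17(log_text)
    flagged = flag_unexpected(entries, allowed)
    return {
        "o17_count": len(entries),
        "flagged_count": len(flagged),
        "unexpected_servers": sorted({s for _, bad in flagged for s in bad}),
    }


if __name__ == "__main__":
    # Empty allow-list: every public resolver is reported for manual verification.
    for key, bad in flag_unexpected(parse_o17(SAMPLE_LOG), ()):
        print(f"verify resolver(s) {', '.join(bad)} set under {key}")
    print(review(SAMPLE_LOG))
```

Once the ISP's resolvers are confirmed, pass them as `allowed` and only entries pointing elsewhere are reported.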

Before I go through the logs I am somewhat confused here. In post #15 you said

I have used my other clean computer to download Malwarebytes, updated the program, then plugged it into my infected computer, but it only showed up as the old version.

The MBA-M log you just ran does NOT show it is the old version, it shows it is the current version. The Database is out of date but not the program itself. Did you attempt to Update the program ON the infected computer before running?
Also, who told you to run Combofix? I certainly didn't. Please don't attempt to do this unless you are first told to do so. You need to remove that Combofix from the computer. If it is decided LATER that it needs to be run then a new copy would be required, as it cannot be run a second time unless it is done so in a specific way, and since you already tried, this one cannot be re-used.
Nothing is showing in the Panda Scan except cookies.

I would like you to try to update that MBA-M program and run it again. Remove all that is found. Post back here with the log.

One more question: you clearly state in your first post here:

I have mcafee, so far it will not delete the programs, it will not do anything to them.

However, McAfee doesn't show here, Norton is the program that shows in the HJT log.

thanks for getting back to me,

What I had to do the other day was get on my uninfected computer, download Malwarebytes, and save the program on my desktop. Then I emailed Malwarebytes to myself and loaded it onto my infected computer. I scanned my computer before coming to this website using a Malwarebytes I found on a Google search, then uninstalled it thinking the program was not the same as the one you listed, and tried to install the Malwarebytes from the link you listed in #2, but it would not let me, so I had to email the program to myself.

As far as me using McAfee, I get it free through Comcast, but it stopped working (go figure!). Then I logged onto comcast.net to find out what the heck happened; it turns out they switched to Norton antivirus, McAfee was no longer working for me, so I uninstalled McAfee, then installed Norton.

Norton found 16 files (if I am not mistaken) and deleted them all.


Here is the most current log from Malwarebytes. Sorry for the confusion, and thank you for the help.

I just wanted to post the first log up, the one that had a list, because the 2nd scan said nothing was found. I just wanted you to see what I had, in case it would help you out.

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

2/23/2010 6:38:47 PM
mbam-log-2010-02-23 (18-38-47).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|M:\|)
Objects scanned: 224641
Time elapsed: 57 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

You still have not updated MBA-M. The database version is the one which comes with the install file. You need to update it to the newest database version which is 3782 and do the scan again. The scan you just posted was done about 40 minutes after the last one was completed.
You must always check for updates each and every time you run MBA-M. It very often has 2 or more updates daily, very often one right after the other, so if you run a second scan you should always check to be sure there has not been an update. But this database version IS the original from when the program version was released several months ago, so this has never been updated.

Holland, thanks.

I try and try to update it any way I can, but it says I have no internet connection and gives me an error code 732 (12007, 0).

It asks me to contact the support team with the code, so I tried; I log onto the website, and it says I have no internet connection, and will close the page.

I don't know how I can get an updated version. I have tried going to my uninfected computer, downloading the program, updating it, emailing all the updated files to myself, then locating the files in my program files and replacing them all and re-running it, but the version STILL stays the same, so I don't know what to do from here.

thanks!

Good morning, I can re-run Malwarebytes if you would like, Holland.

Well this thing is an absolute bear I will say that. Now I want you to do these steps using the infected computer, don't mail them from the other one.
What is obviously happening is this "nasty" has something working in the background that is putting a stop to whatever is tried so you have to try to get IT stopped so you can go forward and get it off there.
First of all I want you to remove all copies of MBA-M from the infected computer using first Add/Remove and then restart the computer. Next download and run this utility. mbam-clean.exe
It will ask to restart your computer (please allow it to).
Next follow these instructions:
You are going to have to use this little program called rkill which stops the infection from running in the background and then hopefully you can get it off of there.
These are instructions from bleepingcomputer for the running of rkill


Download
rkill.com

Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the infection when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the infection. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the guide. If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.
Do not reboot your computer after running rkill as the malware programs will start again.

Now download a new copy of MBA-M
again steps from bleepingcomputer

Double click mbam.exe to install and follow the prompts.
Do not make any changes to default settings and when the program has finished installing and is at the last screen, make sure you uncheck both of the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware check boxes. Then click on the Finish button. If Malwarebytes' prompts you to reboot, please do not do so.
If you receive a code 2 error while installing Malwarebytes', please press the OK button to close these errors; they will be resolved later.
As this infection deletes a core executable of Malwarebytes' we will need to download a new copy of it and put it in the C:\program files\Malwarebytes' Anti-Malware\ folder. To download the file please click on the following link: Malwarebytes' EXE Download
When your browser prompts you where to save it to, please save it to the C:\program files\Malwarebytes' Anti-Malware\ folder. When downloading the file, it will have a random filename. Please leave the filename the way it is as it is important that it is not changed. You may want to write down the name of the file as you will need to know the name in the next step. Once the file has been downloaded, open the C:\program files\Malwarebytes' Anti-Malware\ folder and double-click on the file you downloaded. The main screen of the program will open and you will now need to update this program.
Malwarebytes' will now check for new updates and download and install them as necessary. When the update is completed, you will be prompted with a message stating either that you already have the latest updates or that they have been updated. Either way, you should now click on the OK button to continue.
Now click on the Scanner tab and make sure the Perform full scan option is selected. Then click on the Scan button to start scanning your computer. When the scan is completed then have it REMOVE ALL items found. It should remove the files and request a reboot. Now it should be ok to reboot.

Post back here either with difficulties encountered or HOPEFULLY the new log and I will tell you what to do next.
Judy

Judy, I am sorry, but it will not let me download mbam-clean.exe, it says I have no internet connection, then I have to shut the page down.

What should I do from here?

Sorry.


Erick.

Forget that for now, move onto the rkill instructions. If that DOES work THEN try that mbam-clean.exe first.

If you can't get the rkill files to download onto the infected computer then do as you did before and use the good computer and email to the other.
Are you absolutely certain that it is the infection blocking and not a firewall or some setting in the browser?

I was able to use rkill, the program was done in less than 10 seconds,
then a white notepad page popped up, here is what was on it.
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Administrator on 02/24/2010 at 18:41:31.


Processes terminated by Rkill or while it was running:


C:\Windows\system32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Users\Administrator\Desktop\rkill.com


Rkill completed on 02/24/2010 at 18:41:35.

2nd scan.
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Administrator on 02/24/2010 at 18:48:09.


Processes terminated by Rkill or while it was running:


C:\Users\Administrator\Desktop\rkill.com


Rkill completed on 02/24/2010 at 18:48:14.

I was able to download Malwarebytes this time, but it will not let me update the program. It says I have no internet connection again.
