[Resolved] wallpaper that wont go away, malware, problems!


  • This topic is locked
70 replies to this topic

#16 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 01 February 2010 - 09:58 PM

Hi,

Please try this:

Please boot back into the OTLPE and open OTL


Under the Custom Scans/Fixes type this in:

:Files
C:\Windows\system32\drivers\usbhub.sys|C:\WINDOWS\ServicePackFiles\i386\usbhub.sys /replace

It has to be exactly as shown:

Then press Run Fix; the fix should only take a moment.

If you think it will be easier than trying to type it out exactly, you can run this fix from a USB:


Copy and Paste that fix into Notepad.

Save the file as fix.txt onto your USB
  • Click the red Run Fix button.
  • You should be presented with a message "No Fix has been Provided! Do you want to load it from a file? Click Yes.
  • Browse to the fix.txt file on your USB stick, and click Open. The fix will then appear in the Custom Scans/Fixes window.
  • Click the red Run Fix button again.



Now try rebooting normally

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015



#17 dzmr5s

dzmr5s

    Authentic Member

  • Authentic Member
  • PipPip
  • 54 posts

Posted 01 February 2010 - 10:38 PM

I tried the first time to no avail and then received your PM and tried that, but also to no avail. I get the same error. I double-checked that I typed it exactly and also copied and pasted it.

#18 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 01 February 2010 - 10:51 PM

OK, let's navigate there and do it manually. Go back into OTLPE.

First I want to make sure you have the service pack files accessible to you and that usbhub.sys exists there. Navigate to C:\WINDOWS\ServicePackFiles\i386. Bottom left of the ReatoGo GUI is a small Windows-type symbol: that's your start button.

  • Go to Start > My Computer > C:\ local files > windows > Service pack files > i386
  • Locate usbhub.sys. If it is there, right-click it and choose Copy.
  • Now back out of that folder and head to the c:\windows\system32\drivers folder.
  • Locate the usbhub.sys file, right-click on it and choose "Rename". Rename it to usbhub.sys.old.
  • Now right-click in the space beside that file and choose "Paste". The file you previously copied from the i386 folder will now be in the drivers folder.
  • Exit and reboot normally.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#19 dzmr5s

dzmr5s

    Authentic Member

  • Authentic Member
  • PipPip
  • 54 posts

Posted 01 February 2010 - 11:07 PM

Success!! :thumbup: I am back to my infected desktop.

#20 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 01 February 2010 - 11:13 PM

Awesome :thumbup: (many, many thanks to expert noahdfear for his behind-the-scenes assistance). We need to run ComboFix again. Allow it to update if it asks. We won't have the non-boot issue again, as we have renamed the infected driver that caused it, but you have a lot of slime remaining on your system that we need to get rid of. Make sure your security programs are disabled and allow it to run uninterrupted, then post the resulting log.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#21 dzmr5s

dzmr5s

    Authentic Member

  • Authentic Member
  • PipPip
  • 54 posts

Posted 01 February 2010 - 11:21 PM

ok! Thank you to you both!!!!!!!!

#22 dzmr5s

dzmr5s

    Authentic Member

  • Authentic Member
  • PipPip
  • 54 posts

Posted 01 February 2010 - 11:50 PM

Ran successfully and rebooted.

There is a Windows message stating that new devices were installed and I need to reboot to update software.

Here is the log file:

ComboFix 10-01-31.05 - Chad 02/02/2010 0:23.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1532 [GMT -5:00]
Running from: c:\documents and settings\Chad\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100131-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chad\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
c:\documents and settings\Chad\Start Menu\Internet Security 2010.lnk
c:\program files\InternetSecurity2010
c:\program files\InternetSecurity2010\IS2010.exe
C:\Thumbs.db
C:\U.exe
c:\windows\system32\11478.exe
c:\windows\system32\11538.exe
c:\windows\system32\11942.exe
c:\windows\system32\12382.exe
c:\windows\system32\14604.exe
c:\windows\system32\14771.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\17421.exe
c:\windows\system32\18467.exe
c:\windows\system32\1869.exe
c:\windows\system32\18716.exe
c:\windows\system32\19169.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\19912.exe
c:\windows\system32\21238.exe
c:\windows\system32\21726.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\32391.exe
c:\windows\system32\3902.exe
c:\windows\system32\41.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\helper32.dll
c:\windows\system32\smss32.exe
c:\windows\system32\warning.html
c:\windows\system32\winlogon32.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-02 to 2010-02-02 )))))))))))))))))))))))))))))))
.

2010-01-31 13:05 . 2010-01-31 22:23 0 ----a-w- c:\windows\system32\41.exe.vir
2010-01-24 00:19 . 2010-01-24 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-23 14:49 . 2010-01-23 14:49 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-13 12:35 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-29 15:14 . 2008-05-10 15:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-26 01:12 . 2009-11-24 19:39 79488 ----a-w- c:\documents and settings\Miranda\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-25 16:20 . 2009-11-25 13:34 79488 ----a-w- c:\documents and settings\Chad\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-24 01:55 . 2008-04-11 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-23 23:49 . 2009-04-07 01:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-23 23:47 . 2010-01-23 23:47 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-21 15:48 . 2008-04-14 04:07 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-07 21:07 . 2009-04-07 01:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-04-07 01:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2006-06-23 18:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-11-28 04:31 . 2009-09-22 03:31 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-24 23:54 . 2009-04-04 14:42 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-04-04 14:43 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-04-04 14:43 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-04-04 14:43 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-04-04 14:43 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-04-04 14:43 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-04-04 14:43 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-04-04 14:43 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-04-04 14:43 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 15:51 . 2003-03-31 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-15 21:11 . 2009-11-15 21:11 1961720 ----a-w- c:\documents and settings\Miranda\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2008-04-11 02:32 . 2008-04-11 02:32 0 --sh--w- c:\windows\S6E39F38B.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-05 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-22 520024]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-04 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-01 14:21 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-03-30 17:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-07-18 21:55 451872 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/13/2009 10:31 PM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/4/2009 9:43 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/4/2009 9:43 AM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1028432]
S3 L6PODX3LV;POD X3 Live Service;c:\windows\system32\drivers\L6PODX3LV.sys [4/13/2008 9:30 PM 530560]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-07-18 21:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:31]

2010-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2010-02-02 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: buy-internet-security10.com
Trusted Zone: is-soft-download.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: line6.net
Trusted Zone: buy-internet-security10.com
FF - ProfilePath - c:\documents and settings\Chad\Application Data\Mozilla\Firefox\Profiles\hy7chk1p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Chad\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TrendSecure Remote File Lock - c:\program files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
HKCU-Run-smss32.exe - c:\windows\system32\smss32.exe
HKLM-Run-DXDllRegExe - dxdllreg.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-02 00:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2648)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Photodex\ProShowGold\ScsiAccess.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2010-02-02 00:41:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-02 05:41

Pre-Run: 14,951,632,896 bytes free
Post-Run: 16,301,748,224 bytes free

- - End Of File - - D881963DF7855A3A263FA0879AD6CC11

#23 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 02 February 2010 - 12:31 AM

Hi,

Please do the following:


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
c:\windows\system32\41.exe.vir
c:\windows\S6E39F38B.tmp
c:\windows\system32\drivers\usbhub.sys.old

DDS::
Trusted Zone: buy-internet-security10.com
Trusted Zone: is-soft-download.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: line6.net
Trusted Zone: buy-internet-security10.com

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save this as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Go Start > Run and type cmd into the Run box and click OK:

Paste the following into the open command window:

PEV "c:\windows\system32\config\*.sav" >Log.txt
start notepad log.txt



Post the contents of Log.txt in your next reply.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
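
Added example (my own code, not ComboFix's, OTL's or the helper's): a small Python parser for the ComboFix log layout posted above that does mechanically what post #23 does by hand, lifting the "Trusted Zone:" lines into a DDS:: block and zero-byte leftovers into a File:: block. The section-header and entry regexes are my assumptions from the posted log, the embedded excerpt is constructed from it, and the zero-byte heuristic is mine; the renamed driver is added by hand because it never appears in the log.

```python
"""Draft CFScript sections from a ComboFix log (added example, not a ComboFix feature)."""
from __future__ import annotations

import re

# Constructed excerpt modelled on the log posted in the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\11478.exe
c:\windows\system32\smss32.exe
c:\windows\system32\winlogon32.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-02 to 2010-02-02 )))))))))))))))))))))))))))))))
.

2010-01-31 13:05 . 2010-01-31 22:23 0 ----a-w- c:\windows\system32\41.exe.vir
2010-01-24 00:19 . 2010-01-24 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-13 12:35 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: buy-internet-security10.com
Trusted Zone: is-soft-download.com
Trusted Zone: line6.net
Trusted Zone: buy-internet-security10.com
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-smss32.exe - c:\windows\system32\smss32.exe
"""

# Assumed header shapes: "(((( Name ))))" and "---- Name ----" (also "- - - - Name - - - -").
PAREN_HDR = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}$")
DASH_HDR = re.compile(r"^[- ]{3,}([A-Za-z].*?)[- ]{3,}$")
# Assumed entry shape: "<mtime> . <ctime> <size|--------> <8 attr flags> <path>".
ENTRY_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


def parse_sections(log: str) -> dict[str, list[str]]:
    """Split the log into {section name: non-empty content lines}."""
    sections: dict[str, list[str]] = {}
    current = "preamble"
    for raw in log.splitlines():
        line = raw.strip()
        m = PAREN_HDR.match(line) or DASH_HDR.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line in ("", "."):  # ComboFix pads sections with lone dots
            continue
        sections.setdefault(current, []).append(line)
    return sections


def trusted_zones(log: str) -> list[str]:
    """Domains listed as IE Trusted Zone entries, first-seen order, de-duplicated."""
    seen: list[str] = []
    for line in parse_sections(log).get("Supplementary Scan", []):
        if line.startswith("Trusted Zone:"):
            domain = line.split(":", 1)[1].strip()
            if domain not in seen:
                seen.append(domain)
    return seen


def zero_byte_files(log: str) -> list[str]:
    """Paths in the file-listing sections whose size column is 0 (remnants such as 41.exe.vir)."""
    found: list[str] = []
    for name, lines in parse_sections(log).items():
        if not (name.startswith("Files Created") or name == "Find3M Report"):
            continue
        for line in lines:
            m = ENTRY_RE.match(line)
            if m and m.group("size") == "0":
                found.append(m.group("path"))
    return found


def build_cfscript(files: list[str], zones: list[str]) -> str:
    """Render File:: and DDS:: sections in the CFScript layout used in the thread."""
    out: list[str] = []
    if files:
        out += ["File::", *files, ""]
    if zones:
        out += ["DDS::", *(f"Trusted Zone: {z}" for z in zones), ""]
    return "\n".join(out)


if __name__ == "__main__":
    # The renamed driver came from the manual step in post #18, not from the log.
    manual = [r"c:\windows\system32\drivers\usbhub.sys.old"]
    print(build_cfscript(zero_byte_files(SAMPLE_LOG) + manual, trusted_zones(SAMPLE_LOG)))
```

A reviewer still has to judge each entry (line6.net is a hardware vendor's domain that was simply swept up with the rogue ones), so treat the output as a draft, not a fix to run unread.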


#24 dzmr5s

dzmr5s

    Authentic Member

  • Authentic Member
  • PipPip
  • 54 posts

Posted 02 February 2010 - 01:20 AM

here you go:

ComboFix 10-01-31.05 - Chad 02/02/2010 2:01.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1494 [GMT -5:00]
Running from: c:\documents and settings\Chad\Desktop\ComboFix.exe
Command switches used :: G:\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100131-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\S6E39F38B.tmp"
"c:\windows\system32\41.exe.vir"
"c:\windows\system32\drivers\usbhub.sys.old"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\41.exe.vir
c:\windows\system32\drivers\usbhub.sys.old
c:\windows\S6E39F38B.tmp . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-01-02 to 2010-02-02 )))))))))))))))))))))))))))))))
.

2010-01-24 00:19 . 2010-01-24 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-23 14:49 . 2010-01-23 14:49 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-13 12:35 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-02 07:05 . 2010-02-02 07:05 0 ------w- c:\windows\S6E39F38B.tmp
2010-01-29 15:14 . 2008-05-10 15:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-26 01:12 . 2009-11-24 19:39 79488 ----a-w- c:\documents and settings\Miranda\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-25 16:20 . 2009-11-25 13:34 79488 ----a-w- c:\documents and settings\Chad\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-24 01:55 . 2008-04-11 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-23 23:49 . 2009-04-07 01:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-23 23:47 . 2010-01-23 23:47 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-21 15:48 . 2008-04-14 04:07 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-07 21:07 . 2009-04-07 01:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-04-07 01:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2006-06-23 18:33 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-11-28 04:31 . 2009-09-22 03:31 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-24 23:54 . 2009-04-04 14:42 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-04-04 14:43 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-04-04 14:43 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-04-04 14:43 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-04-04 14:43 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-04-04 14:43 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-04-04 14:43 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-04-04 14:43 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-04-04 14:43 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 15:51 . 2003-03-31 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-15 21:11 . 2009-11-15 21:11 1961720 ----a-w- c:\documents and settings\Miranda\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-05 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-22 520024]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-04 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-01 14:21 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-03-30 17:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-07-18 21:55 451872 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/13/2009 10:31 PM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/4/2009 9:43 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/4/2009 9:43 AM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1028432]
S3 L6PODX3LV;POD X3 Live Service;c:\windows\system32\drivers\L6PODX3LV.sys [4/13/2008 9:30 PM 530560]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-07-18 21:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:31]

2010-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2010-02-02 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Chad\Application Data\Mozilla\Firefox\Profiles\hy7chk1p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Chad\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-02 02:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1476)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Photodex\ProShowGold\ScsiAccess.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2010-02-02 02:13:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-02 07:13
ComboFix2.txt 2010-02-02 05:41

Pre-Run: 16,329,785,344 bytes free
Post-Run: 16,255,877,120 bytes free

- - End Of File - - 71CC4AC3925DB57CAB039C85683F6DE1


c:\windows\system32\config\default.sav
c:\windows\system32\config\software.sav
c:\windows\system32\config\system.sav
c:\windows\system32\config\tvoogt8h.sav

#25 dzmr5s

dzmr5s

    Authentic Member

  • Authentic Member
  • PipPip
  • 54 posts

Posted 02 February 2010 - 01:26 AM

calling it a night! I will check back in the morning........or maybe closer to noon! :D



#26 dzmr5s

dzmr5s

    Authentic Member

  • Authentic Member
  • PipPip
  • 54 posts

Posted 02 February 2010 - 10:16 AM

As of right now, everything is running great! Is there still more to do? btw, how do you do it? I noticed you were posting early this morning and you were helping me very late last night!!

#27 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 02 February 2010 - 10:28 AM

btw, how do you do it? I noticed you were posting early this morning and you were helping me very late last night!!


sleep - what's that :lol:

Yes, there is more to do:

We want to make sure there is nothing more on your machine.

Please do the following:


Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "c:\windows\system32\config\tvoogt8h.sav"


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


Also, I'm just curious where this is coming from: do you have any idea where you might have picked up that max++ infection that showed in GMER...

Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [268] 0x35670000

were you downloading dodgy files or visiting where you probably shouldn't have been?

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
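The GMER line quoted above is worth understanding: Explorer.EXE has a hidden module mapped into it whose path is a UNC path under a bare IP address, which is how the max++ / ZeroAccess family pulls its payload in. As an added example (not CatByte's tool, not part of this thread, and not GMER's own code), the script below parses "Library" lines in that layout and flags modules that are hidden from the Windows API or loaded from a network path. The log text is constructed for the example; only its first line is the entry quoted in the post, and the line layout it expects is an assumption taken from that single line.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of GMER "Library" output. The first line is the entry the
# thread quotes; the other two are invented here for contrast (a normal system
# DLL, and a hidden module loaded from a local path).
SAMPLE_GMER_LOG = r"""
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [268] 0x35670000
Library C:\WINDOWS\system32\kernel32.dll @ C:\WINDOWS\Explorer.EXE [268] 0x7C800000
Library C:\WINDOWS\system32\drivers\evil.dll (*** hidden *** ) @ C:\WINDOWS\svchost.exe [1044] 0x10000000
"""

# Assumed line layout: Library <path> [(<flags>)] @ <process> [<pid>] <base>
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<path>.+?)\s+"
    r"(?:\((?P<flags>[^)]*)\)\s+)?"
    r"@\s+(?P<process>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)\s*$"
)
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class LoadedModule:
    path: str
    hidden: bool
    process: str
    pid: int
    base: int


def parse_gmer_libraries(text: str) -> List[LoadedModule]:
    """Parse GMER 'Library ... @ process [pid] base' lines; skip anything else."""
    modules = []
    for line in text.splitlines():
        m = LIBRARY_RE.match(line.strip())
        if not m:
            continue
        flags = (m.group("flags") or "").lower()
        modules.append(LoadedModule(
            path=m.group("path"),
            hidden="hidden" in flags,
            process=m.group("process"),
            pid=int(m.group("pid")),
            base=int(m.group("base"), 16),
        ))
    return modules


def remote_host(path: str) -> Optional[str]:
    """Return the host part of a UNC path, or None for a local path."""
    m = UNC_RE.match(path)
    return m.group("host") if m else None


def module_findings(mod: LoadedModule) -> List[str]:
    """Reasons this module deserves a closer look; an empty list means nothing odd."""
    reasons = []
    if mod.hidden:
        reasons.append("hidden from the Windows API (rootkit-style concealment)")
    host = remote_host(mod.path)
    if host is not None:
        reasons.append(f"loaded from a network path on host {host}")
        if IPV4_RE.match(host):
            reasons.append("remote host is a bare IPv4 address, not a named server")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map 'process[pid] path' to findings for every suspicious module in a log."""
    result = {}
    for mod in parse_gmer_libraries(text):
        reasons = module_findings(mod)
        if reasons:
            result[f"{mod.process}[{mod.pid}] {mod.path}"] = reasons
    return result


if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_GMER_LOG).items():
        print(key)
        for reason in reasons:
            print("   -", reason)
```

Run against a saved GMER log, the output lists each flagged module with why it was flagged; kernel32.dll in the sample produces nothing, while the max++ entry is reported for all three reasons. The parser is deliberately strict about the line layout so that unrelated GMER sections are ignored rather than misread.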


#28 dzmr5s (Authentic Member, 54 posts)

Posted 02 February 2010 - 10:45 AM

Malwarebytes is running...... Honestly, I have no idea! Neither my wife nor I visit any risky sites! I do a lot of searching for information for school, but nothing out of the ordinary. I am usually very careful, as this is really the first infection that I have knowingly had. There was something odd though. The day before I first had the infection, we got a phone call and someone said there was a problem with my computer and they wanted me to go to it so they could help me fix it. I told them there was nothing wrong with my computer and they said "maybe not today, but there will be tomorrow!" They kept persisting that I would have a problem and I told them I wasn't interested. They wouldn't tell me who they were or who they were with and the caller ID was blocked. Oddly enough, the next day my wife called and said there is something wrong with the computer. I just figured it was all a coincidence. The item you posted has an IP address in it, doesn't it? When you look up that address it says it is in the Cayman Islands and there are a lot of people looking it up. Could any of my personal info be at risk? (banking, credit cards, etc.)

Malwarebytes' Anti-Malware 1.44
Database version: 3679
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2/2/2010 11:41:48 AM
mbam-log-2010-02-02 (11-41-48).txt

Scan type: Quick Scan
Objects scanned: 122409
Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

#29 CatByte (Classroom Administrator, 21,060 posts, MVP)

Posted 02 February 2010 - 11:06 AM

There are a lot of telephone scams, so that could be coincidental. I've not heard of anyone remotely being able to infect a machine.

Here's one example of the scam:

http://ctaspley.word...the-fine-print/

The IP address you are referring to is always present with this infection.

As a precaution, I would definitely change all your online passwords and notify all your financial institutions of what has happened, and that your personal information may have been compromised - all you can do is keep a watch on things for a while.



#30 dzmr5s (Authentic Member, 54 posts)

Posted 02 February 2010 - 11:42 AM

Kaspersky is running..... That is what I thought concerning the phone scam. I am sure no one wants to admit going to risky sites, but we really don't! I used to download music every once in a while, but I have not done that for a long time. She said she was surfing Google shopping results when it first showed up. Can you recommend any really good virus software, or anything else I can do to make it harder to be infected again?
