
[Closed] Malwarebytes Targeted, Same problem as before despite new har


  • This topic is locked
58 replies to this topic

#16 CatByte (Classroom Administrator, 21,059 posts, MVP)

Posted 12 October 2009 - 06:42 AM

Hi, delete the copy of combofix that you have from your desktop, download a fresh copy from one of the previous links provided. Now boot into safe mode and run it. There is always a risk involved, but if we can get ComboFix to run, it should delete the infection from your computer and you should be able to boot normally. The problem is McAfee is known to interfere with it, so end as much as you can that is McAfee related in Task Manager and hopefully it will be enough to get ComboFix to run.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015



#17 Mirrodin (Authentic Member, 37 posts)

Posted 12 October 2009 - 12:26 PM

Okay, I'll try it.

#18 Mirrodin (Authentic Member, 37 posts)

Posted 12 October 2009 - 09:41 PM

ComboFix 09-10-12.02 - jmart366 10/12/2009 23:09.2.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.758.602 [GMT -4:00]
Running from: c:\documents and settings\jmart366\My Documents\Downloads\MonkeysProgram.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\fumesawi.dll
c:\windows\system32\pigagoza.dll
c:\windows\system32\resejepi.dll
.
---- Previous Run -------
.
c:\windows\Installer\76450.msp
c:\windows\Installer\76465.msp
c:\windows\Installer\7647a.msp
c:\windows\Installer\7648f.msp
c:\windows\Installer\WinRMSrv.msi
c:\windows\system32\msnmsg.exe
c:\windows\system32\setup.ini
c:\windows\system32\wohahibe.dll

----- BITS: Possible infected sites -----

hxxp://193.33.61.160
.
((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.

2009-10-10 23:49 . 2009-10-10 23:50 -------- d-----w- c:\program files\Fighters
2009-10-10 23:49 . 2009-10-10 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Fighters
2009-10-10 01:07 . 2009-10-10 01:07 -------- d-----w- c:\documents and settings\jmart366\Application Data\Windows Search
2009-10-09 22:06 . 2009-10-09 22:06 -------- d-----w- c:\program files\ERUNT
2009-10-09 21:27 . 2009-10-11 18:21 -------- d-----w- C:\QUARANTINE
2009-10-09 18:14 . 2009-10-09 18:14 -------- d-----w- c:\program files\ASIO4ALL v2
2009-10-09 18:14 . 2009-10-09 18:14 -------- d-----w- c:\program files\VstPlugins
2009-10-09 18:14 . 2006-06-20 08:56 225280 ----a-w- c:\windows\system32\rewire.dll
2009-10-09 18:13 . 2009-10-09 18:13 -------- d-----w- c:\program files\Outsim
2009-10-09 18:09 . 2009-10-09 18:14 -------- d-----w- c:\program files\Image-Line
2009-10-08 17:34 . 2004-08-04 04:56 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-10-07 21:31 . 2009-10-12 22:05 -------- d-----w- c:\documents and settings\jmart366\Application Data\LimeWire
2009-10-07 21:30 . 2009-10-07 21:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-07 21:29 . 2009-10-07 21:29 -------- d-----w- c:\program files\Java
2009-10-07 21:29 . 2009-10-07 21:30 -------- d-----w- c:\program files\LimeWire
2009-10-07 21:24 . 2009-10-07 21:26 -------- d-----w- c:\documents and settings\jmart366\Application Data\Apple Computer
2009-10-07 21:23 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-07 21:23 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-10-07 21:22 . 2009-10-07 21:22 -------- d-----w- c:\program files\iPod
2009-10-07 21:22 . 2009-10-07 21:23 -------- d-----w- c:\program files\iTunes
2009-10-07 21:22 . 2009-10-07 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-07 21:22 . 2009-10-07 21:22 -------- d-----w- c:\program files\Bonjour
2009-10-07 21:20 . 2009-10-07 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-07 21:20 . 2009-10-07 21:20 -------- d-----w- c:\documents and settings\jmart366\Local Settings\Application Data\Apple
2009-10-07 21:20 . 2009-10-07 21:20 -------- d-----w- c:\program files\Apple Software Update
2009-10-07 21:18 . 2009-10-07 21:22 -------- d-----w- c:\program files\Common Files\Apple
2009-10-07 21:18 . 2009-10-07 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-07 21:18 . 2009-10-07 21:26 -------- d-----w- c:\documents and settings\jmart366\Local Settings\Application Data\Apple Computer
2009-10-07 21:02 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-07 21:01 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-07 19:56 . 2009-10-07 19:56 -------- d-----w- c:\documents and settings\jmart366\Application Data\Malwarebytes
2009-10-07 19:56 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-07 19:56 . 2009-10-07 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-07 19:56 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-07 19:56 . 2009-10-09 21:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-07 19:13 . 2009-10-10 21:24 -------- d-----w- c:\documents and settings\jmart366\Tracing
2009-10-07 19:11 . 2009-10-07 19:11 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-07 19:10 . 2009-10-07 19:11 -------- d-----w- c:\program files\Windows Live
2009-10-07 19:08 . 2009-10-07 19:09 -------- d-----w- c:\documents and settings\jmart366\Application Data\acccore
2009-10-07 19:08 . 2009-10-07 19:11 -------- d-----w- c:\documents and settings\jmart366\Local Settings\Application Data\AIM
2009-10-07 19:08 . 2009-10-07 19:08 -------- d-----w- c:\documents and settings\jmart366\Local Settings\Application Data\AOL
2009-10-07 19:07 . 2009-10-07 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2009-10-07 19:07 . 2009-10-07 19:07 -------- d-----w- c:\program files\AIM7
2009-10-07 19:07 . 2009-10-07 19:07 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-10-07 19:07 . 2009-10-07 19:07 -------- d-----w- c:\program files\Common Files\AOL
2009-10-07 18:36 . 2009-10-07 18:36 -------- d-----w- c:\documents and settings\jmart366\Local Settings\Application Data\Mozilla
2009-10-07 18:21 . 2009-10-07 18:21 -------- d-----w- c:\documents and settings\jmart366\Application Data\Avaya
2009-10-07 16:26 . 2009-10-07 18:21 76256 ----a-w- c:\documents and settings\jmart366\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 16:26 . 2005-05-10 18:56 136 ----a-w- c:\documents and settings\jmart366\Local Settings\Application Data\fusioncache.dat
2009-10-07 16:26 . 2009-10-07 16:26 -------- d-----w- c:\documents and settings\jmart366\Application Data\Intel
2009-10-07 16:25 . 2009-04-21 15:39 -------- d-----w- c:\documents and settings\jmart366\Application Data\ThinkVantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-09 21:53 . 2009-04-21 18:02 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-09 21:53 . 2009-04-21 17:29 -------- d-----w- c:\program files\Windows Desktop Search
2009-10-08 17:48 . 2008-08-06 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-07 21:21 . 2003-07-02 00:40 -------- d-----w- c:\program files\QuickTime
2009-10-07 19:11 . 2009-04-21 17:44 -------- d-----w- c:\program files\Microsoft
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-26 20:44 . 2009-07-26 20:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-09 21:26 . 2009-07-09 21:26 114688 --sha-w- c:\windows\system32\butawabe.dll.tmp
2009-07-10 23:23 . 2009-07-10 23:23 88576 --sha-w- c:\windows\system32\dehojaro.dll
2009-07-10 23:23 . 2009-07-10 23:23 51200 --sha-w- c:\windows\system32\hebowugi.dll
2009-07-11 18:21 . 2009-07-11 18:21 38400 --sha-w- c:\windows\system32\kegovada.dll
2009-07-09 21:26 . 2009-07-09 21:26 114688 --sha-w- c:\windows\system32\lagehogo.dll.tmp
2009-07-12 06:20 . 2009-07-12 06:20 38400 --sha-w- c:\windows\system32\lihujedo.dll
2009-07-12 18:22 . 2009-07-12 18:22 51712 --sha-w- c:\windows\system32\masahola.dll
2009-07-09 21:32 . 2009-07-09 21:32 1011112 --sha-w- c:\windows\system32\pijihaje.exe
2009-07-12 06:20 . 2009-07-12 06:20 88064 --sha-w- c:\windows\system32\runimuhu.dll
2009-07-10 23:23 . 2009-07-10 23:23 1011345 --sha-w- c:\windows\system32\sowimudu.exe
2009-07-12 18:20 . 2009-07-12 18:20 51712 --sha-w- c:\windows\system32\tagogire.dll
2009-07-11 18:21 . 2009-07-11 18:21 87552 --sha-w- c:\windows\system32\tanotuwo.dll
2009-07-12 18:20 . 2009-07-12 18:20 38400 --sha-w- c:\windows\system32\tarahasi.dll
2009-07-10 23:23 . 2009-07-10 23:23 172544 --sha-w- c:\windows\system32\tosofove.dll
2009-07-09 21:32 . 2009-07-09 21:32 69120 --sha-w- c:\windows\system32\wawebodo.dll
2009-07-09 21:32 . 2009-07-09 21:32 3 --sha-w- c:\windows\system32\yahetugi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2b6d7b0-a02f-48eb-9f08-f1ebbf51fb0a}]
2009-07-12 18:22 51712 --sha-w- c:\windows\system32\masahola.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM7\aim.exe" [2009-10-01 3634024]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 86016]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-01-05 176128]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-07-04 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-04 1323008]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-02-27 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2009-02-27 159744]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-24 237568]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-12-15 94208]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-02-24 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-02-24 208896]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-02-27 69632]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2006-02-24 106496]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 864256]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-09 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-09 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-09 131072]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-07 149280]
"spywarefighterguard"="c:\program files\Fighters\spywarefighter\SpywarefighterUser.exe" [2008-11-18 180872]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]

c:\documents and settings\jmart366\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-02-27 09:00 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2009-02-27 14:07 32768 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\Dot1XCfg.exe"=

R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [5/10/2005 12:45 PM 14208]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 5:50 AM 46144]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [5/10/2005 12:45 PM 6016]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 4:54 PM 37312]
R3 Vfscan;Vfscan;c:\windows\system32\drivers\vffilter.sys [11/18/2008 11:01 AM 15496]
S3 AM5211;11b/g Wireless LAN Mini PCI Adapter Service;c:\windows\system32\DRIVERS\am5211.sys --> c:\windows\system32\DRIVERS\am5211.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/15/2009 2:06 PM 64432]
.
Contents of the 'Scheduled Tasks' folder

2009-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-13 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-05-15 08:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cpprod.stjohns.edu/cp/home/loginf
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\jmart366\Application Data\Mozilla\Firefox\Profiles\al5onozg.default\
FF - prefs.js: browser.startup.homepage - hxxp://cpprod.stjohns.edu/cp/home/loginf
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MSPY2002 - c:\windows\System32\IME\PINTLGNT\ImScInst.exe
HKLM-Run-PHIME2002ASync - c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE
HKLM-Run-PHIME2002A - c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE
HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
HKLM-Run-veluhepoj - c:\windows\system32\fumesawi.dll
HKLM-Run-yojududabo - pigagoza.dll
SharedTaskScheduler-{6b943bbe-303e-4808-a237-a927d59a8f04} - c:\windows\system32\tibukiji.dll
SharedTaskScheduler-{846e8f70-9eba-4b36-bced-fc16998c4690} - c:\windows\system32\fumesawi.dll
SSODL-nugusivek-{6b943bbe-303e-4808-a237-a927d59a8f04} - c:\windows\system32\tibukiji.dll
SSODL-hitiwemun-{846e8f70-9eba-4b36-bced-fc16998c4690} - c:\windows\system32\fumesawi.dll
Notify-AtiExtEvent - (no file)
AddRemove-Remove Multimedia Center - c:\ibmtools\apps\recnow\sequencer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 23:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(1040)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\windows\system32\WININET.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll

- - - - - - - > 'explorer.exe'(5984)
c:\windows\system32\WININET.dll
c:\windows\system32\PROCHLP.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\mfevtps.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Fighters\ConfigService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
c:\windows\system32\searchindexer.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\Fighters\LicenseService.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\Fighters\UpdateService.exe
c:\program files\Fighters\ScannerService.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\ThinkPad\UltraNav Wizard\UNavTray.exe
c:\windows\system32\rundll32.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Fighters\Spywarefighter\SpywarefighterTray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-13 23:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-13 03:32

Pre-Run: 40,990,208,000 bytes free
Post-Run: 40,134,905,856 bytes free

321 --- E O F --- 2009-10-08 17:48


As for how the computer is running, everything appears to be okay, but I'm not sure. Malwarebytes' icon on the desktop had gone away and was replaced with just a normal program icon. It still hasn't returned to the old version.

#19 Mirrodin (Authentic Member, 37 posts)

Posted 13 October 2009 - 12:25 AM

Popups keep coming, so I don't think Combofix was able to fix the problem. Also, when I was running combofix in safe mode, the McAfee was still there. I exited it through Task Manager, but then Combofix would stop, after I pressed ok for it to go again. When I tried again, the computer had started McAfee, so again, the only way I was able to run Combofix was by letting it go while McAfee was running.

#20 CatByte (Classroom Administrator, 21,059 posts, MVP)

Posted 13 October 2009 - 02:26 AM

Hi,

Please do the following:

Run this script in normal mode, end process of McAfee in Task Manager:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/Malwarebytes_Targeted_Same_problem_before_despite_new_hard_drive_t107509.html&view=findpost&p=602584#entry602584

Collect::
c:\windows\system32\butawabe.dll.tmp
c:\windows\system32\dehojaro.dll
c:\windows\system32\hebowugi.dll
c:\windows\system32\kegovada.dll
c:\windows\system32\lagehogo.dll.tmp
c:\windows\system32\lihujedo.dll
c:\windows\system32\masahola.dll
c:\windows\system32\pijihaje.exe
c:\windows\system32\runimuhu.dll
c:\windows\system32\sowimudu.exe
c:\windows\system32\tagogire.dll
c:\windows\system32\tanotuwo.dll
c:\windows\system32\tarahasi.dll
c:\windows\system32\tosofove.dll
c:\windows\system32\wawebodo.dll
c:\windows\system32\yahetugi.dll

KillAll::

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2b6d7b0-a02f-48eb-9f08-f1ebbf51fb0a}]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


NEXT


drag the malwarebytes exe into the following program

Download Inherit and save it to your desktop
Drag each of the exe files that you are unable to run into Inherit.exe (must be the exe - not the shortcut)
Then wait for it to say "OK"


see if you can now access malwarebytes - if so, update and run it, post the malwarebytes log also.

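An added example (not code from this thread, from the helper, or from ComboFix itself): a Python script that parses ComboFix file lines in the layout shown in the logs above, flags the hidden+system files in system32 with random eight-letter names (the pattern of every file in the Find3M report and the Collect:: list), and emits the same CFScript sections. The field layout of the attribute string, the two line shapes, and the sample log lines are assumptions taken from the lines posted in this thread, not from any ComboFix documentation.

```python
"""Triage a ComboFix log for the random-named hidden+system files seen in this
thread and build the CFScript (Collect:: / KillAll:: / Registry::) that
collects them.  Added example, not from the thread or from ComboFix.

Assumptions (read off the posted lines, not a ComboFix spec):
  - file lines look like "<mtime> . <ctime> <size> <attrs> <path>", or, under
    Reg Loading Points, "<mtime> <size> <attrs> <path>"
  - attrs is positional: [0]=d(irectory) [2]=s(ystem) [3]=h(idden)
"""
import re
from dataclasses import dataclass
from typing import List, Optional

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?"
LINE_RE = re.compile(
    rf"^(?P<mtime>{TS})(?: \. (?P<ctime>{TS}))? "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+?)\s*$"
)
# Browser Helper Object loading point, as printed under "Reg Loading Points"
BHO_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]$"
)
# Naming pattern of every malicious file in the thread: eight lowercase
# letters, dll or exe, sometimes with a trailing .tmp
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:dll|exe)(?:\.tmp)?$")


@dataclass
class Entry:
    mtime: str
    ctime: Optional[str]
    size: Optional[int]   # None for directories ("--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        return self.attrs[2] == "s" and self.attrs[3] == "h"


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a ComboFix file line, None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["mtime"], m["ctime"], size, m["attrs"], m["path"])


def is_suspicious(e: Entry) -> bool:
    """Non-directory, hidden+system, inside system32, random 8-letter name."""
    if e.is_dir or not e.hidden_system:
        return False
    folder, _, name = e.path.rpartition("\\")
    return folder.lower().endswith("\\windows\\system32") and bool(RANDOM_NAME_RE.match(name))


def find_suspicious_files(log_text: str) -> List[str]:
    """Unique suspicious paths, in the order they appear in the log."""
    found: List[str] = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and is_suspicious(e) and e.path not in found:
            found.append(e.path)
    return found


def find_suspicious_bhos(log_text: str) -> List[str]:
    """CLSIDs of BHOs whose DLL (the next non-empty line) is suspicious."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    clsids: List[str] = []
    for i, line in enumerate(lines):
        m = BHO_RE.match(line)
        if not m:
            continue
        for nxt in lines[i + 1:]:
            if nxt:
                e = parse_line(nxt)
                if e and is_suspicious(e):
                    clsids.append(m.group(1))
                break
    return clsids


def build_cfscript(paths: List[str], bho_clsids: List[str]) -> str:
    """Emit the CFScript sections in the layout the helper posted."""
    out = ["Collect::", *paths, "", "KillAll::", "", "Registry::"]
    out += [f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{c}]" for c in bho_clsids]
    return "\n".join(out) + "\n"


# Constructed sample: a handful of lines copied from the logs in this thread,
# one clean system DLL and one directory added as negatives.
SAMPLE_LOG = r"""
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-10 23:23 . 2009-07-10 23:23 88576 --sha-w- c:\windows\system32\dehojaro.dll
2009-07-09 21:26 . 2009-07-09 21:26 114688 --sha-w- c:\windows\system32\butawabe.dll.tmp
2009-07-09 21:32 . 2009-07-09 21:32 1011112 --sha-w- c:\windows\system32\pijihaje.exe
2009-10-09 21:27 . 2009-10-11 18:21 -------- d-----w- C:\QUARANTINE

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2b6d7b0-a02f-48eb-9f08-f1ebbf51fb0a}]
2009-07-12 18:22 51712 --sha-w- c:\windows\system32\masahola.dll
"""

if __name__ == "__main__":
    print(build_cfscript(find_suspicious_files(SAMPLE_LOG), find_suspicious_bhos(SAMPLE_LOG)))
```

The heuristic is deliberately narrow (hidden+system, system32, eight random letters), so a legitimate DLL such as atl.dll is never listed; anything it flags should still be checked by hand before the script is handed to ComboFix.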


#21 Mirrodin (Authentic Member, 37 posts)

Posted 13 October 2009 - 03:03 PM

ComboFix 09-10-12.02 - jmart366 10/13/2009 16:35:44.3.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.758.602 [GMT -4:00]
Running from: C:\Documents and Settings\jmart366\My Documents\Downloads\MonkeysProgram.exe
Command switches used :: C:\Documents and Settings\jmart366\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
file zipped: c:\windows\system32\butawabe.dll.tmp
file zipped: c:\windows\system32\dehojaro.dll
file zipped: c:\windows\system32\hebowugi.dll
file zipped: c:\windows\system32\kegovada.dll
file zipped: c:\windows\system32\lagehogo.dll.tmp
file zipped: c:\windows\system32\lihujedo.dll
file zipped: c:\windows\system32\pijihaje.exe
file zipped: c:\windows\system32\runimuhu.dll
file zipped: c:\windows\system32\sowimudu.exe
file zipped: c:\windows\system32\tagogire.dll
file zipped: c:\windows\system32\tarahasi.dll
file zipped: c:\windows\system32\tosofove.dll
file zipped: c:\windows\system32\wawebodo.dll
file zipped: c:\windows\system32\yahetugi.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\butawabe.dll.tmp
c:\windows\system32\dehojaro.dll
c:\windows\system32\hebowugi.dll
c:\windows\system32\juvilisi.dll
c:\windows\system32\kegovada.dll
c:\windows\system32\lagehogo.dll.tmp
c:\windows\system32\lihujedo.dll
c:\windows\system32\pijihaje.exe
c:\windows\system32\runimuhu.dll
c:\windows\system32\sowimudu.exe
c:\windows\system32\tagogire.dll
c:\windows\system32\tarahasi.dll
c:\windows\system32\tosofove.dll
c:\windows\system32\wawebodo.dll
c:\windows\system32\yahetugi.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.

2009-10-10 23:49:06 . 2009-10-10 23:50:10 0 d-----w- C:\Program Files\Fighters
2009-10-10 23:49:06 . 2009-10-10 23:49:06 0 d-----w- C:\Documents and Settings\All Users\Application Data\Fighters
2009-10-10 01:07:43 . 2009-10-10 01:07:43 0 d-----w- C:\Documents and Settings\jmart366\Application Data\Windows Search
2009-10-09 22:06:13 . 2009-10-09 22:06:16 0 d-----w- C:\Program Files\ERUNT
2009-10-09 21:27:24 . 2009-10-13 20:17:40 0 d-----w- C:\QUARANTINE
2009-10-09 18:14:52 . 2009-10-09 18:14:53 0 d-----w- C:\Program Files\ASIO4ALL v2
2009-10-09 18:14:26 . 2009-10-09 18:14:27 0 d-----w- C:\Program Files\VstPlugins
2009-10-09 18:14:26 . 2006-06-20 08:56:42 225280 ----a-w- C:\WINDOWS\system32\rewire.dll
2009-10-09 18:13:37 . 2009-10-09 18:13:37 0 d-----w- C:\Program Files\Outsim
2009-10-09 18:09:29 . 2009-10-09 18:14:18 0 d-----w- C:\Program Files\Image-Line
2009-10-08 17:34:25 . 2004-08-04 04:56:48 221184 ----a-w- C:\WINDOWS\system32\wmpns.dll
2009-10-07 21:31:22 . 2009-10-13 20:14:12 0 d-----w- C:\Documents and Settings\jmart366\Application Data\LimeWire
2009-10-07 21:30:09 . 2009-10-07 21:29:42 411368 ----a-w- C:\WINDOWS\system32\deploytk.dll
2009-10-07 21:29:38 . 2009-10-07 21:29:38 0 d-----w- C:\Program Files\Java
2009-10-07 21:29:16 . 2009-10-07 21:30:47 0 d-----w- C:\Program Files\LimeWire
2009-10-07 21:24:40 . 2009-10-07 21:26:06 0 d-----w- C:\Documents and Settings\jmart366\Application Data\Apple Computer
2009-10-07 21:23:47 . 2009-05-18 18:17:00 26600 ----a-w- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2009-10-07 21:23:47 . 2008-04-17 17:12:54 107368 ----a-w- C:\WINDOWS\system32\GEARAspi.dll
2009-10-07 21:22:39 . 2009-10-07 21:22:39 0 d-----w- C:\Program Files\iPod
2009-10-07 21:22:31 . 2009-10-07 21:23:44 0 d-----w- C:\Program Files\iTunes
2009-10-07 21:22:31 . 2009-10-07 21:23:44 0 d-----w- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-07 21:22:13 . 2009-10-07 21:22:13 0 d-----w- C:\Program Files\Bonjour
2009-10-07 21:20:56 . 2009-10-07 21:22:31 0 d-----w- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-10-07 21:20:18 . 2009-10-07 21:20:18 0 d-----w- C:\Documents and Settings\jmart366\Local Settings\Application Data\Apple
2009-10-07 21:20:09 . 2009-10-07 21:20:10 0 d-----w- C:\Program Files\Apple Software Update
2009-10-07 21:18:58 . 2009-10-07 21:22:37 0 d-----w- C:\Program Files\Common Files\Apple
2009-10-07 21:18:58 . 2009-10-07 21:18:58 0 d-----w- C:\Documents and Settings\All Users\Application Data\Apple
2009-10-07 21:18:19 . 2009-10-07 21:26:16 0 d-----w- C:\Documents and Settings\jmart366\Local Settings\Application Data\Apple Computer
2009-10-07 21:02:28 . 2009-06-21 21:44:50 153088 -c----w- C:\WINDOWS\system32\dllcache\triedit.dll
2009-10-07 21:01:53 . 2009-07-10 13:27:49 1315328 -c----w- C:\WINDOWS\system32\dllcache\msoe.dll
2009-10-07 19:56:14 . 2009-10-07 19:56:14 0 d-----w- C:\Documents and Settings\jmart366\Application Data\Malwarebytes
2009-10-07 19:56:07 . 2009-09-10 18:54:06 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-10-07 19:56:05 . 2009-10-07 19:56:05 0 d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-10-07 19:56:05 . 2009-09-10 18:53:50 19160 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2009-10-07 19:56:04 . 2009-10-09 21:27:12 0 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-07 19:13:06 . 2009-10-13 20:13:46 0 d-----w- C:\Documents and Settings\jmart366\Tracing
2009-10-07 19:11:00 . 2009-10-07 19:11:00 0 d-----w- C:\Program Files\Windows Live SkyDrive
2009-10-07 19:10:35 . 2009-10-07 19:11:06 0 d-----w- C:\Program Files\Windows Live
2009-10-07 19:08:21 . 2009-10-07 19:09:59 0 d-----w- C:\Documents and Settings\jmart366\Application Data\acccore
2009-10-07 19:08:06 . 2009-10-07 19:11:29 0 d-----w- C:\Documents and Settings\jmart366\Local Settings\Application Data\AIM
2009-10-07 19:08:05 . 2009-10-07 19:08:05 0 d-----w- C:\Documents and Settings\jmart366\Local Settings\Application Data\AOL
2009-10-07 19:07:57 . 2009-10-07 19:07:57 0 d-----w- C:\Documents and Settings\All Users\Application Data\AIM
2009-10-07 19:07:51 . 2009-10-07 19:07:55 0 d-----w- C:\Program Files\AIM7
2009-10-07 19:07:46 . 2009-10-07 19:07:46 0 d-----w- C:\Program Files\Common Files\Software Update Utility
2009-10-07 19:07:44 . 2009-10-07 19:07:45 0 d-----w- C:\Program Files\Common Files\AOL
2009-10-07 18:36:53 . 2009-10-07 18:36:53 0 d-----w- C:\Documents and Settings\jmart366\Local Settings\Application Data\Mozilla
2009-10-07 18:21:01 . 2009-10-07 18:21:01 0 d-----w- C:\Documents and Settings\jmart366\Application Data\Avaya
2009-10-07 16:26:02 . 2009-10-07 18:21:41 76256 ----a-w- C:\Documents and Settings\jmart366\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 16:26:02 . 2005-05-10 18:56:28 136 ----a-w- C:\Documents and Settings\jmart366\Local Settings\Application Data\fusioncache.dat
2009-10-07 16:26:00 . 2009-10-07 16:26:29 0 d-----w- C:\Documents and Settings\jmart366\Application Data\Intel
2009-10-07 16:25:59 . 2009-04-21 15:39:30 0 d-----w- C:\Documents and Settings\jmart366\Application Data\ThinkVantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-09 21:53:43 . 2009-04-21 18:02:59 0 d-----w- C:\Program Files\Microsoft Silverlight
2009-10-09 21:53:43 . 2009-04-21 17:29:07 0 d-----w- C:\Program Files\Windows Desktop Search
2009-10-08 17:48:18 . 2008-08-06 15:33:21 0 d-----w- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-10-07 21:21:35 . 2003-07-02 00:40:40 0 d-----w- C:\Program Files\QuickTime
2009-10-07 19:11:11 . 2009-04-21 17:44:25 0 d-----w- C:\Program Files\Microsoft
2009-08-05 09:01:48 . 2004-08-04 12:00:00 204800 ----a-w- C:\WINDOWS\system32\mswebdvd.dll
2009-07-29 04:37:01 . 2004-08-04 12:00:00 81920 ----a-w- C:\WINDOWS\system32\fontsub.dll
2009-07-29 04:37:01 . 2004-08-04 12:00:00 119808 ----a-w- C:\WINDOWS\system32\t2embed.dll
2009-07-26 20:44:56 . 2009-07-26 20:44:56 48448 ----a-w- C:\WINDOWS\system32\sirenacm.dll
2009-07-17 19:01:06 . 2004-08-04 12:00:00 58880 ----a-w- C:\WINDOWS\system32\atl.dll
2009-07-13 06:21:02 . 2009-07-13 06:21:02 88064 --sha-w- C:\WINDOWS\system32\bisobobe.dll
2009-07-13 06:21:02 . 2009-07-13 06:21:02 38400 --sha-w- C:\WINDOWS\system32\sewupedi.dll
2009-07-13 18:21:10 . 2009-07-13 18:21:10 37888 --sha-w- C:\WINDOWS\system32\zubuduna.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-13_03.20.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-13 20:45:12 . 2009-10-13 20:45:12 16384 C:\WINDOWS\temp\Perflib_Perfdata_9d8.dat
+ 2009-10-13 20:42:02 . 2009-10-13 20:42:02 16384 C:\WINDOWS\temp\Perflib_Perfdata_158.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Aim"="C:\Program Files\AIM7\aim.exe" [2009-10-01 20:20:57 3634024] "msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 20:44:34 3883856] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 00:05:26 204288] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12:16 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 20:08:00 86016] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 02:32:00 208952] "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 15:11:06 925696] "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-01-05 07:30:10 176128] "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2008-07-04 03:17:00 118784] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-04 03:10:00 1323008] "ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-02-27 14:12:10 425984] "ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2009-02-27 14:06:48 159744] "EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-24 09:22:00 237568] "TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-12-15 21:00:54 94208] "PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-02-24 08:13:00 151552] "BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-02-24 08:13:00 208896] "AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-02-27 09:00:00 69632] "LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2006-02-24 08:04:00 106496] "TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 23:04:44 864256] "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-01 09:10:00 122940] "TVT Scheduler Proxy"="C:\Program 
Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 14:34:20 487424] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-09 20:32:52 135168] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-09 20:32:54 155648] "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-09 20:32:24 131072] "McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\udaterui.exe" [2008-03-14 08:00:00 136512] "ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 12:07:00 124240] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2009-09-05 05:54:42 417792] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2009-09-21 20:36:12 305440] "SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-10-07 21:29:45 149280] "spywarefighterguard"="C:\Program Files\Fighters\spywarefighter\SpywarefighterUser.exe" [2008-11-18 15:01:58 180872] "veluhepoj"="c:\windows\system32\juvilisi.dll" [BU] "TpShocks"="TpShocks.exe" - C:\WINDOWS\system32\TpShocks.exe [2005-11-07 15:14:16 106496] "TP4EX"="tp4ex.exe" - C:\WINDOWS\system32\TP4EX.exe [2005-10-17 05:11:00 65536] C:\Documents and Settings\jmart366\Start Menu\Programs\Startup\ LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2009-9-30 503808] OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "LogonType"= 0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSMConfigurePrograms"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 02:41:34 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify] 2006-02-27 09:00:00 49152 ----a-w- C:\Program 
Files\Lenovo\AwayTask\AwayNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify] 2009-02-27 14:07:16 32768 ----a-w- C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2] 2005-07-06 06:45:08 28672 ----a-w- C:\WINDOWS\system32\notifyf2.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey] 2005-12-01 03:16:02 24576 ----a-w- C:\WINDOWS\system32\tphklock.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli ACGina [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\WINDOWS\\system32\\mmc.exe"= "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"= "C:\\Program Files\\AIM7\\aim.exe"= "C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Intel\\Wireless\\Bin\\Dot1XCfg.exe"= S3 AM5211;11b/g Wireless LAN Mini PCI Adapter Service;C:\WINDOWS\system32\DRIVERS\am5211.sys --> C:\WINDOWS\system32\DRIVERS\am5211.sys [?] S3 mferkdet;McAfee Inc. mferkdet;C:\WINDOWS\system32\drivers\mferkdet.sys [5/15/2009 2:06:10 PM 64432] . 
Contents of the 'Scheduled Tasks' folder 2009-10-07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34:12 . 2008-07-30 16:34:12] 2009-10-13 C:\WINDOWS\Tasks\PMTask.job - C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-05-15 16:17:11 . 2006-02-24 08:13:00] . . ------- Supplementary Scan ------- . uStart Page = hxxp://cpprod.stjohns.edu/cp/home/loginf uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 DPF: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab FF - ProfilePath - C:\Documents and Settings\jmart366\Application Data\Mozilla\Firefox\Profiles\al5onozg.default\ FF - prefs.js: browser.startup.homepage - hxxp://cpprod.stjohns.edu/cp/home/loginf FF - plugin: C:\Program Files\Microsoft\Office Live\npOLW.dll FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: network.protocol-handler.warn-external.dnupdate - false. - - - - ORPHANS REMOVED - - - - SharedTaskScheduler-{93e4de08-0815-4a31-aa99-d4cbc714e610} - c:\windows\system32\juvilisi.dll SSODL-ludefipus-{93e4de08-0815-4a31-aa99-d4cbc714e610} - c:\windows\system32\juvilisi.dll Now its saying Error Loading C:\windows\system32\juvilisi.dll But the end of the log file says something about that, isn't it.

#22 Mirrodin

Mirrodin

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 13 October 2009 - 03:16 PM

I don't think Inherit is working. Nothing happened to Malwarebytes.

#23 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 13 October 2009 - 03:25 PM

Hi,

Please do the following:
The bottom of that previous ComboFix log was cut off - it should say ===end of file === at the bottom. If you could repost it please, thanks.


NEXT


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/Malwarebytes_Targeted_Same_problem_before_despite_new_hard_drive_t107509.html&view=findpost&p=602714#entry602714

Collect::
C:\WINDOWS\system32\bisobobe.dll
C:\WINDOWS\system32\sewupedi.dll
C:\WINDOWS\system32\zubuduna.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"veluhepoj"=-

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

    Posted Image
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
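What the log reading and the CFScript above boil down to, as an added example that is not code from this thread, from ComboFix or from Malwarebytes: a small Python triage script run over a constructed excerpt in the ComboFix log format. It flags the system+hidden (--sha-w-) DLLs in system32, the Run value that points at a bare DLL and carries no [date time size] stamp, and the Security Center UpdatesDisableNotify setting, then renders the first two findings in the same Collect::/Registry:: CFScript syntax that was posted above. The regular expressions, the sample lines and the heuristics are my assumptions about the format, not ComboFix's own parser.

```python
import re
from collections import OrderedDict

# Line shapes modelled on the ComboFix log quoted in this thread (assumption:
# these regexes are mine, not ComboFix's own parser).
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \. '
                     r'\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (\d+) (\S{8}) (.+)$')
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?: \[([^\]]*)\])?')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
SECURITY_CENTER = r'hkey_local_machine\software\microsoft\security center'

# Constructed excerpt: a few representative lines, not the full log, using the
# paths and values that appear in the thread.
SAMPLE_LOG = r"""2009-07-17 19:01:06 . 2004-08-04 12:00:00 58880 ----a-w- C:\WINDOWS\system32\atl.dll
2009-07-13 06:21:02 . 2009-07-13 06:21:02 88064 --sha-w- C:\WINDOWS\system32\bisobobe.dll
2009-07-13 06:21:02 . 2009-07-13 06:21:02 38400 --sha-w- C:\WINDOWS\system32\sewupedi.dll
2009-07-13 18:21:10 . 2009-07-13 18:21:10 37888 --sha-w- C:\WINDOWS\system32\zubuduna.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 12:07:00 124240]
"veluhepoj"="c:\windows\system32\juvilisi.dll" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"""


def parse_log(text):
    """Split the log into file entries, Run values and DWORD settings,
    remembering which registry key each value line sits under."""
    files, run_values, settings, key = [], [], {}, None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            size, attrs, path = m.groups()
            files.append({'size': int(size), 'attrs': attrs, 'path': path})
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith(r'\run'):
            name, target, stamp = m.groups()
            run_values.append({'key': key, 'name': name,
                               'target': target, 'stamp': stamp})
            continue
        m = DWORD_RE.match(line)
        if m and key:
            settings[(key.lower(), m.group(1))] = int(m.group(2), 16)
    return files, run_values, settings


def triage(text):
    """The three checks the thread's diagnosis turned on."""
    files, run_values, settings = parse_log(text)
    findings = []
    for f in files:
        low = f['path'].lower()
        # DLLs sitting in system32 with the system+hidden bits set (--sha-w-).
        if ('\\system32\\' in low and low.endswith('.dll')
                and 's' in f['attrs'] and 'h' in f['attrs']):
            findings.append({'kind': 'hidden_system_dll', 'path': f['path']})
    for v in run_values:
        # A Run value whose target is a bare DLL, or for which ComboFix printed
        # no "[date time size]" stamp, gets a closer look.
        stamped = bool(v['stamp']) and v['stamp'][0].isdigit()
        if v['target'].lower().endswith('.dll') or not stamped:
            findings.append(dict(kind='run_value', **v))
    if settings.get((SECURITY_CENTER, 'UpdatesDisableNotify')) == 1:
        findings.append({'kind': 'security_center',
                         'detail': 'UpdatesDisableNotify=1 (update alerts suppressed)'})
    return findings


def cfscript(findings):
    """Render the flagged items in the CFScript syntax used in the thread:
    Collect:: lists files to zip up for analysis; Registry:: is REGEDIT4
    syntax, where "name"=- deletes that value from the key above it."""
    collect = [f['path'] for f in findings if f['kind'] == 'hidden_system_dll']
    by_key = OrderedDict()
    for f in findings:
        if f['kind'] == 'run_value':
            by_key.setdefault(f['key'], []).append(f['name'])
    out = []
    if collect:
        out += ['Collect::'] + collect + ['']
    if by_key:
        out.append('Registry::')
        for key, names in by_key.items():
            out.append('[%s]' % key)
            out += ['"%s"=-' % n for n in names]
    return '\n'.join(out)


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f)
    print()
    print(cfscript(found))
```

The Security Center finding is reported but deliberately left out of the generated script, matching the thread: that value was later cleaned by Malwarebytes rather than by CFScript, and a script that only collects files and removes the one unverified Run value is the smaller, more reviewable change.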


#24 Mirrodin

Mirrodin

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 14 October 2009 - 04:25 PM

ComboFix 09-10-12.02 - jmart366 10/14/2009 18:03:05.4.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.758.603 [GMT -4:00]
Running from: C:\Documents and Settings\jmart366\My Documents\Downloads\MonkeysProgram.exe
Command switches used :: C:\Documents and Settings\jmart366\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

file zipped: C:\WINDOWS\system32\bisobobe.dll
file zipped: C:\WINDOWS\system32\sewupedi.dll
file zipped: C:\WINDOWS\system32\zubuduna.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\bisobobe.dll
C:\WINDOWS\system32\sewupedi.dll
C:\WINDOWS\system32\zubuduna.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 )))))))))))))))))))))))))))))))
.
2009-10-13 20:33:44 . 2009-10-13 21:00:23 0 d-----w- C:\MonkeysProgram
2009-10-10 23:49:06 . 2009-10-10 23:50:10 0 d-----w- C:\Program Files\Fighters
2009-10-10 23:49:06 . 2009-10-10 23:49:06 0 d-----w- C:\Documents and Settings\All Users\Application Data\Fighters
2009-10-10 01:07:43 . 2009-10-10 01:07:43 0 d-----w- C:\Documents and Settings\jmart366\Application Data\Windows Search
2009-10-09 22:06:13 . 2009-10-09 22:06:16 0 d-----w- C:\Program Files\ERUNT
2009-10-09 21:27:24 . 2009-10-13 20:17:40 0 d-----w- C:\QUARANTINE
2009-10-09 18:14:52 . 2009-10-09 18:14:53 0 d-----w- C:\Program Files\ASIO4ALL v2
2009-10-09 18:14:26 . 2009-10-09 18:14:27 0 d-----w- C:\Program Files\VstPlugins
2009-10-09 18:14:26 . 2006-06-20 08:56:42 225280 ----a-w- C:\WINDOWS\system32\rewire.dll
2009-10-09 18:13:37 . 2009-10-09 18:13:37 0 d-----w- C:\Program Files\Outsim
2009-10-09 18:09:29 . 2009-10-09 18:14:18 0 d-----w- C:\Program Files\Image-Line
2009-10-08 17:34:25 . 2004-08-04 04:56:48 221184 ----a-w- C:\WINDOWS\system32\wmpns.dll
2009-10-07 21:31:22 . 2009-10-14 21:14:32 0 d-----w- C:\Documents and Settings\jmart366\Application Data\LimeWire
2009-10-07 21:30:09 . 2009-10-07 21:29:42 411368 ----a-w- C:\WINDOWS\system32\deploytk.dll
2009-10-07 21:29:38 . 2009-10-07 21:29:38 0 d-----w- C:\Program Files\Java
2009-10-07 21:29:16 . 2009-10-07 21:30:47 0 d-----w- C:\Program Files\LimeWire
2009-10-07 21:24:40 . 2009-10-07 21:26:06 0 d-----w- C:\Documents and Settings\jmart366\Application Data\Apple Computer
2009-10-07 21:23:47 . 2009-05-18 18:17:00 26600 ----a-w- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2009-10-07 21:23:47 . 2008-04-17 17:12:54 107368 ----a-w- C:\WINDOWS\system32\GEARAspi.dll
2009-10-07 21:22:39 . 2009-10-07 21:22:39 0 d-----w- C:\Program Files\iPod
2009-10-07 21:22:31 . 2009-10-07 21:23:44 0 d-----w- C:\Program Files\iTunes
2009-10-07 21:22:31 . 2009-10-07 21:23:44 0 d-----w- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-07 21:22:13 . 2009-10-07 21:22:13 0 d-----w- C:\Program Files\Bonjour
2009-10-07 21:20:56 . 2009-10-07 21:22:31 0 d-----w- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-10-07 21:20:18 . 2009-10-07 21:20:18 0 d-----w- C:\Documents and Settings\jmart366\Local Settings\Application Data\Apple
2009-10-07 21:20:09 . 2009-10-07 21:20:10 0 d-----w- C:\Program Files\Apple Software Update
2009-10-07 21:18:58 . 2009-10-07 21:22:37 0 d-----w- C:\Program Files\Common Files\Apple
2009-10-07 21:18:58 . 2009-10-07 21:18:58 0 d-----w- C:\Documents and Settings\All Users\Application Data\Apple
2009-10-07 21:18:19 . 2009-10-07 21:26:16 0 d-----w- C:\Documents and Settings\jmart366\Local Settings\Application Data\Apple Computer
2009-10-07 21:02:28 . 2009-06-21 21:44:50 153088 -c----w- C:\WINDOWS\system32\dllcache\triedit.dll
2009-10-07 21:01:53 . 2009-07-10 13:27:49 1315328 -c----w- C:\WINDOWS\system32\dllcache\msoe.dll
2009-10-07 19:56:14 . 2009-10-07 19:56:14 0 d-----w- C:\Documents and Settings\jmart366\Application Data\Malwarebytes
2009-10-07 19:56:07 . 2009-09-10 18:54:06 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-10-07 19:56:05 . 2009-10-07 19:56:05 0 d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-10-07 19:56:05 . 2009-09-10 18:53:50 19160 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2009-10-07 19:56:04 . 2009-10-09 21:27:12 0 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-07 19:13:06 . 2009-10-13 20:49:48 0 d-----w- C:\Documents and Settings\jmart366\Tracing
2009-10-07 19:11:00 . 2009-10-07 19:11:00 0 d-----w- C:\Program Files\Windows Live SkyDrive
2009-10-07 19:10:35 . 2009-10-07 19:11:06 0 d-----w- C:\Program Files\Windows Live
2009-10-07 19:08:21 . 2009-10-07 19:09:59 0 d-----w- C:\Documents and Settings\jmart366\Application Data\acccore
2009-10-07 19:08:06 . 2009-10-07 19:11:29 0 d-----w- C:\Documents and Settings\jmart366\Local Settings\Application Data\AIM
2009-10-07 19:08:05 . 2009-10-07 19:08:05 0 d-----w- C:\Documents and Settings\jmart366\Local Settings\Application Data\AOL
2009-10-07 19:07:57 . 2009-10-07 19:07:57 0 d-----w- C:\Documents and Settings\All Users\Application Data\AIM
2009-10-07 19:07:51 . 2009-10-07 19:07:55 0 d-----w- C:\Program Files\AIM7
2009-10-07 19:07:46 . 2009-10-07 19:07:46 0 d-----w- C:\Program Files\Common Files\Software Update Utility
2009-10-07 19:07:44 . 2009-10-07 19:07:45 0 d-----w- C:\Program Files\Common Files\AOL
2009-10-07 18:36:53 . 2009-10-07 18:36:53 0 d-----w- C:\Documents and Settings\jmart366\Local Settings\Application Data\Mozilla
2009-10-07 18:21:01 . 2009-10-07 18:21:01 0 d-----w- C:\Documents and Settings\jmart366\Application Data\Avaya
2009-10-07 16:26:02 . 2009-10-07 18:21:41 76256 ----a-w- C:\Documents and Settings\jmart366\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 16:26:02 . 2005-05-10 18:56:28 136 ----a-w- C:\Documents and Settings\jmart366\Local Settings\Application Data\fusioncache.dat
2009-10-07 16:26:00 . 2009-10-07 16:26:29 0 d-----w- C:\Documents and Settings\jmart366\Application Data\Intel
2009-10-07 16:25:59 . 2009-04-21 15:39:30 0 d-----w- C:\Documents and Settings\jmart366\Application Data\ThinkVantage
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-09 21:53:43 . 2009-04-21 18:02:59 0 d-----w- C:\Program Files\Microsoft Silverlight
2009-10-09 21:53:43 . 2009-04-21 17:29:07 0 d-----w- C:\Program Files\Windows Desktop Search
2009-10-08 17:48:18 . 2008-08-06 15:33:21 0 d-----w- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-10-07 21:21:35 . 2003-07-02 00:40:40 0 d-----w- C:\Program Files\QuickTime
2009-10-07 19:11:11 . 2009-04-21 17:44:25 0 d-----w- C:\Program Files\Microsoft
2009-08-05 09:01:48 . 2004-08-04 12:00:00 204800 ----a-w- C:\WINDOWS\system32\mswebdvd.dll
2009-07-29 04:37:01 . 2004-08-04 12:00:00 81920 ----a-w- C:\WINDOWS\system32\fontsub.dll
2009-07-29 04:37:01 . 2004-08-04 12:00:00 119808 ----a-w- C:\WINDOWS\system32\t2embed.dll
2009-07-26 20:44:56 . 2009-07-26 20:44:56 48448 ----a-w- C:\WINDOWS\system32\sirenacm.dll
2009-07-17 19:01:06 . 2004-08-04 12:00:00 58880 ----a-w- C:\WINDOWS\system32\atl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="C:\Program Files\AIM7\aim.exe" [2009-10-01 20:20:57 3634024]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 20:44:34 3883856]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 00:05:26 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 20:08:00 86016]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 02:32:00 208952]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 15:11:06 925696]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-01-05 07:30:10 176128]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2008-07-04 03:17:00 118784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-04 03:10:00 1323008]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-02-27 14:12:10 425984]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2009-02-27 14:06:48 159744]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-24 09:22:00 237568]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-12-15 21:00:54 94208]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-02-24 08:13:00 151552]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-02-24 08:13:00 208896]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-02-27 09:00:00 69632]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2006-02-24 08:04:00 106496]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 23:04:44 864256]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-01 09:10:00 122940]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 14:34:20 487424]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-09 20:32:52 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-09 20:32:54 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-09 20:32:24 131072]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\udaterui.exe" [2008-03-14 08:00:00 136512]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 12:07:00 124240]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2009-09-05 05:54:42 417792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2009-09-21 20:36:12 305440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-10-07 21:29:45 149280]
"spywarefighterguard"="C:\Program Files\Fighters\spywarefighter\SpywarefighterUser.exe" [2008-11-18 15:01:58 180872]
"TpShocks"="TpShocks.exe" - C:\WINDOWS\system32\TpShocks.exe [2005-11-07 15:14:16 106496]
"TP4EX"="tp4ex.exe" - C:\WINDOWS\system32\TP4EX.exe [2005-10-17 05:11:00 65536]

C:\Documents and Settings\jmart366\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2009-9-30 503808]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 02:41:34 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-02-27 09:00:00 49152 ----a-w- C:\Program Files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2009-02-27 14:07:16 32768 ----a-w- C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45:08 28672 ----a-w- C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16:02 24576 ----a-w- C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\AIM7\\aim.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Intel\\Wireless\\Bin\\Dot1XCfg.exe"=

R0 TPDiskPM;TPDiskPM;C:\WINDOWS\system32\drivers\TPDiskPM.sys [5/10/2005 12:45:05 PM 14208]
R2 McAfeeEngineService;McAfee Engine Service;C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe [9/29/2008 8:07:00 AM 19456]
R3 TPInput;TPInput;C:\WINDOWS\system32\drivers\TPInput.sys [5/10/2005 12:45:05 PM 6016]
S1 tvtumon;tvtumon;C:\WINDOWS\system32\drivers\tvtumon.sys [5/9/2008 5:50:48 AM 46144]
S2 mfevtp;McAfee Validation Trust Protection Service;C:\WINDOWS\system32\mfevtps.exe [5/15/2009 2:06:09 PM 67904]
S2 PTK License-FIGHTERS-297811811;PTK License-FIGHTERS-297811811;C:\Program Files\Fighters\LicenseService.exe [11/18/2008 11:01:26 AM 283272]
S2 PTK Live Update-FIGHTERS-297811811;PTK Live Update-FIGHTERS-297811811;C:\Program Files\Fighters\UpdateService.exe [11/18/2008 11:01:30 AM 307848]
S2 PTK Scanner-FIGHTERS-297811811;PTK Scanner-FIGHTERS-297811811;C:\Program Files\Fighters\ScannerService.exe [11/18/2008 11:01:28 AM 311944]
S2 PTK SharedAccess-FIGHTERS-297811811;PTK SharedAccess-FIGHTERS-297811811;C:\Program Files\Fighters\ConfigService.exe [11/18/2008 11:01:20 AM 139912]
S2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 4:25:12 PM 520192]
S2 TVT_UpdateMonitor;TVT Windows Update Monitor;C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 5:50:46 AM 253952]
S3 AM5211;11b/g Wireless LAN Mini PCI Adapter Service;C:\WINDOWS\system32\DRIVERS\am5211.sys --> C:\WINDOWS\system32\DRIVERS\am5211.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;C:\WINDOWS\system32\drivers\mferkdet.sys [5/15/2009 2:06:10 PM 64432]
S3 TVTI2C;Lenovo SM bus driver;C:\WINDOWS\system32\drivers\tvti2c.sys [2/22/2008 4:54:40 PM 37312]
S3 Vfscan;Vfscan;C:\WINDOWS\system32\drivers\vffilter.sys [11/18/2008 11:01:46 AM 15496]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder

2009-10-07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34:12 . 2008-07-30 16:34:12]

2009-10-14 C:\WINDOWS\Tasks\PMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-05-15 16:17:11 . 2006-02-24 08:13:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cpprod.stjohns.edu/cp/home/loginf
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
FF - ProfilePath - C:\Documents and Settings\jmart366\Application Data\Mozilla\Firefox\Profiles\al5onozg.default\
FF - prefs.js: browser.startup.homepage - hxxp://cpprod.stjohns.edu/cp/home/loginf
FF - plugin: C:\Program Files\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false.

There was no EOF in the logfile. And Malwarebytes still doesn't run.

#25 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 14 October 2009 - 05:35 PM

Hi,

I needed some files to be submitted that weren't sent automatically as they should have been, so they need to be submitted automatically.

please do the following:

There should be two zipped folders, as the first one didn't upload automatically either. If you can, follow this procedure for the two zipped folders:

Please open this link HERE in a new window.

In the box marked Link to topic where this file was requested: please paste in the following text
http://forums.whatthetech.com/Malwarebytes_Targeted_Same_problem_before_despite_new_hard_drive_t107509.html&view=findpost&p=603002#entry603002

Click the Browse button and navigate to C:\Qoobox\Quarantine

There should be a zip file there called [4]-Submit_****-**-**_**.**.**.zip ( the * denotes Date and Time stamp - the first one should be close to: 10/13/2009 16:35:44. the second one will be close to: 10/14/2009 18:03:05 )
Select this file and click Open
In the Largest box please put
File Requested By CatByte
Failed Submit::

Finally click SendFile

Please return here and let me know when both files have been uploaded.


NEXT


Do this for the MalwareBytes program and see if it will run:

Download Inherit and save it to your desktop.
Drag each of the exe files that you are unable to run into Inherit.exe (must be the exe, not the shortcut).
Then wait for it to say "OK".

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015



#26 Mirrodin

Mirrodin

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 15 October 2009 - 06:15 PM

Files have been sent. Trying the Inherit thing again. Edit: Inherit downloaded and I dropped the .exe in there. The "ok" window came up, but I'm not sure what's supposed to happen now, so I'll wait for you.

Edited by Mirrodin, 15 October 2009 - 06:18 PM.


#27 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 15 October 2009 - 09:50 PM

See if Malwarebytes will now update and run; if not, uninstall it and try a fresh download and install.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#28 Mirrodin

Mirrodin

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 15 October 2009 - 10:47 PM

Downloaded a new copy and it installed properly and updated. Currently in the process of a scan. I'll post the logs when it's done.

#29 Mirrodin

Mirrodin

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 15 October 2009 - 11:11 PM

Malwarebytes' Anti-Malware 1.41
Database version: 2970
Windows 5.1.2600 Service Pack 3

10/16/2009 1:10:44 AM
mbam-log-2009-10-16 (01-10-44).txt

Scan type: Quick Scan
Objects scanned: 110376
Time elapsed: 23 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
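The one item MBAM flagged above is a Security Center "DisableNotify" value set to 1, which silences the balloon warning that Windows Update is off; malware commonly sets it so the user never sees the warning. As an added example (not code from this thread, from Malwarebytes, or from the poster), here is a PowerShell check for that value and its two sibling values. The key path is the one from the MBAM log; AntiVirusDisableNotify and FirewallDisableNotify are the standard Security Center value names on Windows XP SP2 and later; the function names are my own.

```powershell
# Added example: audit and reset the Windows Security Center "DisableNotify"
# values. 1 suppresses the Security Center warning for that component;
# absent or 0 is the expected state (the "Good: (0)" in the MBAM log).
# Key path from the MBAM log; value names are the standard XP SP2+ ones.

$keyPath = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$valueNames = 'UpdatesDisableNotify', 'AntiVirusDisableNotify', 'FirewallDisableNotify'

function Get-SecurityCenterNotifyState {
    # Returns one object per value with its current data and whether it is expected.
    param([string]$Path = $keyPath)
    foreach ($name in $valueNames) {
        $item  = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.$name } else { $null }
        [pscustomobject]@{
            Name     = $name
            Value    = $value
            # Missing (null) or 0 means the warning is still enabled.
            Expected = ($null -eq $value -or $value -eq 0)
        }
    }
}

function Repair-SecurityCenterNotifyState {
    # Resets every flagged value to 0. Needs an elevated prompt; -WhatIf previews only.
    param([string]$Path = $keyPath, [switch]$WhatIf)
    foreach ($entry in Get-SecurityCenterNotifyState -Path $Path) {
        if (-not $entry.Expected) {
            Set-ItemProperty -Path $Path -Name $entry.Name -Value 0 -Type DWord -WhatIf:$WhatIf
            Write-Output ("Reset {0} from {1} to 0" -f $entry.Name, $entry.Value)
        }
    }
}

# Report first; repair only after confirming the findings.
Get-SecurityCenterNotifyState | Format-Table -AutoSize
Repair-SecurityCenterNotifyState -WhatIf
```

Run the report as-is and only drop `-WhatIf` once the flagged values match what the scanner reported; a value that keeps returning to 1 after a reset points to something still running that re-sets it, which is worth raising in the thread.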

#30 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 16 October 2009 - 03:01 AM

That's good news. Please see if you can complete the online Kaspersky scan now (it can take several hours). Please post a fresh DDS and Attach.txt as well. Also please describe how your computer is running and if there are any outstanding issues.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
