
[Resolved] All .EXE files locked - Believe The Cause Is "Security


  • This topic is locked
47 replies to this topic

#1 T.C. (Authentic Member, 104 posts)

Posted 28 October 2009 - 07:04 PM

Apparently I went to a website and received some adware on my computer? It only took a matter of seconds. I didn't even have to reboot or restart my computer. It started affecting my computer immediately. From what I know this malicious program is called "Security Tool": it acts like it's helping and scanning your computer, but like I said... I never had a problem before... and it started scanning my computer all by itself. It asks you to purchase the software for $89.99 etc. This adware/worm takes away all .EXE and double-click functions on your desktop. I can't run Malwarebytes. I can't run Spybot. I tried downloading McAfee quickly... but it will not run the program. I can download anything from the internet but I can't EXE the file. Oddly enough this adware hasn't affected my internet connection yet... and I might be running out of time??? I don't know? I googled how to fix this problem "Security Tool Adware" and it has affected quite a few computers. One person said to change the .EXE file to a .COM file to see if Malwarebytes would work, and for this particular person it did work. I tried that... and the Malwarebytes program didn't work. What are my options? At this particular time I can't run HijackThis to get a log because no EXEs will run. It tries to run because you can see it and then in a split second... it stops running. The adware is blocking it. I can't run Malwarebytes. I can download files from the internet but I can't run the files... the adware is blocking it. I tried running the computer in Safe Mode but XP says it can't run in Safe Mode because of a system change? I am running XP and I can't run Safe Mode. Computer was working perfectly prior to today. What can I do? Thank You.



#2 T.C. (Authentic Member, 104 posts)

Posted 28 October 2009 - 07:21 PM

The location of the malicious adware is: C:\Documents and Settings\All Users\Application Data\40409522, and in that folder is 40409522.exe. When I try to delete it, it will not allow it. I know that file started this adware. Don't recall ever downloading anything in that folder though.

#3 CatByte (Classroom Administrator, 21,059 posts, MVP)

Posted 28 October 2009 - 07:47 PM

Hi,

Please do the following:

Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



NEXT

Download and run Win32kDiag:

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#4 T.C. (Authentic Member, 104 posts)

Posted 28 October 2009 - 08:53 PM

I appreciate the fast response. exeHelper starts and in 2 seconds disappears. It's not working. I also lost my entire desktop due to the adware. My entire desktop has a bright blue background and all of my icons on my desktop have disappeared.

#5 CatByte (Classroom Administrator, 21,059 posts, MVP)

Posted 29 October 2009 - 03:02 AM

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run, then download and try to run another one.
Vista and Win7 users need to right click and choose Run as Admin.
You only need to get one of them to run, not all of them.

Try one of those... if one of them runs - stop - then run exeHelper and win32kDiag.



#6 T.C. (Authentic Member, 104 posts)

Posted 29 October 2009 - 09:45 PM

Nothing worked. I tried all of them. :(

#7 CatByte (Classroom Administrator, 21,059 posts, MVP)

Posted 29 October 2009 - 10:10 PM

Navigate to that file you located earlier: C:\Documents and Settings\All Users\Application Data\40409522. Now drag it to the desktop (don't try to delete it) and just drop it on your desktop. Now try and run those programs.



#8 T.C. (Authentic Member, 104 posts)

Posted 29 October 2009 - 10:29 PM

That was a very interesting move and I really thought it was going to work. I moved the entire folder to the desktop and ran all 6 files you told me to run and it didn't work. Great idea though. Really thought that would have worked.

#9 CatByte (Classroom Administrator, 21,059 posts, MVP)

Posted 29 October 2009 - 11:33 PM

Hmmm...that has worked in the past...we move on and try something else.


Did you try running each of those files one at a time, then running exeHelper and win32kdiag after running one of the files?

Did you try that 6 times, as each of those files isn't supposed to do anything but disable the malware to allow other programs to run?


Try running this program:

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
    Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.



#10 T.C. (Authentic Member, 104 posts)

Posted 30 October 2009 - 09:20 AM

Apparently the 6 files you gave me did do something!! After I powered down my computer last night and powered on my computer this morning my desktop appeared again! Here are the logs you requested:

exeHelper log:

exeHelper by Raktor
Build 20091021
Run at 23:44:39
exeHelper by Raktor
Build 20091021
Run at 11:10:14 on 10/30/09
Now searching...
Checking for numerical processes...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40409522
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\calc.dll
Error deleting C:\WINDOWS\system32\calc.dll
Deleting file C:\Documents and Settings\HP_Owner\Desktop\Security Tool.lnk
Deleting file C:\Documents and Settings\HP_Owner\ntuser.dll
Deleting file C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\scandisk.dll
Deleting file C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\scandisk.lnk
Deleting file C:\Documents and Settings\HP_Owner\Start Menu\Programs\Security Tool.lnk
Checking for bad registry entries...
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Win32k Log: For some reason it didn't work and errored up.

Running from: C:\Documents and Settings\HP_Owner\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\HP_Owner\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Cannot access: C:\WINDOWS\Temp\hsperfdata_SYSTEM\1448
ERROR OCCURRED!
------------------------------
Windows Version: Windows XP SP2
Exception Code: 0xc0000005
Exception Address: 0x00402575
Attempt to write to address: 0x00000000
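The exeHelper log above reports resetting the .exe and .com file-type associations and the Winlogon userinit and shell values, which are exactly the spots a rogue like this one hijacks to stop every .exe from launching. What follows is an added example, not code from exeHelper or from anyone in this thread: a small Python audit that compares those values against what a clean Windows XP install carries (the expected values are an assumption; adjust the Windows directory for other installs). The check functions take plain strings so they can be exercised offline; `read_live_values` pulls the real values through `winreg` and only works on Windows. The hijacked sample dict is constructed for illustration and is not taken from the logs.

```python
"""Audit the registry values a rogue such as "Security Tool" hijacks to
block .exe launches: the exefile/comfile open commands and the Winlogon
Userinit/Shell values that exeHelper's log reports resetting.

Added example, not exeHelper's code. The "known good" values are the
Windows XP defaults (assumed).
"""
import sys

EXPECTED_OPEN_COMMAND = '"%1" %*'   # HKCR\exefile\shell\open\command default (assumed)
EXPECTED_SHELL = "explorer.exe"     # HKLM\...\Winlogon\Shell default (assumed)


def association_ok(open_command: str) -> bool:
    """True if the open command launches the target directly. A hijack
    usually prepends its own binary, e.g. '"C:\\x\\rogue.exe" "%1" %*',
    so every double-clicked program runs through the rogue first."""
    return open_command.strip().lower() == EXPECTED_OPEN_COMMAND.lower()


def userinit_ok(userinit: str, windir: str = r"C:\WINDOWS") -> bool:
    """True if Winlogon\\Userinit lists only the system userinit.exe.
    The value is comma-separated (default has one entry plus a trailing
    comma); any extra entry is an extra program started at logon."""
    entries = [e.strip().lower() for e in userinit.split(",") if e.strip()]
    expected = (windir + r"\system32\userinit.exe").lower()
    return entries == [expected]


def shell_ok(shell: str) -> bool:
    """True if Winlogon\\Shell is Explorer.exe alone, with nothing appended."""
    entries = [e.strip().lower() for e in shell.split(",") if e.strip()]
    return entries == [EXPECTED_SHELL]


def audit(values: dict) -> list:
    """Return the names of the values that look hijacked. Expected keys:
    exe_command, com_command, userinit, shell and optionally windir."""
    windir = values.get("windir", r"C:\WINDOWS")
    findings = []
    if not association_ok(values["exe_command"]):
        findings.append("exefile open command")
    if not association_ok(values["com_command"]):
        findings.append("comfile open command")
    if not userinit_ok(values["userinit"], windir):
        findings.append("Winlogon Userinit")
    if not shell_ok(values["shell"]):
        findings.append("Winlogon Shell")
    return findings


def read_live_values() -> dict:
    """Read the real values from the registry. Windows only."""
    import winreg  # importable only on Windows

    def q(root, path, name=""):
        with winreg.OpenKey(root, path) as k:
            return winreg.QueryValueEx(k, name)[0]   # "" = the (Default) value

    winlogon = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    return {
        "exe_command": q(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command"),
        "com_command": q(winreg.HKEY_CLASSES_ROOT, r"comfile\shell\open\command"),
        "userinit": q(winreg.HKEY_LOCAL_MACHINE, winlogon, "Userinit"),
        "shell": q(winreg.HKEY_LOCAL_MACHINE, winlogon, "Shell"),
    }


# Constructed sample (not from the logs): the rogue's binary wrapped around
# the .exe association and appended to Userinit.
ROGUE = r"C:\Documents and Settings\All Users\Application Data\40409522\40409522.exe"
SAMPLE_HIJACKED = {
    "exe_command": '"' + ROGUE + '" "%1" %*',
    "com_command": '"%1" %*',
    "userinit": r"C:\WINDOWS\system32\userinit.exe," + ROGUE + ",",
    "shell": "Explorer.exe",
}

if __name__ == "__main__":
    values = read_live_values() if sys.platform == "win32" else SAMPLE_HIJACKED
    for finding in audit(values) or ["nothing hijacked"]:
        print(finding)
```

Run it on the infected box (with Python installed) and any line it prints is a value to repair, which is what exeHelper's "Resetting filetype association" and "Resetting userinit and shell values" lines did here.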



#11 T.C. (Authentic Member, 104 posts)

Posted 30 October 2009 - 09:45 AM

Here is my Malware Log:

Malwarebytes' Anti-Malware 1.41
Database version: 3060
Windows 5.1.2600 Service Pack 2

10/30/2009 11:32:34 AM
mbam-log-2009-10-30 (11-32-22).txt

Scan type: Quick Scan
Objects scanned: 109849
Time elapsed: 3 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\HP_Owner\ntuser.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\LocalService\ntuser.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\NetworkService\ntuser.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\HP_Owner\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.
C:\Documents and Settings\HP_Owner\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
C:\Documents and Settings\HP_Owner\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

All action was taken. This was before the Quarantine.



And here is my Hi-Jack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:39 AM, on 10/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.32.0\gears.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\HP_Owner\ntuser.dll,_IWMPEvents@0
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.32.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.32.0\gears.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: ArmorIE - {0565CF3E-6070-4272-8EEF-51E5083BE3D9} - C:\Program Files\ArmorIE\SX.dll (HKCU)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://bestbuy.mvm.c...yerAX_Win32.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {407F5185-3B2E-4196-982B-1E258C46F8FD} - ftp://ftp.ea.com/pub/easports/patches/nhl2003/en-us/nhl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.h...nosticsxp2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189652665921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189652621625
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebo...oUploader55.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Update Service (gupdate1c8fdb016204386) (gupdate1c8fdb016204386) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 12468 bytes
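The two O4 lines in the HijackThis log above are the rogue's persistence: the same value name (calc) planted in both the HKLM and HKCU Run keys, each one using rundll32.exe to call an export (_IWMPEvents@0) in a DLL named to look like a system file (calc.dll in system32, ntuser.dll in the user's profile). The following is an added example, not HijackThis code and not something posted in the thread: a Python triage that reads O4 lines and flags those three patterns plus a Startup-folder shortcut that points at a DLL (the scandisk.dll entry exeHelper deleted). The sample lines are copied from the log above except the scandisk line, which is constructed to match that deletion; the severity labels and the "looks like a profile directory" pattern are my own heuristics.

```python
"""Triage the O4 (autostart) lines of a HijackThis log for the patterns the
rogue in this thread used. Added example, not HijackThis code.

Rules (heuristics, assumed):
  high   - rundll32 loading a DLL from a user profile directory
  high   - Startup-folder shortcut whose target is a .dll
  medium - rundll32 calling a named export from a Run key at all
  medium - the same Run value name present in both HKLM and HKCU
"""
import re
from collections import defaultdict

O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?P<scope>Global |)Startup: (?P<lnk>.+?) = (?P<target>.+)$")
RUNDLL = re.compile(r"rundll32(\.exe)?\s+(?P<dll>.+?\.dll)\s*,\s*(?P<export>\S+)", re.I)
PROFILE_DIR = re.compile(r"\\(Documents and Settings|DOCUME~1|Users)\\", re.I)


def parse_o4(line):
    """Return ('run', hive, name, cmd), ('startup', lnk, target) or None."""
    m = O4_RUN.match(line)
    if m:
        return ("run", m.group(1), m.group("name"), m.group("cmd"))
    m = O4_STARTUP.match(line)
    if m:
        return ("startup", m.group("lnk"), m.group("target"))
    return None


def triage(lines):
    """Return a list of (severity, line_or_name, reason) findings, in the
    order the lines appear, followed by cross-line duplicate-name findings."""
    findings = []
    hives_by_name = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        item = parse_o4(line)
        if item is None:
            continue
        if item[0] == "run":
            _, hive, name, cmd = item
            hives_by_name[name.lower()].add(hive)
            m = RUNDLL.search(cmd)
            if m:
                dll = m.group("dll")
                if PROFILE_DIR.search(dll):
                    findings.append(("high", line, f"rundll32 loads {dll} from a user profile"))
                else:
                    findings.append(("medium", line,
                                     f"rundll32 calls export {m.group('export')} in {dll} at logon"))
        else:
            _, lnk, target = item
            if target.lower().endswith(".dll"):
                findings.append(("high", line, "Startup-folder shortcut points at a DLL"))
    for name, hives in hives_by_name.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append(("medium", f"[{name}]", "same Run value name in both HKLM and HKCU"))
    return findings


# Sample input: lines from the posted log, plus one constructed Startup line.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0",
    r'O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"',
    r"O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\HP_Owner\ntuser.dll,_IWMPEvents@0",
    r"O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe",
    # constructed: the Startup-folder entry exeHelper reported deleting
    r"O4 - Startup: scandisk.lnk = C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\scandisk.dll",
]

if __name__ == "__main__":
    for severity, where, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {where}")
```

Feed it the whole log (every non-O4 line is ignored) and the four findings it raises on the sample are the calc.dll entry, the ntuser.dll entry, the Startup DLL and the HKLM/HKCU duplicate; the benign QuickTime, ActiveSync and HP entries produce nothing.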

#12 CatByte (Classroom Administrator, 21,059 posts, MVP)

Posted 30 October 2009 - 03:11 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now



#13 T.C. (Authentic Member, 104 posts)

Posted 30 October 2009 - 05:15 PM

I appreciate your quick responses! Thank You! Here is the log you requested:


ComboFix 09-10-30.01 - HP_Owner 10/30/2009 18:51.6.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1518 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\HP_Owner\Application Data\inst.exe
c:\documents and settings\HP_Owner\ntuser.dll
c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\LocalService\ntuser.dll
c:\windows\system32\calc.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-30 15:27 . 2008-03-20 19:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 03:32 . 2008-09-25 10:09 -------- d-----w- c:\program files\NavNet
2009-10-01 05:33 . 2006-01-31 11:42 406 ----a-w- c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2009-09-14 21:08 . 2005-11-23 01:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-10 18:54 . 2008-11-22 18:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2008-06-25 19:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 15:51 . 2005-11-23 01:43 -------- d-----w- c:\program files\Google
2009-08-19 22:35 . 2009-08-19 22:35 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-08-19 22:35 . 2009-08-19 22:35 47360 ----a-w- c:\documents and settings\HP_Owner\Application Data\pcouffin.sys
2009-08-19 22:25 . 2009-08-19 22:20 1 ----a-w- c:\windows\system32\Earth BluRay Ripper.dat
2009-08-19 22:24 . 2009-08-19 22:20 117696 ----a-w- c:\windows\system32\advddischlp.dll
2009-08-19 22:24 . 2009-08-19 22:20 4363776 ----a-w- c:\windows\system32\bsdevice.dll
2009-08-19 22:20 . 2009-08-19 22:20 89256 ----a-w- c:\windows\system32\elbycdio.dll
2009-08-19 22:20 . 2009-08-19 22:20 24232 ----a-w- c:\windows\system32\drivers\elbycdio.sys
2009-08-19 22:20 . 2009-08-19 22:20 103744 ----a-w- c:\windows\system32\drivers\anydvd.sys
2009-08-19 22:20 . 2009-08-19 22:20 1046464 ----a-w- c:\windows\system32\anydialog.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 16:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"CTDVDDET"="c:\program files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-08-22 16384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2006-10-19 14:12 258048 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=c:\windows\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^..]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\..
backup=c:\windows\pss\..Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\Sierra\\FEAR\\fpupdate.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Morpheus Ultra\\Morpheus.exe"=
"c:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 2003\\Updater.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 2003\\mainapp.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 1:53 PM 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/9/2007 3:09 PM 30720]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [7/22/2009 3:38 AM 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [7/22/2009 3:38 AM 234888]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [8/19/2009 6:20 PM 66944]
R3 crtaud;Conexant Riptide WDM Audio Driver;c:\windows\system32\drivers\crtaud.sys [4/29/2008 6:37 PM 42112]
R3 rpfun;Conexant Riptide Dummy Driver;c:\windows\system32\drivers\rpfun.sys [4/29/2008 6:37 PM 3840]
R3 rthwcls;Conexant Riptide Bus / Firmware Downloader;c:\windows\system32\drivers\rthwcls.sys [4/29/2008 6:37 PM 30720]
S2 gupdate1c8fdb016204386;Google Update Service (gupdate1c8fdb016204386);c:\program files\Google\Update\GoogleUpdate.exe [8/13/2008 9:50 PM 133104]
S3 CENIXFMC;Cenix Digicom Digital Voice Recorder Service;c:\windows\system32\drivers\CenixFMC.sys [5/31/2006 12:49 PM 18660]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [11/15/2007 9:18 PM 572416]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-08-14 21:38]

2009-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-08-14 21:38]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: Convert to existing PDF
IE: E&xport to Microsoft Excel
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bestbuy.mvm.com/Core/Player/2020PlayerAX_Win32.cab
DPF: {407F5185-3B2E-4196-982B-1E258C46F8FD} - ftp://ftp.ea.com/pub/easports/patches/nhl2003/en-us/nhl.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-AVG Anti-Spyware Driver
AddRemove-010D7E30-8019-4477-AE7C-BFBBDE570CB9 - c:\program files\WildTangent\Apps\GameChannel\Games\010D7E30-8019-4477-AE7C-BFBBDE570CB9\Uninstall.exe
AddRemove-0B99A43B-A792-4003-9295-604BC687B6F6 - c:\program files\WildTangent\Apps\GameChannel\Games\0B99A43B-A792-4003-9295-604BC687B6F6\Uninstall.exe
AddRemove-1E728F26-D920-45F1-9E97-4A5690B07A7F - c:\program files\WildTangent\Apps\GameChannel\Games\1E728F26-D920-45F1-9E97-4A5690B07A7F\Uninstall.exe
AddRemove-27C7083E-4ECB-4C88-ACC1-0EDA88C00257 - c:\program files\WildTangent\Apps\GameChannel\Games\27C7083E-4ECB-4C88-ACC1-0EDA88C00257\Uninstall.exe
AddRemove-3295A049-B970-4CC5-847C-7ABF14B9F8F1 - c:\program files\WildTangent\Apps\GameChannel\Games\3295A049-B970-4CC5-847C-7ABF14B9F8F1\Uninstall.exe
AddRemove-36317AE4-57EC-4F3E-B828-009A3DD96BE8 - c:\program files\WildTangent\Apps\GameChannel\Games\36317AE4-57EC-4F3E-B828-009A3DD96BE8\Uninstall.exe
AddRemove-3F34F72F-9BB0-4B73-8312-558953ACF56F - c:\program files\WildTangent\Apps\GameChannel\Games\3F34F72F-9BB0-4B73-8312-558953ACF56F\Uninstall.exe
AddRemove-46CD7AAB-D3C9-41DB-8AEC-5BD24169B0E1 - c:\program files\WildTangent\Apps\GameChannel\Games\46CD7AAB-D3C9-41DB-8AEC-5BD24169B0E1\Uninstall.exe
AddRemove-47298745-7194-4142-AFDA-8BE2EDFDF82E - c:\program files\WildTangent\Apps\GameChannel\Games\47298745-7194-4142-AFDA-8BE2EDFDF82E\Uninstall.exe
AddRemove-5253F22E-D4B6-49B7-9106-28D9C5395F22 - c:\program files\WildTangent\Apps\GameChannel\Games\5253F22E-D4B6-49B7-9106-28D9C5395F22\Uninstall.exe
AddRemove-58D1A004-6D3C-480A-9E0D-FAA58F3C2A62 - c:\program files\WildTangent\Apps\GameChannel\Games\58D1A004-6D3C-480A-9E0D-FAA58F3C2A62\Uninstall.exe
AddRemove-5F5B2E2A-5924-4DAB-825A-10BEA50A4DA1 - c:\program files\WildTangent\Apps\GameChannel\Games\5F5B2E2A-5924-4DAB-825A-10BEA50A4DA1\Uninstall.exe
AddRemove-663A22CB-3C2B-4302-9A14-BC5DAFAB2071 - c:\program files\WildTangent\Apps\GameChannel\Games\663A22CB-3C2B-4302-9A14-BC5DAFAB2071\Uninstall.exe
AddRemove-6E4D87E1-83A3-4029-A9E4-2F360442E1FC - c:\program files\WildTangent\Apps\GameChannel\Games\6E4D87E1-83A3-4029-A9E4-2F360442E1FC\Uninstall.exe
AddRemove-703E3900-69DA-47C9-9768-C6514098F149 - c:\program files\WildTangent\Apps\GameChannel\Games\703E3900-69DA-47C9-9768-C6514098F149\Uninstall.exe
AddRemove-7978E9A8-5A11-4406-BA8F-866E120352DF - c:\program files\WildTangent\Apps\GameChannel\Games\7978E9A8-5A11-4406-BA8F-866E120352DF\Uninstall.exe
AddRemove-8C4E79CC-03E1-43AA-9910-9A5113F24603 - c:\program files\WildTangent\Apps\GameChannel\Games\8C4E79CC-03E1-43AA-9910-9A5113F24603\Uninstall.exe
AddRemove-95A4B97A-C363-41DD-B907-BD4AB9E4FF16 - c:\program files\WildTangent\Apps\GameChannel\Games\95A4B97A-C363-41DD-B907-BD4AB9E4FF16\Uninstall.exe
AddRemove-A9C7B4D4-A866-4696-B115-77B65D0A641A - c:\program files\WildTangent\Apps\GameChannel\Games\A9C7B4D4-A866-4696-B115-77B65D0A641A\Uninstall.exe
AddRemove-B2D3332F-EA2D-42B3-8E4A-F74D052BCBC1 - c:\program files\WildTangent\Apps\GameChannel\Games\B2D3332F-EA2D-42B3-8E4A-F74D052BCBC1\Uninstall.exe
AddRemove-B41503CB-5FE0-47E0-87C1-47BA8E660BCC - c:\program files\WildTangent\Apps\GameChannel\Games\B41503CB-5FE0-47E0-87C1-47BA8E660BCC\Uninstall.exe
AddRemove-BA910432-2C22-4BB8-9D13-46170F52C5AC - c:\program files\WildTangent\Apps\GameChannel\Games\BA910432-2C22-4BB8-9D13-46170F52C5AC\Uninstall.exe
AddRemove-C1241092-7183-480A-A289-B5920C7C56D0 - c:\program files\WildTangent\Apps\GameChannel\Games\C1241092-7183-480A-A289-B5920C7C56D0\Uninstall.exe
AddRemove-C2C3C2DB-7D8A-4E20-B527-E3149FAECC3A - c:\program files\WildTangent\Apps\GameChannel\Games\C2C3C2DB-7D8A-4E20-B527-E3149FAECC3A\Uninstall.exe
AddRemove-D11F7128-8CBD-408B-8BF8-034604DEDD42 - c:\program files\WildTangent\Apps\GameChannel\Games\D11F7128-8CBD-408B-8BF8-034604DEDD42\Uninstall.exe
AddRemove-D3203C96-6C76-43D6-A3D0-5DD6A0732E83 - c:\program files\WildTangent\Apps\GameChannel\Games\D3203C96-6C76-43D6-A3D0-5DD6A0732E83\Uninstall.exe
AddRemove-DAE7A92A-BAC7-42FA-AC62-53DEF1DC4292 - c:\program files\WildTangent\Apps\GameChannel\Games\DAE7A92A-BAC7-42FA-AC62-53DEF1DC4292\Uninstall.exe
AddRemove-ED8E7ECA-9D6A-46BA-BF46-D97774AA7117 - c:\program files\WildTangent\Apps\GameChannel\Games\ED8E7ECA-9D6A-46BA-BF46-D97774AA7117\Uninstall.exe
AddRemove-F5215F01-DFC0-475D-A910-6F1AF94E807E - c:\program files\WildTangent\Apps\GameChannel\Games\F5215F01-DFC0-475D-A910-6F1AF94E807E\Uninstall.exe
AddRemove-SBC Self Support Tool - c:\docume~1\HP_Owner\LOCALS~1\Temp\SST\CustomUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-30 19:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2748)
c:\windows\system32\ctagent.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-30 19:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-30 23:10
ComboFix2.txt 2008-12-04 05:09
ComboFix3.txt 2008-12-01 08:34
ComboFix4.txt 2008-12-01 00:10
ComboFix5.txt 2009-10-30 22:50

Pre-Run: 369,676,005,376 bytes free
Post-Run: 369,513,189,376 bytes free

- - End Of File - - 5600457DA73AEF94B7F3DEF899EC3A94

#14 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 30 October 2009 - 06:57 PM

Hi,

Your MalwareBytes log shows "no action taken". Please run it again, choose the Update tab and allow it to update.
Run the program and have it remove anything it finds... post the log.


NEXT

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#15 T.C.

T.C.

    Authentic Member

  • Authentic Member
  • PipPip
  • 104 posts

Posted 30 October 2009 - 10:11 PM

Malwarebytes Log

Malwarebytes' Anti-Malware 1.41
Database version: 3064
Windows 5.1.2600 Service Pack 2

10/30/2009 11:57:44 PM
mbam-log-2009-10-30 (23-57-44).txt

Scan type: Quick Scan
Objects scanned: 110291
Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Cookies\bumo.reg (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\esycire._dl (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\ilifati.dl (Malware.Trace) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\jababug.inf (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\jiceji._sy (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\kyba.dl (Malware.Trace) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\MM2048.dat (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\MM256.dat (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\polorid.vbs (Malware.Trace) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\syssp.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\uwux.exe (Fake.Dropped.Malware) -> Delete on reboot.

I could not run the Kaspersky Online Scanner - error message says: "Launch of the Java application is interrupted!
Please establish an uninterrupted Internet connection for work with this program." I don't know why it's saying that? I have everything off and no anti-virus programs on my computer.
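The check CatByte made by eye on the earlier log (detections listed but recorded as "no action taken") is easy to automate when reviewing many of these logs. The following is an added example, not code from the thread or from Malwarebytes: a small Python parser for the MBAM 1.x text log layout quoted above that pulls out every detection with its recorded action and flags the ones that were never removed. The sample log embedded in it is constructed to mirror that layout; the registry key and the Rogue.Example detection name in it are placeholders, not findings from this machine.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and flag detections that
were only reported, not removed ("No action taken").

Added example for this thread, not Malwarebytes' own code.  SAMPLE_LOG below
is constructed to match the log layout quoted in the thread; the registry key
and the "Rogue.Example" name are placeholders.
"""
import re
from dataclasses import dataclass


@dataclass
class Detection:
    category: str   # section name, e.g. "Files Infected"
    item: str       # file path or registry key
    name: str       # detection name, e.g. "Fake.Dropped.Malware"
    action: str     # recorded action, e.g. "Delete on reboot", "No action taken"


# Header summary lines carry a count: "Files Infected: 11"
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):\s*(?P<n>\d+)\s*$")
# Section headers have no count: "Files Infected:"
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):\s*$")
# Detection lines: "<item> (<name>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return a list of Detection records found in the log body."""
    detections = []
    current = None  # section we are inside, once the detail part starts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SUMMARY_RE.match(line):
            continue  # blank lines and the count summary add nothing here
        m = SECTION_RE.match(line)
        if m:
            current = m.group("cat")
            continue
        if line.startswith("(No malicious items detected)"):
            continue  # empty section marker
        m = ENTRY_RE.match(line)
        if m and current:
            detections.append(Detection(current, m.group("item"),
                                        m.group("name"), m.group("action")))
    return detections


def unresolved(detections):
    """Detections whose recorded action means nothing was actually removed."""
    return [d for d in detections if d.action.lower().startswith("no action taken")]


def summarize(text):
    """Counts a helper would want before asking for a re-scan."""
    dets = parse_mbam_log(text)
    return {
        "total": len(dets),
        "no_action": len(unresolved(dets)),
        "categories": sorted({d.category for d in dets}),
    }


# Constructed sample in the MBAM 1.41 layout; placeholder key and names.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3064
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 110291
Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\EXAMPLE_ROGUE_KEY (Rogue.Example) -> No action taken.

Files Infected:
C:\Documents and Settings\NetworkService\Cookies\example1.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\example2.dat (Trojan.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for d in unresolved(parse_mbam_log(SAMPLE_LOG)):
        print("still present:", d.category, d.item, d.name)
```

The parser keys on the section headers rather than on the count lines, so it also works on logs that were flattened onto one line and then re-split, as the one above was; a "no_action" count above zero is the cue to update definitions and run the removal again before moving on to other scanners.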
