[Resolved] Malwarebytes Finds 2 hijack.windowsupdates files and cannot


  • This topic is locked
35 replies to this topic

#1 azstokes

azstokes

    Authentic Member

  • Authentic Member
  • 21 posts

Posted 10 November 2009 - 07:01 AM

I had many, many issues with this PC about 4 months ago - and gave up on it and purchased another - now my daughter's laptop was stolen and I need to fix this one for her to use for school. I used Malwarebytes and managed after a few run-throughs to leave only two problems. Malwarebytes finds the two, tells me that they are fixed and then finds them again on the next run-through. I used the Kaspersky on-line checker which found about 100 problems - but my Kaspersky trial version cannot enable all components. I think that I followed all of the instructions in the "new members - how to get help" thread.

Here is the RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/10 06:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 4c9d18cd.sys
Image Path: C:\WINDOWS\System32\drivers\4c9d18cd.sys
Address: 0xF77CB000
Size: 48512
File Visible: No
Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB070C000
Size: 98304
File Visible: No
Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B03000
Size: 8192
File Visible: No
Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7CCB000
Size: 2560
File Visible: No
Signed: -
Status: -

Name: ovfsthgkmlckmxxnhtitrxvnijesyxmguravbr.sys
Image Path: C:\WINDOWS\system32\drivers\ovfsthgkmlckmxxnhtitrxvnijesyxmguravbr.sys
Address: 0xB0E39000
Size: 180224
File Visible: -
Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAF12F000
Size: 49152
File Visible: No
Signed: -
Status: -

Name: xpacket.sys
Image Path: xpacket.sys
Address: 0xF72AD000
Size: 73728
File Visible: No
Signed: -
Status: -

==EOF==

Here is the DDS log:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Compaq_Owner at 6:50:43.56 on Tue 11/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.284 [GMT -5:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: iolo AntiVirus® *On-access scanning disabled* (Updated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: iolo Personal Firewall® *disabled* {38254411-9AEC-4967-913E-F892C2A4DF89}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hawking\Common\RaUI.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Program Files\TechSmith\SnagIt 9\snagit32.exe
C:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
C:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://home.netscape.com/home/winsearch200.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://keyword.netscape.com/keyword/%s
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - No File
EB: DF Bar: {67fcef90-073e-11de-8c30-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [EPSON Stylus Photo R320 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P39 "EPSON Stylus Photo R320 Series (Copy 1)" /O6 "USB002" /M "Stylus Photo R320"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hawkin~1.lnk - c:\program files\hawking\common\RaUI.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: add to anti-banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749}
{38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
IE: {4248fe82-7fcb-46ac-b270-339f08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {ccf151d8-d089-449f-a5a4-d9909053f20f} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
LSP: c:\windows\system32\iavlsp.dll
LSP: c:\program files\iolo\common\firewall\iFW_Xfilter.dll
Trusted Zone: aol.com\free
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Notify: klogon - c:\windows\system32\klogon.dll
Notify: wvUoLffe - wvUoLffe.dll
AppInit_DLLs: c:\windows\system32\yetisono.dll c:\windows\system32\wakozawa.dll,c:\windows\system32\pokupibo.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqPjGYR
LSA: Notification Packages = scecli c:\windows\system32\pokupibo.dll

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R0 XPacket;iolo Personal Firewall Driver;c:\windows\system32\xpacket.sys [2008-5-31 39424]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-5-31 566120]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-5-31 566120]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2009-3-3 2688]
R3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2007-9-30 438912]
S2 ekrn;Eset Service;"c:\program files\eset\eset smart security\ekrn.exe" --> c:\program files\eset\eset smart security\ekrn.exe [?]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\roxio creator 2009\digital home 11\roxioupnprenderer11.exe" --> c:\program files\roxio creator 2009\digital home 11\RoxioUPnPRenderer11.exe [?]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2009-3-3 184320]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-11-10 03:27:15 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-11-10 03:27:15 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-11-10 03:25:40 0 d-----w- c:\program files\Kaspersky Lab
2009-11-10 03:25:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-11-10 03:25:28 0 d-----w- c:\windows\LastGood.Tmp
2009-11-10 03:21:58 75609088 ----a-w- C:\kis.en.msi
2009-11-10 03:21:58 59992 ----a-w- C:\setup.exe
2009-11-03 23:15:38 496 ----a-w- c:\windows\WININIT.INI
2009-11-03 21:12:04 0 d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes
2009-11-03 21:12:01 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 21:11:59 19160 ------w- c:\windows\system32\drivers\mbam.sys
2009-11-03 21:11:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-03 17:15:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-03 17:14:55 0 d-----w- c:\program files\MalwarebytesPortable
2009-10-21 01:34:56 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-15 02:18:34 36880 ----a-w- c:\windows\system32\drivers\klbg.sys

==================== Find3M ====================

2009-11-10 11:50:46 94204 ----a-w- c:\windows\system32\drivers\4c9d18cd.sys
2009-10-03 00:39:44 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2009-09-14 19:42:46 32272 ----a-w- c:\windows\system32\drivers\klim5.sys
2009-04-30 22:48:31 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-04-30 22:48:31 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-04-30 22:48:31 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 6:51:17.34 ===============

I have attached the requested "DDS Attach" file. Thanks in advance for any help you may be able to provide.

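As an added triage example (my own code, not from the thread or from the DDS/RootRepeal authors), the script below parses lines in the DDS "Pseudo HJT Report" and RootRepeal driver formats shown above and flags the loading points a removal helper reviews first; the sample lines are constructed from the logs posted here, and the severity rules are my own heuristics.

```python
"""Triage helper for DDS and RootRepeal logs (added example).

Not code from the thread or from the DDS/RootRepeal authors. It reads the
text of a DDS "Pseudo HJT Report" and a RootRepeal driver list and flags the
loading points a removal helper reviews first. The samples are constructed
from lines in the logs posted above; the scoring rules are my own heuristics.
"""
import re

# Constructed sample: lines copied from the DDS log in the first post.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = http=localhost:7171
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
Notify: klogon - c:\windows\system32\klogon.dll
Notify: wvUoLffe - wvUoLffe.dll
AppInit_DLLs: c:\windows\system32\yetisono.dll c:\windows\system32\wakozawa.dll,c:\windows\system32\pokupibo.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqPjGYR
LSA: Notification Packages = scecli c:\windows\system32\pokupibo.dll
"""

# Constructed sample: two driver records in RootRepeal's one-field-per-line layout.
SAMPLE_ROOTREPEAL = r"""
Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7CCB000
Size: 2560
File Visible: No
Signed: -
Status: -

Name: ovfsthgkmlckmxxnhtitrxvnijesyxmguravbr.sys
Image Path: C:\WINDOWS\system32\drivers\ovfsthgkmlckmxxnhtitrxvnijesyxmguravbr.sys
Address: 0xB0E39000
Size: 180224
File Visible: -
Signed: -
Status: Hidden from the Windows API!
"""

# Windows XP defaults for the two LSA package lists; anything extra needs a look.
LSA_DEFAULTS = {"Authentication Packages": {"msv1_0"},
                "Notification Packages": {"scecli"}}
USER_PROFILE = re.compile(r"docume~1|documents and settings", re.I)


def triage_dds(text):
    """Return (severity, message) findings for the loading points DDS lists."""
    findings = []
    for line in text.splitlines():
        if "ProxyServer" in line and re.search(r"localhost|127\.0\.0\.1", line):
            # Browser traffic is being routed through a port on the machine itself.
            findings.append(("high", "browser proxied through a local port: " + line))
        elif re.match(r"[umd]Policies-system: Disable(TaskMgr|RegistryTools) = 1", line):
            findings.append(("high", "admin tool disabled by policy: " + line))
        elif re.match(r"[umd]Run:", line) and "rundll32" in line.lower() \
                and USER_PROFILE.search(line):
            findings.append(("high", "rundll32 loads a DLL from a user profile at logon: " + line))
        elif line.startswith("Notify:") and "\\" not in line.split(" - ", 1)[-1]:
            findings.append(("medium", "winlogon notify package without a full path: " + line))
        elif line.startswith("AppInit_DLLs:"):
            # Entries may be separated by spaces or commas; each one is loaded
            # into every process that links user32.dll.
            for dll in re.split(r"[ ,]+", line[len("AppInit_DLLs:"):].strip()):
                findings.append(("medium", "AppInit DLL: " + dll))
        elif line.startswith("LSA:"):
            name, _, value = line[4:].partition(" = ")
            extra = set(value.split()) - LSA_DEFAULTS.get(name.strip(), set())
            for pkg in sorted(extra):
                findings.append(("high", "non-default LSA %s entry: %s" % (name.strip(), pkg)))
    return findings


def parse_rootrepeal_drivers(text):
    """Split RootRepeal's driver section into one dict per 'Name:' record."""
    drivers, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        if key == "Name":
            current = {}
            drivers.append(current)
        if current is not None:
            current[key] = value.strip()
    return drivers


def hidden_drivers(text):
    """Names of drivers RootRepeal reports as hidden from the Windows API."""
    return [d["Name"] for d in parse_rootrepeal_drivers(text)
            if "hidden" in d.get("Status", "").lower()]


if __name__ == "__main__":
    for severity, message in triage_dds(SAMPLE_DDS):
        print("[%s] %s" % (severity.upper(), message))
    for name in hidden_drivers(SAMPLE_ROOTREPEAL):
        print("[HIGH] kernel driver hidden from the Windows API: " + name)
```

Run against the sample, it reports the localhost proxy, the two disabled admin tools, the rundll32 entry under the user profile, the path-less Notify package, the three AppInit DLLs and the two extra LSA packages, plus the one hidden driver.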


#2 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 10 November 2009 - 08:22 AM

Hi,

Please do the following:

Download Combofix from either of the links below. You must rename it to combo.com before saving it.
Save it to your desktop. Change the save as file type to "all files"

**Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

Link 1
Link 2

-----------------------------------------------------------


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

-----------------------------------------------------------

  • Double click on the renamed ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

-----------------------------------------------------------


Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 azstokes

azstokes

    Authentic Member

  • Authentic Member
  • 21 posts

Posted 10 November 2009 - 09:40 AM

Thanks so much for your help, it really is greatly appreciated.

I did as requested and here is the result:





ComboFix 09-11-09.01 - Compaq_Owner 11/10/2009 9:59.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.592 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\Combo.com
AV: iolo AntiVirus® *On-access scanning disabled* (Updated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: iolo Personal Firewall® *disabled* {38254411-9AEC-4967-913E-F892C2A4DF89}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
ADS - WINDOWS: deleted 48 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Start Menu\Programs\Math Advantage
c:\documents and settings\All Users\Start Menu\Programs\Math Advantage \Pre Algebra.lnk
c:\documents and settings\All Users\Start Menu\Programs\Math Advantage \Quick Tour.lnk
c:\documents and settings\All Users\Start Menu\Programs\Math Advantage \QuickTime Setup.lnk
c:\documents and settings\All Users\Start Menu\Programs\Math Advantage \Readme.lnk
c:\documents and settings\Compaq_Owner\Application Data\inst.exe
c:\documents and settings\Compaq_Owner\Desktop\Indy
c:\documents and settings\Compaq_Owner\Desktop\Indy \Indy\Indy\Indy\Indy\Chill Out Scooby\TV Shows and Movies\dexter\dexter.209.hdtv.xvid.notv.avi
c:\documents and settings\Compaq_Owner\Desktop\Indy \Indy\Indy\Indy\Indy\Chill Out Scooby\TV Shows and Movies\dexter\dexter.210.hdtv.xvid.notv.avi
c:\documents and settings\Compaq_Owner\Desktop\Indy \Indy\Indy\Indy\Indy\Chill Out Scooby\TV Shows and Movies\dexter\dexter.s02e04.hdtv.xvid.notv.avi
c:\documents and settings\Compaq_Owner\Desktop\Indy \Indy\Indy\Indy\Indy\Chill Out Scooby\TV Shows and Movies\dexter\dexter.s02e05.hdtv.xvid-xor.avi
c:\documents and settings\Compaq_Owner\Desktop\Indy \Indy\Indy\Indy\Indy\Chill Out Scooby\TV Shows and Movies\dexter\dexter.s02e06.hdtv.xvid.notv.avi
c:\documents and settings\Compaq_Owner\Desktop\Indy \Indy\Indy\Indy\Indy\Chill Out Scooby\TV Shows and Movies\dexter\dexter.s02e07.hdtv.xvid.notv.avi
c:\documents and settings\Compaq_Owner\Desktop\Indy \Indy\Indy\Indy\Indy\Chill Out Scooby\TV Shows and Movies\dexter\dexter.s02e08.hdtv.xvid-xor.avi
c:\documents and settings\Compaq_Owner\Desktop\Indy \Indy\Indy\Indy\Indy\Chill Out Scooby\TV Shows and Movies\dexter\Dexter.S02E11.DVDR.XviD.avi
c:\documents and settings\Compaq_Owner\Desktop\Indy \Indy\Indy\Indy\Indy\Chill Out Scooby\TV Shows and Movies\dexter\Dexter.S02E12.DVDR.XviD.avi
c:\documents and settings\Compaq_Owner\Desktop\Zack and Miri
c:\documents and settings\Compaq_Owner\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Compaq_Owner\Local Settings\Temporary Internet Files\Cpvff.stt
c:\documents and settings\Compaq_Owner\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Common Files\smbols~1
c:\program files\Mozilla Firefox\extensions\{8AB5FA8B-EDF8-481F-A170-810E7451FC61}
c:\program files\Mozilla Firefox\extensions\{8AB5FA8B-EDF8-481F-A170-810E7451FC61}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{8AB5FA8B-EDF8-481F-A170-810E7451FC61}\chrome\content\overlay.xul
c:\program files\Mozilla Firefox\extensions\{8AB5FA8B-EDF8-481F-A170-810E7451FC61}\install.rdf
c:\program files\stem32~1
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\NetMonInstaller.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\recycler\S-1-5-21-0062628178-6265140440-708220099-2667
c:\recycler\S-1-5-21-0905396221-8508604933-619309286-7316
c:\recycler\S-1-5-21-1378079732-3310832987-2705392182-1009
c:\recycler\S-1-5-21-2633436373-10974561-1082197262-1003
c:\recycler\S-1-5-21-4028342430-868462938-3973767353-1009
c:\recycler\S-1-5-21-654032191-2136409234-806578765-1009
C:\setup.exe
c:\temp\1cb
c:\temp\tn3
c:\temp\vtmp2
c:\windows\desktop
c:\windows\desktop\Cyber Patrol - FREE Trial!.lnk
c:\windows\mainms.vpi
c:\windows\megavid.cdt
c:\windows\muotr.so
c:\windows\racle~1
c:\windows\run.log
c:\windows\system32\bemoriva.dll
c:\windows\system32\crosof~1
c:\windows\system32\drivers\4c9d18cd.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\ovfsthgkmlckmxxnhtitrxvnijesyxmguravbr.sys
c:\windows\system32\ebigozes.ini
c:\windows\system32\jarugimo.dll
c:\windows\system32\ogumuhat.ini
c:\windows\system32\oluhiret.ini
c:\windows\system32\ovfsthaexhxnbhruxwwnytvsaofclaomwdiywp.dll
c:\windows\system32\ovfsthixdqpmylfiwileswdbprfrqmasjbpnsd.dat
c:\windows\system32\ovfsthsfljepygmboncdfrpccfnqpjwkrrlylv.dll
c:\windows\system32\ovfsthxmqfmuuekmvlihcoihncyofymmyefsxw.dat
c:\windows\system32\ovfsthxradkkruttigbgdkxrxpbbumaltldclo.dll
c:\windows\system32\owimunos.ini
c:\windows\system32\Packet.dll
c:\windows\system32\ps2.bat
c:\windows\system32\pthreadVC.dll
c:\windows\system32\uburimif.ini
c:\windows\system32\uniq.tll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\yahipeja.dll
c:\windows\system32\yonevena.dll
C:\xcrashdump.dat

----- BITS: Possible infected sites -----

hxxp://83.149.105.228
Infected copy of c:\windows\system32\kernel32.dll was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\ndis.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthctfebiyygfkqorrmtyqjcjphxobaoowq
-------\Legacy_fci
-------\Legacy_NPF
-------\Legacy_RKHIT
-------\Service_4c9d18cd


((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
.

2009-11-10 11:49 . 2009-11-10 11:49 -------- d-----w- c:\program files\ERUNT
2009-11-10 03:27 . 2009-11-10 03:27 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-11-10 03:27 . 2009-11-10 03:27 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-11-10 03:25 . 2009-11-10 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-11-10 03:25 . 2009-11-10 03:25 -------- d-----w- c:\program files\Kaspersky Lab
2009-11-10 03:21 . 2009-10-20 16:54 75609088 ----a-w- C:\kis.en.msi
2009-11-03 21:12 . 2009-11-03 21:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-11-03 21:12 . 2009-09-10 19:54 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 21:11 . 2009-11-03 21:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-03 21:11 . 2009-09-10 19:53 19160 ------w- c:\windows\system32\drivers\mbam.sys
2009-11-03 17:15 . 2009-11-03 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-03 17:14 . 2009-11-03 17:15 -------- d-----w- c:\program files\MalwarebytesPortable
2009-10-21 01:34 . 2009-10-21 01:34 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe
2009-10-15 02:18 . 2009-10-15 02:18 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
1601-01-01 00:00 . 1601-01-01 00:00 -------- d-----w- c:\windows\LastGood.Tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 15:08 . 2004-08-04 12:00 577536 ----a-w- c:\windows\system32\user32.dll
2009-11-10 03:20 . 2009-01-29 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-10 03:02 . 2007-04-17 00:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-03 23:52 . 2009-04-23 20:19 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2009-11-03 23:52 . 2009-04-23 21:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 23:52 . 2007-04-13 19:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-03 23:50 . 2007-12-18 04:44 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Tunebite
2009-11-03 23:46 . 2005-05-26 03:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-03 23:41 . 2009-04-06 01:57 305640 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-03 23:36 . 2008-01-05 21:45 -------- d-----w- c:\program files\Spider-Man Photo Lab
2009-11-03 23:36 . 2005-11-06 02:50 -------- d-----w- c:\program files\SlySoft
2009-11-03 23:33 . 2005-11-06 18:03 -------- d-----w- c:\program files\DVD Shrink
2009-11-03 23:30 . 2005-05-26 04:17 -------- d-----w- c:\program files\QuickTime
2009-11-03 23:27 . 2005-05-26 03:54 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-03 23:27 . 2009-03-04 02:11 -------- d-----w- c:\program files\SoundTaxi
2009-11-03 23:24 . 2005-07-24 17:53 101336 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 23:21 . 2005-05-26 04:31 -------- d-----w- c:\program files\Google
2009-11-03 23:21 . 2009-03-06 21:56 -------- d-----w- c:\program files\Error Repair Professional
2009-11-03 23:19 . 2009-03-02 00:15 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-03 23:15 . 2009-03-02 00:15 -------- d-----w- c:\program files\Roxio Creator 2009
2009-11-03 23:15 . 2005-05-26 04:05 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-11-03 23:14 . 2009-03-02 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-11-03 23:09 . 2008-07-16 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\{FBB5C4A9-4848-46A0-8863-C359F08D7728}
2009-11-03 23:07 . 2008-06-11 00:46 -------- d-----w- c:\program files\Supreme Auction 2
2009-11-03 22:59 . 2006-12-25 15:11 -------- d-----w- c:\program files\Apple Software Update
2009-11-03 19:02 . 2009-03-02 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-10-03 00:39 . 2009-10-03 00:39 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2009-09-14 19:42 . 2009-09-14 19:42 32272 ----a-w- c:\windows\system32\drivers\klim5.sys
2009-09-10 00:01 . 2009-09-10 00:01 27675 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-09-01 20:29 . 2009-09-01 20:29 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
.
Infected c:\windows\system32\user32.dll hex repaired


------- Sigcheck -------

[-] 2009-04-30 . 558635D3AF1C7546D26067D5D9B6959E . 212480 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys
[-] 2009-04-30 . 558635D3AF1C7546D26067D5D9B6959E . 212480 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ndis.sys
[7] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"EPSON Stylus Photo R320 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 98304]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-21 340456]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-04-12 49152]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck smrgdf c:\documents and settings\Compaq_Owner\Application Data\iolo\

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\ioloAV.exe"=
"c:\\Program Files\\Wirelwss LAN Utility\\tiwlnsvc.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"39658:TCP"= 39658:TCP:*:Disabled:Service
"39674:TCP"= 39674:TCP:*:Disabled:Service

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R0 XPacket;iolo Personal Firewall Driver;c:\windows\system32\xpacket.sys [5/31/2008 8:33 PM 39424]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [5/31/2008 8:34 PM 566120]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [5/31/2008 8:34 PM 566120]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [3/3/2009 8:44 PM 2688]
R3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [9/30/2007 1:34 PM 438912]
S2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" --> c:\program files\ESET\ESET Smart Security\ekrn.exe [?]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [?]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [3/3/2009 9:11 PM 184320]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - mchInjDrv
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://home.netscape.com/home/winsearch200.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://keyword.netscape.com/keyword/%s
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\iavlsp.dll
LSP: c:\program files\iolo\Common\Firewall\iFW_Xfilter.dll
Trusted Zone: aol.com\free
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll
Notify-wvUoLffe - wvUoLffe.dll
AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-10 10:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\OLD18.tmp:ext.exe 32256 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe >>UNKNOWN [0x85537500]<<
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x12a14c00 size 0x1af !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x012A14C00 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4794b132-12ea-4371-ae4c-575eaa5fd580}]
@Denied: (Full) (Everyone)
"Model"=dword:00000070
"Therad"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ba,8c,62,eb,39,e8,ae,a7,18,31,b2,8f,01,de,1f,99,8a,9e,fe,29,fc,
c6,d8,38,44,9c,06,a5,b5,ba,d1,e3,07,e8,cc,cc,52,c4,a8,cf,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{76a4a367-8ef7-44e8-91ca-218acd36082f}]
@Denied: (Full) (Everyone)
"Model"=dword:00000041
"Therad"=dword:0000000e
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,8a,7b,58,00,84,
ef,4b,9c,05,98,32,02,34,2b,da,61,e9,38,b3,8c,f4,79,df,a8,14,0d,6e,ab,92,c4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):32,a0,d0,e4,9d,2b,dd,f4,53,e6,96,54,08,c2,12,93,4a,46,ea,54,4e,
52,0f,c1,77,83,49,f3,9a,a0,6e,bf,26,40,a3,79,91,ae,5d,9d,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wuauserv\Parameters]
@DACL=(02 0000)
"ServiceDll"=expand:"c:\\WINDOWS\\system32\\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wuauserv\Security]
@DACL=(02 0000)
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(2016)
c:\windows\system32\iavlsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\msiexec.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\hp\KBD\KBD.EXE
.
**************************************************************************
.
Completion time: 2009-11-10 10:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-10 15:37

Pre-Run: 80,207,478,784 bytes free
Post-Run: 85,152,100,352 bytes free

- - End Of File - - C716DF0982A04605E956B5591AC9CFAF

Thanks again for your help.

#4 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 10 November 2009 - 07:12 PM

Hi,

Please do the following:

Please go to Start > Control Panel > Add/Remove programs:

A list of installed programs will populate

locate all the entries for IOBIT security suite/antivirus and REMOVE.

NEXT


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FCopy::
c:\windows\$NtServicePackUninstall$\ndis.sys | c:\windows\system32\drivers\ndis.sys

DDS::
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>

Rootkit::
c:\windows\system32\OLD18.tmp:ext.exe 

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{76a4a367-8ef7-44e8-91ca-218acd36082f}]
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Open your Malwarebytes' Anti-Malware program and select the Update tab,
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so.


NEXT


Using Internet Explorer or Firefox, visit Kaspersky Online Scanner:
1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
    Posted Image
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
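The CFScript above acts on a handful of indicators that a helper reads straight out of the ComboFix, catchme and Gmer MBR output: a proxy pointing back at localhost, the Windows Firewall switched off, an executable hidden in an NTFS alternate data stream, Gmer's "malicious code @ sector" line, and CLSID keys locked with a deny for Everyone. The script below is an added example, not code from this thread, from ComboFix or from Gmer; it pulls those same indicators out of log text so a reader can triage a posted log before deciding what to script. The regular expressions are my own assumptions about the log format, based only on the lines posted in this thread, and the sample log is constructed from those lines.

```python
"""Triage a ComboFix / catchme / Gmer MBR log for common hijack indicators.

Added example for this thread; it is not part of ComboFix, Gmer or the
forum's own tooling. The patterns below are assumptions about the log
format, derived from the lines posted in this thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the ComboFix, catchme and Gmer MBR
# output posted earlier in this thread, so the checks can run offline.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
scanning hidden files ...

c:\windows\system32\OLD18.tmp:ext.exe 32256 bytes executable

scan completed successfully
hidden files: 1
user & kernel MBR OK
malicious code @ sector 0x12a14c00 size 0x1af !
copy of MBR has been found in sector 62 !
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4794b132-12ea-4371-ae4c-575eaa5fd580}]
@Denied: (Full) (Everyone)
"Model"=dword:00000070

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wuauserv\Parameters]
@DACL=(02 0000)
"""

# Browser proxy forced through a port on the local machine (assumed indicator:
# a local listener silently relaying or rewriting web traffic).
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+?)\s*$")
LOCAL_HOSTS = ("localhost", "127.0.0.1")
# Windows Firewall standard profile switched off.
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
# catchme reports a hidden executable living in an alternate data stream
# ("file:stream <size> bytes executable").
ADS_EXE_RE = re.compile(
    r"^(?P<file>[A-Za-z]:\\[^:\s]+):(?P<stream>\S+)\s+(?P<size>\d+) bytes executable")
# Gmer MBR detector found code outside the normal boot sector.
MBR_RE = re.compile(
    r"^malicious code @ sector (?P<sector>0x[0-9a-fA-F]+) size (?P<size>0x[0-9a-fA-F]+)")
# Registry key header followed by an "@Denied:" line in the locked-keys section.
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
DENIED_RE = re.compile(r"^@Denied:")


@dataclass(frozen=True)
class Finding:
    kind: str    # short category, e.g. "local_proxy"
    detail: str  # the value, path or key that triggered the finding


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line and collect the indicators listed above."""
    findings: List[Finding] = []
    current_key: Optional[str] = None  # last "[HKEY_...]" header seen
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            value = m.group("value")
            if any(host in value.lower() for host in LOCAL_HOSTS):
                findings.append(Finding("local_proxy", value))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(Finding("firewall_disabled", line))
            continue
        m = ADS_EXE_RE.match(line)
        if m:
            findings.append(Finding(
                "hidden_ads_executable",
                f"{m['file']}:{m['stream']} ({m['size']} bytes)"))
            continue
        m = MBR_RE.match(line)
        if m:
            findings.append(Finding(
                "mbr_malicious_code", f"sector {m['sector']} size {m['size']}"))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"]
            continue
        if DENIED_RE.match(line) and current_key:
            # Only keys with an explicit deny are flagged; a plain @DACL line is not.
            findings.append(Finding("locked_registry_key", current_key))
            current_key = None
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, handy for a quick first look at a long log."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.detail}")
```

Run against the constructed sample it reports exactly the five indicators the CFScript above addresses (the DDS:: proxy lines, the ADS-hosted `ext.exe`, and the locked CLSID keys) plus the firewall and MBR lines that the helper handled through other steps; feed it a real log with `triage(open(path).read())`.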


#5 azstokes

azstokes

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 10 November 2009 - 07:18 PM

There are no listings for IOBIT in the list of installed programs - should I do everything else? Thanks again

#6 azstokes

azstokes

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 10 November 2009 - 07:21 PM

Gotta run and pick up my daughter, be back in 30 mins

#7 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 10 November 2009 - 08:18 PM

Hi, Yes please. Thank you.



#8 azstokes

azstokes

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 10 November 2009 - 09:15 PM

Did as requested with dragging the newly created CFScript onto Combo and got the following error:

PEV.cfxxe has encountered a problem and needs to close. We are sorry for the inconvenience. blah, blah, blah.
Additional info: Error Signature AppName: pev.cfxxe AppVer: 0.0.0.0 ModName: pev.cfxxe ModVer: 0.0.0.0 Offset: 00088763 Exception Information Code 0xc0000417

I closed the error, and then the scan restarted. My desktop background just changed to the "Active Desktop Recovery screen" but the search is still running.

Now I got the following error:

Freeware implementation of REG.EXE has encountered a problem and needs to close. We are sorry ......
Error Signature AppName: swreg.cfxxe AppVer: 3.0.0.0 NodName: oleaut32.dll ModVer: 5.1.2600.3266 Offset 00004b7f Exception Information Code 0xc0000005

I closed the error. Looks like the scan got to "completed stage_50". The computer restarted and after a while it stopped. I then saved the log file to the desktop.

I opened Malwarebytes and completed the update. Ran the quick scan; it found five items, all boxes were checked, and I selected remove. Malwarebytes removed the five items and told me to restart. I just did and now I have the dreaded blue screen. Technical information: *** Stop: 0x0000007B (0XF7996528,0xC0000034,0x00000000,0x00000000)

This is being sent from my neighbour's laptop. I'm glad that I took notes as I was going! HELP - please???

#9 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 10 November 2009 - 09:30 PM

Hi, Please reboot, tap F8 repeatedly upon reboot until a menu option appears, arrow up to "Last Known Good Configuration" > select. Your machine should now reboot normally.



#10 azstokes

azstokes

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 10 November 2009 - 09:38 PM

Still get the blue screen



#11 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 10 November 2009 - 09:45 PM

Hi,

Please do the following:

  • Restart your computer
  • Before Windows loads, you will be prompted to choose which Operating System to start
  • Use the up and down arrow key to select Microsoft Windows Recovery Console
  • You must enter which Windows installation to log onto. Type 1 and press enter.
  • At the C:\Windows prompt, type the following bolded text, and press Enter:

    cd erdnt\subs


  • At the next prompt, type the following bolded text, and press Enter:

    batch erdnt.con

  • The erunt backups will begin copying.
  • At the next prompt, type the following bolded text, and press Enter:

    exit

  • Windows will now begin loading.



#12 azstokes

azstokes

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 10 November 2009 - 09:54 PM

Alright, Windows is now loading. Any advice on what to try next? Thanks again for all of your help on this!

#13 azstokes

azstokes

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 10 November 2009 - 10:00 PM

I don't know if these worked but here is the Log from Combofix:

ComboFix 09-11-09.01 - Compaq_Owner 11/10/2009 21:24.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.525 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\Combo.com
Command switches used :: c:\docume~1\COMPAQ~1\Desktop\CFScript.txt
AV: iolo AntiVirus® *On-access scanning disabled* (Updated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: iolo Personal Firewall® *disabled* {38254411-9AEC-4967-913E-F892C2A4DF89}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\ndis.sys --> c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_fci
-------\Legacy_NPF
-------\Legacy_RKHIT


((((((((((((((((((((((((( Files Created from 2009-10-11 to 2009-11-11 )))))))))))))))))))))))))))))))
.

2009-11-10 11:49 . 2009-11-10 11:49 -------- d-----w- c:\program files\ERUNT
2009-11-10 03:27 . 2009-11-10 03:27 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-11-10 03:27 . 2009-11-10 03:27 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-11-10 03:25 . 2009-11-11 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-11-10 03:25 . 2009-11-10 03:25 -------- d-----w- c:\program files\Kaspersky Lab
2009-11-10 03:21 . 2009-10-20 16:54 75609088 ----a-w- C:\kis.en.msi
2009-11-03 21:12 . 2009-11-03 21:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-11-03 21:12 . 2009-09-10 19:54 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 21:11 . 2009-11-03 21:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-03 21:11 . 2009-09-10 19:53 19160 ------w- c:\windows\system32\drivers\mbam.sys
2009-11-03 17:15 . 2009-11-03 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-03 17:14 . 2009-11-03 17:15 -------- d-----w- c:\program files\MalwarebytesPortable
2009-10-21 01:34 . 2009-10-21 01:34 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe
2009-10-15 02:18 . 2009-10-15 02:18 36880 ----a-w- c:\windows\system32\drivers\klbg.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 15:08 . 2004-08-04 12:00 577536 ------w- c:\windows\system32\user32.dll
2009-11-10 03:20 . 2009-01-29 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-10 03:02 . 2007-04-17 00:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-03 23:52 . 2009-04-23 20:19 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2009-11-03 23:52 . 2009-04-23 21:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 23:52 . 2007-04-13 19:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-03 23:50 . 2007-12-18 04:44 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Tunebite
2009-11-03 23:46 . 2005-05-26 03:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-03 23:41 . 2009-04-06 01:57 305640 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-03 23:36 . 2008-01-05 21:45 -------- d-----w- c:\program files\Spider-Man Photo Lab
2009-11-03 23:36 . 2005-11-06 02:50 -------- d-----w- c:\program files\SlySoft
2009-11-03 23:33 . 2005-11-06 18:03 -------- d-----w- c:\program files\DVD Shrink
2009-11-03 23:30 . 2005-05-26 04:17 -------- d-----w- c:\program files\QuickTime
2009-11-03 23:27 . 2005-05-26 03:54 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-03 23:27 . 2009-03-04 02:11 -------- d-----w- c:\program files\SoundTaxi
2009-11-03 23:24 . 2005-07-24 17:53 101336 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 23:21 . 2005-05-26 04:31 -------- d-----w- c:\program files\Google
2009-11-03 23:21 . 2009-03-06 21:56 -------- d-----w- c:\program files\Error Repair Professional
2009-11-03 23:19 . 2009-03-02 00:15 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-03 23:15 . 2009-03-02 00:15 -------- d-----w- c:\program files\Roxio Creator 2009
2009-11-03 23:15 . 2005-05-26 04:05 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-11-03 23:14 . 2009-03-02 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-11-03 23:09 . 2008-07-16 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\{FBB5C4A9-4848-46A0-8863-C359F08D7728}
2009-11-03 23:07 . 2008-06-11 00:46 -------- d-----w- c:\program files\Supreme Auction 2
2009-11-03 22:59 . 2006-12-25 15:11 -------- d-----w- c:\program files\Apple Software Update
2009-11-03 19:02 . 2009-03-02 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-10-03 00:39 . 2009-10-03 00:39 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2009-09-14 19:42 . 2009-09-14 19:42 32272 ----a-w- c:\windows\system32\drivers\klim5.sys
2009-09-10 00:01 . 2009-09-10 00:01 27675 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-09-01 20:29 . 2009-09-01 20:29 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-10_15.25.36 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-01-27 04:58 . 2009-11-10 15:28 72300 c:\windows\system32\perfc009.dat
+ 2005-01-27 04:58 . 2009-11-11 02:46 72300 c:\windows\system32\perfc009.dat
+ 2005-01-27 04:58 . 2009-11-11 02:46 443604 c:\windows\system32\perfh009.dat
- 2005-01-27 04:58 . 2009-11-10 15:28 443604 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 182912 c:\windows\system32\dllcache\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"EPSON Stylus Photo R320 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 98304]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-21 340456]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-04-12 49152]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck smrgdf c:\documents and settings\Compaq_Owner\Application Data\iolo\

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\ioloAV.exe"=
"c:\\Program Files\\Wirelwss LAN Utility\\tiwlnsvc.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"39658:TCP"= 39658:TCP:*:Disabled:Service
"39674:TCP"= 39674:TCP:*:Disabled:Service

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R0 XPacket;iolo Personal Firewall Driver;c:\windows\system32\xpacket.sys [5/31/2008 8:33 PM 39424]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [5/31/2008 8:34 PM 566120]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [5/31/2008 8:34 PM 566120]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [3/3/2009 8:44 PM 2688]
R3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [9/30/2007 1:34 PM 438912]
S2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" --> c:\program files\ESET\ESET Smart Security\ekrn.exe [?]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [?]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [3/3/2009 9:11 PM 184320]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - mchInjDrv
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://home.netscape.com/home/winsearch200.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
uSearchURL,(Default) = hxxp://keyword.netscape.com/keyword/%s
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\iavlsp.dll
LSP: c:\program files\iolo\Common\Firewall\iFW_Xfilter.dll
Trusted Zone: aol.com\free
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-10 21:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\OLD18.tmp:ext.exe 32256 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4794b132-12ea-4371-ae4c-575eaa5fd580}]
@Denied: (Full) (Everyone)
"Model"=dword:00000070
"Therad"=dword:00000002
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(2028)
c:\windows\system32\iavlsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\hp\KBD\KBD.EXE
.
**************************************************************************
.
Completion time: 2009-11-11 22:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-11 03:00
ComboFix2.txt 2009-11-10 15:37

Pre-Run: 85,049,692,160 bytes free
Post-Run: 85,034,795,008 bytes free

- - End Of File - - 387EF13E7442847D80F77632C143414F



Here is the Log file from MWB:


Malwarebytes' Anti-Malware 1.41
Database version: 3143
Windows 5.1.2600 Service Pack 2

11/10/2009 10:08:57 PM
mbam-log-2009-11-10 (22-08-57).txt

Scan type: Quick Scan
Objects scanned: 120364
Time elapsed: 6 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi (Rootkit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\atapi (Rootkit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\atapi.sys (Rootkit) -> Quarantined and deleted successfully.



I don't know if you still want me to run the Kaspersky on-line check - let me know please

Thanks again!

#14 azstokes

azstokes

    Authentic Member

  • Authentic Member
  • PipPip
  • 21 posts

Posted 10 November 2009 - 10:07 PM

Maybe I should have brought this question up earlier? I don't really care about any of the data on this machine, and would be very happy to do a "destructive recovery" (I think that's what it's called) - but when I tried previously it said I was missing a restore log (something like that) - I also do not have recovery discs (didn't come with the machine - and I never got around to making them - tried lately but the machine was too infected to create them) - would it be easier to fix that issue than the ones that I have at the moment???? Thanks again for all of your help - I gotta get to bed as I have to work in a few hours!

#15 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 11 November 2009 - 07:14 AM

Hi,

It's easier to continue to clean, we're almost there. You may wish to contact Microsoft for a replacement disk, I think the fee is nominal.


Please do the following:

Delete the copy of combofix that you have on your system and download a fresh copy from one of the previous links provided, then do the following:


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::

SecCenter::
{2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
{38254411-9AEC-4967-913E-F892C2A4DF89}

FCopy::
c:\windows\$NtServicePackUninstall$\ndis.sys | c:\windows\system32\dllcache\ndis.sys

ADS::
c:\windows\system32\OLD18.tmp

Folder::
c:\documents and settings\Compaq_Owner\Application Data\iolo
c:\program files\iolo

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\ioloAV.exe"=-

Driver::
XPacket
ioloFileInfoList
ioloSystemService

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Please also run the Kaspersky online scan

Thanks

