
Can't run malawarebytes, adaware, spybot, browsers, safe mode doesn't work


55 replies to this topic

#46 SifuMike


    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 30 October 2009 - 12:25 PM

Hi Mike1911,

Disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

FCopy::
C:\i386\ws2_32.dll | c:\windows\system32\ws2_32.dll
C:\i386\ws2_32.dll | C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll

File::
c:\windows\untpi32.dll
c:\windows\system32\jozoyona.dll
c:\documents and settings\All Users\Application Data\b9d5e\WS9bd.exe

Folder::
c:\documents and settings\My Name\Application Data\Windows System Defender

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows System Defender"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#47 Mike1911

  • Topic Starter

  • Members
  • 39 posts

Posted 30 October 2009 - 12:55 PM

After I have unchecked TeaTimer and OK'd the prompts, should I close Spybot before I drag CFScript.txt into Combo-Fix? Just to be clear, I'm not supposed to run Spybot, just change the described settings?

#48 SifuMike


    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 30 October 2009 - 01:00 PM

Yes, don't run Spybot, just change the setting as I described.

#49 Mike1911

  • Topic Starter

  • Members
  • 39 posts

Posted 30 October 2009 - 01:14 PM

ComboFix 09-10-28.08 - My Name 10/30/2009 14:03.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1447 [GMT -4:00]
Running from: c:\documents and settings\My Name\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\My Name\Desktop\CFScript.txt
AV: Windows System Defender *On-access scanning enabled* (Updated) {A6B3EE51-E906-4C4B-8E2C-7E8CFCDC7A8E}
FW: Windows System Defender *enabled* {E079797E-209A-4592-B213-205C94E82351}

FILE ::
"c:\documents and settings\All Users\Application Data\b9d5e\WS9bd.exe"
"c:\windows\system32\jozoyona.dll"
"c:\windows\untpi32.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\b9d5e\WS9bd.exe
c:\windows\system32\jozoyona.dll
c:\windows\uhixutuxu.dll
c:\windows\untpi32.dll

.
--------------- FCopy ---------------

c:\i386\ws2_32.dll --> c:\windows\system32\ws2_32.dll
c:\i386\ws2_32.dll --> c:\windows\ServicePackFiles\i386\ws2_32.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))
.

2009-10-30 18:03 . 2009-10-30 18:03 -------- d-----w- c:\windows\LastGood.Tmp
2009-10-29 23:29 . 2009-10-29 23:29 -------- d-----w- c:\documents and settings\My Name\Local Settings\Application Data\{1BCD67B5-741C-49E4-8C85-92F7F675C6A2}
2009-10-29 21:43 . 2009-10-29 21:51 -------- d-----w- C:\Combo-Fix
2009-10-29 20:40 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 20:40 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-10-29 16:58 . 2009-10-29 16:58 -------- d-----w- c:\documents and settings\My Name\Local Settings\Application Data\PCHealth
2009-10-28 20:45 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 20:45 . 2009-10-28 20:55 -------- d-----w- c:\program files\aaa
2009-10-28 20:45 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-24 20:35 . 2009-10-24 20:35 -------- d-sh--w- c:\documents and settings\My Name\Application Data\Windows System Defender
2009-10-23 19:34 . 2009-10-30 18:06 -------- d-sh--w- c:\documents and settings\All Users\Application Data\b9d5e
2009-10-23 19:34 . 2009-10-23 19:34 -------- d-sh--w- c:\documents and settings\Spouse Name\Application Data\Windows System Defender
2009-10-23 19:34 . 2009-10-23 19:34 -------- d-sh--w- c:\documents and settings\All Users\Application Data\WSDDSys
2009-10-23 19:28 . 2009-10-30 16:05 120 ----a-w- c:\windows\Vrumoz.dat
2009-10-23 19:28 . 2009-10-30 16:05 0 ----a-w- c:\windows\Cjutamicun.bin
2009-10-23 19:28 . 2009-10-23 19:28 -------- d-----w- c:\documents and settings\Spouse Name\Local Settings\Application Data\{ADD02D3E-9D5C-455A-8DAB-2477A057EE4D}
2009-10-23 19:24 . 2009-10-28 21:03 0 ----a-w- c:\windows\win32k.sys
2009-10-19 00:30 . 2009-10-19 00:30 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-10 18:35 . 2009-10-10 18:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-08 21:24 . 2009-10-08 21:24 -------- d-----w- c:\documents and settings\My Name\Local Settings\Application Data\Identities
2009-10-01 20:45 . 2009-10-01 20:45 -------- d-----w- c:\documents and settings\Spouse Name\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 20:24 . 2009-05-14 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-28 20:52 . 2009-07-18 12:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-23 23:47 . 2007-01-22 19:46 -------- d-----w- c:\program files\Google
2009-10-21 22:26 . 2007-01-22 19:53 81912 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-21 21:37 . 2008-08-14 19:11 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-24 23:49 . 2009-09-24 23:49 -------- d-----w- c:\program files\NVIDIA Corporation
2009-09-24 23:49 . 2009-09-24 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-09-24 23:29 . 2009-09-24 23:29 -------- d-----w- c:\program files\SystemRequirementsLab
2009-09-24 22:47 . 2009-09-24 22:46 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{8C5755B2-1C3C-4AFF-9CFA-062D5D93F717}
2009-09-24 22:47 . 2009-09-24 22:47 -------- d-----w- c:\program files\Maptech
2009-09-24 22:47 . 2009-09-24 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Maptech
2009-09-24 22:43 . 2009-09-24 22:43 -------- d-----w- c:\documents and settings\My Name\Application Data\WinBatch
2009-09-23 12:55 . 2009-07-18 03:51 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-16 23:05 . 2009-09-16 23:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2009-09-11 22:19 . 2008-10-04 03:13 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-09-11 14:18 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 23:55 . 2007-01-22 19:42 -------- d-----w- c:\program files\Common Files\Real
2009-09-10 23:55 . 2009-09-10 23:55 -------- d-----w- c:\program files\Common Files\xing shared
2009-09-10 23:54 . 2009-09-10 23:54 -------- d-----w- c:\program files\real
2009-09-04 21:03 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 09:17 . 2009-07-18 05:07 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-26 08:00 . 2005-08-16 10:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 07:04 . 2009-08-17 07:04 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-08-17 07:04 . 2009-08-17 07:04 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-08-17 07:03 . 2009-08-17 07:03 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-08-17 07:03 . 2009-08-17 07:03 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-08-17 07:03 . 2009-08-17 07:03 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-08-17 07:03 . 2009-08-17 07:03 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-08-17 07:03 . 2009-08-17 07:03 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-08-17 07:03 . 2009-08-17 07:03 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-08-17 07:03 . 2009-08-17 07:03 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-08-17 07:03 . 2009-08-17 07:03 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-08-17 07:03 . 2009-08-17 07:03 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-08-17 07:03 . 2009-08-17 07:03 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-08-17 07:02 . 2009-08-17 07:02 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-08-17 04:57 . 2009-08-17 04:57 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-08-17 04:57 . 2009-08-17 04:57 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-08-17 04:57 . 2009-08-17 04:57 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-08-17 04:57 . 2009-08-17 04:57 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-08-17 04:57 . 2007-01-22 19:25 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-08-17 04:57 . 2007-01-22 19:18 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-08-17 04:57 . 2007-01-22 19:18 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-08-17 04:57 . 2007-01-22 19:18 155648 ----a-w- c:\windows\system32\nvcodins.dll
2009-08-17 04:57 . 2007-01-22 19:18 155648 ----a-w- c:\windows\system32\nvcod.dll
2009-08-17 04:57 . 2005-08-16 10:35 7729568 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-08-17 04:57 . 2005-08-16 10:35 5845760 ----a-w- c:\windows\system32\nv4_disp.dll
2009-08-11 16:35 . 2009-09-24 23:48 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-08-06 23:24 . 2005-08-16 10:40 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2005-08-16 10:40 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2007-01-25 02:10 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2005-08-16 10:40 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2005-08-16 10:40 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2005-08-16 10:18 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2005-08-16 10:40 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2005-08-16 10:40 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2005-08-16 10:18 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 04:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2007-01-28 05:17 . 2007-01-28 05:17 60526 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-01-28 05:17 . 2007-01-28 05:17 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-01-28 05:17 . 2007-01-28 05:17 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[-] 2004-08-10 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2004-08-10 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2004-08-10 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-10-29_20.55.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-30 18:03 . 2004-08-10 11:00 82944 c:\windows\LastGood.Tmp\system32\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-10 198160]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"Bkalaz"="c:\windows\uhixutuxu.dll" [BU]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-27 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.sys

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/17/2009 11:51 PM 64288]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1170768]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/16/2007 11:56 PM 24652]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/24/2009 7:01 PM 133104]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" --> c:\program files\McAfee\SiteAdvisor\McSACore.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - CLASSPNP_2
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 18:05]

2009-10-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2009-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-24 23:00]

2009-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-24 23:00]
.
.
------- Supplementary Scan -------
.
uStart Page = www.row2k.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.starbarsearch.com/?useie5=1&q=
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
FF - ProfilePath - c:\documents and settings\My Name\Application Data\Mozilla\Firefox\Profiles\x9svah1m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.scroogle.org
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {ADD02D3E-9D5C-455A-8DAB-2477A057EE4D} - c:\documents and settings\Spouse Name\Local Settings\Application Data\{ADD02D3E-9D5C-455A-8DAB-2477A057EE4D}
FF - HiddenExtension: XULRunner: {1BCD67B5-741C-49E4-8C85-92F7F675C6A2} - c:\documents and settings\My Name\Local Settings\Application Data\{1BCD67B5-741C-49E4-8C85-92F7F675C6A2}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Windows System Defender - c:\documents and settings\All Users\Application Data\b9d5e\WS9bd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-30 14:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1392)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\imapi.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\eHome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-10-30 14:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-30 18:11
ComboFix2.txt 2009-10-29 23:26
ComboFix3.txt 2009-10-29 21:51
ComboFix4.txt 2009-10-29 20:58

Pre-Run: 257,000,349,696 bytes free
Post-Run: 256,959,868,928 bytes free

- - End Of File - - E301A9C8CC209C189FB2C54BEF41A28E
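As an added example (not from this thread, and not ComboFix's own tooling), here is a small Python triage helper for the two things the Registry:: section of the CFScript above acts on: Run entries in the "Reg Loading Points" part of the log that ComboFix could not annotate with a file date and size (or that start something from a user-data folder), and the LSA "Notification Packages" list decoded from its hex(7) form and compared against the XP default of just "scecli". The sample Run lines and the tampered "badpkg" value are constructed for the example.

```python
import re

# Added example, not code from the thread.  Two checks a helper would run before
# writing a fix script like the CFScript above:
#  1. ComboFix writes each Run entry as  "name"="target" [YYYY-MM-DD size]  when it
#     could read the target file.  Entries without that annotation, or whose target
#     lives under a user-data folder, deserve a second look.
#  2. LSA "Notification Packages" is a REG_MULTI_SZ (hex(7) in a REGEDIT4 export).
#     A default XP workstation lists only "scecli"; every extra name is a DLL that LSA
#     loads and hands password changes to, which is why the script resets the value.

RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*(?P<meta>.*)$')
FILE_META = re.compile(r"\[\d{4}-\d{2}-\d{2} \d+\]")
USER_DATA_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def flag_run_entries(log_text):
    """Return (name, target, reason) for Run entries that look suspicious."""
    flagged = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, Startup-folder lines
        name, target, meta = m.group("name"), m.group("target"), m.group("meta")
        reasons = []
        if not FILE_META.search(meta):
            reasons.append("no file date/size recorded for target")
        if any(d in target.lower() for d in USER_DATA_DIRS):
            reasons.append("autostart target under a user-data folder")
        if reasons:
            flagged.append((name, target, "; ".join(reasons)))
    return flagged


def decode_hex7(reg_value):
    """Decode a REGEDIT4 'hex(7):..' (ANSI REG_MULTI_SZ) value into its strings."""
    hex_bytes = reg_value.split(":", 1)[1].replace("\\", "").replace("\n", "")
    raw = bytes(int(b, 16) for b in hex_bytes.split(",") if b.strip())
    # Each string is NUL-terminated and the list ends with one extra NUL.
    return [s.decode("ascii") for s in raw.split(b"\x00") if s]


def unexpected_notification_packages(reg_value, baseline=("scecli",)):
    """Names in Notification Packages that are not part of the expected baseline."""
    return [p for p in decode_hex7(reg_value) if p.lower() not in baseline]


# Constructed sample modelled on the Reg Loading Points section of the log above.
# The "Windows System Defender" line is made up: the real log lists that entry only
# under ORPHANS REMOVED, so its date/size annotation here is invented.
SAMPLE_RUN_SECTION = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"Bkalaz"="c:\windows\uhixutuxu.dll" [BU]
"Windows System Defender"="c:\documents and settings\All Users\Application Data\b9d5e\WS9bd.exe" [2009-10-23 1204224]
'''

# The clean value from the CFScript, and a constructed tampered one ("badpkg" is a
# placeholder name, not anything the thread identifies).
CLEAN_PACKAGES = "hex(7):73,63,65,63,6c,69,00,00"
TAMPERED_PACKAGES = "hex(7):73,63,65,63,6c,69,00,62,61,64,70,6b,67,00,00"

if __name__ == "__main__":
    for name, target, why in flag_run_entries(SAMPLE_RUN_SECTION):
        print(f"{name}: {target}\n    -> {why}")
    print("packages:", decode_hex7(TAMPERED_PACKAGES))
    print("unexpected:", unexpected_notification_packages(TAMPERED_PACKAGES))
```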

#50 Mike1911

  • Topic Starter

  • Members
  • 39 posts

Posted 30 October 2009 - 02:07 PM

Mike, don't be mad. I know it's bad when I start a sentence that way, but I was replacing my real name with "My Name" so that my name does not appear on a message board. I saw that it was cited in the script that you wrote for ComboFix. I am guessing that it probably won't work right since that is not the real name of the user. I'm really sorry.

#51 SifuMike


    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 30 October 2009 - 02:20 PM

:( You are wasting my time!

The fixes will work if you replace your name with "My Name".

No wonder you are still infected!

If you don't want your name to appear on a message board, then you should not post to a forum!

If you want help then you must not edit your log and change your name.

Let me know your decision.

If I don't hear from you in a day I will close this thread.

Edited by SifuMike, 30 October 2009 - 02:36 PM.


#52 Mike1911

  • Topic Starter

  • Members
  • 39 posts

Posted 30 October 2009 - 02:36 PM

I would like help. Getting infected in the first place was what brought on this level of caution. It seems counter intuitive to post my name on the internet. I will not edit my log and change my name.

#53 SifuMike


    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 30 October 2009 - 02:43 PM

Because you were editing files, we have to start over.

You have wasted about three hours of my time! :(

Run Combofix and post the log.

If you find you have edited out your name I will close this thread.

#54 Mike1911

  • Topic Starter

  • Members
  • 39 posts

Posted 30 October 2009 - 03:31 PM

Sorry, I just do not feel comfortable with my name appearing on the forum.

I really do appreciate your help though, and I am sorry for frustrating you.

I donated more than I make in 3 hours to your paypal account, I hope that is fair.

Thanks for the help you provided so far.

#55 SifuMike


    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 30 October 2009 - 04:01 PM

You're welcome.
Thanks for the donation.

#56 SifuMike


    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 19 November 2009 - 11:15 PM

Since your problem appears to be resolved, this thread will now be closed.
If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



