Please help me, Got some Vundo


This topic is locked
7 replies to this topic

#1 Bonaojnfr525

  • Members
  • 4 posts

Posted 06 February 2009 - 09:58 PM

OK, so I just got a new laptop (two days ago) and I made the mistake of not installing an antivirus before going on the internet. I was trying to do the Windows update, but when I went online I got a trojan. How, I don't know.
So when I tried some of the processes listed in here that it would say to remove, especially Malwarebytes: it would show about 31 and would remove all but one, which was a memory module that was infected: C:\Windows\System32\nnnlMEUL.dll (Trojan.Vundo.H).
Because of this Malwarebytes needed to restart in order to delete the trojan on reboot, but every time I would do this, what would occur is that my Windows in normal mode would show an alert saying that I had done something unauthorized to Windows and would then log me off. But it was OK because I would just go into Safe Mode, go to the early System Restore point (which still had the virus) but which would at least let me log into Windows and take notes (but not open IE or Mozilla). I kept trying different things in Safe Mode and if anything failed I would just restore back.

But today while reading instructions someone recommended turning System Restore off since the viruses can sometimes jump back, and I did; I tried Malwarebytes again and the same Windows error occurs, except now I cannot restore back because in Safe Mode I cannot turn System Restore back on. So the only way my PC is working right now is in Safe Mode.

When I cannot solve a virus on my desktop I usually just reinstall XP. But I got my laptop two days ago and I did not order it with a DVD/CD drive, so I cannot reinstall Vista. Last time I tried reinstalling Vista on this PC the hard drive got corrupted and the manufacturer repaired it, so I got it back from them two days ago.

Sorry for so much description; I just wanted the problem to be understood.
----------------

==== Installed Programs ======================


Agere Systems HDA Modem
ArtRage 2.1
AuthenTec Fingerprint System
Broadcom 802.11 Wireless LAN Adapter
BumpTop
Digsby
Dropbox
ESU for Microsoft Vista SP1
HP 3D DriveGuard
HP Broadband Wireless Modules
HP MULTIPLE MODEM INSTALLER for VISTA
HP Quick Launch Buttons 6.40 G3
Intel® Graphics Media Accelerator Driver
Intel® Management Engine Interface
Intel® Network Connections Drivers
Intel® Active Management Technology
Intel® Matrix Storage Manager
InterVideo DVD Check
InterVideo Register Manager
InterVideo WinDVD
Kaspersky Internet Security 2009
Malwarebytes' Anti-Malware
Microsoft Office OneNote 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.6)
RICOH R5C853 Media Driver Ver.1.02.00.09
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Business
Roxio Creator Business v10
Roxio Creator Copy
Roxio Creator Data
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD
SCR3xxx Smart Card Reader
Sonic CinePlayer Decoder Pack
SoundMAX
Synaptics Pointing Device Driver
Tablet
VLC media player 0.9.8a
WinRAR archiver

==== End Of File ===========================

DDS (Ver_09-02-01.01) - NTFSx86 NETWORK
Run by Admin at 21:46:07.60 on Fri 02/06/2009
Internet Explorer: 7.0.6001.18000

============== Pseudo HJT Report ===============

BHO: c:\windows\system32\hsfd83jfdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} -
BHO: {c81ddf74-549a-41bb-8c5b-9484369acb11} - c:\windows\system32\nnnlMEUL.dll
TB: BumpTop Explorer Bar: {32ca105a-bd6c-4afc-b4d9-346262e9f483} - c:\program files\bumptop\BTShExt.dll
uRun: [jsf8uiw3jnjgffght] c:\users\admin\appdata\local\temp\winlognn.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\soundmax.exe /tray
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [jsf8uiw3jnjgffght] c:\users\admin\appdata\local\temp\winlognn.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {A573D71B-951B-4BAD-B8CC-708AE84769C9} - {32CA105A-BD6C-4AFC-B4D9-346262E9F483} - c:\program files\bumptop\BTShExt.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: xqrpslzb - xqrpslzb.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\nnnlMEUL

================= FIREFOX ===================

FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\ps6zbwt7.default\
FF - HiddenExtension: XUL Cache: {750572D0-4EE5-4E2D-BD46-C2681DE1A857} - c:\users\admin\appdata\local\{750572D0-4EE5-4E2D-BD46-C2681DE1A857}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-02-06 15:36 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-06 05:41 <DIR> --d----- C:\ComboFix
2009-02-05 21:46 <DIR> --d----- c:\program files\Enigma Software Group
2009-02-05 20:16 <DIR> --d----- C:\Malwarebytes' Anti-Malware
2009-02-05 14:47 <DIR> --d----- C:\VundoFix Backups
2009-02-05 07:00 84,992 a------- C:\foqt.exe
2009-02-05 06:42 <DIR> --d----- c:\windows\system32\appmgmt
2009-02-04 23:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware(7)
2009-02-04 23:51 <DIR> --d----- c:\programdata\Digsby
2009-02-04 23:51 <DIR> --d----- c:\progra~2\Digsby
2009-02-04 23:42 <DIR> --d----- c:\programdata\Office Genuine Advantage
2009-02-04 23:17 <DIR> --d----- c:\program files\PDF Annotator
2009-02-04 23:16 <DIR> --d----- c:\users\admin\appdata\roaming\Thinstall
2009-02-04 23:07 <DIR> --d----- c:\programdata\Windows Genuine Advantage
2009-02-04 22:22 <DIR> --d----- c:\users\admin\appdata\roaming\Bump Technologies, Inc
2009-02-04 22:22 <DIR> --d----- c:\program files\BumpTop
2009-02-04 22:04 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-02-04 22:04 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-02-04 22:03 1,161,248 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-02-04 22:03 262,176 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-02-04 22:03 11,200 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-02-04 22:03 1,976 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-02-04 21:49 <DIR> --d----- c:\users\admin\appdata\roaming\Dropbox
2009-02-04 21:49 <DIR> --d----- c:\program files\Dropbox
2009-02-04 21:48 <DIR> --d----- c:\users\admin\appdata\roaming\Ambient Design
2009-02-04 21:46 <DIR> --d----- c:\program files\Ambient Design
2009-02-04 21:45 <DIR> --d----- c:\users\admin\appdata\roaming\Digsby
2009-02-04 21:44 <DIR> --d----- c:\program files\VideoLAN
2009-02-04 21:44 <DIR> --d----- c:\program files\Digsby
2009-02-04 21:31 <DIR> --d----- c:\users\admin\appdata\roaming\Malwarebytes
2009-02-04 21:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-04 21:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-04 21:31 <DIR> --d----- c:\programdata\Malwarebytes
2009-02-04 21:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-04 21:31 <DIR> --d----- c:\progra~2\Malwarebytes
2009-02-04 21:23 336,384 a------- c:\windows\system32\CF30358.exe
2009-02-04 21:22 336,384 a------- c:\windows\system32\CF30185.exe
2009-02-04 21:21 336,384 a------- c:\windows\system32\CF30100.exe
2009-02-04 21:10 437,264 a--sh--- c:\windows\system32\vuDegMoq.ini
2009-02-04 21:10 372 a--sh--- c:\windows\system32\vuDegMoq.ini2
2009-02-04 21:05 50,176 a------- c:\windows\system32\khfDvvVN.dll
2009-02-04 21:05 16,896 a------- c:\windows\system32\xqrpslzb32.dll
2009-02-04 21:05 16,896 a------- c:\windows\system32\xqrpslzb.dll
2009-02-04 20:55 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-04 20:53 <DIR> --d----- c:\programdata\avg8
2009-02-04 20:53 <DIR> --d----- c:\program files\AVG
2009-02-04 20:53 <DIR> --d----- c:\progra~2\avg8
2009-02-04 20:38 <DIR> --d-h--- C:\ckis
2009-02-04 20:36 28,672 a------- c:\users\admin\ieframes.dll
2009-02-04 20:36 50,176 a------- c:\windows\system32\cbxwWppp.dll
2009-02-04 20:05 15,000 a------- c:\windows\system32\hs78k4rgf4d.dll
2009-02-04 20:02 <DIR> --d----- c:\program files\Kaspersky Lab
2009-02-04 20:02 <DIR> --d----- c:\programdata\Kaspersky Lab
2009-02-04 20:02 <DIR> --d----- c:\progra~2\Kaspersky Lab
2009-02-04 20:01 <DIR> --d----- c:\programdata\Kaspersky Lab Setup Files
2009-02-04 20:01 <DIR> --d----- c:\progra~2\Kaspersky Lab Setup Files
2009-02-04 19:58 32,592 a------- c:\windows\system32\msonpmon.dll
2009-02-04 19:58 <DIR> --d----- c:\windows\PCHEALTH
2009-02-04 19:56 <DIR> --d----- c:\programdata\Microsoft Help
2009-02-04 19:42 1,536,827 a--sh--- c:\windows\system32\sjijelpy.ini
2009-02-04 19:41 437,627 a--sh--- c:\windows\system32\iOqrsCcf.ini2
2009-02-04 19:41 437,627 a--sh--- c:\windows\system32\iOqrsCcf.ini
2009-02-04 19:36 46,080 a------- C:\otdfi.exe
2009-02-04 19:36 22,016 a------- C:\bkha.exe
2009-02-04 19:36 40,448 a------- C:\asyoclq.exe
2009-02-04 19:36 22,016 a------- C:\elmumyh.exe
2009-02-04 19:36 2 a------- C:\-2145232569
2009-02-04 19:36 62,976 a------- C:\ptooigas.exe
2009-02-04 19:36 <DIR> --d----- c:\windows\system32\x13
2009-02-04 19:36 <DIR> --d----- c:\windows\system32\tov02
2009-02-04 19:36 <DIR> --d----- c:\temp\sTMP3
2009-02-04 19:36 <DIR> --d----- C:\Temp
2009-02-04 19:27 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-02-04 19:26 83,456 a------- c:\windows\system32\wudriver.dll
2009-02-04 19:26 162,064 a------- c:\windows\system32\wuwebv.dll
2009-02-04 19:26 48,640 a------- c:\windows\system32\wuapp.exe

==================== Find3M ====================

2009-02-06 14:47 21,504 a------- c:\windows\system32\svchost.exe
2009-02-05 15:25 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-02-04 22:04 143,360 a------- c:\windows\inf\infstrng.dat
2009-02-04 22:04 86,016 a------- c:\windows\inf\infstor.dat
2009-02-04 22:04 51,200 a------- c:\windows\inf\infpub.dat
2008-12-03 18:17 665,600 a------- c:\windows\inf\drvindex.dat
2008-12-03 16:54 3,481,600 a------- c:\windows\system32\bcmihvsrv.dll
2008-12-03 16:54 3,141,632 a------- c:\windows\system32\bcmihvui.dll
2008-12-03 16:54 87,328 a------- c:\windows\system32\bcmwlcoi.dll
2008-11-11 20:00 218,376 a------- c:\windows\system32\klogon.dll
2008-01-20 20:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 21:46:37.63 ===============

Please help me, thank you.
bonajnfr
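The "Pseudo HJT Report" section of that DDS log is where the infection shows itself, and it is worth reading the lines rather than the Malwarebytes count: two BHOs registered without a friendly name (one with the DLL path sitting in the name slot and nothing after the dash), the same randomly named autostart `jsf8uiw3jnjgffght` in both the HKCU and HKLM Run keys launching `winlognn.exe` from the user's Temp folder, UAC switched off (`EnableLUA = 0`) together with `DisableRegistryTools = 1` and `NoFolderOptions = 1`, a Winlogon Notify package called `xqrpslzb`, and `nnnlMEUL` wired in twice, as a BHO and as an LSA authentication package. An LSA authentication package is loaded into lsass.exe early in boot and cannot be unloaded while Windows is running, which is the classic reason a Vundo DLL survives an on-reboot delete.

As an added example (not part of this thread, and not code from DDS, HijackThis or any of the fix tools the helpers prescribe), the Python script below parses pseudo-HJT lines and flags exactly those indicators. The sample report is constructed from the lines quoted in the post; the gibberish-name heuristic and the severity labels are the editor's own, and the heuristic is deliberately conservative because legitimate drivers also have vowel-less names, which is why Kaspersky's AppInit_DLLs hooks and `klogon.dll` are included as cases that must not fire.

```python
"""Triage a DDS 'Pseudo HJT Report' for Vundo-style persistence.
Added example for this thread, not code from DDS, HijackThis or the fix tools.
SAMPLE_REPORT is constructed from lines quoted in the first post; the heuristics
are the editor's own and do produce false positives, so treat hits as a worklist."""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""
BHO: c:\windows\system32\hsfd83jfdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} -
BHO: {c81ddf74-549a-41bb-8c5b-9484369acb11} - c:\windows\system32\nnnlMEUL.dll
uRun: [jsf8uiw3jnjgffght] c:\users\admin\appdata\local\temp\winlognn.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [jsf8uiw3jnjgffght] c:\users\admin\appdata\local\temp\winlognn.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
Notify: klogon - c:\windows\system32\klogon.dll
Notify: xqrpslzb - xqrpslzb.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\nnnlMEUL
"""

VOWELS = set("aeiouy")
DEFAULT_LSA_PACKAGES = {"msv1_0"}  # Vista's only default authentication package
TAMPERED_POLICIES = {"enablelua": "0",             # UAC switched off
                     "disableregistrytools": "1",  # regedit blocked
                     "nofolderoptions": "1"}       # hidden files stay hidden

def stem(path):
    """Lower-cased file name without directory, quotes or extension."""
    name = path.strip().strip('"').rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower() if "." in name else name.lower()

def looks_random(name):
    """8+ chars with no vowel (xqrpslzb), or 10+ chars with digits between letters
    (hsfd83jfdg). Shorter vowel-less names (hkcmd, Kaspersky's mzvkbd3) are not flagged."""
    name = name.lower()
    return len(name) >= 8 and (not VOWELS & set(name) or
                               len(name) >= 10 and bool(re.search(r"[a-z]\d+[a-z]", name)))

def analyze(report):
    """Return (severity, reason, evidence) findings for one pseudo-HJT report."""
    findings, run_names, dll_hooks = [], defaultdict(set), defaultdict(set)
    def flag(sev, reason, evidence):
        findings.append((sev, reason, evidence))
    for line in (raw.strip() for raw in report.splitlines() if ":" in raw):
        kind, rest = (s.strip() for s in line.split(":", 1))
        if kind in ("BHO", "TB"):
            # DDS prints 'Name: {CLSID} - file'; Vundo entries lack the name, and one
            # here has the DLL in the name slot with nothing after the dash.
            m = re.match(r"(?:(.*?):\s*)?(\{[0-9a-f-]{36}\})\s*-\s*(.*)$", rest, re.I)
            if not m:
                continue
            name, _clsid, path = m.groups()
            if name and not path and name.lower().endswith(".dll"):
                name, path = None, name
            if path:
                dll_hooks[stem(path)].add(kind)
                if looks_random(stem(path)):
                    flag("medium", f"{kind} DLL has a random-looking name", line)
            if not name or not path:
                flag("medium", f"{kind} registered without a friendly name or file", line)
        elif kind.endswith(("Run", "RunOnce")):
            m = re.match(r'\[(.*?)\]\s*"?(.*?\.(?:exe|dll|com|scr|bat|cmd))\b', rest, re.I)
            if not m:
                continue
            name, exe = m.groups()
            run_names[name.lower()].add(kind)
            if "\\temp\\" in exe.lower():
                flag("high", "autostart launched from a Temp directory", line)
            if looks_random(name) or looks_random(stem(exe)):
                flag("medium", "autostart with a random-looking name", line)
        elif "Policies-" in kind:
            m = re.match(r"(\w+)\s*=\s*(\d+)", rest)
            if m and TAMPERED_POLICIES.get(m.group(1).lower()) == m.group(2):
                flag("high", f"security policy tampered: {m.group(1)}", line)
        elif kind in ("Notify", "AppInit_DLLs"):
            for dll in (rest.split("-", 1)[-1] if kind == "Notify" else rest).split(","):
                dll_hooks[stem(dll)].add(kind)
                if looks_random(stem(dll)):
                    flag("high", f"{kind} DLL with a random-looking name", line)
        elif kind == "LSA" and rest.lower().startswith("authentication packages"):
            for pkg in rest.split("=", 1)[1].split():
                dll_hooks[stem(pkg)].add(kind)
                if stem(pkg) not in DEFAULT_LSA_PACKAGES:
                    flag("high", f"non-default LSA authentication package: {pkg}", line)
    # Cross-line correlation: one value in both HKCU and HKLM Run, and one DLL
    # wired into several load points (here nnnlMEUL is a BHO and an LSA package).
    for name, kinds in run_names.items():
        if {"uRun", "mRun"} <= kinds:
            flag("medium", "same autostart in both HKCU and HKLM Run", name)
    for s, kinds in dll_hooks.items():
        if len(kinds) > 1:
            flag("high", f"one DLL at several load points: {', '.join(sorted(kinds))}", s)
    return findings

if __name__ == "__main__":
    print(*analyze(SAMPLE_REPORT), sep="\n")
```

Run it as-is to see the findings for the sample, or paste any pseudo-HJT block into `analyze()`. The structural signals are the ones to trust: a non-default LSA package, one DLL at two load points, an autostart from Temp, and policy tampering that hides the registry and hidden files from the user. The gibberish-name test only orders the worklist; on this sample it scores 8 high and 6 medium findings and stays silent on the Kaspersky and Intel entries.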

#2 jpshortstuff

    WhatTheTech Teacher

  • Members
  • 660 posts
  • Gender:Male
  • Location:UK

Posted 07 February 2009 - 05:51 PM

Hi

Please download GooredFix and save it to your Desktop.
  • Right-click GooredFix.exe on your Desktop and select Run As Administrator... to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.


Download ComboFix by sUBs from here or here

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

**Save it to your desktop**

We need to disable one or more of your security programs so that they do not interfere with ComboFix.

Please disable Kaspersky Internet Security via its system tray icon.

Right-click on ComboFix.exe, select Run As Administrator... and follow the prompts. If you are prompted to install the Recovery Console, I recommend you go ahead and hit Yes.
When finished, it shall produce a log for you. Please save that log to post in your next reply, along with a fresh HJT log.

Notes:
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
  • ComboFix disconnects your machine from the internet when it runs. This connection should be automatically restored when ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Thanks.

#3 Bonaojnfr525

  • Topic Starter
  • Members
  • 4 posts

Posted 08 February 2009 - 10:31 AM

Thanks for replying, here are the logs. Also, is there any way to turn System Restore on in Safe Mode?

GooredFix v1.83 by jpshortstuff
Log created at 01:10 on 08/02/2009 running Option #2 (Admin)
Firefox version 3.0.6 (en-US)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{750572D0-4EE5-4E2D-BD46-C2681DE1A857}"="C:\Users\Admin\AppData\Local\{750572D0-4EE5-4E2D-BD46-C2681DE1A857}" (Folder Missing)

ComboFix 09-02-07.01 - Admin 2009-02-08 10:20:22.1 - NTFSx86 NETWORK
Running from: c:\users\Admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hs78k4rgf4d.dll
c:\windows\system32\iOqrsCcf.ini
c:\windows\System32\iOqrsCcf.ini2
c:\windows\system32\sjijelpy.ini
c:\windows\system32\vuDegMoq.ini
c:\windows\system32\vuDegMoq.ini2
c:\windows\system32\x13
c:\windows\system32\x13\VE2PIX5.exe
c:\windows\system32\xqrpslzb.dll
c:\windows\system32\xqrpslzb32.dll
c:\windows\Tasks\pipdxijc.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TCPSR


((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2009-02-08 01:26 . 2009-02-08 01:26 <DIR> d-------- c:\users\Admin\Tracing
2009-02-08 01:25 . 2009-02-08 01:25 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-02-08 01:25 . 2009-02-08 01:25 <DIR> d-------- c:\program files\Windows Live
2009-02-08 01:25 . 2009-02-08 01:25 <DIR> d-------- c:\program files\Microsoft
2009-02-08 01:23 . 2009-02-08 01:23 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-02-08 00:53 . 2009-02-08 00:53 <DIR> d-------- c:\windows\System32\Macromed
2009-02-07 17:18 . 2009-02-07 17:18 <DIR> d-------- c:\program files\Opera
2009-02-07 16:59 . 2009-02-07 16:59 <DIR> d-------- c:\windows\LastGood.Tmp
2009-02-07 12:18 . 2009-02-07 16:17 <DIR> d----c--- c:\windows\System32\DRVSTORE
2009-02-07 12:14 . 2009-02-07 16:17 <DIR> d-------- c:\users\All Users\Lavasoft
2009-02-07 12:14 . 2009-02-07 16:17 <DIR> d-------- c:\programdata\Lavasoft
2009-02-07 12:14 . 2009-02-07 16:17 <DIR> d-------- c:\program files\Lavasoft
2009-02-07 11:48 . 2009-02-07 11:48 7,680 --a------ c:\windows\System32\drivers\RKL4A48.tmp.sys
2009-02-07 11:31 . 2009-02-07 11:31 66 --a------ c:\windows\wininit.ini
2009-02-06 22:00 . 2009-02-06 22:01 1,905 --a------ c:\windows\diagwrn.xml
2009-02-06 22:00 . 2009-02-06 22:01 1,905 --a------ c:\windows\diagerr.xml
2009-02-06 15:36 . 2009-02-06 15:36 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-05 21:59 . 2009-02-05 21:59 <DIR> d-------- c:\program files\Alwil Software
2009-02-05 21:46 . 2009-02-05 21:46 <DIR> d-------- c:\program files\Enigma Software Group
2009-02-05 20:16 . 2009-02-05 20:29 <DIR> d-------- C:\Malwarebytes' Anti-Malware
2009-02-05 14:47 . 2009-02-05 14:47 <DIR> d-------- C:\VundoFix Backups
2009-02-05 07:00 . 2009-02-05 07:00 84,992 --a------ C:\foqt.exe
2009-02-04 23:59 . 2009-02-04 23:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware(7)
2009-02-04 23:51 . 2009-02-04 23:51 <DIR> d-------- c:\users\All Users\Digsby
2009-02-04 23:51 . 2009-02-04 23:51 <DIR> d-------- c:\programdata\Digsby
2009-02-04 23:42 . 2009-02-04 23:42 <DIR> d-------- c:\users\All Users\Office Genuine Advantage
2009-02-04 23:42 . 2009-02-04 23:42 <DIR> d-------- c:\programdata\Office Genuine Advantage
2009-02-04 23:17 . 2009-02-07 16:49 <DIR> d-------- c:\program files\PDF Annotator
2009-02-04 23:16 . 2009-02-04 23:16 <DIR> d-------- c:\users\Admin\AppData\Roaming\Thinstall
2009-02-04 23:07 . 2009-02-04 23:07 <DIR> d-------- c:\users\All Users\Windows Genuine Advantage
2009-02-04 22:22 . 2009-02-04 22:22 <DIR> d-------- c:\users\Admin\AppData\Roaming\Bump Technologies, Inc
2009-02-04 22:03 . 2009-02-06 20:53 1,161,248 --ahs---- c:\windows\System32\drivers\fidbox.dat
2009-02-04 22:03 . 2009-02-06 20:53 262,176 --ahs---- c:\windows\System32\drivers\fidbox2.dat
2009-02-04 22:03 . 2009-02-06 20:53 11,200 --ahs---- c:\windows\System32\drivers\fidbox.idx
2009-02-04 22:03 . 2009-02-06 20:53 1,976 --ahs---- c:\windows\System32\drivers\fidbox2.idx
2009-02-04 21:49 . 2009-02-08 00:46 <DIR> d-------- c:\users\Admin\AppData\Roaming\Dropbox
2009-02-04 21:49 . 2009-02-07 15:58 <DIR> d-------- c:\program files\Dropbox
2009-02-04 21:48 . 2009-02-04 21:48 <DIR> d-------- c:\users\Admin\AppData\Roaming\Ambient Design
2009-02-04 21:46 . 2009-02-04 21:46 <DIR> d-------- c:\program files\Ambient Design
2009-02-04 21:45 . 2009-02-04 23:51 <DIR> d-------- c:\users\Admin\AppData\Roaming\Digsby
2009-02-04 21:44 . 2009-02-04 21:44 <DIR> d-------- c:\program files\VideoLAN
2009-02-04 21:44 . 2009-02-04 21:44 <DIR> d-------- c:\program files\Digsby
2009-02-04 21:31 . 2009-02-04 21:31 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-04 21:31 . 2009-02-04 21:31 <DIR> d-------- c:\users\Admin\AppData\Roaming\Malwarebytes
2009-02-04 21:31 . 2009-02-04 21:31 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-04 21:31 . 2009-02-05 20:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-04 21:31 . 2009-01-14 16:11 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-04 21:31 . 2009-01-14 16:11 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-02-04 21:27 . 2009-02-04 21:27 0 --a------ c:\windows\nsreg.dat
2009-02-04 21:05 . 2009-02-04 21:05 50,176 --a------ c:\windows\System32\khfDvvVN.dll
2009-02-04 20:55 . 2009-02-04 21:00 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-04 20:53 . 2009-02-04 21:01 <DIR> d-------- c:\users\All Users\avg8
2009-02-04 20:53 . 2009-02-04 21:01 <DIR> d-------- c:\programdata\avg8
2009-02-04 20:53 . 2009-02-04 20:53 <DIR> d-------- c:\program files\AVG
2009-02-04 20:38 . 2008-02-07 17:10 <DIR> d--h----- C:\ckis
2009-02-04 20:36 . 2009-02-04 20:36 50,176 --a------ c:\windows\System32\cbxwWppp.dll
2009-02-04 20:36 . 2009-02-05 06:59 28,672 --a------ c:\users\Admin\ieframes.dll
2009-02-04 20:02 . 2009-02-05 06:55 <DIR> d-------- c:\program files\Kaspersky Lab
2009-02-04 20:01 . 2009-02-04 20:04 <DIR> d-------- c:\users\All Users\Kaspersky Lab Setup Files
2009-02-04 20:01 . 2009-02-04 20:04 <DIR> d-------- c:\programdata\Kaspersky Lab Setup Files
2009-02-04 19:58 . 2009-02-04 19:58 <DIR> d-------- c:\windows\PCHEALTH
2009-02-04 19:58 . 2009-02-04 19:58 <DIR> d-------- c:\program files\Microsoft.NET
2009-02-04 19:58 . 2009-02-04 19:58 <DIR> d-------- c:\program files\Microsoft Works
2009-02-04 19:58 . 2006-10-26 19:56 32,592 --a------ c:\windows\System32\msonpmon.dll
2009-02-04 19:56 . 2009-02-04 19:58 <DIR> d-------- c:\users\All Users\Microsoft Help
2009-02-04 19:56 . 2009-02-04 19:58 <DIR> d-------- c:\programdata\Microsoft Help
2009-02-04 19:55 . 2009-02-04 19:55 <DIR> dr-h----- C:\MSOCache
2009-02-04 19:36 . 2009-02-06 11:32 <DIR> d-------- c:\windows\System32\tov02
2009-02-04 19:36 . 2009-02-04 19:36 <DIR> d-------- c:\temp\sTMP3
2009-02-04 19:36 . 2009-02-05 22:50 <DIR> d-------- C:\Temp
2009-02-04 19:36 . 2009-02-05 07:00 62,976 --a------ C:\ptooigas.exe
2009-02-04 19:36 . 2009-02-05 07:00 46,080 --a------ C:\otdfi.exe
2009-02-04 19:36 . 2009-02-05 07:00 40,448 --a------ C:\asyoclq.exe
2009-02-04 19:36 . 2009-02-05 07:00 22,016 --a------ C:\elmumyh.exe
2009-02-04 19:36 . 2009-02-05 07:00 22,016 --a------ C:\bkha.exe
2009-02-04 19:36 . 2009-02-05 07:00 2 --a------ C:\-2145232569
2009-02-04 19:27 . 2008-10-16 15:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2009-02-04 19:27 . 2008-10-16 14:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2009-02-04 19:27 . 2008-10-16 15:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2009-02-04 19:27 . 2008-10-16 15:09 43,544 --a------ c:\windows\System32\wups2.dll
2009-02-04 19:26 . 2008-10-16 15:12 561,688 --a------ c:\windows\System32\wuapi.dll
2009-02-04 19:26 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2009-02-04 19:26 . 2008-10-16 14:55 83,456 --a------ c:\windows\System32\wudriver.dll
2009-02-04 19:26 . 2008-10-16 13:56 48,640 --a------ c:\windows\System32\wuapp.exe
2009-02-04 19:26 . 2008-10-16 15:08 34,328 --a------ c:\windows\System32\wups.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-07 22:59 --------- d-----w c:\programdata\SonicFocus
2009-02-07 22:59 --------- d-----w c:\program files\Hewlett-Packard
2009-02-07 22:59 --------- d-----w c:\program files\Analog Devices
2009-02-07 22:01 --------- d-----w c:\users\Admin\AppData\Roaming\WTablet
2009-02-06 17:33 --------- d-----w c:\program files\Windows Mail
2009-02-06 17:33 --------- d-----w c:\program files\Windows Journal
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

------- Sigcheck -------

2008-01-20 20:24 2944512 5cd6f8d59153af4ee12dc5654cb79af1 c:\windows\explorer.exe
2008-10-29 00:20 2940928 4dffc97a79496a3d9e8a2dd540c668f4 c:\windows\SoftwareDistribution\Download\7061d8bdfc6a60f6588941d7a2c304c7\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
2008-10-27 20:15 2940928 93140d4ebb0de66c0275c87e370de6c8 c:\windows\SoftwareDistribution\Download\7061d8bdfc6a60f6588941d7a2c304c7\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
2008-10-29 00:29 2944512 a42b9071dd7a16e56eb7f74358084bf5 c:\windows\SoftwareDistribution\Download\7061d8bdfc6a60f6588941d7a2c304c7\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
2008-10-29 21:59 2945024 28512350343270fa6b68e201ce489f49 c:\windows\SoftwareDistribution\Download\7061d8bdfc6a60f6588941d7a2c304c7\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
2008-01-20 20:24 2944512 5cd6f8d59153af4ee12dc5654cb79af1 c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

2006-11-02 03:45 26112 e5684e07bf78512d833436b8aa1d1bae c:\windows\System32\ctfmon.exe
2006-11-02 03:45 26112 e5684e07bf78512d833436b8aa1d1bae c:\windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.0.6000.16386_none_9af9cad793a67953\ctfmon.exe

2008-01-20 20:25 143360 cbc7a6d35f67c0419dde949af1e4fe24 c:\windows\System32\spoolsv.exe
2008-01-20 20:25 143360 cbc7a6d35f67c0419dde949af1e4fe24 c:\windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6001.18000_none_d64ba321c188c516\spoolsv.exe

2008-01-20 20:25 42496 16877b4975c576aef781b73c648c40c3 c:\windows\System32\userinit.exe
2008-01-20 20:25 42496 16877b4975c576aef781b73c648c40c3 c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-02 3882312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-20 1316136]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-20 178712]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-07-11 181552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-15 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-15 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-15 145944]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-06-02 367128]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2008-05-23 197904]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-07-08 1331200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-01-14 1293968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1609274603-2870970682-3683536806-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B4E50849-2E85-41E9-8473-AD3BEDD79EF4}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{59D3A18D-61DB-4A5A-8454-DE594EB72E5F}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Users\\Admin\\AppData\\Local\\Temp\\BNDE4E.tmp"= c:\users\Admin\AppData\Local\Temp\BNDE4E.tmp:*:Enabled:EMOTIONS_EXECUTABLE
"c:\\Users\\Admin\\AppData\\Local\\Temp\\BN2443.tmp"= c:\users\Admin\AppData\Local\Temp\BN2443.tmp:*:Enabled:EMOTIONS_EXECUTABLE
"c:\\Users\\Admin\\AppData\\Local\\Temp\\BN8556.tmp"= c:\users\Admin\AppData\Local\Temp\BN8556.tmp:*:Enabled:EMOTIONS_EXECUTABLE
"c:\\Users\\Admin\\AppData\\Local\\Temp\\BN141D.tmp"= c:\users\Admin\AppData\Local\Temp\BN141D.tmp:*:Enabled:EMOTIONS_EXECUTABLE
"c:\\Windows\\system32\\wininit.exe"= c:\windows\system32\wininit.exe:*:enabled:@shell32.dll,-1

R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2008-06-12 1164536]
R2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2008-04-07 24936]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 292384]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-05-27 1357608]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2008-06-02 2058776]
R3 AntiAries;Anti Aries Helper Driver;c:\windows\System32\drivers\RKL4A48.tmp.sys [2009-02-07 7680]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2008-06-12 477696]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-08 1112560]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-03-27 224384]
S3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752]
S3 WISDPen;Wacom Penabled MiniDriver;c:\windows\system32\DRIVERS\wisdpen.sys [2008-03-27 30888]


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - Beep
*Deregistered* - bowser
*Deregistered* - CLFS
*Deregistered* - Compbatt
*Deregistered* - crcdisk
*Deregistered* - CSC
*Deregistered* - DfsC
*Deregistered* - Ecache
*Deregistered* - FileInfo
*Deregistered* - FltMgr
*Deregistered* - iScsiPrt
*Deregistered* - KSecDD
*Deregistered* - MountMgr
*Deregistered* - mpsdrv
*Deregistered* - mrxsmb
*Deregistered* - mrxsmb10
*Deregistered* - mrxsmb20
*Deregistered* - msahci
*Deregistered* - Msfs
*Deregistered* - msisadrv
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NativeWifiP
*Deregistered* - NDIS
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - netbt
*Deregistered* - Npfs
*Deregistered* - nsiproxy
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - PxHelp20
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - RasSstp
*Deregistered* - rdbss
*Deregistered* - rdpdr
*Deregistered* - RDPENCDD
*Deregistered* - Smb
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - tdx
*Deregistered* - TermDD
*Deregistered* - tunmp
*Deregistered* - tunnel
*Deregistered* - umbus
*Deregistered* - VgaSave
*Deregistered* - volmgr
*Deregistered* - volmgrx
*Deregistered* - volsnap
*Deregistered* - wacomvhid
*Deregistered* - WacomVKHid
*Deregistered* - Wdf01000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a3d3db6-f324-11dd-b1c4-002186db83b5}]
\shell\AutoRun\command - D:\SETUP.EXE
\shell\configure\command - D:\SETUP.EXE
\shell\install\command - D:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b1b7bc4-f325-11dd-9849-002264cb7f41}]
\shell\Auto\command - D:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL D:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2da9e16e-f17e-11dd-a5b1-002186db83b5}]
\shell\Auto\command - D:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL D:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a83fc37b-c19d-11dd-ac0e-bed485001169}]
\shell\AutoRun\command - d:\swsetup\APPINSTL\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8879a3d-c206-11dd-98a3-002186328935}]
\shell\Auto\command - D:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL D:\Start.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{C81DDF74-549A-41BB-8C5B-9484369ACB11} - c:\windows\system32\nnnlMEUL.dll
HKLM-RunOnce-<NO NAME> - (no file)
MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
MSConfigStartUp-jsf8uiw3jnjgffght - c:\users\Admin\AppData\Local\Temp\winlognn.exe


.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps6zbwt7.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 10:25:07
Windows 6.0.6001 Service Pack 1 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Admin\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(900)
c:\program files\Dropbox\DropboxExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\wisptis.exe
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\System32\wisptis.exe
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\HelpPane.exe
.
**************************************************************************
.
Completion time: 2009-02-08 10:27:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-08 16:26:57
ComboFix2.txt 2009-02-06 14:35:22

Pre-Run: 106,489,167,872 bytes free
Post-Run: 106,526,429,184 bytes free

321 --- E O F --- 2009-02-05 01:59:01

#4 jpshortstuff (WhatTheTech Teacher; Members, 660 posts; Gender: Male; Location: UK)

Posted 09 February 2009 - 06:18 AM

Hi,

This looks nasty, and pretty new. Several of your system files have been infected, which is why you are having problems getting into normal mode. I'm afraid it would have been best to keep System Restore on; being able to restore to an infected machine state is better than not being able to restore at all. Even if we could turn System Restore on now, it wouldn't do us any good; all those past restore points would have been wiped.

Let's see what we can do to help this machine.


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\foqt.exe
c:\windows\System32\khfDvvVN.dll
c:\windows\System32\cbxwWppp.dll
c:\users\Admin\ieframes.dll
C:\ptooigas.exe
C:\otdfi.exe
C:\asyoclq.exe
C:\elmumyh.exe
C:\bkha.exe

Folder::
C:\ckis
c:\windows\System32\tov02
c:\temp\sTMP3
C:\Temp
C:\-2145232569
C:\Users\Admin\AppData\Local\{750572D0-4EE5-4E2D-BD46-C2681DE1A857}

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Users\\Admin\\AppData\\Local\\Temp\\BNDE4E.tmp"=-
"c:\\Users\\Admin\\AppData\\Local\\Temp\\BN2443.tmp"=-
"c:\\Users\\Admin\\AppData\\Local\\Temp\\BN8556.tmp"=-
"c:\\Users\\Admin\\AppData\\Local\\Temp\\BN141D.tmp"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a3d3db6-f324-11dd-b1c4-002186db83b5}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b1b7bc4-f325-11dd-9849-002264cb7f41}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2da9e16e-f17e-11dd-a5b1-002186db83b5}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a83fc37b-c19d-11dd-ac0e-bed485001169}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8879a3d-c206-11dd-98a3-002186328935}]

3. Save the above as CFScript.txt

4. Then drag CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot (in case it asks to reboot), please attempt to log into normal mode. Post the ComboFix.txt log in your next reply.


* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the icon next to the files found.
  • If so, click it, then click the icon right below it and select Move incurable, as shown in the next image.
    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer, because files in use may be moved/deleted during the reboot.
  • After reboot, post the contents of the Dr.Web log you saved previously in your next reply.
If DrWeb does find and disinfect anything, again, please attempt to boot into normal mode.

I will do some more research and see if I can find any other solutions.

Let me just clarify - you have no Vista DVD and no other recovery DVDs available?

Thanks.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

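The CFScript above was written by hand from the ComboFix log: the four firewall exceptions granted to .tmp executables in the user's Temp folder become "value"=- deletions, and each MountPoints2 key carrying an AutoRun command becomes a [-key] deletion. As an added example (not part of the original thread, and not ComboFix's or the helper's own code), the Python script below automates that reading of the log: it parses the two registry sections out of a ComboFix-style log, flags firewall exceptions whose target is a .tmp file or lives under a Temp folder, collects every MountPoints2 key that has an Auto/AutoRun command, and emits the Registry:: stanza in the syntax the post uses. The sample log is constructed from the entries quoted in the log above; the Temp-folder heuristic and the function names are this example's own choices.

```python
import re

# Constructed sample: a ComboFix log excerpt assembled from the firewall-exception
# and MountPoints2 entries quoted in the log above (not a complete log).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Users\\Admin\\AppData\\Local\\Temp\\BNDE4E.tmp"= c:\users\Admin\AppData\Local\Temp\BNDE4E.tmp:*:Enabled:EMOTIONS_EXECUTABLE
"c:\\Users\\Admin\\AppData\\Local\\Temp\\BN2443.tmp"= c:\users\Admin\AppData\Local\Temp\BN2443.tmp:*:Enabled:EMOTIONS_EXECUTABLE
"c:\\Windows\\system32\\wininit.exe"= c:\windows\system32\wininit.exe:*:enabled:@shell32.dll,-1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a3d3db6-f324-11dd-b1c4-002186db83b5}]
\shell\AutoRun\command - D:\SETUP.EXE
\shell\configure\command - D:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b1b7bc4-f325-11dd-9849-002264cb7f41}]
\shell\Auto\command - D:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL D:\Start.exe
"""

FIREWALL_LIST_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                     r"\StandardProfile\AuthorizedApplications\List")
MOUNTPOINTS_PREFIX = (r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion"
                      r"\explorer\mountpoints2")

# Heuristic (this example's own choice): nothing legitimate needs a firewall
# exception for a .tmp file or for anything living under a Temp folder.
UNTRUSTED_DIRS = ("\\temp\\", "\\tmp\\")
UNTRUSTED_EXTS = (".tmp",)


def parse_sections(log):
    """Group the log lines under the [registry key] header that precedes them."""
    sections, current = {}, None
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def is_suspicious_exception(target):
    """True if the exception's target is a .tmp file or lives under a Temp folder."""
    p = target.lower()
    return p.endswith(UNTRUSTED_EXTS) or any(d in p for d in UNTRUSTED_DIRS)


def suspicious_firewall_values(sections):
    """Value names (exactly as the log prints them) of suspicious exceptions."""
    names = []
    for line in sections.get(FIREWALL_LIST_KEY, []):
        m = re.match(r'^"(.+?)"=\s*(.+)$', line)
        if not m:
            continue
        value_name, data = m.groups()
        target = data.split(":*:", 1)[0]  # data looks like  path:*:Enabled:Name
        if is_suspicious_exception(target):
            names.append(value_name)
    return names


def autorun_mountpoints(sections):
    """MountPoints2 keys that carry an Auto or AutoRun shell command."""
    keys = []
    for key, lines in sections.items():
        if not key.startswith(MOUNTPOINTS_PREFIX):
            continue
        if any(re.match(r"\\shell\\(Auto|AutoRun)\\command", ln, re.I) for ln in lines):
            keys.append(key)
    return keys


def build_cfscript(log):
    """Emit a Registry:: stanza: "value"=- deletes a value, [-key] deletes a key."""
    sections = parse_sections(log)
    out = ["Registry::"]
    values = suspicious_firewall_values(sections)
    if values:
        out.append("[" + FIREWALL_LIST_KEY + "]")
        out.extend('"%s"=-' % v for v in values)
    out.extend("[-" + k + "]" for k in autorun_mountpoints(sections))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```

Run against the sample, the script keeps the wininit.exe exception (a system binary outside Temp) and drops only the two .tmp entries, then lists both MountPoints2 keys for deletion. The output is a draft to review, not something to feed to ComboFix blindly: the Temp-folder rule is a heuristic, and a MountPoints2 key only records what a removable disk offered to AutoRun, so deleting it removes a persistence hook rather than the executable it pointed at.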
#5 Bonaojnfr525 (Topic Starter; Members, 4 posts)

Posted 09 February 2009 - 08:09 AM

Thanks.
I do have the DVDs, but my PC won't recognize my external DVD. In normal mode, it didn't work.

ComboFix 09-02-08.02 - Admin 2009-02-09 7:54:41.2 - NTFSx86 NETWORK
Running from: c:\users\Admin\Desktop\ComboFix.exe
Command switches used :: c:\users\Admin\Desktop\CFScript.txt

FILE ::
C:\asyoclq.exe
C:\bkha.exe
C:\elmumyh.exe
C:\foqt.exe
C:\otdfi.exe
C:\ptooigas.exe
c:\users\Admin\ieframes.dll
c:\windows\System32\cbxwWppp.dll
c:\windows\System32\khfDvvVN.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\-2145232569\
C:\asyoclq.exe
C:\bkha.exe
C:\ckis
c:\ckis\crack.lst
C:\elmumyh.exe
C:\foqt.exe
C:\otdfi.exe
C:\ptooigas.exe
C:\Temp
c:\temp\sTMP3\cxI.log
c:\users\Admin\ieframes.dll
c:\windows\System32\cbxwWppp.dll
c:\windows\System32\khfDvvVN.dll
c:\windows\System32\tov02
c:\windows\System32\tov02\tov022328.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.

2009-02-08 23:19 . 2009-02-08 23:28 <DIR> d-------- C:\MGADiagToolOutput
2009-02-08 23:01 . 2009-02-08 23:01 41,472 --a------ c:\windows\Cnerulukac.dll
2009-02-08 01:26 . 2009-02-08 01:26 <DIR> d-------- c:\users\Admin\Tracing
2009-02-08 01:25 . 2009-02-08 01:25 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-02-08 01:25 . 2009-02-08 01:25 <DIR> d-------- c:\program files\Windows Live
2009-02-08 01:25 . 2009-02-08 01:25 <DIR> d-------- c:\program files\Microsoft
2009-02-08 01:23 . 2009-02-08 01:23 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-02-08 00:53 . 2009-02-08 00:53 <DIR> d-------- c:\windows\System32\Macromed
2009-02-07 17:18 . 2009-02-07 17:18 <DIR> d-------- c:\program files\Opera
2009-02-07 12:18 . 2009-02-07 16:17 <DIR> d----c--- c:\windows\System32\DRVSTORE
2009-02-07 12:14 . 2009-02-07 16:17 <DIR> d-------- c:\users\All Users\Lavasoft
2009-02-07 12:14 . 2009-02-07 16:17 <DIR> d-------- c:\programdata\Lavasoft
2009-02-07 12:14 . 2009-02-07 16:17 <DIR> d-------- c:\program files\Lavasoft
2009-02-07 11:48 . 2009-02-07 11:48 7,680 --a------ c:\windows\System32\drivers\RKL4A48.tmp.sys
2009-02-07 11:31 . 2009-02-07 11:31 66 --a------ c:\windows\wininit.ini
2009-02-06 22:00 . 2009-02-06 22:01 1,905 --a------ c:\windows\diagwrn.xml
2009-02-06 22:00 . 2009-02-06 22:01 1,905 --a------ c:\windows\diagerr.xml
2009-02-06 15:36 . 2009-02-06 15:36 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-05 21:59 . 2009-02-05 21:59 <DIR> d-------- c:\program files\Alwil Software
2009-02-05 21:46 . 2009-02-05 21:46 <DIR> d-------- c:\program files\Enigma Software Group
2009-02-05 20:16 . 2009-02-05 20:29 <DIR> d-------- C:\Malwarebytes' Anti-Malware
2009-02-05 14:47 . 2009-02-05 14:47 <DIR> d-------- C:\VundoFix Backups
2009-02-04 23:59 . 2009-02-04 23:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware(7)
2009-02-04 23:51 . 2009-02-04 23:51 <DIR> d-------- c:\users\All Users\Digsby
2009-02-04 23:51 . 2009-02-04 23:51 <DIR> d-------- c:\programdata\Digsby
2009-02-04 23:42 . 2009-02-04 23:42 <DIR> d-------- c:\users\All Users\Office Genuine Advantage
2009-02-04 23:42 . 2009-02-04 23:42 <DIR> d-------- c:\programdata\Office Genuine Advantage
2009-02-04 23:17 . 2009-02-07 16:49 <DIR> d-------- c:\program files\PDF Annotator
2009-02-04 23:16 . 2009-02-04 23:16 <DIR> d-------- c:\users\Admin\AppData\Roaming\Thinstall
2009-02-04 23:07 . 2009-02-04 23:07 <DIR> d-------- c:\users\All Users\Windows Genuine Advantage
2009-02-04 22:22 . 2009-02-04 22:22 <DIR> d-------- c:\users\Admin\AppData\Roaming\Bump Technologies, Inc
2009-02-04 22:03 . 2009-02-06 20:53 1,161,248 --ahs---- c:\windows\System32\drivers\fidbox.dat
2009-02-04 22:03 . 2009-02-06 20:53 262,176 --ahs---- c:\windows\System32\drivers\fidbox2.dat
2009-02-04 22:03 . 2009-02-06 20:53 11,200 --ahs---- c:\windows\System32\drivers\fidbox.idx
2009-02-04 22:03 . 2009-02-06 20:53 1,976 --ahs---- c:\windows\System32\drivers\fidbox2.idx
2009-02-04 21:49 . 2009-02-08 16:34 <DIR> d-------- c:\users\Admin\AppData\Roaming\Dropbox
2009-02-04 21:49 . 2009-02-07 15:58 <DIR> d-------- c:\program files\Dropbox
2009-02-04 21:48 . 2009-02-04 21:48 <DIR> d-------- c:\users\Admin\AppData\Roaming\Ambient Design
2009-02-04 21:46 . 2009-02-04 21:46 <DIR> d-------- c:\program files\Ambient Design
2009-02-04 21:45 . 2009-02-04 23:51 <DIR> d-------- c:\users\Admin\AppData\Roaming\Digsby
2009-02-04 21:44 . 2009-02-04 21:44 <DIR> d-------- c:\program files\VideoLAN
2009-02-04 21:44 . 2009-02-04 21:44 <DIR> d-------- c:\program files\Digsby
2009-02-04 21:31 . 2009-02-04 21:31 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-04 21:31 . 2009-02-04 21:31 <DIR> d-------- c:\users\Admin\AppData\Roaming\Malwarebytes
2009-02-04 21:31 . 2009-02-04 21:31 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-04 21:31 . 2009-02-05 20:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-04 21:31 . 2009-01-14 16:11 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-04 21:31 . 2009-01-14 16:11 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-02-04 21:27 . 2009-02-04 21:27 0 --a------ c:\windows\nsreg.dat
2009-02-04 20:55 . 2009-02-04 21:00 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-04 20:53 . 2009-02-04 21:01 <DIR> d-------- c:\users\All Users\avg8
2009-02-04 20:53 . 2009-02-04 21:01 <DIR> d-------- c:\programdata\avg8
2009-02-04 20:53 . 2009-02-04 20:53 <DIR> d-------- c:\program files\AVG
2009-02-04 20:02 . 2009-02-05 06:55 <DIR> d-------- c:\program files\Kaspersky Lab
2009-02-04 20:01 . 2009-02-04 20:04 <DIR> d-------- c:\users\All Users\Kaspersky Lab Setup Files
2009-02-04 20:01 . 2009-02-04 20:04 <DIR> d-------- c:\programdata\Kaspersky Lab Setup Files
2009-02-04 19:58 . 2009-02-04 19:58 <DIR> d-------- c:\windows\PCHEALTH
2009-02-04 19:58 . 2009-02-04 19:58 <DIR> d-------- c:\program files\Microsoft.NET
2009-02-04 19:58 . 2009-02-04 19:58 <DIR> d-------- c:\program files\Microsoft Works
2009-02-04 19:58 . 2006-10-26 19:56 32,592 --a------ c:\windows\System32\msonpmon.dll
2009-02-04 19:56 . 2009-02-04 19:58 <DIR> d-------- c:\users\All Users\Microsoft Help
2009-02-04 19:56 . 2009-02-04 19:58 <DIR> d-------- c:\programdata\Microsoft Help
2009-02-04 19:55 . 2009-02-04 19:55 <DIR> dr-h----- C:\MSOCache
2009-02-04 19:36 . 2009-02-05 07:00 2 --a------ C:\-2145232569
2009-02-04 19:27 . 2008-10-16 15:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2009-02-04 19:27 . 2008-10-16 14:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2009-02-04 19:27 . 2008-10-16 15:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2009-02-04 19:27 . 2008-10-16 15:09 43,544 --a------ c:\windows\System32\wups2.dll
2009-02-04 19:26 . 2008-10-16 15:12 561,688 --a------ c:\windows\System32\wuapi.dll
2009-02-04 19:26 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2009-02-04 19:26 . 2008-10-16 14:55 83,456 --a------ c:\windows\System32\wudriver.dll
2009-02-04 19:26 . 2008-10-16 13:56 48,640 --a------ c:\windows\System32\wuapp.exe
2009-02-04 19:26 . 2008-10-16 15:08 34,328 --a------ c:\windows\System32\wups.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 06:55 --------- d-----w c:\users\Admin\AppData\Roaming\WTablet
2009-02-07 22:59 --------- d-----w c:\programdata\SonicFocus
2009-02-07 22:59 --------- d-----w c:\program files\Hewlett-Packard
2009-02-07 22:59 --------- d-----w c:\program files\Analog Devices
2009-02-06 20:47 21,504 ----a-w c:\windows\System32\svchost.exe
2009-02-06 17:33 --------- d-----w c:\program files\Windows Mail
2009-02-06 17:33 --------- d-----w c:\program files\Windows Journal
2008-12-03 22:54 87,328 ----a-w c:\windows\System32\bcmwlcoi.dll
2008-12-03 22:54 3,481,600 ----a-w c:\windows\System32\bcmihvsrv.dll
2008-12-03 22:54 3,141,632 ----a-w c:\windows\System32\bcmihvui.dll
2008-12-03 04:37 49,480 ----a-w c:\windows\System32\sirenacm.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

------- Sigcheck -------

2008-01-20 20:24 2944512 5cd6f8d59153af4ee12dc5654cb79af1 c:\windows\explorer.exe
2008-10-29 00:20 2940928 4dffc97a79496a3d9e8a2dd540c668f4 c:\windows\SoftwareDistribution\Download\7061d8bdfc6a60f6588941d7a2c304c7\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
2008-10-27 20:15 2940928 93140d4ebb0de66c0275c87e370de6c8 c:\windows\SoftwareDistribution\Download\7061d8bdfc6a60f6588941d7a2c304c7\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
2008-10-29 00:29 2944512 a42b9071dd7a16e56eb7f74358084bf5 c:\windows\SoftwareDistribution\Download\7061d8bdfc6a60f6588941d7a2c304c7\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
2008-10-29 21:59 2945024 28512350343270fa6b68e201ce489f49 c:\windows\SoftwareDistribution\Download\7061d8bdfc6a60f6588941d7a2c304c7\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
2008-01-20 20:24 2944512 5cd6f8d59153af4ee12dc5654cb79af1 c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

2006-11-02 03:45 26112 e5684e07bf78512d833436b8aa1d1bae c:\windows\System32\ctfmon.exe
2006-11-02 03:45 26112 e5684e07bf78512d833436b8aa1d1bae c:\windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.0.6000.16386_none_9af9cad793a67953\ctfmon.exe

2008-01-20 20:25 143360 cbc7a6d35f67c0419dde949af1e4fe24 c:\windows\System32\spoolsv.exe
2008-01-20 20:25 143360 cbc7a6d35f67c0419dde949af1e4fe24 c:\windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6001.18000_none_d64ba321c188c516\spoolsv.exe

2008-01-20 20:25 42496 16877b4975c576aef781b73c648c40c3 c:\windows\System32\userinit.exe
2008-01-20 20:25 42496 16877b4975c576aef781b73c648c40c3 c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-02-08_10.26.28.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 02:25:48 159,744 ----a-w c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe
+ 2008-01-21 02:25:48 180,224 ----a-w c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe
- 2008-01-21 02:25:49 61,440 ----a-w c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe
+ 2008-01-21 02:25:49 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe
- 2008-01-21 02:25:48 143,360 ----a-w c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe
+ 2008-01-21 02:25:48 163,840 ----a-w c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe
+ 2009-02-08 22:46:09 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-08 22:46:09 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-08 22:46:09 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-08 16:25:02 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-09 04:02:16 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-02-08 16:25:02 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-09 04:02:11 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2009-02-08 16:23:22 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-09 13:50:11 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-08 16:23:22 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-09 13:50:11 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-08 16:23:22 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-09 13:50:11 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-06 17:33:35 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2009-02-09 13:54:34 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2009-01-07 23:20:24 1,486,192 ----a-w c:\windows\System32\LegitCheckControl.DLL
- 2009-02-08 16:10:24 101,144 ----a-w c:\windows\System32\perfc009.dat
+ 2009-02-09 13:54:31 101,144 ----a-w c:\windows\System32\perfc009.dat
- 2009-02-08 16:10:24 595,446 ----a-w c:\windows\System32\perfh009.dat
+ 2009-02-09 13:54:31 595,446 ----a-w c:\windows\System32\perfh009.dat
- 2009-02-07 01:44:27 231,092 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-02-09 06:55:06 68,244 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-02-08 07:25:56 86,750,525 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2009-02-08 22:59:08 117,533,521 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 01:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-02 3882312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-20 1316136]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-20 178712]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-07-11 181552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-15 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-15 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-15 145944]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-06-02 367128]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2008-05-23 197904]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-07-08 1331200]
"Hpalane"="c:\windows\Cnerulukac.dll" [2009-02-08 41472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-01-14 1293968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1609274603-2870970682-3683536806-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B4E50849-2E85-41E9-8473-AD3BEDD79EF4}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{59D3A18D-61DB-4A5A-8454-DE594EB72E5F}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Windows\\system32\\wininit.exe"= c:\windows\system32\wininit.exe:*:enabled:@shell32.dll,-1

R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2008-06-12 1164536]
R2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2008-04-07 24936]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 292384]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-05-27 1357608]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2008-06-02 2058776]
R3 AntiAries;Anti Aries Helper Driver;c:\windows\System32\drivers\RKL4A48.tmp.sys [2009-02-07 7680]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2008-06-12 477696]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-08 1112560]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-03-27 224384]
S3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752]
S3 WISDPen;Wacom Penabled MiniDriver;c:\windows\system32\DRIVERS\wisdpen.sys [2008-03-27 30888]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE
*NewlyCreated* - PXHELP20
*Deregistered* - AFD
*Deregistered* - Beep
*Deregistered* - bowser
*Deregistered* - CLFS
*Deregistered* - Compbatt
*Deregistered* - crcdisk
*Deregistered* - CSC
*Deregistered* - DfsC
*Deregistered* - Ecache
*Deregistered* - FileInfo
*Deregistered* - FltMgr
*Deregistered* - iScsiPrt
*Deregistered* - KSecDD
*Deregistered* - MountMgr
*Deregistered* - mpsdrv
*Deregistered* - mrxsmb
*Deregistered* - mrxsmb10
*Deregistered* - mrxsmb20
*Deregistered* - msahci
*Deregistered* - Msfs
*Deregistered* - msisadrv
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NativeWifiP
*Deregistered* - NDIS
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - netbt
*Deregistered* - Npfs
*Deregistered* - nsiproxy
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - PxHelp20
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - RasSstp
*Deregistered* - rdbss
*Deregistered* - rdpdr
*Deregistered* - RDPENCDD
*Deregistered* - Smb
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - tdx
*Deregistered* - TermDD
*Deregistered* - tunmp
*Deregistered* - tunnel
*Deregistered* - umbus
*Deregistered* - VgaSave
*Deregistered* - volmgr
*Deregistered* - volmgrx
*Deregistered* - volsnap
*Deregistered* - wacomvhid
*Deregistered* - WacomVKHid
*Deregistered* - Wdf01000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ps6zbwt7.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 07:56:14
Windows 6.0.6001 Service Pack 1 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-09 7:57:06
ComboFix-quarantined-files.txt 2009-02-09 13:57:04
ComboFix2.txt 2009-02-08 16:27:07
ComboFix3.txt 2009-02-06 14:35:22

Pre-Run: 104,923,566,080 bytes free
Post-Run: 104,816,996,352 bytes free

329 --- E O F --- 2009-02-05 01:59:01

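The Sigcheck section in this log lists, for each core system file, the MD5 of the live copy beside the copies held in the WinSxS store and the staged updates under SoftwareDistribution\Download. On Vista the file in System32 (or c:\windows) is normally a hard link to the matching WinSxS component, so a live copy whose hash matches none of its WinSxS copies is a strong lead that it has been replaced or patched; in this log explorer.exe, ctfmon.exe, spoolsv.exe and userinit.exe all match their store copies. As an added example, not code from the thread or from ComboFix, the script below parses such a section and reports that comparison per file, excluding the SoftwareDistribution\Download copies because those are pending updates rather than the installed version. The explorer.exe and userinit.exe lines are taken from the log above; the example.exe lines are constructed, with placeholder hashes and a hypothetical component name, purely so the mismatch branch is exercised.

```python
import re
from collections import namedtuple

# Sample Sigcheck lines. The explorer.exe and userinit.exe lines are copied from the
# log above; the two example.exe lines are constructed (placeholder hashes, hypothetical
# component directory) so that the mismatch case is exercised.
SAMPLE_SIGCHECK = r"""
2008-01-20 20:24 2944512 5cd6f8d59153af4ee12dc5654cb79af1 c:\windows\explorer.exe
2008-10-29 00:20 2940928 4dffc97a79496a3d9e8a2dd540c668f4 c:\windows\SoftwareDistribution\Download\7061d8bdfc6a60f6588941d7a2c304c7\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
2008-01-20 20:24 2944512 5cd6f8d59153af4ee12dc5654cb79af1 c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

2008-01-20 20:25 42496 16877b4975c576aef781b73c648c40c3 c:\windows\System32\userinit.exe
2008-01-20 20:25 42496 16877b4975c576aef781b73c648c40c3 c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

2009-02-08 23:01 42496 deadbeefdeadbeefdeadbeefdeadbeef c:\windows\System32\example.exe
2008-01-20 20:25 42496 0123456789abcdef0123456789abcdef c:\windows\winsxs\x86_hypothetical-example_31bf3856ad364e35_6.0.6001.18000_none_0000000000000000\example.exe
"""

Entry = namedtuple("Entry", "when size md5 path kind version")

# date time size md5 path, as ComboFix prints each Sigcheck line
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9a-fA-F]{32})\s+(.+)$")
# component version embedded in a WinSxS / update-cache directory name
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


def classify(path):
    """live = the installed file; winsxs = store copy; download = staged update."""
    p = path.lower()
    if "\\winsxs\\" in p:
        return "winsxs"
    if "\\softwaredistribution\\download\\" in p:
        return "download"
    return "live"


def parse_sigcheck(text):
    """Turn the Sigcheck lines into Entry records, skipping anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, size, md5, path = m.groups()
        kind = classify(path)
        version = None
        if kind != "live":
            vm = VERSION_RE.search(path)
            version = vm.group(1) if vm else None
        entries.append(Entry(when, int(size), md5.lower(), path, kind, version))
    return entries


def check_system_files(text):
    """For each live file, report whether its MD5 matches any WinSxS store copy."""
    by_name = {}
    for e in parse_sigcheck(text):
        by_name.setdefault(e.path.rsplit("\\", 1)[-1].lower(), []).append(e)
    report = {}
    for name, entries in by_name.items():
        refs = [e for e in entries if e.kind == "winsxs"]
        for live in (e for e in entries if e.kind == "live"):
            matches = [r.version for r in refs if r.md5 == live.md5]
            if not refs:
                status = "no-reference"   # nothing in the store to compare against
            elif matches:
                status = "ok"             # hard-linked to a known component
            else:
                status = "mismatch"       # replaced or patched: investigate
            report[name] = {"path": live.path, "md5": live.md5,
                            "status": status, "matches": matches}
    return report


if __name__ == "__main__":
    for name, r in check_system_files(SAMPLE_SIGCHECK).items():
        print("%-14s %-12s %s" % (name, r["status"], ", ".join(r["matches"]) or "-"))
```

A "mismatch" is a lead, not a verdict: an update applied outside the servicing stack can produce the same result, and a patched file whose author also planted a matching WinSxS copy would read as "ok". Pair the hash check with the file timestamps and the catchme result (here, the reported NTDLL code modification) before deciding a system file needs replacing.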
#6 jpshortstuff (WhatTheTech Teacher; Members, 660 posts; Gender: Male; Location: UK)

Posted 09 February 2009 - 08:43 AM

Hi,

OK. Did you try Dr. Web CureIt?

I do have the dvds but my pc wont recognize my external dvd

Sorry, do you mean you have an external DVD drive but the computer doesn't read from it at boot time? Have you tried entering BIOS setup (usually you will have to press F2, F11, Del or something similar soon after turning your computer on; it depends on the manufacturer. You should see a splash screen shortly after booting that says "Press <button> to enter setup") and changing the boot order so that it boots from the DVD first? (I can give more details of this if necessary.)

#7 Bonaojnfr525 (Topic Starter; Members, 4 posts)

Posted 11 February 2009 - 07:22 PM

Hey, nothing worked; that external DVD is not recognized by my PC, but I just bought one that was, and I am now installing Vista with a clean install. Thanks for your help =D

#8 jpshortstuff (WhatTheTech Teacher; Members, 660 posts; Gender: Male; Location: UK)

Posted 12 February 2009 - 05:37 AM

OK, thanks for letting me know. I hope all goes well.
