
Combofix and Malwarebytes fail to run, various other problems.


  • This topic is locked
6 replies to this topic

#1 RedHanded

Posted 02 June 2009 - 04:39 AM

Started with Google results redirecting in Firefox (which I assumed was a go.google virus), but since having tried to fix this the problems have escalated - Malwarebytes and Combofix both fail to run (Mb entirely, Cf 'encounters a problem' upon run). All folders are intermittently made 'read only'. Computer occasionally fails to start properly (a blue screen of some sort, which then reboots). Please help - I'm in exam season and need this computer to work properly!



Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.372 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\EeeRotate\EeeRotate.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Robert Henthorn\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uInternet Settings,ProxyServer = wf2.thegrid.org.uk:80
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\styler\tb\StylerTB.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [<NO NAME>]
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [SUPBackGround] c:\program files\samsung\samsung update plus\SUPBackGround.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [LogonStudio] "c:\program files\wincustomize\logonstudio\logonstudio.exe" /RANDOM
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\robert~1\startm~1\programs\startup\eeerot~1.lnk - c:\program files\eeerotate\EeeRotate.exe
StartupFolder: c:\docume~1\robert~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\robert~1\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\robert~1\startm~1\programs\startup\styler.lnk - c:\docume~1\robert~1\applic~1\microsoft\installer\{e9ecf354-2422-4fdb-9abf-d8adac0ef941}\_585b207a.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: NameServer = 85.255.112.166,85.255.112.67
TCP: {3989E3B3-C94F-4B37-A122-1C4BEAD24621} = 85.255.112.166,85.255.112.67
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert~1\applic~1\mozilla\firefox\profiles\wb85nb0w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-21 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-21 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-21 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-21 55640]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-2-12 4300]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-15 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-2-12 238464]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-8-2 19840]

=============== Created Last 30 ================

2009-06-02 10:06 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-02 10:06 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-02 10:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-02 10:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-02 09:13 <DIR> --d----- c:\documents and settings\robert henthorn\DoctorWeb
2009-05-29 22:14 32,768 a------- c:\windows\ReBirth RB-338 2.prf
2009-05-29 22:10 57,600 ac------ c:\windows\system32\dllcache\redbook.sys
2009-05-29 22:10 57,600 a------- c:\windows\system32\drivers\redbook.sys
2009-05-29 22:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-05-29 22:09 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-05-29 22:06 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-05-29 22:06 <DIR> --d----- c:\docume~1\robert~1\applic~1\DAEMON Tools Lite
2009-05-29 21:28 24 a------- c:\windows\LogonStudio.ini
2009-05-29 21:14 1,066,176 a------- c:\windows\system32\mscomctl.ocx
2009-05-29 21:14 198,656 a------- c:\windows\system32\comdlg32.ocx
2009-05-29 21:14 187,392 a------- c:\windows\system32\JPGUtils.dll
2009-05-29 21:14 <DIR> --d----- c:\program files\WinCustomize
2009-05-29 14:19 <DIR> --d----- c:\program files\IMBT
2009-05-27 20:12 <DIR> --d----- c:\program files\torcs
2009-05-27 11:13 <DIR> --d----- c:\program files\uTorrent
2009-05-27 11:13 <DIR> --d----- c:\docume~1\robert~1\applic~1\uTorrent
2009-05-25 11:20 <DIR> --d----- c:\program files\GOG.com
2009-05-24 13:00 <DIR> --d----- c:\docume~1\robert~1\applic~1\Mobipocket
2009-05-24 12:09 <DIR> --d----- c:\program files\EeeRotate
2009-05-22 22:47 <DIR> --d----- c:\docume~1\robert~1\applic~1\IMBT
2009-05-22 22:44 <DIR> --d----- c:\program files\MarkAble
2009-05-21 16:43 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-21 16:43 <DIR> --d----- c:\program files\Avira
2009-05-21 16:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-05-21 15:06 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-05-21 13:37 <DIR> --d----- c:\documents and settings\robert henthorn\Bluetooth Software
2009-05-21 13:23 37,280 a------- c:\windows\system32\drivers\btwmodem.sys
2009-05-21 13:23 156,816 a------- c:\windows\system32\drivers\btwdndis.sys
2009-05-21 13:23 55,352 a------- c:\windows\system32\drivers\btwhid.sys
2009-05-21 13:23 37,424 a------- c:\windows\system32\drivers\btport.sys
2009-05-21 13:23 879,832 a------- c:\windows\system32\drivers\btkrnl.sys
2009-05-21 13:23 539,640 a------- c:\windows\system32\drivers\btaudio.sys
2009-05-21 13:23 <DIR> --d----- c:\program files\WIDCOMM
2009-05-21 13:23 1,520 -------- c:\windows\system32\Robert Henthorn_KBD.ini
2009-05-21 13:23 0 a------- c:\windows\system32\drivers\144D_SAMSUNG_N_NC10_04CA.mrk
2009-05-21 13:22 <DIR> --d----- c:\documents and settings\Robert Henthorn
2009-05-21 13:14 8,192 a------- c:\windows\REGLOCS.OLD
2009-05-11 14:48 <DIR> --d----- c:\program files\AskBarDis
2009-05-11 14:48 <DIR> --d----- c:\docume~1\robert~1\applic~1\Foxit
2009-05-11 14:48 <DIR> --d----- c:\program files\Foxit Software
2009-05-11 12:47 <DIR> --d----- c:\program files\Stardock
2009-05-11 12:47 <DIR> --d----- c:\program files\common files\Stardock
2009-05-11 12:31 <DIR> --d----- c:\windows\SxsCaPendDel
2009-05-11 11:37 218,624 a------- c:\windows\system32\uxtheme.uxtender
2009-05-11 10:14 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-05-11 10:14 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-05-11 10:13 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-11 10:13 2,189,056 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-11 10:13 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-05-11 10:13 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-05-11 10:12 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-11 10:11 <DIR> --d----- c:\windows\system32\PreInstall
2009-05-11 10:11 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-05-11 10:05 <DIR> --d----- c:\docume~1\robert~1\applic~1\OpenOffice.org
2009-05-11 09:09 <DIR> --d----- c:\program files\JRE
2009-05-11 09:08 <DIR> --d----- c:\program files\OpenOffice.org 3
2009-05-11 09:08 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-11 09:08 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-11 08:58 <DIR> --d----- c:\docume~1\robert~1\applic~1\Styler
2009-05-11 08:37 168,448 a------- c:\windows\system32\unrar.dll
2009-05-11 08:36 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-05-11 08:36 499,712 a------- c:\windows\system32\msvcp71.dll
2009-05-11 08:36 348,160 a------- c:\windows\system32\msvcr71.dll
2009-05-11 08:36 <DIR> --d----- c:\program files\Real Alternative
2009-05-11 08:34 <DIR> --d----- c:\program files\Styler
2009-05-11 08:19 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-05-11 08:19 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-11 08:18 <DIR> --d----- c:\program files\iPod
2009-05-11 08:18 <DIR> --d----- c:\program files\iTunes
2009-05-11 08:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-11 08:17 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-11 08:17 57,344 a------- c:\windows\system32\QuickTime.qts
2009-05-11 08:17 <DIR> --d----- c:\program files\QuickTime Alternative
2009-05-11 08:13 <DIR> --d----- c:\docume~1\robert~1\applic~1\.purple
2009-05-11 08:11 <DIR> --d----- c:\program files\Pidgin
2009-05-11 08:11 <DIR> --d----- c:\program files\common files\GTK

==================== Find3M ====================

2009-05-29 21:32 514,560 a------- c:\windows\system32\logonuiX.exe
2009-05-11 14:34 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-11 11:37 218,624 a------- c:\windows\system32\uxtheme.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll

============= FINISH: 10:12:31.39 ===============

Edited by RedHanded, 02 June 2009 - 04:40 AM.


#2 joseibarra

joseibarra

  • Members
  • 1,285 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Downstairs
  • Local time:07:06 AM

Posted 02 June 2009 - 05:22 AM

Did MBAM install/update but just will not launch? Has it ever run successfully?

Some malicious software will not let things run (appear as a task in Task Manager) just by their name alone.

The malware does not want you to run anything that might help you remove it. That would include the AV programs it knows about like (mbam.exe) and other things, like regedit, cmd, rstrui, etc. and will redirect you away from sites that might help you remove it.

It would be interesting to see if you can run regedit and cmd from Start, Run...

I have not yet encountered a case where ComboFix would not run, but it would not surprise me. I have even seen a case where test.exe would not run (cute malware).

If MBAM is installed, try renaming the executable mbam.exe something else - like redhand.exe and see if that will run.

Try the same approach for other detection/removal tools - especially those that used to work and now don't.

Edited by joseibarra, 02 June 2009 - 05:24 AM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#3 RedHanded

Posted 02 June 2009 - 05:24 AM

Update: have now persuaded Combofix to run (after rebooting, and renaming the run file), and it appears to have done the trick - currently running Malwarebytes scan.
Will post in this thread again if any problems persist.

#4 RedHanded

Posted 02 June 2009 - 05:31 AM

> Did MBAM install/update but just will not launch? Has it ever run successfully?


Correct, and no, I did not go looking for MBAM until I encountered these problems (having previously been fine with AntiVir).

> Some malicious software will not let things run (appear as a task in Task Manager) just by their name alone.


Which, at least in part, seems to be the root cause - thank you, this helped.

I'll post log files from both MBAM and Cf once the laptop has finished scanning, for those it would interest.

#5 RedHanded

Posted 02 June 2009 - 05:40 AM

All appears to be fixed - much thanks, both to those who read my plea, and to those who answered similar threads in the past which I learnt an awful lot from!

How it went down: once renamed, Combofix did this -->

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ROBERT~1\LOCALS~1\Temp\tmp1.tmp
c:\windows\msetup
c:\windows\msetup\MSetup.exe
c:\windows\system32\drivers\gxvxchdhlxdjkylkjkrmbpfaqbigoeparflyh.sys
c:\windows\system32\drivers\gxvxcpuxrdlvmpfvkberrlnimnnmqxnkfxhxy.sys
c:\windows\system32\drivers\gxvxcqbutowehwgkcpxwntiqlamyqbimxoruj.sys
c:\windows\system32\gxvxcjinocoklloxeuxngiparyijoelrdrdjf.dll
c:\windows\system32\gxvxcklvdylksrtebhxwriomqhbasbwewfvxu.dll
c:\windows\Temp\scsF.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-02 to 2009-06-02 )))))))))))))))))))))))))))))))
.

2009-06-02 09:24 . 2009-06-02 09:24 -------- d-----w- c:\program files\CCleaner
2009-06-02 08:36 . 2009-06-02 08:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-02 08:13 . 2009-06-02 08:13 -------- d-----w- c:\documents and settings\Robert Henthorn\DoctorWeb
2009-05-31 18:59 . 2009-05-31 18:59 2141 ----a-w- c:\documents and settings\Robert Henthorn\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-05-29 21:12 . 2009-05-29 21:12 -------- d-----w- c:\documents and settings\Robert Henthorn\Local Settings\Application Data\Help
2009-05-29 21:10 . 2008-04-13 23:10 57600 -c--a-w- c:\windows\system32\dllcache\redbook.sys
2009-05-29 21:10 . 2008-04-13 23:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2009-05-29 21:09 . 2009-05-29 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-29 21:09 . 2009-05-29 21:09 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-29 21:06 . 2009-05-29 21:06 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-29 21:06 . 2009-05-29 21:11 -------- d-----w- c:\documents and settings\Robert Henthorn\Application Data\DAEMON Tools Lite
2009-05-29 20:14 . 2000-05-17 08:52 187392 ----a-w- c:\windows\system32\JPGUtils.dll
2009-05-29 20:14 . 2009-05-29 20:14 -------- d-----w- c:\program files\WinCustomize
2009-05-29 13:19 . 2009-05-29 13:19 -------- d-----w- c:\program files\IMBT
2009-05-27 19:48 . 2009-05-27 19:48 -------- d-----w- c:\windows\Sun
2009-05-27 19:12 . 2009-05-27 19:14 -------- d-----w- c:\program files\torcs
2009-05-27 15:17 . 2009-05-27 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-05-27 15:06 . 2009-05-27 15:06 2165 ----a-w- c:\documents and settings\Robert Henthorn\Application Data\.purple\certificates\x509\tls_peers\rsi.hotmail.com
2009-05-27 10:13 . 2009-05-27 10:13 -------- d-----w- c:\program files\uTorrent
2009-05-27 10:13 . 2009-06-01 21:07 -------- d-----w- c:\documents and settings\Robert Henthorn\Application Data\uTorrent
2009-05-25 10:20 . 2009-05-25 10:20 -------- d-----w- c:\program files\GOG.com
2009-05-24 12:00 . 2009-05-24 12:18 -------- d-----w- c:\documents and settings\Robert Henthorn\Application Data\Mobipocket
2009-05-24 11:09 . 2009-05-24 11:10 -------- d-----w- c:\program files\EeeRotate
2009-05-22 21:47 . 2009-05-22 21:47 -------- d-----w- c:\documents and settings\Robert Henthorn\Application Data\IMBT
2009-05-22 21:44 . 2009-05-22 21:44 -------- d-----w- c:\program files\MarkAble
2009-05-21 21:16 . 2009-05-21 21:16 2145 ----a-w- c:\documents and settings\Robert Henthorn\Application Data\.purple\certificates\x509\tls_peers\ows.messenger.msn.com
2009-05-21 15:43 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-21 15:43 . 2009-03-24 15:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-21 15:43 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-21 15:43 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-21 15:43 . 2009-05-21 15:43 -------- d-----w- c:\program files\Avira
2009-05-21 15:43 . 2009-05-21 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-21 14:14 . 2009-05-21 14:14 -------- d-----w- c:\program files\7-Zip
2009-05-21 13:10 . 2009-05-21 13:10 0 ----a-w- c:\windows\nsreg.dat
2009-05-21 13:09 . 2009-05-21 13:09 -------- d-----w- c:\documents and settings\Robert Henthorn\Local Settings\Application Data\Mozilla
2009-05-21 12:37 . 2009-05-21 12:37 -------- d-----w- c:\documents and settings\Robert Henthorn\Bluetooth Software
2009-05-21 12:23 . 2008-07-26 23:29 37280 ----a-w- c:\windows\system32\drivers\btwmodem.sys
2009-05-21 12:23 . 2008-07-29 15:59 156816 ----a-w- c:\windows\system32\drivers\btwdndis.sys
2009-05-21 12:23 . 2008-07-26 23:29 55352 ----a-w- c:\windows\system32\drivers\btwhid.sys
2009-05-21 12:23 . 2008-07-26 23:29 37424 ----a-w- c:\windows\system32\drivers\btport.sys
2009-05-21 12:23 . 2008-07-29 15:59 879832 ----a-w- c:\windows\system32\drivers\btkrnl.sys
2009-05-21 12:23 . 2008-07-26 23:29 539640 ----a-w- c:\windows\system32\drivers\btaudio.sys
2009-05-21 12:23 . 2009-05-21 12:23 -------- d-----w- c:\program files\WIDCOMM
2009-05-11 14:02 . 2009-05-11 14:02 -------- d-----w- c:\documents and settings\Robert Henthorn\Application Data\Media Player Classic
2009-05-11 13:48 . 2009-05-11 13:48 -------- d-----w- c:\program files\AskBarDis
2009-05-11 13:48 . 2009-05-11 13:48 -------- d-----w- c:\documents and settings\Robert Henthorn\Application Data\Foxit
2009-05-11 13:48 . 2009-05-11 13:48 -------- d-----w- c:\program files\Foxit Software
2009-05-11 11:47 . 2009-05-11 11:47 -------- d-----w- c:\documents and settings\Robert Henthorn\Local Settings\Application Data\Stardock
2009-05-11 11:47 . 2009-05-29 20:14 -------- d-----w- c:\program files\Common Files\Stardock
2009-05-11 11:47 . 2009-05-11 11:47 -------- d-----w- c:\program files\Stardock
2009-05-11 11:31 . 2009-05-27 19:31 -------- d-----w- c:\windows\SxsCaPendDel
2009-05-11 09:14 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-05-11 09:14 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-05-11 09:13 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-11 09:13 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-11 09:13 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-05-11 09:13 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-05-11 09:12 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-05-11 09:11 . 2008-07-09 07:38 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-11 09:08 . 2009-06-02 07:41 1 ----a-w- c:\documents and settings\Robert Henthorn\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-11 09:05 . 2009-05-11 09:05 -------- d-----w- c:\documents and settings\Robert Henthorn\Application Data\OpenOffice.org
2009-05-11 08:40 . 2009-05-11 08:40 -------- d-----w- c:\documents and settings\Robert Henthorn\Application Data\Thunderbird
2009-05-11 08:40 . 2009-05-11 08:40 -------- d-----w- c:\documents and settings\Robert Henthorn\Local Settings\Application Data\Thunderbird
2009-05-11 08:39 . 2009-06-02 09:37 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-05-11 08:09 . 2009-05-11 08:09 -------- d-----w- c:\program files\JRE
2009-05-11 08:08 . 2009-05-11 08:09 -------- d-----w- c:\program files\OpenOffice.org 3
2009-05-11 08:08 . 2009-05-11 08:08 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-11 07:59 . 2008-12-04 00:25 120832 ----a-w- c:\documents and settings\Robert Henthorn\Application Data\Mozilla\Firefox\Profiles\wb85nb0w.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-05-11 07:58 . 2009-05-11 07:58 -------- d-----w- c:\documents and settings\Robert Henthorn\Application Data\Styler
2009-05-11 07:37 . 2008-09-16 19:23 168448 ----a-w- c:\windows\system32\unrar.dll
2009-05-11 07:36 . 2009-05-11 07:57 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-05-11 07:36 . 2004-01-11 22:00 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-05-11 07:36 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-05-11 07:36 . 2009-05-11 07:36 -------- d-----w- c:\program files\Real Alternative
2009-05-11 07:36 . 2009-05-11 07:36 -------- d-----w- c:\documents and settings\Robert Henthorn\Local Settings\Application Data\Real
2009-05-11 07:34 . 2009-05-11 07:34 15086 ----a-r- c:\documents and settings\Robert Henthorn\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_7b12541d.exe
2009-05-11 07:34 . 2009-05-11 07:34 15086 ----a-r- c:\documents and settings\Robert Henthorn\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe
2009-05-11 07:34 . 2009-05-11 07:58 -------- d-----w- c:\program files\Styler
2009-05-11 07:21 . 2009-05-21 21:03 17536 ----a-w- c:\documents and settings\Robert Henthorn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-11 07:19 . 2009-05-22 21:32 -------- d-----w- c:\documents and settings\Robert Henthorn\Local Settings\Application Data\Apple Computer
2009-05-11 07:19 . 2009-05-11 07:19 -------- d-----w- c:\documents and settings\Robert Henthorn\Application Data\Apple Computer
2009-05-11 07:19 . 2009-03-19 21:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-11 07:19 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-05-11 07:18 . 2009-05-11 07:18 -------- d-----w- c:\program files\iPod
2009-05-11 07:18 . 2009-05-11 07:18 -------- d-----w- c:\program files\iTunes
2009-05-11 07:18 . 2009-05-11 07:18 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-11 07:18 . 2009-05-11 07:18 -------- d-----w- c:\program files\Common Files\Apple
2009-05-11 07:17 . 2009-05-11 07:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-05-11 07:17 . 2009-05-11 07:18 -------- d-----w- c:\program files\QuickTime Alternative
2009-05-11 07:15 . 2009-06-01 19:44 -------- d-----w- c:\documents and settings\Robert Henthorn\Application Data\gtk-2.0
2009-05-11 07:14 . 2009-05-11 07:14 2099 ----a-w- c:\documents and settings\Robert Henthorn\Application Data\.purple\certificates\x509\tls_peers\login.live.com
2009-05-11 07:13 . 2009-06-01 21:10 -------- d-----w- c:\documents and settings\Robert Henthorn\Application Data\.purple
2009-05-11 07:12 . 2009-05-11 07:13 -------- d-----w- c:\program files\Aspell
2009-05-11 07:11 . 2009-05-11 13:47 -------- d-----w- c:\program files\Pidgin
2009-05-11 07:11 . 2009-05-11 07:11 -------- d-----w- c:\program files\Common Files\GTK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-29 20:32 . 2009-02-12 18:05 514560 ----a-w- c:\windows\system32\logonuiX.exe
2009-05-27 11:09 . 2009-02-12 19:32 -------- d-----w- c:\program files\Samsung
2009-05-27 11:09 . 2009-02-12 19:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-21 12:23 . 2009-05-21 12:23 0 ----a-w- c:\windows\system32\drivers\144D_SAMSUNG_N_NC10_04CA.mrk
2009-05-11 13:34 . 2009-02-12 19:25 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-11 10:37 . 2009-02-12 18:05 218624 ----a-w- c:\windows\system32\uxtheme.dll
2009-05-11 08:08 . 2009-02-12 19:29 -------- d-----w- c:\program files\Java
2009-03-19 21:32 . 2009-03-19 21:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-06 14:22 . 2009-02-12 18:05 284160 ----a-w- c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 11:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-11 148888]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2008-10-27 298664]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-08-26 16851456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Robert Henthorn\Start Menu\Programs\Startup\
EeeRotate.lnk - c:\program files\EeeRotate\EeeRotate.exe [2009-5-24 416223]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-5-11 3450608]
Styler.lnk - c:\documents and settings\Robert Henthorn\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2009-5-11 15086]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-17 580200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [21/05/2009 16:43 108289]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [12/02/2009 20:29 4300]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [15/01/2008 04:01 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [12/02/2009 20:33 238464]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [02/08/2006 00:57 19840]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uInternet Settings,ProxyServer = wf2.thegrid.org.uk:80
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Robert Henthorn\Application Data\Mozilla\Firefox\Profiles\wb85nb0w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-02 11:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-02 11:06
ComboFix-quarantined-files.txt 2009-06-02 10:06

Pre-Run: 46,571,536,384 bytes free
Post-Run: 46,631,120,896 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

219 --- E O F --- 2009-05-21 20:38

After which, MBAM was able to run, and in so doing carried out these actions:

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

02/06/2009 11:27:30
mbam-log-2009-06-02 (11-27-30).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 102951
Time elapsed: 18 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3989e3b3-c94f-4b37-a122-1c4bead24621}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3989e3b3-c94f-4b37-a122-1c4bead24621}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks again.
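From a triage standpoint the MBAM section above is the informative part of this log: both ControlSet hives and the per-interface key had NameServer pointed at 85.255.112.166,85.255.112.67, so every DNS lookup on the box went to those resolvers regardless of browser (which is why search results redirected in Firefox), and Security Center's AntiVirusDisableNotify had been set to 1 so that the missing-antivirus warning stayed quiet. The script below is an added example, not from the original post and not Malwarebytes' own code: it parses the "Registry Data Items Infected" section of a log in this layout, pulls the resolver addresses out of every NameServer entry, and reports any that are not on an allow-list. The line-format regexes and the allow-list (a home router at 192.168.1.1) are assumptions made for the example; the three finding lines in the sample are copied from the log above.

```python
"""Triage helper for Malwarebytes (MBAM) log files.

Added example for the thread above; not part of the forum post and not
Malwarebytes' own code. It pulls the 'Registry Data Items Infected'
section apart and flags NameServer entries that point at resolvers the
machine is not expected to use. The line layout handled by LINE_RE and
the allow-list in EXPECTED_RESOLVERS are assumptions based on the log.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the three finding lines are copied from the MBAM log
# posted above; the section headers reproduce that log's layout.
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3989e3b3-c94f-4b37-a122-1c4bead24621}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.166,85.255.112.67 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# One MBAM registry-data line:  <key> (<detection>) -> <detail> -> <action>
LINE_RE = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.+?) \((?P<detection>[^()]+)\) -> "
    r"(?P<detail>.+?) -> (?P<action>.+)$"
)
DATA_RE = re.compile(r"^Data: (?P<data>.+)$")
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)$")


@dataclass
class RegistryFinding:
    key: str
    detection: str
    action: str
    data: Optional[str] = None   # value MBAM saw, for "Data:" lines
    bad: Optional[str] = None    # observed value, for "Bad:/Good:" lines
    good: Optional[str] = None   # value MBAM restored


def parse_registry_data_items(log_text: str) -> List[RegistryFinding]:
    """Return the findings listed under the 'Registry Data Items Infected:' header."""
    findings: List[RegistryFinding] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Registry Data Items Infected:":   # the summary count line has a number after the colon
            in_section = True
            continue
        if not in_section:
            continue
        if not line or line.endswith(":"):            # blank line or next header ends the section
            in_section = False
            continue
        m = LINE_RE.match(line)
        if not m:                                     # e.g. "(No malicious items detected)"
            continue
        f = RegistryFinding(key=m["key"], detection=m["detection"], action=m["action"])
        detail = m["detail"]
        d = DATA_RE.match(detail)
        bg = BADGOOD_RE.match(detail)
        if d:
            f.data = d["data"]
        elif bg:
            f.bad, f.good = bg["bad"], bg["good"]
        findings.append(f)
    return findings


def nameserver_entries(findings: List[RegistryFinding]) -> Dict[str, List[str]]:
    """Map each NameServer registry key to the resolver IPs it held."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        if f.key.lower().endswith("\\nameserver") and f.data:
            ips = []
            for item in f.data.split(","):
                try:
                    ips.append(str(ipaddress.ip_address(item.strip())))
                except ValueError:
                    continue                          # skip anything that is not an IP address
            out[f.key] = ips
    return out


def unexpected_resolvers(findings: List[RegistryFinding], expected: List[str]) -> List[str]:
    """Resolver IPs found in NameServer keys that are not on the allow-list."""
    allowed = {str(ipaddress.ip_address(ip)) for ip in expected}
    seen = set()
    for ips in nameserver_entries(findings).values():
        seen.update(ips)
    return sorted(seen - allowed)


# Constructed expectation for this example: the home router at 192.168.1.1
# hands out DNS, so any other resolver in NameServer deserves a look.
EXPECTED_RESOLVERS = ["192.168.1.1"]

if __name__ == "__main__":
    found = parse_registry_data_items(SAMPLE_LOG)
    for f in found:
        print(f"{f.detection:25} {f.key}")
    print("unexpected resolvers:", unexpected_resolvers(found, EXPECTED_RESOLVERS))
```

The Bad/Good pair on the Security Center line is kept separately from the Data field because it carries a different meaning: MBAM is reporting the value it found and the value it restored, so a triage script can tell "antivirus notifications were disabled" apart from "DNS was changed" without matching on the detection name alone.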

#6 joseibarra

joseibarra

  • Members
  • 1,285 posts
  • Gender:Male
  • Location:Downstairs
  • Local time:07:06 AM

Posted 02 June 2009 - 09:17 AM

Man, you took a lickin'!

I find these to be a reasonable arsenal for the current time:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware (SAS): http://www.superantispyware.com/
AVG (AVG): http://free.avg.com/

Everyone will have their favorites, but no single program can know or keep up with everything, so it is a good idea to have a couple (all free).

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.

#7 garmanma

garmanma

    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:08:06 AM

Posted 02 June 2009 - 12:02 PM

ComboFix logs should not be posted or discussed outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic in the Am I Infected forum.
http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/
Explain the nature of your problem. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

This topic is now closed.
The BC Staff
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter