still infected after Windows AntiVirus Pro


This topic is locked
36 replies to this topic

#1 big slick
  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:29 PM

Posted 21 August 2009 - 07:02 AM

Windows AntiVirus Pro was the first infection that corrupted my restore points so I had to try other measures. I seem to get by now only if I run mbam every single time I start up. If I leave it on and unattended, it populates itself with a host of bad stuff and becomes difficult to even run anything again. The recurrences are becoming frequent and some things, like hjgruilcuqswbj.dll (Trojan.TDSS) are always found. Also still have browser redirects. I will include DDS logs. I ran RootRepeal for several hours and it had flagged 10 or more files as invisible or with changed attributes when I went to bed. Unfortunately, the next morning I found the Windows login screen and it had recovered from an error with no log. I will try it again and if successful, will attach it as well. Your help and expertise would be greatly appreciated.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Alan at 9:42:35.68 on Thu 08/20/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1521 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Documents and Settings\Alan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {BD56A320-23F2-42AD-F4E4-00AAC39CAA53} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! §u®„¶C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: del.icio.us: {981fe6a8-260c-4930-960f-c3bc82746cb0} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
mRun: [nTrayFw] c:\program files\nvidia corporation\networkaccessmanager\bin\nTrayFw.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [WatchDog] c:\program files\mobile phonetools\WatchDog.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
dRun: [AntiSpyware Service] c:\windows\temp\j6uc3ri.exe
dRun: [NordBull] c:\windows\temp\cpv.exe
dRun: [segobojumi] Rundll32.exe "c:\windows\system32\sofokujo.dll",s
StartupFolder: c:\docume~1\alan\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alan\startm~1\programs\startup\palmre~1.lnk - c:\program files\palm\register.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\datavi~1.lnk - c:\program files\common files\dataviz\DvzIncMsgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {809132AF-89D2-4d52-AA03-AB4E35BBDC5B} - c:\program files\pokerstars.test\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206298899468
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206299593546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: dqyrhnvf - c:\documents and settings\alan\application data\dqyrhnvf.dll
Notify: rxhoeyxq - c:\windows\system32\config\systemprofile\application data\rxhoeyxq.dll
AppInit_DLLs: c:\windows\temp\441943kou.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli c:\windows\system32\halihupe.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2008-03-24 15:40 8 ---shr-- c:\windows\system32\9E11B1887B.sys
2008-05-01 23:17 5,642 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 9:45:35.03 ===============




Also, if it helps, here is last (and typical) log from MalwareBytes AntiMalware:

Malwarebytes' Anti-Malware 1.39
Database version: 2548
Windows 5.1.2600 Service Pack 3

8/21/2009 7:07:32 AM
mbam-log-2009-08-21 (07-07-26).txt

Scan type: Quick Scan
Objects scanned: 137520
Time elapsed: 20 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruilcuqswbj.dll (Trojan.TDSS) -> No action taken.
C:\Documents and Settings\Alan\Application Data\dqyrhnvf.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dqyrhnvf (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\hjgruilcuqswbj.dll (Trojan.TDSS) -> No action taken.
c:\documents and settings\Alan\application data\dqyrhnvf.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.


Edit to add:

Finally got RootRepeal to run with some options unchecked.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/22 07:40
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 000008CF
Image Path: 000008CF
Address: 0x893A6000 Size: 41219 File Visible: No Signed: -
Status: -

Name: 000008CF
Image Path: 000008CF
Address: 0xA82C1000 Size: 73984 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: dump_nvata.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xA8FCC000 Size: 102400 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xAC0A4000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hjgruiiciardyu.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruiiciardyu.sys
Address: 0xB203C000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA659B000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
ServiceTable Hooked [0x8933ca68]!

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruilcuqswbj.dll]
Process: svchost.exe (PID: 972) Address: 0x008a0000 Size: 28672

Object: Hidden Module [Name: hjgruivtocfmhv.dll]
Process: svchost.exe (PID: 972) Address: 0x008d0000 Size: 57344

==EOF==

It had found a dozen files in the run before this before it hung again.
Several had filenames starting with "hjgrui" and a few starting with "sqlite_", but it had run for 24 hours so I started over.

Edited by big slick, 22 August 2009 - 06:58 AM.



#2 sempai
    noypi
  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:29 AM

Posted 01 September 2009 - 03:59 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 big slick
  • Topic Starter
  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:29 PM

Posted 01 September 2009 - 10:35 AM

Thanks for the response. I had many attacks including Windows AntiVirus Pro and PC AntiVirus 2010 but managed to keep them knocked down with mbam. Finally, a few days ago, an mbam update was finally able to remove the files that it was previously unsuccessful with. It now returns (No malicious items detected) and I haven't seen any new malware symptoms in the last few days.

I would still like help/verification of PC health and recommendations on shoring up my anti-malware and firewall defenses. My McAfee subscription expires soon and I would appreciate any other suggested options at conclusion.

New DDS and Attach files included:



DDS (Ver_09-07-30.01) - NTFSx86
Run by Alan at 10:48:02.00 on Tue 09/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1564 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\Documents and Settings\Alan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Yahoo! §u®„¶C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: del.icio.us: {981fe6a8-260c-4930-960f-c3bc82746cb0} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
mRun: [nTrayFw] c:\program files\nvidia corporation\networkaccessmanager\bin\nTrayFw.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [WatchDog] c:\program files\mobile phonetools\WatchDog.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
dRun: [segobojumi] Rundll32.exe "c:\windows\system32\sofokujo.dll",s
StartupFolder: c:\docume~1\alan\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alan\startm~1\programs\startup\palmre~1.lnk - c:\program files\palm\register.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\datavi~1.lnk - c:\program files\common files\dataviz\DvzIncMsgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {809132AF-89D2-4d52-AA03-AB4E35BBDC5B} - c:\program files\pokerstars.test\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206298899468
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206299593546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli c:\windows\system32\halihupe.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-23 214024]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-21 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-3-23 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-3-23 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-27 24652]
R3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [2008-3-23 1310720]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-23 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-23 35272]
R3 phil2vid;Philips USB VGA Camera;c:\windows\system32\drivers\philcam2.sys [2008-11-20 173696]
S2 lhbvc;lhbvc;\??\c:\windows\system32\drivers\ueomppitu.sys --> c:\windows\system32\drivers\ueomppitu.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-23 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-23 40552]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-3-23 606736]

=============== Created Last 30 ================

2009-08-25 03:55 18,328 a------- c:\windows\gyzemogosu.vbs
2009-08-25 03:55 17,716 a------- c:\docume~1\alan\applic~1\ybibeko.dat
2009-08-25 03:55 17,207 a------- c:\windows\system32\iposypuhu.dl
2009-08-25 03:55 15,737 a------- c:\windows\system32\hokemo._sy
2009-08-25 03:55 14,842 a------- c:\program files\common files\kazu.bin
2009-08-25 03:55 14,774 a------- c:\windows\system32\fofa.reg
2009-08-25 03:55 13,969 a------- c:\windows\foqihyh.lib
2009-08-25 03:55 13,740 a------- c:\windows\system32\samily.scr
2009-08-25 03:55 13,684 a------- c:\windows\jusovycado.exe
2009-08-25 03:55 13,659 a------- c:\windows\system32\vyfikycilo.sys
2009-08-25 03:55 13,452 a------- c:\docume~1\alluse~1\applic~1\wycov.pif
2009-08-25 03:55 12,385 a------- c:\windows\irefumuwep.reg
2009-08-25 03:55 11,133 a------- c:\windows\system32\wixeho.bat
2009-08-25 03:55 10,097 a------- c:\windows\cecyhem.ban
2009-08-13 04:57 1 a------- c:\windows\4ff345dfbh521
2009-08-13 04:44 9,388 a------- c:\windows\th1234.dat
2009-08-06 20:56 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-06 03:03 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-06 03:03 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-06 03:03 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-06 03:03 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-06 03:03 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-06 03:03 <DIR> --d----- C:\ad66ef36956fb95a37a38f147419
2009-08-06 03:03 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-06 03:03 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-06 03:03 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-06 03:02 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-02 23:17 <DIR> --d----- C:\_OTM
2009-08-02 21:04 <DIR> --d----- c:\docume~1\alan\applic~1\GetRightToGo

==================== Find3M ====================

2009-08-28 14:50 363,582 a------- c:\windows\system32\hjgruiitupnanp.dat
2009-08-25 03:55 12,997 a------- c:\program files\common files\doqepyq.db
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2008-10-10 20:29 0 a---h--- c:\documents and settings\alan\hpothb07.dat
2008-04-22 11:55 21,408 a------- c:\docume~1\alan\applic~1\GDIPFONTCACHEV1.DAT
2008-03-24 15:37 1,386,064 a------- c:\docume~1\alluse~1\applic~1\pswi_preloaded.exe
2007-12-21 15:12 1,719,336 a------- c:\docume~1\alluse~1\applic~1\YugmaSE-Uninstaller.exe
2008-03-24 15:40 8 ---shr-- c:\windows\system32\9E11B1887B.sys
2008-05-01 23:17 5,642 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 10:49:05.68 ===============

Again, thank you.

#4 extremeboy (Malware Response Team)

Posted 05 September 2009 - 05:25 PM

Hello.

I still see several infection related files and registry items on your computer.

Please run a new scan with RootRepeal and a new scan with DDS as well.

Post back with those logs once they are done.

Thanks.

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 big slick (Topic Starter)

Posted 05 September 2009 - 10:59 PM

Thank you for your attention. Posting new DDS files. I will start RootRepeal and add that report when it finishes.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Alan at 23:46:50.57 on Sat 09/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1447 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Documents and Settings\Alan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Yahoo! §u®„¶C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: del.icio.us: {981fe6a8-260c-4930-960f-c3bc82746cb0} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
mRun: [nTrayFw] c:\program files\nvidia corporation\networkaccessmanager\bin\nTrayFw.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [WatchDog] c:\program files\mobile phonetools\WatchDog.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
dRun: [segobojumi] Rundll32.exe "c:\windows\system32\sofokujo.dll",s
StartupFolder: c:\docume~1\alan\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alan\startm~1\programs\startup\palmre~1.lnk - c:\program files\palm\register.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {809132AF-89D2-4d52-AA03-AB4E35BBDC5B} - c:\program files\pokerstars.test\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206298899468
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206299593546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli c:\windows\system32\halihupe.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-23 214024]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-21 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-3-23 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-3-23 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-27 24652]
R3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [2008-3-23 1310720]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-23 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-23 35272]
R3 phil2vid;Philips USB VGA Camera;c:\windows\system32\drivers\philcam2.sys [2008-11-20 173696]
S2 lhbvc;lhbvc;\??\c:\windows\system32\drivers\ueomppitu.sys --> c:\windows\system32\drivers\ueomppitu.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-23 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-23 40552]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-3-23 606736]

=============== Created Last 30 ================

2009-08-25 03:55 18,328 a------- c:\windows\gyzemogosu.vbs
2009-08-25 03:55 17,716 a------- c:\docume~1\alan\applic~1\ybibeko.dat
2009-08-25 03:55 17,207 a------- c:\windows\system32\iposypuhu.dl
2009-08-25 03:55 15,737 a------- c:\windows\system32\hokemo._sy
2009-08-25 03:55 14,842 a------- c:\program files\common files\kazu.bin
2009-08-25 03:55 14,774 a------- c:\windows\system32\fofa.reg
2009-08-25 03:55 13,969 a------- c:\windows\foqihyh.lib
2009-08-25 03:55 13,740 a------- c:\windows\system32\samily.scr
2009-08-25 03:55 13,684 a------- c:\windows\jusovycado.exe
2009-08-25 03:55 13,659 a------- c:\windows\system32\vyfikycilo.sys
2009-08-25 03:55 13,452 a------- c:\docume~1\alluse~1\applic~1\wycov.pif
2009-08-25 03:55 12,385 a------- c:\windows\irefumuwep.reg
2009-08-25 03:55 11,133 a------- c:\windows\system32\wixeho.bat
2009-08-25 03:55 10,097 a------- c:\windows\cecyhem.ban
2009-08-13 04:57 1 a------- c:\windows\4ff345dfbh521
2009-08-13 04:44 9,388 a------- c:\windows\th1234.dat

==================== Find3M ====================

2009-08-28 14:50 363,582 a------- c:\windows\system32\hjgruiitupnanp.dat
2009-08-25 03:55 12,997 a------- c:\program files\common files\doqepyq.db
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2008-10-10 20:29 0 a---h--- c:\documents and settings\alan\hpothb07.dat
2008-04-22 11:55 21,408 a------- c:\docume~1\alan\applic~1\GDIPFONTCACHEV1.DAT
2008-03-24 15:37 1,386,064 a------- c:\docume~1\alluse~1\applic~1\pswi_preloaded.exe
2007-12-21 15:12 1,719,336 a------- c:\docume~1\alluse~1\applic~1\YugmaSE-Uninstaller.exe
2008-03-24 15:40 8 ---shr-- c:\windows\system32\9E11B1887B.sys
2008-05-01 23:17 5,642 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 23:47:42.12 ===============

#6 extremeboy (Malware Response Team)

Posted 06 September 2009 - 09:51 AM

Hello.

I'll await the RootRepeal log. Those infections are still on your system. I want to see if there's anything else.

~Extremeboy

#7 big slick (Topic Starter)

Posted 07 September 2009 - 10:59 PM

Pasted and attached new RootRepeal log.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/06 00:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_nvata.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xA7C88000 Size: 102400 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xA96D6000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9630000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\sqlite_b3j4ijvruvyibzn
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_z4jae1dtlnueljt
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_fjnvqa4d57dredw
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_jaumhbzfnh4j0qu
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\All Users\Application Data\Pure Networks\Platform\networklib.xml
Status: Could not get file information (Error 0xc0000008)

Path: \\?\C:\Documents and Settings\Alan\Local Settings\History\History.IE5\MSHist012009090520090906\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: C:\Documents and Settings\Alan\Local Settings\History\History.IE5\MSHist012009090520090906\index.dat
Status: Invisible to the Windows API!

Hidden Services
-------------------
Service Name: hjgruioitsbiiu
Image Path: C:\WINDOWS\system32\drivers\hjgruiiciardyu.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACoynapjcxxvoywmanm.sys

==EOF==

Attached file: ark.txt (3.69KB, 8 downloads)

Edited by big slick, 07 September 2009 - 11:01 PM.


#8 extremeboy (Malware Response Team)

Posted 08 September 2009 - 03:11 PM

Hello.

Yes, one of the infections is a rootkit.

Regarding rootkits...

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you wish to continue...

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

With Regards,
Extremeboy
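
The two logs posted above (the DDS output in #5 and the RootRepeal output in #7) support the conclusion in this reply mechanically, not just by eye. The Python below is an added example and is not part of this thread, of DDS or of RootRepeal: it takes a constructed sample excerpted from those two logs and applies the checks a responder makes by hand. AppInit_DLLs, LSA Notification Packages beyond scecli, a rundll32 Run value in the Default User hive, DisableTaskMgr=1 and an auto-start service whose image DDS could not read are each flagged from the DDS text; a burst of randomly named files created in the same minute is flagged as a dropper pattern; and the Hidden Services block from RootRepeal is reported as the rootkit evidence (the opening post already records MBAM labelling an hjgrui* file as Trojan.TDSS). The rule names, the burst thresholds and the "[?]" convention being read as "image unreadable" are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the DDS log and the RootRepeal log
# posted in this thread, trimmed to the entries the checks below look at.
DDS_SAMPLE = r"""mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [segobojumi] Rundll32.exe "c:\windows\system32\sofokujo.dll",s
dPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: cru629.dat
LSA: Notification Packages = scecli c:\windows\system32\halihupe.dll
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-23 214024]
S2 lhbvc;lhbvc;\??\c:\windows\system32\drivers\ueomppitu.sys --> c:\windows\system32\drivers\ueomppitu.sys [?]
2009-08-25 03:55 18,328 a------- c:\windows\gyzemogosu.vbs
2009-08-25 03:55 17,716 a------- c:\docume~1\alan\applic~1\ybibeko.dat
2009-08-25 03:55 17,207 a------- c:\windows\system32\iposypuhu.dl
2009-08-25 03:55 15,737 a------- c:\windows\system32\hokemo._sy
2009-08-25 03:55 14,842 a------- c:\program files\common files\kazu.bin
2009-08-25 03:55 14,774 a------- c:\windows\system32\fofa.reg
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
"""

ROOTREPEAL_SAMPLE = r"""Hidden Services
-------------------
Service Name: hjgruioitsbiiu
Image Path: C:\WINDOWS\system32\drivers\hjgruiiciardyu.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACoynapjcxxvoywmanm.sys

==EOF==
"""

# Thresholds for the drop-burst rule are assumptions, not anything DDS defines.
BURST_MIN_FILES = 5
BURST_MIN_EXTENSIONS = 3

# "YYYY-MM-DD HH:MM <size> <attrs> <path>" as DDS prints Created Last 30 / Find3M entries.
CREATED_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) [\d,]+ \S+ (.+)$")


def triage_dds(text):
    """Return (rule, evidence) findings from DDS output."""
    findings = []
    created = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        # Rule 1: any AppInit_DLLs value is loaded into every process that loads user32.
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(("appinit_dll", line))
        # Rule 2: LSA notification packages other than scecli run inside lsass.exe.
        elif line.startswith("LSA: Notification Packages ="):
            extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "scecli"]
            if extra:
                findings.append(("lsa_notification_package", " ".join(extra)))
        # Rule 3: a Run value in the Default User hive (dRun) loading a DLL through rundll32.
        elif line.startswith("dRun:") and "rundll32" in line.lower():
            findings.append(("default_user_rundll32", line))
        # Rule 4: DisableTaskMgr=1 is a policy malware sets to hinder manual cleanup.
        elif re.search(r"DisableTaskMgr\s*=\s*1\b", line):
            findings.append(("taskmgr_disabled", line))
        # Rule 5: an auto-start service (S2) whose image DDS could not read, marked "[?]".
        elif re.match(r"S2 .*\[\?\]$", line):
            findings.append(("autostart_service_missing_image", line))
        # Collect file-creation entries for the burst check.
        m = CREATED_RE.match(line)
        if m:
            created[m.group(1)].append(m.group(2))
    # Rule 6: many files with unrelated extensions created in the same minute is a dropper pattern.
    for minute, paths in created.items():
        exts = {p.rsplit(".", 1)[-1].lower() for p in paths if "." in p}
        if len(paths) >= BURST_MIN_FILES and len(exts) >= BURST_MIN_EXTENSIONS:
            findings.append(("same_minute_drop_burst", f"{minute}: {len(paths)} files"))
    return findings


def hidden_services(text):
    """Return (service_name, image_path) pairs from RootRepeal's Hidden Services section."""
    pairs, in_section, name = [], False, None
    for line in text.splitlines():
        line = line.strip()
        if line == "Hidden Services":
            in_section = True
        elif line == "==EOF==":
            in_section = False
        elif in_section and line.startswith("Service Name:"):
            name = line.split(":", 1)[1].strip()
        elif in_section and line.startswith("Image Path:") and name:
            pairs.append((name, line.split(":", 1)[1].strip()))
            name = None
    return pairs


def triage(dds_text, rootrepeal_text):
    """Combine both logs into one finding list; hidden services are the rootkit evidence."""
    findings = triage_dds(dds_text)
    for name, path in hidden_services(rootrepeal_text):
        findings.append(("hidden_service", f"{name} -> {path}"))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(DDS_SAMPLE, ROOTREPEAL_SAMPLE):
        print(f"{rule:32} {evidence}")
```

Run against the sample it reports all seven rules, one finding each except two hidden services; the benign McAfee service and the NVIDIA rundll32 entry produce nothing. The rules are deliberately narrow: a kernel driver that is a hidden service is not something a benign installer leaves behind, which is why that finding, not the file count, is what turns "infected" into "rootkit, rebuild the host".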

#9 big slick (Topic Starter)

Posted 09 September 2009 - 12:15 AM

I would like to continue cleaning while I set up a new hard drive with OS before wiping this one. However...

I cannot save ComboFix??? I can still save other files like DDS. I even tried renaming it, but I just get this error when the download seems complete:

Error Copying File or Folder
Cannot copy ComboFix[1]: Access is denied.
Make sure the disk is not full or write-protected
and that the file is not currently in use.

#10 extremeboy (Malware Response Team)

Posted 09 September 2009 - 03:08 PM

Hello.

Thanks for reporting that to me. I would like you to run Win32KDiag...

Download and Run Win32KDiag

Please download Win32kDiag from one of the links below and save it to your desktop.

Link 1
Link 2
Link 3
  • Double-click on Win32kDiag.exe to run it. If you are using Windows Vista, please right-click it and select Run As Administrator.
  • A black command prompt window shall appear.
  • It will now begin to scan. This may take a while, so please be patient until the scan is complete.
  • Once it's done, the black window will say "Finished! Press any key to exit...". Press any key to exit.
  • A log file called Win32kDiag.txt will be created on your desktop.
  • Please copy and paste the contents of that log file here in your next reply.


#11 big slick (Topic Starter)

Posted 10 September 2009 - 02:10 AM

This is it; it only ran for a couple of minutes:


Log file is located at: C:\Documents and Settings\Alan\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

Edited by big slick, 10 September 2009 - 02:12 AM.


#12 extremeboy (Malware Response Team)

Posted 10 September 2009 - 03:00 PM

Hello.

Let's try Combofix again. See if it makes any difference.

Download and Run ComboFix (Rename Before Saving)


Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Save it as Svchost.exe INSTEAD of Combo-Fix.exe as illustrated in the images please.

Link 1
Link 2
Link 3

Refer to the page below for further instructions on running ComboFix. This includes installing the Recovery Console. Note that you do not need your Windows XP disk to install it. Refer to this page if you are unsure how.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.

Double click on Svchost.exe & follow the prompts.

When finished, it will open a report for you. Post back with it. It is at C:\ComboFix.txt.

Do not mouseclick the ComboFix window while it's running. That may cause it to stall.

If it still doesn't work, let me know. Also run RootRepeal and DDS again afterwards IF ComboFix did not work.

Thanks.

~Extremeboy

#13 big slick (Topic Starter)

Posted 10 September 2009 - 08:00 PM

Still can't save it. Even though I rename it, I get the same exact error that I had above.

#14 extremeboy (Malware Response Team)

Posted 10 September 2009 - 08:13 PM

Hello.

Try the following...

Download and Run FixSwen
  • Please download Fixswen and save it to your desktop
  • Now right-click on the file and choose install
  • Follow any prompts afterwards to let the tool finish its fix.
Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following if it's ticked:
  • Hide extensions for known file types
Click Apply and then click OK.

Now try renaming Combofix's extension to Svchost.bat and run it again. If it doesn't work let me know please. We'll try something else then.

With Regards,
Extremeboy

#15 big slick (Topic Starter)

Posted 10 September 2009 - 11:24 PM

Completed. Still no luck; exactly the same error.

Can ComboFix be run from a USB thumb drive by any chance? (If I can download it on a different computer.)
