Browsers and anti-malware software disabled


  • This topic is locked
2 replies to this topic

#1 tyronet


  • Members
  • 1 posts

Posted 12 September 2009 - 03:21 PM

Hi there,

I had a very unpleasant malware experience and I wanted to post my findings to help others and to make sure I have completely removed the problem. I'm also concerned that, while infected, passwords and other confidential info may have been compromised.

I am running XP Professional Version 2002 SP3. I have Avira AntiVir Personal, Windows Firewall, and Spyware Doctor, which was disabled at the time of infection. None of these tools seemed to notice or mind the takeover of my computer, and neither scan detected any compromise.

I first detected a problem when Firefox started running slowly. I did a reinstall and then it wouldn't start at all. IE would start, but was not able to view any websites (it just showed a white screen). Google Chrome was the only browser which worked. I first tried to scan with Spyware Doctor and Avira, which showed no infection. I next tried installing HijackThis, MBAM and other MicroTrend products, all of which would terminate after install, shortly after startup, even after executable renaming.

I did some Google searching and came across ComboFix, which ran successfully (thank god). Here are the results from the log file:


################ (log separator used throughout post)


ComboFix 09-09-11.05 - User 09/12/2009 11:07.1.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1380 [GMT -7:00]
Running from: c:\documents and settings\User\Documents\Downloads\ffd.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\MW
c:\program files\MW\changes.rtf
c:\program files\MW\Languages\albanian.lng
c:\program files\MW\Languages\arabic.lng
c:\program files\MW\Languages\bosnian.lng
c:\program files\MW\Languages\bulgarian.lng
c:\program files\MW\Languages\catalan.lng
c:\program files\MW\Languages\chineseSI.lng
c:\program files\MW\Languages\chineseTR.lng
c:\program files\MW\Languages\croatian.lng
c:\program files\MW\Languages\czech.lng
c:\program files\MW\Languages\danish.lng
c:\program files\MW\Languages\dutch.lng
c:\program files\MW\Languages\english.lng
c:\program files\MW\Languages\estonian.lng
c:\program files\MW\Languages\finnish.lng
c:\program files\MW\Languages\french.lng
c:\program files\MW\Languages\german.lng
c:\program files\MW\Languages\greek.lng
c:\program files\MW\Languages\hebrew.lng
c:\program files\MW\Languages\hungarian.lng
c:\program files\MW\Languages\italian.lng
c:\program files\MW\Languages\korean.lng
c:\program files\MW\Languages\latvian.lng
c:\program files\MW\Languages\macedonian.lng
c:\program files\MW\Languages\norwegian.lng
c:\program files\MW\Languages\polish.lng
c:\program files\MW\Languages\portugueseBR.lng
c:\program files\MW\Languages\portuguesePT.lng
c:\program files\MW\Languages\romanian.lng
c:\program files\MW\Languages\russian.lng
c:\program files\MW\Languages\serbian.lng
c:\program files\MW\Languages\slovak.lng
c:\program files\MW\Languages\slovenian.lng
c:\program files\MW\Languages\spanish.lng
c:\program files\MW\Languages\swedish.lng
c:\program files\MW\Languages\turkish.lng
c:\program files\MW\Languages\ukrainian.lng
c:\program files\MW\license.txt
c:\program files\MW\mbam.chm
c:\program files\MW\mbam.dll
c:\program files\MW\mbam.exe
c:\program files\MW\mbamext.dll
c:\program files\MW\mbamgui.exe
c:\program files\MW\mbamservice.exe
c:\program files\MW\ssubtmr6.dll
c:\program files\MW\unins000.dat
c:\program files\MW\unins000.exe
c:\program files\MW\unins000.msg
c:\program files\MW\vbalsgrid6.ocx
c:\program files\MW\zlib.dll
c:\windows\AegisP.inf
c:\windows\Installer\DW20.msi
c:\windows\system32\MabryObj.dll
c:\windows\Temp\tmp3.tmp

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

-- Previous Run --

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-12 to 2009-09-12 )))))))))))))))))))))))))))))))
.

2009-09-12 17:56 . 2009-09-12 17:56 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple_Inc
2009-09-12 17:55 . 2009-09-12 17:55 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-09-12 17:55 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-12 17:55 . 2009-09-12 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-12 17:55 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-12 17:37 . 2009-09-12 17:37 -------- d-----w- c:\program files\Trend Micro
2009-09-12 17:24 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-12 02:00 . 2009-09-12 02:01 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-12 01:59 . 2009-09-12 02:00 -------- d-----w- c:\program files\Safari
2009-09-12 01:51 . 2009-09-12 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-12 01:47 . 2009-09-12 01:49 -------- d-----w- c:\program files\QuickTime
2009-09-12 00:39 . 2009-09-12 00:39 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Mozilla
2009-09-12 00:39 . 2009-09-12 00:39 -------- d-----w- c:\documents and settings\User\.tucan
2009-09-11 23:44 . 2009-09-11 23:44 -------- d-----w- c:\documents and settings\User\Application Data\Mozilla(2)
2009-09-11 23:44 . 2009-09-12 00:39 -------- d-----w- c:\program files\Mozilla Firefox(2)
2009-09-11 03:51 . 2009-09-11 03:51 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-09-09 07:18 . 2009-09-09 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-09-09 07:18 . 2009-09-09 07:18 -------- d-----w- c:\program files\Rosetta Stone
2009-09-03 16:33 . 2009-09-03 16:33 -------- d-----w- c:\program files\Tucan
2009-09-01 00:02 . 2009-09-01 00:07 -------- d-----w- c:\program files\Auction Sentry
2009-08-31 23:13 . 2009-08-31 23:13 -------- d-----w- c:\program files\BonfireSoft
2009-08-31 05:18 . 2009-08-31 05:18 -------- d-----w- c:\program files\RAR Password Cracker
2009-08-31 00:07 . 2009-09-08 16:55 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Xobni
2009-08-31 00:05 . 2009-08-31 00:07 -------- d-----w- c:\program files\Xobni
2009-08-31 00:04 . 2009-08-31 00:07 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\ApplicationHistory
2009-08-18 06:06 . 2009-08-18 06:06 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Easy CD-DA Extractor
2009-08-18 06:06 . 2009-08-18 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Easy CD-DA Extractor
2009-08-18 06:06 . 2009-08-18 06:06 -------- d-----w- c:\program files\Easy CD-DA Extractor 12
2009-08-18 06:06 . 2009-08-18 06:06 -------- d-----w- c:\windows\Easy CD-DA Extractor 12.0.1
2009-08-18 06:03 . 2009-08-18 06:03 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Ahead
2009-08-15 03:04 . 2009-08-15 03:04 -------- d-----w- c:\program files\eMule
2009-08-13 20:27 . 2009-08-13 20:27 -------- d-----w- c:\windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-12 18:22 . 2009-05-19 16:13 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2009-09-12 18:22 . 2009-05-19 16:14 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2009-09-12 17:40 . 2009-05-19 16:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-12 17:29 . 2009-05-24 10:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-12 02:18 . 2009-05-21 09:26 -------- d-----w- c:\documents and settings\User\Application Data\Apple Computer
2009-09-12 01:55 . 2009-05-21 09:25 -------- d-----w- c:\program files\iTunes
2009-09-12 01:52 . 2009-05-21 09:26 -------- d-----w- c:\program files\iPod
2009-09-12 01:43 . 2009-05-21 09:23 -------- d-----w- c:\program files\Common Files\Apple
2009-09-12 00:40 . 2009-06-03 12:26 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
2009-09-12 00:39 . 2009-05-19 20:00 -------- d-----w- c:\program files\Spyware Doctor
2009-09-11 16:28 . 2009-08-02 09:05 -------- d-----w- c:\documents and settings\User\Application Data\vlc
2009-09-09 07:19 . 2009-05-25 11:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-31 00:02 . 2009-06-03 12:25 -------- d-----w- c:\program files\Vuze
2009-08-29 02:42 . 2009-05-26 17:37 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 02:42 . 2009-05-26 17:37 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-24 19:18 . 2009-08-02 17:27 -------- d-----w- c:\documents and settings\User\Application Data\dvdcss
2009-08-09 18:32 . 2009-05-19 19:18 -------- d-----w- c:\program files\BabasChess
2009-08-06 01:50 . 2009-08-06 01:50 -------- d-----w- c:\documents and settings\User\Application Data\Intuit
2009-08-06 01:50 . 2009-08-06 01:50 -------- d-----w- c:\program files\ItsDeductible2006
2009-08-06 01:49 . 2009-08-06 01:49 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2009-08-06 01:49 . 2009-05-19 09:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-06 01:48 . 2009-08-06 01:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-08-06 01:47 . 2009-08-06 01:47 -------- d-----w- c:\program files\Common Files\Intuit
2009-08-06 01:45 . 2009-08-06 01:45 -------- d-----w- c:\program files\TurboTax
2009-08-06 01:14 . 2009-08-06 01:14 -------- d-----w- c:\documents and settings\User\Application Data\InstallShield
2009-08-05 19:51 . 2009-05-19 16:44 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-30 21:30 . 2009-07-30 21:30 -------- d-----w- c:\program files\Network Stumbler
2009-07-16 18:22 . 2009-07-16 18:22 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_netaapl_01005.Wdf
2009-07-16 18:22 . 2009-07-16 18:22 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-16 03:29 . 2009-07-16 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-07-16 02:59 . 2009-07-16 02:59 -------- d-----w- c:\documents and settings\User\Application Data\Marvell
2009-07-16 00:27 . 2009-07-15 22:34 -------- d-----w- c:\program files\Hewlett-Packard
2009-07-15 22:48 . 2009-05-19 10:41 81176 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-15 22:34 . 2009-07-15 22:32 -------- d-----w- c:\program files\HP
2009-07-15 22:32 . 2009-07-15 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-07-15 22:29 . 2009-07-15 22:29 -------- d-----w- c:\documents and settings\User\Application Data\Hewlett-Packard
2009-07-15 22:29 . 2009-07-15 22:29 -------- d-----w- c:\documents and settings\User\Application Data\HP
2008-12-31 08:38 . 2009-08-18 19:13 2728798 ----a-w- c:\program files\Buenos Aires 09 150.JPG
2008-12-31 08:38 . 2009-08-18 19:13 2702602 ----a-w- c:\program files\Buenos Aires 09 149.JPG
2008-12-31 08:38 . 2009-08-18 19:13 2398840 ----a-w- c:\program files\Buenos Aires 09 148.JPG
2008-12-31 08:37 . 2009-08-18 19:13 2559717 ----a-w- c:\program files\Buenos Aires 09 147.JPG
2008-12-31 08:36 . 2009-08-18 19:13 2668533 ----a-w- c:\program files\Buenos Aires 09 146.JPG
2008-12-31 08:36 . 2009-08-18 19:13 2639363 ----a-w- c:\program files\Buenos Aires 09 145.JPG
2008-12-31 08:36 . 2009-08-18 19:13 2751994 ----a-w- c:\program files\Buenos Aires 09 144.JPG
2008-12-31 08:36 . 2009-08-18 19:13 2789925 ----a-w- c:\program files\Buenos Aires 09 143.JPG
2008-12-31 08:36 . 2009-08-18 19:13 2788571 ----a-w- c:\program files\Buenos Aires 09 142.JPG
2008-12-31 08:36 . 2009-08-18 19:13 2761731 ----a-w- c:\program files\Buenos Aires 09 141.JPG
2008-12-31 08:36 . 2009-08-18 19:13 2774308 ----a-w- c:\program files\Buenos Aires 09 140.JPG
2008-12-31 08:36 . 2009-08-18 19:13 2629592 ----a-w- c:\program files\Buenos Aires 09 139.JPG
2008-12-31 08:36 . 2009-08-18 19:13 2662957 ----a-w- c:\program files\Buenos Aires 09 138.JPG
2008-12-31 08:36 . 2009-08-18 19:13 2643378 ----a-w- c:\program files\Buenos Aires 09 137.JPG
2008-12-31 08:36 . 2009-08-18 19:13 2570653 ----a-w- c:\program files\Buenos Aires 09 136.JPG
2008-12-31 08:35 . 2009-08-18 19:13 2750499 ----a-w- c:\program files\Buenos Aires 09 135.JPG
2008-12-31 08:35 . 2009-08-18 19:13 2703194 ----a-w- c:\program files\Buenos Aires 09 134.JPG
2008-12-31 08:35 . 2009-08-18 19:13 2784829 ----a-w- c:\program files\Buenos Aires 09 133.JPG
2009-05-24 10:47 . 2009-05-24 10:47 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-02 24264488]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-24 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DWPersistentQueuedReporting"="c:\program files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE" [2007-02-26 437160]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-09-05 118784]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2007-09-17 53248]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-05-24 30192]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-24 68592]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-03 148888]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"PrnStatusMX"="c:\program files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe" [2007-08-29 1077248]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-2-2 2756608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-05-16 18:50 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\TosBtPCS.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/24/2009 03:54 130424]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/19/2009 09:44 108289]
R2 WMDrive;WMDrive;c:\windows\system32\drivers\WMDrive.sys [5/24/2009 03:33 37376]
R3 5U870UVC;Sony Visual Communication Camera VGP-VCC7;c:\windows\system32\drivers\5U870.sys [8/4/2009 12:40 90240]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [5/19/2009 09:06 41216]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [5/19/2009 03:52 71961]
S2 gupdate1c9dc5d312aaa5e;Google Update Service (gupdate1c9dc5d312aaa5e);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2009 03:48 133104]
S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [5/24/2009 03:47 30192]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [6/30/2009 10:21 17408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/24/2009 03:54 348752]
S3 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [5/6/2009 18:21 45288]
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-09-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-24 10:44]

2009-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 10:48]

2009-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 10:48]

2009-09-12 c:\windows\Tasks\User_Feed_Synchronization-{E0FC6819-AD2E-496B-9741-D612E85CE3B4}.job
- c:\windows\system32\msfeedssync.exe [2008-04-14 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/ig
mStart Page = hxxp://linklol.com/homepage/
uInternet Settings,ProxyOverride = *.local
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=GRfox000
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-12 11:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1212)
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(3288)
c:\program files\Google\Quick Search Box\bin\1.2.1137.3514\qsb.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
.
**************************************************************************
.
Completion time: 2009-09-12 11:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-12 18:25

Pre-Run: 3,463,692,288 bytes free
Post-Run: 3,661,549,568 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

312


################


I then re-installed and ran MBAM. It found 20 infections. Here are the results:


################


Malwarebytes' Anti-Malware 1.41
Database version: 2785
Windows 5.1.2600 Service Pack 3

9/12/2009 12:04:01
mbam-log-2009-09-12 (12-04-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 184015
Time elapsed: 30 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sunjavaupdatesched (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Program Files\Java\jre6\bin\jusched.exe (Trojan.Agent) -> Quarantined and deleted successfully.


################


I then installed and ran Housecall, which only found 1 infection in an old file, which may have been there before. IE works again. I completely uninstalled and re-installed Firefox, which also works again. Finally, I re-installed and ran HiJackThis, the results of which are posted below. I would be very grateful for any information on the virus and whether my passwords have been compromised and how to remove any further signs of the infection.

Thanks for your help!

Tyrone


################


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:02:51, on 9/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/ig
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://linklol.com/homepage/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] ;C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [IntelZeroConfig] ;"C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] ;"C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Apoint] ;C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /nosplash /min
O4 - HKLM\..\Run: [NeroFilterCheck] ;C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] ;"C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] ;"C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [HP Software Update] ;C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpbdfawep] ;C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [PrnStatusMX] ;C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
O4 - HKLM\..\Run: [QuickTime Task] ;"C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\MW\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Xobni\Skype4Com.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c9dc5d312aaa5e) (gupdate1c9dc5d312aaa5e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe

--
End of file - 11046 bytes



#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:59 PM

Posted 27 September 2009 - 11:15 PM

Hello and :( to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

*If you have since resolved the original problem you were having, we would appreciate you letting us know.

*If not please perform the following steps below so we can have a look at the current condition of your machine.

*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

**If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

----------------------------*-------------------------------

We need to see some information about what is happening in your machine.

Please perform the following scan:


  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:(

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:59 PM

Posted 08 October 2009 - 05:24 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?



