
Infected with a new rootkit variant


3 replies to this topic

#1 sicopunch

sicopunch

  • Members
  • 9 posts

Posted 21 September 2009 - 11:54 PM

I had posted my problem in another forum and eventually was directed here. I guess my CPU has a very bad rootkit. I have read the Preparation guide and followed it per all instructions. I cannot get the Rootrepeal.exe to work. It initially started and closed out. Now it is unresponsive and cannot be deleted. I get the following error message when trying to delete:

Topic referenced is here: http://www.bleepingcomputer.com/forums/t/258186/vundo-trojan-infection/ ~ OB

Error Deleting File or Folder
---------------------------
Cannot delete RootRepeal: Access is denied.

Make sure the disk is not full or write-protected
and that the file is not currently in use.
---------------------------
OK
---------------------------


I will also list a copy of the last response to my original post that adverted me here:



Your system is infected with a new rootkit variant that has become quite pervasive as evidenced by these entries:

Mount point destination : \Device\__max++>\^
[1] 2008-04-13 17:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()
The rootkit itself is a protection module used to terminate a variety of security programs so the scans will not work. Disinfection will require the use of more powerful tools than we recommend in this forum.

Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach.

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

Start a new topic and post your DDS log along with the Win32kDiag.txt and Log.txt reports in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If DDS will not run, then just post the results of the Win32kDiag.txt and Log.txt. Be sure to include a note that you tried to follow the Prep Guide but were unable to get DDS to run.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.




Here is a copy of the DDS.txt:



DDS (Ver_09-07-30.01) - NTFSx86
Run by malkit at 21:01:16.23 on Mon 09/21/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.336 [GMT -7:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\malkit\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
uStart Page = hxxp://m.www.yahoo.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn4\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [RiskII.exe] c:\downlo~1\RISKII~1.EXE /r
uRun: [Yahoo! Pager] 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [13760934] c:\documents and settings\all users\application data\13760934\13760934.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [CPM3205e83d] Rundll32.exe "c:\windows\system32\hugitayu.dll",a
mRun: [12249214] c:\documents and settings\all users\application data\12249214\12249214.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sbcsel~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
Trusted Zone: motive.com\patttbc.att
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207629437296
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
Filter: text/html - {4293b07c-2502-4879-9454-d467c14e09b2} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\hugitayu.dll c:\windows\system32\zoyutoma.dll,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hugitayu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\hugitayu.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-9-1 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-1 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-1 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-1 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-1 297752]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
S3 KMSKSSRV;KMSKSSRV;\??\c:\docume~1\malkit\locals~1\temp\kmskssrv.sys --> c:\docume~1\malkit\locals~1\temp\KMSKSSRV.sys [?]

=============== Created Last 30 ================

2009-09-19 23:23 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 23:23 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-19 23:23 --d----- c:\program files\Malwarebytes
2009-09-17 17:02 --d----- c:\docume~1\malkit\applic~1\Malwarebytes
2009-09-17 17:02 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-10 23:01 --d----- c:\docume~1\alluse~1\applic~1\ATTToolbar
2009-09-10 23:01 --d----- c:\program files\ATTToolbar
2009-09-10 23:01 --d----- c:\docume~1\malkit\applic~1\ATTToolbar
2009-09-01 23:14 --d-h--- C:\$AVG8.VAULT$
2009-09-01 23:09 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-09-01 23:09 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-01 23:08 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-09-01 23:08 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-01 23:08 --d----- c:\windows\system32\drivers\Avg
2009-09-01 23:07 --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-09-01 23:07 --d----- c:\program files\AVG
2009-09-01 23:07 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-09-01 22:53 --d----- c:\docume~1\malkit\applic~1\AVG8
2009-08-31 02:16 --d----- c:\program files\Zone.com
2009-08-31 01:53 176,128 a------- c:\windows\system32\bcmwlu00.EXE
2009-08-31 01:53 69,632 a------- c:\windows\system32\bcmwlD2K.EXE
2009-08-31 01:49 --d----- c:\windows\OPTIONS
2009-08-30 23:33 19,968 a------- c:\windows\system32\UACplynbhykfo.dll
2009-08-30 23:32 723,456 a------- c:\windows\system32\wscsvc32.exe
2009-08-30 23:32 25,088 a------- c:\windows\system32\tapi.nfo
2009-08-30 23:32 954,368 a------- c:\windows\system32\UACggrvunyfqv.dll
2009-08-30 23:32 174 a------- c:\windows\system32\UACemktubjtnq.dat
2009-08-30 23:32 6,536 a------- c:\windows\system32\uacinit.dll
2009-08-30 23:32 74,240 a------- c:\windows\system32\UACngdcuhyroe.dll
2009-08-30 23:30 24,064 a------- c:\windows\system32\UACcalaltqkqp.dll
2009-08-30 23:30 50,176 a------- c:\windows\system32\drivers\UACwnktpuodrh.sys
2009-08-30 23:29 0 a------- C:\825678606
2009-08-30 23:29 9,728 a------- C:\fyblb.exe
2009-08-30 23:28 76,288 a------- c:\windows\system32\~.exe

==================== Find3M ====================

2009-08-30 23:36 831,012 a--sh--- c:\windows\system32\motaporo.exe
2009-08-30 23:36 209,408 a--sh--- c:\windows\system32\zoyutoma.dll
2009-08-30 23:36 209,408 a--sh--- c:\windows\system32\hugitayu.dll
2009-08-05 02:01 204,800 -------- c:\windows\system32\mswebdvd.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-06-29 09:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 09:12 78,336 -------- c:\windows\system32\ieencode.dll
2009-06-29 09:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-25 01:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 01:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 01:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 01:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 01:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 01:25 730,112 -------- c:\windows\system32\lsasrv.dll
2006-07-30 20:02 58,232 ac------ c:\docume~1\malkit\applic~1\GDIPFONTCACHEV1.DAT
2006-03-07 22:22 242 ac------ c:\docume~1\malkit\applic~1\wklnhst.dat

============= FINISH: 21:03:39.01 ===============



Here is the Attach.txt:



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/20/2006 10:51:29 PM
System Uptime: 9/21/2009 9:18:33 AM (12 hours ago)

Motherboard: Hewlett-Packard | | 30AE
Processor: AMD Turion™ 64 Mobile Technology ML-32 | U23 | 1790/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 48.415 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP305: 8/30/2009 11:32:20 PM - System Checkpoint
RP306: 8/30/2009 11:32:25 PM - System Checkpoint
RP307: 8/30/2009 11:32:32 PM - System Checkpoint
RP308: 8/30/2009 11:32:42 PM - System Checkpoint
RP309: 8/30/2009 11:32:50 PM - Installed Java™ 6 Update 14
RP310: 8/30/2009 11:33:10 PM - Software Distribution Service 3.0
RP311: 8/30/2009 11:33:20 PM - Software Distribution Service 3.0
RP312: 8/30/2009 11:33:23 PM - Software Distribution Service 3.0
RP313: 8/30/2009 11:33:34 PM - System Checkpoint
RP314: 8/30/2009 11:33:41 PM - System Checkpoint
RP315: 8/30/2009 11:33:43 PM - Software Distribution Service 3.0
RP316: 8/30/2009 11:33:46 PM - Software Distribution Service 3.0
RP317: 8/30/2009 11:33:50 PM - Software Distribution Service 3.0
RP318: 8/30/2009 11:33:56 PM - System Checkpoint
RP319: 8/30/2009 11:34:02 PM - System Checkpoint
RP320: 8/30/2009 11:34:09 PM - Software Distribution Service 3.0
RP321: 8/30/2009 11:34:17 PM - Installed LG USB Modem driver
RP322: 8/30/2009 11:34:19 PM - Software Distribution Service 3.0
RP323: 8/30/2009 11:34:24 PM - System Checkpoint
RP324: 8/31/2009 2:11:04 AM - Software Distribution Service 3.0

==== Installed Programs ======================

1300
1300_Help
1300Tour
1300Trb
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 6.0.1
Adobe Reader 7.0.9
Adobe Shockwave Player
AiO_Scan
AIOMinimal
AiOSoftware
Apple Mobile Device Support
Apple Software Update
AT&T Self Support Tool
AT&T Toolbar
AT&T Yahoo! Applications
AT&T Yahoo! Music Jukebox
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATT-PRT22
AVG 8.5
AXIS Media Control Embedded
Barbie™ and the Magic of Pegasus™
Barbie™ Beauty Boutique™ CD-ROM
Barbie™ Horse Adventures™
Beauty and the Beast Magical Ballroom
Bonjour
Broadcom 802.11 Wireless LAN Adapter
BroadJump Client Foundation
BufferChm
CA Yahoo! Anti-Spy (remove only)
CameraDrivers
CameraUserGuides
Citrix XenApp Web Plugin
Conexant AC-Link Audio
Copy
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
CreativeProjects
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Curitel PC Card Software
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
Disney's Magic Artist
DocProc
ESPN Java Check
eSupportQFolder
Fax
Full Tilt Poker
FullDPAppQFolder
High Definition Audio Driver Package - KB835221
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart Cameras 6.0
HP Photosmart Premier Software 6.0
HP PSC & OfficeJet 3.5
HP Software Update
HP Solution Center and Imaging Support Tools 6.0
HP User Guides 0008
HP User Guides 0012
HP Wireless Assistant 1.01 C1
hpiCamDrvQFolder
hpmdtab
HPProductAssistant
HpSdpAppCoreApp
HPSystemDiagnostics
InstantShare
InstantShareDevices
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 14
Java™ 6 Update 2
Java™ SE Runtime Environment 6 Update 1
LG USB Modem driver
LightScribe 1.4.44.1
LimeWire 5.1.2
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
Managed DirectX (0901)
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 4.0 - SE
OTOY
overland
PanoStandAlone
PhotoGallery
PrintScreen
Quick Launch Buttons 5.20 D2
QuickProjects
QuickTime
RandMap
Readme
REALTEK Gigabit and Fast Ethernet NIC Driver
Scan
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SkinsHP1
SkinsHP2
Soft Data Fax Modem with SmartCP
SolutionCenter
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sonic_PrimoSDK
Sony USB Driver
Status
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TIxx21
TrayApp
Unload
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
V CAST Music with Rhapsody
Virtools 3D Life Player
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Search Protection
Yahoo! Software Update
Zone Deluxe Games

==== Event Viewer Messages From Past Week ========

9/19/2009 10:41:37 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
9/17/2009 9:51:48 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 AvgLdx86 AvgMfx86 eabfiltr Fips
9/17/2009 9:51:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/17/2009 4:53:27 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
9/17/2009 12:08:42 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
9/17/2009 12:08:42 AM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
9/17/2009 12:08:42 AM, error: Service Control Manager [7000] - The Automatic LiveUpdate Scheduler service failed to start due to the following error: The system cannot find the file specified.
9/17/2009 12:08:42 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/17/2009 10:02:19 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
9/17/2009 10:00:53 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/14/2009 11:46:29 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.

==== End Of File ===========================



Any help would be appreciated. Thank you. My original post was under "Am I infected? What do I do?". Topic title was "Vundo Trojan infection" if it helps at all.

Edited by Orange Blossom, 22 September 2009 - 10:30 PM.
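The Event Viewer block in the DDS log above carries the two symptoms a responder looks for with this kind of infection: security-product drivers (here AVG's AvgLdx86 and AvgMfx86) that fail to load at boot, and Windows Update (wuauserv) refusing to start because it has been disabled. The following is an added example, not code from this thread or from the DDS tool, that parses those lines and flags them; the driver-name prefixes and the list of watched services are assumptions chosen for the demo, and the sample lines are copied from the log above.

```python
"""Triage the "Event Viewer Messages" block of a DDS log.

Added example (not code from this thread or from the DDS tool). It parses the
lines in the format DDS prints and flags two defender-relevant symptoms:
security-product drivers that fail to load at boot (SCM event 7026) and a
watched service reported as disabled (DCOM event 10005 with error %1058).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a subset of the Event Viewer lines from the DDS log above.
SAMPLE_LOG = """\
9/19/2009 10:41:37 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
9/17/2009 9:51:48 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 AvgLdx86 AvgMfx86 eabfiltr Fips
9/17/2009 9:51:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/17/2009 4:53:27 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
9/17/2009 12:08:42 AM, error: Service Control Manager [7000] - The Automatic LiveUpdate Scheduler service failed to start due to the following error: The system cannot find the file specified.
"""

# One DDS event line: "<date> <time> <AM|PM>, <level>: <source> [<id>] - <message>"
LINE_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)

# Win32 error codes that DCOM event 10005 reports as "%NNNN".
WIN32_ERRORS: Dict[int, str] = {
    1058: "ERROR_SERVICE_DISABLED: the service is disabled",
    1084: "ERROR_NOT_SAFEBOOT_SERVICE: cannot start in Safe Mode (expected there)",
}

# Assumed for the demo: driver-name prefixes that belong to security products
# (AvgLdx86 / AvgMfx86 in the log are AVG drivers).
SECURITY_DRIVER_PREFIXES = ("avg",)
# Assumed for the demo: services a defender expects to stay enabled.
WATCHED_SERVICES = {"wuauserv", "wscsvc", "SharedAccess"}


@dataclass
class Finding:
    when: str
    event_id: int
    reason: str
    names: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one DDS event line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev: Dict[str, object] = dict(m.groupdict())
    ev["event_id"] = int(m.group("event_id"))
    return ev


def triage(text: str) -> List[Finding]:
    """Return the suspicious events, in log order."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        eid, src, msg, when = ev["event_id"], ev["source"], str(ev["message"]), str(ev["when"])
        if src == "Service Control Manager" and eid == 7026:
            # 7026 lists the boot/system-start drivers that failed, after the colon.
            drivers = msg.split(":", 1)[1].split()
            hit = [d for d in drivers if d.lower().startswith(SECURITY_DRIVER_PREFIXES)]
            if hit:
                findings.append(Finding(when, eid,
                                        "security-product driver(s) failed to load at boot", hit))
        elif src == "DCOM" and eid == 10005:
            m = re.search(r'error "%(\d+)" attempting to start the service (\S+)', msg)
            if m and int(m.group(1)) == 1058 and m.group(2) in WATCHED_SERVICES:
                svc = m.group(2)
                findings.append(Finding(when, eid,
                                        f"{svc} is disabled ({WIN32_ERRORS[1058]})", [svc]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.when}  event {f.event_id}: {f.reason} -> {', '.join(f.names)}")
```

The %1084 errors are deliberately not flagged: error 1084 means the service cannot start in Safe Mode, which is expected when the log was gathered from a Safe Mode boot, whereas %1058 (service disabled) against Windows Update is something a user does not normally do and is worth a closer look.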



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,929 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:02 AM

Posted 23 September 2009 - 07:10 AM

Please download ComboFix from one of these locations and save it to your Desktop. <-Important!!!
Note: If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
Download Mirror #1
Download Mirror #2
Download Mirror #3

Be sure to print out and follow these instructions: A guide and tutorial on using ComboFix. However, some types of malware will disable ComboFix so you must rename the file before downloading and saving it to your Desktop. <-Important!!!

  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • Double-click on Combo-Fix.exe and follow the prompts and the instructions you printed out earlier.
  • If using Windows Vista and you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
  • Install the Windows Recovery Console. As part of its routine, ComboFix will check to see if the Recovery Console is installed before attempting to remove any malware. If not installed, Combofix will not attempt to fix some serious infections. The Recovery Console will allow you to boot into a special repair mode should your computer encounter any problems during the disinfection process. Vista users can use their Windows DVD to boot up into the Vista Recovery Environment. If you don't have an XP CD, go to Microsoft's web site and download the appropriate XP Setup boot disks for your operating system.
  • Follow the prompts to allow ComboFix to download and install the Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install it.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes to continue scanning for malware.
  • When finished, please copy and paste the contents of C:\ComboFix.txt (which will open after reboot) in your next reply.
  • Be sure to re-enable your anti-virus and other security programs.
  • If you no longer have access to your Internet connection after running ComboFix, please reboot to restore it. If that does not restore the connection, then follow the instructions for Manually restoring the Internet connection provided in the "How to Guide" you printed out earlier.
-- Do not touch your mouse/keyboard until the Combofix scan has completed, as this may cause the process to stall or the computer to lock.
-- Combofix will temporarily disable your desktop, and if interrupted may leave it disabled. If this occurs, please reboot to restore it.
-- Combofix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security.


Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read Combofix's Disclaimer.


-- If ComboFix did not run successfully stop here and advise me so I can modify the fix strategy. If it did, then continue as follows.

We need to run Win32kDiag.exe again but this time with a specific command to fix some malware related changes.
  • Make sure Win32kDiag.exe is still on the Desktop. <- Important!
  • Go to Start > Run..., then copy and paste this command into the open box:
"%userprofile%\desktop\win32kdiag.exe" -f -r
  • Click OK.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the contents in your next reply.
Please download Malwarebytes Anti-Malware (v1.41) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Reports/logs to post in your next reply:
* ComboFix.txt
* Win32kDiag.txt
* MBAM report log
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 sicopunch

sicopunch
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:02 AM

Posted 24 September 2009 - 12:39 AM

So I have tried all 3 links to Combofix and keep getting the same thing. The hieroglyphics below are all that I get. It is what I see on every link to download Combofix. No download button anywhere on my end of the link. (DOS mode?????)






MZ@ !L!This program cannot be run in DOS mode. $}9o9o9oa1oa*o9no'<o08o0o08o'8o08oRich9oPEL'dJ  `Z`@P73u8`UPX0 UPX1@.rsrc `@3.03UPX!  (7;Y%3&@s s_ ̋D$L$  u S~d$ [?WVS3 }GTIڃ؉C:uuv?3pA Tu u”wRr;'wr;+vNoLOulp[^_`-U3GEr(”Av{M”G=2 N+3 ]xMMyЋ!ٿ=j]Qr+#%;r Y”$-&2:Ru+zau%/_ru!uuu 8Bum7j DVW|??P*t |LA%v#~_^E toP,vV9FNF~v/W| ;v\6yXUSᄉmF0Q”@U j0FWƆǶ;FBt {[&Ή”'8b1S-JhkM) 6?” nEu`ooE@ǀ8sgCPb7t6/o~2}-}~'-+M0/xSu FuXtG;%|,jP”QtuP98%u9\Ъa"Xٱ3 `f9f;wPtj|PFƢaYYoM}z”&$w; 52ȋ-T7ar)2؏  WGvj "}kUX 3A46sl|^”f,4Vx|-569U xF8zuWh"ualG sSuҎ,}uފ"f&]wAk? 5tu0vsF HF6BrMƺщƉ8L "#svµm/ -dxƶq`4[ɦG*4LVh˃NCT/|k;Av +AH 4T3Nj v72Aw 7C`wn_H˃2H SX/jxɄ3~VnhAGvMt]WS@ї(f { y5S)“<kRW ‹M己wE WɅlGSֺH1?f 86 7v\a w|=ag@Va#[i745 H\܎D &o h!d Gh ”“"xVjwE{2 lf6Ad$+G5>>)F@dda S#MkXT}uX(^)vLP\6]A|s}fCK4]qCf9d7S7k4,ȅJFDi[H}[[  Hn\2NlxpSUs>{Z DžH{uEu aȇ6PͨFAn Sy%>;u֐;n)8@-jFS#[ ####lX&”tFLdžH-BϾLAj X^Ln)g_ 5w{N% mȬq`DFmqs][v e_ RZXᰣ;c^@,+ YTYEW;"| #xw|+`%K#vRg}R$?/<”Àw ?%@o~*<v43$J}S /?=^Xd1>@"s_.-_+f L~-braɍ,?I<՛H/t\uڧo\:_ ^z)J^#;f\,-j\Y1 _@@ 1|S!oD7M̉x“|N?~dX”Ȇ";|Ax~{,r5j . Ľ ͈- “-t&ld ! "&BIA~$n,<~(FWX-J“,zY K' 9u +`[o,)ċ SsW 0׉[+ $ #j&j~ shug~{c0QPƄ= K2F۰X~ +n m Wq k^1̼XG.XlT"H /P  /ȉ0:{F)Pͷf “НM {[u-!g.F”W ,[7!@+WQK&58i“?G[N! vBކk”%"H5<y$TXMJ`lZVFR<S4,2X}dz l7" | AR.”v C-Vȝ܏2U5tj Y}oEe^#~$+@J|K\0 EOuzo4“DuCm+Fo|b-Wk6 26ڊQpd8:r9Htzu h”@da24@`PBj!F5aqFh0}(̳@&uGFx%U+U“0݃ػ3!p{uN)E#14HXWr^+R G`?Nu5ȍu7sa'jpVI9[gL ;+|xw p C -I+dr ΁WS'hoJ@Zb.<05 $ `/eR9S1}mH+<xK“h~W d'+ HSt9] u X?lM l+K<~Zb+S'ʎ#s_M8~}q$%3#vSRoYm#\nˏV͆MG"Ѝxn.xmf?G8_<٣4o҉S_yP)ktP@6t9+ C hq0 ';˘4^IxC& Hhpx<@2#g1 0,N9l${t I'C!uk9tw/8u˯SlAV,D,0AC `=I?GƁ(EP!5c V].AV“жmBE 6sPA:vo“WfV V^Qy0D)Z:,){L})VQ.ot-:dN  uVVC” hԵ?0jLD0^?;pPvx^ ἂ ڴVwnА3c“;u)NW( mk< Aaݮ oP<4Ӂf(8=03v-)(-ɝ[,N? fdBkwuP_(Ͳu8.J3l. ( 7Vsݍ޻cf%3ŀG;tWB0ԿVNj'#;S/_4EFАmr(

Edited by sicopunch, 24 September 2009 - 12:40 AM.
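What the post above shows is the browser displaying the downloaded executable inline as text instead of offering to save it: the bytes open with the "MZ" DOS header, then the "This program cannot be run in DOS mode" stub, the "PE" signature, and the section names UPX0, UPX1 and .rsrc plus the "UPX!" marker that a UPX-packed Windows program carries. The following is an added example, not code from this thread or from ComboFix's author, that recognises those landmarks in a file; the toy PE image it builds is constructed for the demo (DOS header, COFF header and section table, no optional header, so it is not a runnable program), and the helper names are assumptions.

```python
"""Recognise the landmarks of a Windows PE file shown as text.

Added example, not code from the thread. A saved download that really is the
program starts with "MZ", carries the DOS-stub message, has a valid "PE\0\0"
signature at the offset stored at 0x3C, and lists its sections after the COFF
header; a UPX-packed file names them UPX0/UPX1 and leaves a "UPX!" marker.
"""
import struct
from typing import Dict, List

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def build_sample_pe(section_names: List[str]) -> bytes:
    """Constructed toy PE image: DOS header -> DOS stub -> PE signature -> COFF -> sections."""
    e_lfanew = 0x80                                      # where "PE\0\0" will sit
    dos_header = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)   # e_lfanew field at offset 0x3C
    # Standard DOS stub: a few bytes of 16-bit code, then the message and "$".
    dos_stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
                + DOS_STUB_TEXT + b"\r\n$")
    image = (bytes(dos_header) + dos_stub).ljust(e_lfanew, b"\0")
    # COFF file header: Machine=i386, NumberOfSections, three unused dwords,
    # SizeOfOptionalHeader=0 (toy only; real files have one), Characteristics.
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, 0, 0x010F)
    # Section table: 8-byte name plus 32 bytes of (zeroed) size/offset fields each.
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                        for n in section_names)
    return image + b"PE\0\0" + coff + sections + b"UPX!"   # UPX leaves its marker in the file


def summarize_pe(data: bytes) -> Dict[str, object]:
    """Report the PE landmarks a person would see if the bytes were rendered as text."""
    info: Dict[str, object] = {"is_mz": False, "dos_stub": False,
                               "is_pe": False, "sections": [], "upx": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    info["is_mz"] = True
    info["dos_stub"] = DOS_STUB_TEXT in data[:0x200]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    # COFF header follows the 4-byte signature; the section table follows the optional header.
    _machine, nsec, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    names: List[str] = []
    for i in range(nsec):
        off = table + i * 40
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    info["sections"] = names
    info["upx"] = any(n.upper().startswith("UPX") for n in names) or b"UPX!" in data
    return info


def looks_like_intact_download(data: bytes) -> bool:
    """True when a saved file is a PE image rather than, say, an HTML error page saved as .exe."""
    s = summarize_pe(data)
    return bool(s["is_mz"] and s["is_pe"])


if __name__ == "__main__":
    sample = build_sample_pe(["UPX0", "UPX1", ".rsrc"])
    print(summarize_pe(sample))
    print(looks_like_intact_download(b"<html><body>404</body></html>"))
```

The practical use on the thread's problem: if the browser shows this text, use "Save link as" (or fetch the file on another machine, as advised below) and run the check on the saved file; a file that fails `looks_like_intact_download` is not the tool and should not be renamed and run.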


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,929 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:02 AM

Posted 24 September 2009 - 10:08 AM

If you cannot download and rename ComboFix as instructed to the infected machine, try downloading from another computer (family member, friend, library, etc) with an Internet connection. Save to a flash (USB, pen, thumb, jump) drive or CD, transfer to the infected machine's Desktop, then run the program(s). If you cannot copy files to your USB drive, make sure it is not "Write Protected".



