Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus burrowed in svchost.exe or spoolsv.exe--hijackthis log ensues


  • This topic is locked This topic is locked
78 replies to this topic

#1 vanguardxl

vanguardxl

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 18 October 2009 - 11:30 PM

Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:29 PM, on 7/22/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\ico.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Systweak\Systweak CacheBoost\trayicon.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSUI.exe
C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Electronic Arts\The Sims 3\Game\Bin\TS3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [CacheBoost] C:\Program Files\Systweak\Systweak CacheBoost\trayicon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [PCmover CookieMerge] "C:\Program Files\Laplink\PCmover\CookieMerge.exe" "C:\Windows\ServiceProfiles\LocalService\AppData\Local\Laplink\PCmover\Cookies" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [StartUp This] "C:\Program Files\Laplink\PCmover\LaunchSt.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [StartUp This] "C:\Program Files\Laplink\PCmover\LaunchSt.exe" (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: NETGEAR WPN311 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157318545421
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qb.webex.com/client/v_mywebex-qb20/ra/ieatgpc1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: WebEx Service Host for Support Center (atashost) - WebEx Communications, Inc. - C:\Windows\system32\atashost.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CacheBoost Performance Optimizer and Tuner Service (CacheBoost Service) - Systweak Inc - C:\Program Files\Systweak\Systweak CacheBoost\cbsrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13319 bytes


Thank you in advance.

Edited by vanguardxl, 18 October 2009 - 11:31 PM.


BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:31 PM

Posted 30 October 2009 - 04:29 AM

Hello ,
And :( to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log
  • RootRepeal log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay
.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 vanguardxl

vanguardxl
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 02 November 2009 - 07:43 PM

I really, really hate to sound like a complete moron, but despite your straightforward directions, none of those apps worked for me. I even tried both on safe mode. The DDS app displayed the startup screen, closed, and then I waited nearly ten minutes for the results to show. Nothing happened. I even disabled AVG's resident shield. No results, no nothing. As for GMER, my computer crashed every time I would scan it. I then scanned in safe mode, saved the results, but the file was corrupted.

I'm really sorry about all this. I really don't wish to cause you any more inconvenience as is, but I tried to work with those applications and failed to get anything.

Edited by vanguardxl, 03 November 2009 - 01:42 AM.


#4 vanguardxl

vanguardxl
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 03 November 2009 - 12:41 AM

However, I am aware of one Trojan that incessantly respawns despite being purged multiple times by AVG and Windows Defender: It's a Trojan horse Agent_r.OT disguised as a system file called "tdlwsp.dll". Furthermore, I got DDS to work. Here's the log:


DDS (Ver_09-09-29.01) - NTFSx86
Run by Frank Semko at 1:40:24.65 on Tue 11/03/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_03

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = hxxp://localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [Free Ram Optimizer] c:\program files\acelogix\free ram optimizer\fro.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30618; MEGAUPLOAD 3.0; .NET CLR 3.5.30729; BCD2000)" -"http://www.miniclip.com/games/spineworld/en/"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [PMX Daemon] ICO.EXE
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [dlcxmon.exe] "c:\program files\dell photo aio printer 926\dlcxmon.exe"
mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 926\memcard.exe"
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [CacheBoost] c:\program files\systweak\systweak cacheboost\trayicon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [StartupDelayer] "c:\program files\r2 studios\startup delayer\Startup Launcher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [V0260Cfg.exe] V0260Cfg.exe /d:2
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
dRun: [StartUp This] "c:\program files\laplink\pcmover\LaunchSt.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~3.0_0\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157318545421
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://qb.webex.com/client/v_mywebex-qb20/ra/ieatgpc1.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL,avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-11-03 00:56 24,448 a------- c:\windows\system32\drivers\rkhdrv40.sys
2009-11-03 00:47 22,016 a------- c:\windows\system32\tdlwsp.dll
2009-10-31 02:55 87,040 a------- C:\ugdyakoc.sys
2009-10-29 11:15 2,421,760 a------- c:\windows\system32\wucltux.dll
2009-10-29 11:14 87,552 a------- c:\windows\system32\wudriver.dll
2009-10-29 11:14 171,608 a------- c:\windows\system32\wuwebv.dll
2009-10-29 11:14 33,792 a------- c:\windows\system32\wuapp.exe
2009-10-27 18:33 310,784 a------- c:\windows\system32\unregmp2.exe
2009-10-27 18:33 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-10-25 12:40 3,600,456 a------- c:\windows\system32\ntkrnlpa.exe
2009-10-25 12:40 3,548,216 a------- c:\windows\system32\ntoskrnl.exe
2009-10-25 12:27 604,672 a------- c:\windows\system32\WMSPDMOD.DLL
2009-10-25 12:10 3 a------- c:\windows\wp3.dat
2009-10-25 12:10 58 a------- c:\windows\wp4.dat
2009-10-25 12:10 36 a------- c:\windows\system32\skynet.dat
2009-10-25 12:10 9 a------- c:\windows\system32\nuar.old
2009-10-14 19:41 60,928 a------- c:\windows\system32\msasn1.dll
2009-10-14 19:41 60,928 a------- c:\windows\system32\msasn1(294).dll
2009-10-14 19:40 218,624 a------- c:\windows\system32\msv1_0.dll
2009-10-14 19:40 218,624 a------- c:\windows\system32\msv1_0(302).dll
2009-10-14 19:40 1,985,536 a------- c:\windows\system32\iertutil(278).dll
2009-10-14 19:40 1,208,832 a------- c:\windows\system32\urlmon(320).dll
2009-10-14 19:40 916,480 a------- c:\windows\system32\wininet.dll
2009-10-14 19:40 916,480 a------- c:\windows\system32\wininet(325).dll
2009-10-04 10:39 20 a------- c:\windows\system32\SYSTEM

==================== Find3M ====================

2009-10-19 16:51 292 a------- c:\users\olesem~1\appdata\roaming\wklnhst.dat
2009-10-03 00:33 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-10-01 09:29 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-09-24 23:33 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-24 23:33 143,360 a------- c:\windows\inf\infstor.dat
2009-09-24 23:33 51,200 a------- c:\windows\inf\infpub.dat
2009-09-24 23:26 665,600 a------- c:\windows\inf\drvindex.dat
2009-09-24 23:25 0 a---h--- c:\windows\system32\drivers\Msft_User_AuxiliaryDisplayEnhancedDriver_01_00_00.Wdf
2009-09-16 00:34 56 a---h--- c:\programdata\ezsidmv.dat
2009-09-16 00:34 56 a---h--- c:\progra~2\ezsidmv.dat
2009-09-14 04:29 144,896 a------- c:\windows\system32\drivers\srv2.sys
2009-08-28 21:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 21:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 21:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 21:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 19:27 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-28 19:14 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-27 00:17 109,056 a------- c:\windows\system32\iesysprep.dll
2009-08-27 00:17 71,680 a------- c:\windows\system32\iesetup.dll
2009-08-26 22:42 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-08-17 22:33 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-14 12:36 70,936 a------- c:\windows\system32\PhysXLoader.dll
2009-08-14 10:53 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 08:49 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 08:49 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 08:49 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 08:49 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 08:49 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 08:49 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 08:49 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 08:48 105,984 a------- c:\windows\system32\netiohlp.dll
2009-08-07 18:51 15,308,424 a------- c:\windows\system32\xlive.dll
2009-08-07 18:51 13,642,888 a------- c:\windows\system32\xlivefnt.dll
2009-08-05 21:53 9,716 a------- c:\users\olesem~1\appdata\roaming\TheHunterSettings.bin
2009-04-27 18:39 174 a--sh--- c:\program files\desktop.ini
2008-02-04 19:46 32 a------- c:\programdata\ezsid.dat
2008-02-04 19:46 32 a------- c:\progra~2\ezsid.dat
2007-03-06 16:06 963,072 a------- c:\windows\inf\wpn311\WPN311x.sys
2007-03-06 16:03 782,848 a------- c:\windows\inf\wpn311\WPN311.sys
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2006-10-26 22:05 28,672 a------- c:\windows\inf\wpn311\SetDrv.exe

============= FINISH: 1:42:12.47 ===============

Edited by vanguardxl, 03 November 2009 - 01:44 AM.


#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:31 PM

Posted 03 November 2009 - 03:15 AM

Hello vanguardxl,

You are pretty bad infected with a rootkit. Luckily we will be able to remove it, just leave GMER for now, after you last post I really don't need it :( Please proceed with the steps below.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
COMBOFIX
---------------
Please download ComboFix from one of these locations:Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#6 vanguardxl

vanguardxl
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 03 November 2009 - 03:42 PM

I'm having serious problems with ComboFix. I've been working all this afternoon to get it to run and my patience just ran out. I've tried everything: I turned off AVG 8.5's resident shield, I shut down Windows Defender, turned off Tea Timer and even deactivated my Identity protection software. Nothing. I got nothing. I turn on ComboFix, let the little blue screen activate with the "Please Wait" message and nothing happens. It goes so far as to back up my registry, but other than that, it just stays on my screen with the two lines of "please wait, Combofix is preparing to run..." for an indefinite period of time and nothing happens.. I must have waited 20 minutes for it to activate and still got nothing. So far I haven't seen a single one of the prompts or messages located in your post. What am I doing wrong???

P.S. The entire process went through ONCE....yes, once...and I got to the "Scanning for infected files... This typically doesn't take more than 10 minutes." prompt (I don't even know how I managed to make it happen) but by the time it got to stage 50, explorer.exe stopped working and ComboFix crashed, producing no report. What the hell is going on?

Edited by vanguardxl, 03 November 2009 - 07:37 PM.


#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:31 PM

Posted 03 November 2009 - 04:20 PM

Please look if there is a report at C:\Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 vanguardxl

vanguardxl
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 03 November 2009 - 07:16 PM

There's a file in C:\ called "ComboFix," but it's anything but a text document. It looks like this:
Posted Image


I tried right-clicking the file in hopes that I could open it with notepad, but it ended up looking like this:

Posted Image


When I access the file, it redirects me to "Computer." What is this supposed to mean?

Edited by vanguardxl, 03 November 2009 - 07:26 PM.


#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:31 PM

Posted 04 November 2009 - 05:41 AM

Please tell me whats in the Qoobox folder.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 vanguardxl

vanguardxl
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 04 November 2009 - 06:53 PM

Well, there's 5 folders in Qoobox. They are BackEnv, LastRun, Quarantine, Test, and TestC.

-TestC and Test are both empty.

-Quarantine has a folder called "C" and it contains some infected files that end with the extension ".VIR" (Which I assume that it means it's infected with a virus).

-LastRun has a couple of .DAT files with names like "d-del2A," "erunt" and "ScvTarget" and two .OLD files called "CredC.old" and "zhsvc.old"

-BackEnv just looks like this:
Posted Image


I can only assume that this is where ComboFix keeps all their info, right?

Edited by vanguardxl, 04 November 2009 - 06:55 PM.


#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:31 PM

Posted 05 November 2009 - 03:46 AM

Can you please list the content of the Quarantine folder for me?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 vanguardxl

vanguardxl
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 05 November 2009 - 08:10 PM

Sure.
Posted Image

Those viruses were all located in System32.

P.S. The tdlwsp.dll virus is still active.

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:31 PM

Posted 06 November 2009 - 04:34 AM

Please delete your old copy of Combofix first!!

Download Combofix from any of the links below but rename it to random.exe before saving it to your desktop.
You can do this by right-clicking the download link and selecting save target/link as...

Link 1
Link 2


==================================

Double click on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Edited by elise025, 06 November 2009 - 05:07 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#14 vanguardxl

vanguardxl
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 07 November 2009 - 08:14 PM

I followed all your instructions in earnest, I really did. I just can't get ComboFix to work. It's stuck at "please wait, Combofix is preparing to run...attempting to save registries"

It even goes so far as to save the registry, and then it gets stuck. Nothing happens. What can I do?

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:31 PM

Posted 08 November 2009 - 02:47 AM

Hello vanguardxl,

Lets see if we can find the cause of this :(

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    boot.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

In your next reply, please include the following:
  • SystemLook.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users