
please help remove malware


This topic is locked
56 replies to this topic

#16 myrti

  • Malware Study Hall Admin

Posted 06 November 2009 - 11:52 AM

Hi,

that's my bad. Please try the following batch:

@echo off
rem dump all environment variables to a log file in the temp folder
set >"%tmp%\log.txt"
rem append a directory listing of C:\ to the same log
dir C:\>>"%tmp%\log.txt"
rem open the log in Notepad (full path, so it is found regardless of the current directory)
notepad "%tmp%\log.txt"

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+




#17 devilfruit

  • Topic Starter

Posted 06 November 2009 - 11:57 AM

Cool, the box remained open but there was no text in it or in the cmd.

regards devil fruit

#18 devilfruit

  • Topic Starter

Posted 06 November 2009 - 03:14 PM

A breakthrough!!!!!! ComboFix is running right now. I will reread earlier steps and retrace them.

thanks devilfruit

#19 devilfruit

  • Topic Starter

Posted 06 November 2009 - 03:37 PM

combofix.txt is:

ComboFix 09-11-05.05 - 06/11/2009 19:59:21.1.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.1013.80 [GMT 0:00]
Running from: C:\Windows\system32\config\systemprofile\Desktop\fun.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Internet Security *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

#20 myrti

  • Malware Study Hall Admin

Posted 07 November 2009 - 10:33 AM

Hi,

please boot into the system recovery environment from Vista:
Booting into the Windows Vista WinRE Environment using the Windows Vista disk

Please insert your Windows Vista installation media into your CD-ROM/DVD drive and reboot your computer. During the reboot and at boot up you should see "Press any key to boot from CD/DVD...". If you see that, please press any key to continue and follow the next set of instructions on "Using the Vista CD Disk to Access the Vista WinRE Environment". If not, please follow the next set of instructions on "How to Configure the System to Boot from CD/DVD" and then follow the steps in "Using the Vista CD Disk to Access the Vista WinRE Environment".

How to Configure the system to boot from CD/DVD

Some machines will automatically attempt to boot from the CD if a CD is inserted; if that is the case, please skip the instructions below...
  • Please reboot your machine or turn it on (without the CD).
  • As soon as the BIOS is loaded, begin tapping F2 or F12, or perhaps F9, F10 or F11 (try all of them if unsure, starting with F2).
  • Different machines have different keys.
  • This will bring up the configuration options; please use your arrow keys to go to the Boot tab.
  • In the Boot tab, there should be instructions on your right-hand side on how to move your CD/DVD to the top or First Priority.
  • After you have moved CD/DVD to the top/first priority, please make sure you SAVE AND EXIT <- Important
  • It will now exit with Configuration settings saved.
Using the Vista CD Disk to Access the Vista WinRE Environment
  • Insert the Windows Vista disk in your computer.
  • Restart your computer so you are booting off of the CD.
  • During the reboot and boot up you will get a message saying: "Press any key to boot from CD"; press Enter on your keyboard.
  • Select your language options, Time and Keyboard and press Next.
  • At the next prompt press [image]
  • Select your Operating System (Windows Vista; the main one) from the list, and then press Next.
  • Now press the Command Prompt option.
  • Enter the following code line by line, one at a time, pressing Enter on your keyboard after each line.
  • Wait for each command to be completed before continuing with the next one.
    move C:\WINDOWS\system32\cngaudit.dll C:\cngaudit.bad
    copy C:\Windows\System32\logevent.dll C:\Windows\system32\cngaudit.dll
  • Press the Restart button [image] and remove your Windows Vista disk from the DVD drive. Windows should now begin to load.
Once your system is loaded, please try to run ComboFix again. (Please load a fresh copy.)

regards _temp_



#21 devilfruit

  • Topic Starter

Posted 07 November 2009 - 01:19 PM

Hi temp,
thanks for getting back to me.
Unfortunately I don't have a boot disc, as the laptop I have didn't come with one, I'm afraid.
Is there a download for it?

regards devilfruit

#22 myrti

  • Malware Study Hall Admin

Posted 07 November 2009 - 01:46 PM

Hi,

you can get a copy of the Vista Repair environment here: link

If you need help burning the ISO to a CD, please refer to the following tutorial: link

regards _temp_



#23 devilfruit

  • Topic Starter

Posted 09 November 2009 - 01:43 AM

Hello temp.
Sorry about the lateness of my reply, but I have been working. At the moment I am awaiting a friend to bring some CDs to burn the recovery ISO onto so I can follow your instructions. I have left Vuze downloading it overnight; this morning I have noticed 2 DDS files have opened themselves for some reason. Would you like me to post them?? I have no idea why they have appeared out of nowhere by themselves.

#24 myrti

  • Malware Study Hall Admin

Posted 09 November 2009 - 05:30 AM

Hi,

yes, please post the logs.

regards _temp_



#25 devilfruit

  • Topic Starter

Posted 09 November 2009 - 05:35 AM

The first one is:


DDS (Ver_09-10-26.01) - NTFSx86
Run by at 23:14:35.74 on 08/11/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.1013.274 [GMT 0:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Kaspersky Internet Security *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\Windows\System32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Acer\ALaunch\ALaunchSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\System32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\igfxsrvc.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Windows\system32\config\systemprofile\RtkBtMnt.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\igfxext.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Vuze\Azureus.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\config\SYSTEM~1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.talktalk/aol.com
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [PCMService] "c:\program files\acer\acer arcade\PCMService.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [eRecoveryService]
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R2 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2008-2-25 51200]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-11-6 36368]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-2-26 180736]

=============== Created Last 30 ================

2009-11-08 23:14:35 0 d-----w- c:\windows\system32\config\systemprofile\90BF.tmp
2009-11-08 19:34:04 2729 ----a-w- c:\windows\system32\config\systemprofile\CdMkr70.ini
2009-11-08 19:34:01 1654784 ----a-w- c:\windows\system32\config\systemprofile\~DFA5C1.tmp
2009-11-08 18:22:12 0 d-----w- c:\windows\system32\config\systemprofile\e4jDEE9.tmp_dir25475
2009-11-08 18:22:08 6639 ----a-w- c:\windows\system32\config\systemprofile\AZU4542563747139769301.tmp
2009-11-08 18:21:04 42032 ----a-w- c:\windows\system32\config\systemprofile\azupdater_1.8.12.zip
2009-11-08 18:21:00 548 ----a-w- c:\windows\system32\config\systemprofile\AZU6430499032106490500.tmp
2009-11-08 18:20:39 16384 ----a-w- c:\windows\system32\config\systemprofile\~DF23C.tmp
2009-11-08 18:20:36 77824 ----a-w- c:\windows\system32\config\systemprofile\swt-gdip-win32-3448.dll
2009-11-08 18:20:33 335872 ----a-w- c:\windows\system32\config\systemprofile\swt-win32-3448.dll
2009-11-08 18:20:22 0 d-----w- c:\windows\system32\config\systemprofile\e4j30DF.tmp_dir25116
2009-11-08 18:18:45 16384 ----a-w- c:\windows\system32\config\systemprofile\~DF4A5B.tmp
2009-11-08 18:18:45 0 ----atw- c:\windows\system32\config\systemprofile\~DF4241.tmp
2009-11-08 18:18:13 16384 ----a-w- c:\windows\system32\config\systemprofile\~DF57DF.tmp
2009-11-08 18:18:11 16384 ----atw- c:\windows\system32\config\systemprofile\~DF3A6E.tmp
2009-11-08 18:18:10 0 ----atw- c:\windows\system32\config\systemprofile\~DF33CD.tmp
2009-11-08 18:03:58 0 d-----w- c:\windows\system32\config\systemprofile\WPDNSE
2009-11-08 18:03:27 2048 ----atw- c:\windows\system32\config\systemprofile\sqlite_uqhPOm4cUEqiRtt
2009-11-08 17:49:26 16384 ----a-w- c:\windows\system32\config\systemprofile\~DFC2D2.tmp
2009-11-08 17:48:27 0 d-s---w- C:\fun
2009-11-08 17:30:28 16384 ----a-w- c:\windows\system32\config\systemprofile\~DF1311.tmp
2009-11-08 08:21:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-11-08 07:55:28 16384 ----a-w- c:\windows\system32\config\systemprofile\~DF5A39.tmp
2009-11-08 07:40:51 2048 ----atw- c:\windows\system32\config\systemprofile\sqlite_exwssawu4ga5HnB
2009-11-07 18:05:04 2048 ----atw- c:\windows\system32\config\systemprofile\sqlite_qKucP2CT5IeNdc7
2009-11-07 00:34:47 311296 ----a-w- c:\windows\system32\config\systemprofile\~DFF7A1.tmp
2009-11-07 00:34:47 311296 ----a-w- c:\windows\system32\config\systemprofile\~DFF09D.tmp
2009-11-07 00:22:19 0 d-----w- c:\windows\system32\config\system~1\appdata\roaming\Malwarebytes
2009-11-07 00:11:10 16384 ----a-w- c:\windows\system32\config\systemprofile\~DF1CE8.tmp
2009-11-07 00:10:14 3084 ----a-w- c:\windows\system32\config\systemprofile\AZU5004873084771910171.tmp
2009-11-07 00:09:46 0 d-----w- c:\windows\system32\config\systemprofile\e4j1C85.tmp_dir20804
2009-11-06 23:07:14 0 d-----w- c:\windows\system32\config\systemprofile\{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}
2009-11-06 22:48:57 114688 ----a-w- c:\windows\system32\config\systemprofile\~DF54BA.tmp
2009-11-06 22:46:37 16384 ----a-w- c:\windows\system32\config\systemprofile\~DFDA58.tmp
2009-11-06 22:33:52 16384 ----a-w- c:\windows\system32\config\systemprofile\~DF1C8E.tmp
2009-11-06 22:17:43 0 ----a-w- c:\windows\system32\config\systemprofile\Reg3
2009-11-06 22:17:43 0 ----a-w- c:\windows\system32\config\systemprofile\Reg2
2009-11-06 22:11:46 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-11-06 22:11:46 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-11-06 22:11:45 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
2009-11-06 21:51:39 524288 ----atw- c:\windows\system32\config\systemprofile\TMP000000011081FCD5E6B1C9BA
2009-11-06 21:47:11 16384 ----a-w- c:\windows\system32\config\systemprofile\~DF2EE9.tmp
2009-11-06 21:47:11 16384 ----a-w- c:\windows\system32\config\systemprofile\~DF2EE0.tmp
2009-11-06 21:47:09 0 ----atw- c:\windows\system32\config\systemprofile\~DFF284.tmp
2009-11-06 21:47:07 16384 ----atw- c:\windows\system32\config\systemprofile\~DFBAD6.tmp
2009-11-06 21:46:54 0 ----atw- c:\windows\system32\config\systemprofile\~DF6577.tmp
2009-11-06 21:42:19 2048 ----atw- c:\windows\system32\config\systemprofile\sqlite_KlecAYyZXGxpnKS
2009-11-06 21:41:27 1063262029 ----a-w- c:\windows\MEMORY.DMP
2009-11-06 21:38:39 0 ----atw- c:\windows\system32\config\systemprofile\~DFE36E.tmp
2009-11-06 21:37:29 16384 ----atw- c:\windows\system32\config\systemprofile\~DF39FA.tmp
2009-11-06 21:31:16 16384 ----a-w- c:\windows\system32\config\systemprofile\~DFFD7C.tmp
2009-11-06 21:31:15 0 ----atw- c:\windows\system32\config\systemprofile\~DFCA2C.tmp
2009-11-06 21:25:08 16384 ----a-w- c:\windows\system32\config\systemprofile\~DF687C.tmp
2009-11-06 21:25:07 16384 ----atw- c:\windows\system32\config\systemprofile\~DF5125.tmp
2009-11-06 21:25:06 0 ----atw- c:\windows\system32\config\systemprofile\~DF4402.tmp
2009-11-06 21:14:54 0 d-----w- c:\windows\system32\config\systemprofile\7696.tmp
2009-11-06 20:26:10 2048 ----atw- c:\windows\system32\config\systemprofile\sqlite_Si1inexHFNAjboO
2009-11-06 20:16:33 524288 ----atw- c:\windows\system32\config\systemprofile\TMP00000048C92AE7F8709EBCC3
2009-11-06 20:06:20 16384 ----a-w- c:\windows\system32\config\systemprofile\~DF3151.tmp
2009-11-06 20:02:58 16384 ----a-w- c:\windows\system32\config\systemprofile\~DFC38C.tmp
2009-11-06 19:54:20 16384 ----a-w- c:\windows\system32\config\systemprofile\~DFC609.tmp
2009-11-06 19:53:35 77312 ----a-w- c:\windows\MBR.exe
2009-11-06 19:53:35 267264 ----a-w- c:\windows\PEV.exe
2009-11-06 19:53:35 161792 ----a-w- c:\windows\SWREG.exe
2009-11-06 19:53:34 98816 ----a-w- c:\windows\sed.exe
2009-11-06 18:28:43 0 d-----w- C:\32788R22FWJFW.14.tmp
2009-11-06 18:13:40 0 d-----w- c:\programdata\RegCure
2009-11-06 16:43:20 0 d-----w- C:\32788R22FWJFW.13.tmp
2009-11-06 15:28:49 0 d-----w- c:\windows\system32\config\systemprofile\nsz3EA.tmp
2009-11-06 15:28:49 0 d-----w- c:\programdata\TuneUpMedia
2009-11-06 15:27:59 0 d-----w- c:\windows\system32\config\systemprofile\TuneUpMedia
2009-11-06 15:27:12 3084 ----a-w- c:\windows\system32\config\systemprofile\AZU7081653448645155860.tmp
2009-11-06 15:27:00 0 d-----w- c:\windows\system32\config\systemprofile\swtlib-32
2009-11-06 15:26:57 0 d-----w- c:\windows\system32\config\systemprofile\e4j4F1B.tmp_dir16670
2009-11-06 15:26:02 0 d-----w- c:\program files\Vuze
2009-11-06 14:31:54 0 d-----w- C:\32788R22FWJFW.12.tmp
2009-11-06 13:50:38 11776 ----a-w- C:\cngaudit.dll
2009-11-06 12:59:57 0 d-----w- c:\windows\system32\config\systemprofile\AD20.tmp
2009-11-06 12:44:53 0 d-----w- C:\32788R22FWJFW.11.tmp
2009-11-06 12:06:24 0 d-----w- C:\32788R22FWJFW.10.tmp
2009-11-06 11:49:47 0 d-----w- C:\32788R22FWJFW.9.tmp
2009-11-06 11:37:57 0 d-----w- C:\32788R22FWJFW.8.tmp
2009-11-06 11:33:38 0 d-----w- c:\windows\system32\config\systemprofile\31AA.tmp
2009-11-06 11:33:23 0 d-----w- c:\windows\system32\config\systemprofile\F798.tmp
2009-11-06 11:31:25 0 d-----w- C:\32788R22FWJFW.7.tmp
2009-11-06 11:21:27 0 d-----w- C:\32788R22FWJFW.6.tmp
2009-11-06 10:35:51 0 d-----w- C:\32788R22FWJFW.5.tmp
2009-11-06 10:26:00 0 d-----w- c:\windows\system32\config\systemprofile\Temp1_Junction.zip
2009-11-06 10:17:23 0 d-----w- C:\32788R22FWJFW.4.tmp
2009-11-06 10:10:57 0 d-----w- C:\32788R22FWJFW.3.tmp
2009-11-06 08:46:25 0 d-----w- c:\windows\system32\config\systemprofile\1725.tmp
2009-11-06 08:45:14 0 d-----w- c:\windows\system32\config\systemprofile\1D1.tmp
2009-11-05 06:43:53 0 d-sh--w- c:\windows\ftpcache
2009-11-05 06:33:43 114688 ----a-w- c:\windows\system32\config\systemprofile\~DFD40C.tmp
2009-11-03 21:39:06 16384 ----a-w- c:\windows\system32\config\systemprofile\~DF2F6C.tmp
2009-11-03 21:33:28 16384 ----a-w- c:\windows\system32\config\systemprofile\~DFB4B7.tmp
2009-11-03 21:24:02 2048 ----atw- c:\windows\system32\config\systemprofile\sqlite_0inQabbngMXAvGQ
2009-11-03 20:57:22 0 d-----w- c:\windows\system32\config\systemprofile\PCTInstaller
2009-11-03 20:53:12 0 d-----w- c:\program files\Spyware Doctor
2009-11-03 20:52:55 0 d-----w- c:\windows\system32\config\systemprofile\is-UUMKK.tmp
2009-11-02 22:52:22 0 ----a-w- C:\xx21
2009-11-02 22:52:22 0 ----a-w- C:\xx20
2009-11-02 22:52:22 0 ----a-w- C:\xx19
2009-11-02 22:52:22 0 ----a-w- C:\xx18
2009-11-02 22:52:22 0 ----a-w- C:\xx17
2009-11-02 21:58:52 0 d-----w- c:\programdata\AVP 2009
2009-11-02 21:39:12 114688 ----a-w- c:\windows\system32\config\systemprofile\~DF83EE.tmp
2009-11-02 21:03:29 0 d-----w- c:\windows\system32\config\systemprofile\KAV Updater update files
2009-11-02 21:02:48 0 d-----w- c:\windows\system32\config\systemprofile\jkos-cherub
2009-11-02 21:01:03 0 d-----w- C:\32788R22FWJFW.2.tmp
2009-11-02 20:49:35 0 d-----w- C:\32788R22FWJFW.1.tmp
2009-11-02 20:12:37 0 d-----w- c:\windows\system32\config\systemprofile\hsperfdata_cherub
2009-11-02 20:12:02 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-02 20:12:02 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-02 20:03:23 0 d-----w- c:\windows\system32\config\systemprofile\Low
2009-11-02 19:10:14 0 d-----w- c:\windows\system32\config\systemprofile\I386
2009-11-02 18:31:10 528 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-11-02 18:27:09 12800 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-11-02 18:26:34 31832 ----a-w- c:\windows\system32\config\systemprofile\cherub.bmp
2009-11-02 18:04:24 524288 ----atw- c:\windows\system32\config\systemprofile\TMP00000001A4860536122AEA49
2009-11-02 18:03:37 2048 ----atw- c:\windows\system32\config\systemprofile\sqlite_xGQZkUqWpXypbvb
2009-11-02 17:40:26 0 d-----w- c:\programdata\SITEguard
2009-11-02 17:37:52 0 d-----w- c:\programdata\STOPzilla!
2009-11-02 17:37:52 0 d-----w- c:\program files\common files\iS3
2009-11-02 17:18:39 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-02 16:36:07 0 ----a-w- C:\xx16
2009-11-02 16:36:07 0 ----a-w- C:\xx15
2009-11-02 16:36:07 0 ----a-w- C:\xx14
2009-11-02 16:36:07 0 ----a-w- C:\xx13
2009-11-02 16:36:07 0 ----a-w- C:\xx12
2009-11-02 16:13:27 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-02 16:09:12 2868224 ----a-w- c:\windows\system32\mf.dll
2009-11-02 16:09:00 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-11-02 16:09:00 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-11-02 16:08:59 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-11-02 16:08:59 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-11-02 16:08:59 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-11-02 16:08:59 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-11-02 16:08:59 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-11-02 16:08:59 17920 ----a-w- c:\windows\system32\netevent.dll
2009-11-02 16:08:59 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-11-02 16:08:59 10240 ----a-w- c:\windows\system32\finger.exe
2009-11-02 16:08:16 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-11-02 16:08:04 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-11-02 16:07:42 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-11-02 16:07:41 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-11-02 16:07:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 19:42:52 0 ----a-w- C:\xx9
2009-10-14 19:42:52 0 ----a-w- C:\xx8
2009-10-14 19:42:52 0 ----a-w- C:\xx7
2009-10-14 19:42:52 0 ----a-w- C:\xx11
2009-10-14 19:42:52 0 ----a-w- C:\xx10
2009-10-14 19:13:37 0 d-sh--w- C:\%APPDATA%
2009-10-14 18:35:09 0 ----a-w- C:\xx6
2009-10-14 18:35:09 0 ----a-w- C:\xx5
2009-10-14 18:35:09 0 ----a-w- C:\xx4
2009-10-14 18:35:09 0 ----a-w- C:\xx3
2009-10-14 18:35:09 0 ----a-w- C:\xx2
2009-10-14 18:26:25 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys

==================== Find3M ====================

2009-11-08 08:20:57 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-08 08:20:56 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-06 23:22:30 86016 ----a-w- c:\windows\inf\infstor.dat
2009-08-30 12:40:35 208896 ----a-w- c:\windows\system32\config\systemprofile\RtkBtMnt.exe
2008-08-03 15:13:55 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:57:01 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-05-10 09:34:53 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-10 09:34:53 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-10 09:34:53 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-06-14 18:47:09 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-06-14 07:40:42 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 23:15:33.35 ===============

and the attached:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume2
Install Date: 03/04/2008 22:37:01
System Uptime: 11/08/2009 18:02:41 (2141 hours ago)

Motherboard: Acer | | Acadia
Processor: Intel® Celeron® CPU 550 @ 2.00GHz | uPGA-478 | 1995/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 32 GiB total, 2.698 GiB free.
D: is FIXED (NTFS) - 31 GiB total, 15.098 GiB free.
E: is CDROM (UDF)

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

4oD
Acer Arcade
Acer eDataSecurity Management
Acer eLock Management
Acer Empowering Technology
Acer eNet Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GameZone Console 2.0.1.1
Acer GridVista
Acer Mobility Center Plug-In
Acer ScreenSaver
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.0
Agatha Christie Death on the Nile
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Azada
Backspin Billiards
Big Kahuna Reef
Bonjour
Bookworm Deluxe
Bricks of Egypt
Cake Mania
Chicken Invaders 3
Chuzzle
Diner Dash Flo on the Go
Flip Words 2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel® Graphics Media Accelerator Driver
iTunes
Java™ 6 Update 15
Java™ 6 Update 7
Jewel Quest Solitaire
Kick N Rush
Launch Manager
LightScribe 1.4.142.1
Mahjong Escape Ancient China
Mahjongg Artifacts
Microsoft .NET Framework 3.5 SP1
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
MobileMe Control Panel
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
Mystery Case Files - Huntsville
Mystery Solitaire - Secret Island
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
OpenOffice.org Installer 1.0
Orion
PowerProducer
QuickTime
Realtek High Definition Audio Driver
RegCure 1.6.0.0
Search Settings 1.2.1
Turbo Pizza
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Office 2007 (KB934528)
Update for Office System 2007 Setup (KB929722)
Veoh Web Player
Vuze
WebMediaPlayer
Yahoo! Toolbar
Zuma Deluxe

==== End Of File ===========================


thanks devilfruit

#26 devilfruit

Posted 10 November 2009 - 03:21 PM

hello temp
i am at the point of booting from cd, have chosen language and keyboard but for the command prompt option i have to logon as administrator. My normal logon password doesn't work, it just says your account has been disabled please see your system administrator.

any suggestions??

regards devil fruit

#27 devilfruit

Posted 10 November 2009 - 03:41 PM

forget my last post, answered my own question lol

#28 devilfruit

Posted 11 November 2009 - 02:48 AM

hello temp

i have followed your instructions and here is what happened.
I ran combo fix and had a shower, when I came back the computer rebooted automatically, on the new load I searched for the combofix text file and couldn't find it.
I ran combofix again and before it rebooted I got

error restoring
C:\Windows\erdnt\subs\system
to
C:\Windows\System32\config\system!
continue with next file
(Regreplacekey:1009-configuration registry database is corrupt)

I then clicked yes and the system rebooted and I did manage to find the combofix text file which is:


ComboFix 09-11-09.02 - 11/11/2009 7:21:14.3.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.1013.317 [GMT 0:00]
Running from: C:\Windows\system32\config\systemprofile\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Internet Security *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

off to work look forward to your reply
thanks devilfruit

#29 myrti

Posted 11 November 2009 - 07:24 AM

Hi,

please delete the current copy of ComboFix you have on your system and download a new one and rename it:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • rename it to fun.exe
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

If that does not work please run the following tool:
please run win32kdiag.exe again, with the following command to fix some malware related changes.
Please make sure that a copy of win32kdiag.exe is located on your desktop.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK:

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

regards myrti

#30 devilfruit

Posted 11 November 2009 - 02:51 PM

well here is the text file:
ComboFix 09-11-11.02 - 11/11/2009 19:29:54.4.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.1013.220 [GMT 0:00]
Running from: C:\Windows\system32\config\systemprofile\Desktop\fun.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Internet Security *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

i think I'm missing something to be honest, combo fix requires defender to be disabled but in the report it says enabled and I don't know how to disable it, and I get the feeling this report should be longer than it is as it looks just the same as the last one apart from the time

regards devilfruit
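Added example, not from this thread or from ComboFix: a small Python parser for the AV:/FW:/SP: status lines that head the two ComboFix logs posted above (#28 and #30). It lists the products ComboFix still reports as enabled, which is what devilfruit is asking about regarding Windows Defender, and those it reports as outdated. The sample header is copied from the log in #30; the regex and function names are my own.

```python
import re

# Header lines copied from the ComboFix log posted above (sample input for this example).
SAMPLE_HEADER = """\
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Internet Security *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
"""

# One status line: "<kind>: <product> *<state>* [(Outdated|Updated)] {<guid>}"
# kind is AV (antivirus), FW (firewall) or SP (antispyware); the freshness tag is optional.
LINE_RE = re.compile(
    r"^(?P<kind>AV|FW|SP): (?P<name>.+?) \*(?P<state>[^*]+)\*"
    r"(?: \((?P<freshness>Outdated|Updated)\))? \{(?P<guid>[0-9A-Fa-f-]+)\}$"
)


def parse_header(text):
    """Return one dict per AV/FW/SP line; lines that are not status lines are skipped."""
    products = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        # "*disabled*" and "*On-access scanning disabled*" both mean the product is off.
        entry["enabled"] = "disabled" not in entry["state"].lower()
        products.append(entry)
    return products


def still_active(products):
    """Products ComboFix reports as enabled; the helper asked for these to be off before a run."""
    return sorted({p["name"] for p in products if p["enabled"]})


def outdated(products):
    """Products whose definitions ComboFix flags as outdated."""
    return sorted({p["name"] for p in products if p["freshness"] == "Outdated"})


if __name__ == "__main__":
    found = parse_header(SAMPLE_HEADER)
    print("still enabled:", still_active(found))
    print("outdated:", outdated(found))
```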
