Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Antispyware Vista and redirect problem


  • This topic is locked This topic is locked
33 replies to this topic

#1 tajemi

tajemi

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 02 April 2010 - 05:15 PM

inital issue This has all the error messages etc that I am still receiving in this thread.

So initially I wanted help with a redirect problem (also a new tab will open occasionally of it's own accord) but it seems I keep getting reinfected with antispyware Vista. MBAM was detecting the infestation but soon it was having issues of it's own and an error would cause it to shutdown before removal could be completed.

So Boopme sent me here to get further help (which I reallllllly appreciate!!)

DDS log
QUOTE
DDS (Ver_10-03-17.01) - NTFSx86
Run by tanya at 8:31:51.45 on Sat 03/04/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2038.801 [GMT 11:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Acer\Acer Bio Protection\PdtWzd.exe
C:\Windows\PLFSetI.exe
svchost.exe
svchost.exe
svchost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\tanya\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\ehome\ehmsas.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Acer\Acer VCM\acp2HID.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\UI0Detect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\tanya\AppData\Roaming\MySpace\Toolbar\bin\MSTBCoreContainer.exe
C:\Users\tanya\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = hxxp://en.au.acer.yahoo.com
mDefault_Page_URL = hxxp://en.au.acer.yahoo.com
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [ePower_DMC] c:\program files\acer\empowering technology\epower\ePower_DMC.exe
mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [eAudio] "c:\program files\acer\empowering technology\eaudio\eAudio.exe"
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ZPdtWzdVitaKey MC3000] "c:\program files\acer\acer bio protection\PdtWzd.exe" show
mRun: [PLFSetI] c:\windows\PLFSetI.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [ArcadeDeluxeAgent] "c:\program files\acer arcade deluxe\acer arcade deluxe\ArcadeDeluxeAgent.exe"
mRun: [CLMLServer] "c:\program files\acer arcade deluxe\acer arcade deluxe\kernel\clml\CLMLSvc.exe"
mRun: [PlayMovie] "c:\program files\acer arcade deluxe\playmovie\PMVService.exe"
mRun: [NSLauncher] c:\program files\nokia\nokia software launcher\NSLauncher.exe /startup
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\tanya\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {10954C80-4F0F-11d3-B17C-00C0DFE39736} - c:\program files\acer\acer bio protection\PwdBank.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AWinNotifyVitaKey MC3000 - c:\program files\acer\acer bio protection\WinNotify.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
LSA: Notification Packages = scecli c:\program files\acer\acer bio protection\PwdFilter

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\system32\drivers\AlfaFF.sys [2008-8-19 43184]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-24 64288]
R1 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-3-21 201288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\playmovie\000.fcl [2008-8-19 41456]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-2-26 21752]
R2 CLHNService;CLHNService;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\CLHNService.exe [2008-8-19 81504]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-3-21 24576]
R2 IGBASVC;iGroupTec Service;c:\program files\acer\acer bio protection\BASVC.exe [2008-8-19 3474432]
R2 NTIPPKernel;NTIPPKernel;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\NTIPPKernel.sys [2008-8-19 122368]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-22 135664]
S3 bsusbser;PHD USB Device for Legacy Serial Communication;c:\windows\system32\drivers\bsusbser.sys [2008-1-23 99456]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2008-3-21 54784]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-3-21 84240]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-3-21 79304]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-3-21 35240]
S3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2008-3-21 33800]
S3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2008-3-21 40488]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-4-23 40752]

=============== Created Last 30 ================


==================== Find3M ====================


============= FINISH: 8:38:03.63 ===============




When I was running the GMER scan the first time it caused (I am presuming it was the scan) windows to unexpectedly shutdown and restart on it's own so I will post this and then attach the GMER file when I complete the scan again.

I can't get the GMER scan to save a log... it causes my compter to crash either during the scan or while the scan has completed. If I can get the scan to complete (which takes a long time) I can't get it to do anything else, I click the save button and it the mouse icon (or what ever it is) tells me the system is busy, but it doesn't get any further and I can't do anything but shut my computer off.

Merged posts. ~ OB

Edited by Orange Blossom, 03 April 2010 - 02:05 AM.


BC AdBot (Login to Remove)

 


#2 tajemi

tajemi
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 04 April 2010 - 05:26 PM

I can't see the file I attached when I first posted... will reattach

Attached Files



#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:43 AM

Posted 06 April 2010 - 05:36 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#4 tajemi

tajemi
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 07 April 2010 - 03:47 PM

Hi mOle smile.gif Thank you so much for helping me, I look forward to getting this bug off my computer smile.gif

Tanya

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:43 AM

Posted 07 April 2010 - 05:12 PM

Hi Tanya,

First question: Have you tried running Gmer in safe mode?
Posted Image
m0le is a proud member of UNITE

#6 tajemi

tajemi
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 07 April 2010 - 05:16 PM

No, Should I do that now?

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:43 AM

Posted 07 April 2010 - 05:19 PM

Yes, give it a go. It may still crash...
Posted Image
m0le is a proud member of UNITE

#8 tajemi

tajemi
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 07 April 2010 - 05:20 PM

Ok... will do. Cross your fingers! LOL

#9 tajemi

tajemi
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 07 April 2010 - 06:49 PM

GMER found no modifications when after scanning in safe mode. Is that normal for it to have a big list in normal mode and none in safe mode?

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:43 AM

Posted 07 April 2010 - 07:00 PM

Yes, safe mode has less processes running so will be a shorter log.


Please run Combofix

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#11 tajemi

tajemi
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 07 April 2010 - 07:25 PM

I have double clicked it and now it is asking me which program to open it with??

ETA: it's iexpore it wants to open

Edited by tajemi, 07 April 2010 - 07:26 PM.


#12 tajemi

tajemi
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 07 April 2010 - 08:46 PM

QUOTE
ComboFix 10-04-06.05 - Owner 08/04/2010 11:08:39.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2038.631 [GMT 10:00]
Running from: C:\Users\tanya\Desktop\comfix.exe.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\$RECYCLE.BIN\S-1-5-21-1338672131-3479510949-1578703941-1000
C:\$RECYCLE.BIN\S-1-5-21-3402706699-2011739237-2056063764-500
C:\ProgramData\2554285925.dll
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
C:\Users\Owner\AppData\Roaming\.#
C:\Users\Owner\AppData\Roaming\.#\MBX@D8C@1BB2990.###
C:\Users\Owner\AppData\Roaming\.#\MBX@D8C@1BB29C0.###
C:\Users\Owner\AppData\Roaming\.#\MBX@D8C@1BB29F0.###
C:\Users\Owner\AppData\Roaming\.#\MBX@F70@352990.###
C:\Users\Owner\AppData\Roaming\.#\MBX@F70@3529C0.###
C:\Users\Owner\AppData\Roaming\.#\MBX@F70@3529F0.###
C:\Users\tanya\AppData\Local\av.exe
C:\Users\tanya\AppData\Local\ave.exe
C:\Users\tanya\AppData\Local\Microsoft\Windows\Temporary Internet Files\3m0AT0UJ.jpg
C:\Users\tanya\AppData\Local\Microsoft\Windows\Temporary Internet Files\4RjGfJ.jpg
C:\Users\tanya\AppData\Local\Microsoft\Windows\Temporary Internet Files\7pT2UyJ0.jpg
C:\Users\tanya\AppData\Local\Microsoft\Windows\Temporary Internet Files\hiIW5.jpg
C:\Users\tanya\AppData\Local\Temp\aNxw.exe
C:\Users\tanya\AppData\Local\Temp\is-369GQ.tmp\mbam-setup(3).tmp
C:\Users\tanya\AppData\Local\Temp\RtkBtMnt.exe
C:\Users\tanya\AppData\Local\Temp\YQww.exe
C:\Windows\Suyin.reg

.


I had a few issues with the combofix program, so I am not sure if it worked properly.
when I initially ran it it asked me what it wanted to open a few different files and I just cancelled all of those then it ran. It told me it it found something (rootkit??) and need to restart... so it did that. Then when it started again after the restat I have to verify about 1000 times and Mcaffee popped up that it was blocking something so I shut combofix off.
I restarted it and it ran fine.... no need to restart before the scan. But Mcafee popped up again saying it found a virus (even after shutting it off). It finished the scan and needed to restart then after restarting it asked for verification several times.... I hope that made some sense! LOL



#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:43 AM

Posted 08 April 2010 - 12:33 PM

Please run Combofix again. The program has found a rootkit which it has had to deal with.

Please also post the last log:

Please go to Start >Run > and copy/paste the following, then press Enter

C:\QooBox\ComboFix-quarantined-files.txt

A log file should open. Please post that in your next reply.
Posted Image
m0le is a proud member of UNITE

#14 tajemi

tajemi
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 08 April 2010 - 03:16 PM

Thank you mOle,
I tried to find the file you have listed in our last post (C:\QooBox\ComboFix-quarantined-files.txt) but my computer says it cannont find it.

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:43 AM

Posted 08 April 2010 - 03:51 PM

Okay, then rerun Combofix and let's see if we can get a log. Definitely rootkit activity here smile.gif

Edited by m0le, 08 April 2010 - 03:51 PM.

Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users