Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

sowhitehead

24 Posts

9630

April 27th, 2011 11:00

Fake Anti-Virus Pop-Ups, Unable to Update Security Software, All Security Disabled, Unable to use HiJackThis

My Dell laptop uses Windows Vista and is currently experiencing fake anti-virus pop-ups called "Vista Anti-Spyware".

I used Malwarebytes' Anti-Malware about a week ago and thought that had fixed it but now it's back and this time Malwarebytes' can't find it.

 

It has disabled Windows Defender, and causes the fatal blue screen crash everytime I use a Symantec Endpoint Protection to scan for it.

I get this Microsoft Windows Notice: "Host Process for Windows Services stopped working and was closed."

When I try to use Windows Update it says "Error 80072EFE".

My Security Center is turned off and when I try to turn it on it says "The Security Center service can't be started."

When I try to turn on Windows Defender it says "Windows Defender encountered an error: 0x80070424. The specified service does not exist as an installed service."

 

When I try to use HiJackThis it says "Cannot find the C:\Program Files\TrendMicro\HiJackThis\hijackthis.log file."

 

In Symantec Endpoint Protection's Quarantine there are these files:

Risk: Trojan.FakeAV!gen42 Filename: omnxawrces.exe Type: Backup Original Location: C:\Users\swhitehead\AppData\Local\Temp Status: Infected Date: 19/04/2011 14:25

Risk: Bloodhound.MalPE Filename: fwn.exe Type: Quarantine Original Location: C:\Avenger Status: Infected Date: 20/04/2011 14:09

Risk: Bloodhound.MalPE Filename: setup.exe Type: Quarantine Original Location: C:\Avenger Status: Infected Date: 20/04/2011 14:14

Risk: W32.Qakbot!gen8 Filename: iagu.exe Type: Backup Original Location: C:\Windows\Temp\ Status: Infected Date: 25/04/2011 11:20

Risk: Downloader.Ertfor Filename: pliiouru.exe Type: Backup Original Location: C:\Windows\Temp\ Status: Infected Date: 25/04/2011 11:20

Risk: Downloader.Ertfor Filename: lyyyzdduh[1].htm Type: Backup Original Location: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\ContentIE5\Z2SHV0I2\ Status: Infected Date: 25/04/2011 11:20

Risk:  W32.Qakbot!gen8 Filename: uhhymdqu[1].htm Type: Backup Original Location: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\ContentIE5\KDS7K0EL\ Status: Infected Date: 25/04/2011 11:20

kevin27_b3d29f

1.5K Posts

April 27th, 2011 13:00

Hi Sowhitehead,

 

 

Welcome to Dell Community Malware Removal Forums,

I'm K27 and i will be reviewing your log for you.

Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.

Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.

Please DO NOT use this system for anything apart from visiting this forum and other sites I direct you too, as this will only make the cleanup process all the more diffecult.

Failure to reply in three (3) days will result in this topic being closed and I will remove it from my notifications, If you require more time then that is fine but please let me know.

 

 

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:

  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.

In the Applications Tab:

  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

 

 

 

  • Double click your Malwarebytes desktop icon
  • Click the UPDATE tab at the top
  • Scan for and install any updates it finds
  • Then choose the SCANNER tab and run a QUICK SCAN
  • Once finished if MBAM found anything please click Show Results
  • Make sure EVERYTHING has a check in the box next to it and then click Remove Selected
  • Post the MBAM log results back to this thread

Please also post the MBAM log from last weeks run, it can be found under the logs tab.

 

 

 

I then need to see some additional information about what is happening in your machine.
Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
    DDS.jpg
  • Instead of attaching, please copy/past both logs into your next reply.

     

     

  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

 

Please copy/paste back both MBAM logs and BOTH DDS logs for review.

Thanks.

sowhitehead

24 Posts

April 28th, 2011 08:00

There was only one log file in MBAM, I think CCleaner wiped the rest.

 

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6463

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

28/04/2011 14:58:24
mbam-log-2011-04-28 (14-58-24).txt

Scan type: Quick scan
Objects scanned: 159448
Time elapsed: 9 minute(s), 52 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
c:\Windows\Temp\Cbh.exe (Trojan.Downloader) -> 2992 -> Unloaded process successfully.
c:\Windows\System32\config\systemprofile\AppData\Local\vcb.exe (Trojan.FakeAlert) -> 7952 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{D0EFA84D-612E-3808-01C7-1885CF77A215} (Trojan.ZbotR.Gen) -> Value: {D0EFA84D-612E-3808-01C7-1885CF77A215} -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\vcb.exe" -a "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\vcb.exe" -a "firefox.exe -safe-mode") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\vcb.exe" -a "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Temp\Cbh.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Local\vcb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\local settings\application data\vcb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.

.
DDS (Ver_11-03-05.01) - NTFSx86 
Run by swhitehead at 15:05:38.20 on 28/04/2011
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_23
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.3061.1635 [GMT 1:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Program Files\WTouch\WTouchService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\dlbacoms.exe
C:\Program Files\Kontiki\KService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell DataSafe Local Backup\sftservice.EXE
C:\Windows\system32\STacSV.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\Explorer.EXE
C:\Program Files\WTouch\WTouchUser.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Dell DataSafe Local Backup\Toaster.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Bamboo Dock\BambooCore.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Common Files\Panasonic\PHOTOfunSTUDIO AutoStart\AutoStartupService.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\swhitehead\Downloads\dds (1).com
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://en.community.dell.com/support-forums/virus-spyware/f/3521/p/19376071/19864233.aspx#19864233
uSearch Bar = Preserve
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [BambooCore] c:\program files\bamboo dock\BambooCore.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [IAStorIcon] c:\program files\intel\intel(r) rapid storage technology\IAStorIcon.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [D1T2EUR7FZ] c:\windows\temp\Cbf.exe
dRun: [TBXQRHV4KR] c:\windows\temp\Cbg.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\photof~1.lnk - c:\program files\common files\panasonic\photofunstudio autostart\AutoStartupService.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\swhite~1\appdata\roaming\mozilla\firefox\profiles\1loojk2n.default\
FF - prefs.js: browser.startup.homepage - www.givoogle.com
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: XULRunner: {9582D979-4F23-4F44-B75C-4F305B15189B} - c:\users\swhitehead\appdata\local\{9582D979-4F23-4F44-B75C-4F305B15189B}
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-18 214664]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-12-18 73728]
R2 dlba_device;dlba_device;c:\windows\system32\dlbacoms.exe -service --> c:\windows\system32\dlbacoms.exe -service [?]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-23 155648]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\intel\intel(r) rapid storage technology\IAStorDataMgrSvc.exe [2011-4-25 13336]
R2 SftService;SoftThinks Agent Service;c:\program files\dell datasafe local backup\SftService.exe [2010-12-10 705856]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-7-22 2440632]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-12-23 4408616]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2009-12-23 112936]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-4-19 102448]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-18 111616]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2009-12-23 13224]
S2 AMService;AMService;c:\windows\temp\olmi\setup.exe run --> c:\windows\temp\olmi\setup.exe run [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9bc7dfefcb148;Google Update Service (gupdate1c9bc7dfefcb148);c:\program files\google\update\GoogleUpdate.exe [2009-4-13 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-22 23888]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-18 30192]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-18 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-18 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-18 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-18 40552]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-12-23 15656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
exefile="c:\windows\system32\config\systemprofile\appdata\local\vcb.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-04-28 10:46:24 -------- d-----w- c:\program files\CCleaner
2011-04-27 16:29:58 388096 ----a-r- c:\users\swhite~1\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-04-27 16:29:57 -------- d-----w- c:\program files\Trend Micro
2011-04-27 16:10:57 -------- d-----w- c:\windows\system32\catroot2
2011-04-25 13:43:32 -------- d-----w- c:\users\swhite~1\appdata\roaming\Intel Corporation
2011-04-25 10:49:43 319456 ----a-w- c:\windows\system32\difxapi.dll
2011-04-25 10:49:07 -------- d-----w- C:\Intel
2011-04-25 10:49:05 354840 ----a-w- c:\windows\system32\drivers\iaStor.sys
2011-04-23 22:16:07 -------- d-----w- c:\users\swhite~1\appdata\roaming\Puors
2011-04-23 22:16:07 -------- d-----w- c:\users\swhite~1\appdata\roaming\Cyle
2011-04-21 17:34:56 80384 --sha-r- c:\windows\system32\pautoenrz.dll
2011-04-20 11:03:17 -------- d-----w- c:\users\swhite~1\appdata\roaming\Malwarebytes
2011-04-20 11:03:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 11:02:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-20 11:02:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-20 11:02:59 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-19 22:08:48 0 ----a-w- c:\users\swhite~1\appdata\local\Vfahe.bin
2011-04-19 15:04:46 -------- d-----w- c:\users\swhite~1\appdata\local\{9582D979-4F23-4F44-B75C-4F305B15189B}
2011-04-19 09:57:31 7071056 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{182a7a79-5ad4-40e4-aa47-c34edb064e42}\mpengine.dll
2011-04-16 12:58:58 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-04-16 12:58:56 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-16 12:58:49 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-04-05 19:07:14 -------- d-----w- c:\users\swhite~1\appdata\roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-04-05 18:56:05 -------- d-----w- c:\progra~2\regid.1986-12.com.adobe
2011-04-05 18:54:34 -------- d-----w- c:\progra~2\ALM
2011-04-02 11:09:52 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2011-04-02 11:07:12 -------- d--h--w- c:\windows\msdownld.tmp
2011-04-02 11:06:51 -------- d-----w- c:\windows\system32\directx
.
==================== Find3M  ====================
.
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13:01 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33:12 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33:09 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-16 16:16:37 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-16 14:02:23 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-02-02 17:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 15:08:05.52 ===============

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 18/12/2008 08:09:25
System Uptime: 28/04/2011 15:00:29 (0 hours ago)
.
Motherboard: Dell Inc. |  | 0U990C
Processor: Intel(R) Pentium(R) Dual  CPU  T3200  @ 2.00GHz | Microprocessor | 1000/166mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 285 GiB total, 198.419 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 4.264 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
.
 Update for Microsoft Office 2007 (KB2508958)
4oD
Acrobat.com
Adobe AIR
Adobe Common File Installer
Adobe Community Help
Adobe Flash Player 10 Plugin
Adobe Help Center 2.1
Adobe Illustrator CS5
Adobe Media Player
Adobe Photoshop Elements 5.0
Adobe Premiere Elements 3.0.2
Adobe Premiere Elements 3.0.2 Templates
Adobe Reader 9.1
Adobe Shockwave Player 11
Advanced Audio FX Engine
Advanced Video FX Engine
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bamboo
Bamboo Dock
Bamboo Dock 3.1
BBC iPlayer Desktop
BBC iPlayer Download Manager
Bonjour
Browser Address Error Redirector
CCleaner
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Conexant HDA D330 MDC V.92 Modem
D3DX10
Dell-eBay
Dell Best of Web
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell DataSafe Online
Dell Dock
Dell Getting Started Guide
Dell Support Center (Support Software)
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
Dell Wireless WLAN Card Utility
Digital Line Detect
DivX Version Checker
Download Manager 2.3.10
EDocs
EPSON S21 Series Printer Uninstall
Google Chrome
Google Desktop
Google Update Helper
GoToAssist 8.0.0.514
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Control Center
Intel(R) Rapid Storage Technology
Internet From BT
iPod for Windows 2005-03-23
iTunes
Java Auto Updater
Java(TM) 6 Update 23
Java(TM) 6 Update 7
Junk Mail filter update
Laptop Integrated Webcam Driver (1.04.01.1011) 
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Livebrush Mini
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes' Anti-Malware
MediaDirect
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word Viewer 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft WSE 3.0 Runtime
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
MobileMe Control Panel
Modem Diagnostic Tool
Mozilla Firefox (3.5.16)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
OGA Notifier 2.0.0048.0
OJOsoft DVD to MP4 Converter
OutlookAddinSetup
PDF Settings CS5
PHOTOfunSTUDIO 5.0
QuickSet
QuickTime
RollerCoaster Tycoon 2
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Safari
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3 USB Driver Installer
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2464594)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Segoe UI
Skype Toolbars
Skype™ 5.1
Spelling Dictionaries Support For Adobe Reader 9
Symantec Endpoint Protection
Tiscali Internet
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
.
==== End Of File ===========================

 

Thanks for helping me out K27, this is much appreciated.

kevin27_b3d29f

1.5K Posts

April 28th, 2011 13:00

Hi,

Your Welcome :)

Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine(instructions via links below)

 

Please download ComboFix.exe. Please visit THIS webpage for download links, and instructions for running the tool:

ComboFix MUST be saved to your desktop before running the tool

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

When prompted to install the recovery console please make sure to do so as this is a VERY IMPORTANT backup of ComboFix (XP only, Vista/Windows 7 will NOT be propmted to install the recovery console)

You will need to be conected to the net to install the recovery console, if you can not install it DO NOT run ComboFix,
Post back and we will install it manually.

DO NOT mouse click when ComboFix is running as this will cause ComboFix to Stall and it will not work as it should

EXTRA NOTES:

  • If Combofix detects a Rootkit on the system it will give a warning and prompt for a reboot, please allow it to do so.
  • If Combofix reboot's due to a rootkit, the screen may stay black for a few minutes on reboot, this is normal
  • On some Vista machines, after running Combofix, you may receive a warning message about registry key's being listed for deletion, when trying to open certain programs. Please reboot the system and this will fix the issue (These certain items will not be deleted)

 

Please include the C:\ComboFix.txt in your next reply for further review.

Thanks,
K27.

sowhitehead

24 Posts

April 28th, 2011 18:00

ComboFix 11-04-28.01 - swhitehead 29/04/2011   1:15.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.3061.1702 [GMT 1:00]
Running from: c:\users\swhitehead\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\swhitehead\AppData\Local\{9582D979-4F23-4F44-B75C-4F305B15189B}
c:\users\swhitehead\AppData\Local\{9582D979-4F23-4F44-B75C-4F305B15189B}\chrome.manifest
c:\users\swhitehead\AppData\Local\{9582D979-4F23-4F44-B75C-4F305B15189B}\chrome\content\_cfg.js
c:\users\swhitehead\AppData\Local\{9582D979-4F23-4F44-B75C-4F305B15189B}\chrome\content\overlay.xul
c:\users\swhitehead\AppData\Local\{9582D979-4F23-4F44-B75C-4F305B15189B}\install.rdf
c:\users\swhitehead\GoToAssistDownloadHelper.exe
D:\Autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2011-03-28 to 2011-04-29  )))))))))))))))))))))))))))))))
.
.
2011-04-29 00:28 . 2011-04-29 00:28    --------    d-----w-    c:\users\Default\AppData\Local\temp
2011-04-29 00:12 . 2011-04-29 00:12    --------    d-----w-    C:\32788R22FWJFW
2011-04-28 10:46 . 2011-04-28 10:46    --------    d-----w-    c:\program files\CCleaner
2011-04-27 16:29 . 2011-04-27 16:29    388096    ----a-r-    c:\users\swhitehead\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-27 16:29 . 2011-04-27 16:29    --------    d-----w-    c:\program files\Trend Micro
2011-04-27 16:10 . 2011-04-27 16:25    --------    d-----w-    c:\windows\system32\catroot2
2011-04-25 13:43 . 2011-04-25 13:43    --------    d-----w-    c:\users\swhitehead\AppData\Roaming\Intel Corporation
2011-04-25 10:49 . 2006-11-02 06:21    319456    ----a-w-    c:\windows\system32\difxapi.dll
2011-04-25 10:49 . 2011-04-25 10:51    --------    d-----w-    c:\program files\Intel
2011-04-25 10:49 . 2011-04-25 10:49    --------    d-----w-    C:\Intel
2011-04-25 10:49 . 2010-11-05 22:39    354840    ----a-w-    c:\windows\system32\drivers\iaStor.sys
2011-04-25 10:08 . 2011-04-25 10:08    125440    ----a-w-    c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oqsup.exe
2011-04-23 22:16 . 2011-04-25 13:35    --------    d-----w-    c:\users\swhitehead\AppData\Roaming\Cyle
2011-04-23 22:16 . 2011-04-25 10:29    --------    d-----w-    c:\users\swhitehead\AppData\Roaming\Puors
2011-04-23 22:16 . 2011-04-23 22:16    129024    ----a-w-    c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fyyhl.exe
2011-04-21 17:34 . 2011-04-21 17:34    80384    --sha-r-    c:\windows\system32\pautoenrz.dll
2011-04-20 11:03 . 2011-04-20 11:03    --------    d-----w-    c:\users\swhitehead\AppData\Roaming\Malwarebytes
2011-04-20 11:03 . 2010-12-20 17:09    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 11:02 . 2011-04-28 14:00    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2011-04-20 11:02 . 2011-04-20 11:02    --------    d-----w-    c:\programdata\Malwarebytes
2011-04-20 11:02 . 2010-12-20 17:08    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2011-04-19 22:08 . 2011-04-20 10:27    0    ----a-w-    c:\users\swhitehead\AppData\Local\Vfahe.bin
2011-04-19 13:37 . 2011-04-19 13:37    --------    d-----w-    c:\windows\Sun
2011-04-19 09:57 . 2011-04-11 07:04    7071056    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{182A7A79-5AD4-40E4-AA47-C34EDB064E42}\mpengine.dll
2011-04-16 12:58 . 2011-03-03 13:25    2041856    ----a-w-    c:\windows\system32\win32k.sys
2011-04-16 12:58 . 2011-03-03 15:42    739328    ----a-w-    c:\windows\system32\inetcomm.dll
2011-04-16 12:58 . 2011-03-03 10:50    2409784    ----a-w-    c:\program files\Windows Mail\OESpamFilter.dat
2011-04-05 19:07 . 2011-04-05 19:07    --------    d-----w-    c:\users\swhitehead\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-04-05 18:56 . 2011-04-05 18:56    --------    d-----w-    c:\programdata\regid.1986-12.com.adobe
2011-04-05 18:54 . 2011-04-05 18:54    --------    d-----w-    c:\programdata\ALM
2011-04-05 18:51 . 2011-04-05 18:51    --------    d-----w-    c:\program files\Adobe Media Player
2011-04-02 11:09 . 2005-05-26 14:34    2297552    ----a-w-    c:\windows\system32\d3dx9_26.dll
2011-04-02 11:07 . 2011-04-04 12:26    --------    d--h--w-    c:\windows\msdownld.tmp
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-14 12:20 . 2010-06-24 11:33    18328    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-22 14:13 . 2011-03-23 13:38    288768    ----a-w-    c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 13:38    1068544    ----a-w-    c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 13:38    797696    ----a-w-    c:\windows\system32\FntCache.dll
2011-02-02 17:11 . 2010-10-02 00:17    222080    ------w-    c:\windows\system32\MpSigStub.exe
2010-07-10 13:21 . 2008-12-29 18:42    119808    ----a-w-    c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-04 167936]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-07-03 3563520]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-10 30192]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-11-06 184320]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]
"4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-22 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"BambooCore"="c:\program files\Bamboo Dock\BambooCore.exe" [2010-12-18 629336]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-11-05 283160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
c:\users\swhitehead\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-12-18 50688]
PHOTOfunSTUDIO 5.0.lnk - c:\program files\Common Files\Panasonic\PHOTOfunSTUDIO AutoStart\AutoStartupService.exe [2010-12-26 172544]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
fyyhl.exe [2011-4-23 129024]
oqsup.exe [2011-4-25 125440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-18 07:46    10536    ----a-w-    c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
.
R2 AMService;AMService;c:\windows\TEMP\olmi\setup.exe run
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9bc7dfefcb148;Google Update Service (gupdate1c9bc7dfefcb148);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-13 133104]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-07-22 23888]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-10 30192]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2009-01-30 15656]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-11-12 73728]
S2 dlba_device;dlba_device;c:\windows\system32\dlbacoms.exe [2007-03-05 538096]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-23 155648]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-05 13336]
S2 SftService;SoftThinks Agent Service;c:\program files\Dell DataSafe Local Backup\sftservice.EXE [2011-01-13 705856]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-07-15 4408616]
S2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [2009-07-15 112936]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-07-15 102448]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-03-06 111616]
S3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\DRIVERS\WacomVTHid.sys [2009-05-20 13224]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-13 21:22]
.
2011-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-13 21:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.community.dell.com/support-forums/virus-spyware/f/3521/p/19376071/19864233.aspx#19864233
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
FF - ProfilePath - c:\users\swhitehead\AppData\Roaming\Mozilla\Firefox\Profiles\1loojk2n.default\
FF - prefs.js: browser.startup.homepage - www.givoogle.com
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
------- File Associations -------
.
exefile="c:\windows\system32\config\systemprofile\AppData\Local\vcb.exe" -a "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKLM-Run-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
SafeBoot-Symantec Antvirus
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-29 01:29
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
   1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{6EBF7485-159F-4BFF-A14F-B9E3AAC4465B}"=hex:51,66,7a,6c,4c,1d,38,12,eb,77,ac,
   6a,ad,5b,91,0e,de,59,fa,a3,af,9a,02,4f
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
   94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{CA6319C0-31B7-401E-A518-A07C3DB8F777}"=hex:51,66,7a,6c,4c,1d,38,12,ae,1a,70,
   ce,85,7f,70,05,da,0e,e3,3c,38,e6,b3,63
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
   df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
   fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
   b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:9e,09,9c,ff,4b,00,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,47,05,e0,db,56,08,41,b4,ed,c0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,47,05,e0,db,56,08,41,b4,ed,c0,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-04-29  01:48:06
ComboFix-quarantined-files.txt  2011-04-29 00:47
.
Pre-Run: 212,468,752,384 bytes free
Post-Run: 212,368,596,992 bytes free
.
- - End Of File - - 58BDD4F56EE64DDDD6EC31171DC192BC

kevin27_b3d29f

1.5K Posts

April 29th, 2011 04:00

Hi,

 

PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBOFIX, SO THAT COMBOFIX IS NOT HINDERED IN ITS REMOVAL PROCESS

Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine(instructions via links below)

 

Next we are going to run ComboFix in a slightly different way

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quote box below into it:

Quote:

http://en.community.dell.com/support-forums/virus-spyware/f/3521/t/19376071.aspx

Suspect::[108]
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oqsup.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fyyhl.exe
c:\windows\system32\pautoenrz.dll
c:\windows\TEMP\olmi\setup.exe run

File::
c:\users\swhitehead\AppData\Local\Vfahe.bin

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
   1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{6EBF7485-159F-4BFF-A14F-B9E3AAC4465B}"=hex:51,66,7a,6c,4c,1d,38,12,eb,77,ac,
   6a,ad,5b,91,0e,de,59,fa,a3,af,9a,02,4f
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
   94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{CA6319C0-31B7-401E-A518-A07C3DB8F777}"=hex:51,66,7a,6c,4c,1d,38,12,ae,1a,70,
   ce,85,7f,70,05,da,0e,e3,3c,38,e6,b3,63
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
   df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
   fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
   b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:9e,09,9c,ff,4b,00,cc,01
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,47,05,e0,db,56,08,41,b4,ed,c0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,47,05,e0,db,56,08,41,b4,ed,c0,\
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000













































 

 

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe (NOTE: You may receive a message that there is a newer version of Combofix available, please allow Combofox to update if you get this message)

 

Combofix is going to prompt that it is uploading a file, please allow it to do so.

 

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NOTE: If ComboFix does not reboot the system, please do so manually

Thanks
K27.

 

sowhitehead

24 Posts

April 29th, 2011 16:00

K27,

I followed your instructions, but each time I drag the script into ComboFix, the screen turns blue and it says a problem has been detected so windows had to shut down to protect the computer. It then restarts. I've tried a few times today with the same result.

I'm pretty sure I've disabled all the security features (Symantic Endpoint Protection, Windows Firewall, Windows Defender, User Account Protection, Internet Security..)

kevin27_b3d29f

1.5K Posts

April 30th, 2011 03:00

OK,

Lets take this from a different approach.

 

 

Please go to Virus Total where you will see a browse button in the middle of the screen.

  • Click the Browse button
  • Locate the following file(s)

 

c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oqsup.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fyyhl.exe
c:\windows\system32\pautoenrz.dll
c:\windows\TEMP\olmi\setup.exe run

 

  • Click Send File
  • Post Reports back to this thread

 

Note: you may need to show hidden files to locate the files requested:

 

Please open any Windows Explorer window such as "My Computer" or "My Documents", any will do.

  • Please click Tools on the top menu bar and then click Folder Option
  • Then in the Folder option window click the View tab
  • Put a checkmark in the checkbox labeled Display the contents of system folders
  • Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders"
  • Remove the checkmark from the checkbox labeled "Hide file extensions for known file type"
  • Remove the checkmark from the checkbox labeled "Hide protected operating system files"
  • Then please click Apply and then click OK
  • you can now close all Windows Explorer windows until you are back at the Desktop.

 

 

Remember to hide hidden files/folders by reversing the action when you have finished

 

Please post the four Virus Total reports back for review.

 

Thanks.

kevin27_b3d29f

1.5K Posts

May 2nd, 2011 09:00

Hi sowhitehead,

Are you still in need of assistance?

Thanks.

sowhitehead

24 Posts

May 2nd, 2011 15:00

Hi K27,

sowhitehead

24 Posts

May 2nd, 2011 15:00

Hi K27,

Sorry it took me so long to get back to you, I gave my laptop to a friend to look at, and he seems to have gotten rid of the virus, however when I try to turn on Windows Defender it still says "Windows Defender encountered an error: 0x80070424. The specified service does not exist as an installed service."

 

kevin27_b3d29f

1.5K Posts

May 2nd, 2011 16:00

Hi,

however when I try to turn on Windows Defender it still says "Windows Defender encountered an error: 0x80070424. The specified service does not exist as an installed service."

 

That is the virus that is stopping the updates from happening,

 

 

 

You may be infected with a new variant of the TDL Rootkit, please follow these instructions exactly as written.

Please DO NOT click any fix button until instructed to do so by your analyst. Failure to comply with this may result in an unbootable system

Please download the Avast ASWMBR.exe Anti-Rootkit Tool and save it to you Desktop

 

  • Please double click the tool to open it (Windows Vista/7 please right click and "Run as Administrator")
  • Referring to the image below. please click the SCAN button and allow the scan to run to completion

 

1_aswmbr_scan.png

 

  • Once the scan has Completed, please click the Save Log button and save the log to the desktop

 

2_aswmbr_save_log.png

 

  • Saved to the desktop will be a text file named aswMBR.txt, please copy/paste the contents of the text file back for review in your next reply
  • There will also be a file named MBR.dat saved to the desktop, please Attach that file to your next reply, Please DO NOT copy/paste the contents of the .dat file as it will become unreadable

Thanks,

sowhitehead

24 Posts

May 2nd, 2011 17:00

aswMBR version 0.9.5.247 Copyright(c) 2011 AVAST Software
Run date: 2011-05-03 00:40:05
-----------------------------
00:40:05.962    OS Version: Windows 6.0.6002 Service Pack 2
00:40:05.962    Number of processors: 2 586 0xF0D
00:40:05.962    ComputerName: HARRY  UserName:
00:40:27.771    Initialize success
00:40:32.061    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
00:40:32.076    Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 3
00:40:32.092    Disk 0 MBR read successfully
00:40:32.092    Disk 0 MBR scan
00:40:32.092    Disk 0 unknown MBR code
00:40:32.108    Disk 0 scanning sectors +625139712
00:40:32.139    Disk 0 scanning C:\Windows\system32\drivers
00:40:42.372    Service scanning
00:40:43.776    Disk 0 trace - called modules:
00:40:43.776    ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
00:40:43.792    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86eeaac8]
00:40:43.792    3 CLASSPNP.SYS[8a9ab8b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8572d028]
00:40:43.792    Scan finished successfully
00:40:49.938    Disk 0 MBR has been saved successfully to "C:\Users\swhitehead\Desktop\MBR.dat"
00:40:49.938    The log file has been saved successfully to "C:\Users\swhitehead\Desktop\aswMBR.txt"

 

.
DDS (Ver_11-03-05.01) - NTFSx86 
Run by swhitehead at  0:43:25.12 on 03/05/2011
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_23
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.3061.1600 [GMT 1:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Program Files\WTouch\WTouchService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\dlbacoms.exe
C:\Program Files\Kontiki\KService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell DataSafe Local Backup\sftservice.EXE
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\Program Files\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Dell DataSafe Local Backup\Toaster.exe
C:\Windows\System32\vds.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Bamboo Dock\BambooCore.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Common Files\Panasonic\PHOTOfunSTUDIO AutoStart\AutoStartupService.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\swhitehead\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://en.community.dell.com/support-forums/virus-spyware/f/3521/p/19376071/19864233.aspx#19864233
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [BambooCore] c:\program files\bamboo dock\BambooCore.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [IAStorIcon] c:\program files\intel\intel(r) rapid storage technology\IAStorIcon.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\photof~1.lnk - c:\program files\common files\panasonic\photofunstudio autostart\AutoStartupService.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~3\GoogleDesktopNetwork3.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\swhite~1\appdata\roaming\mozilla\firefox\profiles\1loojk2n.default\
FF - prefs.js: browser.startup.homepage - www.givoogle.com
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-18 214664]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-12-18 73728]
R2 dlba_device;dlba_device;c:\windows\system32\dlbacoms.exe -service --> c:\windows\system32\dlbacoms.exe -service [?]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-23 155648]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\intel\intel(r) rapid storage technology\IAStorDataMgrSvc.exe [2011-4-25 13336]
R2 SftService;SoftThinks Agent Service;c:\program files\dell datasafe local backup\SftService.exe [2010-12-10 705856]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-7-22 2440632]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-12-23 4408616]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2009-12-23 112936]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-4-19 102448]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-18 111616]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2009-12-23 13224]
S2 AMService;AMService;c:\windows\temp\olmi\setup.exe run --> c:\windows\temp\olmi\setup.exe run [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9bc7dfefcb148;Google Update Service (gupdate1c9bc7dfefcb148);c:\program files\google\update\GoogleUpdate.exe [2009-4-13 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-22 23888]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-18 30192]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-18 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-18 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-18 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-18 40552]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-12-23 15656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
exefile="c:\windows\system32\config\systemprofile\appdata\local\vcb.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-04-29 12:22:43    --------    d-s---w-    C:\ComboFix
2011-04-29 00:48:39    --------    d-sh--w-    C:\$RECYCLE.BIN
2011-04-29 00:13:01    89088    ----a-w-    c:\windows\MBR.exe
2011-04-29 00:13:00    98816    ----a-w-    c:\windows\sed.exe
2011-04-29 00:13:00    256512    ----a-w-    c:\windows\PEV.exe
2011-04-29 00:13:00    161792    ----a-w-    c:\windows\SWREG.exe
2011-04-28 10:46:24    --------    d-----w-    c:\program files\CCleaner
2011-04-27 16:29:58    388096    ----a-r-    c:\users\swhite~1\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-04-27 16:29:57    --------    d-----w-    c:\program files\Trend Micro
2011-04-27 16:10:57    --------    d-----w-    c:\windows\system32\catroot2
2011-04-25 13:43:32    --------    d-----w-    c:\users\swhite~1\appdata\roaming\Intel Corporation
2011-04-25 10:49:43    319456    ----a-w-    c:\windows\system32\difxapi.dll
2011-04-25 10:49:07    --------    d-----w-    C:\Intel
2011-04-25 10:49:05    354840    ----a-w-    c:\windows\system32\drivers\iaStor.sys
2011-04-23 22:16:07    --------    d-----w-    c:\users\swhite~1\appdata\roaming\Puors
2011-04-23 22:16:07    --------    d-----w-    c:\users\swhite~1\appdata\roaming\Cyle
2011-04-21 17:34:56    80384    --sha-r-    c:\windows\system32\pautoenrz.dll
2011-04-20 11:03:17    --------    d-----w-    c:\users\swhite~1\appdata\roaming\Malwarebytes
2011-04-20 11:03:01    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 11:02:59    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2011-04-20 11:02:59    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2011-04-20 11:02:59    --------    d-----w-    c:\progra~2\Malwarebytes
2011-04-19 22:08:48    0    ----a-w-    c:\users\swhite~1\appdata\local\Vfahe.bin
2011-04-19 09:57:31    7071056    ----a-w-    c:\progra~2\microsoft\windows defender\definition updates\{182a7a79-5ad4-40e4-aa47-c34edb064e42}\mpengine.dll
2011-04-16 12:58:58    2041856    ----a-w-    c:\windows\system32\win32k.sys
2011-04-16 12:58:56    739328    ----a-w-    c:\windows\system32\inetcomm.dll
2011-04-16 12:58:49    2409784    ----a-w-    c:\program files\windows mail\OESpamFilter.dat
2011-04-05 19:07:14    --------    d-----w-    c:\users\swhite~1\appdata\roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-04-05 18:56:05    --------    d-----w-    c:\progra~2\regid.1986-12.com.adobe
2011-04-05 18:54:34    --------    d-----w-    c:\progra~2\ALM
.
==================== Find3M  ====================
.
2011-03-10 17:03:51    1162240    ----a-w-    c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51    1136640    ----a-w-    c:\windows\system32\mfc42.dll
2011-03-02 15:44:27    86528    ----a-w-    c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13:01    288768    ----a-w-    c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33:12    1068544    ----a-w-    c:\windows\system32\DWrite.dll
2011-02-22 13:33:09    797696    ----a-w-    c:\windows\system32\FntCache.dll
2011-02-16 16:16:37    34304    ----a-w-    c:\windows\system32\atmlib.dll
2011-02-16 14:02:23    292864    ----a-w-    c:\windows\system32\atmfd.dll
2011-02-02 17:11:20    222080    ------w-    c:\windows\system32\MpSigStub.exe
.
============= FINISH:  0:43:54.05 ===============

 

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 18/12/2008 08:09:25
System Uptime: 03/05/2011 00:37:55 (0 hours ago)
.
Motherboard: Dell Inc. |  | 0U990C
Processor: Intel(R) Pentium(R) Dual  CPU  T3200  @ 2.00GHz | Microprocessor | 2000/166mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 285 GiB total, 188.748 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 4.266 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
 Update for Microsoft Office 2007 (KB2508958)
4oD
Acrobat.com
Adobe AIR
Adobe Common File Installer
Adobe Community Help
Adobe Flash Player 10 Plugin
Adobe Help Center 2.1
Adobe Illustrator CS5
Adobe Media Player
Adobe Photoshop Elements 5.0
Adobe Premiere Elements 3.0.2
Adobe Premiere Elements 3.0.2 Templates
Adobe Reader 9.1
Adobe Shockwave Player 11
Advanced Audio FX Engine
Advanced Video FX Engine
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bamboo
Bamboo Dock
Bamboo Dock 3.1
BBC iPlayer Desktop
BBC iPlayer Download Manager
Bonjour
Browser Address Error Redirector
CCleaner
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Conexant HDA D330 MDC V.92 Modem
D3DX10
Dell-eBay
Dell Best of Web
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell DataSafe Online
Dell Dock
Dell Getting Started Guide
Dell Support Center (Support Software)
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
Dell Wireless WLAN Card Utility
Digital Line Detect
DivX Version Checker
Download Manager 2.3.10
EDocs
EPSON S21 Series Printer Uninstall
Google Chrome
Google Desktop
Google Update Helper
GoToAssist 8.0.0.514
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Control Center
Intel(R) Rapid Storage Technology
Internet From BT
iPod for Windows 2005-03-23
iTunes
Java Auto Updater
Java(TM) 6 Update 23
Java(TM) 6 Update 7
Junk Mail filter update
Laptop Integrated Webcam Driver (1.04.01.1011) 
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Livebrush Mini
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes' Anti-Malware
MediaDirect
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word Viewer 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft WSE 3.0 Runtime
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
MobileMe Control Panel
Modem Diagnostic Tool
Mozilla Firefox (3.5.18)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
OGA Notifier 2.0.0048.0
OJOsoft DVD to MP4 Converter
OutlookAddinSetup
PDF Settings CS5
PHOTOfunSTUDIO 5.0
QuickSet
QuickTime
RollerCoaster Tycoon 2
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Safari
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3 USB Driver Installer
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2464594)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Segoe UI
Skype Toolbars
Skype™ 5.1
Spelling Dictionaries Support For Adobe Reader 9
Symantec Endpoint Protection
Tiscali Internet
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
.
==== End Of File ===========================

sowhitehead

24 Posts

May 2nd, 2011 17:00

aswMBR version 0.9.5.247 Copyright(c) 2011 AVAST Software
Run date: 2011-05-02 23:57:25
-----------------------------
23:57:25.213    OS Version: Windows 6.0.6002 Service Pack 2
23:57:25.213    Number of processors: 2 586 0xF0D
23:57:25.213    ComputerName: HARRY  UserName:
23:57:55.352    Initialize success
23:58:27.098    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
23:58:27.114    Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 3
23:58:27.114    Disk 0 MBR read successfully
23:58:27.114    Disk 0 MBR scan
23:58:27.130    Disk 0 TDL4@MBR code has been found
23:58:27.130    Disk 0 MBR hidden
23:58:27.130    Disk 0 MBR [TDL4]  **ROOTKIT**
23:58:27.130    Disk 0 trace - called modules:
23:58:27.145    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x882804f0]<<
23:58:27.145    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x872d8338]
23:58:27.145    3 CLASSPNP.SYS[8a9aa8b3] -> nt!IofCallDriver -> [0x887ad678]
23:58:27.161    \Driver\iaStor[0x872f70e0] -> IRP_MJ_CREATE -> 0x882804f0
23:58:27.161    Scan finished successfully
23:58:39.844    Disk 0 MBR has been saved successfully to "C:\Users\swhitehead\Desktop\MBR.dat"
23:58:39.890    The log file has been saved successfully to "C:\Users\swhitehead\Desktop\aswMBR.txt"

1 Attachment

kevin27_b3d29f

1.5K Posts

May 2nd, 2011 17:00

Hi,

You are infected with an MBR Rootkit.

Please delete the version of aswMBR.exe that you have saved to the desktop and then reboot the computer <--Very Important, the system must be rebooted.

Then please download a fresh version from HERE and save it to the desktop

 

 

  • Then Please reopen the new version of the aswMBR.exe tool that is saved to the desktop
  • Referring to the image below. please click the SCAN button and allow the scan to run to completion

 

1_aswmbr_scan.png

 

  • Once the scan has completed, please click the FIX button

 

3_aswmbr_FIX.png

 

  • Please DO NOT do anything with the system until you are prompted to reboot the system

 

  • Once you see the pop-up window prompting for a reboot, please do so

NOTE: After the fix the system may become unresponsive, if this is the case then please do a hard reboot (hold the power button until the system shuts down.

Also, upon reboot the system may show a Blue Error Screen, this is normal and is nothing to worry about, please allow the system to carry on rebooting

 

  • Once the system has rebooted, please rescan with aswMBR.exe and post the fresh scan results back for review

Please also post a fresh set of DDS logs.

 

Thanks.

 

kevin27_b3d29f

1.5K Posts

May 2nd, 2011 18:00

Hi,

Good work, the rootkit is now gone.

 

 

  • Your Java is outdated
  • Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 25 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 25 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u25 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
Applications and Applets
Trace and Log Files
  • Click OK on Delete Temporary Files Window
  • Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

    .
    Adobe Reader and flash player are both out of date, please update to the latest versions from HERE (NOTE: On the Download page, please make sure to uncheck the box next to the "McAfee Scan" item as it is not needed)
    Once you have the latest version of Adobe Reader and flash installed, please uninstall all outdated versions that remain in the add/Remove programs list on your system in control panel.

     

     

    Please disable all active protection before running the online scan

     

     

     

    Go here to run an online scannner from ESET.

    • Note: You will need to use Internet explorer for this scan
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
    • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    • Click Scan
    • Wait for the scan to finish
    • Click the "Show Results" button
    • Then click the "Export to Text File" button and save the log to the desktop
    • Copy and paste that log as a reply to this topic and also let me know how things are now.

     

    Please post the ESET report and a fresh set of DDS logs and a status report on how the system is running <--Important, please answer this

     

    Thanks

    View More

    View All

    No Events found!

    Top