I have tried to run Malwarebytes but cannot get it to install. I have tried to use Hostspert, but no luck. I have even tried SDfix, but like Malwarebytes, it will not run. I need some help.

Please download Malwarebytes' Anti-Malware from one of these sites:
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & Paste the entire report in your next reply.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

I have already downloaded Malwarebytes, but I cannot get the setup.exe to work. No problem with Hijackthis.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:28 PM, on 11/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\csasvc.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Sony Handheld\HOTSYNC.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/Walgreen...
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/as...
O16 - DPF: {EB29B81A-7351-4890-8BCE-58127C3545F9} (Mckntauth Control) - https://portal.smhp.health-partners.org/portal/applets/mckntauth.ocx
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Creative Solutions Accounting Print Service (CSAPrintService) - Creative Solutions - C:\WINDOWS\csasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.exe
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8347 bytes
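To show how a helper reads a HijackThis log like the one above, here is an added Python example (not code from this thread, from HijackThis, or from any tool named here) that parses the O2/O4/O16/O23 lines into records and marks entries for manual review. The sample lines are copied from the posted log; the review heuristics are this example's own assumptions and flag items to look at, not verdicts.

```python
"""Parse HijackThis 2.0.2 log lines into records and mark items for review.

Added example, not code from this thread or from HijackThis. The sample
lines are copied from the log posted above; the review heuristics are this
example's own assumptions and only flag entries a helper would look at
first (runservice.exe, for instance, turned out to be a licensing service).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Subset of lines copied from the posted HijackThis log (constructed sample).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {EB29B81A-7351-4890-8BCE-58127C3545F9} (Mckntauth Control) - https://portal.smhp.health-partners.org/portal/applets/mckntauth.ocx
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HijackThis entry starts with a section code such as R0, O4 or O23.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
SECTION_RES = {
    "O2": re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"),
    "O4": re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"),
    "O16": re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"),
    "O23": re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$"),
}
# First drive-letter path ending in a binary extension, quoted or not.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]+?\.(?:exe|dll|sys|ocx))"?', re.I)
# A loader living directly in the Windows root rather than system32 or a vendor folder.
WINROOT_RE = re.compile(r"[A-Za-z]:\\windows\\[^\\]+", re.I)


@dataclass
class Entry:
    section: str
    body: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_log(text: str) -> List[Entry]:
    """Turn each 'Oxx - ...' line into an Entry; header and process-list lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        fields: Dict[str, str] = {}
        sec_re = SECTION_RES.get(section)
        if sec_re:
            sm = sec_re.match(body)
            if sm:
                fields = {k: v for k, v in sm.groupdict().items() if v is not None}
        entries.append(Entry(section, body, fields))
    return entries


def binary_path(entry: Entry) -> str:
    """Return the on-disk binary an entry loads, or '' when it names none."""
    target = entry.fields.get("cmd") or entry.fields.get("path") or ""
    m = PATH_RE.search(target)
    return m.group("path") if m else ""


def triage(text: str) -> List[Dict[str, str]]:
    """Apply the review heuristics and return one finding per hit."""
    findings: List[Dict[str, str]] = []
    for e in parse_log(text):
        if e.section == "O23" and e.fields.get("owner") == "Unknown owner":
            findings.append({"section": "O23", "item": e.fields["name"],
                             "reason": "service without a publisher string"})
        if e.section == "O2" and e.fields.get("name") == "(no name)":
            findings.append({"section": "O2", "item": e.fields["clsid"],
                             "reason": "BHO registered without a display name"})
        if e.section == "O16":
            findings.append({"section": "O16", "item": e.fields.get("url", e.body),
                             "reason": "ActiveX control downloaded from the web"})
        path = binary_path(e)
        if path and WINROOT_RE.fullmatch(path):
            findings.append({"section": e.section, "item": path,
                             "reason": "binary directly under the Windows root"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['reason']:<42} {f['item']}")
```

Run against the full posted log, the same code also flags csasvc.exe (C:\WINDOWS\csasvc.exe) for the same Windows-root reason; the thread's later logs show it to be the Creative Solutions accounting service, which is exactly why these are review items rather than detections.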

Download it again, delete the first download, rename the new download, then see if it will install.
If that will not work, download Malwarebytes to a CD from an uninfected computer, then run it on the infected computer.

Ok, it now hangs right at the end of the installation when it says "finishing installation".
I will be able to try the download to my flash drive tomorrow from a different computer.

I tried downloading from another computer onto a flash drive, but the same thing happens when I try to run it on the infected computer: it hangs on installation just like before.

Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool, so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
In your case, to run Combofix do the following:
1. Go offline, turn off your Norton antivirus, Spybot and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse; it will cause your system to hang.)
Please post the log it produces.

See if it will install in safe mode.
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Good news, I changed the name of the .exe for Malwarebytes and it worked. I am attaching the log.

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

11/13/2008 9:48:17 PM
mbam-log-2008-11-13 (21-48-17).txt

Scan type: Quick Scan
Objects scanned: 49702
Time elapsed: 8 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\TDSScfum.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSfxwp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSnrsr.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSofxh.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSriqp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSmaxt.sys (Rootkit.Agent) -> Delete on reboot.

Now try to run SDFix.
When you said change the name, exactly what file name did you rename? Malwarebytes must have installed but not run, so I'm assuming (bad idea) that you renamed C:\Program Files\Malwarebytes\mbam.exe.
If that is the case, you will probably need to rename SDFix.exe unless Malwarebytes killed the registry file blocking the .exe file.

Changed mbam.exe to m.exe.
No problem running SDfix.
Here is the log.

[b]SDFix: Version 1.240 [/b]
Run by Owner on Fri 11/14/2008 at 06:38 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Owner\Desktop\SDFix

[b]Checking Services [/b]:

[b]Name [/b]:
TDSSserv.sys

[b]Path [/b]:
\systemroot\system32\drivers\TDSSmaxt.sys

TDSSserv.sys - Deleted

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

[b]Checking Files [/b]:
Trojan Files Found:

C:\WINDOWS\system32\drivers\TDSSmaxt.sys - Deleted
C:\WINDOWS\system32\TDSSosvd.dat - Deleted
C:\WINDOWS\SYSTEM32\TDSSOSVD.dat - Deleted

Removing Temp Files

[b]ADS Check [/b]:

[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-14 10:02:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
[b]Remaining Services [/b]:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Support.com\\bin\\tgcmd.exe"="C:\\Program Files\\Support.com\\bin\\tgcmd.exe:*:Disabled:Support.com Scheduler and Command Dispatcher"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[b]Remaining Files [/b]:

File Backups: - C:\DOCUME~1\Owner\Desktop\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:
Fri 14 Nov 2008 15,289 A.SH. --- "C:\WINDOWS\system32\mmf.sys"
Fri 18 Jan 2008 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Fri 18 Jan 2008 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Sun 12 Mar 2006 0 ...H. --- "C:\Program Files\CPAReady\Content\BEC33\z100.tmp"
Sun 12 Mar 2006 0 ...H. --- "C:\Program Files\CPAReady\Content\BEC33\z101.tmp"
Sun 12 Mar 2006 0 ...H. --- "C:\Program Files\CPAReady\Content\BEC33\z102.tmp"
Sat 26 Aug 2006 0 ...H. --- "C:\Program Files\CPAReady\Content\FAR33\z152.tmp"
Sat 26 Aug 2006 0 ...H. --- "C:\Program Files\CPAReady\Content\FAR33\z153.tmp"
Sat 26 Aug 2006 0 ...H. --- "C:\Program Files\CPAReady\Content\FAR33\z154.tmp"
Sun 19 Aug 2007 0 ...H. --- "C:\Program Files\CPAReady\Content\FAR33\z2E.tmp"
Sun 19 Aug 2007 0 ...H. --- "C:\Program Files\CPAReady\Content\FAR33\z2F.tmp"
Sun 19 Aug 2007 0 ...H. --- "C:\Program Files\CPAReady\Content\FAR33\z30.tmp"
Thu 30 Jun 2005 0 ...H. --- "C:\Program Files\CPAReady\Content\REG33\z1BC.tmp"
Thu 30 Jun 2005 0 ...H. --- "C:\Program Files\CPAReady\Content\REG33\z1BD.tmp"
Thu 30 Jun 2005 0 ...H. --- "C:\Program Files\CPAReady\Content\REG33\z1BE.tmp"
Mon 6 Aug 2007 759 A.SHR --- "C:\Documents and Settings\All Users\Application Data\Owner\Ts Config\eeosclaglt.sys"
Mon 6 Aug 2007 760 A.SHR --- "C:\Documents and Settings\All Users\Application Data\Owner\Ts Config\uqrsptawot.sys"
Mon 6 Aug 2007 759 A.SHR --- "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Ts Config\MSeoaglges.dll"
Mon 6 Aug 2007 760 A.SHR --- "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Ts Config\MSqrawowqs.dll"

[b]Finished![/b]

Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool, so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
In your case, to run Combofix do the following:
1. Go offline, turn off your Norton antivirus, Spybot and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse; it will cause your system to hang.)
Please post the log it produces.

Here is the log.
ComboFix 08-11-14.01 - Owner 2008-11-16 6:55:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.211 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\FTPx.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.
2008-11-14 06:37 . 2008-11-14 06:37 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-14 06:30 . 2008-11-14 06:31 <DIR> d-------- c:\windows\ERUNT
2008-11-13 21:36 . 2008-11-13 21:36 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-11-11 23:22 . 2008-11-13 21:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-11 23:22 . 2008-11-11 23:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-11 23:22 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-11 23:22 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-11 21:10 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 21:10 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-06 09:47 . 2008-11-06 09:47 0 --a------ c:\windows\UTWAPP.INI
2008-11-06 08:47 . 2008-11-06 10:51 129 --a------ c:\windows\CSAAPP.INI
2008-11-06 08:34 . 2008-02-27 11:28 118,784 -ra------ c:\windows\csasvc.exe
2008-11-06 08:33 . 2008-02-27 11:28 11,264 -ra------ c:\windows\espurge.exe
2008-11-06 08:32 . 2008-11-06 08:34 <DIR> d-------- c:\program files\Common Files\Creative Solutions
2008-11-06 08:32 . 1999-04-13 00:00 1,234,704 --a------ c:\windows\system32\MSJT4JLT.DLL
2008-11-06 08:30 . 2000-11-01 15:21 29,696 --a------ c:\windows\system32\xmlinst.exe
2008-11-06 08:30 . 2001-07-30 10:40 24,576 --a------ c:\windows\system32\msxml3a.dll
2008-11-06 08:18 . 2008-11-06 09:44 <DIR> d-------- C:\WINCSI
2008-10-23 20:10 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 12:06 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-15 15:40 9,794 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-11-15 12:44 --------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org2
2008-11-15 12:43 15,289 --sha-w c:\windows\system32\mmf.sys
2008-11-08 21:35 --------- d-----w c:\program files\Second And Ten V6
2008-11-05 11:06 --------- d-----w c:\program files\Norton 360
2008-10-25 18:47 --------- d-----w c:\program files\GDS
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-07 10:12 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-01 12:01 348,160 ------w c:\windows\system32\msvcr71.dll
2008-08-31 11:04 60,800 ----a-w c:\windows\system32\S32EVNT1.DLL
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-01-14 12:39 17,408 ----a-w c:\program files\Sony HandheldCondHistory.xml
2005-11-02 00:33 9,035 ----a-w c:\program files\FBPARKSOLD
2005-06-24 23:04 11,625,575 ----a-w c:\program files\pmv4_ne.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.exe" [2002-09-13 212992]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2001-12-17 483394]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2001-11-07 1519616]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 188416]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-01 185896]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-01-25 61440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2006-11-21 800352]
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-10-27 2168360]
HotSync Manager.lnk - c:\program files\Sony Handheld\HOTSYNC.exe [2002-08-09 299008]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2000-08-06 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 CSAPrintService;Creative Solutions Accounting Print Service;c:\windows\csasvc.exe [2008-11-06 118784]
R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2005-05-17 2560]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-02-18 149352]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-12 23888]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2007-05-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]

2008-11-15 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.exe []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.espn.com/
mStart Page = hxxp://www.gatewaybiz.com

c:\windows\Downloaded Program Files\mckntauth.ocx - O16 -: {EB29B81A-7351-4890-8BCE-58127C3545F9}
hxxps://portal.smhp.health-partners.org/portal/applets/mckntauth.ocx
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 07:07:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
tgcmd = "c:\program files\Support.com\bin\tgcmd.exe" /server?cmd.exe" /server

scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-16 7:15:12
ComboFix-quarantined-files.txt 2008-11-16 12:14:59

Pre-Run: 33,604,702,208 bytes free
Post-Run: 33,837,862,912 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

171 --- E O F --- 2008-11-12 04:46:13

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Please run ESET's online scanner from this link:
1. Note: You will need to use Internet Explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the activex control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked (I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.

Here is the log.
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3615 (20081115)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=51c23b9418b27149ae6da1ad46075478
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-11-16 09:35:25
# local_time=2008-11-16 04:35:25 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=708251
# found=0
# scan_time=10353

Very good. A little quicker than before. No problems. Anything else to do? What do you suggest I can do to keep this from happening again?
Thank you for all of your help!

Your Java version should be 6 Update 10. I can't tell from your post. Go to start> control panel> java> update> update now> and let it update to the newest version.
You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster
Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.
