GeekPolice Tech Tutorials

AVP 2010: Managed to install malwarebytes but won't scan past 2 seconds

AVP 2010: Managed to install malwarebytes but won't scan past 2 seconds
Posted by brownie1212

Hi, I am in desperate need of help. My computer is infected with Antivirus Pro 2010, which seems to be disabling my internet connection and only seems to let me open Microsoft Word 2003 and not any other programs.

I managed to transfer the malwarebytes program to my infected computer. Installation seemed to be successful, but it cannot scan my computer. The scanner just disappears after scanning for 2 seconds. When I try to reopen the malwarebytes program by clicking on the start menu icon, an error message appears stating that I "do not have permission to access..." I have tried doing this in safe mode and normal mode but I still can't get malwarebytes to scan my computer. Please advise.

I am worried about my word documents. If I were to ask someone to reformat my computer, would I be able to back up the files so that not everything gets erased?

I don't know what to do to fix this.
Please advise asap. Thanks.

Last edited by brownie1212 on 2nd October 2009, 8:49 am; edited 2 times in total (Reason for editing : left out info)

Re: AVP 2010: Managed to install malwarebytes but won't scan past 2 seconds
Posted by DragonMaster Jay

Hi

Reformatting is probably not necessary. I can help you with programs that will help you back up all those necessary files, if that is the case. We should try to clean first, okay? :)

Please transfer this as well and attempt to use it as instructed.

Please download ComboFix by sUBs
Link 1: Forospyware.com or Link 2: BleepingComputer.com

Please save the file to your Desktop, but rename it first:

[screenshot: Cf1]
[screenshot: Cf2]

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.

After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:

[screenshot: Cf4]
[screenshot: Cf5]

  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.


Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and rename
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of important system processes such as iexplore.exe, explorer.exe, and winlogon.exe.

Re: AVP 2010: Managed to install malwarebytes but won't scan past 2 seconds
Posted by brownie1212

Hi, is the GeekPolice forum undergoing maintenance at this time? There are boxes with "x" where the graphics should be. For example, I cannot make out what to "rename combofix.exe" to in your previous reply...?


Last edited by brownie1212 on 2nd October 2009, 4:45 pm; edited 1 time in total (Reason for editing : typo)

How do I get combofix onto infected computer?? HELP
Posted by brownie1212

Please help! I'm at my wit's end here. Thanks in advance for your advice!

I am SOOO close to just chucking my infected computer out my window. For some reason, the graphics on this site do not seem to be loading properly for me (on my GOOD computer) and I have a red "x" where icons should appear.
I have the Antivirus Pro 2010 AND Windows Police programs on the infected desktop. I tried running the computer in safe mode and backing up my important files on my flash drive. Of course, now I don't know if the malware/virus programs have latched onto the files I am trying to save.

Neither Explorer nor Firefox would connect, so I don't have the option of downloading combofix off the site. Also, now that I have crammed up my flash drive with saved files, I cannot risk opening the files on my one good computer and contaminating it as well. Therefore, I don't even know HOW to install combofix onto the infected computer.

I really don't want to have to erase everything off my hard drive but I'm also scared that my privacy will be compromised (or has been); I have several resumes saved on my C drive. Don't know what to do. Should I just reformat the whole thing?








can access firefox but how do I get combofix to work?
Posted by brownie1212

Hi again,

For some reason, now I can access Firefox in Safe Mode with Networking. I tried to install combofix from the links but it doesn't give me the option of renaming. I only had the option of SAVE FILE and the file name is ComboFix.exe. After downloading, it does not run.

It gives me this message: "ComboFix.exe is an executable file...Use caution when opening this file. Are you sure you want to launch ComboFix.exe?" I press "OK" and another window comes up with the option to "RUN." Again, it does not give me the option of renaming combofix.

I can access TASK MANAGER as well. Earlier, "Windows Police" appeared in the Processes tab and I clicked "End Process" and it came off the list. Even though I only have firefox.exe running at the moment, there are a number of different "Image Names" under the Processes tab.

It looks like so:

svchost.exe Local Service 00 3,552 K
firefox.exe Administrator 00 61,292K
svchost.exe NETWORK SERVICE 00 6,008 K
svchost.exe SYSTEM 00 14,104 k
taskmgr.exe Administrator 01 4,328 K
svchost.exe NETWORK SERVICE 00 4,932 K
svchost.exe SYSTEM 00 10,996 k
lsass.exe SYSTEM 00 2,616 K
services.exe SYSTEM 00 4,208 K
winlogon.exe SYSTEM 00 1,180 K
csrss.exe SYSTEM 00 3,288 K
smss.exe SYSTEM 00 400 k
System SYSTEM 00 276 k
System Idle Process SYSTEM 99 16 K

What to do?





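The process listing in the post above can be triaged mechanically. The following Python script is an added example, not code from this thread or from ComboFix, Malwarebytes or exeHelper. It parses lines in the format brownie1212 pasted and applies two defender checks: a core Windows image name (svchost.exe, lsass.exe, winlogon.exe and so on) running under an interactive account instead of SYSTEM, LOCAL SERVICE or NETWORK SERVICE, which rogue programs commonly do to blend in; and an image name outside a small baseline of expected XP processes. The baseline, the account sets and the two extra sample lines at the end of the listing (including the placeholder name unknownprog.exe) are constructed assumptions for illustration, not indicators from the page.

```python
"""Added example: triage a pasted Task Manager process listing.

Not code from the thread or from any tool it mentions.  The account sets,
the image-name baseline and the sample lines are assumptions for illustration.
"""

# Constructed sample listing in the posted format ("image user cpu mem K"):
# the posted lines plus two constructed suspicious entries at the end.
# unknownprog.exe is a placeholder name, not a real indicator.
SAMPLE_LISTING = """\
svchost.exe Local Service 00 3,552 K
firefox.exe Administrator 00 61,292K
svchost.exe NETWORK SERVICE 00 6,008 K
svchost.exe SYSTEM 00 14,104 k
taskmgr.exe Administrator 01 4,328 K
lsass.exe SYSTEM 00 2,616 K
services.exe SYSTEM 00 4,208 K
winlogon.exe SYSTEM 00 1,180 K
csrss.exe SYSTEM 00 3,288 K
smss.exe SYSTEM 00 400 k
System SYSTEM 00 276 k
System Idle Process SYSTEM 99 16 K
svchost.exe Administrator 00 5,120 K
unknownprog.exe Administrator 02 8,204 K
"""

# Assumed sets (illustrative; not a complete model of Windows XP).
SERVICE_ACCOUNTS = {"system", "local service", "network service"}
TWO_WORD_ACCOUNTS = {"local service", "network service"}
CORE_SYSTEM_IMAGES = {
    "system idle process", "system", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe",
}
BASELINE_USER_IMAGES = {"explorer.exe", "taskmgr.exe", "firefox.exe", "iexplore.exe"}

REASON_CORE_AS_USER = "core system image name running under a non-service account"
REASON_NOT_BASELINE = "image name not in the expected-process baseline"


def parse_line(line):
    """Parse one listing line into (image, user, cpu, mem_kb).

    Image and account names may contain spaces, so the line is read from
    the right: memory (with an optional attached K), CPU, then the account.
    """
    tokens = line.split()
    if tokens[-1].lower() == "k":
        mem_token, rest = tokens[-2], tokens[:-2]
    else:
        mem_token, rest = tokens[-1][:-1], tokens[:-1]   # "61,292K" form
    mem_kb = int(mem_token.replace(",", ""))
    cpu = int(rest[-1])
    rest = rest[:-1]
    if len(rest) >= 3 and " ".join(rest[-2:]).lower() in TWO_WORD_ACCOUNTS:
        user, image_tokens = " ".join(rest[-2:]), rest[:-2]
    else:
        user, image_tokens = rest[-1], rest[:-1]
    return " ".join(image_tokens), user, cpu, mem_kb


def parse_listing(text):
    """Parse every non-empty line of a pasted listing."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def triage(text):
    """Return a list of findings, each a dict with image, user and reason."""
    findings = []
    for image, user, _cpu, _mem_kb in parse_listing(text):
        name = image.lower()
        if name in CORE_SYSTEM_IMAGES and user.lower() not in SERVICE_ACCOUNTS:
            findings.append({"image": image, "user": user, "reason": REASON_CORE_AS_USER})
        elif name not in CORE_SYSTEM_IMAGES and name not in BASELINE_USER_IMAGES:
            findings.append({"image": image, "user": user, "reason": REASON_NOT_BASELINE})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LISTING):
        print(f"{f['image']:<24} {f['user']:<16} {f['reason']}")
```

The check works on name and account only, so it is a triage aid rather than a verdict: a legitimately renamed removal tool (the helper's own advice to run ComboFix as svchost.exe, for instance) would trip the first rule just as a rogue program would. The practitioner's next step for each finding is to confirm the image path on disk, which Task Manager on XP does not show.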
Re: AVP 2010: Managed to install malwarebytes but won't scan past 2 seconds
Posted by DragonMaster Jay

Hi

Go ahead and run ComboFix as downloaded. That will be fine.

Antivirus Pro 2010 & Windows Police malware affected
Posted by brownie1212

Hi,

I tried to run combofix as combofix.exe and it asks me to install. After agreeing, the window just disappears and nothing happens.






Re: AVP 2010: Managed to install malwarebytes but won't scan past 2 seconds
Posted by DragonMaster Jay

Hi

Please download exeHelper

  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (it will be created in the directory where you ran exeHelper.com).
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Re: AVP 2010: Managed to install malwarebytes but won't scan past 2 seconds
Posted by brownie1212

Hi,
I downloaded exeHelper.com. The next window was "Open executable file?" I clicked OK. Another window opens: "The publisher could not be verified. Are you sure you want to run this software?" I click RUN. A black box DOES APPEAR but then it disappears within a second. I go to MY DOCUMENTS, where I downloaded exeHelper, and I do not see a log.txt file. I do see the application exeHelper. It says the document type is MS-DOS Application. I opened it in MS WORD but the characters are nonsense symbols! Why can't I run these programs properly??




found this file in WORD!
Posted by brownie1212

This Word document, "BUG", was saved onto my C drive. I do not know how it got there. I'm posting the contents of the doc.


PUSHD "C:\32788R22FWJFW"

SET "Comspec=C:\WINDOWS\system32\cmd.execf"

IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT

VER 1>OsVer

GREP.cfxxe -F "5.1.2" OsVer 1>XP.mac

IF 0 == 0 GOTO NT
'SWXCACLS' is not recognized as an internal or external command,
operable program or batch file.

GREP.cfxxe -isq "ProductType.*WinNT" WinNT00 || GOTO Not_NT

SET "Ver_CF=09-10-01.05"

IF NOT EXIST NircmdB.exe COPY /Y Nircmd.cfxxe NircmdB.exe
1 file(s) copied.

PEV UZIP License\pv_5_2_2.zip .\

MOVE /Y PV.exe PV.cfxxe

IF NOT EXIST PEV.cfxxe COPY /Y PEV.exe PEV.cfxxe
1 file(s) copied.

SED "/^PATH=/I!d; s///; s/\x22//g" Oripath 1>OriPath00

PEV -rtf -s+901 .\OriPath00 && (
SED -r "s/\x22//g; s/(.{900}).*/\1/; s/;[^;]*$//" OriPath00 1>OriPath01
FOR /F "TOKENS=*" %G IN (OriPath01) DO @SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"
)

IF NOT EXIST OriPath01 FOR /F "TOKENS=*" %G IN (OriPath00) DO SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"

SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Microsoft Office\OFFICE11\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\"
Killing 'runonce.exe'
Killing 'grpconv.exe'
Killing 'procmon.exe'
Killing 'ANDRE.EXE'
Killing 'TOLO.exe'
Killing 'Merlin.scr'
Killing 'jalang.exe'
Killing 'jalangkung.exe'
Killing 'jantungan.exe'
Killing 'DOSEN.exe'
Killing 'C3W3K4MPUS.exe'
pv: No matching processes found

PEV -rtf --c:##5# .\* and { License.exe or 32788R22FWJFW.exe or OsVer.exe or WinNT.exe or N_.exe } 1>temp00 && (
PV -o%f * 1>temp01
PEV -tf -t!o --files:temp01 --c:##5#b#f# 1>temp02
GREP -Fif temp00 temp02 1>temp03
SED "/.* /!d; s///" temp03 1>temp04
SED ":a; $!N; s/\n/\x22 \x22/; ta; s/.*/\x22&\x22/" temp04 1>temp05
FOR /F "TOKENS=*" %G IN (temp05) DO @NIRCMD KILLPROCESS %G
)
Active code page: 1252
Could Not Find C:\32788R22FWJFW\AbortB

CALL :MDCheck
Could Not Find C:\32788R22FWJFW\md5sum00.pif

PEV -rtf -md5979B230F49C5822DE12A7FF1C7088151 .\md5sum.pif || CALL :MDFaiL ChkSum_Fail
.\md5sum.pif

PEV -tf --files:files.pif --c:##5#b#f# 1>mdCheck00.dat

GREP -vs "^!MD5:" mdCheck00.dat 1>mdCheck0a.dat

GREP -Fvf md5sum.pif mdCheck0a.dat 1>mdCheck01.dat && CALL :MDFaiL

GOTO :EOF

=============================================

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
cfExt=cfxxe
CFLDR=32788R22FWJFW
Chksum=979B230F49C5822DE12A7FF1C7088151
CLIENTNAME=Console
Command switches used=Command switches used
CommonProgramFiles=C:\Program Files\Common Files
Completion time=Completion time
COMPUTERNAME=CAT
ComSpec=C:\WINDOWS\system32\cmd.execf
Connecting to=Connecting to
Connecting to ComboFix servers=Connecting to ComboFix servers
Cryptography Services Error=Cryptography Services Error
Disclaimer=The following websites are not in any way affiliated to ComboFix:~n~n http://www.combofix.org/~n http://www.combofixdownload.com/~n~nIf you have purchased anything from them, I suggest you instruct your~nfinanciers to cancel the transaction.~n~n ----------------------- -----------------------~n~nA guide on proper ComboFix usage may be found at:~nhttp://www.bleepingcomputer.com/combofix/how-to-use-combofix~n~nComboFix is meant for private use. It should never be used in an~nunsupervised environment. If infections are found, it will automatically~nreboot the machine to complete the removal process. Please ensure all~nopened windows are closed before proceeding.~n~nThis software is provided 'as is', without warranty of any kind. All~nimplied warranties are expressly disclaimed. If you do not agree to the~nabove terms, please click No to exit" "DISCLAIMER OF WARRANTY ON SOFTWARE.
DLLs Loaded Under Running Processes=DLLs Loaded Under Running Processes
Drivers/Services=Drivers/Services
Fail2Delete=failed to delete
File Associations=File Associations
File Replicators=File Replicators
Files Infected - Patched=Files Infected - Patched
FIREFOX POLICIES=FIREFOX POLICIES
FP_NO_HOST_CHECK=NO
hȋdden files=hȋdden files
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
is infected=is infected
is missing=is missing
KMD=CF1641.exe
LANG_CF=EN
Line1=Please wait.
Line10=ComboFix has detected the presence of rootkit activity and needs to reboot the machine~nKindly note down on paper, the name of each file. We may need it later~n~n%~G" "Rootkit !!
Line10A=ComboFix has detected the presence of rootkit activity and needs to reboot the machine" "Rootkit !!
Line11=Scanning for infected files . . .
Line12=This typically doesn't take more than 10 minutes
Line13=However, scan times for badly infected machines may easily double
Line14=%G ...... driver unloaded successfully.
Line15=Rootkit driver %G is still present. A rootkit scan is required
Line16=ComboFix has changed your clock settings.
Line17=Do not change it back. It shall be restored later
Line18=ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
Line19=to: http://www.bleepingcomputer.com/submit-malware.php?channel=4
Line2=ComboFix is preparing to run.
Line20=Preparing Log Report.
Line21=Do not run any programs until ComboFix has finished
Line22=No new files created in this timespan
Line23=*Note* empty entries ^& legit default entries are not shown
Line24=Contents of the 'Scheduled Tasks' folder
Line25=Almost done . . This window will close in a short while
Line26=Please wait a few seconds for the report log to pop up
Line27=ComboFix's log shall be located at C:\COMBOFIX.TXT
Line28=Rebooting Windows . . . Please wait
Line29=Please allow ComboFix to reboot the machine.
Line3=You need Administrative privileges to run this tool" "Not Admin !!
Line30=Overlay aborted ... Please run ComboFix once more
Line31=Date Error: ~%CurrDate.yyyy-MM-dd%~n~nCheck your settings" "DATE ERROR
Line32=C:\WINDOWS\system32\HAL.DLL is missing !!~n~nIt's IMPORTANT that you DO NOT reboot/shutdown the machine~n~nPost to the forums for immediate help. Do not click OK until further instructed" "CRITICAL WARNING !!
Line33=ComboFix needs to submit malware files for further analysis.~n~nPlease ensure that you're connected to the internet before clicking OK" "Submit Files for further analysis
Line34=Submit malware to Bleeping Computer for analysis.
Line35=Copy/Paste the filepath below into the box above and click Send.
Line36=Infected copy of %~1 was found and disinfected
Line36A=Restored copy from - %~2
Line37=%~1 . . . is infected!!
Line38=((((((((((((((((((((((((( Files Created from %thirty% to %dateX% )))))))))))))))))))))))))))))))
Line39=(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
Line4=C:\WINDOWS\regedit.exe is missing~n~nCopy one from another machine" "Terminal Error - Missing file
Line40=Webserver appears to be temporarily inaccessible.~nFor your convenience, ComboFix created a submissions form located at:~n~n* C:\CF-Submit.htm~n~nPlease use that to manually upload it later. " "Upload Failed!!
Line41=((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
Line42=((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
Line43=Deleting Files:
Line43A=Deleting Folders:
Line44=- REDUCED FUNCTIONALITY MODE -
Line45=SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
Line46=scanning hȋdden processes ...
Line47=scanning hȋdden autostart entries ...
Line48=scanning hȋdden files ...
Line49=-- Snapshot reset to current date --
Line5=Current date is ~%CurrDate.yyyy-MM-dd%. ComboFix has expired~n~nClick 'Yes' to run in REDUCED FUNCTIONALITY mode~n~nClick 'No' to exit" "Version_%ver_CF%
Line50=ComboFix is uninstalled" "Info
Line51=Will only install the Recovery Console for Windows XP
Line52=Boot Partition cannot be enumerated correctly
Line53=%BootDir%Boot.ini is not correctly formated
Line54=This machine already has the Recovery Console installed.~n~nAborting operations
Line55=Please click 'YES' in the End User License Agreement (EULA) dialog that follows ..." "Installing the Recovery Console
Line56=Installation file - %~G - cannot be found
Line57=You didn't select YES~n~nInstallation is aborted
Line58=Contents of %BootDir%cmdcons are not in order.~n~nPlease disable your security programs before trying again
Line59=Congratulations!!! The Microsoft Recovery Console was successfully installed.~n~nOn each restart of the machine, a black screen will offer you the option to boot into recovery console mode.~nFor normal use, just ignore the black screen. Windows shall boot normally in 2 seconds~n~nClick 'Yes' to continue scanning for malware" "Info
Line6=Were you trying to run CFScript?~n~nThe name, CFScript appears to be incorrectly spelt" "CFScript Name Error
Line60=Click 'Yes' to continue scanning for malware~n~nClick 'No' to exit" "What's next ?
Line62=There's a newer version of ComboFix available.~n~nWould you like to update ComboFix?" "Update
Line63=--- WARNING !! ---~n~nA critical update is required.~n~nComboFix shall now update itself.~n~n--- WARNING !! ---" "Mandatory Update
Line64=Failed to download updated copy.~n~nWill continue with existing copy" "Failed Download
Line65=ComboFix shall now restart" "Updated
Line66=Interference detected~n~nPlease perform a Rootkit Scan" "Abort!
Line67=You cannot rename ComboFix as %FileName%~n~nPlease use another name, preferbaly made up of alphanumeric characters
Line68=%cd% not in expected location~n~n Inform sUBs now!!
Line69=ComboFix effected repairs on missing C:\WINDOWS\system32\hal.dll
Line7=Attempting to create a new System Restore point
Line70=This machine does not have the 'Microsoft Windows recovery console' installed~n~nWithout it, ComboFix shall not attempt the fixing of some serious infections.~n~nClick 'Yes' to have ComboFix download/install it.~n~nNOTE: this requires an active internet connection." "Microsoft Windows Recovery Console
Line71=Click 'Yes' if this is a WINDOWS XP *HOME EDITION* machine" "XP Home Edition
Line72=Failed to download required files. Aborting ... ~n~nShall continue scanning for malware
Line73=Internal error! Failed to enumerate download path. ~n~nAborting ... Shall continue scanning for malware
Line74=You do not appear to be connected to the internet. Kindly connect before clicking 'OK'
Line75=The following files were trying to attach to ComboFix. They shall be disabled~nKindly note down on paper, the name of each file. We may need it later~n~n%~G" "Parasites found !!
Line76=ComboFix has detected the following real time scanner(s) to be active:~n~n%G~n~nAntivirus and intrusion prevention programs are known to interfere~nwith ComboFix's running. This may lead to unpredictable results or~npossible machine damage.~n~nPlease disable these scanners before clicking 'OK'." "Warning !!
Line77=%G~n~nThe above real time scanner(s) are still active but ComboFix shall~ncontinue to run. Kindly note that this is at your own risk" "Warning !!
Line78=%~1 was missing
Line79=%~1 . . . is missing!!
Line8=Rich text formats (RTF) are unacceptable !!~n~nPlease save CFScript commands as a textfile, using Notepad.exe" "ERROR - Script format is incorrect
Line80=!! ALERT !! It is NOT SAFE to continue!~n~nThe contents of the ComboFix package has been compromised.~nPlease download a fresh copy from:~n~nhttp://www.bleepingcomputer.com/combofix/how-to-use-combofix~n~nNote: You may be infected with a file patching virus 'Virut'" "Error
Line81=ComboFix's script appears tampered. It is not safe to continue.~nComboFix shall now exit. Please inform the forum helper that's aiding~nyou. Unless further instructed to do so, do not run ComboFix again." "Failed Verification
Line82=Webserver appears to be temporarily inaccessible.~nFor your convenience, a zipped file has been created at:~n~nC:\CFCollect.zip~n~nPlease upload the file to BleepingComputer~n~nDo not forget to fill in the 'Comments' section" "Upload Failed!!
Line83=NETSVCS REQUIRES REPAIRS - current entries shown
Line84=http://download.bleepingcomputer.com/sUBs/ComboFix.exe~nhttp://www.forospyware.com/sUBs/ComboFix.exe~n~nComboFix.exe may be downloaded from any of the above sites. If you~nhave downloaded from some other site, there's a likely chance that it~nmay be tainted. For peace of mind, I suggest that you delete the current~ncopy and get a fresh one." "Caution
Line85=Manual Fix is required for restoring CommonStartup
Line9=Rootkit driver %G is present. ... attempting disinfection
Line90=ComboFix needs to perform a deeper scan
Line91=This should not take more than 10-15 minutes
Line92=Infected HTML files detected.
Line93=ComboFix will now attempt to disinfect
Line94=This is going to take some time
Line95=Disinfection complete !!! ... continuing Log Report preparation
Line96=Recovery in Progress . . .
Line97=WARNING !! Do not manually reboot the machine yourself
LOCKED REGISTRY KEYS=LOCKED REGISTRY KEYS
LOGONSERVER=\\CAT
machine was rebooted=machine was rebooted
not completed=not completed
NUMBER_OF_PROCESSORS=2
ORPHANS REMOVED=ORPHANS REMOVED
OS=Windows_NT
Other Running Processes=Other Running Processes
Other Services/Drivers In Memory=Other Services/Drivers In Memory
Path=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Microsoft Office\OFFICE11\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\
PATHEXT=.cfxxe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
Possible infected sites=Possible infected sites
Post-Run=Post-Run
Pre-Run=Pre-Run
Previous Run=Previous Run
PROCESS=PROCESS
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$
Qrntn=C:\Qoobox\Quarantine
RecoveryConsole=WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
Resident AV is active=Resident AV is active
RestorePoint= * Created a new restore point
RKEY_=hklm\software\microsoft\windows nt\currentversion\windows
Running from=Running from
SAFEBOOT_OPTION=MINIMAL
scan completed successfully=scan completed successfully
SESSIONNAME=Console
sfxcmd="G:\ComboFix.exe"
sfxname=G:\ComboFix.exe
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
Stage=Completed Stage_
Supplementary Scan=Supplementary Scan
SYSTEM=C:\WINDOWS\system32
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
The following files were disabled during the run=The following files were disabled during the run
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
Upload was successful=Upload was successful
Uploading files to server=Uploading files to server
USERDOMAIN=CAT
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
Ver_CF=09-10-01.05
WecVersionForRosebud.518=2
windir=C:\WINDOWS

=============================================


IF NOT DEFINED sfxname GOTO END

GREP -F \ temp01 && CALL :Aux

GREP -Fi "C:\WINDOWS\system32\userinit.exe" Userinit00 || (SWREG ADD "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit /d "C:\WINDOWS\system32\userinit.exe," )
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

SET SfxCmd 1>SET00

SED -r "/SfxCmd=/I!d; s///; s/\s*$//; s/^(\x22[^\x22]*\x22|[^\x22]\S*) +//; s/^\x22*G:\\ComboFix.exe\x22*//I; s/^([^\x22]\S*)/@SET SfxCmd=\x22\1\x22/; s/^(\x22.*)/@SET SfxCmd=\1/" SET00 1>sfx.cmd

DEL /A/F SET00

ATTRIB +R "G:\ComboFix.exe"

CALL sfx.cmd

CALL AV.cmd

SET /a AVCount+=1

NIRCMD EXEC HIDE PV -d9000 -kf CSCRIPT.EXE

CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs

PV -kf CSCRIPT.exe PV.*
Killing 'CSCRIPT.exe'
Killing 'PV.*'

IF NOT EXIST AvBlack00 GREP -Fsf AVBlack resident.txt 1>AvBlack00 && (
SED -r "s/\x22//g; s/.*\) //; s/.*(\{.{8}-.{4}-.{4}-.{4}-.{12}\}).*/\1/" AvBlack00 1>AvBlack01
FOR /F "TOKENS=*" %G IN (AvBlack01) DO @CSCRIPT.EXE //NOLOGO //E:VBSCRIPT //T:5 wmi_rem.vbs "%~G"
NIRCMD EXEC HIDE PV -d6000 -kf CSCRIPT.EXE
CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs
PV -kf CSCRIPT.exe PV.*
)

GREP -Fivf AVWhite resident.txt | GREP -E "^(AV|SP): .*enabled\* \(" 1>AVChk && (
SED -r "s/^AV:/antivirus: /; s/^SP:/antispyware: /; s/ \*(On-access scanning |)enabled\*.*//" AVChk | SED ":a; $!N;s/\n/~n/;ta" 1>AVChkB
NIRCMD LOOP 2 80 BEEP 3000 200
IF 1 LEQ 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "ComboFix has detected the following real time scanner(s) to be active:~n~n%G~n~nAntivirus and intrusion prevention programs are known to interfere~nwith ComboFix's running. This may lead to unpredictable results or~npossible machine damage.~n~nPlease disable these scanners before clicking 'OK'." "Warning !!" "" && GOTO Av-check
IF 1 GTR 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "%G~n~nThe above real time scanner(s) are still active but ComboFix shall~ncontinue to run. Kindly note that this is at your own risk" "Warning !!" ""
)





DragonMaster Jay wrote:
Hi

Please download exeHelper

  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Re: AVP 2010:Managed to install malwarebytes but won't scan past 2 seconds

Hi

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Please run ComboFix as noted above.

Re: AVP 2010:Managed to install malwarebytes but won't scan past 2 seconds

I keep getting the warning: ComboFix has detected the following real time scanners to be active:
Symantec Antivirus Corporate Edition. Please disable these scanners before clicking OK.

Problem is, I cannot access Symantec. I click on the icon and nothing happens. Should I just run ComboFix as is, even if Symantec is on, because I cannot access Symantec to disable it?


DragonMaster Jay wrote:
Hi

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Please run ComboFix as noted above.

Re: AVP 2010:Managed to install malwarebytes but won't scan past 2 seconds

Yes. ComboFix will disable it anyway. Please go ahead.

Re: AVP 2010:Managed to install malwarebytes but won't scan past 2 seconds

ComboFix 09-10-01.05 - Administrator 10/04/2009 8:06.1.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.839 [GMT -4:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\services.exe
c:\documents and settings\All Users\Application Data\buji.bin
c:\documents and settings\All Users\Application Data\dikiqekyde.reg
c:\documents and settings\All Users\Application Data\kylumyqo._sy
c:\documents and settings\All Users\Application Data\tece._dl
c:\documents and settings\All Users\Application Data\tecezibax.pif
c:\documents and settings\All Users\Application Data\yfyfoj.exe
c:\documents and settings\All Users\Documents\atymu.dl
c:\documents and settings\All Users\Documents\sahukyc.scr
c:\documents and settings\Catherine\Application Data\elixodyg.scr
c:\documents and settings\Catherine\Application Data\igynahe.pif
c:\documents and settings\Catherine\Application Data\jakycakoka.dl
c:\documents and settings\Catherine\Application Data\lizkavd.exe
c:\documents and settings\Catherine\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Catherine\Application Data\noha.bin
c:\documents and settings\Catherine\Application Data\seres.exe
c:\documents and settings\Catherine\Application Data\svcst.exe
c:\documents and settings\Catherine\Cookies\akyb._dl
c:\documents and settings\Catherine\Cookies\famafu.lib
c:\documents and settings\Catherine\Cookies\idyxo.scr
c:\documents and settings\Catherine\Cookies\ilesi.vbs
c:\documents and settings\Catherine\Cookies\jogulero.dl
c:\documents and settings\Catherine\Cookies\jorenuluh._dl
c:\documents and settings\Catherine\Cookies\liboge.ban
c:\documents and settings\Catherine\Cookies\omulaxita.db
c:\documents and settings\Catherine\Cookies\suhonicufu.db
c:\documents and settings\Catherine\Desktop\AntivirusPro_2010.lnk
c:\documents and settings\Catherine\Local Settings\Application Data\ohiki.pif
c:\documents and settings\Catherine\Local Settings\Application Data\zyhi.dll
c:\documents and settings\Catherine\Local Settings\Temporary Internet Files\ivop.db
c:\documents and settings\Catherine\Local Settings\Temporary Internet Files\letisavuj._sy
c:\documents and settings\Catherine\Local Settings\Temporary Internet Files\yrok.reg
c:\documents and settings\Catherine\My Documents\winlogon.exe
c:\documents and settings\Catherine\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Catherine\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Catherine\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Malwarebytes' Anti-Malware\mbam.exe
c:\documents and settings\prg22\mbam.exe
C:\p2hhr.bat
c:\program files\Common Files\sywe.bat
c:\program files\Common Files\zuby.ban
c:\windows\afemuroc.bin
c:\windows\Downloaded Program Files\webinst.dll
c:\windows\gike.ban
c:\windows\hujumibi.bat
c:\windows\hyxub.pif
c:\windows\Installer\1d481.msp
c:\windows\msa.exe
c:\windows\msb.exe
c:\windows\muwosik._dl
c:\windows\qamuvy.bat
c:\windows\sejuz.reg
c:\windows\svchast.exe
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\cilyjysaz.vbs
c:\windows\system32\critical_warning.html
c:\windows\system32\drivers\gasfkyncaeseee.sys
c:\windows\system32\drivers\gasfkyqxtabvti.sys
c:\windows\system32\gasfkyaaukocsy.dll
c:\windows\system32\gasfkyhtavyxuw.dll
c:\windows\system32\gasfkyjnquujcn.dll
c:\windows\system32\gasfkykbggkfci.dat
c:\windows\system32\gasfkykhmtsoul.dat
c:\windows\system32\gasfkypjoymwte.dll
c:\windows\system32\gasfkyupobonmp.dat
c:\windows\system32\junefare.exe
c:\windows\system32\junovedo.dll
c:\windows\system32\kenamezi.dll
c:\windows\system32\kolubagu.exe
c:\windows\system32\monekuho.dll
c:\windows\system32\muwatibi.dll
c:\windows\system32\newuwiyo.dll
c:\windows\system32\pimimoso.dll
c:\windows\system32\rilonake.dll
c:\windows\system32\sejutedi.dll
c:\windows\system32\sysnet.dat
c:\windows\system32\tipifipo.exe
c:\windows\system32\tycisela.sys
c:\windows\system32\wafiguvu.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wutivoba.exe
c:\windows\system32\zasezara.exe
c:\windows\system32\zzkgj2.dll
c:\windows\weryjakad.ban
c:\windows\ymahu.dl
c:\windows\ymaqaje.vbs
D:\Autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyohpxmpnu
-------\Legacy_gasfkyohpxmpnu
-------\Legacy_IPRIP
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_Iprip
-------\Legacy_AntiPol
-------\Service_AntiPol


((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-10-04 12:12 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-04 00:51 . 2009-10-04 01:47 -------- d--h--w- c:\windows\PIF
2009-10-04 00:39 . 2009-10-04 00:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\5418712380
2009-10-03 05:33 . 2009-10-03 05:33 58 ----a-w- c:\windows\wf4.dat
2009-10-03 05:33 . 2009-10-03 05:33 1 ----a-w- c:\windows\wf3.dat
2009-10-03 05:33 . 2009-10-03 05:33 553472 ----a-w- c:\windows\system32\pump.exe
2009-10-03 05:33 . 2009-10-03 05:33 658944 ----a-w- c:\windows\system32\plugie.dll
2009-10-03 05:10 . 2009-09-10 18:54 269648 ----a-w- c:\documents and settings\prg22\mbamservice.exe
2009-10-03 05:10 . 2009-09-10 18:54 420176 ----a-w- c:\documents and settings\prg22\mbamgui.exe
2009-10-03 05:10 . 2009-09-10 18:54 79696 ----a-w- c:\documents and settings\prg22\zlib.dll
2009-10-03 05:10 . 2009-09-10 18:54 46416 ----a-w- c:\documents and settings\prg22\ssubtmr6.dll
2009-10-03 05:10 . 2009-09-10 18:53 70992 ----a-w- c:\documents and settings\prg22\mbamext.dll
2009-10-03 05:10 . 2009-10-03 05:10 -------- d-----w- c:\documents and settings\prg22\Languages
2009-10-03 05:10 . 2009-10-04 12:12 -------- d-----w- c:\documents and settings\prg22
2009-10-03 05:10 . 2009-10-03 05:10 9165 ----a-w- c:\documents and settings\prg22\unins000.dat
2009-10-03 05:10 . 2009-10-03 05:08 699216 ----a-w- c:\documents and settings\prg22\unins000.exe
2009-10-03 05:10 . 2009-09-10 18:53 163664 ----a-w- c:\documents and settings\prg22\mbam.dll
2009-10-02 20:49 . 2009-10-04 01:27 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-02 20:47 . 2009-10-02 20:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-02 08:17 . 2009-09-10 18:54 269648 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\mbamservice.exe
2009-10-02 08:17 . 2009-09-10 18:54 420176 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\mbamgui.exe
2009-10-02 08:17 . 2009-09-10 18:54 79696 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\zlib.dll
2009-10-02 08:17 . 2009-09-10 18:54 46416 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\ssubtmr6.dll
2009-10-02 08:17 . 2009-09-10 18:53 70992 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\mbamext.dll
2009-10-02 08:17 . 2009-10-02 20:46 -------- d-----w- c:\documents and settings\Malwarebytes' Anti-Malware\Languages
2009-10-02 08:17 . 2009-10-04 12:12 -------- d-----w- c:\documents and settings\Malwarebytes' Anti-Malware
2009-10-02 08:17 . 2009-10-02 20:47 21037 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\unins000.dat
2009-10-02 08:17 . 2009-10-02 20:46 699216 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\unins000.exe
2009-10-02 08:17 . 2009-09-10 18:53 163664 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\mbam.dll
2009-10-02 07:40 . 2009-10-02 07:40 -------- d-----w- c:\documents and settings\Catherine\Application Data\Malwarebytes
2009-10-02 07:40 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-02 07:40 . 2009-10-02 07:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-02 07:40 . 2009-10-02 07:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-02 07:40 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-02 07:08 . 2009-10-02 07:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-10-02 03:10 . 2009-10-02 03:10 -------- d-----w- c:\documents and settings\Catherine\Application Data\7925498587
2009-10-02 03:01 . 2009-10-04 12:16 82944 ----a-w- c:\windows\system32\drivers\e2aede76.sys
2009-10-02 02:59 . 2009-10-04 11:46 0 ----a-r- c:\windows\win32k.sys
2009-10-02 02:58 . 2009-10-02 02:58 17920 ----a-w- C:\qgferewy.exe
2009-10-02 02:58 . 2009-10-02 02:58 45568 ----a-w- C:\hrngen.exe
2009-10-02 02:58 . 2009-10-02 02:58 201200 ----a-w- C:\prdfjhha.exe
2009-09-09 17:17 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 19:55 . 2009-07-02 19:53 38912 --sha-w- c:\windows\system32\biluguki.dll
2009-10-02 19:53 . 2009-07-02 19:53 52736 --sha-w- c:\windows\system32\vuwupajo.dll
2009-10-02 06:05 . 2009-10-02 06:05 17814 ----a-w- c:\documents and settings\Catherine\Application Data\ojikoxun.dat
2009-10-02 03:05 . 2006-12-14 22:10 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-10 08:46 . 2009-08-22 02:02 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-23 08:01 . 2006-07-19 23:20 50288 ----a-w- c:\documents and settings\Catherine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 07:10 . 2009-08-23 07:10 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-14 18:17 . 2007-12-31 15:13 -------- d-----w- c:\documents and settings\Catherine\Application Data\Printer Info Cache
2009-08-14 18:17 . 2007-12-31 15:13 -------- d-----w- c:\documents and settings\Catherine\Application Data\Image Zone Express
2009-08-13 16:33 . 2009-08-13 16:33 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-13 16:32 . 2006-07-15 02:16 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2006-07-22 21:54 . 2006-07-20 00:00 88 --sh--r- c:\windows\system32\DFC1708291.sys
2006-07-22 21:54 . 2006-07-20 00:00 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-15 169984]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-15 98304]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"HP Software Update"="c:\hp software update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-13 148888]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"7925498587"="c:\documents and settings\Catherine\Application Data\7925498587\7925498587.exe" [2009-10-02 1047588]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2006-9-15 114688]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-14 24576]
HP Digital Imaging Monitor.lnk - c:\digital imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Java\\jre1.5.0_03\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Symantec AntiVirus\\DefWatch.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [8/28/2009 8:05 PM 102448]
S3 84b9e43c-b74b-42f7-ae60-a4b36d6a424b;84b9e43c-b74b-42f7-ae60-a4b36d6a424b;\??\e:\cds300\cds300.dll --> e:\cds300\cds300.dll [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 9:33 PM 116464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gmail.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} - hxxp://regcat.resnet.stonybrook.edu/CAT/CNICAT.cab
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://pdc.resnet.stonybrook.edu/sav/webinst.cab
FF - ProfilePath - c:\documents and settings\Catherine\Application Data\Mozilla\Firefox\Profiles\5osujfiv.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\Catherine\Application Data\Mozilla\Firefox\Profiles\5osujfiv.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{5803c4c9-cb57-4b31-9186-89a1bed8ada3} - rilonake.dll
HKCU-Run-Creative Software Update - c:\program files\Creative\Shared Files\Software Update\AutoUpdate.exe
HKCU-Run-mserv - c:\documents and settings\Catherine\Application Data\svcst.exe
HKCU-Run-Login Software 2009 - c:\docume~1\CATHER~1\LOCALS~1\Temp\c5eoy.exe
HKLM-Run-PCMService - c:\program files\Dell\Media Experience\PCMService.exe
HKLM-Run-jemokarat - c:\windows\system32\monekuho.dll
HKLM-Run-zalafavoka - junovedo.dll
SharedTaskScheduler-ThreadingModel - (no file)
SharedTaskScheduler-{e96614ed-f87e-4dcb-8b23-ecf073b3eff1} - c:\windows\system32\monekuho.dll
SharedTaskScheduler-{33c85cd0-341a-4c1c-9a89-391a4e27cebe} - c:\windows\system32\monekuho.dll
SSODL-zehevewud-{e96614ed-f87e-4dcb-8b23-ecf073b3eff1} - c:\windows\system32\monekuho.dll
SSODL-mojohifiy-{33c85cd0-341a-4c1c-9a89-391a4e27cebe} - c:\windows\system32\monekuho.dll
AddRemove-Move Networks Player_is1 - c:\documents and settings\Catherine\Application Data\Move Networks\ie_bin\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 08:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\e2aede76]
"ImagePath"="\SystemRoot\System32\drivers\e2aede76.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5236)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\InstallShield\UpdateService\agent.exe
c:\digital imaging\bin\hpqste08.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\progra~1\Symantec\LIVEUP~1\LUALL.EXE
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2009-10-04 8:22 - machine was rebooted [Catherine]
ComboFix-quarantined-files.txt 2009-10-04 12:22

Pre-Run: 33,255,006,208 bytes free
Post-Run: 33,186,713,600 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

368 --- E O F --- 2009-09-10 07:07





DragonMaster Jay wrote:
Yes. ComboFix will disable it anyway. Please go ahead.

Re: AVP 2010:Managed to install malwarebytes but won't scan past 2 seconds

Hi

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    DirLook::
    c:\windows\system32\config\systemprofile\Application Data\5418712380
    c:\documents and settings\Catherine\Application Data\7925498587

    FileLook::
    junovedo.dll

    File::
    c:\windows\system32\pump.exe
    c:\windows\wf4.dat
    c:\windows\wf3.dat
    c:\windows\system32\plugie.dll
    c:\windows\system32\drivers\e2aede76.sys
    C:\qgferewy.exe
    C:\hrngen.exe
    C:\prdfjhha.exe
    c:\windows\system32\biluguki.dll
    c:\windows\system32\vuwupajo.dll
    c:\documents and settings\Catherine\Application Data\ojikoxun.dat
    c:\docume~1\CATHER~1\LOCALS~1\Temp\c5eoy.exe
    c:\documents and settings\Catherine\Application Data\svcst.exe
    c:\windows\system32\monekuho.dll
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [Image: CFScriptB-4]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


==

Please download SpiderKill and save it to your Desktop.
  • Right-click on SpiderKill.zip and click Extract All. Follow the prompts and read carefully, to save it to your Desktop.
  • Double-click on the SpiderKill folder, and then double-click on SpiderKill.bat and follow all the prompts in the program.
  • Within a minute, it will save its log titled SpiderKill.txt. Please post that in your next reply. You may have to use two or three posts to be able to fit the information in.


==

Please include the ComboFix and SpiderKill logs in your next reply.
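As an added triage example (not code from the thread, the helper or ComboFix), the script below parses lines in the format of the ComboFix log posted above, flags paths that match the naming patterns visible in this infection (eight-letter alternating consonant/vowel names such as biluguki.dll, numeric-only names such as 7925498587, a hex-named driver, executables in the drive root, system+hidden attributes), and drafts inspection-only DirLook::/FileLook:: entries for the analyst to review before anything is promoted to File::. The sample log is constructed from lines of the posted log; pump.exe, which the helper listed, is not caught by name heuristics alone, and KGyGaAvL.sys trips the attribute heuristic although the helper left it alone, so the output narrows the list rather than replacing a read of the log.

```python
"""Triage a ComboFix log and draft an inspection-only CFScript.

Added example, not code from the thread, the helper or ComboFix: it parses the
"Files Created" / "Find3M" lines and the Run-key lines, flags the naming
patterns visible in this infection and emits DirLook:: / FileLook:: entries.
"""
import ntpath
import re

# ComboFix file line: "<created> . <modified> <size|--------> <attrs> <path>"
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attr>[-a-z]{8})\s+(?P<path>\S.*?)\s*$", re.I)
# Reg Loading Points entry: "Name"="path" [date size]
RUN_LINE = re.compile(r'^"[^"]+"="(?P<path>[^"]+)"\s+\[')

EXEC_EXT = {".exe", ".dll", ".sys", ".dat", ".pif", ".scr", ".bat", ".vbs"}
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")  # biluguki
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")                           # e2aede76
NUMERIC = re.compile(r"^\d{8,}$")                                  # 7925498587
DRIVE_ROOT = re.compile(r"^[a-z]:\\?$", re.I)                     # C:\

def suspicious_reasons(path, attr=""):
    """Return the heuristics a path trips; an empty list means not flagged."""
    p = path.replace("/", "\\")
    stem, ext = ntpath.splitext(ntpath.basename(p))
    stem, ext, low = stem.lower(), ext.lower(), p.lower()
    reasons = []
    if ext in EXEC_EXT and CV_NAME.match(stem):
        reasons.append("alternating consonant/vowel 8-letter name")
    if ext == ".sys" and "\\drivers\\" in low and HEX_NAME.match(stem):
        reasons.append("hex-named driver")
    if any(NUMERIC.match(part) for part in low.split("\\") + [stem]):
        reasons.append("numeric-only name")
    if ext in EXEC_EXT and DRIVE_ROOT.match(ntpath.dirname(p)):
        reasons.append("executable in drive root")
    if ext in EXEC_EXT and attr[2:4] == "sh":  # columns 3-4: system, hidden
        reasons.append("system+hidden attributes")
    return reasons

def parse_log(text):
    """Yield (path, attr, is_dir) for every file line or Run-key line."""
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            attr = m.group("attr").lower()
            yield m.group("path"), attr, attr.startswith("d")
            continue
        m = RUN_LINE.match(line)
        if m:
            yield m.group("path"), "", False

def triage(text):
    """Map each flagged path to (reasons, is_dir); first occurrence wins."""
    flagged = {}
    for path, attr, is_dir in parse_log(text):
        reasons = suspicious_reasons(path, attr)
        if reasons and path not in flagged:
            flagged[path] = (reasons, is_dir)
    return flagged

def build_cfscript(flagged):
    """DirLook:: for directories, FileLook:: for files (inspection only).
    Promoting an entry to File:: (deletion) stays an analyst decision."""
    dirs = [p for p, (_, is_dir) in flagged.items() if is_dir]
    files = [p for p, (_, is_dir) in flagged.items() if not is_dir]
    lines = ["DirLook::", *dirs, ""] if dirs else []
    lines += ["FileLook::", *files] if files else []
    return "\n".join(lines) + "\n"

# Constructed sample in the shape of the log posted in this thread.
SAMPLE_LOG = r"""
2009-10-03 05:33 . 2009-10-03 05:33 553472 ----a-w- c:\windows\system32\pump.exe
2009-10-04 00:39 . 2009-10-04 00:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\5418712380
2009-10-02 03:01 . 2009-10-04 12:16 82944 ----a-w- c:\windows\system32\drivers\e2aede76.sys
2009-10-02 02:58 . 2009-10-02 02:58 17920 ----a-w- C:\qgferewy.exe
2009-10-02 19:55 . 2009-07-02 19:53 38912 --sha-w- c:\windows\system32\biluguki.dll
2009-08-13 16:33 . 2009-08-13 16:33 410984 ----a-w- c:\windows\system32\deploytk.dll
2006-07-22 21:54 . 2006-07-20 00:00 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
"7925498587"="c:\documents and settings\Catherine\Application Data\7925498587\7925498587.exe" [2009-10-02 1047588]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"""

if __name__ == "__main__":
    for path, (reasons, _) in triage(SAMPLE_LOG).items():
        print(path, "->", ", ".join(reasons))
    print(build_cfscript(triage(SAMPLE_LOG)))
```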
