WiredWX Hobby Weather ToolsLog in

 


descriptionAnti Virus Pro, following guide to remove wont work. EmptyAnti Virus Pro, following guide to remove wont work.

more_horiz
Believe I have this anti virus pro, maybe something worse.

I can only boot my computer in safe mode right now...

Anyways, I did all the guide told me to, and that Malwarebytes just will not work. Every time I install then try to launch like it says, it comes up with an error that says:

Unable to Execute:
C:\program Files\Malwarebytes' Anti Malware\mbam.exe

CreateProcess failed; code 2
The system cannot find the specified file.

My Hijack this log file is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:23 AM, on 10/27/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://url.urtbk.com/cpv.jsp?p=113120&ip=71.14.122.143&url=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3D2%26view%3Djs%26name%3Djs%26ver%3DnxuHLIqdUtA.en.%26am%3D%21CJUZrzRQt-K5Bd7y2fd6TgBlflrrFB42JpNabx-pLrp6&context=%25s&selectedKeyword=google+com&selectedListingId=7556471&default=http%3A%2F%2F82.98.231.93%2F%3Fsource%3Dvenus_extra_120%26affid%3D200063%26guid%3Dea6d59c3c9ecf34480c2decd813f34d3%26uid%3Db1818b7ac24711de9741200063ffffff%26rid%3Dnkvt00002%26ver%3D21129%26m%3Dvr03%26b42%3D0.0048
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ADC PlugIn - {77DC0B63-ff35-4ba9-8BE8-aa9EB676FA02} - C:\WINDOWS\System32\plugie.dll
O2 - BHO: JustForMonkeys.Bananas - {7977A6ED-C4BD-490E-8C58-AA0849CA03A4} - C:\WINDOWS\System32\{7977A6ED-C4BD-490E-8C58-AA0849CA03A4}.dll
O2 - BHO: (no name) - {b0a6e15e-62ec-4889-bd8f-9b3dc9ebe898} - nalejida.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: BHO - {C277B942-1F68-486b-8F95-6E486A13F148} - C:\WINDOWS\system32\iehelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Andrew\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [cjwpenc] C:\WINDOWS\cjwpenc.EXE
O4 - HKLM\..\Run: [nbjrzww] C:\WINDOWS\nbjrzww.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [353133333A353E3B4] 3430323239343D3.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [system tool] C:\Program Files\tpdijg\kfrysysguard.exe
O4 - HKLM\..\Run: [bamigejume] Rundll32.exe "niludesa.dll",s
O4 - HKLM\..\Run: [lulogarot] Rundll32.exe "c:\windows\system32\kumudaki.dll",a
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
O20 - AppInit_DLLs: befologo.dll c:\windows\system32\kumudaki.dll
O21 - SSODL: jasotesub - {1b09657e-0899-4082-af67-77608fe9bb45} - c:\windows\system32\lekenavi.dll (file missing)
O21 - SSODL: tozemogeb - {994776f3-4dd3-4fe0-8a7b-e1afdcd2c55e} - c:\windows\system32\kumudaki.dll
O22 - SharedTaskScheduler: tokatiluy - {1b09657e-0899-4082-af67-77608fe9bb45} - c:\windows\system32\lekenavi.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {994776f3-4dd3-4fe0-8a7b-e1afdcd2c55e} - c:\windows\system32\kumudaki.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WDefend - Unknown owner - C:\WINDOWS\svohost.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\cjwpsvc.exe

--
End of file - 8142 bytes

What do I do?

Thanks for any help!

descriptionAnti Virus Pro, following guide to remove wont work. EmptyRe: Anti Virus Pro, following guide to remove wont work.

more_horiz
Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

descriptionAnti Virus Pro, following guide to remove wont work. EmptyRe: Anti Virus Pro, following guide to remove wont work.

more_horiz
I cannot use Malwarebytes' Anti-Malware.

Every time I try it gives me

Unable to Execute:
C:\program Files\Malwarebytes' Anti Malware\mbam.exe

CreateProcess failed; code 2
The system cannot find the specified file

descriptionAnti Virus Pro, following guide to remove wont work. EmptyRe: Anti Virus Pro, following guide to remove wont work.

more_horiz
Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    Anti Virus Pro, following guide to remove wont work. CF_download_FF

    Anti Virus Pro, following guide to remove wont work. CF_download_rename

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    Anti Virus Pro, following guide to remove wont work. Rcauto10

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    Anti Virus Pro, following guide to remove wont work. Whatne10

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

descriptionAnti Virus Pro, following guide to remove wont work. EmptyRe: Anti Virus Pro, following guide to remove wont work.

more_horiz
combofix got me out of safe mode and able to use the computer regularly, however it is still painfully slow...

here is the combo fix log...

ComboFix 09-10-27.04 - Andrew 10/27/2009 21:12.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.511.324 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ccu.exe
c:\documents and settings\Andrew\Local Settings\Temporary Internet Files\Tvm.log
c:\program files\cmapp
c:\program files\cmapp\Client\hf.txt
c:\program files\cmapp\Client\rf.txt
c:\program files\cmapp\Client\sf.txt
c:\program files\cmapp\Client\Uninstall.exe
c:\program files\fcadvice
c:\program files\fcadvice\FCAdvice.dll
c:\program files\fcadvice\FCAdvice.exe
c:\program files\fcadvice\patterns.dat
c:\program files\fcadvice\redirect.dat
c:\program files\fcadvice\Uninstall.exe
c:\program files\wincmapp
c:\program files\wincmapp\Uninstall.exe
c:\windows\svohost.exe
c:\windows\syssvc.exe
c:\windows\system32\4h0ve601.dat
c:\windows\System32\befologo.dll
c:\windows\system32\bemevaja.dll
c:\windows\system32\bincd32.dat
c:\windows\system32\bitonuta.dll
c:\windows\system32\config\systemprofile\Desktop\Windows Police Pro.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\windows\system32\Data
c:\windows\system32\digezuru.dll
c:\windows\system32\drivers\kbiwkmwjtrdgae.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\kbiwkmbkduqmot.dll
c:\windows\system32\kbiwkmkwbhuwvt.dll
c:\windows\system32\kbiwkmnskxwfap.dll
c:\windows\system32\kbiwkmorauknkh.dll
c:\windows\system32\kbiwkmpiixxanw.dat
c:\windows\system32\kbiwkmqyhfilnm.dat
c:\windows\system32\kbiwkmsdbgjcge.dll
c:\windows\system32\kekasika.dll
c:\windows\system32\kiyisovo.dll
c:\windows\system32\kumudaki.dll
c:\windows\system32\lavufanu.dll
c:\windows\system32\lsp.dll
c:\windows\system32\nalejida.dll
c:\windows\System32\niludesa.dll
c:\windows\system32\nuar.old
c:\windows\system32\Plugins
c:\windows\system32\Plugins\Mime.ini
c:\windows\system32\Plugins\MozillaEdit.exe
c:\windows\system32\Plugins\NPLeechGet.dll
c:\windows\system32\pump.exe
c:\windows\system32\schtml
c:\windows\system32\schtml\dbsinit.exe
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\word.doc
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\skynet.dat
c:\windows\system32\sonumiwo.dll
c:\windows\system32\SplWbr.dlltmp
c:\windows\system32\test.exe
c:\windows\system32\towozoha.dll
c:\windows\system32\yigekote.dll

c:\windows\system32\qmgr.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmhppklilj
-------\Legacy_kbiwkmhppklilj
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Legacy_WINDOWS_VISFX_COMPONENTS
-------\Service_Windows VisFx Components
-------\Legacy_WDefend
-------\Service_WDefend


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2009-10-27 16:38 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 16:38 . 2009-09-10 19:53 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-27 16:08 . 2009-10-27 16:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 16:04 . 2009-10-27 16:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-27 15:58 . 2009-10-27 15:58 -------- d-----w- c:\program files\Trend Micro
2009-10-27 15:58 . 2009-10-27 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-27 15:36 . 2009-10-27 15:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-27 15:30 . 2009-10-27 15:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-10-27 05:21 . 2009-10-27 05:21 -------- d-----w- c:\documents and settings\Administrator
2009-10-19 02:27 . 2009-10-19 02:43 58 ----a-w- c:\windows\wp4.dat
2009-10-19 02:27 . 2009-10-19 02:43 2 ----a-w- c:\windows\wp3.dat
2009-10-19 02:27 . 2009-10-19 02:42 561664 ----a-w- c:\windows\system32\plugie.dll
2009-10-06 06:17 . 2009-10-06 06:17 -------- d-----w- C:\Microsoft Office!
2009-09-28 03:30 . 2009-09-28 03:31 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\Temp
2009-09-28 03:30 . 2009-09-28 03:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-09-28 03:30 . 2009-09-28 03:31 -------- d-----w- c:\program files\Google
2009-09-28 03:30 . 2009-09-28 03:30 570016 ----a-w- C:\GoogleEarthSetup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-28 02:24 . 2009-06-05 22:40 -------- d-----w- c:\program files\DNA
2009-10-28 02:24 . 2009-06-05 22:40 -------- d-----w- c:\documents and settings\Andrew\Application Data\DNA
2009-10-28 02:24 . 2005-08-10 20:57 9 ----a-w- c:\windows\ofxnm.dat
2009-10-27 05:51 . 2009-10-27 05:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-10-27 05:35 . 2006-07-22 08:35 -------- d-----w- c:\program files\Trillian
2009-10-27 05:11 . 2004-06-28 02:52 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-09 16:07 . 2009-06-05 22:40 -------- d-----w- c:\documents and settings\Andrew\Application Data\BitTorrent
2009-10-04 23:36 . 2004-06-27 21:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-22 23:15 . 2009-09-15 02:33 -------- d-----w- c:\program files\MSECache
2009-09-22 23:15 . 2009-09-22 23:14 27024112 ----a-w- C:\PowerPointViewer.exe
2009-09-20 20:46 . 2004-07-02 05:09 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-20 20:44 . 2006-01-22 03:56 -------- d-----w- c:\documents and settings\Andrew\Application Data\Webshots
2009-09-20 20:43 . 2004-06-28 02:13 -------- d-----w- c:\program files\Viewpoint
2009-09-20 20:42 . 2004-09-02 21:08 -------- d-----w- c:\program files\Starcraft
2009-09-20 20:42 . 2005-05-27 19:49 -------- d-----w- c:\program files\StarWarsGalaxies
2009-09-20 20:41 . 2005-12-16 21:06 -------- d-----w- c:\program files\MindArk
2009-09-20 20:40 . 2006-05-12 04:00 -------- d-----w- c:\program files\POV-Ray for Windows v3.6
2009-09-20 20:40 . 2009-04-17 00:36 -------- d-----w- c:\program files\SD EnterNET
2009-09-20 20:37 . 2005-11-22 01:20 -------- d-----w- c:\program files\Lux
2009-09-20 20:34 . 2004-11-08 21:04 -------- d-----w- c:\program files\GameSpy Arcade
2009-09-20 20:34 . 2004-09-14 01:27 -------- d-----w- c:\program files\CCP
2009-09-20 20:33 . 2004-06-28 17:53 -------- d-----w- c:\program files\City of Heroes
2009-09-20 20:31 . 2005-07-24 18:42 -------- d-----w- c:\program files\Canon
2009-09-20 20:30 . 2005-12-04 20:52 -------- d-----w- c:\program files\Blitz 1941 Global
2009-09-20 20:29 . 2006-06-21 20:51 -------- d-----w- c:\program files\EA GAMES
2009-09-20 20:27 . 2005-07-27 03:16 -------- d-----w- c:\program files\ArtMoney
1989-12-12 14:10 . 2005-08-10 20:57 86016 --sh--r- c:\windows\cjwpenc.exe
1989-12-12 14:10 . 2005-08-10 20:57 126976 --sh--r- c:\windows\cjwpsvc.exe
1998-10-24 05:00 . 1998-10-24 05:00 700 --sha-w- c:\windows\dv11mxv_0$1_783482.drv
1989-12-12 14:10 . 2005-10-11 18:06 290000 --sh--r- c:\windows\meqpmqe.exe
1998-10-24 05:00 . 1998-10-24 05:00 700 --sha-w- c:\windows\mk79vx928341.drv
1998-10-24 05:00 . 1998-10-24 05:00 700 --sha-w- c:\windows\mx3vd9499586.drv
1998-10-24 05:00 . 1998-10-24 05:00 700 --sha-w- c:\windows\vzm9dl314539.drv
1998-10-24 05:00 . 1998-10-24 05:00 700 --sha-w- c:\windows\xv1mdrv691928.drv
1989-12-12 14:10 . 2005-09-16 20:36 380000 --sh--r- c:\windows\zdjqycy.exe
2002-09-03 17:13 . 2005-05-22 18:02 520192 --sha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2003-04-14 1491216]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-06-05 321344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-06-01 7618560]
"SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 218240]
"cjwpenc"="c:\windows\cjwpenc.EXE" [1989-12-12 86016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-02-17 59040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-04-12 155648]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-06-01 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-06-01 1519616]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\
Trillian.lnk - c:\program files\Trillian\trillian.exe [2005-3-14 1646592]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LimeWire 4.0.7.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LimeWire 4.0.7.lnk
backup=c:\windows\pss\LimeWire 4.0.7.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/27/2009 10:30 PM 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-28 03:30]

2009-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-28 03:30]

2009-10-24 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Andrew.job
- c:\progra~1\NORTON~1\Navw32.exe [2005-11-12 17:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uDefault_Search_URL = hxxp://search.msn.com
mSearch Bar =
IE: Download using LeechGet - file://c:\program files\LeechGet 2004\\AddUrl.html
IE: Download using LeechGet Wizard - file://c:\program files\LeechGet 2004\\Wizard.html
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Parse with LeechGet - file://c:\program files\LeechGet 2004\\Parser.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - hxxp://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\default.7so\
FF - prefs.js: browser.search.selectedEngine - ISearch
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - prefs.js: keyword.URL - hxxp://www.isearch.com/?q=
FF - plugin: c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\default.7so\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMCult3DP.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npWTHost.dll
FF - plugin: c:\windows\SYSTEM32\Cult3D\NPMCult3DP.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\leechget.js - /*=*/pref("leechget.path", "null");
.
- - - - ORPHANS REMOVED - - - -

BHO-{b0a6e15e-62ec-4889-bd8f-9b3dc9ebe898} - nalejida.dll
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
HKCU-Run-CMAPP - c:\program files\CMAPP\Client\cmappclient.exe
HKCU-Run-ichckupd - c:\windows\System32\ichckupd.exe
HKLM-Run-nbjrzww - c:\windows\nbjrzww.EXE
HKLM-Run-lulogarot - c:\windows\system32\kumudaki.dll
HKLM-Run-353133333A353E3B4 - 3430323239343D3.exe
HKLM-Run-bamigejume - niludesa.dll
SharedTaskScheduler-{1b09657e-0899-4082-af67-77608fe9bb45} - c:\windows\system32\lekenavi.dll
SharedTaskScheduler-{994776f3-4dd3-4fe0-8a7b-e1afdcd2c55e} - c:\windows\system32\kumudaki.dll
SSODL-jasotesub-{1b09657e-0899-4082-af67-77608fe9bb45} - c:\windows\system32\lekenavi.dll
SSODL-tozemogeb-{994776f3-4dd3-4fe0-8a7b-e1afdcd2c55e} - c:\windows\system32\kumudaki.dll
AddRemove-Sysnet - c:\docume~1\Andrew\LOCALS~1\Temp\snuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-27 21:24
Windows 5.1.2600 Service Pack 1 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{58108EA6-F0F8-838F-6C2A403DB017DCAF}\{7C3918A7-E77A-99CB-B21F6D376FB586C0}\{5E9787CE-D944-C377-C12E117E9C86E636}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{59FD906B-7064-D511-A92C76967AEA497D}\{7BE5E469-8614-18F7-FB4A2951C2296B41}\{4CE5DCAA-16CA-BCB0-DF1B4E45E77E17F5}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(888)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(2088)
c:\program files\Trillian\events.dll
c:\windows\System32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\combo-fix\CF8640.exe
c:\windows\System32\nvsvc32.exe
c:\windows\System32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\System32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
c:\combo-fix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-28 21:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-28 02:29

Pre-Run: 102,590,980,096 bytes free
Post-Run: 104,742,633,472 bytes free

winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

- - End Of File - - 9362F9BF9DFE9E962503083DAAD2284F

descriptionAnti Virus Pro, following guide to remove wont work. EmptyRe: Anti Virus Pro, following guide to remove wont work.

more_horiz
Was now able to run malwarebytes...

Malwarebytes' Anti-Malware 1.41
Database version: 3045
Windows 5.1.2600 Service Pack 1

10/27/2009 10:01:54 PM
mbam-log-2009-10-27 (22-01-54).txt

Scan type: Quick Scan
Objects scanned: 108779
Time elapsed: 5 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\xjado (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\System32\{7977A6ED-C4BD-490E-8C58-AA0849CA03A4}.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\plugie.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\WINDOWS\pysoft_uninstaller.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{7977A6ED-C4BD-490E-8C58-AA0849CA03A4}.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Runner.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\wp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\wp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

descriptionAnti Virus Pro, following guide to remove wont work. EmptyRe: Anti Virus Pro, following guide to remove wont work.

more_horiz
Hello.
Nice work, but not done yet.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:


    :filefind
    qmgr.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

descriptionAnti Virus Pro, following guide to remove wont work. EmptyRe: Anti Virus Pro, following guide to remove wont work.

more_horiz
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 21:59 on 28/10/2009 by Andrew (Administrator - Elevation successful)

========== filefind ==========

Searching for "qmgr.dll"
C:\WINDOWS\ERDNT\cache\qmgr.dll --a--- 221696 bytes [02:27 28/10/2009] [16:53 03/09/2002] 6A1CF14D0E7D0B2241F552223769C8A7
C:\WINDOWS\SoftwareDistribution\Download\62f994895b2e7156099353faaa0580c0\sp1qfe\qmgr.dll --a--- 361984 bytes [16:14 29/08/2004] [22:08 01/07/2004] 696AC82FB290A03F205901442E0E9589
C:\WINDOWS\system32\qmgr.dll ------ 221696 bytes [20:57 27/06/2004] [16:53 03/09/2002] 6A1CF14D0E7D0B2241F552223769C8A7

-=End Of File=-

descriptionAnti Virus Pro, following guide to remove wont work. EmptyRe: Anti Virus Pro, following guide to remove wont work.

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum