
Malwarebytes

Preims.dll


14 replies to this topic

#1
TomW

    New Member

  • Members
  • 33 posts
I am posting a new topic as instructed by miekiemoes in the false positives forum.

Preims.dll was identified in my computer as a Trojan and removed by Malwarebytes but preims.dll keeps returning.

Malwarebytes no longer identifies preims.dll but preims.dll is still in the folder c:\windows and cannot be deleted manually (in normal mode or safe mode).

Current HijackThis scans and Malwarebytes scans are below.

Help please.

Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:14 AM, on 4/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
E:\OmniPage\OpwareSE2.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
E:\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
E:\ESET\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
E:\PalmOne\Hotsync.exe
C:\Program Files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe
E:\ESET\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
E:\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
G:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [OpwareSE2] "E:\OmniPage\OpwareSE2.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "E:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [egui] "E:\ESET\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = E:\PalmOne\Hotsync.exe
O4 - Global Startup: ImageMixer 3 SE Camera Monitor.lnk = C:\Program Files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1229156642718
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - E:\ESET\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - E:\ESET\ekrn.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - E:\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7477 bytes

Malwarebytes' Anti-Malware 1.36
Database version: 2039
Windows 5.1.2600 Service Pack 3

4/25/2009 7:09:31 AM
mbam-log-2009-04-25 (07-09-31).txt

Scan type: Quick Scan
Objects scanned: 78709
Time elapsed: 1 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#2
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

I see you are running AdWatch.
I suggest you disable it because it can interfere with the fixes.

To disable AdWatch:

* Right click on the Ad-Watch icon in the system tray.
* At the bottom of the screen there will be two checkable items called Active and Automatic.
o Active: This will turn Ad-Watch On\Off without closing it.
o Automatic: Suspicious activity will be blocked automatically.
* Uncheck both of those boxes.
* (When done, you can re-enable it using the same steps but this time check both boxes.)

Then, please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Make sure Combofix is on your DESKTOP and not anywhere else.

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
Mieke Verburgh
Assistant Director of Research


#3
TomW

    New Member

  • Members
  • 33 posts
Here is the combofix log:

ComboFix 09-04-25.A1 - Tom Gunby 04/25/2009 7:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3091 [GMT -4:00]
Running from: c:\documents and settings\Tom Gunby\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\avulinet.dll
c:\windows\preims.dll
c:\windows\winhelp.ini

Infected copy of c:\windows\system32\imm32.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\imm32.dll


.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.

2009-04-24 08:03 . 2009-04-24 08:03 86 ----a-w c:\windows\wininit.ini
2009-04-23 09:44 . 2009-04-23 09:44 300 ----a-w c:\windows\Blefuqejakokup.dat
2009-04-23 09:44 . 2009-04-23 09:44 -------- d-----w c:\documents and settings\Tom Gunby\Local Settings\Application Data\{5E5FCB3C-01DE-4996-83D7-5D737D022F17}
2009-04-16 08:05 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 08:05 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 08:05 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 08:05 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 08:05 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 08:05 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 08:05 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 08:05 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 08:05 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 08:04 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 08:04 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 08:04 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 21:49 . 2009-04-24 05:15 0 ----a-w c:\windows\Udolaf.bin
2009-04-13 11:12 . 2009-04-13 11:12 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-04-12 09:59 . 2009-04-12 09:59 -------- d-----w c:\documents and settings\Tom Gunby\Local Settings\Application Data\ESET
2009-04-12 09:56 . 2009-04-12 09:56 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-04-11 08:25 . 2009-04-21 17:34 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-11 07:41 . 2009-04-21 17:33 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-11 07:38 . 2009-04-11 07:38 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-10 18:36 . 2009-04-10 18:36 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-10 09:26 . 2009-04-10 09:26 -------- d-----w c:\documents and settings\Tom Gunby\Application Data\Malwarebytes
2009-04-10 09:26 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-10 09:26 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-10 09:26 . 2009-04-10 09:26 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-10 07:08 . 2009-01-09 19:19 1089593 -c----w c:\windows\system32\dllcache\ntprint.cat
2009-03-29 08:46 . 2009-03-29 08:46 -------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-03-29 08:45 . 2009-03-29 08:45 -------- d-----w c:\windows\system32\AGEIA
2009-03-29 08:44 . 2009-04-25 11:55 212641 ----a-w c:\windows\system32\nvapps.xml
2009-03-29 08:44 . 2009-03-29 08:44 -------- d-----w c:\windows\nview
2009-03-29 08:44 . 2009-02-18 18:44 453152 ----a-w c:\windows\system32\nvudisp.exe
2009-03-29 08:44 . 2009-02-18 18:44 19021 ----a-w c:\windows\system32\nvdisp.nvu
2009-03-29 08:44 . 2009-02-17 03:17 453152 ----a-w c:\windows\system32\NVUNINST.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 11:55 . 2009-04-18 05:34 4700 ----a-w C:\aaw7boot.log
2009-04-25 07:00 . 2008-07-07 18:40 42283521 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-04-24 08:33 . 2009-04-24 08:35 2000896 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-04-21 18:49 . 2008-05-10 06:59 -------- d-----w c:\documents and settings\Tom Gunby\Application Data\Canon
2009-04-18 09:09 . 2008-11-24 21:46 -------- d-----w c:\program files\Java
2009-04-11 07:38 . 2009-04-11 07:38 -------- d-----w c:\program files\Lavasoft
2009-04-11 07:32 . 2008-09-06 07:36 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-29 08:45 . 2009-03-29 08:45 -------- d-----w c:\program files\AGEIA Technologies
2009-03-28 16:12 . 2008-04-11 20:36 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-03-28 00:05 . 2008-04-05 18:46 69688 ----a-w c:\documents and settings\Tom Gunby\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-19 15:45 . 2009-03-19 15:45 93848 ----a-w c:\windows\system32\drivers\epfwtdir.sys
2009-03-19 15:44 . 2009-03-19 15:44 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-03-19 15:41 . 2009-03-19 15:41 113960 ----a-w c:\windows\system32\drivers\eamon.sys
2009-03-09 09:19 . 2008-11-24 21:46 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2007-07-27 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2007-07-27 12:00 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2007-07-27 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-16 04:10 . 2009-03-15 10:23 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-09 12:10 . 2007-07-27 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2007-07-27 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2007-07-27 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2007-07-27 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2007-07-27 12:00 145468 ----a-w c:\windows\system32\msabwnvpy.dll
2009-02-09 11:13 . 2007-07-27 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2007-07-27 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2007-07-27 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2007-07-27 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2007-07-27 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-05-03 20:28 . 2008-05-03 20:28 18096 ----a-w c:\documents and settings\Tom Gunby\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"OpwareSE2"="e:\omnipage\OpwareSE2.exe" [2003-05-08 49152]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"QuickTime Task"="e:\quicktime\qttask.exe" [2008-05-27 413696]
"ZoneAlarm Client"="e:\zonealarm\zlclient.exe" [2009-02-16 981384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-21 516440]
"egui"="e:\eset\egui.exe" [2009-03-19 2029640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-06-27 16875008]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\alcwzrd.exe [2008-06-19 2808832]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-5-11 25214]
HotSync Manager.lnk - e:\palmone\Hotsync.exe [2004-6-9 471040]
ImageMixer 3 SE Camera Monitor.lnk - c:\program files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe [2008-8-11 253952]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli preims.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Tom Gunby^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\Tom Gunby\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-21 64160]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-03-19 107256]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-03-19 93848]
S2 ekrn;ESET Service;e:\eset\ekrn.exe [2009-03-19 731840]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-21 953168]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{216242d7-882e-11dd-8ae2-001d7d00107a}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{953432a4-a60d-11dd-8aee-001d7d00107a}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 17:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - e:\micros~1\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 07:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1356)
e:\omnipage\ophookSE2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
e:\cdburnerxp\NMSAccessU.exe
c:\windows\system32\rundll32.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-25 7:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-25 11:56

Pre-Run: 466,218,881,024 bytes free
Post-Run: 466,143,277,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

202

#4
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

I guess it was mainly your Ad-Watch interfering previously. Anyway...

* Open Notepad. Don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Quote

File::
c:\windows\Blefuqejakokup.dat
c:\windows\Udolaf.bin
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
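The `Notification Packages REG_MULTI_SZ scecli preims.dll` line under `HKLM\system\currentcontrolset\control\lsa` in the first ComboFix log is the persistence mechanism behind this infection, and the `"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00` line in the CFScript above is its fix. LSA loads every DLL named in that value into lsass.exe when it starts, and lsass.exe runs in Safe Mode too; that is why preims.dll came back after Malwarebytes removed it and why the file could not be deleted by hand. The hex(7) value is a REG_MULTI_SZ written out byte by byte; decoded, it is the single string `scecli` followed by the double NUL terminator, i.e. the stock XP default with the malicious entry removed. The script below is an added example, not part of the original thread and not ComboFix code: it decodes and re-encodes hex(7) values, flags entries outside a small allow-list (`scecli`, plus `rassfm` as found on domain controllers; the allow-list is this example's choice), reads the live value when run on Windows (falling back to a constructed sample taken from the log above elsewhere), and emits a REGEDIT4 fragment of the same shape as the CFScript's `Registry::` section.

```python
"""Audit and repair the LSA "Notification Packages" value.

Added example for the thread above, not ComboFix code. LSA loads every DLL
named in HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages
(a REG_MULTI_SZ) into lsass.exe when it starts, so a DLL planted there
survives file-only cleanups and stays locked on disk.
"""
from __future__ import annotations

import re

# Stock entries: "scecli" on every Windows box, "rassfm" on domain controllers.
# Allow-list chosen for this example; extend it for your own environment.
KNOWN_GOOD = {"scecli", "rassfm"}

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Notification Packages"


def decode_hex7(blob: str, wide: bool = False) -> list[str]:
    """Decode a .reg hex(7) byte list into the REG_MULTI_SZ strings.

    REGEDIT4 (ANSI) files store one byte per character; Regedit 5 files
    (wide=True) store UTF-16LE. Each string ends with a NUL and the list
    ends with one extra NUL, so the trailing empty strings are dropped.
    Continuation lines ("\\" at end of line) are tolerated.
    """
    if blob.lower().startswith("hex(7):"):
        blob = blob[len("hex(7):"):]
    raw = bytes(int(b, 16) for b in re.split(r"[,\s\\]+", blob) if b)
    text = raw.decode("utf-16-le" if wide else "latin-1")
    return [s for s in text.split("\x00") if s]


def encode_hex7(strings: list[str], wide: bool = False) -> str:
    """Inverse of decode_hex7: produce the hex(7) form regedit expects."""
    enc = "utf-16-le" if wide else "latin-1"
    nul = "\x00".encode(enc)
    data = b"".join(s.encode(enc) + nul for s in strings) + nul
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def audit_packages(packages: list[str], known_good=KNOWN_GOOD) -> dict[str, list[str]]:
    """Split the list into expected and suspicious entries.

    Names are compared case-insensitively and without a ".dll" suffix:
    LoadLibrary appends ".dll" when no extension is given, so "preims" and
    "preims.dll" load the same module.
    """
    def norm(name: str) -> str:
        return name.lower().removesuffix(".dll")

    suspicious = [p for p in packages if norm(p) not in known_good]
    expected = [p for p in packages if norm(p) in known_good]
    return {"expected": expected, "suspicious": suspicious}


def repair_fragment(packages: list[str]) -> str:
    """REGEDIT4 fragment keeping only the expected entries.

    Same shape as the Registry:: section of the CFScript in the thread;
    it can also be imported with `regedit.exe /s fix.reg`. This only removes
    the autostart: the DLL file itself still has to be deleted once
    lsass.exe no longer holds it open (i.e. after a reboot).
    """
    kept = audit_packages(packages)["expected"]
    return (
        "REGEDIT4\n\n"
        f"[HKEY_LOCAL_MACHINE\\{LSA_KEY}]\n"
        f'"{VALUE_NAME}"={encode_hex7(kept)}\n'
    )


def read_live_packages() -> list[str] | None:
    """Read the live value on Windows; return None on other platforms."""
    try:
        import winreg  # Windows only
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, kind = winreg.QueryValueEx(key, VALUE_NAME)
    return list(value) if kind == winreg.REG_MULTI_SZ else None


if __name__ == "__main__":
    # Constructed sample: the value exactly as the first ComboFix log showed it.
    infected = ["scecli", "preims.dll"]
    live = read_live_packages()
    packages = live if live is not None else infected
    print("source:", "live registry" if live is not None else "sample from thread")
    result = audit_packages(packages)
    print("expected:  ", result["expected"])
    print("suspicious:", result["suspicious"])
    # The CFScript line from the thread decodes to the stock default.
    print("CFScript value decodes to:", decode_hex7("73,63,65,63,6c,69,00,00"))
    if result["suspicious"]:
        print(repair_fragment(packages))
```

Run on the sample, the audit reports `preims.dll` as the only suspicious entry and prints a fragment whose value line is identical to the one in the CFScript. On a live Windows box it reads the real value instead; anything it flags should be checked against the file on disk (the loader can find a DLL in `c:\windows` as well as `system32`, which is where preims.dll sat here) before the value is rewritten.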

#5
TomW

    New Member

  • Members
  • 33 posts
Here is the log generated by the second run of combofix:

ComboFix 09-04-25.A1 - Tom Gunby 04/25/2009 8:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3087 [GMT -4:00]
Running from: c:\documents and settings\Tom Gunby\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom Gunby\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\Blefuqejakokup.dat
c:\windows\Udolaf.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Blefuqejakokup.dat
c:\windows\Udolaf.bin

.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.

2009-04-24 08:03 . 2009-04-24 08:03 86 ----a-w c:\windows\wininit.ini
2009-04-23 09:44 . 2009-04-23 09:44 -------- d-----w c:\documents and settings\Tom Gunby\Local Settings\Application Data\{5E5FCB3C-01DE-4996-83D7-5D737D022F17}
2009-04-16 08:05 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 08:05 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 08:05 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 08:05 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 08:05 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 08:05 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 08:05 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 08:05 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 08:05 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 08:04 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 08:04 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 08:04 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 11:12 . 2009-04-13 11:12 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-04-12 09:59 . 2009-04-12 09:59 -------- d-----w c:\documents and settings\Tom Gunby\Local Settings\Application Data\ESET
2009-04-12 09:56 . 2009-04-12 09:56 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-04-11 08:25 . 2009-04-21 17:34 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-11 07:41 . 2009-04-21 17:33 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-11 07:38 . 2009-04-11 07:38 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-10 18:36 . 2009-04-10 18:36 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-10 09:26 . 2009-04-10 09:26 -------- d-----w c:\documents and settings\Tom Gunby\Application Data\Malwarebytes
2009-04-10 09:26 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-10 09:26 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-10 09:26 . 2009-04-10 09:26 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-10 07:08 . 2009-01-09 19:19 1089593 -c----w c:\windows\system32\dllcache\ntprint.cat
2009-03-29 08:46 . 2009-03-29 08:46 -------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-03-29 08:45 . 2009-03-29 08:45 -------- d-----w c:\windows\system32\AGEIA
2009-03-29 08:44 . 2009-04-25 11:55 212641 ----a-w c:\windows\system32\nvapps.xml
2009-03-29 08:44 . 2009-03-29 08:44 -------- d-----w c:\windows\nview
2009-03-29 08:44 . 2009-02-18 18:44 453152 ----a-w c:\windows\system32\nvudisp.exe
2009-03-29 08:44 . 2009-02-18 18:44 19021 ----a-w c:\windows\system32\nvdisp.nvu
2009-03-29 08:44 . 2009-02-17 03:17 453152 ----a-w c:\windows\system32\NVUNINST.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 11:55 . 2009-04-18 05:34 4700 ----a-w C:\aaw7boot.log
2009-04-25 07:00 . 2008-07-07 18:40 42283521 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-04-24 08:33 . 2009-04-24 08:35 2000896 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-04-21 18:49 . 2008-05-10 06:59 -------- d-----w c:\documents and settings\Tom Gunby\Application Data\Canon
2009-04-18 09:09 . 2008-11-24 21:46 -------- d-----w c:\program files\Java
2009-04-11 07:38 . 2009-04-11 07:38 -------- d-----w c:\program files\Lavasoft
2009-04-11 07:32 . 2008-09-06 07:36 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-29 08:45 . 2009-03-29 08:45 -------- d-----w c:\program files\AGEIA Technologies
2009-03-28 16:12 . 2008-04-11 20:36 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-03-28 00:05 . 2008-04-05 18:46 69688 ----a-w c:\documents and settings\Tom Gunby\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-19 15:45 . 2009-03-19 15:45 93848 ----a-w c:\windows\system32\drivers\epfwtdir.sys
2009-03-19 15:44 . 2009-03-19 15:44 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-03-19 15:41 . 2009-03-19 15:41 113960 ----a-w c:\windows\system32\drivers\eamon.sys
2009-03-09 09:19 . 2008-11-24 21:46 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2007-07-27 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2007-07-27 12:00 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2007-07-27 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-16 04:10 . 2009-03-15 10:23 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-09 12:10 . 2007-07-27 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2007-07-27 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2007-07-27 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2007-07-27 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2007-07-27 12:00 145468 ----a-w c:\windows\system32\msabwnvpy.dll
2009-02-09 11:13 . 2007-07-27 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2007-07-27 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2007-07-27 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2007-07-27 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2007-07-27 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-05-03 20:28 . 2008-05-03 20:28 18096 ----a-w c:\documents and settings\Tom Gunby\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"OpwareSE2"="e:\omnipage\OpwareSE2.exe" [2003-05-08 49152]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"QuickTime Task"="e:\quicktime\qttask.exe" [2008-05-27 413696]
"ZoneAlarm Client"="e:\zonealarm\zlclient.exe" [2009-02-16 981384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-21 516440]
"egui"="e:\eset\egui.exe" [2009-03-19 2029640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-06-27 16875008]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\alcwzrd.exe [2008-06-19 2808832]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-5-11 25214]
HotSync Manager.lnk - e:\palmone\Hotsync.exe [2004-6-9 471040]
ImageMixer 3 SE Camera Monitor.lnk - c:\program files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe [2008-8-11 253952]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Tom Gunby^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\Tom Gunby\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-21 953168]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-21 64160]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-03-19 107256]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-03-19 93848]
S2 ekrn;ESET Service;e:\eset\ekrn.exe [2009-03-19 731840]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{216242d7-882e-11dd-8ae2-001d7d00107a}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{953432a4-a60d-11dd-8aee-001d7d00107a}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 17:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - e:\micros~1\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 08:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-25 8:13
ComboFix-quarantined-files.txt 2009-04-25 12:13
ComboFix2.txt 2009-04-25 11:56

Pre-Run: 466,122,289,152 bytes free
Post-Run: 466,110,144,512 bytes free


#6
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
Mieke Verburgh
Assistant Director of Research

Follow us: Twitter, Become a fan: Facebook

#7
TomW

    New Member

  • Members
  • 33 posts
Combofix uninstalled successfully and preims.dll is no longer in the c:\windows folder.

Is the computer now clean?

Thank you.

#8
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
Yes, everything should be clean now. :rolleyes:


Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9
TomW

    New Member

  • Members
  • 33 posts
Miekiemoes -

I would like to donate to the forum or purchase the registered version of Malwarebytes.

How do I do that?

Thank you.

Tom

#10
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
Hi,

Thank you for considering purchasing Malwarebytes. To purchase, click the green "Buy now" button on the left: http://www.malwareby...rg/products.php
It is a one time fee of $24.95. :rolleyes:

Thank you.

#11
SeanGorman

    New Member

  • Members
  • 7 posts

miekiemoes, on Apr 25 2009, 07:18 AM, said:

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

On a related note Miekie - do you always need to run ComboFix /u?

#12
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
Yes:

Quote

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
+ it deletes the malware present in quarantine.

Also, since Combofix is updated frequently, there's really no need to keep it, since it just won't run anymore once a certain time has passed :rolleyes:

#13
TomW

    New Member

  • Members
  • 33 posts
Miekie -

I have purchased and registered Malwarebytes Anti-Malware and enabled its "protection."

Do I need to disable / remove Adaware's Adwatch to avoid conflicts with Malwarebytes Anti-Malware?

Also, are there any other changes necessary to Adaware, or NOD32, or ZoneAlarm, or Spybot to avoid conflicts with Malwarebytes Anti-Malware?

Thank you.

Tom

#14
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
Hi,

MalwareBytes doesn't interfere with other scanners, but personally I do not recommend multiple realtime scanners running in the background, mainly because multiple scanners cause a system slowdown. In your case, you should be OK though. If you notice an extra slowdown or problems, then it may be a good idea to disable some scanners. Just make sure your Antivirus and mbam are always enabled for ideal prevention :rolleyes:

#15
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.