ComboFix 09-08-31.03 - lindam 09/01/2009 10:08.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1717 [GMT -4:00]
Running from: c:\documents and settings\lindam\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\MailSwitch.ocx
c:\windows\sc.exe
c:\windows\system32\3.tmp
c:\windows\system32\bejowaku.dll
c:\windows\system32\drivers\smss.exe
c:\windows\system32\figakezo.dll
c:\windows\system32\FInstall.sys
c:\windows\system32\gumeyesu.dll
c:\windows\system32\huhomogi.dll
c:\windows\system32\Iasex.dll
c:\windows\system32\Install.txt
c:\windows\system32\jigepivi.dll
c:\windows\system32\logapaju.dll
c:\windows\system32\melusume.dll
c:\windows\system32\pusogumu.dll
c:\windows\system32\tizoyate.dll
c:\windows\system32\wiwow64.exe
c:\windows\system32\yutiruhi.dll
c:\windows\system32\zukogulu.dll
c:\windows\TEMP\mta102860.dll
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_6to4
-------\Service_glaide32
-------\Service_Ias
((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.
2009-09-01 13:10 . 2009-09-01 13:11 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-01 13:10 . 2009-09-01 13:11 -------- dc----w- c:\program files\Spybot - Search & Destroy
2009-09-01 12:51 . 2009-09-01 12:51 -------- dc----w- c:\program files\Trend Micro
2009-09-01 10:57 . 2009-09-01 10:57 152576 -c--a-w- c:\documents and settings\lindam\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-30 13:08 . 2009-08-30 13:08 -------- dcsh--w- c:\documents and settings\LocalService\IETldCache
2009-08-30 00:07 . 2009-09-01 11:00 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware2
2009-08-29 00:22 . 2009-08-30 13:43 -------- dc----w- c:\documents and settings\All Users\Application Data\15156564
2009-08-29 00:18 . 2009-08-29 00:18 -------- dcsh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-08-29 00:17 . 2009-08-29 00:17 42496 -c--a-w- C:\cajhqlq.exe
2009-08-29 00:17 . 2009-08-29 00:17 4608 -c--a-w- C:\xsmcjnkq.exe
2009-08-29 00:17 . 2009-08-29 00:17 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-29 00:16 . 2009-08-29 00:16 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
2009-08-29 00:16 . 2009-08-29 00:16 49664 -c--a-w- C:\fsmpw.exe
2009-08-29 00:14 . 2009-08-29 00:14 -------- dcsh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-20 22:19 . 2009-08-20 22:19 -------- dc----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2009-08-20 22:14 . 2009-08-20 22:14 -------- dc----w- c:\program files\TrueSwitch
2009-08-20 22:14 . 2009-08-20 22:14 -------- dc----w- c:\documents and settings\lindam\Application Data\TrueSwitch
2009-08-20 22:11 . 2009-08-20 22:19 -------- dc----w- c:\program files\TrueSwitchVerizon
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 14:08 . 2008-04-25 20:33 56320 -c--a-w- c:\windows\system32\eventlog.dll
2009-09-01 11:00 . 2008-11-25 08:58 -------- dc----w- c:\program files\Java
2009-08-29 00:15 . 2009-08-29 00:15 -------- dc----w- c:\program files\Protection System
2009-08-29 00:14 . 2009-08-29 00:14 0 -c--a-w- c:\windows\system32\4.tmp
2009-08-29 00:14 . 2009-08-29 00:14 52 -c--a-w- c:\windows\system32\2.tmp
2009-08-20 23:10 . 2009-05-21 00:13 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 17:36 . 2009-05-21 00:14 38160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-05-21 00:14 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 09:23 . 2008-12-27 00:05 411368 -c--a-w- c:\windows\system32\deploytk.dll
2009-07-03 17:09 . 2008-04-25 20:33 915456 -c--a-w- c:\windows\system32\wininet.dll
2009-06-30 19:49 . 2009-01-04 16:21 33336 -c--a-w- c:\documents and settings\lindam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 14:36 . 2008-04-25 20:33 119808 -c--a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-04-25 20:33 81920 -c--a-w- c:\windows\system32\fontsub.dll
2009-06-06 15:31 . 2009-06-06 15:31 3371383 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-03 19:09 . 2008-04-25 20:33 1291264 -c--a-w- c:\windows\system32\quartz.dll
2009-05-30 13:56 . 2009-05-30 13:56 827392 -csha-w- c:\windows\system32\gorumiba.exe
2009-05-31 13:57 . 2009-05-31 13:57 829440 -csha-w- c:\windows\system32\lakopayi.exe
.
------- Sigcheck -------
[-] 2008-04-14 12:00 15360 C5E8076316BECE604B8BC99B3CEBEF50 c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"áN@"="e14e4000" [X]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-11-25 09:25 10536 -c--a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKLM\~\startupfolder\C:^Documents and Settings^lindam^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=c:\documents and settings\lindam\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=c:\windows\pss\TrueAssistant.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"sofatnet"=2 (0x2)
"ose"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NetLogin"=2 (0x2)
"Nero BackItUp Scheduler 3"=2 (0x2)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"GoToAssist"=3 (0x3)
"BITS"=2 (0x2)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [11/25/2008 5:02 AM 9856]
R2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [4/25/2008 4:33 PM 14336]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [11/25/2008 6:15 AM 93968]
S3 netskt;netskt;\??\c:\windows\system32\netskt.sys --> c:\windows\system32\netskt.sys [?]
S4 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [10/24/2008 9:51 PM 468224]
S4 NetLogin;Net Login;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
S4 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [4/14/2008 8:00 AM 94208]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -
BHO-{edfe5fac-fd0f-4fc9-a16f-872f51f4a3f1} - c:\windows\system32\wuyojogi.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 10:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1212)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
- - - - - - - > 'explorer.exe'(812)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-09-01 10:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-01 14:22
Pre-Run: 8,355,315,712 bytes free
Post-Run: 8,339,607,552 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
202 --- E O F --- 2009-08-09 11:38
#1
Posted 01 September 2009 - 02:34 PM
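The log above can be triaged mechanically. The script below is an added example and is not part of the original post or of ComboFix; it encodes the checks an analyst applies by eye to this kind of log: Windows binaries found outside their home directory (c:\windows\sc.exe, drivers\smss.exe, the NetLogin service pointing at c:\windows\svchost.exe), the eight-letter consonant/vowel filenames of the dropped files (bejowaku.dll, gorumiba.exe), services whose binary ComboFix marks [?], a failed Sigcheck ([-] on ctfmon.exe), the patched eventlog.dll, and the firewall and Security Center settings switched off. The sample lines are copied from the log; the EXPECTED_DIR table, the filename pattern and the reading of [?] as "binary could not be read on disk" are this example's own assumptions.

```python
"""Triage heuristics for a ComboFix log.

Added example; not part of the original post or of ComboFix.  The sample
lines are copied from the log in the thread; EXPECTED_DIR, the filename
pattern and the reading of "[?]" are this example's assumptions.
"""
import re
from typing import List, Tuple

# Where these Windows XP binaries legitimately live (assumption: XP layout).
# A copy anywhere else (c:\windows\svchost.exe, drivers\smss.exe) is a
# name-masquerade and is the first thing to pull for analysis.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "sc.exe": r"c:\windows\system32",
}

# Eight lowercase letters alternating consonant/vowel (bejowaku, gorumiba):
# the naming scheme of the files deleted in this log.
PSEUDO_WORD = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")

# A drive-letter path up to an executable extension, stopping at whitespace,
# a quote, ']' or ';' so service lines and registry lines parse too.
PATH_RE = re.compile(r'[a-z]:\\.+?\.(?:exe|dll|sys|ocx)(?=[\s"\];]|$)', re.I)

# "S4 NetLogin;Net Login;<path> --> <path> [?]": ComboFix could not read
# the service binary on disk (assumption about what the "[?]" marker means).
SERVICE_RE = re.compile(r"^[RS][0-4]\s+[^;]+;[^;]*;(.+)$")

# Constructed sample: lines copied from the ComboFix log above, plus two
# clean lines (deploytk.dll, ekrn) as controls that must not be flagged.
SAMPLE_LOG = r"""
c:\windows\sc.exe
c:\windows\system32\bejowaku.dll
c:\windows\system32\drivers\smss.exe
c:\windows\system32\deploytk.dll
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
[-] 2008-04-14 12:00 15360 C5E8076316BECE604B8BC99B3CEBEF50 c:\windows\system32\ctfmon.exe
"EnableFirewall"= 0 (0x0)
"UpdatesDisableNotify"=dword:00000001
S3 netskt;netskt;\??\c:\windows\system32\netskt.sys --> c:\windows\system32\netskt.sys [?]
S4 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [10/24/2008 9:51 PM 468224]
S4 NetLogin;Net Login;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
2009-05-30 13:56 . 2009-05-30 13:56 827392 -csha-w- c:\windows\system32\gorumiba.exe
"""


def check_path(path: str) -> List[str]:
    """Findings that apply to one file path."""
    findings = []
    norm = path.lower().replace("\\\\", "\\")  # registry-style C:\\x -> c:\x
    directory, _, name = norm.rpartition("\\")
    stem, _, ext = name.rpartition(".")
    if ext in ("dll", "exe", "sys") and PSEUDO_WORD.match(stem):
        findings.append("pseudo-random 8-letter filename")
    expected = EXPECTED_DIR.get(name)
    if expected and directory != expected:
        findings.append(f"{name} outside {expected}")
    return findings


def analyze(log_text: str) -> List[Tuple[str, str]]:
    """Run every heuristic over each line; return (finding, line) pairs."""
    results = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hits = []
        if line.startswith("[-]"):
            hits.append("sigcheck [-]: file failed signature check")
        if line.startswith("Infected copy of"):
            hits.append("system DLL patched in place")
        if re.match(r'"EnableFirewall"\s*=\s*0\b', line):
            hits.append("Windows Firewall disabled")
        if re.match(r'"UpdatesDisableNotify"\s*=\s*dword:0*1$', line):
            hits.append("Security Center update warnings suppressed")
        svc = SERVICE_RE.match(line)
        if svc and "[?]" in svc.group(1):
            hits.append("service binary could not be read on disk")
        seen = set()  # a service line repeats its path after "-->"
        for path in PATH_RE.findall(line):
            if path.lower() not in seen:
                seen.add(path.lower())
                hits.extend(check_path(path))
        results.extend((hit, line) for hit in hits)
    return results


if __name__ == "__main__":
    for finding, line in analyze(SAMPLE_LOG):
        print(f"{finding:45} <- {line}")
```

Run as is it prints eleven findings for the sample and nothing for the two control lines. In practice you would feed it the whole log and treat every hit as a file to quarantine or a setting to restore; the pseudo-word rule is the one to retune per infection, since the naming scheme changes while the misplaced-binary, [?] and Sigcheck checks do not.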
#2
Posted 02 September 2009 - 03:06 PM
Hi,
1) Please download this file
2) Place fr33.exe next to the mbam.exe file that doesn't want to run
3) Drag the exe file onto fr33.exe. That shall free/unlock it.
Example of how to do this (this is an example with the Malwarebytes exe file, mbam.exe).
You can do that with every exe file that cannot run.
Then update Malwarebytes, let it scan, then remove what it found.
Reboot and post the Malwarebytes log in your next reply.
#3
Posted 08 September 2009 - 11:35 AM
Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.