No clue where to post what I posted in the other thread cuz I found like problems there now being thrown over here from a mod.
I am sorry I am crabby and I have not slept. Been pulling my hair out trying a lot of things I have read from this forum with NO luck at all.
I saved some other logs due to the fact that others with the same problems as me were told to but they never posted back so there was no solution to go by.
Anyways.........
Hello,
I may be new to this forum but far from new to computer-based forums.
I can generally "FIX" most issues that arise.
I have spent over 12 hours trying to get my Malwarebytes to work.
I have used it for a long time now and had an older version installed on my pc.
My son was on my pc and all of a sudden I am crashing right and left.
I know it has something to do with malware but this is the very first time I can not use it to scan for the problem.
My first thought was that whatever had attacked my pc had corrupted my programs. So I downloaded the latest version and am just beating my head into a brick wall here.
I have read many posts which really got me nowhere but more confused.
I have 3 logs.
When I try to run the program a pop-up comes up which reads:
"Setup
F:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
CreateProcess Failed; code 2
The system cannot find the file specified.
I have run many scans with other reg. cleaners, spyware, and ran a full scan with my Norton Net Security 2009, all of which found problems and solved what they found, but there is something else going on yet. This used to be my last resort fix-all - which just isn't happening today.
I can't even run the scans to find the problems.
Any help would be WONDERFUL.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:54 AM, on 10/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\devldr32.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
F:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
F:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
F:\Program Files\Creative\ShareDLL\CtNotify.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Creative\ShareDLL\MediaDet.Exe
F:\Program Files\Creative\SBLive\PlayCenter2\CTNMRUN.EXE
F:\WINDOWS\explorer.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\MSN\Toolbar\3.0.1125.0\msntask.exe
F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - F:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - F:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - F:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - F:\Program Files\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - F:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - F:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - F:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - F:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - F:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - F:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - F:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O4 - HKLM\..\Run: [GrooveMonitor] "F:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Disc Detector] F:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "F:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jeregapig] Rundll32.exe "f:\windows\system32\vuzoyime.dll",a
O4 - HKLM\..\Run: [UnlockerAssistant] "F:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] F:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NOMAD Detector] "F:\Program Files\Creative\SBLive\PlayCenter2\CTNMRUN.EXE"
O8 - Extra context menu item: &Winamp Search - F:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - F:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O20 - AppInit_DLLs: yufiyasi.dll f:\windows\system32\vuzoyime.dll
O21 - SSODL: vonapizey - {a3deb7b1-3b35-42ee-a76b-6b843abd441e} - f:\windows\system32\vuzoyime.dll
O22 - SharedTaskScheduler: jugezatag - {a3deb7b1-3b35-42ee-a76b-6b843abd441e} - f:\windows\system32\vuzoyime.dll
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Internet Security - Symantec Corporation - F:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
--
End of file - 11260 bytes
If anyone can provide any help that would be great.
The only 1 reason I turned to this forum is it's the forum that supports the program I can't get working.
#1
Posted 26 October 2009 - 04:05 PM
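An added illustration, not part of the original posts: the HijackThis log above registers one DLL under several autostart points at once (an O4 Run value launched through Rundll32, O20, O21 and O22). The Python script below correlates such entries for triage; its function names, labels and threshold are assumptions made for this example, and the sample lines are copied from the log in the post.

```python
import ntpath
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted above (lines copied from the page).
SAMPLE_LOG = r"""
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - F:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - F:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [GrooveMonitor] "F:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [jeregapig] Rundll32.exe "f:\windows\system32\vuzoyime.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: yufiyasi.dll f:\windows\system32\vuzoyime.dll
O21 - SSODL: vonapizey - {a3deb7b1-3b35-42ee-a76b-6b843abd441e} - f:\windows\system32\vuzoyime.dll
O22 - SharedTaskScheduler: jugezatag - {a3deb7b1-3b35-42ee-a76b-6b843abd441e} - f:\windows\system32\vuzoyime.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
"""

# "O4 - ...", "O20 - ...", "R1 - ..." : section code, separator, entry body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Drive-letter path ending in .dll or .exe (spaces inside the path allowed).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.(?:dll|exe)\b', re.IGNORECASE)

# Sections that load a DLL into many processes or into the shell at logon.
# Labels are this example's own wording.
DLL_LOAD_POINTS = {
    "O20": "O20 AppInit_DLLs",
    "O21": "O21 ShellServiceObjectDelayLoad",
    "O22": "O22 SharedTaskScheduler",
}


def parse_entries(log_text):
    """Yield (code, body) for every HijackThis result line in the log."""
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            yield match.group("code"), match.group("body")


def load_point(code, body):
    """Return a label when the entry makes Windows load a DLL, else None."""
    if code in DLL_LOAD_POINTS:
        return DLL_LOAD_POINTS[code]
    if code == "O4" and "rundll32" in body.lower():
        return "O4 Run via rundll32"
    return None


def referenced_modules(code, body):
    """Return the module paths or names an entry refers to."""
    if code == "O20":
        # AppInit_DLLs is a space- or comma-delimited list; bare names allowed.
        _, _, value = body.partition(":")
        return [tok for tok in re.split(r"[\s,]+", value.strip()) if tok]
    return PATH_RE.findall(body)


def correlate(log_text, threshold=2):
    """Map DLL name -> load points, for DLLs seen at >= threshold load points."""
    seen = defaultdict(set)
    for code, body in parse_entries(log_text):
        label = load_point(code, body)
        if label is None:
            continue
        for module in referenced_modules(code, body):
            name = ntpath.basename(module).lower()
            if name.endswith(".dll"):
                seen[name].add(label)
    return {name: sorted(labels) for name, labels in seen.items()
            if len(labels) >= threshold}


if __name__ == "__main__":
    for dll, points in correlate(SAMPLE_LOG).items():
        print(f"{dll}: registered at {len(points)} load points")
        for point in points:
            print(f"  - {point}")
```

A hit is a lead for the analyst reading the log, not a verdict, since legitimate software also registers under these keys.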
#2
Posted 26 October 2009 - 04:08 PM
Hi,
Can you try to rename malwarebytes mbam.exe to explorer.exe ? It has to be that name.
Let me know if you have success with that name... and if it will run then...
#3
Posted 26 October 2009 - 04:15 PM
miekiemoes, on Oct 26 2009, 11:08 AM, said:
Hi,
Can you try to rename malwarebytes mbam.exe to explorer.exe ? It has to be that name.
Let me know if you have success with that name... and if it will run then...
I have tried that already - no go.
Tried about 8 or 9 times. I spent a lot of time reading posts before I posted. I can not get it to go.
Everything worked just fine until my son spent a day on my pc.
#4
Posted 26 October 2009 - 04:17 PM
Did you rename to explorer.exe? Because I see you have it renamed to other names (winlogon.exe), but not sure if it was to explorer.exe as well.
Also let me know when you do this... if there's any progress:
1) Please download this file
2) Place fr33.exe next to the exe file that doesn't want to run
3) Drag the exefile into fr33.exe. That shall free/unlock it.
Example how to do this (this is an example with malwarebytes exefile (mbam.exe)).
#5
Posted 26 October 2009 - 04:20 PM
photo_angel2004, on Oct 26 2009, 11:15 AM, said:
I have tried that already - no go.
Tried about 8 or 9 times. I spent a lot of time reading posts before I posted. I can not get it to go.
Everything worked just fine until my son spent a day on my pc.
Doesn't matter what I rename it to this is always the end result:
Attached Files
#6
Posted 26 October 2009 - 04:23 PM
The malware present here deletes mbam.exe.
I've already had a lot of success by renaming the installer to explorer.exe, don't select to start mbam after it finished, and then also renaming the mbam.exe file (if not already deleted) to explorer.exe. Renaming to other names will fail anyway...
Anyway, please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
#7
Posted 26 October 2009 - 04:23 PM
page can not be displayed from that link, thanks
#8
Posted 26 October 2009 - 04:28 PM
#9
Posted 26 October 2009 - 04:30 PM
Try this Combofix: http://www.forospywa...Bs/ComboFix.exe
#10
Posted 26 October 2009 - 04:37 PM
By the way, what also should work is to install malwarebytes on another computer, copy the mbam.exe present in the C:\Program Files\Malwarebytes' Antimalware folder to flashdrive /cd, but rename mbam.exe first to explorer.exe and transfer the renamed file to the C:\Program Files\Malwarebytes' Antimalware folder on the infected computer.
#11
Posted 26 October 2009 - 07:51 PM
#12
Posted 27 October 2009 - 01:05 PM
miekiemoes, on Oct 26 2009, 11:37 AM, said:
By the way, what also should work is to install malwarebytes on another computer, copy the mbam.exe present in the C:\Program Files\Malwarebytes' Antimalware folder to flashdrive /cd, but rename mbam.exe first to explorer.exe and transfer the renamed file to the C:\Program Files\Malwarebytes' Antimalware folder on the infected computer.
That sounds good but I don't have a different pc here now my son blew his out a while back.
I will try this combofix and report back. Sorry I had to get some sleep yesterday been up over 40 hours.
Thanks for the help I am hoping this works.
#13
Posted 27 October 2009 - 01:10 PM
Quote
That sounds good but I don't have a different pc here now my son blew his out a while back.
In that case... Please download a renamed mbam.exe from here: http://users.telenet.be/bluepatchy/miekiem...mp/explorer.exe
I renamed it to explorer.exe (this in case Security Tool is also present).
Then place the explorer.exe in your c:\program Files\malwarebytes' antimalware folder and launch it from there.
#14
Posted 27 October 2009 - 02:32 PM
miekiemoes, on Oct 27 2009, 08:10 AM, said:
In that case... Please download a renamed mbam.exe from here: http://users.telenet.be/bluepatchy/miekiem...mp/explorer.exe
I renamed it to explorer.exe (this in case Security Tool is also present).
Then place the explorer.exe in your c:\program Files\malwarebytes' antimalware folder and launch it from there.
ComboFix 09-10-26.03 - Carla Bruss 10/27/2009 9:16.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.246 [GMT -5:00]
Running from: f:\documents and settings\Carla Bruss\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\xcrashdump.dat
f:\documents and settings\Carla Bruss\Application Data\02000000e5e0f29e669C.manifest
f:\documents and settings\Carla Bruss\Application Data\02000000e5e0f29e669O.manifest
f:\documents and settings\Carla Bruss\Application Data\02000000e5e0f29e669P.manifest
f:\documents and settings\Carla Bruss\Application Data\02000000e5e0f29e669S.manifest
f:\documents and settings\Carla Bruss\Application Data\Desktopicon
f:\documents and settings\Carla Bruss\Application Data\Desktopicon\eBay.ico
f:\documents and settings\Carla Bruss\Application Data\Desktopicon\uninst.exe
f:\windows\system32\_003520_.tmp.dll
f:\windows\system32\_003521_.tmp.dll
f:\windows\system32\dahapeno.dll
f:\windows\system32\hahagame.dll.tmp
f:\windows\system32\install.exe
f:\windows\system32\likegene.dll
f:\windows\system32\povoyite.dll
f:\windows\system32\sikivara.dll.tmp
f:\windows\system32\tihifipa.dll
f:\windows\system32\vakemuna.dll
f:\windows\system32\vuzoyime.dll
f:\windows\system32\walebuma.dll
f:\windows\system32\yufiyasi.dll.tmp
.
((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))
.
2009-10-26 15:56 . 2009-10-26 15:56 -------- d-----w- f:\program files\Trend Micro
2009-10-26 12:34 . 2009-10-26 12:34 -------- d-----w- f:\documents and settings\Carla Bruss\Application Data\Malwarebytes
2009-10-26 12:34 . 2009-09-10 19:54 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2009-10-26 12:34 . 2009-10-26 12:34 -------- d-----w- f:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-26 12:34 . 2009-09-10 19:53 19160 ----a-w- f:\windows\system32\drivers\mbam.sys
2009-10-26 12:34 . 2009-10-26 16:26 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2009-10-26 11:44 . 2009-10-26 11:45 -------- d-----w- f:\program files\Unlocker
2009-10-26 10:58 . 2009-10-26 10:59 4045528 ----a-w- f:\program files\winlogon.exe
2009-10-09 14:14 . 2009-10-09 14:14 -------- d-----w- f:\documents and settings\Carla Bruss\Local Settings\Application Data\Ahead
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 12:18 . 2009-05-06 05:40 -------- d-----w- f:\documents and settings\Carla Bruss\Application Data\GlarySoft
2009-10-26 11:36 . 2009-05-06 04:27 -------- d-----w- f:\program files\Coupons
2009-10-23 15:04 . 2009-05-14 08:35 -------- d---a-w- f:\documents and settings\All Users\Application Data\TEMP
2009-09-14 12:50 . 2009-09-14 12:50 -------- d-----w- f:\program files\Lavasoft
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- f:\windows\system32\msv1_0.dll
2009-09-05 22:10 . 2009-09-05 22:10 -------- d-----w- f:\documents and settings\Carla Bruss\Application Data\Apple Computer
2009-09-05 22:10 . 2009-09-05 22:09 -------- d-----w- f:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-09-05 22:09 . 2009-09-05 22:09 -------- d-----w- f:\program files\iPod
2009-09-05 22:09 . 2009-09-05 22:05 -------- d-----w- f:\program files\Common Files\Apple
2009-09-05 22:09 . 2009-09-05 22:07 -------- d-----w- f:\documents and settings\All Users\Application Data\Apple Computer
2009-09-05 22:08 . 2009-09-05 22:08 -------- d-----w- f:\program files\Bonjour
2009-09-05 22:08 . 2009-09-05 22:07 -------- d-----w- f:\program files\QuickTime
2009-09-05 22:06 . 2009-09-05 22:06 -------- d-----w- f:\program files\Apple Software Update
2009-09-05 22:05 . 2009-09-05 22:05 -------- d-----w- f:\documents and settings\All Users\Application Data\Apple
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- f:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2003-03-31 12:00 916480 ----a-w- f:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-03-31 12:00 247326 ----a-w- f:\windows\system32\strmdll.dll
2009-08-19 02:41 . 2009-03-18 18:57 60808 ----a-w- f:\windows\system32\S32EVNT1.DLL
2009-08-19 02:41 . 2009-03-18 18:57 124976 ----a-w- f:\windows\system32\drivers\SYMEVENT.SYS
2009-08-18 19:11 . 2009-03-18 18:57 36400 ----a-r- f:\windows\system32\drivers\SymIM.sys
2009-08-18 01:30 . 2009-08-11 05:11 34 ----a-w- f:\documents and settings\Carla Bruss\jagex_runescape_preferences.dat
2009-08-07 05:48 . 2009-03-18 14:09 69624 ----a-w- f:\documents and settings\Carla Bruss\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2003-03-31 12:00 204800 ----a-w- f:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 2003-03-31 12:00 2189184 ----a-w- f:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ----a-w- f:\windows\system32\ntkrnlpa.exe
2009-07-27 09:16 . 2009-07-27 09:16 89088 --sha-w- f:\windows\system32\dafopore.dll
2009-07-26 21:15 . 2009-07-26 21:15 51712 --sha-w- f:\windows\system32\dedufaro.dll
2009-07-26 21:16 . 2009-07-26 21:16 51712 --sha-w- f:\windows\system32\vudaviyi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54c24349-e06c-4dde-bf16-75f7dc881c51}]
2009-07-26 21:16 51712 --sha-w- f:\windows\system32\vudaviyi.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOMAD Detector"="f:\program files\Creative\SBLive\PlayCenter2\CTNMRUN.EXE" [2000-07-27 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="f:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Disc Detector"="f:\program files\Creative\ShareDLL\CtNotify.exe" [2001-08-01 191488]
"NeroFilterCheck"="f:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2009-05-28 148888]
"Microsoft Default Manager"="f:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"TkBellExe"="f:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-27 198160]
"QuickTime Task"="f:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"UnlockerAssistant"="f:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"jeregapig"="f:\windows\system32\dafopore.dll" [2009-07-27 89088]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{0561a05e-bb84-42a6-8a10-2b07ee0b3063}"= "f:\windows\system32\dafopore.dll" [2009-07-27 89088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"sunelabad"= {0561a05e-bb84-42a6-8a10-2b07ee0b3063} - f:\windows\system32\dafopore.dll [2009-07-27 89088]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=f:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check(2).lnk]
backup=f:\windows\pss\EPSON Status Monitor 3 Environment Check(2).lnkCommon Startup
[HKLM\~\startupfolder\F:^Documents and Settings^Carla Bruss^Start Menu^Programs^Startup^Webshots.lnk]
backup=f:\windows\pss\Webshots.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"f:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"f:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"f:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\LimeWire\\LimeWire.exe"=
"f:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"f:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=
"f:\\WINDOWS\\system32\\imapi.exe"=
R0 m5289;m5289;f:\windows\system32\drivers\m5289.sys [3/18/2009 9:33 AM 52480]
R0 SymEFA;Symantec Extended File Attributes;f:\windows\system32\drivers\NIS\1007020.00B\SymEFA.sys [8/31/2009 6:58 PM 310320]
R0 uliagpkx;ULi AGP Bus Filter Driver;f:\windows\system32\drivers\AGPKX.SYS [3/18/2009 9:33 AM 45056]
R1 BHDrvx86;Symantec Heuristics Driver;f:\windows\system32\drivers\NIS\1007020.00B\BHDrvx86.sys [8/31/2009 6:57 PM 259632]
R1 ccHP;Symantec Hash Provider;f:\windows\system32\drivers\NIS\1007020.00B\cchpx86.sys [8/31/2009 6:20 PM 482432]
R1 IDSxpx86;IDSxpx86;f:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091021.001\IDSXpx86.sys [10/22/2009 2:00 PM 329080]
R2 Norton Internet Security;Norton Internet Security;f:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe [8/31/2009 6:46 PM 117640]
R2 ubsbm;Unibrain 1394 SBM Driver;f:\windows\system32\drivers\UBSBM.sys [7/27/2005 6:25 PM 14080]
R2 ubumapi;Unibrain 1394 FireAPI Driver;f:\windows\system32\drivers\UBUMAPI.sys [7/27/2005 6:25 PM 36352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;f:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 3:00 AM 102448]
R3 ubohci;Unibrain 1394 OHCI Driver;f:\windows\system32\drivers\ubohci.sys [7/27/2005 6:25 PM 77056]
S3 GAGPDrv;GAGPDrv; [x]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-10-23 f:\windows\Tasks\AppleSoftwareUpdate.job
- f:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-10-27 f:\windows\Tasks\GlaryInitialize.job
- f:\program files\Glary Utilities\initialize.exe [2009-05-06 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Winamp Search - f:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Convert link target to Adobe PDF - f:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - f:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-ritamomure - tihifipa.dll
AddRemove-eBay Icon - f:\documents and settings\Carla Bruss\Application Data\Desktopicon\uninst.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-27 09:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = f:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?? ????B???@???@?? C???????@?????????@?B???A???????A?0?????B???@?????P?????@?? ??????~?B~??????????@???????????????????B?????<?????????????????????????????B
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"f:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"f:\program files\Norton Internet Security\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(748)
f:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2868)
f:\windows\system32\WININET.dll
f:\windows\system32\dafopore.dll
f:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
f:\windows\system32\ieframe.dll
f:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
f:\windows\system32\Ati2evxx.exe
f:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
f:\program files\Bonjour\mDNSResponder.exe
f:\windows\system32\CTsvcCDA.EXE
f:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
f:\program files\Java\jre6\bin\jqs.exe
f:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
f:\windows\system32\wdfmgr.exe
f:\windows\system32\MsPMSPSv.exe
f:\windows\system32\Ati2evxx.exe
f:\windows\system32\devldr32.exe
f:\combofix\CF11672.exe
f:\windows\system32\wscntfy.exe
f:\program files\Creative\ShareDLL\MediaDet.Exe
f:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-27 9:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-27 14:28
Pre-Run: 143,137,357,824 bytes free
Post-Run: 143,338,418,176 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
f:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - 3C7F48F5E01BB0839EA28682A7E33CBE
#15
Posted 27 October 2009 - 02:43 PM
I still can't run it, still same old:
Attached Files
#16
Posted 27 October 2009 - 02:44 PM
Hi,
Is it possible that this is a renamed malwarebytes as well?
2009-10-26 10:58 . 2009-10-26 10:59 4045528 ----a-w- f:\program files\winlogon.exe
Anyway, ** Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:
Quote
Collect::[8]
f:\windows\system32\dafopore.dll
f:\windows\system32\dedufaro.dll
f:\windows\system32\vudaviyi.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54c24349-e06c-4dde-bf16-75f7dc881c51}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jeregapig"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{0561a05e-bb84-42a6-8a10-2b07ee0b3063}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"sunelabad"=-
Save this as txtfile CFScript
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingc...e.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
#17
Posted 27 October 2009 - 02:50 PM
photo_angel, the explorer.exe file is a renamed version of mbam.exe. Not the installer.
You had to copy the explorer.exe you got from me (it has the mbam icon) to your C:\Program Files\Malwarebytes Antimalware folder.
What is in above screenshot is the renamed explorer.exe you had before, which is the malwarebytes installer. You don't need that installer anymore since malwarebytes is already installed.
Anyway, just proceed with the combofix instructions. Once that is done, you'll be able to run/install malwarebytes anyway.
#18
Posted 27 October 2009 - 02:54 PM
miekiemoes, on Oct 27 2009, 08:10 AM, said:
In that case... Please download a renamed mbam.exe from here: http://users.telenet.be/bluepatchy/miekiem...mp/explorer.exe
I renamed it to explorer.exe (this in case Security Tool is also present).
Then place the explorer.exe in your c:\program Files\malwarebytes' antimalware folder and launch it from there.
OMG it's running now! WOW thanks, I hope this does the trick. Running quick scan now.
#19
Posted 27 October 2009 - 02:57 PM
miekiemoes, on Oct 27 2009, 09:44 AM, said:
Hi,
Is it possible that this is a renamed malwarebytes as well?
2009-10-26 10:58 . 2009-10-26 10:59 4045528 ----a-w- f:\program files\winlogon.exe
Anyway, ** Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:
Save this as txtfile CFScript
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingc...e.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
I missed this post, I will do that as well. Thanks
#20
Posted 27 October 2009 - 02:58 PM
photo_angel2004, after you have run another scan with Malwarebytes and done a reboot afterwards, please also perform the instructions with Combofix, because I need some of the samples there.